At the core of the design of a risk framework is the risk model. A risk model is the technique we use to calculate or measure a particular risk.

Case management v. Quantitative models

Approaches to risk management typically fall along a continuum with reactive methods at one end and predictive models at the other end.

Case management

Legal risk management is usually little more than case management: something happened, we collect information, and file documents. The case management approach precludes any effort to common-size risks or even to compare them in any meaningful or consistent way.

Quantitative models

Quantitative models, on the other hand, strive to anticipate likelihood and outcomes based on a reservoir of historical data and statistically valid predictive models.

This formula is adapted from a basic credit risk model that defines R as Risk, p as Probability, and LGE as Loss Given Event. In credit risk, LGE is LGD or Loss Given Default.

Probability is a numerical percentage. Loss Given Event (LGE) is the amount that can be lost if there is a default, or in our case an event. Multiplying LGE by probability results in a precise financial calculation of a risk.

Case management v. Quantitative

Case management is characterized by incident response, ad hoc management, constant surprise, and assumed uniqueness. To rely on case management is to give up on risk management as a preventative practice.

Quantitative models use predictive analytics, empirical data, external data, and validated statistical models. Most organizations do not have the data, resources, or confidence in abstract models of risk.

Neither case management nor quantitative models is appropriate for legal risk management. We need an alternative model.

Qualitative (blue paper)

We need a qualitative model. A qualitative model blends expert judgement and empirical data. A qualitative model is forward leaning, not simply reactive.

Framework > qualitative model

A qualitative model allows us to measure legal risk (even if we can’t calculate it). Consistent application of a qualitative model will give us insight into the organization’s risk profile.

The qualitative model starts with two questions:

  1. What is the likelihood of the risk event or consequence?
  2. How significant is the consequence?

From those two answers, we will derive a risk rating, a score used to compare risks.

You might ask, “Isn’t likelihood just another word for probability?” In a word, NO. Our risk model will measure likelihood, and consequences for that matter, qualitatively, not quantitatively.

A qualitative rating uses a scale with defined terms instead of a calculated value.

Likelihood

Here is a 5-point scale for likelihood:

4 Almost certain
3 Highly likely
2 Somewhat likely
1 Unlikely
0 Unknown

There is no magic to the five point scale. We can change the framework to support a 10, 12, or 100 point scale. The magic is in the clear distinctions between the bands and the consistent application of the likelihood rating.

The point is that you will rate the likelihood of an uncertain event, even if you do not know the probability of it happening. Don’t worry, we will cover the measurement of likelihood in more detail later. The idea is simple (but not simplistic).

Consequences scale

People often focus on the consequences in a risk analysis. It is tempting just to quantify the potential losses from a lawsuit. Any amount over a certain number (it's different for every organization) scares the executive team into action.

Here is an example of a 5 point scale to rate consequences:

4 Substantial
3 Significant
2 Material
1 Immaterial
0 Unknown

The amounts at each cut off will differ among organizations. What is “immaterial” to a multinational corporation is “substantial” for a local doughnut shop.

Consequences scale with values

To illustrate this point, here is the same 5 point scale with numerical bounds. Your risk culture may or may not want to use a bright line between these scales. The key item is that the scale applies to organizations of any size.