Risk management can succeed or fail based on support from senior management. This does not mean that the CEO, managing director, or board of directors is the sole authority for support of a legal risk management initiative.
Our risk management framework is scalable, which means we can adopt it at the appropriate level of the organization. For example, the legal group, compliance office, finance department, or risk team might adopt this framework for legal risk as part of their existing work.
The leadership mandate should address eight topics:
- Explicit endorsement of the risk management initiative,
- Alignment of the company culture and risk policy,
- Alignment of business strategy and risk policy,
- Key Performance Indicators (KPIs) for the framework,
- Framework’s compliance with relevant laws,
- Accountability for development and maintenance of the framework,
- Resource constraints, and
- The communication plan.
Leadership for the group should explicitly support the adoption and use of a risk management. Each organization handles these decisions and communications differently. Some are highly formal; other less so. Whatever the medium, the message should be clear to the team.
Culture + policy
Before creating the risk management plan or designing the framework for risk calculations, we need to consider company culture and the risk policy we expect to implement.
Alignment is a popular word in the corporate world. Lack of alignment in risk management can undermine the entire effort. Consider two cases of misalignment:
- An early stage company focused on growth and well capitalized. A risk averse framework will generate unhelpful conflict over resource allocation and strategy, undermining the effectiveness of the risk management effort.
- An established company focused on enduring value and legacy. A risk tolerance framework will fail to capture manageable risks, raising questions about the judgement of those responsible for the risk management framework.
There is no objectively correct approach to risk. But the framework should be aligned to support the business.
Good alignment is when we have the right risk tolerance and ratings for the size and tenor of the company.
Culture and policy fit
It is up to us to ensure that the risk management framework we want to use fits with the company culture.
Strategy + policy alignment
The team responsible for the legal risk management framework should understand the organization’s strategy and objectives. The organization’s strategy objectives will shape the risk identification process, because the risk team will look only for events that interfere with those strategic objectives.
Key Performance Indicators (KPIs)
Key Performance Indicators or KPIs provide a quick gauge of the risk management policy’s effectiveness. It is easy for the legal team to get lost on the organization’s KPIs.
Focus instead on KPIs for the risk management framework.
Consider answering these questions:
- One year after adoption, how would you know that the risk management framework was a success?
- After three years, how would you measure the financial benefit of the risk management framework?
- Five years after adoption, what changes in organizational behavior would constitute a successful risk management framework?
Here are some sample answers to generate ideas:
- In one year, we have a single risk registry that lists every risk from each line of business operating in any territory. This is an information and reporting KPI.
- In three years, we reduced unexpected losses and expenses from legal issues by 30%. This is a measurable, expense related KPI.
- After five years, we have embedded legal professional in every line of business. Those professionals activity contribute to revenue growth and expense control. This is a human resources and operational KPI.
These KPIs are more or less quantitative to help stimulate KPI ideas that are relevant to your context.
Compliance with applicable regulations is important for senior leaders to consider when mandating the adoption of any risk management framework.
Your organization might operate in an industry subject to a government agency that already requires a certain risk management plan and/or reporting.
In that case, you should ask whether the regulatory framework address legal risk explicitly or implicitly. Understanding the requirements of the regulation will allow you to find opportunities to use this risk framework to fill in the gaps.
The mandate to adopt a risk framework for legal risks should also identify the people or groups who are accountable for the results.
While it is tempting to say “the entire legal department,” this approach means that no one is accountable. It is possible to achieve similar team-wide accountability with more specific assignments, such as:
- Jane is responsible for the maintenance of the legal risk registry (more about the registry later).
- Sam is responsible for development and maintenance of the risk assessment worksheet.
- Completion of legal risk assessment worksheets will be part of every legal professional’s periodic review.
Everyone is accountable for specific parts of implementing the risk management framework.
Risk management and legal groups sometimes do not receive the budgets that they think are necessary to provide the very best service to the organization.
The mandate from leadership should be explicit about the resources required. The good news is that much of the work required for legal risk management is a question of repositioning existing work and taking the time to collaborate across the organization.
Certainly, there are expensive and elaborate risk management and control systems for license on the market. This training, however, assumes that there is little or no budget for such systems. Instead, we will focus on legal risk assessment using common office applications and inexpensive solutions.
The most important resource question for management is the allocation of time to the risk management process. It will be slow at first, but will become normal quickly.
Senior leadership should communicate the risk management mandate clearly and fully. This means that it is not enough to provide glib statements like, “we value risk management.” Communication from leadership should include the risk management plan and an endorsement of continuous improvement (that means tolerating some mistakes).