Context matters. It is tempting to identify risks that, while real, are not relevant to your context. There are some risks that are simply too large or too derivative to spend time analyzing.
For example, a regional chain of grocery stores might initially identify changes to food labeling as a regulatory risk. The grocery store chain lacks the resources to comment on or influence the regulatory process. More important, because the chain is a retailer, the labeling law does not change how it sells food products.
The law and changes to it certainly affect their suppliers and the food producers. In the end, they correctly decide that their context allows them to take this risk off the list.
What is your organization’s external context? At first glance, this might seem like a vague notion, but the external context means those outside factors which relate to your organization’s objectives.
To give shape to your external context, identify market forces, trends or drivers, or dependencies.
There are many potential market forces. You might ask the following types of questions:
- Does your organization compete in a regulated industry, such as financial services, health care, or transportation?
- Are your industry or related business practices under political scrutiny, such as land use change, fees and charges, or the like?
- Are there important technical standards that influence your assessment of legal risk?
- Is your organization local, regional, national, or global?
- Is the organization public or private? How does its ownership affect the context?
Long-term trends can influence how we understand the external context for risk. Those trends should be at the appropriate level and intersect with legal risk.
Dependencies can magnify both likelihood and consequences ratings. So it is important to identify them in our assessment of the external context.
For example, if the organization relies on a single supplier for a key component of our production process and it is difficult to switch, then a breach of contract risk would automatically impose more risk than a similar claim with a commodity supplier.
The internal context can be just as complex (sometimes more so) as the external environment. We will focus on three major areas: objectives, structure, and systems.
Since the definition of risk is “the effect of uncertainty on objectives,” we must list the organization’s objectives. Recall that the “organization” might be the entire company, division, department, or team. At whatever scale, we need to identify the objective.
To the extent the organization’s structure is relevant, we should include it in the discussion of the internal context.
A foreign affiliate might be subject to an intellectual property claim, but the nature of the affiliate and the jurisdiction in question might mean that the risk is inherently low.
By contrast, the same claim in our primary jurisdiction against the Research & Development subsidiary might have significantly graver consequences.
Understanding our internal systems is important for two different reasons. First, they can be a useful source of quantitative data to improve our qualitative judgement about likelihood and consequences.
Second, our internal systems can both control and create risk.