The future of risk management
When negotiating an agreement recently I asked the counterparty's Lawyer, who was being unnecessarily intransigent, “What level of risk do you think your client would accept?” His answer, “none”.
We come across this 'black letter' view of risk often, particularly with more junior Lawyers.
There are other equally limiting perspectives:
- ‘all risks are Legal risks’
- ‘all risks are created equal’
- ‘it’s not my job to advise a client on the acceptability of risks’
We will call this the one-dimensional view of Legal risk management – risks of any impact should be avoided.
This frustrates counterparties, slows down transactions and creates a drag on business. It is perhaps the central reason Lawyers get branded as ‘un-commercial’.
Leading Legal professionals take a different view. They understand that the key to risk management is moving insightful risk information from the 'informed' (i.e. Legal) to the 'risk empowered' (i.e. management), who can then respond.
Putting this simple concept in action, however, requires investment in core risk competencies such as: expansive risk sourcing, consistent risk prioritisation, agile risk response, and the ability to translate Legal risk into commercial consequences.
The very nature of any contract implies both parties accept some form of transactional risk, and Legal risk is typically only a small percentage of the overall enterprise risk. In fact, research by CEB (a consultancy) suggests that ‘Legal and Compliance Risks’ have triggered only 6% of significant risk events in the last 50 years of corporate history. And the majority of that was a result of regulatory actions and large litigation.
Conventional wisdom has suggested risks are two-dimensional, in other words, risks should be prioritised based on their impact and probability.
However, there is still a blind spot. This methodology suggests that two similarly rated risks have the same potential to destroy shareholder value.
It doesn't take into account the speed at which the risk will materialise or the relative potential to mitigate the risk. There needs to be a third dimension of risk management.
Take an example from everyday life. As an Australian male I am 13 times more likely to die from heart disease than from a transport accident. Clearly both risks are high impact, yet heart disease is many times higher in probability.
Here is where the traditional two dimensions fall down: with heart disease I am likely to have many years and opportunities to mitigate the risk – avoiding cream buns, for example. A car crash will happen in seconds, and I won’t be able to do much to save myself in those few seconds.
What we need is a third criterion that embraces the velocity of the risk and the potential to mitigate it. At Plexus we call this ‘risk resilience’.
We define resilience as 'the speed at which an organisation can detect and mitigate a risk'.
Resilience = risk velocity (speed) x mitigation potential
A manufacturing client of ours recently shared an example of where this played out.
They had prioritised their review of procurement contracts based on the dollar value of the agreement.
An engineer purchased a $1,000 piece of equipment which, because of its quantum, did not require any Legal review. The equipment subsequently failed, shutting down the plant and costing the company tens of millions of dollars. They discovered they had no recourse for consequential loss in the vendor’s agreement.
Hence, although the risk in this agreement was, at first glance, low impact/low probability, the company had very low resilience if the product failed.
With the future of risk management in mind, Plexus applies the simple matrix above to help Legal functions prioritise their involvement in activities like contract review more effectively.
Not only does this improve prioritisation of potential risks, the business loves the approach. It increases the responsiveness of the Legal function and, when applied on an individual contract (clause) level, it gives a far clearer picture of the risks within a contract, allowing them to make informed commercial decisions with future risk management in mind.
As Machiavelli said ‘All courses of action are risky, so prudence is not in avoiding risk, but calculating risk and acting decisively.’