General Counsel as Risk Management Leader
It is almost a cliché now to say that the general counsel is also a risk manager. Whether as in-house corporate counsel or outside business lawyer, risk management is top of the agenda for most general counsel. What does it mean to say that the general counsel is a risk manager? The answer depends on the general counsel’s role. There are specific and concrete actions based on each distinct role.
Focus on the general counsel as:
The contributions to risk management in the company turn on which hat the general counsel is wearing.
At the top of the organizational pyramid, the general counsel provides legal advice and often exerts a significant influence beyond strictly legal decisions. The first task for the general counsel in the board or ownership context is to illustrate the benefits of risk management as a discipline. It is important to communicate these benefits in financial or economic terms as much as possible. The benefits of risk management can and should be expressed in terms that resonate with the rest of the board and owners.
Risk management increases the value of the organization by improving the measurement of and response to uncertainty.
Once the board and/or owners (the “governing body” or “oversight group”) appreciate the value of risk management, the general counsel can help this oversight group understand the types of risk relevant to the organization.
Many risks are not worth the bother. For example, is it possible that foreign currency risk could affect the firm if the Japanese Yen suddenly rises in relation to the U.S. Dollar? Sure. But for a US company with no Japanese customers or suppliers foreign currency as a class of risk is not germane.
The objective at this stage is to identify the broad classes of risk that the risk management framework should cover. When a board understands the contours of risk appropriate to the organization, senior management can develop the framework in detail.
It is important for the board and the general counsel to connect the risk framework back to the organizational objectives. Here the board has a unique role to play. If the strategic plan calls for 10% organic growth, then risks related to that objective get priority. Even objectives like improved reputation can shape the risk framework.
Once the risk framework is developed and implemented, the board will begin to receive a consolidated report of enterprise risk. The discussion of those reports will inevitably trigger a review of the framework itself. This review is not a sign that the framework failed. It is part and parcel of the risk management process. The general counsel would do well to remind the board that continuous improvement is one of the benefits of the risk management process.
Finally, as advisor to the governing body, the general counsel will help draft a communication to senior management and stakeholders. Companies which are publicly traded or operate in regulated industries must communicate their risk management plan in compliance with governing law.
The general counsel serves as advisor to the governing body of the organization. As such, the general counsel should: communicate the value of risk management, shape the development of a risk management framework, ensure alignment to organizational objectives, and communicate the risk management plan to stakeholders.
The general counsel is also a member of the senior management team. Of course, the general counsel serves as the chief legal officer of the company, but is also part of executive team making business decisions. The senior management team needs to accomplish four tasks to bring risk management to life.
First, they need to adapt and fill out the details of the risk management framework from the oversight group. Guidance from the oversight group might be detailed or sparse. The management team will need to complete the risk management framework.
Second, the executive team will need to communicate its adaptation of the risk management framework. Moreover, it should be apparent that the framework is embedded in the strategic plan and the operating parameters of each group represented on the management team. If risk management is an isolated document or process it will probably fail.
Third, one of the best ways to communicate seriousness about risk management is to allocate sufficient resources. Specificity wins the day. Resources include named roles, budget line items, and measured activities like training. Risk management resource allocation should happen within each functional area. This does not mean there is no room for an independent risk management function. It only means that risk management should be embedded in the organization.
Fourth, senior management needs to assign authority and responsibility "At the appropriate levels within the organization." There are certainly industries where a strong, independent risk management function makes sense like banking and insurance. Risk management as a discipline, however, is best practice within the core of the business as part of regular operations.
On the flip-side, if risk is assigned to everyone, then no one will manage risk. Senior management needs to consider the size, geography, and the nature of its business to find the "appropriate level.” The objective is to have people (not one person) throughout the organization who have primary responsibility for risk within the orbit of their job duties.
Senior management has some heavy lifting to implement risk. They need to:
General counsel can help senior management accomplish these objectives. General counsel should, however, also participate as a member of the team not just as an advisor. Legals risks are a class of risk that should be part of the framework.
Once these objectives are completed, senior managers will include risk reviews as part of their regular meetings. Risk will be common-sized and comparable across departments, divisions, and lines of business, including legal risks.
With the enterprise risk framework in hand, the general counsel heads to the legal department to adapt the framework for legal risk. The legal department will use the adapted framework to manage legal risks.
How does legal risk management differ from the regular work the general counsel performs everyday? Like the rest of the organization, risk management allows lawyers to express the value of their work in terms accessible to the rest of the organization. It is a supplement to their legal analysis and work product; not a replacement.
The general counsel aims to measure and manage legal risk. Legal risk management allows the general counsel to common size contract, litigation, regulatory, and statutory risks. General counsel can use the company's risk management framework to perform legal risk assessments.
There is a more complete description of the steps for implementing a legal risk management framework in “6 Steps to Legal Risk Management."
With a standard approach for measuring legal risk, general counsel can produce a legal risk register. The legal risk register is the principal report to communicate legal risk to the rest of the organization.
Legal risk assessments and the legal risk register allow general counsel to give insight into the portfolio of risk. They also translate a lawyer's view of an issue into terms that a business colleague can understand, because each risk has a single risk rating which is transparent and grounded in the objectives and strategy of the entire organization.
General counsel are instrumental in the development and implementation of risk management, acting as the advisor to the board, member of the senior management team, or as head of the legal department. The general counsel works as risk manager at both a strategic and operational level.
International Standards Organization (ISO) 31000:2018 5.2. ↩︎