Skip to content Skip to navigation menu
Your browser is not supported by this site.
Please update to the latest version, or use a different browser for the best experience.

Corporate Counsel Connect collection

April 2016 edition

The Insider: “Risk” is the new black

Sterling Miller

Sterling MillerIt’s difficult to be part of any business and not hear about “risk.” It’s everywhere. As my title suggests, risk is the new black. It’s on the lips of every CEO, CFO, and board member, as it should be. And, anything that is important to the board and the C-suite is important to the legal department. In fact, over the past five or so years, one of the key responsibilities businesses are placing on in-house lawyers is spotting and managing risk. The business wants its in-house lawyers to be the ones who sniff through virtually every situation looking for risk (legal or otherwise). What this means is that, more and more, in-house counsel need to be masters of the company’s business operations and strategy (both short and long term), because you cannot successfully spot and manage risk unless you understand how the company operates and where it wants to go.

Generally, when asked about risk, most in-house lawyers respond retroactively, i.e., we talk about risk in terms of things the company has already experienced – a recent lawsuit, a data breach, an internal investigation, etc. While this is helpful, it is only part of the calculus of identifying risk. The harder part (and the more valuable skill) is being able to look forward and see risk. While a more valuable skill, my experience is that there is little to no training around how to “look for risk,” let alone how to evaluate it or report it. For many in-house lawyers, myself included, it is largely a self-taught skill. My goal here is not to write a treatise about risk or risk management. I have read enough of those types of articles to know that they look really impressive; have complicated charts, graphs, and formulas; but most are hard to apply in the everyday, fast-paced in-house world. I want to set out a handful of simple ideas and processes you can use to spot and identify forward-looking risk and to evaluate and manage that risk alongside the business. Hopefully, with just a few guidelines, you will be better able to fulfill the demand from the business that you become “Risk Spotter in Chief” or, as I was often called, the “Risk Guy.”

What is risk?

When we think of “risk,” we tend to think only of bad things. Yet, not all risk is negative. Avoiding all risk is not the way to run a successful business, sports team, legal department, research facility, military, or pretty much any organization you can name. Taking risks is important to the success of any endeavor. There is risk in any merger, for example, but companies still take that risk every day because there may be a big financial payoff. There is risk in “going for it” on fourth down in American football, but teams still take the chance because it may allow them to win the game.

It's important, then, to not always view risk as negative. For simplicity, think of risk as a continuum of “degrees of consequences” ranging from negative outcomes to increasingly positive outcomes:

Risk/Outcome Continuum

Risk Outcome chart

The key is your ability as in-house counsel to understand the different consequences of what you, or the company, want to do, where those consequences fall on the above continuum, and how everything balances out when the good and the bad are added up (i.e., “value creation” vs. “value destruction”). Where the negative consequences clearly outweigh the positive consequences and the downside is material, you probably do not take the risk or vice versa. The really hard part is when the negative and positive consequences are close or nearly equal. Now you have the premise of what I call the “risk conundrum,” i.e., how do you best manage a situation that has nearly equal negative and positive outcomes? As they say, that’s why the C-suite gets paid the big money. And because the C-suite wants to keep making the big money, they want their in-house lawyers helping spot and manage risk with the goal of helping the business get to positive outcomes.

Types of risk

As in-house counsel, I made it simple for myself and categorized risk as either “legal” or “strategic.” Legal risks are things lawyers are very familiar with, including such broad categories as:

  • Compliance risk
  • Litigation risk
  • Regulatory risk
  • Security risk (e.g., is the physical plant a “safe” work place)
  • Information risk (e.g., data breach, theft of trade secrets)

Strategic risks are things that the business leaders tend to focus on that are critical to the survival of the business, such as:

  • Financial risk
  • Marketplace risk (e.g., competitors, disruptive technology/business model risk)
  • Succession risk (e.g., sudden death of a CEO)
  • Major political uncertainty risk (e.g., a political coup, currency devaluation)
  • Natural disaster risk (e.g., pandemic, earthquake, flood)

These lists are not exhaustive and my two categories of risk are not mutually exclusive. In fact, they often overlap:

Types of risk chart

For example, the bank/financial markets meltdown in 2008 in the U.S. (and elsewhere) included both strategic risks (severe financial problems for most companies, governments teetering on default) and legal risks (regulatory and litigation problems for many companies). Similarly, in the U.S., there is a constant battle in Washington over H1-B visas (i.e., visas given to highly-skilled foreign workers so they can fill jobs U.S. employers have difficulty filling from the domestic work force). A company may have a strategic risk in that if it cannot find enough qualified employees with the right skills to perform critical jobs, the business will be negatively impacted. The company also has a legal risk in that regulations limit the number of H1-B visas and the cap number fluctuates year to year, typically running out in the first or second calendar quarter. Thus, companies must promptly begin the legal process of applying for H1-B visas or risk getting shut out. The most valuable in-house lawyers see the company’s strategic and legal risks, understand how they interconnect, and advise the company on what to do next (e.g., lobby the U.S. government to add to the number of available visas, a process to ensure applicants are qualified for H1-B visas).

Spotting risk

Risk is everywhere. While the company wants you to spot every risk, doing so is impossible. In order to make it manageable, you need to know what types of risk are most important to the company and where to look to get information about those risks. Here are three things to do:

First, you need to either create or become part of a team that spots risk and/or determines what types of risk are important to measure. Many companies have an enterprise risk management department. If so, this is the group you want to insert yourself into in some manner, i.e., as a member, partner, or subject matter expert. If not, you may need to organize a group yourself. This would include internal audit, finance, legal, information security, and members of the primary lines of business. The goal of this risk team, however constituted, is to regularly identify and consider the company’s key strategic, operational, and legal risks. This group will need to evaluate the company’s opportunities and threats across all businesses and staff group functions. And this team will need to constantly update its work product to account for changes in facts, circumstances, or law.

Second, keep your eyes and ears open in meetings: Board meetings, C-suite meetings, “Town Hall” meetings, strategy planning meetings, staff group meetings, etc. There is an amazing amount of information flowing at these types of meetings. As different topics are introduced, quickly run through these questions:

  • Is this something a regulator might be interested in?
  • Is this something that could make customers or vendors upset or bring on litigation?
  • Is this something that, if it became public or goes “badly,” could damage the reputation of the company?
  • Is this something covered by specific laws and does it comply?
  • Is this something you have seen other companies (competitors, etc.) have problems with?
  • Is this something that could severely injure someone (e.g., a safety or environmental mishap)?

This is not an exhaustive list, but it is a “good enough” list that if you hit on any of these, it tells you to do some more digging about the risks associated with the project or idea. You can also use this same list (or any list you care to create) as you read documents or emails discussing the company’s business or when you read or watch third-party information sources (newspapers, television, magazines). As in-house counsel, you should be constantly on the lookout for risk. A list of questions like these gives you a tool to use as you do so.

Third, create a simple “alarm” system to tell you if something bad might be coming your way. Set up an alert in each of the main Internet search engines: Google, Yahoo!, and Bing. Use the name of your company (or any of its subsidiaries) when setting up the alert. You can also add specific topics if helpful. Anytime the search engine finds an article containing the name(s) or terms in the alert, you will get an email with a link to the article. You can also monitor social media regarding your company’s brand. Most of what you get back from these tools can be quickly discarded but every once in a while you’ll find something that requires more attention.

Evaluating risk

In order to evaluate risk and potential outcomes, you need to understand three things:

  1. The company’s business goals and strategy.
  2. The company’s level of risk tolerance, i.e., how much risk will the company accept?
  3. The right questions to ask.

The company’s business goals and strategy (short and long term) should be easily available to you and the risk team mentioned above. Again, as an in-house lawyer, you need to fully understand how your company operates in order to understand its goals and strategies. Educate yourself (and help others in the Legal Department educate themselves as well). Once you know the goals and strategy, you can be on the lookout for developments that could impact either one (negatively or positively).

The company’s level of risk tolerance comes primarily from the board of directors and the C-suite (or in small businesses, directly from the owner(s)). Some companies are very conservative, some not so much. Company policies also set the bar on risk tolerance. Additionally, internal audits and the individual business units/staff groups (including members of the compliance department and the legal department) can and should weigh in on acceptable risks. The most straight forward method of getting this information is to ask the right people through interviews, surveys, workshops, offsites, etc.

When you ask the right people, it is fundamentally important that you also ask the “right” questions. By this I mean finding a way to go beyond discussing historical failures or problems and, instead, attempting to peer into the future and spot new or different types of risk. For this, you and the risk team need to be able to explain to those you are interviewing what you are trying to accomplish with respect to gathering information about risks. If you don’t, and just ask them to “set out any risks you see for the company next year,” you will probably get a recitation tied to past failures, but get little about a potential risk arising from future problems. Regardless, think about the things you need to know from your source, including:

  • What type of risk is it?
  • Under what scenarios would the risk arise/happen?
  • What is the likelihood of the risk occurring?
  • Can third parties cause the risk to the company?
  • What type of harm can arise from the risk?
    • Monetary?
    • Operational?
    • Criminal?
  • What is the best case, worst case, and most likely case for the company in terms of harm?
  • What are the ways we can deal with the risk to minimize bad outcomes and maximize good outcomes?
    • Policies/training?
    • Contractual terms?
    • Insurance?
    • Operational controls?
    • Take a “bigger” risk?
    • Preparation
  • Are there benchmarks or standards we can use to measure against?
  • How can we best monitor the risk/what are the trigger points?

You will likely/should come up with your own tailored list of questions for your company, but the above list covers a wide swath of what you need to know.

Reporting risk

Finally, you need to report risk to the business. This will occur in one of two ways:

  1. A formal risk assessment report (usually prepared by the risk team), or
  2. An ad hoc report (made when necessary).

The formal report will likely go to the board of directors/audit committee and the C-suite. It will be written and follow a fairly rigid process and established format. An ad hoc report may be an email to the general counsel, a memo to the CEO, or an off-the-cuff discussion during a meeting. Regardless of the way the risk is reported, you need to ultimately cover five things: 1) what the risk is; 2) the likelihood of the risk occurring; 3) the range of outcomes the company could face; 4) the options the company has for dealing with the range of outcomes; and 5) a recommendation about which option the company should choose and why.

If you are reporting the risk in writing, be sure to take the necessary steps to preserve any privilege that might apply. If you fail to do so, understand that any writing (email, report, presentation, etc.) may have to be turned over to the other side in the event of a government investigation or civil litigation. This means you need to spend time with the nonlawyers helping them learn to write smart and to know when to appropriately involve the legal department so as to preserve any privilege. Both are important, because poorly drafted or thought out documents discussing risk could be as harmful to the company as the worst risks they describe. Keep in mind that if you work for a publicly traded company, then you will need to identify risks to the business in the “risk factors” section of your public filings.

You will not spot every risk your company faces, and that’s okay, but you need to have a plan in place to catch the most important ones. The simple ideas and processes I’ve set out here can help in-house counsel spot and evaluate risk. A lot of it you probably already know or intuitively understand based on your legal training (though thinking about risk as “positive” can be new). The challenge is translating your understanding and knowledge of risk into something the business values and can use to maximize the success of the company, and therefore the interests of the shareholders, customers, and employees. Being able to spot and communicate risk (and solutions/options) is a core skill you need to develop on the way to becoming general counsel. The key takeaways here are: 1) be constantly alert for risks to your company; 2) don’t just report risk, be prepared to discuss the potential outcomes and options for the company; and 3) don’t create additional “bad” risk by not putting a lot of thought into writing documents discussing/analyzing risk (or failing to teach your fellow employees doing the same how to draft smart documents).


About the author

Sterling Miller spent over twenty years as in-house counsel, including being general counsel for Sabre Corporation and Travelocity.com. He currently serves as Senior Counsel for Hilgers Graben PLLC focusing on litigation, data privacy, compliance, and consulting with in-house Legal Departments. You can follow his blog “Ten Things You Need to Know as In-House Counsel” at www.TenThings.net and follow him on Twitter @10ThingsLegal. His first book, The Evolution of Professional Football, was published in December 2015 and is available on Amazon and at www.SterlingMillerBooks.com.


Keep your attorneys up to speed with West LegalEd Center - LEARN MORE