I spent the last 20 years of my professional life living in the belly of the beast. I’ve been in-house counsel, I’ve served as a compliance officer for seven multinational corporations — and I have the scars to prove it.
My duties were wide and varied. They included drafting contracts, managing litigation, negotiating settlements with plaintiffs and regulators, supporting mergers and acquisitions, providing legal advice to colleagues around the globe, developing and delivering training programs, performing investigations, drafting standards of conduct, and many other similar activities that fill a corporate counsel’s or compliance officer’s day. However, my job in all of these roles was essentially the same: to help my clients understand and better manage their legal and ethical risks.
Having wallowed in the risk management world for so long, it should come as no surprise that there were several occasions along the way in which I found myself locked in a room with other unfortunate colleagues itemizing legal and ethical risks and assigning each a number from zero to 10. For those who have never had the “pleasure” of this experience, you should know that it truly is a special kind of torture. Minutes drag on like hours and hours drag on like days while endless debates ensue as to whether a particular risk should be ranked as a seven or an eight. Invariably, the severe tedium of the proceedings is punctuated by confused discussions regarding the respective merits of discerning the magnitude of “inherent” versus “mitigated” risks.
Despite the most sincere intentions by all concerned to use the product of such tiresome exercises, not once have I witnessed this process yield an ounce of risk reduction in a real corporation. Not once!
This is not to say that there is no utility in itemizing and reaching a consensus on the general identity and magnitude of enterprise risks. However, when undertaking such work, keep in mind that absent real data you are playing a counterproductive game of by-guess-and-by-golly. At best, the work product will lack precision. At worst, it will be pure fantasy and distort, rather than reflect, reality.
To drive home this point, contrast the risk ranking exercise I just described with a risk calculation based on real data. Suppose an engineer wants to calculate the risks associated with a safety valve failure on a boiler. She might begin her work by gathering failure rate data for the valve from published literature. She could also gather data regarding the frequency with which the boiler safety valve activates during normal operation. The engineer could then calculate the energy of a boiler explosion that would result from a safety valve failure and provide reasonable predictions about the likely consequences of such an event. Presuming this work was performed in a competent manner, she could reliably plot the risk associated with the safety valve failure on a likelihood/consequences risk matrix. This is what a “real” data-driven risk assessment looks like.
Unlike such an engineering risk assessment, the typical corporate risk ranking exercise usually operates in a data vacuum. It would be a rare company indeed that had reliable data on the frequency that employees violate the law, let alone the likelihood and magnitude of resulting lawsuits or government enforcement actions.
Nevertheless, if you find utility in performing a risk ranking exercise, I recommend that you spare yourself unnecessary agony by simply assigning a risk designation of “high,” “medium,” or “low” rather than using a numerical scale. But, whatever you do, don’t let that activity distract you from performing a far more important task: evaluating the reliability of the systems you are counting on to manage your enterprise risks.
Focus on your corporate functions
Willie Sutton, the notorious American bank robber, is quoted as saying that he robbed banks “because that’s where the money is.” If you’re really interested in engaging in an exercise that will make a material difference in your organization’s capacity to manage its legal and ethical risks, you’ve got to focus your attention on those parts of the organization that are charged with managing the bulk of these risks. In most companies, this task falls to individuals working in corporate functions like law, compliance, human resources, quality, regulatory, finance, accounting, safety, and environmental. These folks do the necessary heavy lifting every day of the week to ensure compliance with legal and ethical standards in the highest risk areas.
Even though corporations may spend tens, if not hundreds, of millions of dollars on an annual basis to sustain and operate their functional groups, many do not have a systematic means of determining the reliability of the systems such functional groups create and operate to perform their work. Moreover, as often as not the “mandate” to ensure compliance with complex legal and ethical standards exceeds the “means” provided to these departments to achieve their objectives. This leaves many organizations with weak compliance and ethics management systems that make the enterprise vulnerable to some very unpleasant surprises. So, when you begin digging into how well your functional groups are operating, don’t be surprised to find many significant opportunities for improvement.
Generally speaking, I’ve found the most significant obstacle to performing this kind of risk assessment work is political rather than technical. Functional groups in corporations often operate like little fiefdoms and tend to resist scrutiny by other functions. This, of course, is one of the primary reasons that significant system weaknesses can persist for decades unbeknownst to company management — until there is a major crisis. Overcoming internal opposition to routine assessments of how well your corporate functions are managing legal and ethical risks is likely to be challenging. But, if you really want to get serious about better managing these risks, find a way to work with your leadership to implement a systematic approach to measure the effectiveness of the systems you and your organization are counting on to stay out of trouble.