What is risk?
The informal notion of risk as the chance that something bad might happen is not a bad place to start defining risk. Better management requires a better definition though. We need to break risk into distinct parts that are measurable.
Risk is the probability of loss given an event
Mathematical precision is possible and desirable in some cases. Large financial firms, for example, have sufficient data about operational losses that they can build predictive models based on experience to measure risk. They are the exception.
To illustrate how we might define risk in statistical terms take the formula:
R = p * LGE
In this case R stands for risk, p for Probability of Event expressed as a percentage, and LGE stands for Loss Given Event. LGE is a measurement of the financial harm from an event. LGE can include non-financial losses, but they must yield to measurement for the formula to quantify risk.
Most organizations do not have the data or resources for (or confidence in) abstract models of risk. Organizations without statistically valid loss data can still measure and manage risk, particularly legal risk, by simply moving a few steps toward quantification, away from the “bad stuff” notion.
Risk under ISO 31000 offers an alternative approach
The traditional approach to risk suffers from another important deficiency. It focuses only on losses, presumably because the origins of risk models are in insurance (how much to charge for protection from “bad stuff”?) and credit risk (what happens if the borrower doesn’t pay?).
In 2009, the International Organization for Standardization (ISO) released a fresh approach to risk and risk management: ISO 31000:2009 Risk management – Principles and guidelines.
ISO 31000 provides a new definition of risk that is especially useful for measuring legal risk. Risk is the “effect of uncertainty on objectives.” Risk management then starts with identifying uncertainty and then evaluating effects (positive and negative).
Legal risk is difficult to measure. However, with the help of the ISO 31000 definition of risk, we can express legal uncertainties and then measure them and their potential effects. We may not achieve mathematical precision, but we can achieve better management.
Four types of legal risk
There are four broad categories of legal risk, or four areas of legal uncertainty: structural, regulatory, litigation, and contractual.
Litigation risk
Litigation is the most discussed legal risk in organizations. Litigation is often public and always distracting. The range of events that cause litigation is broad: employee misconduct, accidents, product liability and so on. The list can seem endless.
When management meets with the lawyer to discuss “What is the chance we will lose this case and what are the likely damages,” it is too late for risk management. Prior to litigation, we need to identify the areas of uncertainty that affect our objectives. Risk management is not fortune telling. Instead, we want to narrow the possible outcomes from particular events.
For example, a court case in an influential state invalidates a fee charged to consumers as an undisclosed interest charge subject to compensatory and punitive damages. Our organization charges a similar fee. However, the fee is charged a certain number of times and in known states. The statute in question carries known penalties. We have the building blocks to measure and manage legal risk from similar litigation.
Organizations invest significant sums to prevent litigation. It is helpful to weigh the cost of the risk management against the possible outcomes.
Contract risk
Contract risk is the most pernicious and difficult to track among legal risks. The traditional approach to contract risk focuses on a breach of contract by one party and the extra-contractual liabilities that might arise. This approach treats each contract individually and in isolation.
Most organizations focus their contract risk management strategy on drafting effective agreements. Quality contract drafting is necessary, but not sufficient to manage contract risk. There are cases where one contract can create significant risk, such as:
- An exceptional share of revenue is tied to one contract,
- Procurement or service contracts for critical components allow for disruption or price escalation, and
- The counterparty does not indemnify us for damages that carry exceptional consequences like unpaid taxes and environmental problems.
Most individual contracts, however, do not, on their own, have the gravity of litigation. The substantive, common and difficult to track risk is the uncertainty that arises from the contract portfolio in its entirety. Systemic under-management of contracts creates expense leakage and missed revenue opportunities.
Regulatory risk
The growth of the administrative branch of government is daunting to most business leaders. Regulatory risk represents the uncertainty of the consequences of an agency’s action.
A few examples will illustrate the point:
- A transportation company applies for a license to expand its operations to a new hub. Uncertainty regarding the agency’s decision, as well as the scope of that decision, creates risk. Under ISO 31000 the agency’s decision can have positive effects, but the uncertainty still creates risk.
- A product manufacturer and distributor offers a novel product warranty to generate additional revenue. State insurance commissioners can determine that the warranty should be classified as insurance. They can then impose fines, require insurance applications, impose conditions on the product and pursue civil remedies depending on the state statute.
Identification of regulatory risks is challenging, but the uncertainty about the effects is measurable. Regulations grant powers to the agencies charged with enforcement of the statute and regulations. Penalties range from fines to administrative orders.
Structural risk
Structural legal risk is rare for most organizations. Structural legal risks arise from uncertainty about the underpinnings of a particular industry, technology or method of doing business. When the airline industry was regulated, for example, there was a structural legal risk that the industry would be deregulated.
The scope of a structural legal risk is broad and it usually alters the competitive landscape.
Structural legal risks can arise from sources other than legislation. Antitrust litigation can significantly alter pricing in an industry or key business relationships. Consumer protection enforcement actions can also change the fundamental assumptions of an industry by rendering a marketing practice (multi-level marketing, for example) unacceptable.
Structural legal risk is also a good example of the ISO 31000 definition of risk. We can be uncertain about the change from a regulated to a deregulated industry. The potential effects are varied, some are positive; some are negative. A structural change can benefit one organization while harming another.
Effective risk identification
To identify risks reliably requires a workable definition of risk. The ISO 31000 definition of risk usefully includes “positive risks.” This is the right lens for identifying legal risks and, ultimately, managing legal risks.
Risk is an information problem. We can manage risk when we understand the scope and components of our uncertainty. This approach to risk can guide the organization in developing a risk management strategy.