Strategic Risk Management: Art or Science?

 

I just returned from Vienna and the annual conference of our European chapter, ACC Europe. Strategic Risk Management: Art or Science? engaged our more than 250 participants with outstanding speakers from across Europe. The discussions in the sessions and during the breaks were lively and informative. The topics were especially relevant given the recent international financial meltdown and, of course, the Deepwater Horizon environmental tragedy in the Gulf of Mexico.

The panelists of our opening plenary session, Gouverner c’est prévoir or the Art of Strategic Management: How Does Management See Our Role?, encouraged us to take our eyes away from our in-boxes and the possibly low-risk daily legal service demands we are bombarded with, and spend more time identifying and mitigating the larger risks facing our companies. Moderated by David Bernick, Senior VP and General Counsel of Philip Morris International, the panel also examined the role of in-house counsel in strategic risk management.

Other panels discussed the nuts and bolts of risk management, the counsel’s role in company ethics programs, and specific legal and business issues facing companies that do business in Europe. I found each session to be valuable and educational, and I greatly appreciate all our members who served on panels and added so much to the conference.

While at the conference, I read a column by David Brooks of The New York Times on risk and society’s response. His words were both timely and disconcerting. His sobering comments have particular relevance for in-house attorneys and others responsible for risk management in their organizations.

Brooks discussed risk assessment and the intersection of complex technology and human psychology. Technology allows us to live well, but much of it, and the financial and other systems it enables, have become too complex for any single person to comprehend. Yet at the same time, it is individuals who must monitor and make decisions about risk. As Brooks notes, “humans are not great at measuring and responding to risk in situations too complicated to understand.”

He goes on to make five key points:

1. We do not understand how little failures combine to create catastrophes (citing Three Mile Island).

2. We acclimate to risk and think if something worked the last time it will work again (the Challenger disaster).

3. We have too much faith in safety and backup systems (more people are killed in crosswalks than jaywalking because they fail to look both ways).

4. We combine complicated tech systems with complicated governance structures and tangled and confusing lines of authority and responsibility (Deepwater Horizon).

5. We tell good news and hide bad news (just about everyone).

These are challenging times. Brooks concludes that we must go beyond making technology safer and develop better ways to assess risk and make choices that guard against risk creep, false security and good news bias.

The Brooks column certainly came at an opportune moment for the ACCE delegates as we thought about identifying and mitigating risk. ACC staff asked a number of delegates to identify the risks facing their companies and how they approach them.

Thirty-five conference participants responded to our survey and identified the top five risks their companies face. Most commonly cited were: Contractual (66%); Data protection/Privacy (58%); Anti-trust (54%); Regulatory (54%); Fraud (52%) and Ethics (46%).

Most compelling, companies have developed policies to address these risks and to measure their results. The areas for which companies most commonly have policies are: Data protection (72%); Contractual (69%); Ethics (58%); Corporate governance (52%); Anti-trust (49%); Financial (46%) and Fraud (46%). An impressive 64% of respondents said their organizations assess the effectiveness of their compliance programs. And 90% of those that do such assessments use similar methods – audits, either random or regular, of specific business functions; general data keeping about the nature and incidence of compliance problems; and qualitative reporting (for example, a debrief after an investigation).

As we discussed in Vienna, and as the data clearly shows, in-house counsel understand the risks facing their companies, and the in-house bar is actively seeking solutions and putting together sophisticated programs to mitigate these risks and to measure the results.