Managing risk in-house
- Subtitle: Cover Story
Photo: Sandra Strangemore
Although sometimes it also depends on your business — in some sectors taking risks is what drives business forward and increases competitive edge.
A critical skill in managing business these days is knowing how much risk to take to make sure a business is competitive yet playing by the rules at the same time.
In some cases risk is episodic; however, structured enterprise risk planning should be a part of every organization. Risk management was the topic discussed at the annual roundtable organized by Canadian Lawyer InHouse in co-operation with the Association of Corporate Counsel. The seventh annual InHouse/ACC General Counsel Roundtable included legal department leaders from a variety of sectors, all with varying degrees of risk to consider in their organizations.
This was Veta T. Richardson’s first roundtable as the new president and CEO of the Association of Corporate Counsel.
This is an extended version of the article that appears in this month’s print and digital edition.
This year’s participants were Mark Adams, senior vice president, general counsel, and corporate secretary, AGF Management Ltd.; Megan Evans, chief legal and risk officer, The Hospital For Sick Children; Nathalie Clark, general counsel and corporate secretary, Canadian Bankers Association; Brian Hilbers, general counsel, Bruce Power; Av Maharaj, vice president and chief counsel, International, Kellogg Co.; and Veta T. Richardson, president and CEO, Association of Corporate Counsel. InHouse editor Jennifer Brown moderated the discussion.
INHOUSE: How do you view and manage risk in your organization?
AV MAHARAJ: We have varying risks around the world. With approximately 33,000 employees and manufacturing facilities in 17 different countries and products distributed, the risks are varied and the challenges are different almost daily. It is definitely a challenge to figure out which one you have to deal with. We do have a very well-developed enterprise risk management system and that’s something we are very proud of and something I am actively involved in and leading the charge, as it were, for the international operations for Kellogg Co.
VETA T. RICHARDSON: We recently completed a 2011 census and a survey of chief legal officers and one of the things we asked was: ‘What are some of the most pressing issues that you have to grapple with in your departments?’
The top three issues they are focused on were compliance in an increasingly regulatory environment that's worldwide in scope, keeping their arms around what's going on within their company, and just keeping apprised of all the activities enterprise-wide. That’s what general counsel say they are focused on in terms of risk.
NATHALIE CLARK: I don't have a traditional role that you would typically see in a large publicly traded company. My role is mainly a role of lobbyist.
I do head a committee that is comprised of all the general counsels within the big financial institutions. We identify issues that are industry-wide that need our attention and representation before various levels of governments, whether federal or provincial.
I also head the Fraud and Security Department at the Association. So my role as a general counsel is very broad. I am part of the management team and I’m responsible for risks. The risks that we face as a trade association are mainly risk associated with media.
So there is reputational risk for the industry, but risk associated with regulatory compliance with lobbying legislation, which is quite sophisticated, as well as competition risks.
BRIAN HILBERS: One of our core competencies is managing risk. As you can imagine, in a nuclear facility, we need to understand what those risks are and effectively manage that risk. We are very, very good on the operational side at managing risk. We are moving towards better managing risk on the non-operational side, whether that's financial risk, reputational risk, safety risk, et cetera. From my perspective, the biggest issue today is trying to get ahead of those risks, trying to put in place the processes and procedures and putting in place a culture that we are able to actually effectively manage risk as an organization.
MEGAN EVANS: Risk is something that we know quite well in the sense that we are providing very complex care to very, very sick children. I think our journey sounds much like yours, Brian, in a sense of we are very good at managing the risk on the clinical side and we are now in the middle stages of rolling out an enterprise risk management framework to consolidate that across all of what we do. I am responsible for legal, risk, privacy, freedom of information, and the duties of the corporate secretary for the organization.
MARK ADAMS: Risk management is clearly embedded in my role and I oversee the compliance function as well. My executive team colleagues look to me as the moral compass of the organization at times, and that sort of embeds itself into discussions around risk management, and you are seen as a leader in that regard.
We have a pretty good enterprise risk management system that our executive team is deeply involved in but beyond that, episodic risk is probably the first and foremost thing that I deal with on a day-to-day basis. As a legal person that is form and function of what we do, and it's embedded in almost everything, every decision we help make for our organizations.
INHOUSE: How is risk management formalized in your organization? Is there a special risk management committee you are a part of?
HILBERS: Our culture is a reporting-type culture, so we have a process known as a "station condition report" where anybody who is an employee or a contractor on our site, on a daily basis can file a report which traditionally has been used in the operation world, but has been extended to other things, so you will get reporting on everything from a cut finger to a major risk or major concern that somebody has with a management practice.
On a daily basis, the executive team and others in the organization are able to look at this database and see the issues. You can see what's percolating on the shop floor. That's sort of the starting point. We have metrics where we manage the number of reports we get and we try to push those reports.
We have a formal structure, as well. In the law division, for example, we have a risk log that we manage. That risk log feeds into a higher divisional risk log, which feeds into a corporate risk log. That risk log is reviewed on a monthly basis at the executive team level, and that risk log is then reviewed at a director level on a quarterly basis. We try to get ahead of those risks and try to put in place processes and procedures and try to proactively ensure these risks do not manifest themselves into something major in the company.
EVANS: Accreditation Canada now requires that hospitals have an enterprise risk-management framework in place. So the hospital started this journey a few years ago and we are at the stage where we have a very robust risk register and a framework for who owns the risks and how we report on the risks. We are looking now to take that next step forward to make it a process, to embed it in our operational and strategic planning and in some of the other frameworks that we use across the organization.
CLARK: Since 2008 and the global financial crisis, all financial institutions globally have been facing an increasingly challenging world where regulation has been adopted at all levels of the operations of the bank, so the risk has been identified as high. So one of the things we are observing definitely as an association is that this regulatory reaction, if you will, has put a very important burden on our financial institutions, especially on the ones that are smaller institutions.
RICHARDSON: We established an office of compliance that reports to our general counsel that serves as a base for addressing what is, for us, more financial and reporting-related risk related to all these enterprises and to ACC. In our recent survey we saw that 12 per cent now have risk management/insurance that report to the general counsel, as well. So what we saw overall in terms of general counsel is taking a more proactive stance and trying to be more risk-preventive in their corporations.
MAHARAJ: I think the big issue for enterprise risk management is likelihood of risk, and then what's the size of the risk? If you plot those two things out on a graph, things actually become fairly straightforward. Obviously, there is reputational risk you have to layer into that as well. But if you can identify the top right quadrant, the high-risk, the high-likelihood events, that's where you should be spending your time. Ultimately you should be able to say, 'OK, high risk, high value. Here is my plan. Here are the steps I'm going to take.'
ADAMS: Our enterprise risk management is about the things that ultimately put you out of business, but it's also the things that aren't, the legal compliance risk. We can't be there to manage everyone's risk. It's up to the businesses.
INHOUSE: Would you say risk is the top item you spend time on now or is it just one of the list of three or five top things that's on your agenda?
HILBERS: To me, it's part of your day-to-day activities. It's part of your DNA as counsel of a large corporation. For us the value proposition of our law division is to provide business-oriented legal advice, which affects positively the bottom-line profitability of the company.
The only way you can provide that value to the company is to be able to provide that risk-mitigation strategy. You want to be understood and be able to articulate what those risks are and develop really strong relationships with the key stakeholders in the organization, so that they will come to you with those risks and you will be able to provide input, but also be very courageous. Be able to say no when you need to say no. As long as you have strong relationships, it becomes easier to be courageous in the face of risk.
EVANS: If I reflect on it at Sick Kids, the hardest part was getting my head around what the risk tolerance was of the organization. If you really understand the risk tolerance of the organization and the areas that are impacted, it sometimes helps you to provide advice that's better suited for the organization. I think ultimately, it's been part of my success within the organization.
MAHARAJ: I think one of the issues is understanding the risk tolerance of the organization, but also having a deep understanding of your business is really required because if you don't understand your business, how can you give that advice in a meaningful way? The other thing is we are talking about risk mitigation. I was in China at one point and the president of international turned to me and said, 'Are you in the risk elimination business or the risk mitigation business?' I responded, 'There's no such thing as risk elimination.' I don't think any of us could sit around the table and say, 'If we do "X," the entire risk is entirely eliminated.' So if you understand the business, understand that we are trying to mitigate risk as much as possible, I think that gets you into a good place.
CLARK: I completely agree with Brian that risk management should be part of your DNA. As a general counsel you need to understand very deeply and intimately the vision and the strategy of your organization.
For me, that's the starting point and then you build on that and be part of the senior management team, as well, so that you're there on a weekly basis at the senior management table, and you understand the challenges and the various initiatives that all your senior colleagues in the organizations are going through. I think that helps you understand the business, how the vision is being operationalized, and you can offer so much more practical guidance looking at legal risk, but risk in general, I think.
I would say the biggest risk that we have to manage as an organization is the reputational risk, and it is absolutely the most important risk and a lot of our risk management activities are developed around media, social media, media in general, relationships with regulators, policy-makers.
The biggest risk that we need to manage as an association is how the world perceives the Canadian banks.
INHOUSE: Nathalie, you mentioned social media. How much damage can social media cause?
CLARK: Social media is definitely something we monitor on a constant basis. We discover very often in social media that some reports or papers are going to come out in a few days that are very damaging for the industry. A good example of that is a report that came out about bank bailouts in Canada. Through social media we identified this risk three days before the report came out. Social media is something that you absolutely need to monitor when you are a trade association. We were able to respond in a much better way to all media inquiries that we got.
MAHARAJ: Social media is moving so quickly. The question for Kellogg is how do we play in that space? What is the risk involved, because I definitely think there is a reputational component. There are also the issues of third parties using your brand inappropriately online and ultimately, the question is how do you respond? As it develops, as it grows, you really have to look at when do you have to play in that area; when do you have to not play in the area because there are some times when the best strategy is to do nothing. I think it's only going to get bigger, bigger, and bigger and more complicated and how, as general counsel, are we going to deal with that issue is an ultimate question.
RICHARDSON: I think one of the things that has been on the minds of our members is how to be more proactive in use of social media in terms of response because a lot of time, the focus is on potential areas of liability — your employees who are online inappropriately, but also how social media can be used as a tool to be able to quickly respond and correct.
EVANS: We've had circumstances where a staff member has had an extremely frustrating day — a 12-hour nursing shift with a patient who is violent — and they go home and post something on Facebook about what happened. From a privacy perspective, that's obviously a huge deal for our organization. In one particular case, the person didn't have any privacy settings on their account, so it wasn't that it was just their friends that could see that; it was out there for the world and it was clearly identified that she was a Sick Kids staff member.
Certainly that patient's family, if they had seen that, would know for sure that that was their child. We obviously have to respond to that kind of thing and it's really quite astonishing to realize the level of understanding people have about the fact that that stuff is public unless you take steps. We found the need to extend our privacy training, which we already do, into considering things that have to do with social media.
ADAMS: The other thing with social media is sometimes your lack of presence there is more telling than being there. So organizations, on the product/marketing side, feel the need to be there so you've got to deal with all the controls to put in place.
I'm anxious for the day that we’re having to respond to Twitter and blogs and they are going to be coming to the legal office every day. This is also an area where the Facebooks of the world and LinkedIn change their rules unilaterally. That's just the way that industry works.
I think the tougher stuff is getting an arm around your employee base, and particularly when you have a sales force.
CLARK: You can have the best policies, the best controls in place, but you need to ensure that your staff understands how it transpires into their day-to-day job.
INHOUSE: How do you approach mitigating risk?
MAHARAJ: As an example, for advertising and marketing, we have a very collaborative process at Kellogg where legal is involved, marketing is involved, the nutrition groups are involved, so things get vetted at an early stage. So if there is a crisis, you can go to one of these processes and figure out what just happened. Being trained in crisis management is critical, and it’s not just about raising your hand and saying, 'By virtue of the fact I'm a lawyer, I can manage crisis management.' I don't think that works.
RICHARDSON: We had a conference for our European chapter members in Amsterdam and they ran a couple of drills where they took hypotheticals and quickly concluded that there was no right or wrong approach, but it's the process that's important; having that in place to know who is your team, who are you going to turn to? How will information be communicated to keep all the players up to date and involved? And what will be your centralized approach to handling whatever it is that you might face? It all turns back to having a process that seems to be the defining factor between handling it successfully or handling it in an unco-ordinated fashion.
CLARK: It's actually one of the key roles of the CBA to provide some support for crisis management. For example, during the G20, obviously banks were targeted — their facilities, their branches, their employees. So we had a team within the CBA of different backgrounds managing internally a group of external bankers to ensure the response was an industry response on top of individual responses. Decisions were made like closing all our branches in the downtown core. In times of crisis the CBA will host committees comprised of risk-management people, business continuity people, as well as security people.
EVANS: For us, it's through committees. Each of the subject matter expert committees look at the risks that are related to their subject matter expertise and then there's a rollup to the board. The board ultimately, in our case, has retained the responsibility for the framework where I understand, in other circumstances, it can often get delegated down to a risk committee or a finance and audit committee. Given the nature of the hospital's business, they want that big-picture look kept with them. With respect to any risk that is significant we don't want our board to hear about anything in the media that we haven't discussed with them first.
They are interested not so much in just what's the mitigation strategy for these big-ticket risks, but how do we know that those risk mitigation strategies are working?
ADAMS: With our board, the reporting that goes in to the audit committee on a quarterly basis is through the internal audit reports. That's sort of the end result of it, just going through the different business groups and highlighting the areas of concern that may start out as a procedural or a process issue, but that's where you ferret out some sort of systemic issues.
We have different compliance groups embedded within our organization and they all trickle up their reporting through one report to the audit committee and then ultimately to the board.
That's where the episodic risks come through, I think, and that's where the board can track. The last thing you'll want is your board finding out about something through the media that they haven't even touched upon. I think the board gets its comfort through the processes that are put in place. It's only through those real-life situations that you kind of test out all the cobwebs or what's working and what doesn't in those things.
HILBERS: What we do on a quarterly basis is produce something called "legal briefs." We take the major issues that are both external and internal and explain what has happened in the industry or elsewhere and then actually apply them to Bruce Power-type situations and say, “These are the sorts of things you should be aware of and this is what you should do in these sorts of situations.”
INHOUSE: What is the role of external counsel with respect to risk management? Are you discussing your risk-management plans with your external counsel and asking them to help you with it, or are they approaching you?
ADAMS: I think the enterprise risk-management framework is more embedded in the business. External counsel are not living the facts. I think they can feed into it if there are discrete questions, particularly if it's dealing with regulatory risk or something like that, but there are so many different things on your ERM that they just don't have that much insight into. I think they get more involved, at least from my standpoint, on the episodic risk.
There's a lot that in-house counsel brings to the table, first and foremost because they are close to the business. They can understand why the risk happened the way it did or what the issues are. In terms of external counsel coming to me personally or even the organization with ERM, I'm not sure it's that much on their radar screen yet.
HILBERS: I would agree with that. We have had a strategic partnership with a couple of law firms for about a decade now, so the benefit of that is our external has a pretty good knowledge of our business; not as great as, obviously, in-house counsel does that lives it day-to-day, but they have a pretty good knowledge of our business.
From my perspective, I'm looking for my in-house counsel to provide that enterprise risk-management service. That should be part of their service and there's expectation that they provide that, as well. For example, there are certain files that we have no in-house lawyers on. It's all dealt with external counsel. My expectation is that they will deal with those files and deal with those matters in a similar manner as we would, and have an understanding as to our risk tolerance. It is very difficult to get your external counsel to understand your risk tolerance — understand your risk tolerance and provide that risk-adjusted advice externally.
MAHARAJ: I just think the role of in-house counsel has evolved in Canada over the last five or 10 years. We are part of the business and so we look at it from that perspective. External counsel looks at your business very, very differently. The very, very good ones can make that jump, but one of the reasons why good in-house counsel have been successful is because they are part of the business.
RICHARDSON: I think that's the value that in-house counsel brings. When you look at managing risk, you are looking at identifying what the potential challenges might be, assessing how that impacts your business, and then responding. I think the role outside counsel can play is in the identification side. They can raise the flag and say, 'Hey, there has been this new law or new regulation. This could impact a sector.' But the role in-house counsel plays is they know and understand the business and how the different challenges that may come to fore will impact your operations, and then being able to take the next step and look at how does that impact risk in terms of your overall enterprise and what are the steps that you can put in place to manage or mitigate it.
EVANS: We use our claims history to inform our enterprise risk-management planning and we look at critical occurrences to help us with refining mitigation strategies, et cetera. We have had the same external firm doing our claims work for us for 20, 30 years. So we have engaged a number of the lawyers at that firm who have been very involved with our litigation over the course of a number of years to sort of be an independent observer in terms of how that part of our risk-management framework has developed. It's been very helpful sometimes to have somebody who is looking at it from a very narrow perspective and not in the business on a day-to-day basis, and we have learned a lot from them.
MAHARAJ: Enterprise risk management will be a tough nut to crack, to get real value from my external counsel to be really involved in that process.
HILBERS: I would suggest, though, you challenge your external firms to provide that service and that value. Look at the fees that you are being charged. You need to challenge them. We also evaluate our external counsel on a quarterly basis. One of the evaluations is knowledge of the business and another one is value-added services.
EVANS: While they may not know your business as well as you do or members of your team do, they oftentimes, if they're really good at what they do, know the industry really well. So when we are talking about trending or seeing that black swan before it arrives in your pond, sometimes they are able to bring things to your attention that have yet to hit your radar screen.
HILBERS: You have to show them that that's important to you and tell them that that's important to you, and you're expecting it.
CLARK: The regulatory risk and how it will impact an industry at a high level is really something that outside firms have mastered, definitely in the financial services area. So, very often, you will receive a phone call or see a little publication come out on their web site where they tell you, 'This is coming. There's a bill pending,' or, 'There's a new piece of regulation and we think it's going to impact your business in this way or that way.' I think you use your outside counsel as someone with the resources to monitor laws and regulations applicable to an industry.
Published in InHouse Cover Story