Irrespective of the size of your organization, or the industry in which you do business, good and accepted practice requires that there be someone responsible for risk management, and that you have internal risk management controls, i.e., a risk management policy or plan, to address risk issues relevant to your business.
Risk management concepts are applied across all businesses and industries, including banking and investment, education, health care, legal and manufacturing, just to name a few. Each industry has its own specific approach and perspective to risk management. There are, however, widely recognized risk management concepts that can be applied to all businesses and industries. These include (1) identification of the potential risks; (2) evaluation of risks to determine likelihood, frequency and severity of risks; (3) prioritization of risks; (4) development of structure and internal controls to mitigate risk; and (5) because risks cannot be eliminated, insuring against risks. Information gathering on these concepts is key to the development of any structure and strategy for mitigation of risk.
As indicated above, each industry has its own unique risks. As general counsel and risk management partner at Phillips Lytle, my obvious focus is on risks related to the practice of law. For example, the risk of missing statutory or court mandated deadlines. In the health care industry, in addition to patient care concerns, risk areas may include accuracy, compliance and patient privacy. Research should be conducted to identify the types of risk concerns that most frequently arise in your industry. In this regard, there is likely significant information available in the public domain that will address risk management issues that are pervasive to your business or industry.
In addition to external research, internal group discussion will be critical to identifying risk concerns. As risk management partner, I am a member of various firm committees for the express purpose of identifying potential risk concerns and gathering information about those concerns.
There are also risk concerns that apply across all businesses and industries. These include, but are not limited to, security and safety risks for the business and its employees; information technology risks; personnel risks, such as discrimination and harassment; and document storage and retention risks.
Once risks have been identified, there must be an evaluation of those risks, which will inform you of important considerations, including the likelihood and frequency of the risk event; the severity of the risk event (even if the risk of that event is not frequent); and the potential consequences of the risk event. Evaluation will also inform you as to whether the potential risk warrants internal control and the level of priority the risk will have within your risk structure.
Some examples here may be instructive. Addressing frequency, I am aware that the breadth of our firm’s client base may give rise to regular conflict of interest issues. Similarly, a risk manager in the field of accounting is aware that, depending on the complexity of a business, there may be risk concerns of material misstatement in the auditing process. Addressing severity may be more difficult, but is equally important. One can foresee that a single event, although infrequent, could lead to a significant loss and even be catastrophic to a business. For example, in construction, given the nature of the work, a risk event could lead to significant injury or the loss of life.
Risk evaluation must further address the potential consequences of a risk event, including the effect those consequences will have on your business. For example, is the consequence of a risk event reputational or financial? Does the consequence preclude continued work in a business segment? To properly evaluate all of the foregoing, consideration of applicable laws, regulations, industry standards and best practices may be necessary.
As a final point on evaluation, it bears noting that thorough evaluation will almost certainly inform the development of mitigation strategies.
Once evaluation of the risks attendant to your business is complete, the risks should be prioritized. Risks should be prioritized by frequency, severity and consequence, with appropriate weight given to each factor depending on your business or industry. Prioritization will provide an overview of all risks and place the focus on the risks that present the most significant threats to your business.
At the outset of this article, I presented my view that every business organization, regardless of size, should have a person with designated responsibility for risk management and have internal risk management controls.
With respect to a designated risk manager function, the size of an organization and the risks attendant to the business will dictate the size of the risk management function. It is not unusual for large companies to have extensive risk management teams. Other companies contract with an outside vendor to provide risk management services. Smaller organizations, or professional organizations such as law and accounting firms, may address the risk management function internally. At Phillips Lytle, because our law practice spans five practice groups and multiple offices, we have clear lines for risk management training and dissemination of information, and clear lines for reporting. Those lines begin and end with the risk management partner.
Internal control documents and risk management policies vary widely from business to business and industry to industry. There are, however, certain sections/topics that should be included in any risk management policy. These include, but are not limited to:
Because risk can only be mitigated, not eliminated, risk management considerations must include insuring against risk. The risk management process, however, will help identify the types and amounts of insurance needed to ensure the continued viability and success of your organization. Moreover, engaging in the risk management process, designating risk management personnel and responsibilities, and adopting written internal controls and procedures for mitigation of risk, may result in insurance premium reductions.
Kevin J. English is the risk management partner with Phillips Lytle LLP and leader of the firm’s Insurance Coverage Practice Team. His experience with insurance coverage matters includes additional insured’s coverage, working with primary and excess insurance carriers to defend the interests of insureds, and monitoring defense claims where the claim exceeds insurance coverage. He can be reached at (716) 847-5447 or mailto:email@example.com.