It could be argued that from the time that students first enter law school they are being trained as de facto risk managers. Students are typically asked in their exams to “spot the issue” and spend hours learning the various legal pitfalls (i.e., risks) that may face future clients. In practice, lawyers continue to play the role of risk managers as they are called upon to manage and minimize the risks that clients face in their daily business operations. Despite this considerable grounding in working with risk and counseling clients on methods to minimize and avoid risk, seemingly very few law firms in Canada actually engage in any sort of structured or coordinated risk management activities for their own organizations.
Early thinking about risk can be traced to the Renaissance period, when mathematicians began to study probability in an organized fashion. Not long after, the management of risk began to be considered in a business context when insurance and other financial products such as futures were created to account for commercial risk inherent in activities like farming and shipping. The modern discipline of risk management in North America has much more recent roots, however, and can be traced to a period in the 1970s when a variety of federal agencies in the United States, including the U.S. Nuclear Regulatory Commission, began to embrace systemized risk management analysis. From these beginnings, risk management has grown to become a multifaceted management discipline that is an important component of the strategic management activities of organizations both big and small. The importance of risk management activities has also come to the attention of the general public in recent years, due in large part to the high-profile failure of risk management systems in cases such as the collapse of Enron and the Deepwater Horizon oil spill.
Like many strategic management processes, risk management is not a complex activity; however, it does require the commitment of time and resources to be planned and executed properly. Guidance for the design of risk management systems can be taken from the two most well-established frameworks, being the International Standards Organization (“ISO”) standard 31000/31010 and the framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”). These frameworks both suggest a similar process that includes establishing the context, risk identification, risk analysis, risk evaluation and risk treatment. Despite the somewhat standard approaches advocated by the two leading frameworks, the actual implementation of a risk management system is typically highly customized to each organization’s unique circumstances. Risk management is approached in a somewhat similar fashion to traditional strategic planning, with a professional consultant or knowledgeable staff member leading firm management through a facilitated process to identify, analyze and develop treatment plans for significant risks.
A properly planned and executed risk management strategy can result in a number of considerable benefits to law firms, including the support of strategic and other business planning initiatives, the assurance of effective resource allocation and the mitigation of negative consequences from unexpected circumstances. There are myriad resources regarding risk management available online, and I encourage all those responsible for management functions in law firms to spend some time familiarizing yourself with the topic and considering whether risk management should form a focus of your firm’s strategic management activities in the future.