Rethinking Risk Management

Most risk management advice is based on how to avoid bad things through taking proactive and preventative steps. For example, use checklists on every file to avoid missing crucial steps. Document the advice you’ve given, particularly if your client isn’t likely to follow it. Use retainer letters to set clear expectations for your clients.

Other advice is based on avoiding risk through knowing when to leave well enough alone. The best example is the axiom that a lawyer should never sue for fees, because that is a frequent trigger for a legal malpractice claim or law society misconduct complaint.

But bad things do happen, even to well-prepared lawyers, and not every risk can be managed out of existence. The likelihood is that at some point, even the most risk-averse among us will get caught unawares. What do you do then? How will you respond to the event you’ve worked hard to avoid?

Sharon Nelson posted yesterday about an interview in which cybersecurity expert Bruce Schneier talks about the risks associated with the Internet of Things. Schneier, in his interview with Logikcull, notes that we should all assume our vulnerability to having our data hacked. He says:

I think we have to assume our networks are penetrated — all of us. We have to assume our credit card numbers are compromised — all of us. And we have to build resilience into our systems.

Here’s what I think is missing. Our systems tend to be fragile. We aren’t resilient. We can’t recover. We can’t adapt. We can’t mitigate. We don’t think in those ways. We think in terms of prevention instead of response and recovery. So I think that’s how our thinking needs to change. Resilience means let’s assume the bad thing has happened and figure out how to survive anyway. Let’s figure out how to recover, how to adapt, how to do business even though. It means we focus less on prevention and more on detection and response — and a lot on response.

His comments have me thinking hard about where best to focus resources dedicated to risk management. Is it important in every circumstance to assume the worst and plan for how to survive it? Or is this only important in the arena he’s talking about, information and data management, where so many systems are vulnerable because they operate outside a lawyer’s or law firm’s direct control?

It seems to me that as in most things, what’s needed is a balanced approach in which we take proactive steps to avoid what can easily be avoided and at the same time direct significant effort toward preparing for a comprehensive response when disaster does strike, in whatever form.

What do you think?
