Tuesday, 3 January 2006

HOW TO MANAGE RISK – A FEW TRICKS OF THE TRADE

In the now not-so-new world of intensified levels of corporate and personal accountability, it has become crucial for all businesses and those involved in business operations to have in place effective systems of risk management. A failure to do so can lead to very damaging business and personal consequences. Of course, the precise requirements to manage a business' risks effectively will depend very much upon the type of business itself. This article is not intended to explore or set out detail of a focussed risk management strategy, but rather to highlight some common themes and to act as a form of checklist for the use of a wider group of risk managers.

To counter-balance the increase and broadening of risk exposures in any business activity, it is prudent to consider very carefully what reductions might be achieved through changes such as improved equipment, procedures or contractual arrangements. Difficulties that can arise have become much more complicated and, therefore, more difficult to avoid and standards expected have been raised by competition, new regulation and the legal framework within which businesses operate. Clients and customers are often less forgiving today, partly because they themselves are also more accountable.

Controlling loss

As highlighted above, the precise nature of risk that needs to be reviewed will vary from business to business. There are, however, some common themes which will apply to most businesses. The first rule must be that any business should have in place a system geared to ensuring easy access to internal and/or external advice in a way that fits well with business operations. Provisions of compliance, governance and risk management advice have developed into stand alone businesses of their own. The fact is that it is essential that the senior management of any business and its legal team review regularly and continually the management and control of risk with the support of whatever external resource may be appropriate. It will often be impossible for any one person to cover all aspects unaided and to try to do so may leave that person vulnerable to attack if something goes wrong.

The second rule must be to recognise the importance of proper communication, both identifying for everyone involved the areas of risk and ensuring that no individual is isolated or unsupported. Every business needs to ensure that there is openness across the business in such matters. Of course, the very core of some business activities is taking risks so we are not always concerned with avoiding risk, but we should always be looking to manage it appropriately.

One obvious area to review is how we communicate both externally and internally. The now very wide use made of electronic communication has made the task of keeping track of business operations more complicated. Contractual obligations are often set in a less formal medium and it is essential to ensure, particularly in the context of international dealings, that everyone involved understands fully the different and potentially great exposures that can arise in every location where the business operates.

By way of illustration, only, of the types of issues that may arise, let us consider activities in the commercial and transactional world and the role of an investment bank. The bank's role can be multi-faceted, but there are inevitable exposures which often result in claims arising from failures to carry out adequate due diligence in gathering information. Given the scope of such activities, it is important to have in place a systematic approach to risk management. Key steps that should be followed, many of which will have an application in other business environments, might include:

1. Review historic loss and claims experience both from your own organisation and other organisations involved in similar business
2. Identify specific areas of the business and the level and nature of risks involved in each
3. Consider existing procedures and how they might be improved to reduce risk
4. Consider the appropriateness of increased supervision or control of specific activities
5. Consider which staff should take responsibility and the extent of that responsibility
6. Consider the adoption of standard procedures and communications with external parties
7. Consider the scope of activities to be carried out and how potential liability can or might be limited 
8. Consider what overall protections could be put in place, specifically insurance arrangements.

By reference to such general categories, more detailed strategies can be applied to specific risk areas. Returning to the specific area of investment banking, you may face exposure as a result of a failure at the outset to allocate responsibility between the client and each of its professional advisers in the investigative process. Inevitably, investigations will be carried out in a tight time frame and new information will come to the table on a near continuous basis. Specific responsibilities can become blurred in this way and in the event of a problem arising, it will be essential to the limitation of exposure to be able to identify the boundaries of the bank's responsibilities. Contemporaneous documentation will certainly be the best way of identifying those boundaries, but of course, only if they were indeed documented!

In order to minimise risk, the bank's role should be clearly defined in writing, making clear not only what is included in the bank's tasks, but also what is not included. All members of the bank's team should be clear about what has been agreed and, if additional tasks are taken on subsequently, these should also be clearly recorded in writing and again communicated prior to any reporting. The work actually carried out should be reviewed and compared with what was agreed to be undertaken. The potential impact of any work not carried out should be analysed and this should also be made clear in a written report to the client, identifying also where reliance has been placed on the work of others.

Similar considerations will be applicable, with a greater or lesser level of focus, to all kinds of business relationships and situations, with special procedures being set in relation to particular areas of the business' operations.

As touched upon above, there may be scope for certain risks to be excluded by contract in particular engagements. Accountants working on transactions sometimes place a financial limit on their liability and the use of such limits has become more widely acceptable in recent years. Perhaps, it is inevitable, however, that there is sometimes a reluctance to introduce such limitations in negotiations for new business. With the increasingly detailed review that regulators carry out in particular areas of business, many businesses, particularly those involved in financial services have had to tighten up their practises. It is, therefore, essential that any business has a good relationship with its regulator. This, in itself, can be an invaluable element of risk management.

In the event that some form of loss does materialise, it is essential to have in place a damage limitation strategy. This is of particular value in the context of a business’ reputation. Any business, against which a claim is made, must be in a position to develop a clear perspective on the claim and respond quickly. There may, in any event, be obligations to notify insurers and/or regulators at an early stage. Again good communication and relationship management will play an important part.

Review of insurance arrangements

Although the incidence of losses ought to be reduced through measures of the kind discussed above, it is inevitable that there will be some potential for mistake and consequent loss. To err is human! Once appropriate procedures have been put in place, the most obvious means of limiting exposure from what might be described as inevitable losses, will be by the use of insurance. The availability of insurance for specific exposures needs to be reviewed regularly.

Any business will potentially have in place a myriad of different insurance arrangements. It will be prudent for a thorough analysis of availability and value of insurance cover to be carried out, probably annually, to ensure appropriate protection in all the business' operations. There are very few risks that can not be protected by insurance, but, of course, great care needs to be taken to understand the effect of any exclusions that apply all insurance comes at a price so that an assessment has to be made of what level of risk a business and, indeed, those involved in the business, should retain and what level should be the subject of an insurance arrangement. Directors' and Officers" Liability insurance will, of course, generally be considered an essential element in any business' insurance programme.

Levels of premium charged by insurers can fluctuate significantly. At times, certain areas of risk have become as near to uninsurable as makes no difference by virtue of cost, and in recent years businesses, particularly bigger businesses, have tended to retain more risk exposure than they used to, but have sought to reduce the level of actual exposure by tightening up on risk control. Spending on risk control, including compliance with regulatory obligations, has increased widely and significantly. But it is a difficult balance to strike when short term cost of all such "non-profit" making parts of the business is itself closely scrutinised.

The essential lesson is that it is crucial that everybody involved in any specific dealings understands the scope of their activities and those of everyone else involved, and that a detailed analysis is carried out of all business activities in the context of a thorough understanding of all legal exposures to ensure that a risk management programme really does provide the best possible protection for the business and everyone involved in it. It is no exaggeration to say that a gap in risk management can ultimately decide the success or failure of a business enterprise.

Colin Porter
Principal


cporter@accentonlegal.com