What’s Our Risk Tolerance?

In my last article I said the hardest question I asked my internal and external lawyers was “What’s the risk?”

The hardest question my internal lawyers asked me was “What’s our risk tolerance?”

The answer to this question is critical to the operation and credibility of a legal department.

We have all seen:

• routine contracts that took 15 rounds of negotiation because attorneys on both sides were grinding every possible risk out of the contract;

• legal departments labeled the “Department of No” because too many proposed activities were vetoed for carrying risk; and

• attorneys stuck in analysis paralysis and unable to make a call.

This behavior is sometimes the result of under developed judgement or poor training, but more often it results from failure of legal leadership to convey the organization’s risk tolerance.  Without that guidance, people will err on the side of eliminating all risk out of fear of the consequences of failing to prevent any risk from materializing.

If leadership instructed the contracting attorney not to sweat the small stuff and just make sure we are reasonably protected on the big stuff (if there is big stuff…), he would be less concerned about career repercussions when something goes wrong in a contract.  This would make people more likely to prevent the perfect from being the enemy of the good.  Of course, leadership will need to be clear about what types of contracts and contractual provisions carry risk and how they want those risks addressed.   The benefit to efficiency, attorney job satisfaction and client service from taking the time to do this will be considerable.

Guiding attorneys reviewing the advisability of proposed activities is harder.  My guidance was “If it’s illegal, we are not doing it," “If all we have is an argument that barely passes the ‘red face’ test on the question of legality, we are not doing it," and"If it's not the right thing to do, we are not doing it.". However, most questions are not so clear cut, which is why we have so many lawyers running around.  There are usually risks to doing something and risks to doing nothing.

My guidance was that where the law is unclear, we could approve an activity as long we had a good defensible argument as to why it was consistent with the applicable legal framework.  Of course, this had to be calibrated with the potential severity of the consequences for being wrong on that assessment.

This "make sure you have a solid argument"'approach can be helpful to attorneys in the U.S. where arguing by analogy that what you are doing is consistent with the legal framework at issue is tolerated.  My colleagues outside the U.S. often struggled with this because, in those systems, there is typically only a right answer and a wrong answer; there is less or no room for a "this should be the answer" approach.

In addition, in those systems, penalties are generally assessed using a strict liability-like approach, with little or no consideration for having tried to get it right, and the penalties for any specific breach can range from the de minimus to the ruinous.  This makes addressing risk tolerance that much more important, and difficult, in those countries.  It is quite rational in these circumstances for attorneys to overweight the severity variable using the most severe potential penalty when trying to weigh the likelihood of a risk materializing against the potential severity of being wrong.  But when you do that, you say "no" to a lot of activities that , in reality, don't pose an unacceptable level of risk.

Articulating risk tolerance is very difficult.  It would be easy to say “on a scale of 1 to 10, you are authorized to approve risks up to level 5, from level 6 to 7 you need to speak with a member of my leadership team and for 8 to 10, I need to be consulted.”  Unfortunately, there’s no standard scale for assessing all the variations of risk.  We need well-trained attorneys to use their judgment to make risk decisions consistent with the organization’s broad guidance.  We also need leadership to make clear that people making reasonable risk decisions will be supported if and when things go wrong.  Without that assurance, it’s human nature for people to protect themselves by taking the most conservative approach.

Because being precise on questions of risk tolerance is so difficult, I often resorted to parables.  For example, “I took a risk driving to work today”. Or “I took a risk eating the burrito special in the cafeteria today.”  I took those risks because, although the risks in each case ranged from mild to severe, those risks were unlikely to materialize given the circumstance that my commute rarely exceeded 20 mph and our cafeteria was a high volume operation.  We also used more relevant examples of risks that had been addressed by various members of the legal department to demonstrate how we reasoned through them to arrive at an acceptable answer.

My strategy in using these examples was that they would convey to people that we wanted them to think through how much risk there really was in a particular situation .  We needed them to use their judgement on whether to take the risk and the reasonable amount of effort and time to expend in trying to mitigate or eliminate a particular risk. This is easy for a senior leader to say, but harder for people on the ground to comfortably do when their question is “how much risk is too much?”  When in doubt, my door was always open.

I never did find a clear or satisfying answer to the question of “what’s our risk tolerance?” and would be interested to hear how others approach this problem.  My experience is that (1) openly discussing questions of risk, (2) talking through real life examples in public forums and (3) acknowledging that despite the best analysis mistakes will be made, gives people a better sense of how they should approach risk tolerance.  The upside is that a well coached team will better calibrate what to push on and what to let slide, and ultimately increase their efficiency, job satisfaction and the appreciation of their colleagues.