Identifying and managing legal risks

Patrick Bourke

Partner & Head of Middle East Dispute Resolution Practice
Norton Rose - Dubai
01 Jul 2008

In order to seek to manage risk one first needs to identify it. Whilst there are myriad different classifications of risks, corporate risks can be separated into three simple categories: establishment risks, operational risks and reputation risks.

Establishment risks

Establishment risks are those risks which companies face during start up and throughout the life of a business.

The core of establishment risk is the way in which a company is structured. A company’s structure will entail risks of its own – for example, a company with branches in different jurisdictions may face tax liabilities as a result of its activities which it could manage by reorganising its group structure with the benefit of specialist tax advice. Furthermore, a company’s structure may change as it grows and its financing requirements become more complicated, and this may attract different establishment risks. For example, if a company decides to access the equity capital markets by way of a listing on an exchange, it will take on a number of additional compliance obligations in areas such as directors’ duties, transparent accounting, disclosure and the listing rules which apply to the relevant exchange.

In addition to establishment risks which are determined by the way in which a company is structured, a new company must consider how it will deal with its stakeholders. Stakeholders include a company’s management, employees, suppliers and customers. Each document governing such a relationship is a source of potential risk for the company, both of itself and in connection with the rules which govern the content of contracts in applicable jurisdictions around the world.

It is important to note that the word “documents” in this context does not mean only contracts: internal relationships within a company may be subject to chains of command and written procedures which take the form of manuals or guidebooks. In the most obvious example of a risk management measure, most companies impose health and safety measures upon their employees. These measures may not be a matter of contract, but they are a means of dealing with a company stakeholder. Where contracts are put in place, it is important that those contracts are checked for consistency and correct use of terminology, that they contain appropriate law and jurisdiction clauses and a properly thought-out dispute resolution mechanism.

Operational risks

The risks which a company faces as it conducts its day-to-day business are called operational risks. Such operational risks may be mitigated by insurance (policies include property/assets coverage, business interruption, general liability, financial lines cover, P&I cover and D&O cover).

Operational risks can be divided into sub-sets. Firstly, there are practical risks: what happens if a major incident occurs and/or the company suffers a catastrophic loss? Mitigating these practical risks is a matter of effective incident management and having disaster plans and manuals in place. Issues to consider include corporate manslaughter, document management, employee relations and publicity strategies.

The other sub-set of risks is legal risk. The starting point for mitigating legal risks is: what laws apply to the company under review? By answering this question, a company can adapt its behaviour when those laws change.

A good example of a legal risk is the obligations which arise from competition and anti-trust legislation. These obligations include the impact of competition legislation on contractual arrangements with competitors as well as other forms of co-operation and information exchange. Without an understanding of the law in this area, a company (and particularly a company which does business with counterparties in Europe or the United States of America) runs the risk of engaging in conduct which it may not consider to be “illegal” but which offends the competition authorities such as the US Department of Justice and the European Commission. Even if a company is not based in Europe or the United States, it may come within the ambit of each of these organisations by interacting with consumers in these areas.

The extra-territorial effect of some jurisdictions’ legislation – but particularly that of the United States – is important to recognise. For example, a company which has a connection with the United States (perhaps because it maintains a listing on a US exchange, or has operations in the country) comes within the ambit of the US Foreign Corrupt Practices Act 1977 (the “FCPA”), the principal purpose of which is to outlaw bribery. Bribery in the context of the FCPA encompasses a range of behaviours, and can include seemingly innocuous acts such as taking a contact for lunch if that contact is a government official or someone acting in an official capacity.

Reputation risks

Reputation risks may flow from other risks: for example, operational risks such as a “dawn raid” by competition authorities or an allegation of bribery under the FCPA would clearly affect a company’s reputation unless appropriately managed. As well as being risks in their own right, reputation risks are risks to a company’s “brand”.

How should in-house counsel deal with these risks?

The first step in managing risk is to understand to which risks the company is most likely to be exposed. This can be done by creating a risk management matrix on which each risk is plotted by reference to (i) the likelihood of the risk arising, and (ii) the impact on the business of that risk arising – if both score highly there is a greater need to actively manage the risk to, say, seek to minimise the possibility of the risk arising. Only once such an understanding is gained can those risks be managed.

Each risk must be identified and dealt with in turn. Different risks can have different impacts, depending on whether the result is a loss of profits, a fine, damage to a company’s reputation or a company’s rating with external agencies.

Each risk will require its own practical control mechanism. In some cases, this will require effective monitoring or contingency planning. In others it will require the preparation of response scenarios. In order to be effective, risk assessment and mitigation strategies must be adequately resourced.
