Published on:

Let me raise the lance again against “risk management”

The new general counsel of General Mills, Roderick Palmore, is responsible not only for the company’s legal function but also for compliance and risk management. As reported in InsideCounsel, March 2008 at 13, the three areas are not uncommon responsibilities of a US general counsel. I thought again about that will-o’-the-wisp, “risk management.”

My view is that responsibility for enterprise risk management extends far beyond the appropriate role of a general counsel. To corral legal risk is hard enough, not to mention to ride herd on a company’s panoply of risk (See my posts of Nov. 8, 2007: enterprise risk management and general counsel’s unclear role; Jan. 10, 2006: enterprise risk management; and Aug. 27, 2005: general counsel as “reputational risk protector”).

Even trying to rein in legal risks is a bronco hard to break (See my posts of Jan. 3, 2008: even “legal risk” has unclear meaning; Aug. 14, 2005 with its skeptical view of that amorphous term; Nov. 15, 2005: references cited which grapple with definitions of “legal risk”; Jan. 13, 2006 on uncertainty vs. risk; and March 1, 2007 on compartmentalization in a law department and legal risk.).

True, frameworks exist for assessing legal risks, such as the COSO model (See my post of Dec. 22, 2006: severity, likelihood and controllability.). To deal with legal risks you need to identify them and then estimate their potential impact (See my post of May 14, 2005: “identify, size, and match” risks.). Other steps in legal risk management include to map such risks (See my post of Aug. 26, 2005.), to quantify them (See my post of Nov. 11, 2005.), and periodically to assess them (See my posts of Dec. 22, 2005; March 27, 2005: three ideas for dealing with risk; and Nov. 15, 2005 which collects references.).

Even with these supposed methodologies, no one knows how to quantify the risks that any staff function faces (See my post of Nov. 15, 2005: no standard measures of risk; July 25, 2005: survey results about legal risk management, July 30, 2005: measuring legal risks in China.). To be saddled with responsibility for “legal risk management” is to be riddled with unknowns.