Preparation and delimitation
First, and most importantly, you need to know where your company stands in terms of risks:
- What are your risks?
- What strategic/commercial initiatives do you expect to make in the coming period of time?
- Who are authorized to do what?
- What kind of risk management have you had so far?
You should convene an initial meeting to assemble a cross-functional team with representatives from i.a. the BoD, management, legal department, and any other relevant employees who can help identify your risk profile. Consider involving an external advisor to help assess your risks.
Based on your company’s risk profile the team will typically identify a handful of primary risk areas. From there, you will work out each party’s tasks and responsibilities in the process.
The next step is to carefully analyse your company’s risks. The team will need to go through relevant contracts, agreements and other documents, also to identify any mutually affecting risks, such as:
- Loan agreements
- Partnership agreements
- Licence agreements
- Supply and purchase agreements
The team should also consider, on a regular basis, the need to adjust the scope of the investigation. For example, the investigations might uncover new risks to be examined. Questions arising should be dealt with continuously, e.g. by interviewing relevant personnel.
Building on the aggregate knowledge accumulated through the initial meetings, the risk analysis, and any interviews conducted, the team will draft a report on the risks identified, including any risks that might potentially arise from any contemplated strategic/commercial initiatives.
Action plan and recommendations
At this point, you need to go over the risk analysis with all relevant parties, including the team, the management, and the BoD. Go for an open and constructive discussion and allow everyone to comment on the conclusions and recommendations in the report.
You have now mapped all relevant information about your risk profile and used the data to analyse what you need to do to stay safe in the future.
Now what you need to do is to translate your recommendations into actions. You could do this by drafting an action plan, which might also be the starting point of your new legal risk management strategy. The plan should be realistic and identify what areas you wish to prioritize.
It should include suggestions on what to do about:
- Current risks, based on current situation
- Potential future risks, based on future strategic and commercial plans
- The immediate threats that are facing all businesses due to the global, general uncertainty.
Also, your action plan could include suggestions for changed procedures and internal rules.
When implementing new procedures and security measures, it is vital that you make sure to properly communicate these new initiatives and your new risk strategy. You need to convey the message to your staff in a way that makes it something they can relate to; they must know what to do in practical terms.
Moreover, and using the recommendations arrived at, the team should consider the following:
- Renegotiation of agreements
- Corporate-law changes
- New internal authorizations
- Employee matters, e.g. rectifying invalid clauses
- Negotiations with authorities and other parties
- Insurance matters, e.g. avoiding under-insurance
- Drafting of new standard contracts
- Information letters
- Implementation of document handling and risk categorization systems, etc.
This will give you a clearer view of your company’s risks and (depending on the focus of your investigation) help you avoid lawsuits, ensure compliance, and stand better equipped to tolerate market fluctuations.
To make sure you keep the overview at all times and keep your risk strategy up-to-date on market developments and your own development, it is necessary that your management/BoD ensures periodic follow-ups. These follow-ups could be at management level and with the persons responsible for each area, but which basically includes a test of the assumptions made, a match against the then current risk strategy and corporate strategy and a renewed analysis of the risks at hand – which should now be mapped in the system.