Skip to content
Law Society of Scotland
Search
Find a Solicitor
Contact us
About us
Sign in
Search
Find a Solicitor
Contact us
About us
Sign in
  • For members

    • For members

    • CPD & Training

    • Membership and fees

    • Rules and guidance

    • Regulation and compliance

    • Journal

    • Business support

    • Career growth

    • Member benefits

    • Professional support

    • Lawscot Wellbeing

    • Lawscot Sustainability

  • News and events

    • News and events

    • Law Society news

    • Blogs & opinions

    • CPD & Training

    • Events

  • Qualifying and education

    • Qualifying and education

    • Qualifying as a Scottish solicitor

    • Career support and advice

    • Our work with schools

    • Lawscot Foundation

    • Funding your education

    • Social mobility

  • Research and policy

    • Research and policy

    • Research

    • Influencing the law and policy

    • Equality and diversity

    • Our international work

    • Legal Services Review

    • Meet the Policy team

  • For the public

    • For the public

    • What solicitors can do for you

    • Making a complaint

    • Client protection

    • Find a Solicitor

    • Frequently asked questions

    • Your Scottish solicitor

  • About us

    • About us

    • Contact us

    • Who we are

    • Our strategy, reports and plans

    • Help and advice

    • Our standards

    • Work with us

    • Our logo and branding

    • Equality and diversity

  1. Home
  2. For members
  3. Journal Archive
  4. Issues
  5. September 2021
  6. In-house: On harm, stakeholders and risk management

In-house: On harm, stakeholders and risk management

If risk management assessments focus on harm rather than predicting risk probability, decisions can be aligned with wider considerations, and the in-house lawyer becomes central to discussions
20th September 2021 | Ian Jones

One day Amazon will fail. Jeff Bezos, their CEO, says so. There is no caveat. The statement is absolute. Amazon WILL fail.

If Amazon will fail, what does that say about your organisation? We assume that our organisation will carry on despite the world outside. We tell ourselves: “Crises happen to others, and our organisation is different. Isn’t it?”

Many people see risk management as a process: identify the risks, work out the probability and potential impact, and put in place controls and mitigations. Yet all our efforts in carefully calibrating our plans overlook two immutable points: (1) we cannot predict the future; and (2) human behaviour dictates risk decision-making more than carefully laid plans do.

Risky thinking: an analogy

The divorce rate is rising in the UK (about one third of marriages end in divorce). Yet, the average (pre-pandemic) cost of a wedding is also rising and stands at around £27,000. Young couples complain they do not have the money to put a deposit down on a home. Yet £27,000 represents a 10% deposit on the average house in the UK (around £260,000). A rationalist would forego the wedding and use the money to buy the house, as statistically one in three marriages fail. After all, you can sell the house and divide the proceeds. Yet people continue to have big weddings because they treasure the experience. They are in love.

The pandemic is the latest in a long list of seismic events that have caught organisations off guard. I spent much of my career in property finance, and in my working lifetime I have seen the US savings and loans crisis, the 1987 stock market crash, the 1989 junk bond market crash, the Asian markets crash (1997-98), the dotcom bubble (1999-2000), and the 2008 collapse (which compared to the 1929 crash, I read, was a cakewalk). A national pandemic has been the no 1 risk of consequence in the UK National Risk Register since it was first published in 2008, yet most businesses were unprepared.

Behavioural scientists observe that when a major risk event happens, human behaviour overrides rational thinking. Myopia, amnesia, optimism, herd mentality and short term thinking take hold. Cognitive biases further affect our interpretation of situations. So, we either abandon our carefully thought-through plans, muddle through, or religiously follow them only to find they do not work. Some people cannot see a crisis developing because their planning constrains their judgment. If the event does not conform to their plan, they do not recognise what is happening until it is too late.

A fresh approach

Unless you are a psychopath, you will not act to harm either others or yourself deliberately. Most of us act to reduce any harm through our actions. We start assessing personal risk by understanding the harms that affect our needs. Our engaged couple are not contemplating a divorce; they are anticipating happiness. The harm of divorce thus has little or no weight despite statistics to the contrary.

Organisations can adopt a similar approach. People interact (voluntarily or involuntarily) with our organisations. Our organisations can harm those stakeholders, and if they do there will be consequences. The stakeholders could die, suffer injury, or their property and businesses be damaged. Communities could suffer from pollution or loss of amenity. As a consequence of those harms, our organisations can suffer fines, restrictions on business, revocation of any licence to operate, damage to reputation and loss of trust – all forms of harm.

By thinking about these harms, our organisations’ focus shifts away from identifying risk and calculating probability – the “classic” risk management approach (as certain as the horseracing form book). Instead, we think about who we can harm, how that harm occurs, and the resources we must have to avoid/manage the harms we cause. It encourages us to think beyond the cost-benefit analysis of risk decision-making and consider the wider impact of our organisations’ decisions, including the ethical and governance impact.

What is harm?

“Harm” is greater than affecting someone’s legitimate interests. In our complex world, there are always competing interests. To cause harm in risk management terms, the organisation damages the “essential outcome” of the stakeholder. An “essential outcome” is the outcome that stakeholder expects when interacting with our organisation. If we do not deliver their essential outcome, they suffer harm.

For example, the essential outcome of an electricity company’s customer is the continuous supply of electricity to keep their home or business functioning. If the supply ceases, for whatever reason, the electricity company “harms” its customer. The focus moves from the cause of the outage to its effect on the customer. It concentrates on the resources it will need to restore service as soon as possible and how it properly compensates the customer. There may be many causes, but the harm is the same.

Who are the stakeholders?

By identifying the stakeholders and their expectations and needs, you can assess the harms you can cause. For example, most organisations have the following stakeholders:

  • customers/consumers/clients/service users;
  • employees;
  • shareholders;
  • suppliers;
  • alliance partners;
  • lenders;
  • key advisers;
  • Government;
  • regulators;
  • trades associations;
  • the media;
  • interest groups;
  • future stakeholders.

Treat these stakeholders badly and they will repay you in kind – lawsuits, fines, bad press, etc.

A social licence to operate

The greatest harm to an organisation is the loss of its social licence to operate. Unlike a formal licence issued by a regulator, this licence is subject to a constantly shifting, complex, informal, ill defined, unpublished, social “regulatory” regime. It is a licence based on trust. Loss of trust in your organisation will cause it to be revoked. This informal licence underpins the organisation’s ESG values as measured by the stakeholders. In the world of social media platforms, your organisation can have this licence when you go to sleep, but the stakeholders may revoke it before you wake up.

By focusing on harm and its resilience rather than trying to predict risk probability, the organisation aligns commercial and legal risk decisions with ESG considerations and wider ethical questions. Today, risk management is not just about protection of the tangible assets of your organisation. In this century, protecting intangible assets such as reputation, relationships and trust is just as valuable, particularly given that such assets can be ephemeral.

By understanding the role of “harm” in risk, the in-house lawyer becomes central to discussions as laws and regulations reflect our stakeholders’ expectations. Understanding legislative developments gives us insight into changing expectations and needs. A lawyer can thus move from a reactive to a proactive position.

Risk assessment and using evidence to consider probability still have value. We should not deny ourselves the value of information we have. But it is the focus on harm that is paramount. After all, as Jeff Bezos also predicts, “If we start to focus on ourselves instead of focusing on our customers, that will be the beginning of the end.”

The Author

Ian Jones writes about risk, ethics and compliance, and teaches risk management for the Law Society of Scotland accreditation in risk management and governance. He is the author of Butterworths’ In-House Lawyers’ Handbook.

Share this article
Add To Favorites
https://lawware.co.uk/

Regulars

  • People on the move: September 2021
  • Book reviews: September 2021
  • Reading for pleasure: September 2021

Perspectives

  • Opinion: Rupa Mooker
  • President's column: September 2021
  • Editorial: Stay on screen
  • Viewpoints: September 2021
  • Profile: Tatora Mukushi

Features

  • Action stations: the case for a Conveyancing Task Force
  • Finding the value in valuations
  • Farming: fertile ground for mediation
  • Law lessons learned
  • Parole: the Board as court

Briefings

  • Civil court: Legacy of COVID
  • Corporate: The enigma of economic duress
  • Employment: where will work be found?
  • Intellectual property: David v Goliath battle continues
  • Agriculture: Crofting disputes: some first principles
  • Sport: Arbitration – within the rules?
  • Property: ADS: the hidden traps
  • In-house: On harm, stakeholders and risk management

In practice

  • Ask Ash: Colleague's chat is my privacy
  • Lockdown no more
  • The Word of Gold: The potency of passion
  • Get interactive at the Law and Technology Conference
  • Ten red flags for conveyancers
  • The Eternal Optimist: So, what do you want to be?
  • Commissary: the top 10 failings
  • Mobility challenges – and the kindness of strangers
  • When all is remote

Online exclusive

  • Victim support – in road traffic?
  • More than just a game
  • He said, she said
  • So what makes a good judge?
  • Data breaches: the grounds of claim

In this issue

  • Homeworking burnout
  • Income tax: really becoming simpler?
  • What the best High Street law firms do...
  • Cashroom: seamless financial support for law firms
  • A bright future at Edinburgh Dog and Cat Home

Recent Issues

Dec 2023
Nov 2023
Oct 2023
Sept 2023
Search the archive

Additional

Law Society of Scotland
Atria One, 144 Morrison Street
Edinburgh
EH3 8EX
If you’re looking for a solicitor, visit FindaSolicitor.scot
T: +44(0) 131 226 7411
E: lawscot@lawscot.org.uk
About us
  • Contact us
  • Who we are
  • Strategy reports plans
  • Help and advice
  • Our standards
  • Work with us
Useful links
  • Find a Solicitor
  • Sign in
  • CPD & Training
  • Rules and guidance
  • Website terms and conditions
Law Society of Scotland | © 2025
Made by Gecko Agency Limited