If risk management assessments focus on harm rather than predicting risk probability, decisions can be aligned with wider considerations, and the in-house lawyer becomes central to discussions

One day Amazon will fail. Jeff Bezos, their CEO, says so. There is no caveat. The statement is absolute. Amazon WILL fail.

If Amazon will fail, what does that say about your organisation? We assume that our organisation will carry on despite the world outside. We tell ourselves: “Crises happen to others, and our organisation is different. Isn’t it?”

Many people see risk management as a process: identify the risks, work out the probability and potential impact, and put in place controls and mitigations. Yet all our efforts in carefully calibrating our plans overlook two immutable points: (1) we cannot predict the future; and (2) human behaviour dictates risk decision-making more than carefully laid plans do.

Risky thinking: an analogy

The divorce rate is rising in the UK (about one third of marriages end in divorce). Yet, the average (pre-pandemic) cost of a wedding is also rising and stands at around £27,000. Young couples complain they do not have the money to put a deposit down on a home. Yet £27,000 represents a 10% deposit on the average house in the UK (around £260,000). A rationalist would forego the wedding and use the money to buy the house, as statistically one in three marriages fail. After all, you can sell the house and divide the proceeds. Yet people continue to have big weddings because they treasure the experience. They are in love.

The pandemic is the latest in a long list of seismic events that have caught organisations off guard. I spent much of my career in property finance, and in my working lifetime I have seen the US savings and loans crisis, the 1987 stock market crash, the 1989 junk bond market crash, the Asian markets crash (1997-98), the dotcom bubble (1999-2000), and the 2008 collapse (which, compared to the 1929 crash, I read, was a cakewalk). A national pandemic has been the No 1 risk of consequence in the UK National Risk Register since it was first published in 2008, yet most businesses were unprepared.

Behavioural scientists observe that when a major risk event happens, human behaviour overrides rational thinking. Myopia, amnesia, optimism, herd mentality and short-term thinking take hold. Cognitive biases further affect our interpretation of situations. So, we either abandon our carefully thought-through plans, muddle through, or religiously follow them only to find they do not work. Some people cannot see a crisis developing because their planning constrains their judgment. If the event does not conform to their plan, they do not recognise what is happening until it is too late.

A fresh approach

Unless you are a psychopath, you will not act to harm either others or yourself deliberately. Most of us act to reduce any harm through our actions. We start assessing personal risk by understanding the harms that affect our needs. Our engaged couple are not contemplating a divorce; they are anticipating happiness. The harm of divorce thus has little or no weight despite statistics to the contrary.

Organisations can adopt a similar approach. People interact (voluntarily or involuntarily) with our organisations. Our organisations can harm those stakeholders, and if they do there will be consequences. The stakeholders could die, suffer injury, or their property and businesses be damaged. Communities could suffer from pollution or loss of amenity. As a consequence of those harms, our organisations can suffer fines, restrictions on business, revocation of any licence to operate, damage to reputation and loss of trust – all forms of harm.

By thinking about these harms, our organisations’ focus shifts away from identifying risk and calculating probability – the “classic” risk management approach (as certain as the horseracing form book). Instead, we think about who we can harm, how that harm occurs, and the resources we must have to avoid/manage the harms we cause. It encourages us to think beyond the cost-benefit analysis of risk decision-making and consider the wider impact of our organisations’ decisions, including the ethical and governance impact.

What is harm?

“Harm” is greater than affecting someone’s legitimate interests. In our complex world, there are always competing interests. To cause harm in risk management terms, the organisation damages the “essential outcome” of the stakeholder. An “essential outcome” is the outcome that stakeholder expects when interacting with our organisation. If we do not deliver their essential outcome, they suffer harm.

For example, the essential outcome of an electricity company’s customer is the continuous supply of electricity to keep their home or business functioning. If the supply ceases, for whatever reason, the electricity company “harms” its customer. The focus moves from the cause of the outage to its effect on the customer. It concentrates on the resources it will need to restore service as soon as possible and how it properly compensates the customer. There may be many causes, but the harm is the same.

Who are the stakeholders?

By identifying the stakeholders and their expectations and needs, you can assess the harms you can cause. For example, most organisations have the following stakeholders:

  • customers/consumers/clients/service users;
  • employees;
  • shareholders;
  • suppliers;
  • alliance partners;
  • lenders;
  • key advisers;
  • Government;
  • regulators;
  • trades associations;
  • the media;
  • interest groups;
  • future stakeholders.

Treat these stakeholders badly and they will repay you in kind – lawsuits, fines, bad press, etc.

A social licence to operate

The greatest harm to an organisation is the loss of its social licence to operate. Unlike a formal licence issued by a regulator, this licence is subject to a constantly shifting, complex, informal, ill-defined, unpublished, social “regulatory” regime. It is a licence based on trust. Loss of trust in your organisation will cause it to be revoked. This informal licence underpins the organisation’s ESG values as measured by the stakeholders. In the world of social media platforms, your organisation can have this licence when you go to sleep, but the stakeholders may revoke it before you wake up.

By focusing on harm and its resilience rather than trying to predict risk probability, the organisation aligns commercial and legal risk decisions with ESG considerations and wider ethical questions. Today, risk management is not just about protection of the tangible assets of your organisation. In this century, protecting intangible assets such as reputation, relationships and trust is just as valuable, particularly given that such assets can be ephemeral.

By understanding the role of “harm” in risk, the in-house lawyer becomes central to discussions as laws and regulations reflect our stakeholders’ expectations. Understanding legislative developments gives us insight into changing expectations and needs. A lawyer can thus move from a reactive to a proactive position.

Risk assessment and using evidence to consider probability still have value. We should not deny ourselves the value of information we have. But it is the focus on harm that is paramount. After all, as Jeff Bezos also predicts, “If we start to focus on ourselves instead of focusing on our customers, that will be the beginning of the end.”

The Author

Ian Jones writes about risk, ethics and compliance, and teaches risk management for the Law Society of Scotland accreditation in risk management and governance. He is the author of Butterworths’ In-House Lawyers’ Handbook.
