The concept of risk and reward is as old as time itself.

Corporate risk is increasingly complex, spanning many specialisms that each address a particular set of opportunities and threats: cyber, regulatory, compliance, policy and public affairs, business continuity and, yes, legal.

While the risks businesses and society face have evolved over time, the general principle that taking risks is necessary to generate reward has remained the same. The principle is constant; the risks themselves are dynamic.

The Burness Paull disputes group – which brings together experts in contentious matters from across the firm’s practice areas – hosted a series of conferences where we looked at risk in depth and what it means for modern businesses, drawing on insights from leaders operating in a range of industries. Several common themes emerged:

  • Most notably, risk must be embraced if businesses are to innovate, build resilience, and succeed. Indeed, the greatest risk of all is standing still and stagnating.
     
  • As business advisers, the greatest value we can add is early advice in the form of external input on governance, risk and resilience planning. This will help ensure that risks are taken for the right reasons, the threats are mitigated as far as possible, and the potential benefits are maximised.



Here, we offer our take on what is an ongoing and dynamic challenge for all businesses, along with some general guidance on how to approach risk:

  • Establish your risk appetite

  • Create the structure and governance to fit that appetite 

  • Put the right controls and people in place – using both in-house resource and external expertise where required 

  • Create an environment that welcomes challenge and scrutiny 

  • Regularly review your requirements



There is no one-size-fits-all approach to risk. From a business point of view, the key to success is knowing how to embrace the risk necessary to support your strategy while also having the appropriate controls in place. It is not always an easy balance to strike, in part because no organisation operates in isolation. Ultimately, governance provides the thread around which the systems, safeguards and resourcing should be built.  

A key question for management teams and boards to ask themselves is, where does the business sit on the risk spectrum and what reward is required to justify that risk? Once a business has decided its approach, it becomes a case of creating structures and systems for the risk to be managed appropriately, in line with that appetite.

Effective governance is the first step in this process, as it defines the organisation’s approach, provides the framework for decision making, and dictates how risk management operates within the business. While planning for risk might sit at board level, the design and execution of policies is usually a task for management, with the controls that manage calculated risks ideally sitting at all levels of the organisation – overseen by the right people, which is just as important as the structure.

Structure and process on their own are not enough. For example, the Post Office's failures in the Horizon scandal have been linked to a passive board and a leadership that lacked the knowledge and advice needed to grapple with areas it did not understand, such as IT and legal risk.

Therefore, putting the right people in place, and creating a culture that welcomes challenge and scrutiny, is vital.

Plans and risk registers also need to be reviewed regularly to ensure they remain appropriate and relevant.

This is a task which can fall down the list of priorities – sometimes until it’s too late. It takes a rigour and a discipline to set aside time for that, which is an area where external advisers can add value.

"The organisation and board need to understand and own their risk. It’s important to empower the board to understand risk."

GEORGE LOWDER - CHAIR, TRANSFORM SCOTLAND

Personalise your risk outlook, put plans in place, and test your systems

 

  • Hope for the best, prepare for the worst 

  • Monitor for these risks and ensure your teams are trained on them 

  • Establish a triage and escalation process with clearly assigned responsibilities 

  • Scan for new and emerging risks

  • Review your register and policies appropriately 

  • Manage existing contracts effectively to reduce risk and escalation of issues 

Risk means different things to different organisations. Some risks affect all businesses while others are specific to a sector, jurisdiction or individual organisation. Risks also evolve constantly. For example, climate, cyber and AI are all major themes today that have only risen to the top of the agenda in the last decade.

As a result, the risk register of each business will be unique based on various factors - which is why it’s important to personalise your risk outlook.

You need to be imaginative during your planning and ask yourself, what is the worst thing that could really happen in our organisation? Then prepare your plans and test your systems accordingly.



Risks can stem from a host of different areas, including:
  • IT systems being unavailable as a result of a cyber attack such as ransomware, a data breach (malicious or accidental), an outage, or disruption at a third-party supplier

  • Facilities becoming inaccessible to staff and/or customers due to fire, flood, natural disaster, major accident or terrorist incident

  • Misconduct or criminal activity among your employees, which is one of the hardest challenges to mitigate

Impact is often subjective and can be measured in a number of ways:
  • Financial – the effect on trading and any requirement to pay fines and / or compensation to customers

  • Legal – if it crosses a regulatory reporting threshold or results in litigation

  • Reputational – if it damages trust among your customers and other stakeholders



Once you have identified your principal risks, you need to monitor those risks and have a plan in place should you need to respond, with a triage process, escalation procedure, clear lines of responsibility, and regular training for your decision-makers.

Consider holding regular exercises – perhaps annually or every six months – to stress test your response and amend your plan as necessary. When conducting these exercises, it’s vital to involve all parts of the business, particularly those on the frontline who are dealing with customers every day, not just management teams.

Feedback from the frontline is valuable because it helps you understand what your employees are seeing and dealing with. To facilitate this, make sure the language and terminology around risk is commonly understood, both in what is communicated down and in what comes back.

"We can also learn about risk from the frontline colleagues who talk directly to our customers – they often have insight about the risk that can assist the risk professionals."

IAN MCLAUGHLIN - CHIEF EXECUTIVE, VANQUIS BANKING GROUP


It’s also important to be scanning for new and emerging risks and updating your register and plans appropriately to ensure they remain fit for purpose.

"I’m always trying to work out what is coming down the tracks. It’s important to stay networked and plugged in through trade body memberships, being active at Holyrood, and monitoring the news."

LOUISE MACLEAN - BUSINESS DEVELOPMENT DIRECTOR, SIGNATURE PUB GROUP LTD


Lastly, remember that not all risk is ‘new’. One eye should always be on the here and now: maintaining and improving delivery and performance on existing, ongoing contracts. Effective contract management reduces risk. Organisations should manage their existing contracts proactively: actively monitoring performance; clearly communicating any intended changes; escalating and tackling issues at an early stage; adopting a transparent approach to resolving issues; and taking a collaborative approach to contract delivery, so as to build the trust and goodwill that will in turn allow issues to be navigated successfully.

"Change of personnel in charge of a contract can create risk. There can sometimes be an element of personal trust and an evolved shared understanding as to how something will work in practice that is different to what is on paper. Someone new comes along and reads the contract differently or to the letter, and trust or mutual understanding goes out the door."

BARRY WHITE - CHAIRMAN, INFRASTRUCTURE MANAGERS LTD

Know what you don't know, and prepare accordingly

 

  • Acknowledge that you cannot prepare for every eventuality 

  • Focus on developing strong governance and robust decision-making processes 

  • Identify gaps in your resourcing and seek external advice where required 

  • Ensure accurate information is shared in a timely manner


"As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know."

DONALD RUMSFELD


Donald Rumsfeld was widely mocked for the above remark when he delivered it as US Secretary of Defense at a Pentagon press briefing in February 2002, during the build-up to the 2003 invasion of Iraq.

However, the remark has since been rehabilitated, to the extent that Rumsfeld titled his 2011 memoir Known and Unknown.

In a business context, it’s a welcome acknowledgement that you cannot plan for every single outcome. Instead, this is where the strength of your governance and processes will really be tested.

"You can spend a huge amount of time on risk but it’s always the unforeseen that occurs. But existence of process allows you to deal with the unforeseen better."

GEORGE LOWDER - CHAIR, TRANSFORM SCOTLAND


The critical question for any organisation facing a black swan-type event is, how damaging is this situation, and at what point does the risk become existential? It then becomes a case of crisis response.

Even the most well-prepared organisations can be caught on the hop, and putting plans in place is very different to delivering on them.

"The first report you get will invariably be wrong in that black swan event so take time to properly assess what’s in front of you, and the sources of the information you are receiving. Don’t take too long, but take a breath, let everyone take a breath, then come back to the table to come up with an appropriate first response."

MARK KENT - CHIEF EXECUTIVE, THE SCOTCH WHISKY ASSOCIATION


While each crisis is different, some common themes will serve you well regardless of the situation:

  • You cannot pause for long before taking action, but stopping for a breath first is important. "Nice systems look great" and there is a natural urge to start implementing them quickly, but first getting to grips with the specifics of the situation in front of you is key

  • Know where your expertise lies and recognise your limits. Do you have all the capabilities you need, or is external resource required? For example, your in-house IT team may be very proficient at designing and maintaining your systems day to day, but that does not mean they have handled a ransomware attack, where containment, evidence preservation and recovery decisions must be made under pressure. If so, bring in cybersecurity incident response specialists for additional, expert support, and ideally identify them before an incident rather than during one

  • Communication and timely sharing of information are key, as Kent reflects, drawing on his former career as a diplomat:

    "Often when you have issues arising in a big operation like the foreign office, by the time a dossier reaches the board it will have gone through a number of filters which can mean they are taking decisions on something that isn’t necessarily reflective of what’s happening on the ground. Identifying that ground truth is really important. You have to identify where your reliable sources of information are to be able to identify the risk."

    MARK KENT - CHIEF EXECUTIVE, THE SCOTCH WHISKY ASSOCIATION

Conclusion

Risk is a complex and dynamic area, but a necessary one to allow businesses to grow and build resilience. As a firm, we are committed to supporting our clients to maximise business opportunities and mitigate risks.



We offer:

  • Horizon scanning and risk identification

  • Change implementation and compliance monitoring

  • Risk audits

  • Risk mitigation strategies

  • Crisis and claims response



We would love to speak with you about how we can help your organisation. 

We’re running our next series of risk conferences this autumn, where we’ll hear from legal experts and business leaders on some of the most pressing risks facing organisations today and how to navigate through the current risk climate. Sign up here to ensure you hear about the conference dates as soon as they are announced.

Navigating legal and compliance challenges in the energy sector: from environmental risks to workforce management

1 October 2025 (8.30am - 12.30pm) at The Marcliffe Hotel in Aberdeen

Key Contacts

Joanna Fulton

Partner

Product Liability


Joanna has a particular focus on product liability and product safety matters, leading our Chambers UK band 1 ranked product liability team.

Ashley Jones

Partner

Professional Negligence


Ashley has a great track record of acting for both professional indemnity insurers and commercial clients in complex, professional negligence claims.

Lynne Gray

Partner

Health & Safety


Lynne handles contentious and non-contentious regulatory compliance issues, helping clients every step of the way.

Douglas Blyth

Partner

Dispute Resolution


Douglas has a particular focus on corporate and shareholder disputes, fraud and insolvency litigation, often involving assets and issues across multiple jurisdictions.
