Canadian Lawyer InHouse

Apr/May 2008

Legal news and trends for Canadian in-house counsel and c-suite executives

Issue link: https://digital.canadianlawyermag.com/i/50887


FEATURE

— in multiple panel discussions — from in-house counsel across North America about developing an ERM program. The following are some of the highlights.

Identifying risk

There are many definitions of risk used within public- and private-sector management circles. A typical definition of risk is "exposure to the chance of loss" or "the degree of probability of such a loss."

It's important to distinguish between a problem and a risk. A risk is the possibility of something going wrong, while a problem is something that has gone wrong. Essentially, a problem is a risk that has materialized.

Michele Nicholas is corporate counsel and assistant secretary of Armstrong World Industries Inc., a global leader in the design and manufacture of floors, ceilings, and cabinets, based in Lancaster, Pa. Armstrong operates 40 plants in 10 countries and has approximately 13,000 employees worldwide, so its risk is far and wide.

Nicholas says it's important to know the difference between inherent risk and residual risk.

Inherent risk can be a risk that has no mitigating factors or treatments applied to it. It can be the possibility that some human activity or natural event will have an adverse effect on the assets of an organization that can't be managed or transferred away.

Meanwhile, residual risk is the level of risk (assessed through likelihood and impact) after controls are applied. It may include, for example, risk due to very severe storms (above design standard) or risks from unforeseen hazards.

Once the difference is made, Nicholas says a good ERM plan is "really a way to identify, to accept, prioritize, mitigate, and report on risk.

"You need to understand what your objectives are before you start, so that you're going to be left with meaningful information at the end of the day," she says. "Identifying risks is really just the beginning. Ultimately what you want to do is reduce the probability of the risk and figure out a way to mitigate risk and also report on it."

Nicholas divided risk into six categories to help manage the process. The categories are: of materials; trends; records management; and

"We're basically asking our business people, what keeps you awake at night?" says Nicholas. "And we want to start with a very broad view of it, so that we can capture as many risks as possible."

Depending on what your company does, the list of risks associated is limited only by your imagination. But Nicholas says this process of naming and listing risk "is really just a way to formalize this and focus and co-ordinate the efforts so we're left with something more standard at the end of the day."

Standardizing your findings

"One of the biggest challenges we faced in creating our program was to standardize our findings. What were we going to do with them?" says Nicholas.

Armstrong World Industries uses a risk matrix to identify and communicate risk. The end result is an easy-to-read heat map.

"It's obviously very subjective but it's also a very good visual approach which helps distill the information very quickly; and people tend to like this, as opposed to something all in writing," Nicholas says. "It does get the discussion going and gets things on the table."

Jonathan J. Oviatt is general counsel and corporate secretary of the Mayo Clinic, a not-for-profit medical practice dedicated to the diagnosis and treatment of virtually every type of complex illness.

He says the ERM model should be similar to company-wide compliance plans, where responsibility is distributed throughout.

"You can put everyone into one office and have everybody hate that office, versus having the responsibility be distributed," he says.

He says the key members on the Mayo Clinic's ERM team are the legal department, the CFO, the internal audit committee, and a board of directors' liaison.

"Our CEO has made quality, transparency, and safety the top
