As the risk landscape grows, we're all stepping up both our enterprise risk management plans, and our crisis response preparedness. But we still need help navigating 5 pitfalls that fall between theoretical risks on the one hand, and actual crises on the other. Take a closer look at how to distinguish red flags from red herrings.

The Growing Risk Landscape

We face an increasing battery of risks these days. The number of cyber attacks in western economies in 2017 reportedly increased by 25% over 2016, U.S. foreign corrupt practices investigations nearly tripled between 2015 and 2016, and reports of harassment proliferate as the #MeToo movement expands. These are just a few examples of risks that are top of mind for legal leaders right now.

We tackle these multiplying risks on two fronts. First, organizations are stepping up enterprise risk management practices so as to better "protect and prevent". Second, crisis response plans have moved out of the theoretical and into real-life scenarios, where the goal is "damage control" if an incident does occur. There is no shortage of resources to help you implement an enhanced enterprise risk management plan, or guide you if a crisis occurs.

The Gap Between Risk and Crisis

But there's a gap in the middle where it feels lonely. The gap falls between the theoretical risks you're managing, and a full-blown crisis where a risk has become reality. Someone has raised a small red flag in a sensitive area that could turn out to be a bigger problem, but is far more likely to be a normal course business blip. You don't have many facts, you don't want to bury your head in the sand, but nor do you want to overreact and create a crisis where none existed.

These little red flags are not uncommon, even for businesses with robust enterprise risk management plans. A technology glitch, an HR complaint, a client query about a mistake, an irregularity in how someone has followed a policy - every crisis begins with some such red flag. But the converse is not true - not every red flag signifies a crisis. In fact, most red flags signify honest mistakes or irregularities that can be easily fixed at the operational level. It would not be practical or wise to invoke your crisis response plan for every situation. So how do you navigate through the gap to the right outcome?

There isn't an easy answer. It's a gray area full of judgment calls based on imperfect information, with lots of second-guessing yourself along the way. We'd love to learn from the experiences of others, so please join the conversation if you have observations. In the meantime, to spark the discussion, let me share some common pitfalls.

Bridging the Gap – 5 Pitfalls

1. You don't recognize or surface the red flag in the first place.

I think this pitfall is more common than we realize. Along with our teams, we might need to get better at recognizing real, "micro" risks that have already happened, as opposed to theoretical colour-coded entries on our risk-management spreadsheets.

This is easier said than done because of the sheer number of risks, functional areas, people and geographic locations in many organizations. Ironically, the problem is exacerbated if you have capable empowered people, because they're good at solving operational problems in the trenches without much management intervention. The HR team resolves a complaint, the IT team patches a glitch, the legal team settles a claim in the normal course of their job. The issue does not get flagged as a 'risk' because the focus is on successfully resolving the immediate problem. But other potential risks (reputational, security, financial or legal) outside the person's immediate sphere might go unflagged.

To counter this, we're all thinking about upgrading the tools we and our front line people need in order to recognize and assess "micro" risks. My own personal mental checklist when assessing whether an issue is a "micro" risk needing further assessment, or whether it's a normal course problem I should just fix and move on, is:

  • Could there be a safety or ethical issue?
  • Could there be harm to a client?
  • Could any of these facts give rise to significant legal liability, financial loss or reputational risk?
  • Has the person or team been involved in previous issues?
  • Is this issue outside my field of experience so that I need expert advice to assess its significance?
  • Could this issue impact the firm's core values or culture?

If the answer to any of these questions is "yes" then I think the issue is a red flag requiring further assessment.

2. You don't provide "early warning" to individual(s) who need to know about the red flag now – or you tell too many people.

Resist the urge to investigate without a plan. There are pitfalls to investigations (see below) and they should be handled carefully. Instead you should decide who needs to know this now, consult those individuals, and decide together how to navigate the next steps.

The question of who needs to know what when is a judgment call. It's particularly hard at the outset when, as is often the case, there is the possibility of serious risk, but you don't actually think it is likely. On the one hand, you don't want to immediately consult everyone who would be part of a crisis response team, because you don't know whether it's a crisis, the information you do have is probably sensitive, and you don't want to throw anyone under the bus based on a remote possibility and potentially damaging, as yet unfounded material. But on the other hand, you shouldn't be overly protective of people or information involved, to the point where you don't have the tools to assess the issue, or other leaders would be sandbagged if the information later comes out.

This topic is rife for second-guessing but my own feeling is that a very small 'early warning' team is better at the outset. Even though you may need to bring others into the loop as things progress (and those people might say 'why am I just hearing this now') I think it's best to start with one or two experienced senior people with good judgment who can help navigate all the thorny issues from here.

3. There isn't a clear "issue owner".

Your goal with the 'early warning team' is to get as efficiently as possible to a place where you can make an informed decision on whether your red flag is a red alert to be elevated to a crisis response, or a red herring to be fixed and defused. Most red flags can be resolved without reaching a crisis stage. However, there are several steps to navigate and boxes to check on the risk management checklist before you can make this decision. As with every issue involving many moving parts, it's important to have someone capable and accountable to take ownership of guiding the process and getting to a good result. Often the most effective issue owner is a senior leader on the team where the issue has arisen. Sometimes the issue owner has to be you. But 'role clarity' is important here to ensure the appropriate risk management practices get followed and to avoid a lot of unproductive wheel-spinning.

4. You haven't clearly defined the issue and potential risks.

Some time ago I was on a panel with a senior in-house lawyer from an organization with stellar risk management practices. He emphasized the importance of having an 'issue brief' when a potential risk comes up. I listened to him thinking (in the vein of 'you can always learn and improve') that I had never actually written down a concise summary of the facts and risks when dealing with my little red flags over the years – I would simply carry these around in my head. Similarly other team members would have in their heads their own version of the facts and risks, which might have been slightly different. All this led to cross-purposes discussions, wheel-spinning and covering old ground at meetings.

There are some pitfalls relating to record-keeping (described below) which are important to avoid. Having said that, there is a lot to be gained by having an outline of the issues, which can then frame a common approach for everyone involved. My own approach now tends towards a "less is more" page of point-form notes covering:

  • What are the facts we know now?
  • What is the 'bad story' that might be drawn from these facts?
  • What is the 'good story'?
  • What additional facts do we need in order to determine which story is most likely?

Based on the outline, your early warning team might conclude you have enough facts to decide whether or not the issue should be elevated to a crisis response, so no further fact-finding is needed. Often, however, more facts are needed and in this case the issue brief will evolve. If the red flag does get escalated, then your factual summary, the 'bad story' and the 'good story' will all form a good foundation for the crisis communications that will be needed.

5. In the process of internal fact-finding you can create legal problems down the road.

There are a few pitfalls to avoid in the fact-finding stage. Confidentiality of sensitive information is harder to maintain as more people are drawn into the fact-finding loop so it's important to keep the loop as small as possible, move quickly, and caution people about the importance of confidentiality. Litigation counsel will advise you that any work product created during your internal fact-finding could be produceable, and not necessarily subject to privilege, if subsequent litigation arises out of the facts. Any records and any conclusions you've drawn could be subject to intense scrutiny down the road. It's a judgment call on how much fact-finding (if any) you should do internally before engaging outside counsel. On the one hand outside counsel's investigations and work product should be privileged which is a good thing. On the other hand engaging counsel can trigger practical issues relating to broader communications and other aspects of your crisis response plan that you need to be prepared for – so there can be a delicate balance between doing some internal fact-finding and engaging outside advisors.

Deciding Between Red Alert or Red Herring

Ultimately, you have to decide whether your red flag is a red alert that should be escalated. Here again you are making a judgment call, still without perfect information. The range of factors to consider depends on circumstances and the team needs to give this careful thought. My own thought process is certainly to re-assess the same factors referred to in the context of surfacing the red flag (see above), revisiting them through the lens of new information and analysis. If any of these factors is present, I would think it wise to escalate.

If you decide that the problem is not a potential crisis but rather a normal course business issue to be fixed, the 'early warning team' will want to carefully consider all the circumstances and options in determining the fix. Some common considerations are:

  • Are training or process changes needed to prevent similar issues going forward?
  • Are reporting or record-keeping requirements triggered by the issue or the fix?
  • What else did we learn?
  • What follow up communications are required?

What makes these real life risk-but-not-yet-crisis issues so challenging, but also so interesting and such valuable experience, is that despite everything I've said above, there isn't really a 'playbook'. There are so many judgment calls, so many points where you have to draw on all your past experience, and so many times where you have to think laterally and analogize because it has never happened before. The best you can do is fine-tune your antennae to the red flags, ask questions, use good judgment, and work with a trusted team to help you navigate the pitfalls.

Recognizing that circumstances are fact-specific and often also very sensitive, we'd love to hear if you have practical strategies you've used to navigate red flag situations. We'll include any new ideas you're comfortable sharing in a future post.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.