Enterprise Risk Management: Adding Value to Legal Advice

By Alice Raynard (Waterloo, Canada)

In an article published five years ago, Kenneth Jull, Adjunct Professor at the Faculty of Law of the University of Toronto, stated that “risk assessment and risk management are popular terms these days, but these skills are rarely taught in law school” (1). Risk management terminology is even more widely used today in businesses everywhere and lawyers are not immune to this tendency. This in itself, if we follow Dr. Jull’s reasoning, is a risk for lawyers. Indeed, we might have to do more than put fires out, defend rights and draft contracts.

There is now a lot of literature on risk management and the terminology is used at will but somehow, it remains rather cryptic to lawyers, with the exception of those who have undertaken studies in other fields such as accounting or insurance or who work in the finance sector.

Determining a definition of what constitutes a risk is a complex task. Some researchers have counted over 14 definitions (2). But this is only the beginning as there is a significant number of words, trivial in appearance, that have specific meaning when navigating the treacherous waters of risk management: risk appetite, risk tolerance, risk matrix, risk register, risk optimization, to name but a few. Those terms are part of Enterprise Risk Management (ERM) (3) and setting apart ERM (4) from traditional risk management is a very useful asset for lawyers and their clients.

There are several differences between the two approaches. In traditional risk management, risks tend to be managed in silos; every risk should be identified and mitigated; and responsibility for each risk is not ascribed to anyone in particular. In ERM, strategic risk thinking enables an organization to look at a portfolio of selected, significant risks that can be optimized and that are everyone’s responsibility.

If an organization simply has a series of policies regarding health and safety or a list of insurance forms posted on its website, in all likelihood, it is not enough to support the expectations and responsibilities of a board of directors. Lawyers can make a difference in avoiding silo-thinking. The practical experience of a lawyer can help in that regard, but actual training in ERM and contribution to effective ERM in an organization are ways to add value to the work of a lawyer.

There are various categories of risks (strategic, operational, financial and hazards) and regulatory compliance, for instance, is just one risk that touches a bit on all of those categories. It is a giant step, in my opinion, for lawyers to be able to recognize that regulatory compliance isn’t a catch-all solution and that there is value in working with all aspects of an organization, especially in effective risk management. Following this strategy, more boards are now shifting their ERM approach from a compliance to a strategic orientation (5). This shift may indeed improve competitiveness and business practices and, in the case of a university (and potentially of other public institutions), lead to greater achievement of organizational objectives (6).

Now, how does risk management intersect with regulatory compliance? Both can be stand-alone activities but, in order to yield true benefits, neither should be managed separately. This is where enterprise risk management comes in handy.

Looking at ERM from a systemic viewpoint should be key. For instance, at the University of Waterloo, we have integrated the activities of internal audit, university risk management (URM) and statutory (or regulatory) compliance under the umbrella of the University Secretary & General Counsel. Our URM program is ERM tied into our strategic plan; although we do not have shareholders, we have a clear mission that is laid out in that plan.

As we are implementing our URM program, we are looking at ways of ensuring that all sub-functions are connected to each other and remain organic. The conceptualization and implementation take time and energy, but the benefits are immense. Employers and stakeholders are more risk-aware and risk-conversant. They feel more engaged, hence are more prone to disclose risks and, probably more importantly, think ahead of time to manage risks. This is valuable for our institution to continue to thrive and be on the edge of innovation.

Alice Raynard is an Associate University Secretary (Risk & Compliance) at the University of Waterloo.

(1) Jull, K. (2011). The Canadian Corruption of Foreign Public Officials Act: Mandatory Risk Assessment. Document accessible at: .
(2) Hesloot, I. and Jong, W. (2006). Risk Management in Higher Education and Research in the Netherlands. Journal of Contingencies and Crisis Management, 14(3), 142-159.
(3) ERM is otherwise known in French as gestion intégrée du risque or gestion du risque d’entreprise and, in Spanish, as gestión del riesgo institucional.
(4) Various ERM frameworks can provide guidance, such as that of COSO or ISO 31000.
(5) Beasley, M. S., Frigo, M. L. (2007). Strategic Risk Management: Creating and Protecting Value. Strategic Finance, 25-31, 53.
(6) Galarza López, J., Almuiñas Rivero, J. L. (2015). La gestión de los riesgos de planificación estratégica en las instituciones de educación superior / Managing strategic planning risks in higher education institutions. Revista Cubana De Educación Superior, (2), 45.
