Why Reducing Risk Requires New Skills
Knowing the law is necessary but not sufficient
When I started practicing law, we called ourselves lawyers or attorneys (some used the archaic attorney-at-law). After a decade, I moved in-house where I picked up a new name for what I did: I was a risk manager. Corporations had two basic categories of risk managers: those who handled insurance and those who handled the law. Today, the title has shifted and now everyone is a risk manager, but lawyers still see that as a primary focus of what they do.
As a lawyer-risk manager, I had two principal functions. Firstly, I was tasked with minimizing the harm that came to the company when bad legal things happened. Lawsuits presented one type of risk. But regulatory issues, contract failures, and policy lapses were a few of the other areas where the company faced risk from legal issues. The bad thing had already happened so the best I could do was find a graceful and hopefully inexpensive exit.
Secondly, I was supposed to prevent bad legal things from happening. Preventive law has been around for almost 70 years, but it has traveled under many names. It has been the flip side of minimizing risk from bad things that already happened. Create a clever contract and you may never have a contract dispute. Plug legal holes before the product is released and you may see fewer lawsuits. Draft some policies and employees may know what to avoid easing regulatory risk. The least expensive and easiest to fix legal problem is the one that never happened.
The risks clients face today overlap some with the past, but are shifting into new areas. We know how to create contracts and draft policies that minimize risk. We can do preventive lawyering so that lawsuits are few and far between. In other words, law and lawyering have evolved to the point where avoiding the risks of old is relatively easy (though it may often fail in the execution, but that is another post).
Where the law and lawyers have not kept up is in the area of emerging risks. These are the risks that can’t be solved by the simple contract, policy, or procedure. These are the risks that take serious thinking, knowledge across many substantive areas, and an appreciation for complex problems. They require collaborative effort, curiosity, and a willingness to shift business models. In sum, they are the areas lawyers are least prepared to handle and, it seems, most willing to avoid.
Let’s be a bit paranoid and play a game — is there a Russian hacking risk? These are a few of the data points from this week (again, this is a game so bear with me if the details are weak in a few places):
- Equifax is hacked to the tune of 143 million accounts.
- Vladimir Putin says world domination will go the country that wins the AI race.
- Elon Musk says the race for world domination through AI will lead to WWIII.
- It appears that an infiltration into the U.S. power grid earlier this year, where the hackers go to operational controls, came from Russian state-sponsored hackers.
You could add to the list, but this is enough to get us started.
On any scale, the risks from a hack into your systems greatly exceed the risks that come from ordinary legal foul-ups. Most lawyers, however, put this risk on the IT group. Cybersecurity is an IT thing. But, of course, the legal ramifications of a cybersecurity breach are widespread and could be damaging for years. As another data point, consider your company’s stock price. A recent study shows that stock prices take a nose dive from cybersecurity breaches and don’t recover for years.
If the legal consequences of a cybersecurity problem are enormous, why aren’t there more lawyers involved in the risk management process? I have asked that same question of general counsel and others in the business. The most common answer I get is that there are too few lawyers who know anything about cybersecurity. At best, the lawyer may have some understanding of the law. But, to be a competent player in cybersecurity, you must go well beyond the law and understand some of the technology.
Why aren’t lawyers trained to handle modern risks? Because those who teach law school aren’t trained to teach the law related to these modern risks. They also don’t have competency in related domains, or at least sufficient knowledge to provide the law students with a well-rounded education in the field. Cybersecurity is one field, but there are many others. Compliance, AI, bockchain, CRISPR, 3D printing, and nanotechnologies all present new and complex risks. Yet law schools, unlike business schools and other academic areas, are slow to adapt when change happens.
There are some schools who seem to realize the substantive and competitive advantages of teaching law students about these emerging risks. The George Washington University Law School has The Cybersecurity Law Initiative directed by Orin Kerr. The New York Law School has the Institute for CyberSafety. The Arizona State University Sandra Day O’Connor School of Law has a Center for Law, Science & Innovation that touches on many of these issues. Northwestern University’s Pritzker School of Law (my alma mater) has many courses and degree combinations offered under the broad heading “Law, Business, and Technology.” In Canada, Osgoode Hall Law School is offering a course in Blockchains, Smart Contracts and the Law. There are others, but the list is short compared to the list of schools offering an overabundance of courses in fading areas of law.
How do we change law schools’ grip on the past. It would help if law schools hired deans who are in touch with the future of law instead of bonded to the past. Leadership starts at the top and it will take those with vision about where the legal profession can go to shake up academia.
Another good starting point would be for law schools to educate law faculty on changes in risk areas in the real world. Law school faculty live in echo chambers just like the rest of us. They get caught up in the soap operas that are the law schools and lose track of real world dilemmas. Bringing in people from outside the law to talk about the problems they face would help (though how to get the professors to attend these talks is another problem).
Getting a better grip on what employers want (pull) rather than what law schools want to churn out (push) would help shift the focus. Around two-thirds of law school graduates get jobs in a decent year. Asking the simple question “what do you need from graduates” would produce some interesting responses.
Finally, addressing the curriculum challenge would help. Creating integrated programs leading to higher skill levels in broad areas, bringing into the classroom modern teaching methods, and changing the focus in many schools from “take what will be tested on the bar” to “take what will help you in your career” would bring significant gains. As with the other areas I’ve mentioned, there are professors and schools making changes in these areas, but too few and too slowly.
The legal industry is an oddity in many ways. Demand goes down, but prices go up. Demand increases in certain areas, but supply doesn’t change. It seems like the basic rules of economics have skipped the legal industry. There is a bright future for those institutions who want to delve into law and risk management for the 21st century. Employers need qualified grads, students want the jobs, and in-between sit the law schools stiff arming both groups. If law schools want to manage their risk, they need to stop avoiding the future and embrace the new challenges all around them.
Ken is a speaker and author on innovation, leadership, and on the future of people, process, and technology. On Medium, he is a “Top 50” author on innovation and leadership. You can follow him on Twitter, connect with him on LinkedIn, and follow him on Facebook.