During the summer of 2005, 412 inside corporate counsel answered an online survey sponsored by ACC and Corpedia, a provider of ethics and compliance training. Some 85 percent of those respondents were at US-based companies; and 60 percent were with publicly-traded companies.
The majority of the respondents (69%) from publicly-traded companies said their companies conduct periodic risk assessments, and nearly 80 percent of those estimate both the probability of occurrence and severity of effect of the risks. Boggles my mind!
Lawyers should have a supporting role in this process, targeted at legal risks, but it is surpassingly hard for me to envision how you list legal risks and estimate both their likelihood and consequence.
For example, all companies that export products face a risk that someone connected to them will bribe a foreign government official, in violation of the Foreign Corrupt Practices Act. Beyond that, how can you figure out the likelihood of that happening, let alone the reputational, legal, or economic repercussions if the wrongful act is discovered?