“There’s simply no way to make a business 100% risk-free,” argues Jan Klouda, Vice President Legal, Risk & Corporate Security at Vodafone Czech Republic, who talks to CEE In-House Matters about how to identify and manage risk within a company.
CEEIHM: You have worked in the telecoms sector for almost your entire career. What drew you to it and what made you stick around for so long?
Jan: Indeed, I had a brief experience with an international law firm – Squire, Sanders & Dempsey, now Squire Patton Boggs – after graduating law school and then moved in-house. In 2004, I joined Eurotel (the former mobile network, acquired and transformed into O₂ in the Czech Republic), and have remained in the telecommunications sector since, having later worked for UPC and then joining Vodafone in 2007.
I decided to go in-house because, while private practice can be satisfying, you have a limited ability to influence what your clients do, and, generally, a limited visibility of their strategic decision-making, which, in turn, limits your ability to advise them properly.
When choosing an industry, it is always difficult to foresee which one will survive for a long period of time and what its market will look like 20 years down the line but I chose telecommunications because I thought TMT had a good future. “People like to talk to each other and be connected and they always will need tools to do so,” I thought to myself and, it turns out, I was right!
CEEIHM: You are Vice President Legal, Risk and Corporate Security at Vodafone CR. While every GC has to deal with risk in some form or another, what does managing risk mean in terms of your role?
Jan: First, I believe that risk is not a concept that is relevant for management or security professionals only. It is rather useful as a general commercial concept. I think most people, and especially lawyers, often believe that whatever their companies do must be 100% safe and that adopting risk is something filthy – especially not something appropriate for lawyers. That thinking is, of course, correct to some extent, especially when we are talking about junior legal roles, though even at that level, I try to make my lawyers understand what risk is and how to advise their colleagues as to what an appropriate level of risk is. The simple reality is that the higher up the food chain you are within an organization, the more risk you need to be mindful towards adopting. There’s simply no way to make a business 100% risk-free.
Naturally, different businesses have different risk profiles and different approaches to how they manage it (which, in itself, is proof that there is no perfect way of managing risk). For bankers, for example, the very profit that they make comes from financial risk. Other businesses perceive risk as a threat to their bottom line rather than what is making their profits. I think it is simply important to internalize that there is always some level of risk and one needs to identify what a healthy amount of risk that can be adopted is and how to create the right internal mindset to adopt that right amount.
CEEIHM: How does one go about doing that?
Jan: Yes, it sounds much easier than it is in reality but it always comes down to setting up the right systems to begin with.
A basic level requires an alignment between the GC and the CEO and Board Members as to what risk levels are tolerable – especially taking into account the different personalities that are usually present in a board.
A second step is clearly defining the main areas of risk that need to be supervised and setting clear standards for each. I am talking here about common areas, from competition to AML, to anti-bribery, to health and safety, and so on. For some, you may decide to accept a higher degree of risk, for others, you may decide that you will have a zero-tolerance of risk in them because you do not want to expose the company to any pure costs. Take GDPR compliance, for example, where you can decide to implement a zero-tolerance approach because there isn’t really any potential upside to adopting any risk, while the potential fine is massive.
Once this is done, you need to look at what the law defines as the duty of care for each area and educate your board to allow them to incorporate these into an approach that balances the desire to maximize the upside for shareholders while minimizing the potential downsides.
CEEIHM: Is there a checklist that should be used to identify the areas of risk for a company?
Jan: I wouldn’t say there is one answer that fits all organizations – it really depends on the business running its own risk analysis and deciding these are the top areas we need to look at because they can really hurt if they materialize. And, based on the company, it can be 20 areas, or 100.
I do think there are types of risk that should always be taken into account, especially those that are criminal law in nature and which may create criminal liabilities for either the company or individuals. Another example involves risks that are regulatory in nature since those tend to involve high fines or, depending on the industry, can even mean losing the license to operate (which would obviously kill the business).
Then, of course, there are industry-specific aspects to consider – those that won’t necessarily get you in jail or end up in you losing your license but might have serious implications. For example, if you are a credit organization, you will be looking out for credit fraud. In the telecommunications sector, there are specific risks related to electromagnetic fields (it is more of a big PR problem than a factual one but you still need to be mindful of it and ready to address it), and even physical risks to keep in mind: With thousands of antennas in place to help you provide your services, you need to make sure you take care of your infrastructure, which may cause someone to be harmed if they climb up one to fix it and fall, which would have serious health and safety consequences. Last but definitely not least, since telecommunications involves an IT environment, cybersecurity is a big concern since you need to protect and ensure the integrity of the network.
CEEIHM: How do you go about identifying the risks that you need to take into account on a rolling basis – keeping a lookout both for current threats and those that might arise in the future?
Jan: I think there is one more important thing to consider first: What is the purpose of identifying risks? I went through this mental development myself. At first, I was assessing risks as I would see them at first sight, factoring in what I believed represents a risk and trying to factor in how important its potential impact would be, which I would then weigh against the scarcity of financial resources or human capital I could employ to address them.
Over time, I learned to look at it slightly differently. Now, I think to myself: “Ok, we have this list, but does it add value? If I go and tell my board about it, how likely are they to simply ask ‘Ok, and?’” I’ve learned that we, as an organization, may have been dealing with many of the elements I may identify as risks on a daily basis. And that might have very well been the case for ages – way before I identified them. There is no real point in drawing my board’s attention to this if it is incorporated in our daily operations within the parameters of that tolerable risk level, especially if there are few actionable elements I can suggest to address it. This deeper analysis cannot happen in a void – a GC needs to talk to as many relevant people as possible from other business functions to understand what is potentially truly important to raise for the management team to incorporate in its business decisions.
Beyond internalizing this thinking, don’t be afraid to benchmark. Look around – both in your country at other players in the market as well as globally, especially if you are part of a larger group – and compare your checklist with those that others are looking at.
CEEIHM: You mentioned that you try to train your younger colleagues to move away from the ‘risk is something filthy’ mentality. How do you go about training your team members towards that?
Jan: I make it a point to sit down with them and ask a couple of questions: (1) “What does your internal client want?” and (2) “What do they need?”
When a lawyer comes in and says “We can’t do X,” I make sure we first look at the request and try to figure out how it could be done. Are there other ways of doing it that were not yet considered? I try to teach them to not say “No” without first searching for a solution, and, ideally, we can come up with several recommendations to put forward, after weighing the pros and cons of each.
The second question seems like it might be the same thing but what is needed and what is wanted can be quite different. If a client wants an amendment, you may, after analyzing the issue, see that you may simply need a quick e-mail clarifying certain matters. It is a process you need to engage in, trying to understand what needs to be achieved and, at the end of the day, internalize that it is up to you to provide advice – but it is ultimately a business decision if an action is taken (with notable exceptions that involve criminal matters, privacy, and health and safety issues, where we, as lawyers, have a veto).
Beyond that, it is always a matter of reflecting on the commercial strategic context of the issue you are assessing, and encouraging them to do the same.