An article by Jared Wade in Risk Management Magazine references the death of luger Nodar Kumaritashvili and includes an email from VANOC head John Furlong relating to the safety concerns about the luge track raised before the Vancouver Games. Furlong wrote: “…someone could get badly hurt… An athlete gets badly injured or worse, and I think the case could be made we were warned and did nothing. Our legal guys should review at least.”
Furlong had the right approach to manage the related legal risk. But do we do risk management only to mitigate our potential legal risks or the risk related to meeting our strategic objectives? After all, the dangers (risks) associated with the course were identified because they were doing risk management!
It is a slippery slope when, after a Loss, lawyers can do Hindsight Risk Management and question the risk treatments/decisions performed in the past. Ask any consultant and they will tell you that risk management is already hard to sell (e.g, easier to sell the cure than the prevention.) But why the hell would any Board of Directors want to entertain an ERM program and a proactive approach to identifying risks when they could get sued for wrongful death or negligence for making the wrong risk treatment decision in hindsight?
Is there less risk doing risk management or not doing risk management? Would it have been better for VANOC to build the track, fill it with ice and send riders to their death?
Someone suggested that if a lawyer had sent Furlong the email about the luge risk, then the email would have be considered privileged and could not be used as evidence against VANOC. (Legal risk management?)
Is that what ERM will become? Will a risk only get documented if it doesn’t create downstream legal risk? Will all risk-related information have to travel through our external legal counsel so the information cannot be used against us? Do we want lawyers sanitizing the list of risks that management knows about to enable blissful ignorance and no lawsuits?