A conversation on risk

Norton Rose Fulbright and McLaren Honda

Part one: I am #RiskReady. Are you?

What does risk mean to you? For a Grand Prix racing team it can mean managing a multitude of factors to get their drivers across that finish line. For businesses it means recognizing external and internal vulnerabilities and managing them effectively to position themselves more competitively.


We made a conscious decision when managing risk. We had a works team relationship with Mercedes Benz: we were their prime partner for engines for 20 years and we won championships and we won many races with them. As was widely reported in the press at the time, Mercedes wanted to buy their own team but the management here were not prepared to sell the team. So even though Honda at that time didn’t have a power unit to the current regulations that was ready to go, we had been successful with them in the past and we took a big bet and a long-term bet that that was going to provide longer-term return on investment and a much stronger championship-winning position than a short-term view. So we’ve taken some pain in the short term and we’re managing through that.


Part of being “risk ready” is to ensure that the organization has identified the potential risks that could undermine or create barriers in the business and has developed a plan to address, manage, and mitigate those risks in order to achieve those goals. As Jonathan says, proper risk management can be a tool to ensure long term return on investment. 

Part of being risk ready is appreciating that you cannot control everything...it is critical to have a risk response team – Jane Caskey

The notion of “risk ready” also involves the assessment of the probability of other (or unplanned) risks. A company must identify those risks that are most likely to arise and have a plan to manage and mitigate them. However, it must also identify the risks that - however unlikely - would be catastrophic and to have a plan in place. Having said that, part of being risk ready is appreciating that you cannot control everything. Knowing this, it is critical to have a risk response team, methodology, and culture that is nimble enough to deal with whatever happens, even if not anticipated.


I don’t think it’s possible to feel that you’ve ever done enough, because the nature of what drives you forward is that there’s always something more that you can do.


It is important to appreciate that being risk ready is fluid. ….you can identify a set of risks that are relevant today but the risk landscape is constantly evolving. For example, social media has transformed organization’s marketing strategies but in so doing, has also created new vulnerabilities in relation to reputational risk. Similarly, the de-aggregation of the workforce and the emergence of virtual teams has triggered the need to think differently about how to manage that workforce.


Part two: Are your employees #RiskReady?

We find out from McLaren Honda how their employees impact on their risk approach. What is required from employees to not only manage risk but to make the most of it?


You cannot employ managers and decision-makers who are going to be risk averse. In lots of cases, the risk of omission is worse than the sin of commission. Taking no decision can be catastrophic. 


This is a live issue in professional services. We need professionals on our legal team who, while they must be able to identify the key risks, also must bring real value and offer creative solutions to work through those risks to advance clients’ commercial goals. Clients do not need an advisor who paralyses the business so that opportunities are missed.

It’s not about assessing risk from a negative basis. It’s about aligning your risk with your objectives – Mark Barnett


If you can embrace the risk that creates an opportunity that you can benefit from, then obviously the rewards are good. If you can spot an opportunity that other teams may have deemed too risky, or their preparation was such that they never spotted it—and you have, and you take advantage of it—then obviously that leads to a better result, and everybody loves that. It’s all positive if you get it right. It’s not about assessing risk from a negative basis. It’s about aligning your risk with your objectives.


I would add that the culture of the business is also critical and a key driver of the approach that our professionals take to our clients and their risks. Interestingly, as the business model evolves for professional service firms, we need to examine how to manage the workforce and maintain our culture. By way of example, I met with a client recently, which is a leading global technology and consulting business, and discussed the issue of disaggregation of its workforce. There are now so many people working remotely and that changes how employees interact. This creates a challenge to ensure that the culture and the values of an organisation remain top of mind.

There are now so many people working remotely and that changes how employees interact – Jane Caskey


We are actively trying to do something about diversity. We don’t have a gender bias: our market throws a gender bias at us. It is a very male environment, but increasingly less so. Graduate intake now is 40 per cent female. Across the business we are sub ten per cent females, which is tragic. But we find that our recruitment closely follows the UK demographic: the graduates coming out of sciences and engineering are increasingly on 40% and getting up to 50% females, so our intake will follow that. We already have 23 different nationalities in our engineering group.


There are lots of people with Masters’ degrees and PhDs. What you want to do is broaden the base. In my group, for example, you want some mathematicians, you want some engineering, you want physics, some software; what you want is a collaborative base of people who can share different ideas, and that really sets you apart.

If I’m working with some people who have been in Formula 1 for a very long time they have a different perspective, because things were different. For one thing, they had a very small group of people involved.

You can always learn from experience. It’s amazing how, because the regulations always change, something that used to happen perhaps in Formula 1 15 years ago will invariably come back at some point…but that’s the same way in life, isn’t it.


Part three: Is speed the biggest risk?

Reaction times at McLaren Honda can mean the difference between winning and losing. This also applies to business. How can risk be managed in this fast paced environment without compromising on quality?


Formula 1TM is a business that’s driven by time. The product has to be faster than everybody else’s and our ability to develop the product has to be faster than everybody else’s. So we’re in a development competition, an exploitation competition and a product competition all at the same time. In a digital age, those insights that enable us to develop the car or develop the organization come at us with incredible speed: we have to be ready to take those decisions.

To get managers in an organization to work in near real time and with the blizzard of data in a digital environment your organization has to work really quickly.

What we don’t want is managers who are paralyzed because in reality there is never enough time, there is never certain data, there is rarely a deterministic outcome of a particular situation —but the real world is going to move, and it’s going to move at that pace.

The speed of change can be a barrier to proper risk management and risk mitigation – Jane Caskey


Speed is a theme that weaves its way through legal risk as well. We see constant and fast-paced change to the legal risk landscape - stakeholders now react and respond immediately to risk issues, the speed with which the regulators engage has also increased, and the use of social media means that coverage and communication about a client’s problems happen almost instantaneously and in multiple media outlets and geographies. For our clients, given the significance and concern about reputational risk, how quickly one can respond to the risk effectively, is a key determinant of how successfully one will manage and limit that risk.

The speed of change can be a barrier to proper risk management and risk mitigation. If a client has developed an analysis of risk but is not keeping up the speed with which the risk landscape is changing, then the client is no longer in tune with the current risks, and that creates a significant vulnerability. There are organizations that are fully aware of the evolving risks around them, and they own them and are able to prioritize the key risks facing their business. There are other organizations who, to their detriment,  do not appreciate how much change is happening and the speed of that change.


How do you break out of the silos?

Risk is not something that one person can manage alone. It has to be a team effort. At McLaren Honda it’s all about teamwork and breaking down barriers.


We see silo-based culture break out every now and then and we take steps to address this (silo-bashing is what we refer to it as). We invent instruments to deal with it. We hold performance reviews on those boundaries where you know that organizational friction or conflict of agendas can arise. Then it’s up to the general management to put in place the necessary steps and administration to cause those sensitive issues to be teased out—but not so much that the weight of process becomes burdensome, because that would slow the organization down.

Making sure that the organization is balanced across the whole is really important. No one set of functional objectives should become a primary focus.


To be successful as a strategy team we have to be good at ensuring that silo-based thinking and operating doesn’t exist.

Our core task is to align the objectives within the race team to achieve our optimum result. To do that we’re like the centre hub pulling in all the different facets of the race team.  For example, if we go to a specific race, or we’re aligning performance to certain race objectives, or preparing to qualify, we bring in the drivers, the different engineering groups, all the elements that make up the decision-making process and we coordinate the information flow between the groups.

Our core task is to align the objectives within the race team to achieve our optimum result – Mark Barnett


We have witnessed silo-based thinking and operating and we have seen the limiting effect that it has. We have also seen the flip side -  where we break apart silo-based thinking and do a more holistic analysis of our clients’ business  — and that actually does give rise to different considerations and a more strategic, helpful, and relevant analysis of our clients’ risk.

In our own world of professional services firms,  while we need to have various industry focused teams and subject matter experts, we must ensure that they do not operate in a vacuum or without being connected to the other teams and the overall strategic goals. We have to be vigilant to make sure that we don’t fall into silo thinking. Otherwise, you fail to capture some of the most relevant interactions: how risks play off other risks, how risks are relevant across different practice areas, geographies, and across business units.

I don’t believe, in a modern organization, that it’s possible to work at the pace of global competition unless you are decentralised – Jonathan Neale


I don’t believe, in a modern organization, that it’s possible to work at the pace of global competition unless you are decentralized. I’m not talking about abdication of responsibility, but certainly where we try to take a decision at the point of most knowledge, that point of most knowledge will vary depending on what the scenario is. When you’re in a real time specialist environment, there’s no central group that’s going to take all of those decisions at the pace at which the business needs to roll. So our high performance organization culture is about trying to take a decision at the point of most knowledge when it needs to be made. This requires careful selection and development of leaders and great communication of priorities and context. Real time decision making requires that the overarching aims are really clear.


Part four: You cannot cover all the risks, can you?

Managing and prioritizing risk is a constant struggle not only for a Grand Prix racing team but for business globally. Prioritizing risk can be difficult and at McLaren Honda the approach has to be based on current success.


No, you can’t (cover all the risks).

Given that we’re a team on the move at the moment, and while we are in recovery, we are inclined to take a different kind of risk profile to a race. We can split strategies. We’ll go for performance over reliability because we know we can always earn our way to reliability. Given the business context and what’s at stake, we’ll put a different emphasis on things, take a different set of decisions. As we work our way back into the rarefied air where there is only 0.15 per cent difference among the top five cars, then at that point there’s a subtle shift in the way in which we execute. Our attitude to some risks will be different at that point.

You can become more risk averse as you get more things in your favour – Mark Barnett


Yeah, that’s true. You try to balance. You can become more risk averse as you get more things in your favour. So you have more to lose, but you’re also happier with where you currently are. You don’t need to risk as much to gain that one extra position.


Not all risks are equal. With our clients, the aim is not how to eliminate risk; that would essentially paralyze their business. Rather, we want to support our clients to manage risks in a way that allows them to achieve their business goals and strategies. As clients pass through different cycles of their development and growth, they have varying degrees of tolerance for risk.

We want to support our clients to manage risks in a way that allows them to achieve their business goals and strategies – Jane Caskey

One comment that comes back to me repeatedly, from GCs and heads of risk, is that they do not appreciate lawyers who come to them and merely identify risks without solutions, or lawyers who see everything as a material risk. That is not acceptable. For them such an approach is completely meaningless and unhelpful.

Once you’ve defined the risks, you have to assist the client to prioritize. There could be a risk that involves devastating consequences, but the likelihood of it happening is not high. It’s actually a matrix. It’s not just, ‘Is there a risk?’ It’s ‘What is the risk?’ ,‘What is the probability of that risk coming to pass?’, ‘What are the consequences?’, ‘Does it get a red, amber or green light in terms of degree of material consequence?’

Finally, where we find we can add real value as advisors to clients, is identifying issues that the clients haven’t yet seen and suggesting a path to address and mitigate those issues. For example, emerging trends or changes on the horizon that will impact the business. Often our clients do not have the time for horizon-scanning.


Safety will always be top of the list - there is no compromise. We accept, to a fashion, that there is inherent risk in putting somebody into a car that’s going to travel that fast and put it round with other people all trying to compete for the same space at the same time.

Nevertheless, as we demonstrated as a team very well, in Melbourne - when Fernando had a huge crash - with the care, the attention, the effort, the rigorous process and the uncompromising attitude to our car design, there are no shortcuts taken. You can walk away. We still feel it was fortunate that Fernando did walk away from that crash; there were a lot of things that could have gone further wrong. But the product that we designed wasn’t designed on the bare minimum from a safety point of view.

We don’t have the same attitude to all risks: some are more important than others.


What risks are at the bottom of the pile?


The risks at the bottom of the heap - that’s an interesting one, because you never think about it from that perspective. You definitely prioritise them but there are some risks that just aren’t worth addressing. If we become overly focused on the negative race strategy risks, then we would essentially underperform compared to our optimum at every race, because we’d be covering all of those and we’d be missing opportunities.

We could cover a scenario where you perhaps had two punctures or a pit lane was closed: well, they virtually never happen, and if I wanted to cover those then I could miss passing one more car via an earlier pit stop or something, and we’d finish further down. So we try not to overly focus on that type of thing.

If we become overly focused on the negative race strategy risks, then we would essentially underperform compared to our optimum at every race – Mark Barnett


There are so many factors involved in assessing a range of risks, that it really depends on that business itself. It needs to be a tailored analysis specific to that client. Whether the organization is a public or private company, how it has evolved, its market share, the regulation of that industry, and the risk culture…there are so many factors.

Often, the things that give rise to reputational harm, financial exposure or sanctions - and any individual or criminal exposure for management - those bubble up as the most significant risks. The risks with less tangible consequences tend not to float up as high.

You have to be realistic. You can’t do everything with a particular budget or within a certain corporate culture, so you have to prioritize.

But organizations must do the analysis and must stay current - there may be something a little outside of the box or something that is more relevant today than you might have said last week or two years ago. For example, even those of us based outside the UK are all closely monitoring the polls in the UK with respect to the vote on whether the UK will exit or remain in the EU. This is a current illustration of how political issues can dramatically change an organization’s entire risk assessment and, as their advisors; we need to be agile and ready to respond. So even though the UK may not leave the EU, we and our clients do not have the luxury of assuming that - we have prepared and that “readiness” is critical to effectively managing such changes in the risk landscape. A risk analysis done six months or a year ago that did not appreciate the implication of an exit vote would render an organization vulnerable and not ready to manage these new risks, should they materialize.


Part five: Compliance and regulation

Compliance is something that every business is familiar with and the risks associated with it. McLaren Honda hold themselves to a high standard. Managing compliance can be difficult and what it can ultimately come down to is the individual.


The level of bureaucracy required for transparency is high. I think the intent is a good thing—and even though we’re not a listed company we would certainly hold ourselves to the scrutiny of the blue chip organizations that invest in us, to be judged by those standards.

For us to be a successful organization and a high performance one, we have to carry the credibility and the brand values associated with our investors. We take damage to reputation very seriously. As brand ambassadors, there are a series of expectations both codified and not codified that go with that; that also plays a factor in the whole risk management environment.

For us to be a successful organization and a high performance one, we have to carry the credibility and the brand values associated with our investors – Jonathan Neale


The role of individuals is critical in compliance and actually presents quite a difficult issue. An organization can put in place a robust, rigorous compliance programme but ultimately, its execution, its success, and its accountability are all dependent on the individuals involved. 

We see time and again that where there is individual failure to comply, that is what escalates risk and gives rise to exposure. In the chain of compliance, adherence for the organization is only as good as the compliance of each of the individual pieces.

At the same time, an organization has to consider when things go wrong whether it was as a consequence of individual foibles and human error, or whether such individual conduct arose out of the structure, lack of check mechanisms, and culture of the organization. One should be asking whether an issue of failed compliance came about because of failures in structure or was it truly a rogue employee? The individual may get the blame, but there may be a broader context that has to be examined.

Regulators are a constant in the world of Grand Prix and in business. For McLaren it’s about working with the regulators rather than against them.


We’ve seen a variety of moves by the regulators in Formula 1, some of those very good, such as the constant underpinning of safety since the death of Ayrton Senna in 1994. But every three or four years we roll the dice on the technical regulations and we move from one direction to the other without any seeming constancy of purpose. We end up altering the experiment slightly, in the interest sometimes of improving the spectacle of the sport (which begs a series of questions, for whom, and have we measured that, and can we quantify that).

But there’s an obligation on us all, I would say, to work with the regulators: if the industry of the sport is not regulated it becomes chaotic.

Of course, we see this from different vantage points. From our perspective we may not always get what we’re looking for. The regulator’s job is to balance the interests of the teams, which are diverse, alongside the interest of the spectators (also diverse) and the commercial rights holders and then the sports promoters. So there is this quite diverse stakeholder community whose expectations have to be managed. As with all these things, if you hold yourself up to be a moderator or regulator you hold yourself up to be a target, so we take pots at them.

But generally we work pretty closely with them. So I would say a blessing and a curse.


Yeah, that’s probably right. All you can do is try to work constructively with them, try to align changes that we think are good for the sport.


There is one difference though in our sport: we are actively if not encouraged then rewarded for scrutinising the regulations. One of the curious things is that the more detail there is in the specification, the narrower its application. We’re always seeking to find legitimate or innovative ways around the regulations. We look at every clause, every phrase to say, ‘What does this mean? How should we interpret this?’ There are prizes for being innovative with the regulations. The fact that things are meticulously specified is an area of innovation and opportunity for us, because we’ll find the gaps. And if we don’t then others certainly will.

Regulators around the world have become more aggressive and more invasive—and that is a trend that looks set to continue – Jane Caskey


How an organization feels about the regulators depends on your industry, and where you are in the world. The regulators set the tone and set the regulation in order to create the conditions for proper governance.

However, regulators around the world have become more aggressive and more invasive—and that is a trend that looks set to continue. It’s placing a heavy weight on the companies and the individuals in those organizations. Many clients are asking whether the regulators are doing this to ensure compliance or has it gone a little beyond that?

When you look at the 2008 financial meltdown and its global consequences for both companies and individuals, one appreciates the motivation to correct for that and put in place greater regulation and compliance obligations to protect against such events from occurring.

Jonathan’s point about regulation in the sport of Formula 1 is interesting and highlights the differences in how regulation and risk are approached across different industries. At a recent GC Dinner event we hosted which included GCs from the pharmaceutical and financial sectors, a common theme related to the ethics of risk. Specifically, several of these clients explained that the majority of their day is spent - not on what their organization can and cannot do from a regulatory perspective - but rather it is spent on assessing what the organization “should” do in given circumstances, whether it is formally obliged to or not.


Part six: Social media

Grand Prix fans are some of the most engaged fans of any sport on social media. That fact not only provides opportunities but such a large audience can also represent risk. For businesses,  social media means being agile and quick to respond when they need to.


I think we need to embrace it and do more with it as a sports marketing proposition. But it is very problematic to manage and stay abreast of.

We court the media. We need the media for our share of voice to get our messages and our partners’ and sponsors’ messages across, so of course we have to be engaged.

It does feel like a mob sometimes. Twitter’s got about 970 million people currently registered: about fifty per cent of them are people who write something; the rest are like myself, observers who sit there and use it as an information aggregator. That means there are now 500 million self-appointed “bedroom bloggers” with 140 characters to say exactly what they like.

There are now 500 million self-appointed “bedroom bloggers” with 140 characters to say exactly what they like– Jonathan Neale

The fact that everybody has a view doesn’t mean that all of those views are of equal importance of carry equal weight. But the fact that they have the right to speak and that you can then mood sense from this by looking at different communities or aggregating the data is very useful, and therefore we have to learn to embrace it—but at the same time we don’t have to kneejerk react to every closet blogger who’s got something that they want to get off their chest. We just have to recognize that that’s one of the things we have to live with, but we certainly don’t have to be yanked around by it. 

Sometimes you have to roll with it and hope that the messages that you are conveying and your actions, which hopefully follow your values, will win out over time. We have a belief in our fundamental values. Over 50 years McLaren has been a successful organization: what it takes to win a race is still largely a very similar formula about the chassis, the drivers, the powering; but  what it takes to be a successful organization over 50 years is constantly evolving. We have to stop and look at ourselves and reinvent ourselves, but the values don’t change.


As Jonathan says it is not possible to control what is written about a business on social media. That said, it is nonetheless important to have a social media monitoring plan which sets out how you monitor what commentators are saying about your brand (whether good or bad). The plan needs to be clear as to where and what media you are monitoring and prioritize what coverage is important.

Companies can also use social media to their benefit when they engage effectively with customers, fans and even detractors. Transparent, responsive and respectful social media interactions can work to increase brand strength.

The days of sitting down and drafting a press statement are over with the unforgiving speed of social media – Jane Caskey

In the era of social media it is more important than ever for companies to also have a crisis management plan that specifically identifies social media and what the response will be in case of adverse coverage from disgruntled customers or angry bloggers.

Sophisticated companies have run through multiple scenarios, and run test cases, they have this completely ready to go. The days of sitting down and drafting a press statement are over with the unforgiving speed of social media.

Readiness and agility - these are the things that matter when managing social media.



The interview participants

Jonathan Neale
Jonathan is the Chief Operating Officer of McLaren Technology Group, with 30 years’ experience in the automotive and defence industries and a strong track record in the business of Grand Prix racing.

Mark Barnett
Engineer Mark Barnett is head of strategy at McLaren Honda: he’s the one who, as the minutes and the seconds tick by, is on the spot directing operations, making real-time decisions. He is supported at the pit wall by his team of eight.

Jane Caskey
Jane Caskey is global head of our risk advisory practice. She is an intellectual property lawyer whose practice is concerned with innovation and developing strategies to protect, monetize, and enforce IP rights. She leads our risk advisory practice which brings together experience from diverse practices, professionals, and geographies to collaborate with our clients to assess their legal and regulatory risks in order to develop a tailored and holistic risk advisory strategy to manage and mitigate those risks.