Sustainable Business






Many companies, especially smaller companies, treat risk management as an afterthought, to be handled by an in-house functionary as part of an annual insurance review. However, as shown on this website, risk management is much more than that.

Risks come in many sizes and flavors, including well-understood risks, like premises and product liability, and more esoteric risks, such as cyber risk. We will not list all the kinds of risks a company may face — a tall if not impossible order — but here are two especially worth remembering:

  1. Mission failure. All businesses are created with a mission in mind, so there are always risks of mission failure.
  2. Inadequate risk management. Those in charge, from the board down through lower middle management, are graded in part by how they manage risk.


Investors want the companies they invest in to be valuable and increase in value over time. When considering an investment, assessing the downside is equally if not more important than perceiving the upside. Once an investment is made, investors can demand or advocate for the installation and/or improvement of risk and compliance programs, and thereby add value.

Business Owners

Business owners want their companies to be healthy and profitable. Business owners often also want their companies to be saleable to potential buyers for a good price, pursuant to a carefully prepared exit plan, or even in a forced sale. A risky business is a less-valuable business, and it can be unsaleable at any price. Accordingly, governance, risk and compliance deserve high-level attention from business owners.

Acquirors of Businesses

Acquirors want a good “acquisition experience”. Experienced professional investors typically expend considerable effort in due diligence to help form their baseline expectations, the amounts they are willing to pay, and the terms and conditions of buy-sell agreements, including representations and warranties insurance. However, due diligence often misses risks, and rarely takes account of a company’s risk management program or competencies, or the adequacy of the target’s business insurance.

Risk and compliance management are equally or more important post-acquisition, to uncover previously unrecognized risks, to make systematic improvements, and to enhance the value of the acquired company.

Board Members

Boards of directors are ultimately responsible for governance, risk and compliance (“GRC”). Governance is a board’s fundamental role, and most directors know that. They may not be as aware of a board’s duties with respect to risk management, which requires, initially, getting a basic awareness of the company’s risk profile, and then creating a legal and practical framework for eliminating or mitigating risks. That requires allocation of responsibilities and lines of communication, monitoring and periodic top/down review. The policy should provide guidance on board involvement in the event of a crisis.

Board members also need to be informed of their legal and reputational risks. Surprisingly, most board members are not aware of the ins and outs of directors and officers insurance policies, or that the coverage may be less protective than they thought.


Lenders know that poorly governed, high-risk and/or non-compliant borrowers are problematical.

We can help lenders on all matters pertaining to risks, including assessments of potential customers’ governance, risk and compliance programs, and thereby improve the quality of their loan portfolios.

What We Provide


We provide informational resources for individuals and organizations to understand relevant concepts and related obligations and opportunities.

Assessments of vulnerabilities and solutions

The beginning point of risk management is a survey of all aspects of a company to identify risks and assess their significance. We have a unique tool to help C-suite executives and board members make an initial assessment of risks. If the company is ready to proceed, we work with management to dig deeper to find all the material risks and rank them in terms of impact and probability.

With a risk assessment in hand, the company is ready to develop strategies to deal with specific risks and to work with management to create policy and an overall risk management program. We have a network of solutions providers, and we can direct or oversee their efforts.

Board-level assistance

Risk management is increasingly recognized as a matter for boards of directors and trustees. We can assist your board in establishing policies, committees and procedures, and in connection with periodic risk management reviews.

We also provide advice and solutions regarding Board Member Liability for all matters, including the failure of the board to discharge risk management duties.

Risk management

We stand ready to advise you on your risk management concerns. We have procedures and systems for overall, compliance and ESG (environmental, social and governance) management. We can assist in selecting systems to deal with particular matters.

Compliance Management

We assist clients in dealing with compliance management, and recommend that it be integrated with risk management.

Compliance management is inherently linked to risk management, even though they may be managed in different departments. Furthermore, the processes of managing them are similar, which is why advanced on-line risk and compliance platforms typically manage both. (Think of it as Comprehensive Risk Management.)

Due diligence services

Due diligence of a company, in connection with a possible investment or loan, usually serves two primary purposes: (i) to verify representations and (ii) to uncover and assess risks.

We provide due diligence services on behalf of investors and lenders.

ESG Management

ESG (environmental, social and governance) is a relatively new aspect of business and investment management. Many of the world’s largest businesses are now devoting meaningful resources to ESG. Many other businesses barely know where to begin.

ESG is best managed similarly to risk and compliance. We recommend an integrated system for managing risk, compliance and ESG.

We can help companies of all sizes and levels of sophistication understand and cope with the new challenges of ESG.

Our Approach

Our founder and CEO is a lawyer, and our approach is informed accordingly. We are keenly aware, however, of the limitations of a lawyer’s perspective and knowledge. Our approach is therefore comprehensive and multi-disciplinary.

Our information and advice are based on (i) the GRC (governance, risk, compliance) model of OCEG (of which we are a member organization) and (ii) the evolving field of “sustainability” — also known as “responsible business” — which is now guided by “ESG” — environmental, social and governance principles.

Our approach is comprehensive. We look at the vertical, horizontal and contextual aspects of an organization. We see how governance, risk and compliance considerations interact and how purported solutions can create their own problems.

We believe that risk and ESG management should be driven by ultimate decision makers — those who bear ultimate responsibility.

Multiple Perspectives and Competencies

Each of the element-boxes in the diagram is discussed below.


McAlan brings legal expertise to assess a client’s needs and provide counsel. The basic requirement here is legal education and training, supplemented by experience, handling compliance with laws and regulations, and managing disputes.

Every contract creates risks. McAlan can be helpful in connection with Contract Lifecycle Management (CLM), which covers the various stages in the life of a contract, beginning with negotiation, through performance, and post-performance/termination matters. CLM can be the domain of the legal department or some other department and/or shared.

Insurance and risk transfer

Insurance is the industry most closely associated with risk management. We have dedicated resources to find the best insurance solutions.

Risk Transfer means contractual shifting of risk from one party to another, most often seen in financial and commodities hedging operations.


The vast majority of business people and their professional advisors are unaware of ESG risks.

ESG is evolving from “soft law” to “hard law” in the form of laws and regulations.

This new world of ESG expectations, demands and legalities is a special area of competency for us.


IT and systems are at the heart of virtually every business. System integrity is essential.

We live in a world of extreme cyber risk. There is simply no excuse for neglecting cyber risk.

Senior Management Knowledge and Experience

High-level business knowledge and experience are invaluable. They play an important part in risk and crisis management.

The ideal set of knowledge and skills will vary from company to company. Based on what we learn – what the company has and does not have – it may be appropriate to bring in industry or functional expertise or general experience/skills.

Communications, Public/Investor Relations

It is important to have effective communications to manage risk and even more so to respond effectively to a crisis. These communications can be inward-facing or outward-facing – directed to suppliers or customers, or to “the court of public opinion”.

Finance and Portfolio Theory

Financial resources are of course essential. Cash flow is what keeps a business going. Therefore, you need to understand what lenders and investors want — or demand.

Our founder received advanced education on finance and portfolio theory at the University of Chicago, worked on Wall Street as an investment banker, and ran the corporate finance department of a regional investment banking firm.

Our analysis often includes an assessment of a company’s financial needs and resources. Although a company may have solid financial management, in a crisis, new perspectives and resources may be required, and we can help arrange for that.

“People Solutions”

Successful risk, compliance and ESG management requires good people who are educated, trained and committed to risk, compliance and ESG management. McAlan can provide education, training and engagement resources, and can design and/or oversee programs.

We have dedicated resources to deliver “people solutions” for your risk management program or department — full-time, part-time, fractional or outsourced — tailored to your business needs. We can also provide people solutions to support you in a crisis.

Management of human resources is important but too often overlooked in risk and crisis management. An organization is well served if its people have the psychological and wellness attributes that make them strong and effective in their jobs. We call this “resilience”. We have information and resources available to help your people become resilient. Because resilience is built up over time, long-term programs are helpful.

Just as resilience is desirable in a company’s workforce, it is also a hallmark of good management. We can arrange for group wellness programs and individual counseling and coaching.