Richard S. Fuld Jr., the chief executive of Lehman Brothers Holding that owns the financially charred remains of a once formidable investment bank, didn’t look very happy answering angry questions from Henry A. Waxman’s House Committee on Oversight and Government Reform yesterday or when dodging the protesters waiting for him outside who hurled insults and held up signs reading “crook” and “shame.”

I bet Mr. Fuld is not used to people talking to him like that.

He’s also not used to being held accountable to people who talk to him like that.  The only problem now is that he can’t flick them off like flies the way he did back in June when he dismissed a call by certain shareholders to forgo bonuses this year and mockingly noted “they are only people who think about their own pockets.”

The tide has now turned against him.  The FBI and at last count 3 U.S. attorneys offices are investigating whether positive statements made by Fuld to analysts about the health of Lehman’s balance sheet five days before the company filed for bankruptcy amounted to fraud.  The Securities Exchange Commission is also examining Lehman’s asset valuation practices.

One internal Lehman document dated June 8, 2008 shown to Fuld during yesterday’s hearing warned about Lehman’s financial condition and asked, “Why did we allow ourselves to be so exposed?”  Yet Fuld claimed he never saw the document before.  Maybe he didn’t see that particular document before, but had he heard that there might be a problem from some other source?

It’s hard to believe he could be that clueless.  It makes you wonder how someone so smart could be so blind.

That incongruity offers a few interesting leadership/ legal lessons for managers of any size business:

1.  Periodically reexamine the assumptions of your cash cows.  Those cows are not sacred.  Everyone loves to make money and no one wants to lose out on the latest market trend; but, if you don’t respect business fundamentals you stand to lose even more — maybe everything.

2.  Hedge your assumptions — the goal is to survive and thrive, not gamble and hope for a bailout from Uncle Sam, your shareholders, your friends, or your family.

3.  Remember who your business is serving and serve those constituencies with integrity.

4.  Create checks and balances in your business processes and systems to avoid overconfidence and Hummer-sized blind spots.

5.  Keep your finger on the business pulse more than in the cookie jar.

Keep those 5 principles in mind and you won’t be staring down a legal nightmare or find yourself starring in a Congressional Jerry Springer Show.

The troubles on Wall Street have created a renewed and heightened interest in business governance, risk and compliance (GRC) issues.  The Open Compliance and Ethics Group is a leader in this area and a great resource for those interested in strengthening their own corporate cultures. 

A recent set of OCEG initiatives focusing on technology solutions that can help achieve unified GRC caught my eye, particular an article titled “Risk Intelligence”.  The premise is that information technology tools are available to assist companies in achieving “risk intelligence”, but there are three steps that need to be taken before companies develop such knowledge.  

First, companies must identify their risks and determine at what level each risk becomes an “issue” worth addressing or resolving.  It’s basically a process of categorizing and prioritizing risk.  Once identified, that information becomes the building block for determining what risk indicators need to be tracked and how they should be quantified.

Second, the collected information must be evaluated and quantified. Third, the risk must be responded to and the response data collected and examined for effectiveness.  This response database can then serve as a resource if the problem recurs and management wants to see what’s been done before and whether it worked.  It’s an institutional memory.

The technology tool sounds wonderful and will no doubt play an important part in automating and integrating GRC initiatives.  But I can’t help comparing the situation to the fellow who buys a big fancy project planner in the hope that he’ll get better organized.  Buying the planner may make him feel better, but if the data is not input properly and maintained, the system will be just as cluttered and ineffective as the pile of jumbled post-it notes on his desk.  Relying on an IT system could therefore lull some companies into the same complacency trap.  

Quantifying risk may create the appearance of turning soft concepts into hard science.  But, IT systems are no substitute for good GRC practices any more than a project planner will organize your projects for you.  To be effective, the IT system and the project planner will require care and feeding on both the front and the back end.  Sure, the data being collected will need to be analyzed and responded to.  But, the risk being measured will also require a periodic reassessment of whether it is still an appropriate risk to be measuring.    

Markets and business climates change.  They are dynamic.  These changes can impact your company’s legal risk profile.  That’s why there must be a periodic review of what is being measured to determine whether the metrics continue to be meaningful.  If not, you could be measuring the wrong thing and wind up with a bunch of feel good numbers that offer a false sense of security instead of a robust system for identifying and managing unwanted legal risk.

What could your business be doing to keep its finger on the pulse of its changing legal risk profile?