Legal Risk Exposure Handbook

No organization can function safely without an effective framework that protects it from legal risk exposure. How do you limit legal risk exposure in your organization, and what steps do you need to take to create and implement a legal risk management framework?

Share on twitter
Tweet
Share on linkedin
Share
LEGAL RISK handbook
In this Handbook:

Although the scope of Legal Ops’ role in organizations has evolved, one of its core functions remains limiting legal risks. But as that role has changed, so has the scope of what constitutes legal risk—and of what is the best way to account for it. 

What is legal risk exposure?

Legal risk exposure refers to the potential impact on an organization from risks that arise from any failure to meet a legal obligation. Risk, generally, is about uncertainty management as it pertains to your goals. There are always things nobody can predict, which is to say, there’s no such thing as zero risk. Every business involves taking risks; it’s in the very nature of running a business. Accounting for legal risk is part of an organization’s overall risk management plan.

An organization’s legal team is of course responsible for protecting the company from things like lawsuits, reputational damage, and helping it avoid or overcome legal barriers to being able to do business. Reducing your legal risk exposure is a complicated undertaking, requiring the management of minor details like ensuring the contract language of a purchase order is correct, to conducting large-scale risk assessments, like deciding whether or how to begin doing business in a different geographic region. 

 

Some legal risk management tasks will be the domain of other business units, even though the general counsel (GC) or chief legal office (CLO) is ultimately responsible for them. That means the legal department’s aegis includes educating other teams about legal risk exposure.  

No organization can function safely without an effective framework that protects it from legal risk exposure. How do you limit legal risk exposure in your organization, and what steps do you need to take to create and implement a legal risk management framework?

1. Identify and define legal risks as they pertain to your organization

Every organization needs to identify and define the legal risks it faces as well as the scope of those risks. Risks vary according to the field or market your organization is in, as well as the geographic regions in which it operates. It’s important to understand those nuances so you can effectively gauge the type, severity, and scope of your legal risks.

 

  • What does “good” look like? A comprehensive taxonomy of risk vectors and types of legal risks germane to the organization   
  • What do you need to achieve that? List of common risk factors (eg, regulatory, structural, customer, financial, reputational, litigious); system for fielding comments and overall feedback from stakeholders across all business units of the organization about which risk factors their unit faces; system for tracking “legal risk appetites” for each factor; process for assigning risk factor ownership assigned to the optimal business unit;  process for mapping risks and responsibilities mapped to the organization’s overall strategic goals

 

Dive deeper: Think of legal risk management as more of a discipline than a set of neatly defined tasks. Creating the right risk profile for your organization requires broad and precise thinking, as well as a dose of creativity. Never let your legal risk exposure be vulnerable to your lack of imagination. 

 

It’s also important to understand that this assessment will be different for every organization. Factors to consider include the regulatory environment in which you conduct business, especially if that includes multiple jurisdictions, as laws can be significantly different in North America versus the UK versus the EU. Consider both internal (eg, liability from employee behavior) and external (eg, regulatory changes) risk factors, as well as your business model or growth strategy (eg, if you’re developing your own IP versus growing through acquisition). 

 

A crucial filter is the amount of legal risk the organization is willing to shoulder balanced against the stakes of exposure. It may be worth taking a large gamble on a key acquisition, for example. But there’s a difference between risking a large monetary investment on an acquisition that may not provide enough ROI and one where the acquisition target is facing potential litigation that could introduce liability. The key is knowing what’s at risk going into it.

2. Establish a framework for risk management

Some aspects of risk management will be the responsibility of business units outside of the legal department. A risk management framework ensures that the risks you identify and define will be assigned to the right people and processes. It also determines the company’s appetite for various risks and serves as a guide for where to assign legal resources and where to place accountability. 

 

  • What does “good” look like? 100% alignment on who is responsible for which component of legal risk exposure; access to the risk management framework for 100% of stakeholders; defined defense model
  • What do you need to achieve that? Legal risk exposure education and training for all business units; systems and processes for ensuring constant communication between those units and the legal department; “three lines of defense” model

 

Dive deeper: Education is an underrated means of minimizing legal risk exposure. Everyone in an organization is invested to some degree in protecting the company from harm caused by legal problems. But if teams don’t understand broad risks the organization faces as well as the specific ones that their department can be responsible for, they can’t help be part of the overall risk management plan. A simple example is making sure a junior salesperson understands how critical it is to get a contract signed before moving to the next step in a process with a customer.

 

A close cousin of education is communication, because training doesn’t work if it’s not communicated to teams in a way that they understand. By the same token, legal departments need to be open to learning about emerging risk vectors from other teams so they can respond with advice and support. It’s a virtuous cycle. 

 

Although you can develop your own structure for establishing legal risk accountability in your organization, the “three lines of defense” model created by the Institute of Internal Auditors is a commonly used one. Fundamentally, it’s a way to ensure accountability in your risk management profile. The idea is that the first line of defense comes from those who have management over risks and controls. The second line is those who have the expertise to closely monitor and understand risk and control processes. The third line is an internal audit that examines the effectiveness of the first two lines of defense.  

3. Create monitoring and reporting plans and procedures

Once you have a risk management framework in place, you need a set of policies and procedures to evaluate how you’re faring in terms of legal risk exposure as well as a plan to address any threats that arise.

 

  • What does “good” look like? Balance of automated and manual monitoring procedures; report at least quarterly; defined escalation routes
  • What do you need to achieve that? High-quality data strategy; automatic reporting triggers via key risk indicators (KRIs); risk-based sample testing; regular reporting presentation to authority (eg, risk assessment committee, audit committee, or board) 

 

Dive deeper: There are many ways to create and implement an effective monitoring and reporting plan, depending on your organization’s particular needs and preferences. But any plan at its core needs to start with a data strategy that ensures information about legal risk exposures is coming in. You can compare the data to whatever KRIs you’ve determined, and from there you should have in place automatic reporting triggers that send alerts through a predefined escalation route so the right people are aware of issues—and can take action—as quickly as possible. You should also ensure that following legal procedures and reporting issues is seamless and simple, lest people circumvent them simply because of friction, thereby ironically introducing additional risk.

4. Optimize and automate processes with technology  

Technology use among legal departments has historically been relatively low, to the detriment of risk management. Technology can not only help track legal risk exposures, but by automating some tasks, it can remove risks that manual processes can introduce. 

 

  • What does “good” look like? Systems to automate and/or empower 100% of legal risk exposure assessment, monitoring, and reporting tasks
  • What do you need to achieve that? Operational risk system; access controls; eBilling; eDiscovery; predictive analytics; fraud monitoring and detection; workflow automation; document management system; knowledge management; contract management

 

Dive deeper: The opportunity for legal departments to implement technology to accomplish legal risk exposure management is enormous. Most of the core tasks of a legal department can be automated or aided by technology, not the least of which is ensuring access to clean and complete data. 

 

In addition to the obvious benefits of employing technology to empower employees, it has the side benefit of providing auditability. That will help your organization spot and solve problems that come up, but it also makes communicating with regulators much simpler and comprehensive—and less risky. 

Glossary of terms

  • Legal risk exposure – the potential impact on an organization from risks that arise from any failure to meet a legal obligation
  • Risk management – the discipline of identifying uncertainties facing an organization, evaluating the potential effects, and minimizing negative consequences
  • Legal Ops – all the business activities, processes, and people that enable an organization’s legal department to focus on core competencies
  • Risk assessment – evaluation of risks to an organization and their consequences 
  • GC – General counsel 
  • CLO – Chief legal officer
  • Risk management framework – a template and guideline for an organization that ensures the identified and defined risks will be assigned to the right people and processes
  • Risk profile – prioritized analysis of the types of risks an organization faces and its willingness to take them
  • KRIs – Key risk indicators 
  • Three lines of defense model – a way to ensure accountability in your risk management profile by assigning three levels of roles and responsibilities to different parties within an organization