A Cheerful Guide to Legal Risk

The law school exam you never took

Mark Little
The Berkman Letter
Dec 11, 2015


Great news! It's your first week as in-house legal counsel. You meet with the General Counsel. She lays out the grim facts.

There are hundreds of unanalyzed legal issues, any one of which could cripple the company. The management team does not trust the legal department because the lawyers keep changing the priorities. The uncertainty is affecting business. Insurance rates are high. Customer satisfaction is low. To compound matters, there are only five in-house lawyers, and you cannot use outside counsel.

The legal department uses a case management approach to legal risk. Something happens, start a file. Go to senior management about the latest problem. Rinse and repeat.

In one sentence, describe how you will review all outstanding issues, set priorities that almost never change, improve interdepartmental trust, and make customers happy within an acceptable time frame.

“I quit” is not a valid answer.

The A answer

Implement a qualitative risk model to measure and manage legal risk.

To unpack this answer, we need to examine three concepts: (a) What is a qualitative risk model? (b) What is a qualitative model for legal risk? and (c) What is legal risk?

Qualitative risk model

Measure and manage legal risk

What is a risk model?

A risk model is a process for breaking risk into component parts. Each component part has a value. The model describes how to derive the risk based on an operation performed with the component values.

Financial services companies use quantitative risk models to predict the probability of default and the resulting expected loss given default. A large amount of empirical data and statistical analysis support their quantitative models.

Most organizations, however, do not have enough data or resources for (or confidence in) abstract statistical models of risk. We need an alternative to a statistical or quantitative model.

We need a qualitative model, one that we can adapt to legal risk.

What is a qualitative risk model?

A qualitative risk model is a framework for rating and ranking risks. Qualitative models use a formula and component values, like quantitative models, but the inputs are often informed or expert opinions (in the general business sense, not the litigation definition).

An effective qualitative risk model has three characteristics:

  1. Simplicity. A qualitative risk model should be simple, not simplistic. Each decision maker should understand the model.
  2. Consistency. Each component of the model should use the same vocabulary to describe risks and use the same scale to rate risks.
  3. Durability. A risk management framework should cover every type of risk we care about.

Legal risk model

In 2009, the International Organization for Standardization (ISO) released a fresh approach to risk and risk management: ISO 31000:2009 Risk management — Principles and guidelines.

The new ISO 31000 definition is especially useful for measuring legal risk. Risk is the “effect of uncertainty on objectives.” Risk management starts with identifying uncertainty and then evaluating effects (positive and negative).

Risk evokes losses, but it includes gains as well. What is the effect of uncertainty on our growth objectives: the new product, the new alliance, or the acquisition?

Viewed through the lens of uncertainty, risk helps us analyze any change, any decision, any issue. Legal risk management helps make money and keep the money the organization makes.

If we reduced the ISO 31000 standard to a formula, it might look like this:

R = L * C

where R stands for risk, L for likelihood, and C for consequences. Risk is the product of the likelihood of an event and its consequences.

Likelihood and consequences

Should we expect the consequences to materialize? When we answer this question with a measurement, we determine the likelihood.

Why not just say likelihood is probability? Because probability is a mathematical and statistical notion. In most cases, legal risk managers should avoid the term. Probability implies a precise value that you probably (pun intended) cannot calculate.

Instead of a quantified value for probability, a qualitative rating suffices to measure likelihood in our legal risk framework. A five point scale for likelihood might look like this:

4 Almost certain
3 Highly likely
2 Somewhat likely
1 Unlikely
0 Unknown

With a qualitative model, you rate the likelihood of an uncertain event, even if you do not know the probability of it happening. The idea is simple (but not simplistic). A consistent rating over time, across risks, contributes to sound risk management.

You can use a similar five point scale to rate the consequences of an event in broad strokes, not with precision. To illustrate:

4 Substantial
3 Significant
2 Material
1 Immaterial
0 Unknown

The amounts at each cut-off will differ for each client. What is “immaterial” to a Global 100 company is “substantial” for a local doughnut shop.

The overall risk rating is the combination of the likelihood and consequences for a given event:

4 High risk
3 Medium risk
2 Low risk
1 Insignificant risk
0 Unknown risk

Manage legal risk

Obviously, choosing the correct values for likelihood and consequences is critical for a proper risk rating. Legal risk management requires close collaboration with professionals in the client organization and a consistent process of (a) risk identification (“issue spotting”), (b) risk assessment (initial risk rating), and (c) risk evaluation (research and refinement of risk ratings).

From that process emerges an inventory of risks all within a single framework and vocabulary. That inventory is called the risk register. The risk register allows senior management to understand their entire risk portfolio at a glance. Business lawyer and business client can now undertake a comprehensive review of legal risks and prioritize those that need risk management.
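As an added example that is not part of the article, here is the five-point vocabulary and the R = L * C formula above worked into a small risk register in Python. The band boundaries that fold the 0..16 product back onto the 0..4 risk scale, and the sample entries, are assumptions made for this example; note that an Unknown input (0) on either scale yields Unknown risk rather than being read as no risk.

```python
from dataclasses import dataclass

# Five-point scales quoted from the article; 0 means "Unknown" on every scale.
LIKELIHOOD = {4: "Almost certain", 3: "Highly likely", 2: "Somewhat likely", 1: "Unlikely", 0: "Unknown"}
CONSEQUENCE = {4: "Substantial", 3: "Significant", 2: "Material", 1: "Immaterial", 0: "Unknown"}
RISK = {4: "High risk", 3: "Medium risk", 2: "Low risk", 1: "Insignificant risk", 0: "Unknown risk"}

def risk_rating(likelihood: int, consequence: int) -> int:
    """Apply R = L * C and fold the 0..16 product onto the 0..4 risk scale.
    The band boundaries are an assumption of this example, not the article's."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("ratings must be integers on the 0..4 scale")
    product = likelihood * consequence
    if product == 0:    # an Unknown input yields Unknown risk, never "no risk"
        return 0
    if product >= 12:   # 3x4, 4x3, 4x4
        return 4
    if product >= 6:    # 2x3, 3x2, 2x4, 4x2, 3x3
        return 3
    if product >= 3:    # 1x3, 3x1, 1x4, 4x1, 2x2
        return 2
    return 1            # 1x1, 1x2, 2x1

@dataclass(frozen=True)
class RiskEntry:
    issue: str
    category: str       # litigation, contracts, regulations or structural
    likelihood: int
    consequence: int

    def rating(self) -> int:
        return risk_rating(self.likelihood, self.consequence)

def prioritize(register):
    """Return rated entries (highest risk first) and the Unknown entries still needing
    evaluation. Ties break on consequence, likelihood, then name, so the order is stable."""
    rated = [e for e in register if e.rating() > 0]
    unknown = [e for e in register if e.rating() == 0]
    rated.sort(key=lambda e: (-e.rating(), -e.consequence, -e.likelihood, e.issue))
    return rated, unknown

# Constructed sample register modelled on the article's own scenarios.
SAMPLE_REGISTER = [
    RiskEntry("Consumer fee challenged as undisclosed interest", "litigation", 3, 4),
    RiskEntry("Revenue concentrated in one customer contract", "contracts", 2, 4),
    RiskEntry("Licence decision for the new hub", "regulations", 2, 2),
    RiskEntry("Product warranty reclassified as insurance", "regulations", 1, 3),
    RiskEntry("Industry deregulation", "structural", 0, 4),
]
```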

Legal risk

So what is legal risk after all?

There are four broad categories of legal risk: litigation, contracts, regulations, and structural changes.

Litigation risk

Litigation is the most discussed legal risk in organizations. Litigation is often public and always distracting. The range of events that cause litigation is broad: employee misconduct, accidents, product liability and so on endlessly.

When management asks the lawyer to discuss “What is the chance we will lose this case and what are the likely damages,” it is too late for risk management. Well in advance of litigation, we need to identify the areas of uncertainty that affect our objectives. This enables us to narrow the possible outcomes from particular events.

For example, a court case in an influential state invalidates a fee charged to consumers as an undisclosed interest charge subject to compensatory and punitive damages. Our organization charges a similar fee. We know how many times the fee is charged and in which states. We know the penalties in question. We have the building blocks to measure and manage legal risk from similar litigation.

Organizations invest significant sums to prevent litigation. It is helpful to weigh the cost of the risk management against the possible outcomes.

Contract risk

Contract risk is pernicious and difficult to track. The traditional approach to contract risk focuses on a breach of contract by one party and the extra-contractual liabilities that might arise. This approach treats each contract individually and in isolation.

Most organizations focus their contract risk management strategy on drafting effective agreements. Quality contract drafting is necessary, but not sufficient to manage contract risk. There are cases where one contract can create significant risk, such as:

  • An exceptional share of revenue is tied to one contract,
  • Procurement or service contracts for critical components allow for disruption or price escalation, and
  • The counterparty does not indemnify us for damages that carry exceptional consequences like unpaid taxes and environmental problems.

In most cases, however, individual contracts do not, on their own, have the gravity of litigation. The substantive, common and difficult-to-track risk is the uncertainty that arises from the contract portfolio in its entirety. Systemic under-management of contracts creates expense leakage and missed revenue opportunities.

Regulatory risk

The growth of the administrative branch of government is daunting to most business leaders. Regulatory risk represents the uncertainty of the consequences of an agency’s action.

For example:

  • A transportation company applies for a license to expand its operations to a new hub. Uncertainty regarding the agency’s decision, as well as its scope, creates risk. Under ISO 31000 the agency’s decision can have positive effects, but the uncertainty still creates risk.
  • A product manufacturer offers a novel product warranty to generate additional revenue. State insurance commissioners can determine that the warranty should be classified as insurance. They can then levy fines, require insurance applications, impose conditions on the product or pursue civil remedies.

Identification of regulatory risks is challenging, but the uncertainty about the effects is measurable in terms of penalties from fines to administrative orders.

Structural risk

Structural legal risk is rare for most organizations. Structural legal risks arise from uncertainty about the underpinnings of a particular industry, technology or method of doing business. When the airline industry was regulated, for example, there was a structural legal risk that the industry would be deregulated.

Structural legal risks can arise from sources other than legislation. Antitrust litigation can significantly alter pricing in an industry or key business relationships. Consumer protection enforcement actions can also change the fundamental assumptions of an industry, rendering a marketing practice (multi-level marketing, for example) unacceptable.

Structural legal risk is also a good example of the ISO 31000 definition of risk. We can be uncertain about the change from a regulated to a deregulated industry. The potential effects are varied: some are positive, some are negative. A structural change can benefit one organization while harming another.

Conclusion

The effort to measure and manage legal risk pays dividends in the reduction of real losses from legal issues. It also pays dividends through improved collaboration between the legal team, operations, and senior management.
