Most companies undertake at least some degree of legal risk management every day, via inhouse lawyers or consulting with external legal advisers. But as day-to-day tasks and urgencies pile up, it is all too easy to lose sight of the greater picture and the mutually-affecting risks across contracts, departments, and subsidiaries.
Legal risk management seeks to uncover these "hidden" risks, including those mutually affecting or mutually accumulating risks that could potentially evolve into a 'perfect storm', even if each of those risks individually might have been manageable if only it had been identified sooner.
What are the benefits for you of a legal risk management process?
The objective of a legal risk management process is to map the legal risks facing your company. It will also tell you in what way or to what extent those risks interact, potentially building into a mutually accumulating risk, sometimes referred to as the ‘snowball effect’.
A legal risk management process will also help you draft and implement a forward-looking legal risk management strategy to make sure:
- that you get a better picture of the total risk exposure;
- that your business does not accept any risk in conflict with the agreed risk strategy;
- that both management and employees understand the risk strategy; and
- that there is an acceptable cost-(risk)-benefit ratio behind every risk your company chooses to accept.
Legal risk management in companies big and small
Whatever the size of a company, the legal risks can vary greatly from section to section, organisation to organisation, etc. Subsidiaries, sections, and employees each have their respective responsibilities, projects, businesses, and authorisations.
If they launch initiatives independently that are mutually conflicting or which, when combined, serve to expose the company to risks, problems can arise sooner than you know it.
Risks may also come about as a result of changes to laws and regulations, outdated routines and procedures, or because the company’s growth or development has caused it to move into other risk zones.
To help survey your legal risks, Kromann Reumert has developed a building-block-style process that does just that:
Legal Risk Management
– the process
There are five overall steps in the legal risk management process
- Preparation and delimitation
- Risk analysis
- Action plan and recommendations
- Implementation, communication and anchoring
- Periodic follow-up
1. Preparation and delimitation
First, and most importantly, you need to know where your company stands in terms of risks:
- What are your risks?
- What strategic/commercial initiatives do you expect to make in the coming period of time?
- Who are authorised to do what?
- What kind of risk management have you had so far?
You should convene an initial meeting to assemble a cross-functional team with representatives from i.a. the BoD, management, legal department, and any other relevant employees who can help identify your risk profile. Consider involving an external advisor to help assess your risks.
Based on your company’s risk profile the team will typically identify a handful of primary risk areas. From there, you will work out each party’s tasks and responsibilities in the process.
2. Risk analysis
The next step is to carefully analyse your company’s risks. The team will need to go through relevant contracts, agreements and other documents, also to identify any mutually affecting risks, such as:
- Loan agreements
- Partnership agreements
- Licence agreements
- Supply and purchase agreements,
The team should also consider, on a regular basis, the need to adjust the scope of the investigation. For example, the investigations might uncover new risks to be examined. Questions arising should be dealt with continuously, e.g. by interviewing relevant personnel.
Building on the aggregate knowledge accumulated through the initial meetings, the risk analysis, and any interviews conducted, the team will draft a report on the risks identified, including any risks that might potentially arise from any contemplated strategic/commercial initiatives.
3. Action plan and recommendations
At this point, you need to go over the risk analysis with all relevant parties, including the team, the management, and the BoD. Go for an open and constructive discussion and allow everyone to comment on the conclusions and recommendations in the report.
You have now mapped all relevant information about your risk profile and used the data to analyse what you need to do to stay safe in the future.
Now what you need to do is to translate your recommendations into actions. You could do this by drafting an action plan, which might also be the starting point of your new legal risk management strategy. The plan should be realistic and identify what areas you wish to prioritise.
It should include suggestions on what to do about:
- Current risks, based on current situation
- Potential future risks, based on future strategic and commercial plans
- The immediate threats that are facing all businesses due to the global, general uncertainty.
Also, your action plan could include suggestions for changed procedures and internal rules.
When implementing new procedures and security measures, it is vital that you make sure to properly communicate these new initiatives and your new risk strategy. You need to convey the message to your staff in a way that makes it something they can relate to; they must know what to do in practical terms.
Moreover, and using the recommendations arrived at, the team should consider the following:
- Renegotiation of agreements
- Corporate-law changes
- New internal authorisations
- Employee matters, e.g. rectifying invalid clauses
- Negotiations with authorities and other parties
- Insurance matters, e.g. avoiding underinsurance
- Drafting of new standard contracts
- Information letters
- Implementation of document handling and risk categorisation systems, etc.
This will give you a clearer view of your company’s risks and (depending on the focus of your investigation) help you avoid lawsuits, ensure compliance, and stand better equipped to tolerate market fluctuations.
5. Periodic follow-up
To make sure you keep the overview at all times and keep your risk strategy up-to-date on market developments and your own development, it is necessary that your management/BoD ensures periodic follow-ups. These follow-ups could be at management level and with the persons responsible for each area, but which basically includes a test of the assumptions made, a match against the then current risk strategy and corporate strategy and a renewed analysis of the risks at hand – which should now be mapped in the system.
When 1 and 1 is more than 2!
There is no ‘one size fits all’ solution, but most companies will be off to a good start following the five steps outlined above. You can choose for yourself the extent of your legal risk management process so that it fits your business. Some companies may choose to start off with a strictly defined focus on one or more risk areas.
But do keep in mind that risks often exert a mutual influence on one another - and may at times have en accumulating effect on each other. If you limit your legal risk management process to address only some risks, therefore, it is important that you achieve an understanding of how one area might potentially influence another.
Kromann Reumert's assistance
If you are uncertain as to the relevance of having a legal risk management review of your business, we will be happy to talk to you about what kind of risk profile your company has and what we would propose to do in order to identify the risks that your company is facing.
We can assist on the structuring of a legal risk management process, conduct the review of specific documents and procedures, assist with the setting up of a legal risk management reporting system and a document management system and a stream lining of various contractual terms across the contract portfolio in order ensure corporate compliance with the risk strategy.
IDENTIFY YOUR RISKS USING OUR LEGAL RISK RADAR
As business increases in complexity, pace and connectivity, managing risk has become the cornerstone of informed decision-making. However, before you can take steps to manage risks, you need to first identify and assess the risks, including how those risks may interact with other potential risks. Try our Legal Risk Radar, which gives you an indication of some of the potential risks to which your company is exposed.