
How can organizations monitor legal risk

Published On : October 18, 2022

Typically, most modern organizations will have a well-defined and properly fleshed-out Risk Management Process by which significant risks are monitored and reported. Whether or not legal risk is itself a defined category of risk or is a sub-set of other key risks, it is important to have a methodology for reporting on legal risks wherever they sit in the risk management framework for the organization. This may include the use of key indicators of risk levels and thresholds through dashboard reports, using a traffic light system to indicate current compliance levels. Periodic stress testing and reports from risk owners will often also be part of the reports escalated to different levels of management and the board.

What are the “Three Lines of Defense”?

Although Legal will often play an important role in the management of legal risks, in larger organizations they are likely to be one of several specialists concerned with risk management. These will typically include risk and compliance managers, fraud specialists and internal auditors. A commonly used risk management model is known as “The Three Lines” system. This is a method of risk management that allocates responsibility for managing risks between three groups within the organization, along these lines:

▪ The functions that own and manage the risks
▪ Functions that oversee the risks
▪ Functions providing independent oversight (assurance)


In this model, the 1st line of defense rests on management controls, where operational management manages the risks in the area for which they are accountable. This will include the organization’s Legal Department. Depending on Legal’s areas of responsibility they may, for instance, own risks in relation to the use of external lawyers; litigation; contract management; anti-bribery and corruption; and the quality of legal advice, among others. It is for local managers to identify and assess risks and set controls, including monitoring and reporting requirements.


The 2nd line of defense has an oversight function to help build the architecture for the 1st line and to monitor that different areas of risk are being adequately controlled, monitored, and reported. Depending on the size and complexity of the organization, this oversight may comprise specialist groups (including committees) concerned with areas such as financial controls, risk management, compliance, quality, and security. Legal will typically be part of this second tier, looking at legal risks across the organization, assisting with policies, procedures, and training to manage them, ensuring compliance with relevant laws and regulations, and identifying legislative and regulatory changes and their potential impact.


The 3rd line of defense is usually an internal audit function providing the board and senior management with independent oversight and assurance regarding the compliance and risk management controls operating in lines 1 and 2.

How to manage relationships with regulators?

In heavily regulated sectors, the relationship with regulators forms a critical part of the risk management strategy of the organization, with Legal playing an important role in helping maintain effective relations. Now, of course, there’s a fine balance that needs to be maintained between having good lines of communication and being too open and conciliatory in circumstances where it’s unnecessary. Good lines of communication will help with horizon spotting by enabling Legal to learn quickly about proposed changes in the regulatory landscape, and should also help to manage tensions and disputes in a way that de-escalates them, wherever possible.

Global aspects

In a multi-national organization, legal risks will not only arise across the organization, but they may also vary in different jurisdictions, and thus the assessment and management of the risk may not be universal. Here, Legal and external counsel are likely to play a key role in advising on this diversity of regulation and in helping to construct management controls on both a local and pan-organization basis.

Smart working

Legal’s advice to other areas of the organization on legal risks that arise in their respective operations will play an important role in how well these risks are managed. To help business colleagues become familiar with legal risk and to help them in assessing it, it can be useful for lawyers to incorporate in their advice the impact of the legal risk by reference to the framework of risks utilized by the organization – finance, customers, operations etc. Additionally, the legal risk can be quantified by reference to a narrative summary complemented, where possible, by a defined percentage range or ‘score’ in respect of each affected business area.

To summarize…

The increasing complexity of laws and regulations impacting organizations, and the financial and reputational consequences of non-compliance highlighted in some recent high-profile failings, have meant that in-house legal teams now often play a more critical role in their organizations in relation to the identification and management of legal risks. Thus, Legal’s role in identifying, managing, and mitigating risks cannot be emphasized enough in today’s modern organizations.

