When it comes to Risk Management, legal risk is not always shown as an entirely separate category of risk but may be considered as a subset of the key risks affecting the organization, such as in relation to operational, financial and data risks. This is because many areas of an organization’s activities, whether it is a business or not, will have some kind of legal element to them and it may be easier to define and manage the relevant legal risk by reference to an operational function. But in whichever way it may be categorized or defined, legal risk is likely to be concerned with a potential breach of legal obligations giving rise to possible harm to the organization, most likely in relation to its finances, reputation, and ability to carry out its functions in some material respect.
Legal should expect to play an important role in helping to identify, control and manage legal risk within the organization, both as a primary actor in relation to risks flowing from the running of the legal function and as a secondary line of defense working in collaboration with others across the organization. Here we consider several factors relevant to the managing of legal risks and look briefly at the “Three Lines of Defense” model for risk management.
How to identify legal risks?
The organization’s risk framework will usually identify and prioritize those risks that would impact the ability of the organization to carry out its functions in some material aspect and give rise to financial or reputational harm. Here, what may be ambiguous is what actually constitutes a legal risk. This is where your in-house legal team can play an important role in helping the organization understand the range of legal risks and their nature, i.e., the universe of legal risks for the organization. To do this effectively, Legal clearly needs an in-depth understanding of its organization and its operations. Some of these risks will be closely linked to the work of Legal, such as in relation to contracts and contract management and disputes, for which Legal may already be accountable. Others may fall within the responsibility of other functions and be familiar to Legal through its work for those functions.
Who owns the risk?
When identifying risks, it becomes very important to establish clear lines of responsibility for the legal risks identified. This matters as there may otherwise be a tendency for all corporate legal risks to be seen as Legal’s responsibility, which can then result in potentially damaging risks falling through the cracks. Except for those legal risks for which Legal is accountable, all others should ideally be owned by management. It should be clearly understood that Legal advises and is not in any way the owner of the legal issue in question. As in-house lawyers are aware, advising on legal risk is as much about understanding the rights and obligations of the organization as it is about understanding the letter of the law itself.
Assessing legal risk
Having identified the legal risks and allocated accountability for them, how are the different risks to be assessed so that control measures can be put in place? There are several factors that can influence the organization’s approach to managing its legal risks, including the level of regulation in the sector and its business strategy. For instance, an acquisitive commercial business may well have a different approach to certain risks compared to a public body. Many organizations will use a framework against which to assess legal (and other) risks. This will typically include such categories as:
• Property/assets, and
Different risk scenarios can then be mapped against each of these factors to identify the potential impact of the legal risk, for example in relation to a data breach, a product recall, a major litigation case, or a regulatory intervention.
What is the tolerance for legal risk?
As part of the process of assessing legal risk, it is important to determine the appetite or tolerance for each identified risk within the organization. This will depend on a number of factors relating to the type of your organization, its business, and strategies. As such, different risks will have different levels of tolerance. The Legal Department’s role here is to help management understand the impact of a legal risk and to advise on mitigating controls that will help manage the risk. Some legal risks, for instance, may have zero or near-zero tolerance because of the impact of a failure, whereas others will be managed within a range of tolerance acceptable to management. It is not Legal that sets the risk appetite, although its advice will be influential.
How to manage legal risks?
The controls that are put in place to manage legal risks will vary depending on the likely impact of the risk and the accepted appetite for that risk. Generally, the purpose is to bring the risks within the organization’s risk appetite. The impact of the risk will influence the extent of the controls. Typical control measures will include the implementation of checklists and policies, the use of technology, horizon scanning, escalation procedures (including to Legal), training and guidance and the provision of bespoke legal advice.
In this way, Legal can play an important role in helping to manage legal risk by:
▪ Drafting and updating policies
▪ Providing generic guidance
▪ Training, and
▪ Giving specific advice