Whereas risk management as a science is rigorously studied, especially in the fields of security and safety, with specialisations leading to specific role designations, legal risk management has not received special attention from lawyers. It appears that every lawyer considers him/herself a legal risk expert, without the requisite training in the specific art/science peculiar to the identification, evaluation, assessment and management of legal risks. Perhaps the reason for this dearth of expertise is the fact that corporate governance executives either lack understanding of, or have not paid the needed attention to, legal risk management as a tool for managing reputational and financial loss to their organisations. In addition, legal counsel have not adequately brought to the notice of the highest decision-makers atop the corporate hierarchy that their role, as prophets capable of predicting future events, could save businesses from financial and reputational loss which, in some cases, can be huge and devastating to the organisation. According to the Centre for Banking Research, data collected from twenty of the world’s largest banks between January 2008 and December 2018 indicate that those banks paid conduct costs of over GBP 377 million during the data collection period. To illustrate the point further, the reputational loss caused by the Petrobras scandal led to a loss of 62 per cent of its market value, and Volkswagen’s cheat device scandal affected its reputation significantly. The case for corporate executives and for lawyers to begin to pay more attention to legal risk management as a specialised area in legal practice is therefore paramount. However, identifying what exactly constitutes legal risk can be confusing.
What is Legal Risk?
The definition of legal risk has evolved significantly over the past two decades. One such definition is by Whalley and Guzelian, who define it as the risk of financial or reputational loss that can result from lack of awareness or misunderstanding of, ambiguity in, or reckless indifference to, the way law and regulation apply to your business, its relationships, processes, products and services. The risks can manifest in different forms and should be identified, separated and analysed individually for evaluation.
Categories of Legal Risk
Similar to other fields, legal risk is multi-faceted. It is therefore necessary that the various components of legal risk are identified for examination. These are:
• Legislative Regulatory Risk. Legislative regulatory risk arises when an organization, corporate entity or individual fails to adequately implement and comply with the law and regulation.
• Non-contractual Obligations Risk. The non-contractual obligations risk is the risk the business faces when it fails to meet its duty of care to customers, the environment, its stakeholders and the market. This obligation may be likened to the social licence that a business requires to remain in business, failing which it risks losing its legal licence.
• Contractual Risk. The contractual risk refers to those risks that the business is exposed to by virtue of its current and future contracts. Businesses can manage this risk by ensuring that the terms of the contracts are fair and enforceable, the agreement is commercially viable and that the business uses contracts in the right way at the right time.
• Dispute Risk. Dispute risk relates to the actions that the business takes within the bounds of a dispute. Here, the focus is on the operational and strategic decisions that the organisation takes, following awareness that a dispute is a potential outcome of its actions.
• Non-contractual Rights Risk. Non-contractual rights risks derive from intellectual property risks, mainly because the business has either failed to register its own rights or failed to enforce against infringement by others.
The cost of reputational damage and financial loss to businesses can be enormous when businesses fail to identify and manage legal risks in time. More important, however, is the need for business executives to recognise the importance of managing legal risks, and for lawyers to develop an interest in specialising in this area of practice. Having said that, it is pertinent to avoid treating legal risk management as a discrete category; there is the need to appreciate its overlap with operational risks, in order that its output can feed into executive decision-making with the ultimate objective of reducing risk to as low as reasonably practicable.
In the absence of competent in-house counsel, it is suggested that organisations engage the services of external law firms which have the requisite expertise and experience to conduct legal risk assessments on their behalf. This is the preferred approach, as the recommendations emanating from the risk assessments are likely to be more independent and objective, with the potential to attract the attention and buy-in of executive decision-makers. The objective is not only to engage in reactive legal risk management, but to adopt a culture of proactive, long-term, strategic identification of potential risks which require well-thought-out solutions – solutions that are arrived at through cross-functional engagement within the organisation. This cross-functional, interactive approach promotes an organisational culture of legal risk awareness, which in turn places individual departments in a position to avoid potential legal risk pitfalls. For external counsel engaged in this enterprise, the need to engage with relevant actors within all the organisation’s departments, and to understand its strategic interests and culture, is paramount.
Whalley M, Guzelian C, The Legal Risk Management Handbook, 2017, p. 23.
Major Selasie Atuwo (Rtd) is a lawyer with CQ Legal and Consulting and has a keen interest in Cyberspace Laws and Regulations, ICT Law, Privacy and Data Protection Law, FinTech, Artificial Intelligence and laws relating to National and Private Security.