There's no doubt that the importance of effective legal risk management is a high priority for many business executives. Moreover, some survey reports indicate that the traditional approach to relying heavily on experience, judgment and intuition in a predominantly reactive style is being shunned at a faster rate than ever before. Nevertheless, many business executives, irrespective of their seniority, have never had any formal training directed on how to manage their legal risks effectively. With this requirement in mind, how business executives understand and manage legal risks in the coming year will have an impact on the bottom line.
The focus here is on managing legal risks ensuing from future illegal conduct, not court action, investigations or liability — these being the consequences of past illegal conduct or misbehaviour. Legal risks are distinguishable from financial risks, because businesses can and should shrewdly take financial risks, such as, if approved, CAPEX, corporate acquisitions, employment negotiations and recruitment, etc. As well, legal risks are clearly embedded in some of the financial risks, and it is those embedded risks that must be handled.
As regards legal risk arising from an employee’s illegal conduct, many businesses implicitly adopt a “zero tolerance” policy. Unfortunately, this policy does not lead to zero risk. Likewise, establishing codes of conduct or ethics is simply an opening gambit since the shared attitude and culture that develop within the business towards obeying the law or authority will depend, to a large extent, on action than mere words. Given the foregoing background, in practical terms, there are 4 steps businesses can take to manage legal risks:
Risk Identification: This should bring business executives to the question: Where is it most likely that legal risks will arise? For instance, in connection with documentation, businesses need to carry out a detailed review of the legal documents they use, and whose responsibility it is to ensure the legal effectiveness of the documents. Similarly, businesses need to scrutinize the nature of possible legal exposures in, and the litigation “culture” of, the country in which they operate.
Risk Analysis: Here, businesses need to develop an understanding of the possibility of occurrence and scale of effects. This is crucial in prioritising, budgeting and allocating resources. In analysing legal risks, the existing legal infrastructure could be taken into account: How independent are the judges? How complex are contract law concepts? How timely are judgments and arbitral awards enforced? Such analyses should be conducted every year and punctually in the face of changes in business operations, sectoral developments, and applicable policies, laws or regulations. Appropriate prioritisation is indispensable because of the copious amounts of foreseeable risks, yet it’s true that some risks demand urgent attention than others.
Risk Monitoring: Monitoring involves empowering designated staff to frequently report critical information so that executive managers are able to assess its significance in a timely manner. In discharging this function, however, all reasonable steps should be taken to avoid conflicts of interest. It is also essential that lawyers working with the risk monitoring team have sufficient independence. It would be improbable that lawyers would have exclusive control over all decisions that come from the monitoring process, as their main role is to provide technical legal advice. In addition, there should be clarity as to who is responsible for what and the reporting lines.
Risk Mitigation: Although commercial insurance is widely used by businesses to extenuate loss caused by legal risks, it will not cover all manner of legal risks. And, it will be very important that the limits and conditions of insurance policies are well analysed and understood. Mitigating loss will require businesses to review their legal documentation, avail resources for defending or prosecuting claims, and examine the probable financial impact. Given the enormous speed at which deals are executed nowadays, businesses will need to ensure that their mitigation strategies encourage as immediate a response as possible.
It's true that every business will have legal risks peculiar to it, but taking the above steps will help manage the legal risks (for example, defective documentation) that may give rise to serious difficulties. Here's a case in point: A security interest held by a supposedly “secured” commercial bank and which turns out to be invalid – and therefore unenforceable – in the context of a customer’s insolvency is virtually sure to result in loss for the bank and the cause de origen of the loss might be a fundamental flaw in procedure which is in the nature of legal risk. Perhaps, that's all the more reason for banks and other businesses in general NOT to take lightly legal risk management.
Ultimately, in order to manage legal risks effectively, businesses will need to establish functional management structures to help make sound decisions and coordinate the efforts of the board of directors, executive managers and lawyers in this endeavour. Save for some common characteristics, there’s obviously no universal structure that's well-suited to all businesses. But at any rate, the board of directors should set policies; require executive managers to provide periodic reports on legal risk management; and develop a good rapport with savvy lawyers who can apprise the business of potential legal problems. Executive managers, on their part, will need to walk their talk when it comes to implementing board-approved policies and guidelines and to devoting adequate resources to the management of legal risks.