Revisiting legal risk

It is often said that managing legal risk is one of the key roles of an in-house lawyer.

You can find some excellent core articles on defining and managing legal risk in our knowledge section – see Legal risk in an organisation and Legal’s role in managing legal risk


Legal risk in an organisation

Legal risk in an organisation looks at the role which the legal team should play in identifying legal risk, establishing ownership of the risk, assessing it and then managing it. The article also helps you to think about the organisation’s tolerance for legal risk established during the course of the process of risk definition.

It also explains the so-called three lines of defence model of having: 

  • functions which own and manage the risk, 
  • functions that oversee the risk, and 
  • those which provide independent oversight and assurance. 

Typically a legal function will generally operate at the level of ownership and management for some risks, and oversight of others. It will not normally operate as an assurance function – that would usually be for an internal audit, or appropriate outsourced function, to provide.

Legal’s role in managing legal risk

Legal’s role in managing legal risk looks in more detail at the legal function’s role in the first two levels of the three lines of defence. There will be those risks for which the legal team may have primary responsibility, such as litigation and the use of external lawyers. Then, at the second level, of oversight, legal will help to assess, control and manage risks in the organisational context in areas where it is not primarily accountable for the relevant activity – for example competition, regulatory compliance, operational business risks and meeting environmental requirements.

The article goes on to identify seven personal strategies which in-house lawyers can use to help manage risk at the front line, which are very useful to bear in mind:

  • Get out and talk
  • Don’t be overly critical
  • Get in the loop early
  • Get colleagues used to thinking about legal risk
  • Get involved in wider business activities
  • Manage your own risks
  • External relationships.

You might find it useful to look at these two core articles before thinking further about the process which you want to follow in revisiting legal risk, and the documentation which you use.

Revisiting legal risk

One of the risks of risk management, if you’ll pardon the pun, is that risks are dynamic and can change dramatically, both in content and impact, in a short space of time. Add in a changing business environment, the effect of a pandemic, regulatory and political developments and you will realise that the legal risks that you identified even last year are unlikely to be the same as those which impact your organisation now, and still in the future.

Your organisation is likely to have a process for the regular review of risk, but is legal risk fully integrated into the process? And if it is, are the lawyers fully involved and engaged in reviewing the issue – and developing a new risk management plan – on at least an annual basis? If not, you might want to consider setting about the development of a revised plan from a legal perspective, both for your own management purposes and to feed into the overall organisational risk management process.

The legal risk management process

The risk management process is structurally quite simple. Essentially, you are looking to prepare three documents:

  • A legal risk register
  • A legal risk map or matrix (sometimes known as a heat map)
  • A legal risk management plan

Simple frameworks for each of these documents can be found here

There are typically four steps to the legal risk management process, as follows:

Step 1: Preparing a legal risk register

A risk register is effectively a list of all the legal risks which you identify. As with most tasks which might appear to be administrative, it is likely to be best prepared if one person takes on the preparatory role. Compiling the list of risks, though, will need to be a joint task of all the lawyers within the organisation, the external lawyers and resources which you employ, and colleagues within the organisation.

Your risks may include those which are ‘purely’ legal – but in fact they are likely to be fewer in number than those which are the legal aspects of business or operational risks.

These might include strategic risk such as a change in markets, in the strength of competitors, or the impact of regulation on your markets. They could include operational risk, where getting something wrong brings with it the risk of civil, criminal, or regulatory legal action – and which might run into reputational risk. 

Other categories which you will want to explore include the risk of technology failure, the danger of counterparties with whom you work failing, causing a business problem, or perhaps creating a fraud which impacts your organisation. Issues such as compliance and money laundering should also be considered.

You may well want to start with your organisation’s risk register, and analyse it to see which risks may have a legal element, before seeking to prepare a gap analysis, to show any areas which are not on the organisation’s radar but which your expertise tells you may present a legal risk.

The legal risk register should be kept updated on a regular basis, and the legal management processes should include a means of ensuring that risks which come to light are captured and taken forward into the next iteration of the register.

Step 2: Deciding how to treat the risk

Identifying the risk is not, of course, enough. You need to consider what to do with it, and how serious it is – both before and after any mitigation.

Typically, there are considered to be a number of possible responses to an individual risk, and legal risk is no different:

  • Accept the risk as a fundamental part of the activity which you carry out, which cannot be dealt with in any other way. Typically, this would occur once you have considered all other options in relation to it, and understood the extent of the remaining risk.
  • Mitigate the risk, perhaps by changing the activity in some way so as to reduce the risk.
  • Eliminate the risk, perhaps by choosing not to carry out the activity which generates the risk at all. This may have operational consequences but reduces the risk to zero.
  • Manage the risk, by accepting it but changing the way in which you carry out an activity to manage its potential impact.
  • Transfer the risk to another party – perhaps by the use of your contractual arrangements.
  • Insure the risk – which is of course another form of risk transfer - but of course bearing in mind that this brings with it the risk that the insurance may not pay out at the appropriate time.

Step 3: Categorising the risk and preparing a legal risk map

The next step is to assess the risk both before and after you have chosen the response mentioned in the previous section.

Here, you seek to identify the likelihood of the risk occurring, and the severity of the impact if it does. Typically, risk maps use a scale of 1-5 for each of these categories, with 1 being the least likely or severe, and 5 the most. 

Some risk management processes add the two scores to give a total out of a maximum of 10; others multiply them to give a total out of a maximum of 25. In either case, typically the post-response score is taken, and the risks can be ranked so the most dangerous risks can be identified. Many organisations will produce a list of the top ten risks and ensure that that is reviewed regularly at Board level.

The risks and their scores can then be set out graphically, perhaps with red, amber and green emphasis.

Step 4: Managing legal risks

By this stage, you will have identified the key risks, decided what best to do about them, categorised and mapped them. The critical activity is then ensuring that you continue to manage them. It is at this stage that it is very helpful to prepare a legal risk management plan. In simple terms this needs only to set out, in one place:

  • The key legal risks and their severity and likelihood scores
  • The activities which are to be carried out to reduce the risk
  • The individual(s) responsible for any necessary activity
  • How performance is measured and monitored
  • What reporting is done
  • How feedback is captured to identify whether the plan needs to be amended.

For all but the smallest legal teams, this can be something which allows responsibility for activities in relation to particularly legal risks to be shared amongst the team, with particular individuals taking responsibility for individual risks, monitoring and reporting them. 

Thinking about legal risk

Many organisations have a thorough and detailed risk process which works well, and gathers risks from across the organisation. Be aware, though, that often colleagues and external advisers will not think about issues in the way that you will do so as a lawyer. They may also not have the institutional history which you have, nor access to the resources to horizon gaze issues of regulatory concern. 

Equally, remember that lawyers are trained to think about issues, and to analyse them. Those skills are really valuable in considering legal risk and you should allow them to be brought afresh to each review process. You might also like to involve new legal colleagues, whether in-house or in external providers, to see if they bring a fresh approach to the process. There is always a danger that looking from within you see the risks you expect to see, or even are willfully blind as to issues which may arise because of your familiarity with the circumstances. 

Be aware too that you may not identify a risk because you expect something to happen which will mitigate it – or that a process in place in the organisation will deal with it. Is that really still the case, or has something changed which will impact the situation differently?

Experience can be a very helpful factor in identifying and managing risks, but understand too that it can lead you to assess a risk as limited because it hasn’t caused a problem in the past, rather than understanding that it might well be a problem for the future as the environment or other factors have changed.

Embedding the legal risk process

It can be said that in-house law is all about managing legal risk. By embedding a process to identify and deal with legal risk, using it to inform your legal strategy, and tying it into the training, operational, and exposure activities of the legal team, you can create a really effective risk management loop which brings significant benefits to the organisation.

Some further resources

CLL Resources

Legal Risk in an Organisation

Legal’s role in managing legal risk

Other resources

Fundamentals of Risk Management Paul Hopkin (Kogan Page)

The Risk Management Handbook Ariane Chapelle (Kogan Page)

Legal risk management process framework documents (PDF 22 KB)