Legal risk management, sometimes referred to simply as “LRM,” is one of the core activities of any corporate legal department, regardless of the size of the department or the company itself. If there is just a single lawyer in the legal department, he or she must develop a basic LRM initiative that takes into account the dearth of time and other resources available. In larger legal departments, LRM will involve all of the attorneys and paralegals and will include extensive and continuous outreach to personnel and resources from the company’s outside law firms and business partners.
Any LRM initiative will have a handful of key objectives: identifying potential legal and regulatory issues as soon as possible and quickly and efficiently assessing those issues to develop a profile of potential legal risks; avoiding and mitigating legal risks through proactive initiatives such as compliance programs and dialogue with government officials responsible for promulgation and/or enforcement of laws and regulations; and management of legal risks as they materialize and begin to impact the company.
Activities of the legal department to achieve those objectives are outlined below:
1. Risk identification and assessment. The legal department should have systematic processes in place for regularly and continuously identifying and assessing relevant legal risks associated with the current and proposed business activities of the company. Among other things, the legal department should update, distribute, collect and carefully analyze risk assessment questionnaires covering topics such as compliance, business operations, product liability, litigation and business ethics. In addition, the legal department should systematically collect and review all complaints from customers, employees and investors, and analyze the factual details of all pending and threatened litigation to identify emerging legal risks to the company that require remediation. Other scanning activities of the legal department should include review of new and proposed laws and regulations, review of litigation and regulatory actions involving competitors and business partners, assessment of trends in insurance coverage available to firms engaged in comparable business activities, and surveys of law department members and attorneys from outside law firms to elicit their views on potential legal risks associated with the company’s activities.
2. Practice groups. Each practice group within the legal department should meet regularly to discuss guidelines for managing legal risks associated with the company’s business activities and the company’s relationships with outside law firms and business partners. Each practice group also should have a member who has been designed as the “risk management leader” for the group with responsibility for coordinating the group’s risk management activities. The risk management leaders from each practice group should meet regularly to discuss their roles, identify overlapping risk areas, discuss methods of collaboration and information sharing, share best practices regarding procedures and training, and develop recommendations on risk management issues to be presented to the general counsel.
3. Development, implementation and monitoring of risk management strategies. The legal department, under the direction of the general counsel and other senior attorneys, should be responsible for developing and implementing a comprehensive risk management strategy for the company that involves close collaboration with all business units within the company and includes clear and objective metrics that can be used to measure the effectiveness of the program. The strategy should be presented to the senior executive team and the members of the board of directors, and the same groups should be provided with regular updates on the effectiveness of the strategy. The risk management strategy should be developed through a working group headed by the general counsel and staffed by the risk management leaders from each of the legal department’s practice groups. Data for development of the strategy should be collected through questionnaires and interviews with the heads of each business unit, engagement partners at outside law firms, and executives and managers from key business partners. The working group should meet on a quarterly basis to review the strategy and discuss then-current, high-risk projects to assess the efficacy of the management of those projects and consider additional steps that should be taken to mitigate risks.
4. Senior management communications and consultations. The general counsel and other members of the executive team should establish clear and consistent communications channels to ensure that information regarding legal risks is promptly delivered to executives of the company and the board of directors. Among other things, regular quarterly meetings should be scheduled between members of the legal department and executives and other senior managers to review the current status of all projects that have been identified as having significant levels of risk for the company. The general counsel should also be prepared to make recommendations to senior management regarding efforts that the company might make to lawfully influence the decisions of legislators and regulators with respect to the implementation of laws and regulations that might have an adverse impact on the company’s legal risk profile.
5. Working with outside law firms. The general counsel should ensure that outside law firms are provided with specific guidance regarding the level of legal and business risk that the company is willing to assume with respect to each case or transaction for which the law firm represents the company. The general counsel or other senior attorney responsible for a particular matter should regularly communicate with the engagement partner for each case or transaction to assess risk-related issues, and all crucial decisions regarding management of the case or transaction should explicitly include consideration of risk issues. Advice from outside law firms should be solicited on improving the company’s risk management strategies and processes. Outside law firms should be expected to be involved in briefing and training members of the legal department, as well as relevant executives and managers, on legal risks and the strategies and practices that can be used to mitigate those risks. Competence in risk management, including preparation and delivery of risk assessment reports throughout the course of each engagement, should be part of the metrics used to evaluate the performance of outside law firms. The general counsel and practice group leaders should develop standardized templates for engagement letters to ensure that risk management is consistently addressed in each engagement with an outside law firm.
6. Working with business partners. The legal department should proactively engage with key business partners to ensure that legal risks are adequately addressed and managed throughout the course of the company’s business relationship with such partners. The process should include identification and assessment of legal risks through questionnaires, interviews and inspections; educational programs for business partners that begin with identifying the company’s tolerance for legal risk and continue with presentations on how the company expects those risks to be managed; coverage of risk management issues in contracts with business partners; development of processes for communication between business partners and the legal department regarding potential legal risk issues; and regularly scheduled meetings (i.e., quarterly, semi-annually or annually) among members of the legal department, managers and executives of the company, and managers and executives of the business partner to discuss the management of legal risks associated with the relationship and other operational matters. For each key business partner, a member of the legal department should be designated as the lead attorney for risk management issues associated with that partner and should be responsible for assessing and improving the processes used to identify and mitigate legal risk issues in the relationship with that partner.
7. Resource materials and training programs. The legal department should develop and disseminate resource materials to all personnel to provide guidance on identifying legal risks and the steps that non-legal personnel should take to bring those risks and other concerns to the attention of the legal department. The resource materials should be continuously reviewed and updated, and the use of such materials should be tracked and analyzed to determine their efficacy. The legal department should also work with human resources personnel to create and present educational and training programs throughout the company on legal risk issues and mitigation strategies. Such programs should be mandatory and should include instruction on procedures to be followed by employees for identifying potential risks and promptly bringing them to the attention of members of the legal department and nonlegal executives and managers. The training should begin at the orientation stage, when new employees are hired by the company. Training should cover resources that the legal department creates and maintains on the company’s internal website. If appropriate, training programs should be opened to business partners, and business partners can be given access to all or a portion of the company’s resource library.
8. Project risk management. A standard protocol should be established for management of legal risks associated with projects (e.g., a case, transaction or an ongoing compliance program initiative) undertaken by the company. Among other things, a specific attorney should be identified as “legal risk coordinator” for each project in which two or more members of the legal department will be involved. Attorneys working on the project should prepare a risk profile for the project that is reviewed with members of the project’s business team and regularly updated during the course of the project. The roles and responsibilities of each of the legal and business team members involved with the project should be carefully laid out, and channels for sharing information should be formalized. Once a project is completed, a list of ongoing obligations and activities relating to the project (e.g., payments, reports, meetings etc.) should be prepared. Project risk management should be supported by investment in relevant technology and training relating to project management and tracking, contingency planning and dispute resolution.
9. Department procedures and reporting channels. The general counsel and each practice group leader should establish a working group to develop, publicize, and maintain standardized procedures for the legal department with respect to case management and budgeting, audit letters, interactions with outside counsel and business partners, and the preparation of reports for senior management. The legal department should also have operational procedures in place that cover escalation of risk issues from lower-level members of the legal department to the general counsel and/or senior management of the company.
10. Department human resources procedures. Human resources procedures for the legal department should incorporate the company’s concerns for maintaining a high level of diligence with respect to identification and management of legal risks. The orientation process for new members of the legal department, both attorneys and paralegals, should include training in risk management techniques and dissemination of information on the company’s legal risk management protocols. Ongoing training should be provided on a regular basis with attendance tracked. The legal department should develop manuals and other resources that can be used in the course of resolving legal risk issues. The performance of members of the legal department with respect to risk management should be measured as part of their overall performance assessment, and the failure of attorneys or paralegal to meet their duties and responsibilities with respect to handling legal risks should be cause for discipline. In turn, positive contributions to the legal department’s risk management programs should be recognized.
For further discussion of procedures and practices relating to risk management activities, see Risk Assessments (§§ 226:1 et seq.) in Business Transactions Solution on Westlaw.
Alan S. Gutterman is the founder and principal of Gutterman Law & Business, a leading provider of timely and practical legal and business information for attorneys, other professionals and executives in the form of books, online content, newsletters, programs, training and consulting services. Mr. Gutterman has three decades of experience as a partner and senior counsel with internationally recognized law firms counseling small and large business enterprises in the areas of general corporate and securities matters, venture capital, mergers and acquisitions, international law and transactions, strategic business alliances, technology transfers and intellectual property. He has also held senior management positions with several technology-based businesses including service as the chief legal officer of a leading international distributor of IT products headquartered in Silicon Valley and as the chief operating officer of an emerging broadband media company. His publications are available on the Legal Solutions website. Mr. Gutterman can be reached at firstname.lastname@example.org.