ERM Chapter 13 Embedding ERM in legal

ISO 31000:2018 12 Minutes

Legal risk management is a new way of thinking for many in-house legal teams. In the financial services industry, other departments and regulators now expect the Legal team to take part in formal risk management. Legal risk includes reputational damage, financial losses, and issues that affect business operations. This means the Legal team must go beyond their usual tasks to identify, manage, and reduce these risks.Legal risk includes risks related to laws, regulations, contracts, and non-contractual obligations. Managing legal risk follows the Enterprise Risk Management (ERM) framework, as outlined in ISO 31000. The level of legal risk management in a company usually matches the maturity of its ERM practices. As a company improves its risk management, legal risks become more clearly defined and are integrated into the overall risk management framework.

Key Elements of a Strong Legal Risk Management Framework:

  • Leverage technology to enhance risk visibility, oversight, and control across the organization.
  • Clearly define legal risk and its relationship with other types of risks.
  • Assess legal risks using a structured approach, including data analysis and scenario planning.
  • Set legal risk appetite at both individual risk and organization-wide levels, ensuring effective resource allocation.
  • Apply the three lines of assurance model to maintain accountability, independence, and oversight of legal risks.
  • Report legal risks to the board and relevant committees, measuring control effectiveness against a clear risk framework.
  • Use key risk indicators (KRIs) to objectively track and report legal risks.

How to Define Legal Risk?

Some companies define legal risk in a narrow way. They see it as risks linked only to the Legal team, such as:

  • Decisions about using in-house lawyers or law firms
  • The quality of legal advice
  • The conduct of lawyers

This narrow view ignores many legal risks that affect the business, such as:

  • Financial crime
  • Contract disputes
  • Intellectual property issues

These risks may be owned by other departments, but Legal still has a role in managing them. If Legal is not involved, important responsibilities might be overlooked. For this reason, many companies use a broad definition of legal risk, covering any business risk that has a legal aspect.

Surprisingly, many companies still do not have a definition for legal risk—41% of non-banking companies and 14% of banking companies lack one. Even where definitions exist, they vary widely because there is no industry-standard definition. In the past, companies did not consider legal risk as a category on its own. Instead, it was included under Operational Risk, Compliance, or Internal Audit. In financial services, this may be because Basel II grouped legal risk under operational risk.

Legal risk has often been seen as less important than other risks, such as:

  • Financial crime
  • Conduct and duty of care
  • IT and cyber security

These risks have a bigger impact on a company’s stability and finances. However, large fines in recent years have increased awareness of legal risk. More important than defining legal risk is identifying and managing it properly. A good risk management framework should clearly assign responsibilities to the Legal team, other departments, and the business. Legal risks include:

  • Narrow risks – Those directly managed by the Legal team
  • Broad risks – Business-wide issues like contracts, intellectual property, legal changes, and legal input on financial crime, employment, and technology risks

Understanding legal risk is not just about knowing the law—it is also about understanding the company’s rights and obligations. Legal risk can be narrowly defined as risks from Legal’s own operations. In this case, the General Counsel (GC) and Legal team are responsible for managing these risks. Under the Three Lines of Defense model, Legal acts as the first line, while Risk and Compliance take the second line role. However, a broader definition includes legal risks across the entire organization. Every department faces risks that may have a legal impact. Legal must work with other teams to identify risks, set risk appetite, and define responsibilities for managing them. GCs and risk experts should collaborate to create an effective risk management framework with proper controls to reduce the most serious risks. Ownership depends on the company structure and expertise. In a broader sense, business management owns legal risk, while Legal provides guidance and oversight. When business functions manage legal risks directly, Legal’s role is to set policies, raise awareness, and ensure controls are effective. Legal must also educate managers about what actions to take and the consequences of mismanaging legal risks. For multinational companies, Legal must monitor legal risks in different countries and how they may impact multiple regions. Some risks, like GDPR violations or corruption, can lead to severe fines or criminal charges. Legal should work with local teams to understand legal consequences and avoid high-risk regions if necessary. Some companies have shut down operations or stopped trading in certain areas to minimize legal risks.Legal must remain independent to provide objective advice. If Legal is in charge of risk management, a strong second line (e.g., Compliance or Risk) should oversee it. However, non-lawyers may struggle to review Legal’s work, which creates challenges in oversight. Policies help ensure clear accountability for managing risks. Legal teams often set policies for hiring law firms, legal referrals, and specialized legal areas. However, some risks, like Anti-Bribery or Conduct, may fall under Compliance. This highlights the need for clear roles and responsibilities between Legal, other departments, and the business to prevent gaps in legal risk management.

A unique aspect of legal risk is that when an incident occurs, its full consequences might not become clear for a long time—such as a lawsuit over a defective product that takes years to resolve in court. As a result, it’s typical for past incidents to linger on risk registers, since the event has occurred, but its complete impact remains uncertain. This often requires organizations to estimate the potential costs of various outcomes to set aside financial reserves in their accounts. These estimates are guided by accounting standards that categorize outcomes as probable, possible, or remote. Generally, organizations reserve funds for probable outcomes, include a disclosure note for possible ones, and omit any mention of remote possibilities.

Legal risk and technology

The adoption of technology to enhance legal risk management is an emerging field. Our survey found that the most widespread application of technology was the use of organization-wide operational risk systems to identify, evaluate, and report on legal risks and controls across the enterprise. Beyond this, however, technology was rarely utilized for managing legal risk. As technological advancements progress within the legal sector, we expect this area to see substantial growth.

Evolving Skill Sets
As legal risk management gains prominence on corporate priorities and Legal departments refine their operational frameworks, technology is garnering more attention. This shift is evident in the hiring of technologists and data scientists, as well as the use of automation for certain tasks and the generation of detailed reports. Legal teams are likely to address their needs through a mix of specialized risk management tools and by embedding legal risk considerations into broader technological systems. For instance, contract management software could flag high-risk clauses or enforce restrictive controls aligned with the organization’s legal risk tolerance, preventing agreements that exceed acceptable limits. An example might be an organization specifying allowable asset types for contract collateral—if the operations team tries to finalize a deal with unapproved collateral, the system would block it.

High-Quality Data
Technology also aids in monitoring and reporting by creating an auditable environment, improving data access, and speeding up responses to both preempt legal risks and handle those that materialize. Resource allocation tools enable Legal teams to analyze their workload and prioritize effectively. For example, technology could track the frequency of incidents tied to specific risks across the organization, allowing resources to be focused on monitoring and uncovering root causes of elevated legal risk areas. This enhances oversight and control, giving Legal greater visibility into organizational activities—far more than a manual, human-dependent approach could achieve.

Applications of Technology
Technology is increasingly integrated into legal risk management in various ways, including:

  • Non-Compliant Event Reporting: With access to data, technology can transform incidents into actionable insights to bolster legal risk management.
  • Management Information (MI) Creation: This provides organization-wide visibility into risk areas, enabling better planning and risk mitigation.
  • Regulatory Communication: Sharing data with regulators to show compliance efforts are underway.
  • Fraud and Call Monitoring: Especially useful in high-transaction settings requiring quick reporting.
  • eDiscovery: Streamlining the process of identifying and retrieving electronic information for legal purposes.
  • Case Management Tools: Allowing cases to be assessed and rated based on risk.
  • Horizon Scanning: Analyzing vast amounts of online data to detect legislative changes.
  • Litigation Predictive Analytics: Leveraging case precedents to guide decisions on settling or contesting legal disputes.
  • Chatbots for Legal Policies: Offering insights into inquiries received by Legal, highlighting trends and potential risk areas.
  • Whistleblowing: Facilitating reporting mechanisms for internal concerns.

Legal risk standard

In 2020, ISO 31022, a new standard within the ISO risk management suite, was introduced, focusing specifically on risk management from a legal risk perspective.

This standard builds on the ISO 31000 Principles and adapts the core ISO 31000 process to emphasize legal considerations:

  1. Define Context & Criteria
    • External Context: Includes laws, contracts, memoranda of understanding, third-party claims, and legal service providers.
    • Internal Context: Encompasses the organization’s legal structure, governance framework, current legal issues and claims, historical experiences, awareness initiatives, and duties of care obligations.
    • Criteria: Covers relationships with third parties, guidelines for acceptable legal risk levels, and the organization’s goals and priorities.
  2. Assess Legal Risks
    • Identification: Sources include case law, common law, stakeholder input, and non-compliance incidents.
    • Analysis: Evaluates IMPACT (e.g., types of losses, negative publicity, financial impact) and LIKELIHOOD (e.g., applicable laws, enforcement trends, stakeholder compliance history).
    • Evaluation Factors: Considers the broader organizational environment, priorities, values, ethics, and overall risk profile.
  3. Address Risks
    • Choosing Options: Involves weighing costs, legal advice, and the feasibility of transferring risk.
    • Evaluating Current Practices: Depends on resource availability and input from legal experts or counsel.
  4. Communicate and Report
    • Communication: Should be timely and relevant, fostering a culture of openness and accountability.
    • Monitoring: Involves tracking legal changes, triggers/covenants, outcomes, and their organizational impact.
    • Reporting Considerations: Includes legal privilege, document retention policies, evidence chains, and confidentiality.

ISO 31022 also outlines key elements for implementing a legal risk management framework:

  1. Policy: Organizational policies should address specific legal risk management concerns.
  2. Roles: Clear roles and responsibilities should be defined, including those for legal specialists.
  3. Integration: Legal risk management should be embedded within the organization’s broader risk management approach.
  4. Awareness: Systematic training programs for experts, frontline staff, and legal professionals enhance legal risk awareness.

Additionally, the appendices of ISO 31022 provide practical tools for viewing risk through a legal lens:

  • Appendix A: A sample legal risk identification method—the Legal Risk Identification Matrix (LRIM).
  • Appendix B: A template for a legal risk register.
  • Appendix C: A guide for estimating the likelihood of legal risk-related events.
  • Appendix D: A method for assessing the consequences of legal risk events.
  • Appendix E: Key contract clauses to review, featuring a table of example clauses to reduce legal risks, covering areas like capacity, title transfer, cancellation, payment terms, damages, warranties, and indemnities.

Assess and control

Once a broad definition of legal risk is established, both the Legal team and the business share responsibility for managing it. The General Counsel (GC) must understand legal risk levels across the organization and ensure the right structure and skills are in place. This depends on factors like the industry, level of regulation, company structure (centralized or decentralized), and business strategy (e.g., intellectual property or acquisitions). Legal risk should be evaluated across all areas of the business. This process can be subjective, but using a standard framework with risk factors—such as regulatory impact, customer concerns, financial and reputational risks, and historical loss data—helps bring structure. Legal can also adapt methods from other risk functions like Operational Risk to improve the process. Some organizations define legal risk appetite (38% of survey respondents have or are developing a formal statement). Instead of applying one blanket risk tolerance, companies should set different risk levels based on:

  • Risk type (e.g., product liability, intellectual property, competition law)
  • Jurisdiction (some countries have stricter laws)
  • Business unit (different teams face different risks)

Some risks may be eliminated (e.g., canceling a high-risk product launch), transferred (e.g., using insurance), or managed either reactively (handling issues as they arise) or proactively (putting controls in place to reduce the risk). Once risks, owners, and appetite levels are identified, the company must decide how much control is needed.

  • Low-risk areas may not need strict controls. For example, a company with low intellectual property risk may only address IP issues when they arise.
  • High-risk areas (e.g., competition law) require stronger controls, such as clear policies, training programs, and legal oversight in business processes.

Not all legal risk controls belong to Legal. Some are managed by business teams, such as:

  • Contract templates (business teams must use them to reduce contractual risk)
  • Approval thresholds (e.g., requiring Legal review for contracts over a certain value)

Legal must still ensure these controls are effective and determine if more or fewer controls are needed. The organization must also check that Legal reviews are properly conducted, either by another lawyer or through external verification. All of these measures form part of the legal risk management framework, ensuring legal risks are controlled in a structured way.

Influence on Strategy and Operations

Determining where to allocate legal resources is crucial for shaping a company’s legal strategy and operating model. Organizations need to decide:

  • Which legal tasks should stay in-house and which can be delegated
  • The required legal expertise
  • The balance between internal legal teams and external counsel
  • How technology can enhance legal risk management

Working with Specialists

Legal teams should collaborate with experts rather than working in isolation. A strong legal risk management framework benefits from input from:

  • Legal Chief Operating Officers (if available)
  • Legal project managers
  • Risk professionals (to develop effective controls)
  • Technology specialists (to implement legal risk management tools)

These experts also help identify legal risks associated with new technologies the company develops or adopts. While most organizations integrate legal risk management into company-wide operational systems, fewer than 10% use dedicated legal risk platforms.Some companies treat legal risk management as a leadership skill, rotating responsibility among legal staff to enhance expertise and career development.

Three Lines of Defense Approach

Many organizations follow the three lines of defense model for legal risk management, where:

  • Legal plays roles in both the first and second lines of defense.
  • It’s essential to avoid conflicts of interest, ensuring Legal does not assess its own risk controls.
  • This model also defines monitoring processes to keep legal risks in check.

Building Awareness Across the Organization

Legal’s role extends beyond direct risk management—it also involves educating other teams about legal risks in their operations. By raising awareness, organizations can prevent risks rather than relying on non-legal staff to follow rules without understanding their purpose. Additionally, risk and technology experts can train the Legal team on best risk management practices and emerging technologies. This knowledge-sharing ensures new legal risks are identified and addressed effectively.

Monitor and report

With a structured legal risk framework, organizations can implement monitoring and reporting systems to evaluate risk management effectiveness, detect emerging risks, and address failures.

  • Technology plays a key role, especially in operational risk management, but its use in legal risk monitoring is still developing.
  • Contract management tools can help assess legal risks by tracking deviations from standard contract clauses across the organization.
  • Regardless of technology, Legal must define what it wants to monitor from the outset.

In multinational organizations, monitoring is most effective when it is close to but independent of the business, allowing for:

  • A deeper understanding of the local context.
  • Faster and more relevant responses.
  • Avoiding delays or misfocused efforts that can occur with centralized monitoring.

However, centralized oversight ensures consistency in legal guidance, particularly in high-risk areas like competition law.

Evaluating Legal Performance

Assessing whether lawyers fulfill their responsibilities effectively can be challenging:

  • Standardized legal processes, such as contract drafting, allow for clearer controls and assurance testing.
  • Legal judgment-based decisions are harder to evaluate.

Some organizations adopt peer reviews or independent legal assurance teams to assess legal work. Other risk-based approaches, inspired by auditing practices, focus on:

  • Testing key controls that address legal risks.
  • Assessing control effectiveness through sample testing.

Reporting on Legal Risk

Effective legal risk management should be regularly reported to risk and audit committees, as well as the board. A clear escalation process should also exist for urgent risk issues.

  • Many organizations primarily report litigation risks to the audit committee.
  • A mature legal risk management approach includes reporting on additional risks such as contractual, intellectual property, competition, data privacy, and regulatory risks.
  • Key Risk Indicators (KRIs) help trigger automatic reporting, reducing reliance on subjective judgments by risk owners.

While many organizations have some form of risk reporting, data quality and accessibility remain major challenges. Legal teams should work with risk and technology specialists to:

  • Identify and access necessary data.
  • Interpret and present data effectively.
  • Ensure governance teams understand legal risk implications.

Interaction with regulators

The General Counsel (GC) is typically responsible for engaging with regulators, primarily on matters related to legal risk. However, the extent of this involvement varies:

  • In large, regulated organizations, legal risk, regulatory risk, and compliance risk are often handled by separate teams, with responsibilities shared between the GC, Chief Compliance Officer (CCO), and Chief Risk Officer (CRO).
  • In smaller or less regulated organizations, all three areas may fall under the Legal department, with the GC overseeing them directly.
  • The level of regulatory engagement by the GC depends on the industry’s regulatory landscape—more regulated industries require more frequent and proactive interaction with regulators.

Adapting to Regulatory Changes

Keeping up with new and evolving regulations—even those focused on operational matters—is crucial for managing legal risk. This requires:

  • Horizon-scanning at both global and local levels to track regulatory developments.
  • Understanding the growing impact of cross-border regulations, as many legal requirements now have transnational effects.
  • Building strong, transparent relationships with regulators, which can help in mitigating penalties across multiple jurisdictions in case of compliance failures.

Monitoring and Reporting

Organizations increasingly expect legal risk reporting to include:

  • Insights into emerging regulations and their associated risks.
  • Identified compliance breaches and their likely consequences.
  • A narrative on regulatory interactions and their implications for the business.

In industries like financial services, regulators are taking a greater interest in how organizations integrate legal risk management within their broader risk frameworks.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply