Defining "legal risk" is tricky. Risk management professionals disagree as to whether the risk that a company would breach anti-corruption laws constitutes a legal risk: some say it does, because a law would be breached, while other say it does not, because the breach as such is not a matter of law but a matter of behavior (so it should belong to the category of governance risk, or operational risk, or whatever).
The truth is that risks are multi-dimensional situations that can be looked at from a variety of points of view: legal, financial, operational, strategic, human, reputational, etc. They are most of the time complex, meaning that they are not linear (one event causing one consequence). They are webs of interlinked events. Therefore, is it adequate to (try to) categorize a risk as entirely and exclusively "legal" or this or that? And to be honest, who cares? If your biggest client could become bankrupt next week, is it really important to decide whether this constitutes a legal risk, or a financial, commercial, strategic or whatever else risk? Would that discussion make your business more effective? Come on. Don't waste your time. The right reaction is to get the right people to work together on a transversal strategy to address the situation.
Nevertheless, a risk manager in your organization could have been mandated by the Board or the top management to produce an overview of all the risks incurred by the company (enterprise risk mapping). To accomplish this, risk managers break down risks into categories, and "legal risks" is one of them. The risk manager will come to you, the legal counsel, and ask you to prepare the section on legal risks. A legitimate reaction of yours might be to ask what the risk manager means by "legal risks", but you might be disappointed. Risk managers do not always have an elaborate answer, or any answer at all. It may well be up to you to define the meaning of what the risk manager has asked you to report on! So, if you need inspiration, read on.
"Legal risk" can mean at least five different things (although they may be overlapping):
- Sometimes, what people mean by legal risk is legal compliance risk, i.e. the risk that the company (or entities linked to it such as affiliates, subcontractors, etc.) could fail to comply with binding legal rules, when such failure could have adverse consequences for the company. The binding legal rules may be laws and regulations (most of the time, this is what people have in mind), but it could also be contractual obligations.
- Legal risk could also mean the risk to enter into sub-optimal agreements. This is why lawyers spend so much of their time reviewing and negotiating agreements, to spot provisions that are economically unfavorable, or illegal, or not enforceable, or inadequate for another reason. You may call it "contractual risk" if you wish.
- The possibility that laws could change in a way detrimental to the company is another type of legal risk. This change of law could be a new piece of legislation or a new regulation, but it could also be a new interpretation by the courts of an existing law or a change in the enforcement policy by governmental agencies. (Some purists would argue that it should be categorized as a political risk.)
- Liability risk is the risk that the company gets sued for a breach of its general duty of care (e.g. article 1382 of the Civil code) and similar general liabilities. Think of BP in the aftermath of the Deepwater Horizon oil spill in Florida and of asbestos-related class actions.
- Litigation risk is the risk of losing pending litigation. It might also include, if you decide to define it so, the risk of being involved in litigation in the first place (for example, if you are a pharma company, the risk that generic drug companies would challenge your patents in courts). Note that litigation risk can be overlapping with the other definitions of legal risks, because litigation may result from a failure to comply with laws or with contractual obligations, or consist in a liability claim, etc.
This list is far from final. You could certainly fine many other definitions (starting with criminal prosecution risk). Which one(s) to choose, if you ever have to make that tricky decision? Should you pick just o ne, or embrace them all? It depends on the context (what is the issue at stake?), on the relevance of the exercise (does it really matter, or is it just a bureaucratic lunacy?), on the internal politics at stake, on the business model of your company, on your ambitions, on the risks that you want people to be aware of, etc.
Remember that whatever definition you choose, colleagues from other departments will always have grounds to criticize it, because risks are multi-dimensional and complex, and therefore always support a variety of view points, all of them legitimate and relevant. Finally, what does "legal risk" mean? Intrinsically, nothing. Or everything. So, it's up to you.
Antoine Henry de Frahan, Partner
Frahan Blondé