Iwona Dorota Gajek, Country Head of Legal at BNP Paribas in Warsaw, Poland, sheds light on her approach to managing legal risks before a problem materializes.
In The Future of Law, Richard Susskind predicts a paradigm shift in the approach to legal problems from problem-solving to problem prevention: “While legal problem solving will not be eliminated in tomorrow’s legal paradigm, it will nonetheless diminish markedly in significance. The emphasis will shift towards legal risk management supported by proactive facilities, which will be available in the form of legal information services and procedures. As citizens learn to seek legal guidance more regularly and far earlier than in the past, many potential legal difficulties will be dissolved before needing to be resolved. Where legal problems of today are often symptomatic of delayed legal input, earlier consultation should result in users understanding and identifying their risks and controlling them before any questions of escalation.”
In my opinion, this is also the most important task for in-house lawyers – not just to solve legal problems, but to manage legal risks in such a way as to minimize them.
There is no legal definition of legal risk in European Union law, or in Polish law. For our particular purposes, legal risk can be defined as the probability of incurring material and non-material losses, arising, inter alia, from instability and imprecision of legal regulations, changes in the jurisdiction of courts or public administration bodies, erroneous shaping of the content of legal relations (failure to protect the entity’s legitimate interests), or incorrect or late implementation of internal regulations reflecting changes in the law. If we wish to be more specific, legal risk can be any of the following:
(1) Risk of incurring a material loss, e.g., from improper construction of civil law contracts (imprecisely defined rights and obligations of the parties resulting in interpretation doubts or defective definitions of the scope of the parties’ liability, time limits, or place of performance), or from administrative sanctions (e.g., administrative penalties for unfair market practices or regulatory violations).
(2) Litigation risk – associated with the initiation of civil, criminal, or administrative proceedings, as well as the likelihood of adverse judgments in the course of such proceedings.
(3) Risk of misinterpretation of legal regulations – this risk is particularly significant if legal regulations are highly variable and imprecise.
(4) Legislative risk – this is the risk arising from the adoption of new legislation that may significantly change the principles for conducting business, with the simplest example being the introduction of new taxes or charges, but also other restrictions on activity, both by national and EU legislators.
(5) Reputational risk – in a competitive market, this is of great importance, particularly in the age of social media, where any legal error can be instantly made public and result in the loss of a carefully built image and customer loyalty.
Another division may include risks caused by external actions (such as changes in legislation or case law) or internal events (such as business decisions, operational errors, or incorrect interpretations). In a further classification, the time when a risk is likely to materialize is important – typically, we have short-term risk (where the assumed materialization will occur within up to three years), medium-term risk (three-to-five years), and long-term risk (more than five years).
Working out a definition of legal risk is the first step towards managing it. The next steps are:
– Legal risk assessment using existing data and scenario planning;
– Identifying legal risk appetite on an individual and organization-wide level;
– Taking preventive action (legal information system);
– Transparent reporting of legal risk and control effectiveness to the board and relevant committees.
The second step is to identify the risks and assess them. Broadly speaking, this involves identifying what, why, where, when, and how the risk might affect the organization’s objectives or the value of its assets. In making this assessment we use our knowledge of the law, but also of the organization and its history. At this stage, it is extremely important to have one’s own databases, as the information such databases contain allows for a more accurate estimation of probabilities.
The next step in the management process should be to determine the so-called “risk appetite,” which means an analysis, carried out with the business division, of what risk level can be tolerated. It often depends on the industry or business objectives and the strategy of the entity. It will certainly be different for a bank operating in a highly regulated market than it is for an aggressively growing chain of online shops. Lawyers tend to think differently from people working directly in individual business lines and rarely like numbers. They are more likely to use qualitative criteria, but determining risk appetite requires combining the two approaches and using quantitative criteria as well. Legal risks are estimated using two basic parameters – “probability” and “consequences.”
On the one hand, we analyze the probability of the occurrence of an undesirable event (such as losing a court case, initiating administrative proceedings, the occurrence of a premise resulting in the payment of a contractual penalty, etc.) in percentages; on the other, we also analyze the consequences, i.e., the potential losses, in the broad sense of the term, which may result from the undesirable event. When analyzing impacts, we take into account losses (e.g., the risk of paying contractual penalties or administrative sanctions) but also costs, including the costs of legal services. However, impact analysis is also an analysis of the benefits that may arise from a risky action (e.g., entering into a favorable contract with a high contractual penalty and estimating the probability of its payment).
The next stage of the risk management process is to undertake actions mitigating this risk. To this end, we use the whole spectrum of activities, such as increasing the qualifications of our legal team members, or organizing training for business units; selecting proper legal advisors and supervising their work; creating internal regulations precisely defining the rules of operation; preparing multi-variant contract templates; creating systems to supervise court proceedings; introducing the rule of the second pair of eyes when analyzing key legal issues; constant monitoring of legislative changes and the rulings of national courts and the European Court of Justice; properly bringing information about these changes to the attention of business line representatives; and keeping statistics about court cases, unfavorable rulings, misinterpretations of law, and other events causing legal risk.
The risk management process should also include the reporting of these risks, meaning that both significant risk events and the extent to which a predetermined risk appetite has been used are reported. In the first case, the event and its consequences should be presented, as well as the causes and proposals for preventive action for the future and for minimizing the risks that have already arisen.
Risk management understood in this way enables in-house lawyers not only to react and respond to negative legal events but, above all, to co-create, with business lines, an operating model that minimizes the risk of their occurrence.
By Iwona Dorota Gajek, Country Head of Legal at BNP Paribas Poland