A System to Managing Legal Risk

CEEIHM Issue 1.3.

Yota Kremmida, Regional Counsel Greece, Turkey, and Africa and EMEA & LatAm Indirect GTM & Competition Law GBU Counsel at Hewlett Packard Enterprise in Athens, explains how standardization and solid operational preparedness can help mitigate legal risks.

CEEIHM: Would you agree with the assertion that every company has to incorporate some form and level of legal risk?

Yota: There is no such thing as a risk-free business and the legal risk naturally goes together with, or comes after, commercial risk. Even the most risk-averse organizations will necessarily have to incorporate some form of legal risk in areas they cannot control. As an example, legal risk may arise from external factors such as country risk (an enhanced risk for companies operating in many jurisdictions), or currency risk, or change-of-legislation risk, just to mention a couple of areas beyond one’s control. Legal risk may also arise from the business operation itself. Businesses make profits by undertaking risks and consequently every business organization is designed to tolerate a level of legal risk – and thus every organization must be well prepared for it. Thus, avoiding legal risk is not an option. A reasonable business person will, instead, invest in foreseeing, assessing, and addressing risks. So, yes, I agree with the statement.

CEEIHM: Can you give us some examples of “acceptable” risks within your company, and what steps you are taking to mitigate potential fallout from them?

Yota: The level of risk appetite a business has, in my opinion, is one of the first elements an in-house counsel has to discuss and understand. The better this risk appetite is defined and communicated, the more efficient the operation of the business is. The in-house counsel can be an important partner for a business when defining the company’s risk appetite and can help the business put in place appropriate rules for risk identification and assessment.

In my company, we accept contractual risks in order to simplify and expedite the closing of deals and to improve the contracting experience of our customers. Several years ago we simplified our contracts by using plain language instead of the usual difficult-to-understand legalese, accepting, on a standard basis, a high limitation of liability cap irrespective of the value of the deal, and offering warranties. Where permissible, we are comfortable with bypassing formal signature requirements and we accept electronic transactions. We assess the risk on the basis of the history with our customers, but also on our proven high-class performance and our “customer first” attitude. 

CEEIHM: On the flip side, what are some of the types of risks you’ve categorized as zero-tolerance risks?

Yota: Definitely reputation risks. There is zero tolerance for this. In my company, how we do business is as important as the business we do.

Violation of the law is also not an option. We do not violate the law. On the contrary, we will spend as much time, effort, and money as it takes to ensure that our company complies with the law. We follow our Standards of Business Conduct while doing business and we avoid red flags.

CEEIHM: As a GC, what tools are at your disposal to identify current risk elements within your company, and how do you set up a system to constantly monitor for the ones that might come up?

Yota: Standardization of contractual terms and operation processes is the most common and most effective way to predict, streamline, and quantify acceptable risk. It is also a way to expedite deal closing and ensure operational efficiency. We have put in place a pre-approved set of contractual terms which reflect acceptable commercial and legal risks. The vast majority of our business runs under these pre-approved terms. An established deal governance process with identified roles, rules, and escalation paths is also in place. We follow policies with standard commercial norms on the risks we can accept and under which criteria or conditions we can accept them. We use technology and base our judgments on data. The deal risk assessment is a team effort where experts in legal, finance, tax, credit, business, and delivery operations collaborate to best position, quantify, and mitigate the risk if acceptable, or reject it if unacceptable.

There are obviously risks a company cannot foresee, and this became painfully obvious last year when most businesses found themselves addressing the impact of the pandemic. Good preparation on the operational front ensures business continuity in such circumstances, reducing legal risk. While most of our colleagues in legal went back to their law school books to refresh themselves on force majeure, well-prepared businesses mobilized their business-continuity processes and continued delivering essential services seamlessly. Some of them even grew their footprint during these times. While this is specific to only some business sectors, as certain industries have been totally grounded, it is also a result of the solid preparation via processes and operational readiness to affront disruption risk and avoid legal exposure. 

CEEIHM: Once you’ve identified a new risk, what are your methodology and metrics for assessing it internally?

Yota: It depends on what the new risk is. In our team, we address risks based on their nature and the impact they will likely have on our operations in terms of the likelihood of occurrence, the duration of the disruption, cost, reputational exposure, time to recover/rectify, and many other parameters. We are known for being diligent in adapting our operational models to the prevailing circumstances on the market.

Our assessment of the potential impact and our response to the risk is a team effort that involves several departments, with legal as an essential stakeholder, because we believe that most legal risks are usually better addressed via appropriate, simple-to-follow but robust business processes, policies, and controls, rather than through contractual clauses or sophisticated legal processes. As an example, the ability of a company to collect payments – or, in contrast, the risk of not collecting payments – may not be any different for customers who were sent an invoice than those having signed a 100-page contract. A good payment plan or a robust credit check on a customer is more effective most of the time. Commercial companies have no interest in entering into disputes with their customers anyway. In other words, a good contract is a contract that is signed and stays in the drawer and none of its parties ever have to invoke it.

CEEIHM: How do you train your in-house legal team members on how to identify risks?

Yota: The ability to identify risks and to decide when and how to escalate them are important skills for an in-house lawyer. I would say that, if there are two qualities a successful in-house lawyer should have, those would be good judgment and appropriate internal reporting.

We focus a lot on the training of our legal counsels in my company, and as much as we believe in good legal knowledge, we also invest in creating a culture of adequate legal risk assessment and empowering them to make decisions. Lawyers, like everyone else, are usually averse to change and see risks in innovative ideas. Throughout the years, I have found that the “what if” question helps younger company lawyers to appropriately address legal risks. So, my advice to team members is usually, “ask the ‘what if’ question.” What if we do not ask for a wet signature during the pandemic? What if we are not able to prove a transaction via a signed document?

Another good learning method is to make a judgment on data. I ask team members to collect appropriate information and explore their risk area to get to know it inside out. Partial information can itself be a risk, so accurate data is very important. Historical data may help assess customers’ behaviors, country data may help with the assessment of a country’s legal system, and performance data can help understand the risk of failure of suppliers.

Last, but not least, following the governance processes ensures the appropriate level of risk review and the appropriate level of decision-making. While our lawyers are empowered to make a number of important assessments, they are also trained to follow our internal governance processes so that the decision is made at the appropriate level each time.

By Djordje Vesic

This article was published in issue 1.3 of CEE In-House Matters. The full edition is available here in pdf format, here in e-reader format, and here in electronic format.