Strategies to Manage Legal Risks & Designing an Effective Risk Management Framework

Most types of legal risks inherent in IT businesses are not fundamentally different from traditional businesses. But given the very nature of IT business, which is much more technology-dependent than traditional businesses, legal risk exposures can become particularly accentuated.

The need for a structured and proactive legal risk management system is becoming increasingly a corporate policy imperative, if not one of the defining requirements, in managing businesses in the so-called New Economy. And enterprises with a sound legal risk management framework are likely to command a higher premium than those without one.

So why are IT businesses more vulnerable than traditional businesses in regard to their legal risk exposures?

First, things move at a much faster pace in the IT world than in the bricks and mortar world. Technology develops at such a rapid pace and the turnaround time for IT businesses is extremely fast. Change seems to be the only constant in IT businesses.

Second, IT businesses tend to have instant global reach. With present-day Internet and communication technologies, the time taken by a client to set up an e-business for example can be a matter of days and carried out on a global basis in an instant. In one quick sweep, an e-business model would have multiple and varying legal risk exposures across different jurisdictions.

Third, in IT business and in the Internet economy in general, intellectual property rights have become a key corporate asset, often with values far exceeding some traditional corporate assets such as land and machinery. But oddly, advances in technology make the violation of such intellectual property rights (for example through copying) easier too, therefore raising the legal vulnerability of such enterprises.

Fourth, the area of Internet law or e-business law is still evolving in most jurisdictions around the globe and IT businesses with global operations are not only facing different legal risk exposures but also having to grapple with even more uncertainty.

Reactive Approach No Longer Sufficient

There is a sea change out there. The nature of technology business itself is beginning to compel lawyers to review their legal risk management strategies. Just imagine lawyers simply providing the traditional type of reactive legal services to their clients, ie getting involved often only after the damage has been done. By the time a new e-business model is set up and transactions are carried out across multiple jurisdictions, lawyers who simply react to changing demands of their clients instead of proactively trying to help their clients manage their e-business effectively would find themselves become increasingly sidelined.

Types of Legal Risks

There are essentially two types of legal risks in IT business – the direct and the indirect. The direct legal risks involve potential legal liabilities^{1 in relation to:}

compliance requirements at the regulatory level (both at home and in foreign jurisdictions in regard to the legislative and regulatory environment)
ensuring enforceability of contracts
fulfilment of contractual obligations (for example possible breach of contract)
the securing, exploitation and maintenance of intellectual property rights either to protect intellectual assets or to minimise, if not to eradicate, any legal risk exposures from violation of other parties’ intellectual property rights
third party rights (for example violation of intellectual property rights)
the enterprise’s own employees in their dealings with third parties which may lead to potential liabilities for the enterprise and their employers

Technical Risks

The indirect legal risks in turn are those risks that flow from technical risks such as:

poor system design or architecture that may result in system failure, leading to potential legal liability for the software developer
computer viruses which may cause the whole network to collapse leading to legal liabilities of service providers
intrusion by hackers and other criminal activities like theft or corporate espionage which lead to potential legal liability for both service and content providers.

For ‘technical’ risks, we are mainly concerned here with the legal im-plications that flow from them. Here, we need to distinguish between a risk event, its impact and its legal consequences. For example, hacking (the event) leads to security breach (an impact) and this in turns leads to potential legal liability exposure for the service provider for failure to assure security (the legal consequences).

What is Strategic Legal Risk Management?

I would suggest that for lawyers to serve their clients more effectively in the IT business environment, they would need to take that first step in rethinking how they should manage legal risks at the strategic level for their clients. I call this approach ‘Strategic Legal Management’. This requires a new way of thinking about the legal risk management approach and its impact on the performance of the clients’ businesses.

In the context of IT businesses in general, I would define strategic legal risk management as a series of actions and decisions taken by lawyers (whether in-house lawyers or practitioners in their capacity as external legal advisers) that result in the formulation and implementation of management plans^{2 aimed at reducing if not avoiding potential legal liabilities and ultimately designed to help achieve the enterprise’s business goals.}

Strategic management is often proactive, future-oriented and very much focused on the long term. And the outcome of any review of an organisation’s legal risk management strategy should result primarily in a coherent legal risk management framework within that enterprise. This framework should combine both the elements of ‘legal contents’ or legal guidance and an effective systems-based and IT-driven workflow processes. So the approach is therefore both content-centric and process-centric.

Elements of a Legal Risk Management Strategy

A strategic legal risk management approach in IT businesses would typically contain the following substantive elements:

a means of ensuring that the legal risk management strategy is in sync with the enterprise’s overall business vision and strategy
a proactive and structured legal risk management framework which is planned for, documented and periodically reviewed for its effectiveness
fulfilment of the compliance requirements at the regulatory levels both at home and across other jurisdictions
a means of ensuring the securing of legal and commercial interests of the enterprises including addressing issues such as assurance of enforceability of transactions and effective structuring of e-transactions for tax-efficiency etc
protection of assets (particularly intellectual property rights such as patents, trademarks, domain names, copyrights and trade secrets)
exploitation of assets for commercial value (for example, through licensing of intellectual property rights)
a documented programme of action to grow the enterprise through legal means
regular review to keep up with developments in the law, technology and business in general

A starting point in any strategic legal risk management review in IT business would typically involve asking where the enterprise is now in terms of its achievements of its strategic legal goals (for example to be market leader in the exploitation of patents that would increase shareholder value or to proactively secure and defend its intellectual assets in jurisdictions where it could extract the highest business value), where the enterprise would want to go? (example what business position to stake out and what financial outcomes the enterprise wants to achieve in say patent management), and how the enterprise would get there.

The lawyers would then begin to chart the tasks for strategic legal risk management. The roadmap would typically involve the following steps:

development of the enterprise strategic vision and mission (eg to position the enterprise as the leading global patent leader’)
setting measurable objectives (eg, to secure patent registration in key jurisdictions);
designing and implementing the strategy to achieve those objectives; and
assessing performance during the execution phase.

At the senior management level, the translation of the strategic goals into specific plans of action in turn typically involves answers to the following questions :

What are the legal risk exposures and how can the lawyers help the client run the business without risks or with less risks?
How can the proactive management of the legal affairs of the enterprise be carried out in a manner that would strengthen the enterprise’s competitive advantage?
How can the expectations of the stakeholders of the enterprise (eg Board and shareholders) be met?
How can performance targets (eg successful protection of intellectual property rights, successful defence of suit etc) within a specified time frame be achieved?
How do we secure adequate legal protection without having to pay too much or keeping it within the enterprise’s budget?

Finally, at the operational level where the day-to-day servicing of clients are carried out, the sort of questions raised could include:

If the client takes this business direction or if they adopt this business model, what are the legal requirements and how can this be successfully implemented?
How should the business transaction be structured in order to achieve its commercial goals?
What sort of agreements should be drafted?
What specific terms should be included?

Need for a structured legal risk management framework

Over and above traditional legal risk exposures, IT businesses face numerous other kinds ofe-legal risks. The challenge for enterprises operating in this space is to design a well structured legal risk management framework that would help such an enterprise to identify, source and manage such legal risks.

Structured legal risk management is a process of identifying and managing legal risk exposures and taking proactive steps within a clear framework to avoid and/or minimise such forms of legal risk liabilities. This is quite apart from the traditional role of the lawyers in providing legal advice on issues such as compliance, risk avoidance and litigation management albeit often in an ad-hoc manner.

Designing a Legal Risk Management Framework

In designing the overall risk management framework, IT businesses and their legal advisers, as a general rule, should have a proactive programme of action.

It needs to determine the awareness level at both the institutional (corporate) and personal (employee) levels for the need for such a system. An overall strategy has to be designed at the most senior level that meets and is in sync with the enterprise’s vision and mission

An overall structured system to identify, classify, measure, prioritise and assess legal risks that are relevant to the business operations of the enterprise. These exposures would then be prioritised in accordance with their gravity or seriousness. Trigger or alert events should be clearly identified and warning mechanisms put in place.

There is a complementary need to carry out a legal risks audit across the enterprise covering every aspect of corporate work. This should include a review of documentation, seeking legal advice confirming compliance with prevailing laws and regulations and a review of corporate e-policy including terms of employee contracts.

The plan should be documented in the form of an operation manual (both in the form of hard copy as well as one that can be ’embedded’ into the IT system of the company in the form of Web-based documents and workflow management systems) containing policies, practices and procedures that address and control these legal risks.

The framework should also include:

allocation or assignment of specific responsibilities of all parties involved in the whole legal risk management process from the operational level right up to the CEO
a decision on the acceptable level of legal risk tolerance including the tools and the system for management and decision support
a regular test plan which when implemented approximates all possible worst-case scenarios for the purpose of testing the legal risk management system to the fullest
a method for monitoring programme and scheduled reviews to assess all types of legal risks and the evaluation of the effectiveness of such programmes.

Provision should be made for updating and adjustment of such plans in the light of developments in the technology, law and business practices. A decision needs to be made on the most appropriate technologies in the design and development of the whole system that would ensure scalability, seamless integration with existing applications, ease of use for new users and low maintenance cost (Java and XML technologies for instance should be used as these are emerging as industry standards in the design and development of Web-based management systems). A budget for the creation of such a legal risk management system must be established.

The Role of Expert Systems

In a structured and Web-based legal risk management system designed by law firms for their clients, the Web site or the portal can be used to communicate the results of the legal risk assessment based on the rules established by the designers of such a system who are typically the legal advisers themselves. In the design of such a legal risk management framework, expert systems can play an integral part in marrying the content and process aspects of the whole risk management strategy as well as its implementation.

In the context of a legal risk management system, an expert system is a system that uses the expertise or knowhow of the legal advisors in the form of rules to automate the identification of legal problems and the provision of solutions. The source of this expertise is invariably the inhouse lawyers or the external legal advisors. Such legal expertise is organised as simple if-then rules that connect inputs with outputs, or causes with their effects. Sophisticated legal expert systems can incorporate uncertainty and allow for intuitive decision making.

Examples of legal knowledge expertise include:

What types of legal risk exposures do I face in running my technology business?
What incidents in the management of my corporate data can lead to non-compliance with the Data Protection Act?
What terms and conditions should be included in mye-commerce site portal to ensure that the company’s legal risk exposures are eliminated if not reduced?
How do I get to be indemnified in the event of breach of the terms and conditions by the suppliers of my IT systems?
What sort of third-party actions can lead to my own legal liability?
What sort of disclaimer provisions would be adequate for my venture to avoid or minimise legal liabilities?

The output of an expert system in turn can be:

information;
advice, guidance or instruction;
a risk assessment or judgment
simply a possible prediction as to what is the most likely outcome.

For example, in a technology business legal risk exposure case, an expert system can be used to calculate the severity of legal risk exposures for the company from the occurrence of the following sort of ‘input’ events. One of the if-then rules can be:

IF the intellectually property rights belonging to the company are not protected OR the e-commerce website does not have terms and conditions which are clearly communicated to the users of the site OR the manner in which e-contracts are formed on the website does not fulfilled the requirements for effective formation of contract THEN the legal risk exposure of the owner of the business is high

In a third-party procurement case, one of the if-then rules can be:

IF an outsourcing party that provides software development services does not provide any warranty to its client (say a company) that the former has not violated the intellectual property rights of third parties, AND there is no recourse for the company in terms of indemnity provisions against this outsourcing party, THEN the company that engages the outsourcing party would have a legal risk exposure in terms of potential liability to other third parties for the violation of intellectual property rights.

The legal knowledge of the domain experts can be objective or subjective and it can be both certain or uncertain. It could be sourced from publicly available sources or be privileged information that is obtained from transactions based on the lawyer-client confidentiality requirements. The challenge in designing a rigorous expert system for a legal risk management framework is to translate the objective or subjective knowledge of the legal problem at hand into predictions or likelihood of certain types of ‘output’ events resulting.

The aim of developing this legal risk management system is to produce a seamless systems-based and IT-driven workflow process that should preferably be embedded in the enterprise’s day-to-day operations. This clearly has to be done with the aid of professional legal advisers who not only understand IT but should also have domain expertise in IT law. The ultimate objective in designing such a system is to create a system which does not require the inputs of the lawyers every time a legal risk issue has been identified and a solution is required. This assumes of course that a legal issue or problem can be identified by the non-lawyer involved in the day-to-day work at the operational level.

The design of such a structured legal risk management system driven by expert systems, however, is not without problems. For a start, there can be uncertainties in both the likelihood of the input events as well as the uncertainty of the rules themselves (eg, the legal requirements for violation of intellectual property rights). The parameters in assessing the legal risk exposures may also be vague and it is often these ‘shades of grey’ that are likely to cause difficulties in the design of the system.

The utmost care must therefore be exercised in the design of the rules and the ‘if-then’ logic. A particular legal problem more often than not can have multiple and often very different dimensions and the limit of the system will be apparent as projections can only be based on one element out of many in the legal diagnostic review. This is the limit of any expert system that purports to manage complex legal risk assessment issue. But where the rules of law or the outcome of legal judgment can be clearly laid out in terms of the if/then rule, I see no reason why a reasonably effective legal risk management system cannot be designed that will improve the overall process of legal risk management by enterprises. n

Zaid Hamzah is an Advocate & Solicitor of the Supreme Court of Singapore and he is currently the CEO of Lexfutura (Global) http://lexfutura.com as well as Managing Director of i-Knowledge Technologies Private Limited, Singapore http://i-knowledge.com.sg, a legal technology solutions provider. Zaid is also an Adjunct Lecturer on Strategic Management of Legal Issues in e-Business at the Graduate School of Business at the National University of Singapore. He can be reached at zaid@docforte.com

Endnotes

1. Excluding criminal issues as well as the law concerning defamation which is outside the purview of this article.

2. The planning phase includes defining the enterprise mission, performing internal analysis and evaluating the external environment. During the implementation phase, legal managers for example would select an appropriate strategy based on the information gathered in the planning phase and translate the strategy into organisational actions.

Upcoming events

SCL Webinar – Competing Interests at the Competition Appeal Tribunal (CAT): Balancing Technology with Complexity

Controlling Liability in IT Contracts – Clause and Effect

SCL Summer Networking Event – Organised by the Trainee Group

SCL Event: Procurement of Government IT Projects

Generative AI and Deepfakes: Understanding the Illusion