A new member of the ISO 31000 risk management family
ISO 31022 Risk management — Guidelines for
the management of legal risk, is a new member of the ISO 31000 family. While ISO 31000 provides general principles and guidelines for all risk groups to which organizations are exposed, ISO 31022 addresses a specific risk category in the legal area. It is clear that all risks must be effectively managed to ensure the safety and development of the organization. But any organization is exposed to legal risk, and most often it is a big challenge. The ISO 31022 standard, based on the principles set out in ISO 31000, adapts risk management and processes to the needs of legal risk management. ISO 31022 has the same structure as ISO 31000.
The structure of ISO 31022
Foreword
Introduction
- Scope
- Normative references
- Terms and definitions
- Principles
- Legal risk management process
- Implementation of the management of legal risk
Annex A (informative) An example of a legal risk identification method — Legal risk identification matrix (LRIM)
Annex B (informative) An example of a legal risk register
Annex C (informative) An example for estimating the likelihood of events related to legal risk
Annex D (informative) An example for estimating the consequences of events related to legal risk
Annex E (informative) Key clauses to consider when reviewing contracts
Bibliography
Legal risk management in practice
Let see, step by step, what needs to be done to implement legal risk management in the organization using the ISO 31022 standard.
Here we go!
Step 1
Defining the context
Understanding the external environment:
- national and international legislation (including countries where we operate and provide services; extraterritorial application of local laws);
- agreements,
- actions and requirements (possibly lawsuits and claims),
- third parties,
- shareholders,
- other stakeholders (external advisers, regulators, trade unions, etc.)
Understanding the indoor environment:
- organization and structure,
- business model and financial condition
- procedures / codes of conduct and policies,
- intellectual property and other legal assets,
- past experiences and disputes
- fulfilment of the obligations
Step 2
Defining the risk assessment methodology, establishing criteria.
Part of the general risk criteria:
- defined legal risk tolerance based on goals, values, resources and preferences
- based on the categories of legal risks
- it takes into account management, rules, relationships and policies.
You can take as criteria: probability, effect (financial impact) and set values for them, eg from 1 to 5. The risk will be determined by multiplying these values.
Step 3
Legal risk assessment and analysis.
3.1 Identification and description of actual and potential events triggered by internal or external factors, known or unknown, affecting process objectives
The sources of information for identifying legal risks are:
- organizational goals
- organizational structure and rules and procedures in the field of ethics and operational activities
- consultation with stakeholders
- violations of the law
- criminal and civil liability and financial penalties
- application of specific rules
- monitoring of legal changes
3.2 Legal risk analysis
Performing the risk estimation. The input to this stage is the probability of an event and its consequences and impact.
Use of historical data and / or simulations, business analytics, artificial intelligence and modeling, expertise, etc., taking into account data on the consequences of past losses and benefits from legal risks arising.
3.3 Assessment of legal risks
In this step, the designated risk levels are compared with the established criteria and individual risks are prioritized. It is nothing else than assigning risks to a given group. Depending on the methodology adopted, the risks are usually divided into low, medium and high. The result of this stage should be a list of risks (risk table).
Step 4
Determining priorities
Based on the results obtained from the analysis and risk assessment (the result can be presented in the form of a risk table), we define the appropriate procedure. Particular attention should be paid to the risks that require action (reducing their value to an acceptable level).
The options for dealing with risk most often come down to the choice of four options: reduction, acceptance, avoidance, transfer.
Step 5
Appropriate management of access to information related to the analyzed risks (risk table and risk treatment plans) in order to protect sensitive information and prevent unauthorized changes to information and individual documents.
Step 6
Internal and external communication
Internal communication is about keeping records, reporting, reporting training on risks and dealing with them, etc. External communication mainly focuses on confidentiality and professional secrecy; cooperation with regulatory, legislative and judicial authorities.
Step 7
Risk monitoring and review.
Monitoring should ensure that all new risks and their factors are identified in a timely manner to enable their analysis and adoption of adequate management.
Keep abreast of changes in the legal context by identifying early warning signals among stakeholders.
If a change in any of the factors affecting the risk is identified, the risks should be re-reviewed and their values should be updated if deemed necessary.
In addition to the risk review, it is recommended to periodically monitor and review the entire risk management process (especially in the event of organizational changes, business requirements or the external environment), because the current risk management methodology may become inadequate and / or ineffective with time and changes.