Legal Risk Management

In his book The Future of Law, Richard Susskind predicted a paradigm shift in the approach to legal problems, from problem solving to problem prevention.

"While legal problem solving will not be eliminated in tomorrow’s legal paradigm, it will nonetheless diminish markedly in significance. The emphasis will shift towards legal risk management supported by proactive facilities, which will be available in the form of legal information services and procedures. As citizens learn to seek legal guidance more regularly and far earlier than in the past, many potential legal difficulties will be dissolved before needing to be resolved. Where legal problems of today are often symptomatic of delayed legal input, earlier consultation should result in users understanding and identifying their risks and controlling them before any questions of escalation."[1]
 

This raises the question of what kinds of methods a lawyer can employ to perform legal risk management. The conventional legal method commonly discussed in legal literature focuses on identifying which law applies to a given case (“da mihi facta dabo tibi jus”). In this sense, it is a reactive method, because it reacts to a given case. Proactive thinking is of course well known to many legal practitioners, but it doesn’t always follow a clearly defined and well-described method. This is to a certain degree different in other disciplines, where risk management methods are subject to a considerable amount of research and where such methods are readily available to support a proactive practice with respect to risk. To the degree the legal discipline wishes to increase its focus on proactive methods, it could use the risk management methods developed in other disciplines as a starting point. This thesis is an attempt to assess the degree to which risk management methods from other disciplines can be usefully adapted for use in the legal domain.

“Risk management” is a technical term that refers to a set of co-ordinated activities to direct and control an organisation with respect to “risks” of a nature to be specified.[2] Disciplines like business management, engineering and computer science use a variety of methods to manage risks of different kinds related, for instance, to products, markets, or information systems. The “risk” may be economic loss, negative effects on the security of a system, a delay in system development, etc.

Lawyers sometimes use the term “legal risk management” in the marketing efforts of law firms to advertise or promote their services, mainly addressed to the corporate client. The use of the term “risk management” in a legal context could be taken to imply that there is a clear understanding of how methods for risk management can be applied within the legal domain. However, in most cases the term is probably used in an informal sense, indicating that lawyers will offer their services to clients with the objective of reducing risks, typically of an economic nature, but also the risk of running into future disputes (with the implied costs and economic uncertainty of such a situation). The use of the phrase is not always explained with reference to a certain method or standard.

By comparison, other disciplines use the term “risk management” as a reference to a well-defined approach, a specific method, or a set of specific methods. According to the ISO, risk management “involves applying logical and systematic methods for [...] identifying, analyzing and treating risk with any activity, process [or] project […].”[3] Risk management is today used in many different disciplines as a structured approach for dealing with risk. Enterprise risk management[4] focuses on risks to an enterprise, while financial risk management deals with risk in the financial sector.[5] Engineers use risk analysis methods, e.g., to assess the risk of technical failure of a system. In law there has been some focus on legal risk management[6] and, more generally, on preventive and proactive law[7], but methods for legal risk management are still described as “in their infancies”[8].

According to the ISO standard 31000, risk management consists of one or more risk assessments. Typically, a risk assessment involves risk identification, risk estimation, risk evaluation and risk treatment. For example, a strongly simplified version of an engineering risk assessment may (1) identify the risk of a bridge collapse because it cannot withstand an earthquake (risk identification). Then, (2) the engineer would analyze the uncertainty and assess the likelihood and the consequences of a bridge collapse due to an earthquake (risk estimation). The next step (3) would be to assess whether this risk is acceptable (risk evaluation). Depending on the evaluation results, the engineer would then (4) proceed to discuss the effect and cost of possible technical or other measures to manage the risk (risk treatment).

Could a similar approach be used to assess risk in a legal context? This would require a risk assessment that, unlike e.g. an engineering risk analysis, not only focuses on factual events, but also on the application of legal norms to these facts. Thus, a legal risk assessment could assess how the application of legal norms may have an effect on the client or stakeholder.

It is submitted that the characteristic element in legal risk management is the focus on legal issues in the context of risk. This legal perspective on risk becomes visible in the identification of legal risks and in the use of legal measures to treat risk. Legal risk management can thus be defined as a structured approach which focuses on managing a particular set of risks, namely (1) legal risks and (2) risks that can be “treated by legal means”[9]. If we conceptualize proactive legal counselling as a type of risk management, then we can apply and potentially benefit from the structured approach offered in standards and methods for risk management.

Collaboration

ENFORCE is funded by the Research Council of Norway and runs from January 1, 2005 until October 15, 2009.

ENFORCE is a joint initiative between

  • Department of Information Science and Media Studies, University of Bergen
  • Norwegian Research Center for Computers and Law, University of Oslo
  • SINTEF ICT in Oslo

[1] R. SUSSKIND, The Future of Law (1998), p. 290.

[2] See definition in ISO, Committee Draft 2 for Risk management - vocabulary (Guide 73, 2008).

[3] Ibid.

[4] COSO, Enterprise risk management: an integrated framework (2004).

[5] BASEL COMMITTEE ON BANKING SUPERVISION, International Convergence of Capital Measurement and Capital Standards. A Revised Framework, Comprehensive Version (2006), hereinafter Basel II.

[6] E.g., R. MCCORMICK, Legal risk in the financial markets (2006), J. TRZASKOWSKI, 'Legal risk management -- some reflections' Julebogen 2005 (2005), J. TRZASKOWSKI, Legal risk management in electronic commerce managing the risk of cross-border law enforcement (2005), P. WAHLGREN, Juridisk riskanalys: mot en säkrare juridisk metod (2003), P. KESKITALO, From assumptions to risk management: an analysis of risk management for changing circumstances in commercial contracts, especially in the Nordic countries: the theory of contractual risk management and the default norms of risk allocation (2000).

[7] P. WAHLGREN (ed), A Proactive approach. Scandinavian studies in law vol. 49 (Stockholm Institute for Scandinavian Law Stockholm 2006).

[8] R. BURNETT, 'Legal risk management for the IT industry' Computer Law & Security Report 21 (1) 61-67.

[9] T. MAHLER and J. BING, 'Contractual Risk Management in an ICT Context -- Searching for a Possible Interface between Legal Methods and Risk Analysis' Scandinavian Studies in Law 49 339-358.

Published Dec. 12, 2013 1:47 PM