In last month’s column, I discussed how to apply analytics to a Strategic Technology Plan. This month I discuss the next layer of technology planning—addressing risk. Risk management is top of mind for most legal leadership teams these days. However, the methods and mechanisms for identifying, quantifying, tracking and mitigating risk differ widely amongst law departments.
While all law departments must consider legal risk, the level of formality in the process varies. Further, risk management can mean many different things to different departments. As law departments define the role and function of the legal team in the risk management process, the department may broaden its definition of risk management to include a wide variety of regulatory, business and other types of risk management activities. Following are some examples of how law departments have characterized risk and used technology to formally manage it:
1. Legal Risk: Identifying the level of legal risk involved in a matter is an activity that is common across many law departments. In its most basic form, departments simply set criteria for identifying the riskiest or most significant matters. They use technology to track the risk rating of a matter, and subsequently pull active “risky” matters into reports and other monitoring processes.
A more formal and detailed approach is to identify discrete legal risks within a matter and evaluate each one in terms of two dimensions: probability or likelihood of occurrence, and impact or significance to the business. Each risk is evaluated against each dimension on a 1-5 scale, with 1 = low and 5 = high. The two values are multiplied to create a combined score for each risk category. The results are then classified to indicate their relative priority and need for management attention. Technology may be used to monitor and report on each risk and the various activities and mitigation plans surrounding each.
2. Litigation Risk: In terms of technology, litigation process risk management tools are perhaps the best defined and most mature available. Many tools that track litigation matters come prepopulated with fields for tracking details about litigation exposure and outcome probabilities. In addition, a department need only define the steps of the litigation or e-discovery process in which it would like to be involved and then choose relevant risk tools such as legal hold management or early case assessment products to help evaluate and manage the process.
Litigation risk may also be defined as relating to the nature of the business. Some departments have turned to technology to identify trends or patterns that help to identify when the business may be at risk for litigation. This is common in industries that supply goods or services and have the potential for complaints and litigation resulting from use of said goods or services. Law departments are in a unique position to be able to identify when there is an uptick in certain types of complaints or litigation and report back to the business when corrective action may be required.
3. Regulatory Risk: Law departments are playing ever greater roles in helping organizations to manage regulatory risks. Some departments have taken the initiative to use technology to monitor changes in regulations, communicate changes and track the measures the company takes to comply with new regulations.
Some departments take on a more formal role, playing a quasi-compliance function, by automating processes to address regulatory and compliance requirements such as regulatory reporting. In some cases, departments have configured or customized software to support complex regulatory and compliance processes.
5. Operational & Internal Risk: There is also an extensive set of internal and operational activities for which a legal team may hold itself accountable. Records management is one of the most common processes in which legal is involved, and a variety of tools are available for managing and disposing of physical and electronic records. Law departments also often take on the role of enforcing corporate policies and procedures. This role is supported both by tools for communicating policies and by tools for gathering acknowledgements of policy receipt and review.
I could easily continue the list of potential risks and tools to track and mitigate those risks – the variations are wide to say the least. Because the definition of risk management can be so broad yet is so specific to an industry, business and role/function of a legal team, identifying a department’s responsibilities in the risk management process and then selecting the most appropriate tools and technology to support those responsibilities is an important step in strategic technology planning. This step is not one that can or should be duplicated from other organizations.
In next month’s article I will discuss a final layer of strategic technology planning—knowledge management.