The Logic Behind Implementing Legal Department Indicators

Incorporating legal department indicators on a balanced scorecard is an effective technique that companies should use to determine the progress and performance of their own legal departments. These indicators function much like KPIs, or key performance indicators, in that they are already quantifiable in nature. This makes it much easier for your company’s legal department to check its performance because the measures are already translated into significant figures. All that remains is the interpretation and analysis of these figures, and you would then have a clear-cut description of just how your legal department is presently doing.

In just about any corporate setting and industry, the legal department is the division responsible for creating the policies, rules, and regulations that each member of the company or organization has to carry out and observe. Apart from that, the legal department is also in charge of handling any legal matter that the company faces. This includes entering into contracts or agreements, creating such contracts, creating proposals, dealing with internal legal disputes, instilling discipline among members of the organization, and much more. Such roles and responsibilities are very important and should be carried out with utmost care by any company. This is precisely why it is important for a company to monitor the performance and the effectiveness of its legal department – for there is just so much entailed in its tasks and responsibilities.

At present, there is much demand for performance measures and metrics that are more than satisfactory, so that they can be used effectively in gauging the performance and value of any company’s legal services. It goes without saying that the success of any company also comes with the effectiveness of its legal department.

There are several perspectives to keep in mind here – financial, customer, internal business processes, and learning and growth. All of these perspectives should incorporate corporate goals and objectives, as well as the company’s vision and strategy. This is something that should be practiced by retailers and manufacturers – how much more by legal departments. More importantly, the performance measures and indicators used should be few and relevant, to allow better interpretation and analysis. It might be tempting – even too tempting – to go with a lot of indicators. But really, it would be better to go with a relevant few.

Contrary to popular belief, the balanced scorecard is not a complicated tool to use at all. In fact, using the tool entails a simple process and it is economical as well. You do not really need to be a master at measurement or an expert at evaluation and analysis to use the tool efficiently. Your company does not even have to shell out that much money for the development of the tool itself! The internet is laden with sources and materials that you can use in developing your scorecard. And if you are not too sure which particular legal department indicators to use, you can resort to using the ones used by other legal departments – only as mere guides, of course. The bottom line is, for your scorecard to be effective, you need to use indicators or measures that are relevant to your company.

How to Define Legal Risk

What is risk?
The informal notion of risk as the chance that something bad might happen is not a bad place to start defining risk. Better management requires a better definition though. We need to break risk into distinct parts that are measurable.

Risk is the probability of loss given an event
Mathematical precision is possible and desirable in some cases. Large financial firms, for example, have sufficient data about operational losses that they can build predictive models based on experience to measure risk. They are the exception.

To illustrate how we might define risk in statistical terms, take the formula:

R = p * LGE

In this case R stands for risk, p for Probability of Event expressed as a percentage, and LGE stands for Loss Given Event. LGE is a measurement of the financial harm from an event. LGE can include non-financial losses, but they must yield to measurement for the formula to quantify risk.

Most organizations do not have the data or resources for (or confidence in) abstract models of risk. Organizations without statistically valid loss data can still measure and manage risk, particularly legal risk, by simply moving a few steps toward quantification, away from the “bad stuff” notion.

Risk under ISO 31000 offers an alternative approach
The traditional approach to risk suffers from another important deficiency. It focuses only on losses, presumably because the origins of risk models are in insurance (how much to charge for protection from “bad stuff”?) and credit risk (what happens if the borrower doesn’t pay?).

In 2009, the International Organization for Standardization (ISO) released a fresh approach to risk and risk management: ISO 31000:2009 Risk management – Principles and guidelines.

ISO 31000 provides a new definition of risk that is especially useful for measuring legal risk. Risk is the “effect of uncertainty on objectives.” Risk management then starts with identifying uncertainty and then evaluating effects (positive and negative).

Legal risk is difficult to measure. However, with the help of the ISO 31000 definition of risk, we can express legal uncertainties and then measure them and their potential effects. We may not achieve mathematical precision, but we can achieve better management.

Four types of legal risk
There are four broad categories of legal risk, or four areas of legal uncertainty: structural, regulatory, litigation, and contractual.

Litigation risk
Litigation is the most discussed legal risk in organizations. Litigation is often public and always distracting. The range of events that cause litigation is broad: employee misconduct, accidents, product liability and so on. The list can seem endless.

When management meets with the lawyer to discuss “What is the chance we will lose this case and what are the likely damages,” it is too late for risk management. Prior to litigation, we need to identify the areas of uncertainty that affect our objectives. Risk management is not fortune telling. Instead, we want to narrow the possible outcomes from particular events.

For example, a court case in an influential state invalidates a fee charged to consumers as an undisclosed interest charge subject to compensatory and punitive damages. Our organization charges a similar fee. However, the fee is charged a certain number of times and in known states. The statute in question carries known penalties. We have the building blocks to measure and manage legal risk from similar litigation.

Organizations invest significant sums to prevent litigation. It is helpful to weigh the cost of the risk management against the possible outcomes.

Contract risk

Contract risk is the most pernicious and difficult to track among legal risks. The traditional approach to contract risk focuses on a breach of contract by one party and the extra-contractual liabilities that might arise. This approach treats each contract individually and in isolation.

Most organizations focus their contract risk management strategy on drafting effective agreements. Quality contract drafting is necessary, but not sufficient to manage contract risk. There are cases where one contract can create significant risk, such as:

  • An exceptional share of revenue is tied to one contract,
  • Procurement or service contracts for critical components allow for disruption or price escalation, and
  • The counterparty does not indemnify us for damages that carry exceptional consequences like unpaid taxes and environmental problems.

In most cases, however, individual contracts do not, on their own, have the gravity of litigation. The substantive, common and difficult-to-track risk is the uncertainty that arises from the contract portfolio in its entirety. Systemic under-management of contracts creates expense leakage and missed revenue opportunities.

Regulatory risk

The growth of the administrative branch of government is daunting to most business leaders. Regulatory risk represents the uncertainty of the consequences of an agency’s action.

A few examples will illustrate the point:

  • A transportation company applies for a license to expand its operations to a new hub. Uncertainty regarding the agency’s decision, as well as the scope of the decision, creates risk. Under ISO 31000 the agency’s decision can have positive effects, but the uncertainty creates risk.
  • A product manufacturer and distributor offers a novel product warranty to generate additional revenue. State insurance commissioners can determine that the warranty should be classified as insurance. They can then impose fines, require insurance applications, impose conditions on the product and pursue civil remedies depending on the state statute.

Identification of regulatory risks is challenging, but the uncertainty about the effects is measurable. Regulations grant powers to the agencies charged with enforcement of the statute and regulations. Penalties range from fines to administrative orders.

Structural risk

Structural legal risk is rare for most organizations. Structural legal risks arise from uncertainty about the underpinnings of a particular industry, technology or method of doing business. When the airline industry was regulated, for example, there was a structural legal risk that the industry would be deregulated.

The scope of a structural legal risk is broad and it usually alters the competitive landscape.

Structural legal risks can arise from sources other than legislation. Antitrust litigation can significantly alter pricing in an industry or key business relationships. Consumer protection enforcement actions can also change the fundamental assumptions of an industry, by rendering a marketing practice (multi-level marketing, for example) unacceptable.

Structural legal risk is also a good example of the ISO 31000 definition of risk. We can be uncertain about the change from a regulated to a deregulated industry. The potential effects are varied: some are positive, some are negative. A structural change can benefit one organization while harming another.

Effective risk identification

Identifying risks reliably requires a workable definition of risk. The ISO 31000 definition of risk usefully includes “positive risks.” This is the right lens for identifying legal risks and, ultimately, managing legal risks.

Risk is an information problem. We can manage risk when we understand the scope and components of our uncertainty. The approach to risk can guide the organization to develop a risk management strategy.

2009 Resolution – Give Your Site a 10-Point Legal Check-Up

It’s early in the year, and it’s time to fulfill your resolution to give your site a quick legal check-up.

Online businesses are now highly regulated, and there’s substantial liability if your site’s not legally compliant. In addition, your customers are becoming more Internet savvy, and a site that’s not legally compliant is not going to be trusted. So, let’s get started.

Use This Checklist If You Already Have The Basic Site Documents In Place

1. Copyright Notice. Check Your Copyright Notice. Your copyright notice consists of the following elements: the word “copyright” or copyright symbol (c in a circle) followed by the year of first publication followed by the name of the copyright owner. It’s also a good idea to add “All rights reserved worldwide”. Example: Copyright 1996-09 Digital Contracts, Inc. All rights reserved worldwide. Note that if you update your site from time to time, you should add a date range reflecting the fact that the site has been updated each year within the date range. If you haven’t updated yet for 2009, do it now.

2. Blogs, etc. Have you recently added a blog or any other functionality that permits visitors to post text or digital files to your site? Or, do you plan to do so as part of your marketing plans for 2009? If so, you need to have a DMCA notice in your Terms of Use and you also need to file a DMCA Registration form with the U.S. Copyright Office. These steps will create a “safe harbor” from strict liability for copyright infringement if a site visitor posts infringing material to your site.

3. Personal Information. Do you collect personal information from site visitors? If so, review your Privacy Policy to make sure that you identify all of the categories of personal information you collect and the way in which you share this personal information. If you’ve changed these policies since you posted your Privacy Policy, amend it now… without delay.

4. Data Security. Check your data security measures. If you collect personal information, you are required to implement “reasonable and appropriate” data security measures. These measures are essentially moving targets since data security technology evolves at a relatively rapid pace. What may have been “reasonable and appropriate” a couple of years ago may not pass muster today. Update your security procedures, if necessary.

5. Future Sale of Your Business? If your online business is starting to be successful and generate positive revenue, have you ever considered that you might want to sell it for a profit in the future? If so, be sure that your Privacy Policy specifies that personal information collected may be transferred and shared in the event of a sale. If you don’t do this prior to collecting personal information, you won’t be able to pass it on to your purchaser. The Federal Trade Commission (FTC) stipulated in recent settlements that personal information collected prior to posting this notice in your Privacy Policy will not be transferable in the event of a sale. And this personal information (your opt-in lists and customer lists) is the real value of your online business.

6. Service Providers. Do you use service providers to provide hosting, site maintenance, SEO services, or other site functions where they have access to your server? If you don’t collect personal information, your answer to this question is immaterial, but if you do (and only an email address will suffice), you need to enter into privacy and security agreements with your service providers. The FTC stipulated in a couple of recent settlements that you would be liable if you don’t.

7. Registration Agreement. Does your site require site visitors to register for certain benefits such as a membership or subscription rights? If so, you need an electronic agreement (a so-called “click-wrapped” agreement where the user clicks on “I ACCEPT”). Your agreement should be presented conspicuously in the registration process and it should require an affirmative act (clicking on “I ACCEPT”) to complete the registration. You also need to be sure that all of your warranty disclaimers and limitations of liability pass muster.

8. Collect Birth Dates? Do you collect the date of birth as part of your registration process? If so, and if this date indicates that children under 13 are registering, you will be liable for substantial damages under the Children’s Online Privacy Protection Act (COPPA) if you do not comply with COPPA’s stringent requirements. You should either modify your information collection practices or comply with COPPA, or both.

9. Creditor Under FACTA? Do your registered users make periodic payments payable as monthly or quarterly installments, or do you extend credit so that payment is made after receipt of the product or service? If so, you fall within the statutory requirements of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA requires that you adopt a “Red Flag” Identity Theft Policy before May 1, 2009, or face substantial liability.

10. Sales Intermediaries? Do you use affiliates or resellers? If so, a recent New York case illustrates that you may be liable for their actions if they violate certain laws acting on your behalf. For example, are your affiliates engaged in illegal spamming activities? If they are offering their own end user license agreements, do they properly disclose certain activities such as the use of pop up ads? You should check your affiliate and reseller agreements and modify them, if required.

Use This Checklist If You Don’t Have Your Site Documents In Place

You may be just starting your online business, or you may have procrastinated a little with your website legal compliance. If you fall into this group, you should get started without delay.

I’ve developed a procedure that will help you determine the correct mix of legal compliance documents for your site. Part of it is set out below.

First, if your site does not collect personal information, you should consider these documents:

* a Legal page for your intellectual property notices; and

* Terms of Use.

* And if you allow site visitors to post text or digital files to your site (for example via a blog, forum, or chat room), you’ll need a DMCA Registration Form (see No. 2 above).

Second, if your site collects personal information, but does not require registration to open an account or to use or purchase a product or service, you should consider these additional documents:

* Privacy Policy.

* And if you have service providers that have possession of your server or have access rights to it, you’ll need a privacy-security agreement for these service providers (see No. 6 above).

Third, if your site requires registration to open an account or to use or purchase a product or service, you should consider in addition to the foregoing documents, a customer agreement such as:

* a software as a service (SaaS) agreement; and/or

* a Software License Agreement (for software downloads).

* And if you are regulated by FACTA (see No. 9 above), you’ll need a Red Flag Identity Theft Policy — before the May 1, 2009 deadline.


The checklists provided above are not exhaustive. However, they should point you in the right direction as you give your site a new year’s legal compliance check-up. A simple check-up — and remedial action if necessary — is one of the best investments you can make in your online business.