The mere mention of pending or potential legal issues tends to cause a shiver down one’s spine! Hope Mugagga Kiwekete provides insight into ISO 31022:2020 to dispel any chills 

The general school of thought is that legal issues are a nightmare. The complex environment in which organisations operate has equally contributed to an increase in legal risks. Whether it is product liability or non-adherence to contractual obligations, any significant risk exposure could trigger a lawsuit. 

In May 2020, the International Organization for Standardization (ISO) published the ISO 31022:2020 Risk management – Guidelines for the management of legal risk. This guideline is also aligned to the ISO 31000:2018 Risk management – Guidelines. 

Incidentally, ISO 31022:2020 is not intended to:

• be a substitute for risk owners seeking expert legal advice (external or internal);

• apply to the process of law making or lobbying for new laws or changes to existing laws. 

The guideline defines legal risk as “risk related to legal, regulatory and contractual matters, and from non-contractual rights and obligations”. 

Legal risk management process

1) Establish the relevant context and criteria

According to ISO 31000:2018: “The purpose of risk management is the creation and protection of value.” One way to protect this value is by understanding the external and internal context in which an organisation operates. 

Externally, there are factors such as applicable local and international laws that could impact how goods and services are offered or distributed. In addition, external service providers and stakeholders (such as trade unions and regulatory bodies) all have expectations that need to be taken into account. 

Internally, an organisation has the ability to manage factors such as its legal matters, financial capability, operating plans and internal legal and governance structures. ISO 31022 also recommends “awareness campaigns on the orientation and continual improvement of performance in matters of legal risk for stakeholders, and systems and arrangements to improve stakeholder behaviour concerning laws and to deter fraudulent and deceitful conduct, such as compliance management systems”. 

Legal risks may prevent an organisation’s objectives from being achieved. Therefore it is important to define the legal risk criteria during the identification of the legal risks. The significance of the identified risks will depend on the criteria used. Hence decisions can be made on whether an organisation can accept or tolerate the legal risks. 

2) Assessment of legal risk

Uncertainty about the legal implications of a situation tends to push an organisation into high gear.

Here is an example: an ISO-certified company was experiencing cash flow problems and could not keep up with payments to its creditors. One of the creditors, a certification body (CB), was owed surveillance audit fees. Despite numerous follow-ups by the CB’s finance department, the outstanding fees were not paid. 

As a last resort, the CB handed over the account in arrears to its attorneys for debt collection. The attorneys sent a letter of demand indicating that the company would be sued, with a possibility of liquidation. 

In this scenario, one can identify a “breach of contract due to failure to pay fees”. This is because there was a binding contract between the certified company and the CB. 

Some factors may not have been in the control of the certified company. Nonetheless, they should have been taken into account during the initial contractual risk assessment process. 

Organisations might not always have the legal expertise to analyse and interpret legal risks. Where possible, this analysis should be done by a multidisciplinary team and should consider the impact and probability of the risk – taking into account the effectiveness of existing controls. 

3) Evaluate and treat legal risks

Once legal risks are analysed, decisions should be made about the actions to be taken. This could mean not doing anything, continuing with existing controls or reassessing your objectives. 

Back to the legal risk scenario, what should the ISO-certified company do?

Legal risks that have been prioritised need to be supported by choosing the appropriate risk treatment options. Let us assume the company chooses to avoid the risk by voluntarily withdrawing from ISO certification. This might not be the best option, especially if its external stakeholders require it to be certified in order to do business with them. 

Thus, it is in a fix. It has to retain the risk and possibly renegotiate payment terms with its creditor (CB). 

4) Communication, consultation and reporting mechanisms

An organisation has to continually build trust with its relevant stakeholders. This trust can be earned and maintained through regular communication and consultation, which creates an opportunity to report on identified or potential internal and external legal risks. The criticality of the risks will dictate how confidentiality will be managed. 

The pursuit of compliance is a never-ending activity. Monitoring and reviewing legal risks should therefore form part of an organisation’s performance evaluation process.  

Appropriate recording and reporting of risk events and plans for improving the legal risk environment should be incorporated into an existing governance structure. 

5) Implementation

Depending on the complexity and size of an organisation, a clearly defined policy for the management of legal risk needs to be developed and maintained. This is complemented by clarifying the roles and functions of those assigned to manage legal risks. The importance of expertise and sound allocation of resources cannot be overstated. 

Manage the legal risks

Organisations are known to tolerate various types of risk within their risk universe. However, when it comes to legal risks, the approach changes. These types of risks should be identified, analysed and evaluated, and treatment options implemented. 

In this regard, it’s worth obtaining a copy of the ISO 31022:2020 Standard Schedule and conducting an enterprise-wide legal risk assessment. The outcome of this exercise should enable your organisation to proactively manage its legal risks. 

Les Brown, a renowned US motivational speaker, once said: “Do what is easy and your life will be hard. Do what is hard and your life will become easy.”  
