What do we mean by legal risk? Why does legal risk warrant its own categorization and analysis?

Legal risk analysis requires expert judgement and input from professionals who have been trained in the law and are, in many cases, licensed for legal work.

What is Legal Risk?

This does not mean that only lawyers can perform legal risk analysis, nor that lawyers are sufficient for legal risk analysis. One of the more powerful, intangible benefits of this course in legal risk management is that it can bridge the divide between legal professionals and their counterparts throughout the organization.

We will explore concrete techniques to promote collaboration on challenges facing the entire organization.

For purposes of this training, a legal risk is one where the event or its consequences are legal in nature. To put it in ISO 31000 terms, either the change in circumstances is legal or the effect of a change in circumstances is legal.

Definition of Legal Risk

Let’s illustrate with a couple of examples:

  1. During the storm, the ship takes on water and is delayed. This is a non-legal change in circumstances. The legal consequence is that we might breach our contract to deliver those goods to a customer by a certain date.
  2. If there is a breach of contract — a change in legal circumstances — we can be uncertain about the financial consequences of that breach.

We can subject both of these situations to legal risk analysis.

There are four types of legal risk. Legal risk arises from contracts, regulations, litigation, and structural changes to the market.

Legal Risk: contracts, regulations, litigation, structural changes


Contracts create business relationships that channel money into an organization as revenue and out of an organization as expenses. Contracts can relate to assets and liabilities. Contract risk threatens organizational health quietly and chronically.

Identifying contract risk requires examining the contract from both the counterparty's perspective and your organization's perspective. Contracts cut both ways. Either party can breach. To uncover the risk associated with a single contract, examine each major provision (the performance obligations) and ask, "What happens if we breach this provision, and what happens if the other party breaches this provision?" The list of contract risks will quickly grow.


Employee conduct, intellectual property ownership, business practices, and more produce lawsuits. Litigation risk receives the lion's share of attention in the media and in the boardroom. Litigation is not necessarily the most pernicious legal risk.

When management meets with the lawyer to discuss "What is the chance we will lose this case and what are the likely damages," it is too late for risk management. Prior to litigation, we need to identify the areas of uncertainty that affect our objectives. Risk management is not fortune telling. Instead, we want to narrow the possible outcomes from particular events.

For example, a court case in an influential state invalidates a fee charged to consumers as an undisclosed interest charge subject to compensatory and punitive damages. Our organization charges a similar fee. However, the fee is charged a certain number of times and in known states. The statute in question carries known penalties. We have the building blocks to measure and manage legal risk from similar litigation.

Organizations invest significant sums to prevent litigation. It is helpful to weigh the cost of the risk management against the possible outcomes.


For good or ill, government regulations infect every sector of the economy. Those regulations set standards of care, impose requirements, and demand reports and filings. With each regulation comes the risk of a fine, penalty, or injunction to inspire compliance. Regulatory risk is inescapable and potentially embarrassing.

Regulatory risks come in many colors, which makes identifying regulatory risks challenging. Some regulations cross industries, such as tax, and labor and employment. Some regulations are particular to a jurisdiction: national, regional, or municipal. Regulations can focus on specific practices, such as clinical trials, consumer product protection, or financial disclosures. Regulatory risks might be prominent or obscure. What regulations apply to your organization? To wear out a tired phrase, "It depends."


Structural changes to the market typically come from sweeping statutory changes. In financial services in the United States, for example, the Dodd-Frank Act [1] overhauled the rules for investment firms and banks.

Deregulation of airlines, antitrust claims, and pricing practices of competitors exemplify structural legal risk.


These risks certainly overlap. Does a breach of contract claim exemplify a contract risk or a litigation risk? They also overlap with other types of risk often beyond the purview of the legal professional. Is the risk that a loan agreement is not enforceable against a borrower properly a contract risk or a credit risk?

Your approach to risk classification should be tailored to your organizational context. We will for the most part gloss over overlapping classifications, except to say that indication of risks in overlapping categories can lead to fruitful risk identification, which is more important than the classification itself.

[1] The Dodd-Frank Act.