Risk framework work product

There are four tangible pieces of work product we need to product for our risk framework.

What do we need to produce as part of the risk framework? Is there tangible work product that is practical and actionable?


There are four results we can produce:

  1. Draft legal risk management plan
  2. Risk criteria
  3. Risk rating scales
  4. Reporting

The legal risk management plan is the document that explains the chosen risk management framework, the risk assessment process, and our communication strategy. We will return to this toward the end of the course.

Rating scale

We need rating scales for likelihood and consequences of legal risks. You can establish whatever scale is helpful in your organization. The five point scale is adequate for even very large organizations.

The rating scale needs to include the following elements:

  • A value (or number), and
  • A short description.

It is also useful to include a fuller description in the legal risk management plan along with any bright line distinctions between the ratings, such as the financial value for each consequence rating.

Likelihood and consequences

Here, for example, are the likelihood and consequences we developed earlier.

Risk plot

These rating scales allow us to present a single view of a legal risk that is consistent, scalable, clear, and importantly, visual.

Risk criteria

We have only alluded to risk criteria so far. The Process section covers risk criteria in more detail. For now, we will layer it on our risk ratings to hint at the benefits of our legal risk framework.

Risk criteria separate the acceptable risks from the unacceptable risks. No organization has unlimited resources to reduce every legal risk to zero. Every judgement about what to do with a legal risk is based on an implicit or explicit risk criteria, or risk tolerance policy.

Our framework makes the risk criteria explicit.

Risk plot

Here is our risk plot with the employment litigation risk and the contract risk. The yellow area roughly indicates our risk tolerance.

One we can live with, one we can’t. In the Process section, we will make much more use of risk criteria.

Risk reporting

Again, we have only mentioned reporting in passing. There is one report that is essential to legal risk management: the risk registry.

We will extend the registry as we progress through the course. For now, the risk registry is a list of all our legal risks. The basic registry has five elements:

  1. The name of the legal risk,
  2. The type of the legal risk (contract, litigation, regulatory, or structural),
  3. The likelihood rating,
  4. The consequences rating, and
  5. The overall rating.