The following article is a conversation between Charlotte from Openli Community and Marcus Mølleskov (Chief Risk & Compliance Officer at Januar) on how to implement a risk-based approach to in-house Legal.
Marcus: Well, having worked with financial risk management for a while I always try to pull on that. So I will always work in two dimensions: probability and impact. What’s the probability of something going wrong and what’s the impact if it does? And that’s the mental model that I use - even in private when I cross the street: what’s the probability that a car will come and what’s the impact if I get hit? And the same for bicycles where probability might be higher living in Copenhagen but the impact is much less.
And that’s the approach I’m implementing in Januar as well. So for instance, if we have a contract review: how big is the vendor? How critical is the vendor for us? What's the probability of something going wrong where we would need to actually go in and look at the fine print of the contract? And what's the impact if it does go wrong? So for instance, if we have big players such as Google or Microsoft: the probability that there's something wrong in that particular contract is very, very little. And then, the impact if it happens: what are the chances that we're going to have Microsoft change that contract anyway? So we might not send our contract with Microsoft to our external lawyers for review.
But for some of the more critical, third-party vendors for our underlying banking platforms or banking systems, that’s very critical if something goes wrong. The probability that something goes wrong is relatively high because even though it’s a professional company, it's still a somewhat new, medium-sized company. So for that, it makes complete sense to send the contract to an expert lawyer for external review and pay the money it costs. So we try to graduate and scale it based on those two dimensions.
Marcus: Well, you need to take it piecemeal, right? That said, one of the first things I did when I came to Januar was to do a risk assessment. So I created an Excel sheet and I had a meeting with all the team leads. Back then, we were only eight people, so it didn't take as long as it does now. In the assessment, we go through: what are the risks you see in your area of the business? And then we document all of that and people assess it based on probability and impact on a grade from one to five in both dimensions.
For probability, it ranges from a daily to a less-than-yearly probability that we will see one of these risks actually materialising. And for impact, it's from not important to critical (potentially business ending).
Marcus: We try to cover everything from a meteor hitting the office, to a key employee being sick for two weeks, or a small vendor not living up to the contract like mentioned earlier. That kind of thing. And everything in between, really.
So that is the entire risk framework that we have. And we have a risk register with almost 300 identified risks, but we still have a long way to go. I spoke at a conference the other week and another speaker from a small bank had a similar approach with +1100 identified risks. For every risk, we then try to come up with mitigants that work in the same two dimensions. Mitigants that reduce either probability or impact or both.
So for all new employees, to give them an understanding of how we talk about risk and how we work with it, I usually give the example of having a firewall: if you want to prevent the hacker from coming in, you can put up a firewall. A firewall reduces probability because it makes it more difficult for the hacker to get into your company. But once the hacker is actually past the firewall, the firewall doesn't do anything. So firewalls change the probability of cyber attacks but don't alter the impact of actually getting hacked. For that, you would need to encrypt the data on your servers, or separate data into different servers and that kind of stuff to reduce impact.
So again with mitigants, you have to consider those two dimensions. Because you can drastically reduce a potential risk by, e.g., installing layered firewalls. But at some point, the probability of the risk materialising is so small that it becomes very, very difficult or very, very expensive to reduce the probability further. Then it might be much cheaper and easier to reduce the impact. So you need to work in both dimensions.
Marcus: Yes, I use a five by five matrix. And then it becomes easy to gauge.
After doing the risk assessment and identifying the probability and impact for each risk, you see where it lands in the matrix and that gives you its priority.
The probability is self-explanatory, but for the impact, we are using this matrix, which should of course be altered to fit the company. The risk rating (low to critical) in the matrix can also be adjusted to fit the company. I have seen some companies work with only the top right (5,5) being critical or supercritical as a 5th risk rating.
Marcus: I think a lot of people when trying to do a risk-based approach, they just go with their gut feeling. But if you actually take the time to do the risk assessment, then it becomes much more evident what the risks actually are. You can have board members saying “oh, no, this is the highest risk. This is what I want to be informed about”. But then you do a risk assessment that reveals it to only be a moderate level risk, for instance. And that’s why doing the risk assessment is such an important exercise to do.
Marcus: It depends on the company you're in and what the rest of the organisation looks like. If there is a risk department, it would be very natural to go to the Head of Risk and say: “okay, I want to implement a risk-based approach in Legal. Could you please help me? Do you have any internal frameworks in use that I can utilise?” Because then things are aligned and people speak the same language. And that reduces complexity and will be worth much more down the road. But if there is no Risk department, then maybe try speaking with Compliance. They might have some experience working with a risk-based approach as well.
But as a general rule of thumb, having management buy-in is always a good idea. And again: if management is saying “I want to know about X” or “I want to know about GDPR because that's the biggest risk”, but you sit in Legal and know that you don't really have consumer data and that the risk is actually low, then you must consider and convey: how many resources do we want to spend on mitigating a risk that's relatively low instead of looking at e.g. ESG or some of the new, upcoming regulations where the company might be more exposed?
Marcus: One of the things that has come to my attention after becoming Chief Risk and Compliance Officer is how important culture is. So in my view, the basis of all risk management is making sure that you have a good risk and compliance culture within your company. That's why, except for our Head of HR, I'm literally the first person all new employees meet. I go through this whole setup: how we talk about risk, think about risk, and how important risk is to the organisation. Because we want to drive that culture. We want to drive a really good risk and compliance culture because that sets the foundation for everything else. Everything else builds on top of that and makes sure that things are done correctly and that people aren’t cutting corners, which increases risk.
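A worked version of the two-dimensional scoring Marcus describes (probability and impact each graded 1 to 5, a 5x5 matrix with an optional supercritical top-right cell, and mitigants that lower only one dimension, as in the firewall example), as an added Python example that is not from the interview or from Januar; the score thresholds, rating names and the sample register are assumptions:

```python
from dataclasses import dataclass, field

# Grades follow the interview: probability 1 (less than yearly) .. 5 (daily), impact
# 1 (not important) .. 5 (business ending). Thresholds/names are an assumption.
RATING_THRESHOLDS = [(15, "critical"), (8, "high"), (4, "moderate"), (0, "low")]

def rating(probability: int, impact: int) -> str:
    """Map a (probability, impact) cell of the 5x5 matrix to a risk rating."""
    if not (1 <= probability <= 5 and 1 <= impact <= 5):
        raise ValueError("probability and impact are graded 1..5")
    if (probability, impact) == (5, 5):
        return "supercritical"  # the optional 5th rating for the top-right cell
    score = probability * impact
    return next(name for floor, name in RATING_THRESHOLDS if score >= floor)

@dataclass
class Mitigant:
    name: str
    dimension: str  # "probability" or "impact": a mitigant works in one dimension
    reduction: int  # grades removed from that dimension

@dataclass
class Risk:
    name: str
    probability: int
    impact: int
    mitigants: list = field(default_factory=list)

    def residual(self) -> tuple:
        """Apply mitigants; each lowers only its own dimension, never below 1."""
        p, i = self.probability, self.impact
        for m in self.mitigants:
            if m.dimension == "probability":
                p = max(1, p - m.reduction)
            elif m.dimension == "impact":
                i = max(1, i - m.reduction)
        return p, i

def prioritise(register: list) -> list:
    """Order the register by residual probability x impact, highest first."""
    return sorted(register, key=lambda r: r.residual()[0] * r.residual()[1], reverse=True)

# Constructed register: a firewall lowers intrusion probability but not its impact.
intrusion = Risk("External intrusion", probability=4, impact=5,
                 mitigants=[Mitigant("firewall", "probability", 2)])
vendor = Risk("Small vendor breaches contract", probability=3, impact=3)
meteor = Risk("Meteor hits the office", probability=1, impact=5)
REGISTER = [vendor, meteor, intrusion]
```

Adding an impact-side mitigant such as encrypting data at rest is what moves the intrusion risk down a further band, which is the point of working in both dimensions.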