A central tenet of risk management is that managing the legal and business risk of a particular business opportunity or course of action involves (1) reducing risks by shifting and mitigating them as much as possible, and then (2) having an authorized decision-maker “call the ball” on whether the benefits from the opportunity or course of action outweigh the remaining risks (risk acceptance), or vice versa (risk rejection). Each company has its own tolerance for risk, and its risk tolerance evolves over time — for example, a start-up is generally more willing to take risk to land business than a mature company. A company may also have different risk tolerances for different divisions or product lines. Reducing risk to within the applicable risk tolerance can make the difference in whether the business decision-maker will accept or reject the risks from your proposed opportunity or course of action. Therefore, attorneys and business owners should use every tool in their toolkit to mitigate and shift as much risk as possible before asking the business decision-maker for approval on a certain opportunity or course of action. But all too often, risk decisions are presented to the decision-maker before risk reduction strategies are fully implemented or leveraged. Why is this?
One reason for this is the mistaken belief that reducing risk is too time-consuming, and that if a quick risk management decision is needed there is no time for anything more than cursory risk reduction. However, many risk reduction strategies can be implemented quickly and in parallel, or even proactively, to minimize the time impact of risk reduction. You can also pick and choose those risk reduction strategies which “move the risk needle” the most, to ensure the time you are devoting to risk reduction will generate the strongest return before a risk decision is needed. Another reason for this is a failure to know and understand all of the risk reduction tools that may be available. The less residual risk a business risk decision-maker is asked to accept, the more likely the answer will be that the potential benefits to the business outweigh the risks. Given this, it’s essential to know all of the available risk reduction tools in your toolkit.
When working with a client, supplier, vendor or business partner, one of the best risk reduction strategies is to build a strong and effective working relationship. If an issue or potential risk exposure arises, the ability to leverage your relationship to work quickly and effectively to resolve the issue, and lessen or eliminate its impact to you and your company, will pay huge dividends.
Here are 10 additional risk reduction strategies to equip your risk management toolkit:
1. Separate factual risks from perceived risks with good research and information.
Risks can be generally grouped into two categories — perceived risks and factual risks. Once the facts related to a particular risk are known, a perceived risk from an opportunity or course of action may turn out not to be a risk at all. For example, a perceived risk of doing business with a particular vendor may be the potential impact to your Payment Card Industry Data Security Standard (PCI DSS) compliance. If the facts show that the vendor will not handle any PCI data, or is already PCI compliant, the risk may not play into the risk acceptance decision. Investigate each business opportunity or course of action thoroughly to ensure you are shifting and mitigating factual risks, not perceived risks. Investigate your prospective client or partner thoroughly and as early as possible. Look at publicly available information regarding the prospective partner to better understand the risks of doing business with it, including its current website and former versions, its BBB rating, its capitalization and liquidity, its litigation history through PACER and other online search tools, and (if public) its securities filings. Investigate whether there is a potential for disputes or litigation around a particular business opportunity (e.g., if the technology you are seeking to acquire has been the subject of intellectual property litigation). Check business references and ask what they view as the biggest risks of doing business with that vendor.
2. Shift risk through indemnification.
One of the most common ways to shift risk is through indemnification. An indemnity is a contractual provision through which one party (the “indemnifying party”) agrees to be responsible for certain monetary costs and expenses incurred by the other party (the “indemnified party”) which arise from, result from or relate to certain acts or omissions of the indemnifying party or other indemnified acts. A party will generally indemnify, defend and hold the indemnified party harmless in connection with indemnified losses and claims. Consider whether to include an indemnity obligation for breaches of representations, warranties and covenants, breach of material obligations, breach of confidentiality/security, misappropriation or infringement of IP, and other risks your company may suffer, which will shift risk and cost to the other party if paired with the right limitation of liability and other risk allocation terms. Consider whether to use a third-party indemnity (insulation from damages and losses resulting from lawsuits and other causes of action by a third party against the indemnified party), or a first-party indemnity (insulation from damages and losses suffered directly by the indemnified party, which is essentially insurance and is often hard to get). Remember that an indemnity is only as good as the company standing behind it (this ties into parental guarantees and insurance requirements, below).
3. Shift risk through insurance requirements.
Another way to shift risk to a client, vendor or business partner is to require them to maintain certain levels of insurance during the term of the relationship (and for a period of time thereafter). This can help ensure that the other party will have the resources necessary to pay you in the event their performance (or lack thereof) under your agreement with them creates a liability on the part of your company. Ensure you are requiring the appropriate types of coverage to protect against the risks you may face under the agreement (e.g., not just a commercial general liability policy, but an errors & omissions policy, cyber liability policy, etc.). Consider insisting on being added as an additional insured, and ensuring that the insurance is primary and non-contributory. Consider whether to ensure it covers ongoing and completed operations, waives the right of subrogation against you (so the insurer cannot “step into the shoes” of the insured party by paying the claim, which would give the insurer a claim against you), and waives the “insured vs. insured” exclusion (so a claim by you, an additional insured, against the named insured under the policy is not excluded from coverage). Strongly consider requiring a certificate of insurance for your records evidencing the coverage.
4. Shift risk by limiting contractual liability.
Another tool for shifting risk is to set a contractual risk allocation (a disclaimer of certain damages and a limitation of liability for direct damages) beyond which a party is not liable. For example, consider warranty disclaimers and disclaimers of liability for certain types of behaviors, e.g., a party may disclaim any liability resulting from force majeure events and/or disclaim all warranties, express or implied, not expressly set forth in the agreement. Include an appropriate disclaimer of consequential damages and the like, and limit your direct damages (but also consider whether exceptions to the general disclaimers and limits are appropriate – consider a “second tier” of liability for direct damages of a certain type, or exclusions from the limitation of liability). Consider a liquidated damages provision for certain issues that may arise. Ensure you understand what cannot be limited under applicable law (e.g., in certain states, it’s against public policy for a party to disclaim liability for its own gross negligence or willful misconduct).
5. Shift risk by using subcontractors.
Another risk shifting approach is to utilize subcontractors for certain responsibilities where the risk associated with performing the responsibilities in-house is greater than the risk your company is willing to take. For example, suppose you are refurbishing an office which will need a considerable amount of work to bring the electrical system up to code. Instead of using your own electrician, you may choose to outsource the electrical work to a more experienced subcontractor to whom you can contractually shift the risk of performance. The risk allocation and indemnity provisions in your subcontractor agreement will be critical here. While in some cases the primary contractor may remain liable in the event of a problem causing damage or liability to a third party, the risk-shifting terms in your independent contractor agreement may help protect your company.
6. Shift risk through a parental guaranty.
If the potential counterparty or business partner is not fully capitalized and is the subsidiary of a larger “deep pocketed” organization, consider requesting a parental guaranty. Guaranty agreements typically include a payment guaranty requiring the guarantor to stand behind the guaranteed party’s payment and indemnification obligations, and/or a performance guaranty requiring the guarantor to perform obligations under the agreement if the guaranteed party fails to perform its obligations. A guaranty ensures you can compel the guarantor to perform the guaranteed payment or performance obligations if the party with which you are contracting fails to comply with its payment and performance obligations. There are many tricky provisions in a guaranty, so ensure you use good counsel to help you construct the guaranty. The guaranty should survive the termination or expiration of the underlying agreement for as long as the guaranteed obligations survive. Also, if you are considering a parental guaranty, think about whether it would make more sense to contract directly with the parent and not the subsidiary (which would eliminate the need for the guaranty).
7. Mitigate risk through internal processes.
When evaluating the impact of a business risk, consider whether the risk can be mitigated through existing or new business processes. Are there administrative, technical and physical safeguards or processes in place at your company, or that could easily be put in place, that would reduce the chance of a risk exposure? For example, suppose a contract requires that your software be free of viruses, spyware, malware, and the like. If you have existing technology in place to scan your software for viruses, or can easily put it in place, you may feel comfortable taking this risk, as the risk of an exposure is mitigated. However, be careful implementing a manual process to mitigate risk — such processes can be prone to error, as they are often dependent on employees manually adding a few tasks to their already crowded plate. Even if a manual risk mitigation process is well documented, it may just be replacing one type of risk with another.
8. Mitigate risk through third party certifications.
Another risk mitigation approach is to require your business partner or vendor to maintain and certify compliance with third-party certifications or industry standards which demonstrate that the partner or vendor has implemented steps reasonably designed to protect your company against certain risk exposures. For example, if a partner or vendor will be handling personal information or sensitive confidential information, consider asking for a SOC 2 Type 2 report, which is a statement of the effectiveness of a company’s non-financial controls over a period of time. It’s important to require an unqualified report — a qualified report means that one or more of the controls covered by the report are not effective, and the report should not be relied upon in that area. Other common certifications include ISO 27001 for information security management systems, SOC 1/SSAE16 for financial controls, and HITRUST certification for HIPAA business associates.
9. Mitigate risk through your own insurance.
Consider whether your existing or other available insurance coverage would protect you against certain risks arising from your partner/provider relationships. Review the biggest risks faced by your company (including risks impacting your partner/provider agreements) on a regular basis to determine if changes to your insurance coverage profile are warranted; your coverage should evolve as your business evolves. Understand what exclusions apply to your insurance. Consider asking your broker to walk you through your coverage on an annual basis.
10. Mitigate risk through contract provisions.
Finally, consider mitigating risk with your business partners through contractual provisions other than limitation of liability. For example, consider requiring your business partner to agree not to engage in risky behaviors, or not to provide you with data types you don’t want to receive (e.g., trade secrets, PCI data, HIPAA data). Include appropriate representations, warranties and covenants applicable to your business partner, and ensure yours are not overbroad. Consider your rights in the event of non-payment under the agreement. Consider whether an escrow provision would help mitigate risk. Consider rights to injunctive relief (including whether to waive posting a bond or other security, or proof of actual damages). Financial and security audit rights may be important. Ensure your business partner has implemented its own strong risk reduction strategies, such as a business continuity plan/disaster recovery plan and anti-phishing training.
Eric Lambert is Assistant General Counsel and Privacy Officer at CommerceHub, a leading cloud services provider helping retailers and brands increase sales and delight shoppers through supply solutions to expand product assortment, demand solutions to promote and sell products on the channels that perform, and delivery solutions to enable rapid, on-time customer delivery. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. Eric works primarily from his home office outside of Minneapolis, Minnesota. He is a technophile and Internet evangelist/enthusiast. In his spare time, Eric dabbles in voice-over work and implementing and integrating connected home technologies.