· Explainer · 7 min read
It's 10PM. Do You Know Where Your Legal Risks Are?
Legal risks and reserves are crucial for strategic decision-making and compliance. Only risks that are known and understood can be fully integrated into the decision-making process. Proper internal controls and reporting systems, enhanced by AI and predictive analytics, ensure that legal risks known to the company are known to management. The SEC increasingly requires companies to “show their work” in assessing and disclosing legal risks. Enterprise legal management systems, powered by machine learning, can help capture and manage legal risks effectively.
Whether due to serious potential litigation or simply because the quarter-end is near, management and boards need to evaluate legal risks and exposure often. Sometimes, a crisis may arise if an 8-K or press release needs to be prepared, but even routine filings can be stressful when the information needed to make estimates is not readily available or easily digestible.
This information is important not only for SEC filings but also for each internal decision that management makes. Important decisions, such as disclosure or accrual, are based upon an assessment of legal risks. However, only risks that are known and understood can be fully integrated into the decision-making process.
The Known-Unknown Matrix of Legal Risks
To better understand the landscape of legal risks, we can categorize them using a matrix of known and unknown factors. There are many ways to define the axes, but for the purposes of this discussion, I’m highlighting legal risks by whether they’re known firstly to the “rank and file” company personnel and secondly, the management and board:
This matrix illustrates four categories of legal risks:
- Known Knowns: These are risks that are well-understood (and ideally properly managed), such as active lawsuits (though the degree to which it is a known known may depend upon how far along the lawsuit is), regulatory deadlines, and contract obligations.
- Unknown Knowns: These are risks that known within a lower level of the company, but have not been effectively communicated to management; examples include unreported incidents, potential whistleblowers, and compliance concerns that haven’t been shared with management and/or the board. The occurrence of this type of risk can be reduced by implementing internal controls related to reporting and establishing a tone at the top that welcomes identification of risks by lower-level employees.
- Known Unknowns: These are risks that have been identified by management or the board, but for which the outcome is uncertain, such as pending legislation, ongoing investigations, or market disruptions.
- Unknown Unknowns: These are unforeseen risks that haven’t been identified yet by either management or lower-level company employees. Companies with mature risk management systems reduce the number of risks in this category, but there will always be risks that come out of left field.
The goal of effective legal risk management is to move as many risks as possible into the “Known Knowns” quadrant. This is where AI and predictive analytics are making significant strides.
The Importance of Reporting
Board members and senior executives are generally scrutinized in light of information available across the entire company, even if this amounts to knowledge held by a single employee or outside counsel. We can think of this “hidden” information as an Unknown Known from management’s perspective. Practically speaking, if the information is available but not provided to decision-makers, then it can result in more harm than help.
It’s therefore easy to see why management has a strong incentive and responsibility for developing and maintaining adequate reporting systems and internal controls around company information. Such systems and controls ensure the proper upward flow of information from individuals and divisions within an organization to management.
Legal Reserves and SEC Requirements
Under ASC 450, disclosure is not required if the likelihood of loss is remote, and accrual is not required if the loss or range of loss is not reasonably estimable or if the potential loss is not material. However, the SEC has increasingly required companies to “show their work.” The SEC is effectively shifting to a rebuttable presumption that disclosure and/or accrual is required, thereby requiring companies to contest this assumption through evidence.
Regardless of whether a company ultimately discloses and/or accrues an estimated loss, the decision must be documented and justifiable. This can often be done by explaining the periodic procedures that were undertaken to estimate potential losses, why subsequent determinations were made, and how the loss or potential loss distribution was estimated.
Enterprise Legal Management Systems and AI
Enterprise legal management systems (ELMs) or legal project management systems (LPMs) provide structure for capturing known legal risks. The benefits of these systems depend heavily on how companies design, implement, and utilize them. If companies only record legal risks once they’ve developed into full-fledged cases, they are missing the opportunity to assess and manage risk at an earlier time.
Modern ELMs are increasingly incorporating AI and machine learning capabilities to enhance risk identification and assessment. These AI-powered systems can:
- Analyze vast amounts of legal documents and identify potential risks that human reviewers might miss.
- Use natural language processing to extract key information from contracts, emails, and other communications.
- Employ predictive analytics to assess the likelihood and potential impact of various legal risks.
Capturing Information for Reserves
The first step in capturing information is to record all matters in an intake or triage system, rather than waiting until they are material. This allows for a more thorough and thoughtful assessment of risk and estimation of potential loss. It’s impossible to set legal reserves if data about matters is never recorded in the first place.
AI and machine learning models can significantly improve this process by:
- Automatically categorizing and prioritizing legal matters based on historical data.
- Identifying patterns and trends in legal risks that may not be apparent to human analysts.
- Providing data-driven estimates of potential losses, helping to set more accurate legal reserves. As is often the case with AI, humans using AI are better than either humans or AI alone.
Encouraging Legal Data Capture
Even the best structured legal management systems are limited by the quality and quantity of the data entered. Organizations can encourage personnel to enter pertinent information through:
- Positive feedback and gamification.
- Cultivating a data-centric culture. This is one that I HIGHLY recommend, as it has significant impacts across the entire organization. That being said, change management is generally the hardest part of strategic changes.
AI can further enhance data capture by:
- Using natural language processing (NLP) to extract relevant information from emails and documents automatically. Extractive machine learning (rather than generative, which is the AI du jour) has come a long way in the past decade, but even before selling LexPredict in 2018, my team was successfully using NLP to help global law firms better capture contract data.
- Providing smart forms that suggest relevant information based on the context of the matter. No one likes to type in unnecessary information, so this is a great way to reduce your team’s workload.
- Continuously learning from user interactions to improve data capture processes over time.
Predictive Analytics in Legal Risk Management
Predictive analytics, powered by AI and machine learning, is revolutionizing legal risk management. By analyzing historical data and identifying patterns, these tools can:
- Forecast potential legal issues before they arise, allowing for proactive risk mitigation.
- Provide more accurate estimates of potential losses for better reserve setting.
- Identify factors that contribute to legal risks, enabling targeted risk reduction strategies.
- Simulate various scenarios to help management make more informed decisions.
The Risk of Reserves
There is an inherent risk when financial metrics, such as reserves or financial statements as a whole, are tied to individuals’ remuneration or compensation. It’s important for organizations to understand that certain individuals, or groups of individuals, may have misaligned incentives to properly capture and report information relating to legal reserves.
Moving towards Known Knowns
Tracking legal risks and reserves by implementing robust systems and controls that are enhanced by AI and predictive analytics enables boards and executives to engage in better decision-making, regulatory compliance, and overall risk management for their organizations. These advanced technologies are not just improving efficiency; they’re fundamentally changing how legal risks are identified, assessed, and managed, moving more risks into the “Known Knowns” quadrant and providing a clearer picture of an organization’s legal risk landscape.
That being said, investors and regulators are not willing to accept “the AI told us it’s not a problem” as the sole reserve-setting and risk management strategy; instead, organizations should employ these emergent technologies in ways that can help elevate the existing processes.