How can legal issues be integrated into a risk assessment?

Tobias Mahler, Norwegian Research Center for Computers and Law, The Faculty of Law, University of Oslo

Legal risk management (NRCCL, Tobias Mahler)

Agenda
• Risk management (ISO 31000)
• Legal risk management
• Legal risk
• Legal uncertainty

Risk management: ISO 31000:2009
• Establishing the context
• Risk assessment
  – Risk identification
  – Risk analysis
  – Risk evaluation
• Risk treatment
• Communication and consultation
• Monitoring and review

Who does risk management in an enterprise?
• Board of directors/CEO: enterprise risk
• Chief risk officer (CRO)/chief finance officer (CFO): financial risk
• Product developers (e.g. engineers): product risk
• Safety officer: risk related to health/environment/safety
• Project managers: project risk
• IT system engineers: IT security risk
• Compliance officer: compliance risk
• General Counsel (Legal): Legal risk?

Management of legal risk
• Risk related to a legal issue
• Analyse how it contributes to risk

Legal risk management
• The legal and factual context
• Legal risk assessment
  – Identification of risks, particularly legal risks
  – Risk analysis: legal & factual uncertainty
  – Risk evaluation: quantitative & qualitative
• Risk treatment: legal & factual risk controls
• Monitoring and review of legal issues, disputes and cases
• Legal management of risk
• Communication between client, lawyers and non-lawyers

Legal risk
• A legal risk is a risk that has a legal issue as its source
• A legal issue is a set of facts that are assessed under a set of legal norms.
(Diagram labels: Legal issue, Risk)

Legal issue
• A set of facts
• Assessed under a set of legal norms

Risk
• Risk is the effect of uncertainty on objectives (ISO)
• Uncertainty
  – Likelihood estimate
  – How to model legal uncertainty?
• Consequence value
• Risk level: high or low risk?

Empirical and legal uncertainty
• Legal uncertainty
• If A (empirical uncertainty) THEN B

Topics in legal risk management
• Legal methods
• Structural risk management
• Compliance risk management
• Contractual risk management
• Litigation risk management
• Risk management methods
• LEGAL RISK MANAGEMENT

Example risk identified by SAP
• BGB Section 434: Does this count as a defect in the sense of the law? (Depends on whether the software purchaser can expect software which is free from such errors)
• BGB Sections 437 nr. 3; 280 I: Software seller is obligated to pay damages to purchaser for the consequences of a defect. (Depends on whether the software seller knew or should have known about the defect)
• Software sales contract: The software seller is not liable for the consequences of defects, except in cases of gross negligence. (Is this entirely valid and does it cover all cases?)
• There is a major undetected defect in a software release (possible)
• Defect has measurable negative consequences for purchaser (possible)
• Software provider pays for consequences of claimed product defect
• Effect on financial results
• Likelihood: Unlikely; consequence: Major; risk level: Medium risk

THANK YOU FOR YOUR ATTENTION!

SAP example

A real-life example: SAP
Nr. 1
• Risk event: Product defect claims
• Effect on: SAP results
• Legal sources: Contract law
• Likelihood: Unlikely
• Consequence: Significant
• Risk value: Medium
Nr. 2 and Nr. 3: (blank)

Uncertainty about facts
SAP: “product risk”
• Risk of actual or alleged failures of our software products and services.
Description of facts/events
• New products and product enhancements may still contain undetected errors when they are first released.
• As a result, it is feasible that certain customers may bring claims in certain cases for cash refunds, damages, replacement software, or other concessions.
• SAP software products are chiefly used by customers in business-critical applications and processes.
• Source: SAP, IFRS FINANCIAL REPORTS (2007), p. 56

Uncertainty about legal norms
Description of the law/contract
• Our contractual agreements generally contain provisions designed to limit SAP’s exposure to warranty-related risks.
• However, these provisions may not cover every eventuality or be entirely effective under applicable law.
• Source: SAP, IFRS FINANCIAL REPORTS (2007), p. 56

Risk
Effect on SAP’s objectives
• Such claims could adversely affect our assets, finances, income, and reputation.
Risk estimation
• We believe it is
  – unlikely that our planned results will be
  – significantly impaired by product defect claims from SAP customers.
• Source: SAP, IFRS FINANCIAL REPORTS (2007), p. 56

Treatment
• We counter these risks with
  – thorough project management,
  – project monitoring,
  – rigid and regular quality assurance measures certified according to ISO 9001, and
  – program risk assessments during product development.
  – AND CONTRACTUAL MEASURES
• Source: SAP, IFRS FINANCIAL REPORTS (2007), p. 56

Graphical modelling of legal risk

Why visualisation?
(Diagram labels:)
• The graphical language
• Communication
• Expressiveness
• Usability
• Analysis
• Comprehensibility
• Risk
• Legal reasoning

Modelling risk
Why would this company decide to pay?
1) There may be a product defect (likelihood: probability/frequency)
2) There may be an obligation to pay (legal uncertainty?)

Facts lead to risk
• There is a major undetected defect in a software release (possible)
• Defect has measurable negative consequences for purchaser (possible)
• Software provider pays for consequences of claimed product defect
• Effect on financial results
• Likelihood: Unlikely; consequence: Major; risk level: Medium risk

Legal norms contribute to risk
• BGB Sections 437 nr. 3; 280 I: Software seller is obligated to pay damages to purchaser for the consequences of a defect. (Depends on whether the software seller knew or should have known about the defect)
• 1. Defect has measurable negative consequences for purchaser (possible)
• 2. Software sales contract: The software seller is not liable for the consequences of defects, except in cases of gross negligence. (Is this entirely valid and does it cover all cases?)
• Software provider pays for consequences of claimed product defect
• Effect on financial results
• Likelihood: Unlikely; consequence: Major; risk level: Medium risk

Different types of norms
Norm proposition
• Deontic
  – Obligation
  – Prohibition
  – Permission
  – No obligation
• Conceptual
  – Power
  – Qualification

Case study
• Large industrial contract, long-term commercial relationship
• Risk assessment from one contractor’s perspective
• Collaboration between lawyers, managers and engineers

Overview of hypotheses
(Diagram labels:)
• Better understanding of risk
• Risk identification
• Better priorities
• Risk analysis & evaluation
• Risk controls
• Better risk management
• Increased utility
• Comprehensible models
• Collaboration
• Facts and law
• Better risk treatment
• Low costs
• Legal & empirical uncertainty
• Interdisciplinary assessment
• Legal risk models
• Cost-efficiency

Example risk diagram
(Diagram labels:)
• Section 9
• Section 21
• Seller obligated to pay damages, including consequential damages
• Seller guarantees for good material and workmanship
• Each supplier produces only a minor part of the complete assembly
• Buyer affected
• Seller’s Supplier furnishes substandard material or workmanship
• Part produced with low quality material or workmanship
• A major part of the damages cannot be recovered from Seller’s Supplier
• Tier-2 supply contracts
• Are Seller’s suppliers obligated to reimburse Seller for consequences of low quality supplies?
• Possible
• A case in which Seller pays damages for Supplier’s low quality material/workmanship
• Effect on contract profit
• Likelihood: Possible; consequence: Moderate; risk level: High risk
• Improve contracts with suppliers

Case study results
• Evaluation
  – Lawyers were able to prioritize better, based on understanding of factual uncertainty
  – Graphical modelling of norm propositions increased understanding by non-lawyers
  – Modelling of legal uncertainty: inconclusive
  – Time consuming! OK for selected large scale contracts

Concluding remarks
• Risk management can be applied in a legal context,
  – as a complement to existing methods
  – in collaboration with non-lawyers
• Graphical modeling may be useful
  – to achieve a better understanding of facts
  – to explain legal consequences and simplify the results of a legal assessment