How can legal issues be integrated into a risk assessment?

Tobias Mahler,
Norwegian Research Center for Computers and Law
The Faculty of Law
University of Oslo
Legal risk management (NRCCL, Tobias Mahler)
Agenda
• Risk management (ISO 31000)
• Legal risk management
• Legal risk
• Legal uncertainty
Risk management
ISO 31000:2009
• Establishing the context
• Risk assessment: risk identification, risk analysis, risk evaluation
• Risk treatment
• Communication and consultation
• Monitoring and review
Who does risk management in an enterprise?
• Board of directors/CEO: enterprise risk
• Chief risk officer (CRO)/chief finance officer (CFO): financial risk
• Product developers (e.g. engineers): product risk
• Safety officer: risk related to health/environment/safety
• Project managers: project risk
• IT system engineers: IT security risk
• Compliance officer: compliance risk
• General Counsel (Legal): Legal risk?
Management of legal risk
• Risk related to a legal issue
• Analyse how it contributes to risk
The legal and factual context
Legal risk assessment
• Identification of risks, particularly legal risks
• Risk analysis: legal & factual uncertainty
• Risk evaluation: quantitative & qualitative
Risk treatment: legal & factual risk controls
Monitoring and review of legal issues, disputes and cases
Legal management of risk
Communication between client, lawyers and non-lawyers
Legal risk management
Legal risk
• A legal risk is a risk that has a legal issue as its source
Legal issue
Risk
• A legal issue is a set of facts that are assessed under a set of legal norms.
Legal issue
A set of facts
Assessed under a set of legal norms
Risk
Risk is the effect of uncertainty on objectives (ISO)
Uncertainty
• Likelihood estimate
• How to model legal uncertainty?
Consequence value
Risk level: high or low risk?
Empirical and legal uncertainty
Legal uncertainty
IF A (empirical uncertainty) THEN B
Topics in legal risk management
Legal methods
Structural risk management
Compliance risk management
Contractual risk management
Litigation risk management
Risk management methods
LEGAL RISK MANAGEMENT
Example risk identified by SAP
• BGB Section 434: Does this count as a defect in the sense of the law? (Depends on whether the software purchaser can expect software which is free from such errors)
• BGB Sections 437 nr. 3; 280 I: Software seller is obligated to pay damages to purchaser for the consequences of a defect. (Depends on whether the software seller knew or should have known about the defect)
• Software sales contract: The software seller is not liable for the consequences of defects, except in cases of gross negligence. (Is this entirely valid and does it cover all cases?)
There is a major undetected defect in a software release (possible)
Defect has measurable negative consequences for purchaser (possible)
Software provider pays for consequences of claimed product defect
Effect on financial results
Unlikely
Major
Medium risk
THANK YOU FOR YOUR ATTENTION!
SAP example
A real-life example: SAP
Nr. | Risk event | Effect on | Legal sources | Likelihood | Consequence | Risk value
1 | Product defect claims | SAP results | Contract law | Unlikely | Significant | Medium
2
3
Uncertainty about facts
SAP: “product risk”
• Risk of actual or alleged failures of our software products and services.
Description of facts/events
• New products and product enhancements may still contain undetected errors when they are first released.
• As a result, it is feasible that certain customers may bring claims in certain cases for cash refunds, damages, replacement software, or other concessions.
• SAP software products are chiefly used by customers in business-critical applications and processes.
• Source: SAP, IFRS FINANCIAL REPORTS (2007), p. 56
Uncertainty about legal norms
Description of the law/contract
• Our contractual agreements generally contain provisions designed to limit SAP’s exposure to warranty-related risks.
• However, these provisions may not cover every eventuality or be entirely effective under applicable law.
• Source: SAP, IFRS FINANCIAL REPORTS (2007), p. 56
Risk
Effect on SAP’s objectives
• Such claims could adversely affect our assets, finances, income, and reputation.
Risk estimation
• We believe it is
– unlikely that our planned results will be
– significantly impaired by product defect claims from SAP customers.
• Source: SAP, IFRS FINANCIAL REPORTS (2007), p. 56
Treatment
• We counter these risks with
– thorough project management,
– project monitoring,
– rigid and regular quality assurance measures certified according to ISO 9001, and
– program risk assessments during product development.
– AND CONTRACTUAL MEASURES
• Source: SAP, IFRS FINANCIAL REPORTS (2007), p. 56
Graphical modelling of legal risk
Why visualisation?
The graphical language
Communication
Expressiveness
Usability
Analysis
Comprehensibility
Risk
Legal reasoning
Modelling risk
Why would this company decide to pay?
1) There may be a product defect (likelihood: probability/frequency)
2) There may be an obligation to pay (legal uncertainty?)
Facts lead to risk
There is a major undetected defect in a software release (possible)
Defect has measurable negative consequences for purchaser (possible)
Software provider pays for consequences of claimed product defect
Effect on financial results
Unlikely
Major
Medium risk
Legal norms contribute to risk
BGB Sections 437 nr. 3; 280 I
Software seller is obligated to pay damages to purchaser for the consequences of a defect. (Depends on whether the software seller knew or should have known about the defect)
1.
Defect has measurable negative consequences for purchaser (possible)
2.
Software sales contract
The software seller is not liable for the consequences of defects, except in cases of gross negligence. (Is this entirely valid and does it cover all cases?)
Software provider pays for consequences of claimed product defect
Effect on financial results
Unlikely
Major
Medium risk
Different types of norms
Norm proposition
Deontic
Obligation
Prohibition
Conceptual
Permission
No obligation
Power
Qualification
Case study
Case study
• Large industrial contract, long-term commercial relationship
• Risk assessment from one contractor’s perspective
• Collaboration between lawyers, managers and engineers
Overview of hypotheses
Better understanding of risk
Risk identification
Better priorities
Risk analysis & evaluation
Risk controls
Better risk management
Increased utility
Comprehensible models
Collaboration
Facts and law
Better risk treatment
Low costs
Legal & empirical uncertainty
Interdisciplinary assessment
Legal risk models
Cost-efficiency
Example risk diagram
Section 9
Section 21
Seller obligated to pay damages, including consequential damages
Seller guarantees for good material and workmanship
Each supplier produces only a minor part of the complete assembly
Buyer affected
Seller’s Supplier furnishes substandard material or workmanship
Part produced with low quality material or workmanship
A major part of the damages cannot be recovered from Seller’s Supplier
Tier-2 supply contracts
Are Seller’s suppliers obligated to reimburse Seller for consequences of low quality supplies?
Possible
A case in which Seller pays damages for Supplier’s low quality material/workmanship
Effect on contract profit
Possible
Moderate
High risk
Improve contracts with suppliers
Case study results
• Evaluation
– Lawyers were able to prioritize better, based on understanding of factual uncertainty
– Graphical modelling of norm propositions increased understanding by non-lawyers
– Modelling of legal uncertainty: inconclusive
– Time consuming! OK for selected large scale contracts
Concluding remarks
• Risk management can be applied in a legal context,
– as a complement to existing methods
– in collaboration with non-lawyers
• Graphical modeling may be useful
– to achieve a better understanding of facts
– to explain legal consequences and simplify the results of a legal assessment