Earlier this year (May 2020) the International Standards Organization (ISO) published their legal risk management guidelines, ISO 31022:2020, after four years of work. This standard is not industry specific and builds on top of the ISO 31000 risk management framework to address a broad range of areas covering regulatory, third-party, contract and other areas that have a legal implications. One of the most important aspects of this standard is a change in risk definition that has been used in the past which has focused on "loss prevention" to the ISO 31000 definition which focuses on the "effects of uncertainty on objectives." This opens up risk consideration to both negative and positive effects of uncertainty on value creation.
The ISO 31022 guidelines are intended to help organizations:
achieve the strategic outcomes and objectives of the organization;
encourage a more systematic and consistent approach to the management of legal risk, and to identify and analyze a comprehensive range of issues so that legal risks are proactively treated with the appropriate resources and supported by top management and by the right level of expertise;
better understand and assess the extent and consequence of legal issues and risk, and to exercise proper due diligence;
identify, analyze and evaluate legal risks, and to provide a systematic way to make informed decisions;
enhance and encourage the identification of opportunities for continual improvement
provides guidance for the management of legal risk so it aligns with compliance activities and provides the assurance needed to meet the obligations and objectives of the organization;
can be used by organizations of all types and sizes to deliver a more structured and consistent approach to the management of legal risk for the benefit of the organization and its stakeholders across all processes;
offers an integrated management approach to the identification, anticipation and management of legal risk;
supports and complements existing approaches, enhancing them by providing better information and insight on potential issues that the organization could face
supports any process of compliance that organizations could have in place, such as a compliance or other management system;
supports the compliance function by more broadly identifying the organization’s legal and contract rights and obligations.
Although ISO 31022 uses the ISO 31000 definition for risk it does provide the following definition for legal risk to clarify which objectives are within the scope of consideration:
"related to legal, regulatory and contractual matters, and from non-contractual rights and obligations."
with the following notes:
Note 1: Legal matters can have their origin in political decisions, national or international law (3.3), including statute law, case law or common law, administrative acts, regulatory orders, codified law, judgments and awards, procedural rules, memorandum of understanding or contracts.
Note 2: Contractual matters relate to situations where an organization (3.4) fails to meet its contractual obligations or to enforce its contractual rights, or enters into contracts with terms and conditions that are onerous, inadequate, unfair and/or unenforceable
Note 3: Risk from non-contractual rights is the risk that an organization fails to assert its non-contractual rights. For example, the failure of an organization to enforce its intellectual property rights, such as its rights related to copyright, trademarks, patents, trade secrets and confidential information against a third party.
Note 4: Risk from non-contractual obligations is the risk that an organization’s behavior and decision-making can result in illegal behavior or a failure in non-legislative duty-of-care (or civil duty) to third parties. For example, an organization’s infringement of third-party intellectual property rights, failure to meet the requisite standards of care due to customers (such as mis-selling), or inappropriate use or management of social media resulting in a third-party claim of defamation or libel and tortuous duty generally.
ISO 31022 is applicable to all types and sizes of organizations to deliver a more structured and consistent approach to the management of legal risk for the benefit of both the organization as well as its stakeholders. It is expected that organizations will have already adopted the ISO 31000 processes and will use ISO 31022 to provide additional guidance with respect to managing legal risk.
Perhaps, the best way that it does this is by providing a standard method for applying a risk-based lens to the consideration of legal obligations. This will be helpful to provide greater clarity and guidance for other ISO standards where legal risk registers are required such as those connected with environmental and safety objectives.
Organizations will now have a common approach to go beyond simply having a legal risk register to managing the risks that are contained within it. While this was always possible organizations can now look to ISO 31022 to better support these efforts and leverage the body of work available within the ISO 31000 family of standards.
More information regarding ISO 31022:2020 can be found on ISO's website here.