I was privileged to present on the topic of contract risk at the recent 2020 LegalWeek, along with Lee Matthews of Wolters Kluwer, one of HBR’s technology partners. The presentation centered around the types and sources of contract risk and how to combat them.
After the presentation, I had a chance to speak with a general counsel from the audience. It was clear this was front of mind to him, but the ability to combat the risk seemed out of reach – he cited the sheer volume of emails and contract issues being volleyed at him any given day. Our conversation caused me to reflect: are we asking too much to be proactive in contract risk? Is reaction the best we can manage when something this large comes our way? The overwhelming number of contracts, abundance of risks and just keeping up with day-to-day management can make the idea of being proactive seem unreachable.
Insidious Contract Risks
It can be difficult enough to keep up with our contracts’ everyday risks related to renewals, obligations, terms, etc. But there are also abundant regulatory risks within our contracts that can incite sheer terror in those not prepared. For example, in the financial industry, LIBOR (London Interbank Offer Rate) has long been the most widely used benchmark for short-term rates. But now regulators plan to phase it out by the end of 2021, a deadline few companies are ready for. There are literally trillions of dollars’ worth of contracts that require revision to provide a reference to a new baseline rate. Is there enough time to identify, draft and execute all the amendments needed, even if you start today?
Another example is the CCPA (California Consumer Privacy Act) that went into effect at the beginning of this year, and the fear of not being able to comply to its requirements. Another 10 states are about to pass similar laws, all of which require some monitoring and control over consumer data and any third parties using that data on your behalf. Many companies are struggling with how to trace the path of their data through their own company, much less any third-party data transfers and whether their contracts have adequate protective language.
Just Get Started
Some organizations are now attempting to mitigate these risks. Do we consider those acting now as proactive, or are they merely the first ones to react? It can be easy to feel overwhelmed and wonder if there is any hope to proactively combat risk, when it seems like it will strike at any time.
My advice to that frustrated general counsel was this...just get started. Start to put together your risk plan. Even with the onslaught of “email bombs” (my phrase for things that blow up on you), knowing that you can start working to identify, combat and avoid risk is an empowering thought.
Here are three steps that anyone can take to get started:
- Know Thy Enemy. Identify what your risks are. In contracts, risks exist in the words written on the page and in the words left out. What risks are most specific to your company, your industry and its regulating agencies? Find the big, scary things and map them to where they appear in the contracts. Is it the financial provisions referencing LIBOR as the baseline rate in mortgages? Is it data privacy covenants in your DPA (data processing addendum)? Is it something softer, like poorly written limitations of liability? Whatever the risk, it is better to shine a light on it than to pretend it doesn’t exist. When you are done with this step, you may have a host of risks listed, but now you will also know where in the document they sit. Once you know what and where risks are, you can….
- Get Everybody in the Pool. Collect your riskiest provisions (or placeholders where you need language and don’t have it) and strategize on better language. The best place to do this is inside a CLM (contract lifecycle management) system where you can interact with the data and metadata quickly through workflows, searching and reporting. But even if you don’t have a system, starting a simple clause library is a powerful step in preparing for combating these risks. This library should include not just the clause itself, but a specific taxonomy for things like proper application and placement of a clause, level of risk, required workflow, who should be notified if it is changed, region or locale limitations, etc. A good taxonomy provides structure to your clause library to help you and your company to organize and react quickly. If you put the effort into the structure as well as the content, then you can be prepared to...
- Strike While the Iron is Hot. Empower a group of people to start the adoption of these practices and use those clauses. If you empower your team with a good set of processes, they will be able to handle the risks better. Yes, this takes some time, and it is important to find the right people to help you. Some companies will work with their outside counsel or LPO to craft new language. Some companies even hire organizations to help them with massive repapering projects. The point is not to take on more than you can handle, but to find the right people in your company and network to help manage well what you can. Even if you can only manage to improve one provision, the risk avoided is well worth the effort.
Whether you’re just getting started or in the middle of a rollout, HBR can help. We design programs that pair technology with processes to ensure greater risk mitigation and efficiencies. Please email me if you have questions or if HBR can be of assistance in mitigating your contract risk.