Five steps to managing risk in your business as usual contracts

Published on 17 January 2024

You’re locked in negotiations with the counterparty on a high-value strategic transaction. Neither side wishes to concede an inch. Seemingly minor issues result in extensive discussion even though (deep down) both parties consider them to be low risk. 

We’ve all been there. 

Eventually, such transactions will complete on the basis of a heavily negotiated, carefully thought-through agreement that balances the competing commercial positions of both parties.

However, it’s highly likely that while the transaction is being negotiated, both parties are negotiating and entering into hundreds or thousands of lower value business-as-usual (BAU) contracts. Contracts that may well have a greater collective value and pose a greater collective risk than this single, high-value, strategic transaction. 

Often these BAU contracts receive limited or no legal review and often only a cursory commercial one. 

Indeed, in an organisation that isn’t built on, or has very few, large-scale supply contracts, there may be minimal “single points of failure”. Instead there needs to be an oversight of a broader range of contracts in order to manage the organisation’s contract risk.

We have a five-step approach to gaining this oversight and effectively managing risks in your BAU contracts.

1. Establish your risk tolerance

As a starting point you need to be clear on what your organisation’s risk tolerance is. This needs to be an objective exercise, based on its risk profile rather than that of any individual in it. This tolerance then needs to be agreed at board level so it applies across the organisation.

The risk tolerance may be driven by many factors – for example:

  • The importance of maintaining a brand, goodwill and reputation.

  • The extent to which the organisation is regulated and the nature of the applicable regulatory framework.

  • The attitudes and concerns of key stakeholders, such as customers, colleagues and investors.

  • The financial position of the organisation - high-margin, low-turnover organisations are likely to take a different view of risk to those with high turnover and low margins.

In corporate groups it’s likely that different group businesses may, justifiably, have different risk profiles. Care needs to be taken to not impose a single approach across the group that potentially doesn’t fit with any of the individual businesses.

2. Understand your contracts

You need to understand, at a high level, the commercial contracts being entered into by your organisation. This should include not only those high-profile, heavily legalled contracts but all those entered into by all departments in your organisation, irrespective of whether they’re currently subject to any legal oversight. For example, is your IT team entering into a large number of SaaS contracts or is your marketing team undertaking brand licensing?

Understanding the likely contract types your organisation’s entering into enables you to develop a contract risk management approach that fits them. This is both in terms of identifying potential solutions and also identifying the contract types that, as a whole, pose the greatest risks to the organisation.

3. Identify your stakeholders

Most contracts have multiple aspects to them, so it’s impossible for them to be appropriately reviewed and approved in a vacuum by legal. They’ll need to be reviewed and approved by the department that requires them, as well as by specialist teams such as procurement, compliance, legal, information security, and finance (to name a few).

You then need to decide who makes the final decision to accept the risk. Depending on the size of the risk, that might be the board, the department head who “owns” the contract commercially, or an authorised person in that department.

Depending on the nature and risk tolerance of your organisation, it may be that it’s appropriate for specialist departments to approve specific areas of the contract. For example, the legal team may be required to approve the limitations of liability included in the contract.

4. Implement your solutions

The next stage is to develop and implement a solution that both records and mitigates the contractual risks across the full range of your organisation’s contracts. It’s likely that you’ll need to use a mixture of the following resources to find a solution that works best for your organisation:

  • Self-service by the business itself

  • In-house and external lawyers

  • Managed services

Your earlier work in understanding your organisation’s risk tolerance and contract types will be invaluable in deciding how to deploy each resource. 

5. Monitor the data

Once you have your solution in place, this final step is the most important. You need to actively monitor the risk information produced by your solution, to understand the contract risks, where they can be reduced or where additional mitigations can be put in place. By doing this - and by taking contract risk decisions at an organisational level rather than on an individual contract basis - you should then be able to tackle contract risk in a far more informed and efficient way than before.