Legal risk management for ICT contracts

The essence of this article is that risk in contracts can be reduced considerably by simple means through risk analysis and management. The biggest challenge lies not in the method itself, but in training, in anchoring the practice firmly in the company’s management, and in constantly repeating the risk analysis throughout the birth, life and death of a contract. My recommendations are summarized at the end of this article.

The consequences of a missing or incorrect risk assessment may be that you suddenly find yourself in breach of the contract. Breach of contract will quickly become costly for both parties. While the vendor may be faced with a claim for price reduction, compensation, liquidated damages and termination, the customer will be delayed and may experience loss of income and increased costs. Both customers and vendors should implement routines for risk management to avoid unwanted situations.

The purpose of the contract is to divide risk between the parties

Naturally, as an attorney-at-law, I am quite concerned about law, and I see legal issues where non-lawyers wander happily by. Currently, it is not customary to treat and assess legal risks with common risk management. However, more and more are seeing the benefit of monitoring contracts and incorporating legal risk management into their existing risk management, i.e. of financial and technical issues.

One should remember that a contract consists of clauses, which divide risk between the parties and also regulate the transfer of risk from one party to the other. The contract specifies mutual obligations, with the purpose of both preventing conflicts and providing for their resolution. In that sense, the contract is a tool to control the direction in which the deliveries evolve and to reduce the likelihood that unwanted events occur. An analytical approach to risk management in the contract is a natural consequence.

Both at work and at home we make subconscious and ongoing assessments of risks and take steps to reduce the likelihood that unwanted situations evolve. In certain areas and in certain industries, risk assessment is a systematic part of everyday life, for example within the fields of finance, oil or health. No project manager will, in any project, be able to avoid risk analysis and taking precautions.

My message is that this habitual practice should start earlier, before the signing of a contract: in fact, already when the customer considers his needs and requirements, or when the vendor considers how and whether he should provide an offer.

Assessment of acceptable and unacceptable risks is done to some extent at all businesses, whether you call it risk management or not. To a varying degree, it is usual to assess the risk of both economic and technical aspects, but, as mentioned, legal matters should also be on the agenda.

Risk assessment and risk management

An analysis of risk involves trying to figure out what can go wrong, what the probability is that the unwanted events will occur, and, if they occur, what the consequences will be.

You will then perform a risk evaluation, where mitigation and alternative solutions are considered. This part of the process can be described as risk assessment. Based on the assessment you exercise risk control, i.e. you make decisions about risk-reducing measures, implement the measures, and monitor and communicate risks in the organization. All of this, together with the risk assessment, is often referred to as risk management.

There are several well-developed and sophisticated models for risk management, such as ISO 31000 and COSO Enterprise Risk Management. I use the simple formula where Probability x Consequence = Risk. Risk can also be described as the effect of uncertainty on objectives, ref. ISO 31000. The effect is a combination of the probability of an event occurring and the consequences if it does. Risk management activities are to identify and control risks in the organization.

Usually I make use of a scale from 1 to 5, with the mentioned probability and consequence as axes. When the two factors are multiplied, one gets a value representing the risk level. This level can, for example, be linked to an informative colour and initiate escalation procedures for notification of various people in the organization. These people can be tasked to make their own assessments, propose actions, accept the risk or decide that you should avoid the activities that trigger the risk.

Legal risk management

Frameworks for both financial and technical risk management are well developed and proven. After the financial crisis there has been some movement within legal risk management too, but to date I am not aware of any universal methods or frameworks for legal risk management.

Legal risk areas can for example be grouped as follows:

  • Compliance with legislation
  • Contracts
  • Intellectual Property Rights
  • Litigation risk, risk related to the process associated with existing and potential litigation

A prerequisite for making a legal risk analysis is that you understand the law; you will apply the analysis to imaginary situations. Part of the challenge is that the law is not mathematics and that there may be several “right” answers. Different interpretation principles are to be applied in accordance with the legal method, knowing that the other party will surely choose the interpretation principles and arguments favouring the interests of his client once a dispute has arisen.

Legal risk management in contracts

As mentioned, the contract divides risk between the contracting parties. It is obviously easier to negotiate the terms of a contract before it is signed than afterwards, when you see the consequences of the contractual provisions.

This factor alone is an argument for adding some extra resources in the initial stages before signing the contract. For customers this first of all means thorough requirements analysis. For the vendor it usually implies thorough solution specification, with both positive and negative delimitations. If the risks related to a contract are too high, one might consider workarounds, reservations or not entering into the contract at all.

Even before the parties finalize their first documents in a request for proposal or an offer, there is a whole range of matters relevant to the contract that could advantageously be subjected to risk management.

Some conditions will have financial aspects, while others may have technical or safety aspects. Further, there will be legal issues related to the specification of what is to be delivered, when, how and at what price, and of course the consequences in the event of delays, defects, infringements or issues of cooperation between the parties.

Calibration of terms and conditions

In negotiations, a fair amount of time and effort is usually spent on adjusting the terms. The terms and conditions are of course important, but be aware that the documents specifying the requirements and the solution are at least as important. Often only lawyers are allowed to negotiate, or are just interested in negotiating, the terms and conditions in the contract.

The level of precision tends to decline in the appendices. Precise, exhaustive and delimiting wording is still very important. Not all contracts are based on the extensive use of appendices, but most standard agreements require the use of a standardized document structure.

Depending on which profession dominates the negotiations, it is often customary to begin with the terms and conditions before examining the appendices. Sometimes different teams negotiate the terms and the appendices respectively, and very often the lawyers leave when the appendices are negotiated or are not part of the appendices team. I do not think that is a very clever practice, as the appendices will often be the most important part of the contract. In any case, this is a great opportunity to rectify shortcomings in the terms and to ensure that the remedies never have to be used. If I had to choose one over the other, I would choose to negotiate the content of the appendices. Naturally, you should persevere and do both.

In negotiations between small and major players, relative strength, purchasing power, legislation and internal policies are often used as arguments for the latter to gain support for their conditions. The room for negotiation is therefore quite small, and it is basically difficult for the underdog to negotiate away the risks. However, risk in the terms and conditions may sometimes be eliminated in the appendices, and of course by delivering according to contract. Even the underdog is able to demand a higher level of precision in the appendices and to direct all efforts to where the risk level is high.

Increase the level of precision!

Appropriate analysis of risk in such situations is even more important for the underdog. Management needs to make decisions on acceptance of risk or on mitigation measures, either by heightening the level of precision in the appendices or by implementing specific measures related to contract performance.

First and foremost, the easiest risk reduction measure is to increase the level of precision in the appendices. Make sure that your own deliverables, conditions, reservations, dependencies and limitations are as precisely formulated as possible. No one will have any good arguments to deny a party a higher level of precision. Secondly, it is important to understand the counterparty’s preconditions and to obtain confirmation that the wording is understood in the right way. In doing so, you will often end up contributing to a higher level of precision in the terms and conditions.

What risks should you look for?

When reviewing a contract, the first thing I look for is deviations from the balanced, standard way to regulate contract terms. This presupposes knowledge of common law and declaratory statute law. A deviation will usually represent an elevated risk level. For Norwegian contracts, the Norwegian Sale of Goods Act of 1988 is in fact a very nice and short textbook on standard terms for contracts. You should not take everything literally, especially not § 63 on differentiation between direct and indirect losses.

Preambles in a contract might seem harmless at first sight. They are informative and help put the terms and conditions in perspective. Basically, preambles should not in themselves be perceived as conditions in the contract. The purpose might say something about the parties’ common understanding of what should be delivered, and preambles may be relevant when choosing between different interpretations where, for example, only one is in accordance with the stated purpose.

It could be noted that the deliverables the vendor presents should be fit for the purpose and needs of the procurement that the customer had at the time the contract was concluded, cf. the principle expressed in the Norwegian Goods Act § 17 (2) (b). In contracts between professional parties, I believe that the purpose sections are primarily useful as a reading aid to the rest of the terms, conditions and appendices. To some extent they might also be helpful when interpreting minor ambiguities. I have seen it a few times, but in my opinion, treating them as terms and conditions is both disorderly and wrong. Take extra care when you come across purpose sections formulated in such a way that the contractual obligations of the vendor can be read as if they were infinite, without a clearly defined end.

The obligations in a contract should never be infinite. When a dispute arises, parties tend to choose the interpretation that suits them best, whether it originates in the original preconditions or not. Neither the scope nor the requirements of a contractual obligation should be stated in the purpose section. Purpose sections belong at the beginning of a contract or in the requirements set forth in an appendix, not scattered across the terms and conditions.

Other clauses that should be examined carefully are the regulation of liability, intellectual property rights, payment and choice of law and venue, to name a few.

Measures for successful risk reduction

I believe that many businesses can very easily achieve gains by being a little more conscious of contract risks. What seems insignificant and trivial at the time of signing a contract can later become very important in a dispute. When making routines for legal risk management in contracts, my recommendation is that you start in a simple way and don’t go for the perfect solution immediately. The simpler and more intuitive the regime, the greater the likelihood that tasks will be performed. Time-consuming procedures without immediate impact are the first to go when the workload increases.

In short, my recommendations are:

  • Do not be too strict on whether a risk is legal, financial, technical or in another category. The most important task is to capture and evaluate the risk, not to place it in the correct category.
  • Secure the support and attention of management. Risk analyses that are not read, requested or monitored have little value.
  • Training and change management are important. Nice spreadsheets and software are not enough. Support for the desired direction must be created. Change processes must be both created and managed.
  • Let the risk management live through the whole lifecycle: from when a need arises, through contract negotiations and the presentation of deliverables, until the contract is terminated. Often someone thought of something wise at an early stage, something that others do not have the time or qualifications to think about later. A proper system for risk management lets knowledge be shared and live throughout the entire lifecycle of a contract.
  • Be wary of selective choice of risks. It’s tempting not to report unpleasant risks, especially if they are difficult to handle.
  • Continuous risk management is a source of success.
  • Have a plan for when the risk occurs and the unwanted happens.
