June 20, 2016

Data, Contracts, and Making Hard Decisions – Changing the Way We Manage Risk

James Wendell May

This is the second article in a three-part series focused on the evolution of risk management and the business lawyer. The first article, titled “The Moroccan Souk and Your Commercial Contract Headaches,” featured in last month’s BLT, focused on solutions to problematic negotiations over limitations of liability, indemnity, and insurance clauses. This month’s article argues that contracts are expensive and inefficient, and proposes a better way to assess and manage business risk, through systematic and methodical assessment, using data collection, analysis, and pragmatic risk management tools.

*     *     *

Contracts are a ubiquitous feature of modern business, and their value is rarely questioned. The proliferation of contract-management teams, commercial attorneys, and a dizzying array of contract-related software tools are testaments to our devotion to contracts. As cost and resource pressures on in-house business lawyers rise, it is time to rethink this devotion and to spend more time and money on more robust risk-assessment and risk-management strategies.

The Current State of Affairs

The amount of time and resources devoted to contracts in the in-house legal environment is truly remarkable. In addition to in-house lawyers and legal work contracted out to law firms, many companies employ devoted “contract management” teams to help draft, negotiate, review, and organize the deluge of contracts that are used in the modern business environment. Despite the many resources that are devoted to the contract generation and maintenance process, the demand continues to outstrip the capacity of those resources.

Sophisticated companies have pursued a number of avenues to stem the tide: adopting standards for contract drafting, using contract automation software, adopting contract lifecycle management technology, and applying LEAN manufacturing principles to legal departments, to name just a few. However, few (if any) companies have questioned why we are devoting such time and resources to contracts, and whether there is a better way.

There is indeed a better way, but to understand how to improve the status quo regarding contracts, we must understand what contracts are, what they do, and what impact they have on businesses.

What Is a Contract and What Does It Do?

If you ask those questions to 100 different contract professionals, you will get 100 different answers. In fact, law school trains lawyers to have an armory of responses to that question, such as “a bargained-for exchange” or “offer + acceptance + consideration.” Black’s Law Dictionary offers seven different definitions of the term, accompanied by 32 subdefinitions of specific types of contracts. Although the term “contract” means different things in different contexts, this article focuses on the typed, signed document that memorializes a business agreement (excluding conversations, e-mails, purchase orders, and other communication that may be considered part of the contract).

Fundamentally, this typed, signed contract is a risk-management tool because each of its provisions tries to manage specific risks related to the transaction. Conventional wisdom says that contracts help to manage risk by having the parties agree on their respective rights and obligations, thereby minimizing the risk of disputes if something goes wrong.

Contracts are just one of the many risk-management tools at a company’s disposal. In fact, almost every department or function in a business has a risk-management responsibility and a set of tools to help accomplish this responsibility. For example, credit departments evaluate the creditworthiness of counterparties using Dunn & Bradstreet reports; procurement and corporate responsibility departments evaluate vendor sourcing standards and audit them through recognized third-party auditors; and insurance departments negotiate insurance policies to cover certain business-related losses. In many companies, these risk-management tools are constantly evaluated to determine their effectiveness, often using cost-benefit analysis. Interestingly, companies rarely (if ever) employ such a rigorous and methodical approach to evaluating the utility of contracts as a risk-management tool.

In searching for a cost-benefit analysis of contracts, I found some data on several large, publicly traded, international companies. These companies each reported on material legal issues affecting their businesses. For each of these companies, less than 10 percent of their reported material legal issues (both in number of claims and financial exposure) arose out of, or could have reasonably been prevented by using, a contract. The remaining 90+ percent of material legal issues were unrelated to contracting (e.g., consumer class actions, government tax cases, regulatory issues, product recalls, to name just a few). With these companies, contracts were not the source of their legal headaches.

One response to this might be that contracts were not legal headaches for these companies because their contracts successfully minimized ambiguity and risk. Personal experience suggests otherwise. Many of my former clients in marketing, procurement, and supply-chain functions whose responsibilities require investing a lot of time in contract negotiations have asserted that they have never or almost never referred to a contract to solve a business problem with a third party. Business problems with counterparties are almost always negotiated and, at best, the contract is a starting point for the negotiation.

In today’s business world, relationships are decreasingly transactional and more often oriented to sustainability and long-term value. That trend is evidenced by initiatives like supplier relationship management and development and co-innovation. Most companies rely on their counterparties for more than a single transaction, meaning that there is little chance a contract will be litigated, mediated, or subject to arbitration. In addition, the risk-management protection that contracts afford is recourse-oriented rather than preventative. In the unlikely event that a contract is litigated, mediated, or subject to arbitration, the damage is already done – a business has already experienced a loss and whatever can be recovered through these dispute-resolution processes is likely to be much less than the losses the company actually suffers. In this context, using a contract as a primary risk-management and dispute-resolution tool is often counterproductive, expensive, and ineffective.

That is not to say that contracts do not have a purpose – they do. If done well, a business contract provides clarity and can facilitate business relationships. However, that is a very big “if.” As the International Association for Contract & Commercial Management (IACCM) statistics consistently show, contract professionals spend a disproportionate amount of time attending to value-destroying issues rather than those they believe are really important. In addition, as legal writer Ken Adams has persuasively argued, conventional contract drafting is notoriously ambiguous, duplicative, antiquated, and confusing (see A Manual of Style for Contract Drafting, Ken Adams, Introduction, xxx-xxxi). One solution is to wait until a critical mass of lawyers adopts a rigorous set of contract-drafting parameters (such as Adam’s A Manual of Style for Contract Drafting). Given the nature of lawyers and the history of our profession, I am not holding my breath. A better way is to systemically reduce the importance businesses assign to contracts in favor of robust risk assessments and pragmatic risk-management strategies.

The Basics of Risk Assessment

As stated earlier, a contract is a risk-management tool. Whether a company should use a contract or another of the myriad risk-management tools available should be determined after performing a proper risk assessment. Here is how a standardized risk assessment might work: A project leader for the transaction is selected. The project leader is responsible for completing a standard form chart with five columns, based on available data and using the input of the company’s subject-matter experts. Column 1 lists categories of risks for that business deal. That column could include categories like “Product Safety” or “Creditworthiness of Counterparty.” Of course, the anticipated risks vary from deal to deal, so the project leader would have the autonomy to list categories of risks as appropriate. Column 2 is labeled “Detailed Description of Risks,” allowing the project leader to describe the particular product safety (or other) risk of that transaction. Column 3 is labeled “Likelihood of Adverse Event,” with a drop-down list of options available, like “High,” “Medium,” or “Low” to be assigned for each category of risk. Column 4 is labeled “Potential Financial Impact” to the company, and Column 5 is labeled “Potential Reputational Impact” to the company, each with a similar drop-down list of options. Here is what such a risk assessment would look like:

When completed properly, this tool effectively gives the project leader a heat map of risks for the transaction, allowing the team to tailor risk-management strategies accordingly. Assume, for example, that the project leader (along with his or her colleagues in corporate finance) deems the “Creditworthiness” risk of the counterparty to be “High” across the board for “Likelihood of Adverse Event,” “Potential Financial Impact,” and “Potential Reputational Impact.” One risk-management strategy is to have a clear contract governing the transaction that includes financial covenants, an insurance provision, and audit rights. However, a more robust risk-management strategy might be to require audited or verified financial statements to be delivered on a regular basis, with the project manager using an internal company resource to verify the validity of those reports. That strategy could be coupled with other risk-management strategies, such as formulating a plan with public relations/corporate affairs to address the “Potential Reputational Impact” if the adverse event occurs, or obtaining a letter of credit from a bank to mitigate the “Potential Financial Impact” of an adverse event.

This kind of risk-assessment tool could be valuable in helping clients judiciously use contracts and eliminating those rigid standards for when to use contracts that currently plague companies. Those rigid and imprecise standards take forms like minimum payment thresholds (must have a contract for any deal where more than $10,000 is paid) and category requirements (any deal related to intellectual property must have a written contract). Risk is not correlated with amounts paid or – the kind of assets or services involved in the deal – cheap goods and services are sometimes risky, whereas transactions for expensive goods and services often are not. Similarly, a business deal that includes IP with a counterparty whose business model does not rely on IP is extremely unlikely to dispute IP ownership. These examples demonstrate the waste created by the rigid standards that currently predominate.

One potential objection to performing such a risk assessment is that some might regard the process as additional bureaucratic red tape. As stated earlier, however, all functions in a business are already (either formally or informally) performing risk assessments and employing risk-management tools. Using a standard process and form for every business transaction actually makes the process more efficient and consistent and gives the company better data for future risk assessments.

Limitations of a Basic Risk Assessment and How to Improve It

Companies could greatly improve their risk management by using a simple risk-assessment tool like the one described above. The success of that tool relies heavily on the project manager, however, and his or her assessment of risk. Yes, that project manager should consult with subject-matter experts in functions like finance, legal, and insurance. Yet, even those companies who select conscientious project managers and institute standards are still reliant on the subjective evaluations of those people. Those subjective evaluations are important, but they are even more powerful when coupled with good, reliable data. Let us use an example to illustrate:

Suppose that there is an anticipated global shortage of a commodity that is essential to a business. The company’s CEO reads about the anticipated commodity shortage in the newspaper and appoints his or her supply-chain leader as the project manager for ensuring supply of that commodity. The supply-chain leader performs the risk assessment and, based on the newspaper articles and the CEO’s statement, deems the “Risk of Adverse Event” to be “High.” Because of that determination, the company employs a host of expensive risk-management strategies, such as stockpiling the commodity at high prices, limiting its commitment to sell end products made with the commodity to customers, and negotiating a new supply contract with its primary vendor. As part of the new contract negotiation, the vendor insists on its standard force majeure clause, which would protect the vendor if the shortage occurs. The company’s attorney objects, leading to a contentious, protracted negotiation and no signed contract.

Now suppose those same facts, except that this time the company has good data related to its past sales activity during similar commodity shortages and the vendor’s activities during those shortages. That data reveal that the vendor has fairly and equally distributed its available inventories of the commodity during past shortages to all of its customers, as opposed to supplying some customers rather than others. Additionally, the company’s historical data reveal that similar commodity shortages have had only a minor impact on its sales while increasing product margin. The company lawyer again resists the vendor’s standard force majeure clause because of the impact that clause might have on the company if the shortage occurs.

Of course, when given this data in context, a CEO likely would not pursue the expensive risk-management strategies of stockpiling supplies and limiting sales contracts. However, I wonder how many CEOs would rein in an overzealous lawyer who fought the vendor’s insistence on its standard force majeure clause. In this context, the force majeure clause negotiation should be evaluated with the same cost-benefit analysis applied to the other risk-management options considered by the company. Given the resources required to fight the clause, the delay in signing a contract, and the contentiousness involved, a cost-benefit analysis based on that data would likely result in a calculated risk to accept the vendor’s standard clause.

Cost-Benefit for Contracts

One reason that cost-benefit analyses are rarely used in determining whether a contract (or a contract provision) should be used is the dearth of contract-related data. Most of the contract-related data generally available today (such as the IACCM’s data mentioned above and in my previous article, “The Moroccan Souk and Your Commercial Contract Headaches”) rely on responses from disparate sources and is insufficient to allow a particular company to perform a refined cost-benefit analysis for a particular deal.

The kind of data that would be more beneficial is more granular data based on industry or particular company experience. In the example above, the valuable data were past behavior and experience of the vendor and the company in similar circumstances.

Companies that are collecting data must ensure that it is used not just for sales projections and marketing campaigns, but for risk assessment and risk management as well. Companies that are not collecting data that can be utilized for these purposes must start, or they risk miring themselves in a cycle of speculative “what ifs” and worst-case scenarios that create significant waste.

Even for companies that consistently and methodically assess risk based on reliable data, someone must make the determination of which risk-management tools are appropriate for the transaction. In most companies, the determination of whether to use a contract is left to the lawyers. Although that delegation makes some intuitive sense, it is often not in the best interest of the company to do so.

A more effective way to manage risk is to allow the project manager to decide which tools are most likely to work, rather than deferring to the subject-matter expert (e.g., legal, finance/credit, or insurance). The project manager has the best overall perspective on the deal and is in the best position to combine various cross-functional, risk-management strategies. Think back to the example of the commodity vendor who once went bankrupt: it is the project manager who can gather the expertise of the credit/finance department, the insurance group, and the legal department to create a risk-management approach that utilizes the best of all available resources. In my experience, project managers are extremely reluctant to make determinations that touch any legal-related issue, but that aversion is generally unwarranted. Risk is risk, and the distinction between legal risks and other risks is often overstated. Ultimately, the consequence of realizing a risk is lost money or liberty, and that is true of every risk a business takes.

The Way Forward

Businesses have over-relied on contracts to manage risk. Shifting to broader risk-assessment and risk-management strategies as described in this article will save money and more effectively protect businesses. Doing so will also allow lawyers and other risk-management professionals to focus on those issues that are more essential to the future success of their business.

Additional Resources

For other materials on this topic, please refer to the following.

ABA Web Store

A Manual of Style for Contract Drafting
From an award-winning author in legal writing, this is an updated and expanded ABA best-selling guide. It is an in-depth survey of the building blocks of contract language and explains how to express contract terms free of the archaisms, redundancies, and ambiguities.

Business Law Section Program Library

Get Lean, Add Value: Lean Six Sigma Principles for Every Legal Department and How to Do More with Less (PDF)
Presented by: Corporate Counsel
Location: 2015 Spring Meeting

James Wendell May

Associate General Counsel, University Hospitals

Jamie May is associate general counsel at University Hospitals in Cleveland, Ohio, and serves as vice chair of the ABA Business Law Section’s Joint Working Group on Legal Analytics. He can be reached at james.may@uhhospitals.org.