1 Legal Risk Management

Learning Objectives

After completing the material in this chapter, you should be able to do the following:

  1. Understand the importance of legal risk management to business strategy
  2. Know how to assess their attitude towards risk
  3. Show how to model legal risk
  4. Identify ways to manage and mitigate liability risks, such as through liquidated damages clauses and insurance


Often, law for business students is taught as a sort of compressed version of law school. Subjects are taught much like they might be for law students, albeit at a simplified level. This sort of training can be very useful, but it ignores a crucial difference between how lawyers and managers relate to the law: lawyers are trained to argue for specific legal conclusions on behalf of a client, while managers make decisions to manage legal risk. Law is rarely black and white, such as “don’t do this or you’ll go to jail.” Rather, legal decisions often involve questions such as “Our trademark is similar to several others. Is it too similar?” Or, “Adding this statement to the label of our product might expose us to liability, but it’s not prohibited by regulation. Should we proceed?” This leaves many managerial decisions involving law up to the risk tolerance of the manager. Compared to how attorneys operate, this requires a very different approach to legal reasoning! In this sense, a business-focused course on legal topics should essentially be a course on business strategy related to legal issues. It should equip managers with a broad overview of legal risks associated with running a business, how their decisions alter those risks, and how to minimize or otherwise use those risks to their advantage.

For these reasons, this text begins with a broad discussion of how one might evaluate risk generally. In this chapter, we will learn techniques for assessing, evaluating, and managing legal risks. Risk management is a topic for an entire course by itself, so in this chapter we will only touch on several major points and then apply them to the law. Throughout the course, examples and exercises will relate back to these concepts.

AN approach to evaluating Risk

Risk management will be a major focal point of business and societal decision making in the twenty-first century. Businesses face an incredible variety of risks everyday, which range both in severity and in frequency. Some risks are minor (e.g., an employee might steal paperclips), and others may entail losing the business (a pandemic arises which eliminates demand for certain services). Some risks are frequent (bad weather for a drive-in movie theater), and some are infrequent (new government regulation alters the healthcare landscape). Legal risks span these same spectrums. Some legal risks are constant (potential slip and falls in a grocery store) and some are infrequent (a major intellectual property lawsuit). Some are minor (producing a product label well within regulatory standards) and some are significant (criminal negligence results in the death of customers).

A grid contrasting risk severity and risk frequency
Businesses face a variety of risks everyday.

In this section, we will discuss legal risk, which is one of a variety of risks businesses face everyday. If we wish to understand and use the concepts of risk and uncertainty, we need to be able to measure (at least roughly) these concepts’ outcomes. Psychological and economic research shows that emotions such as fear, dread, ambiguity avoidance, and feelings of emotional loss represent valid risks. Such feelings are thus relevant to decision making under uncertainty. Our focus here, however, will draw more on financial metrics rather than emotional or psychological measures of risk perception.

We will discuss one particular approach to measuring risk here, which is a useful model in the legal context. We will not impose a mathematical framework on this model, for two reasons. First, this is a course on business law, not a course on statistics or probability models, and developing those models together would exceed the time available in this course. Second, and more foundationally, assuming exact probabilities for potential legal events implies a level of certainty that will likely never exist in real life.[1] We also emphasize from the start that measuring risk using these the model in this chapter is a multi-step process. We must evaluate how appropriate the underlying model might be for the specific occasion. Further, we need to evaluate each question in terms of the risk level that each entity is willing to assume for the gain each hopes to receive. Firms must understand the assumptions behind worst-case or ruin scenarios, since most firms do not want to take on risks that “bet the house.” To this end, knowing the severity of losses that might be expected in the future is a first step (legal consequences). However, financial decision making requires that we evaluate severity levels based upon what an individual or a firm can comfortably endure (attitudes towards risk,  or risk appetite).

A person cliff diving into the ocean
Risky behavior?

Legal Consequences

Legal consequences range dramatically from minor to severe. Most of the consequences we will look at in this textbook are civil in nature. Civil cases involve one party suing another to seek compensation for a wrong. Criminal cases are certainly of interest to business, especially as companies may break criminal laws. A criminal case involves a governmental decision—whether state or federal—to prosecute someone (named as a defendant) for violating society’s laws. If you break a criminal law, you can lose your freedom (in jail) or your life (if you are convicted of a capital offense). We will discuss criminal law mainly in the context of insider trading, which can easily come with jail time. In a civil action, you would not be sent to prison; in the worst case, you can lose property (usually money or other assets), such as when Ford Motor Company lost a personal injury case and the judge awarded $295 million to the plaintiffs or when Pennzoil won a $10.54 billion verdict against Texaco. Damages can be compensatory (to put someone in the same position as if they had not been harmed) or punitive (intended to punish wrongdoing). If you are sued, you should also expect to spend a substantial amount on attorney fees, regardless of whether you win or lose.[2]  On the civil side, courts can also impose injunctions, which is an order to perform, or not perform, a specific action.


If the financial consequences are severe enough, the firm might risk bankruptcy. Bankruptcy law governs the rights of creditors and insolvent debtors who cannot pay their debts. In broadest terms, bankruptcy deals with the seizure of the debtor’s assets and their distribution to the debtor’s various creditors. In bankruptcy, the firm might be liquidated or reorganized. As we will see later in the text, bankruptcy provides debtors a fresh start, but for many firms the consequences of bankruptcy are severe enough that they will avoid actions that likely lead to bankruptcy.


  1. Search the news and find examples of recent lawsuits or judgments in an industry of interest to you. Have there been criminal charges or liability? On the civil side, what kind of lawsuits do you find? Do you see examples of significant awards, such as the Ford and Pennzoil cases discussed above?

Attitudes towards risk

Risk Aversion

Different people and companies can view the legal risks above very differently. Some individuals do not mind the prospect of personal bankruptcy, for instance, and some companies are structured to take substantial risk. Others view the prospect of being sued with trepidation. In other words, different people and firms have different attitudes toward the risk-return tradeoff. People are risk averse when they shy away from risks and prefer to have as much security and certainty as is reasonably affordable in order to lower their discomfort level. They would be willing to pay extra to have the security of knowing that unpleasant risks would be removed from their lives. Economists and risk management professionals consider most people to be risk averse. So, why do people invest in the stock market where they confront the possibility of losing everything? Perhaps they are also seeking the highest value possible for their pensions and savings and believe that losses may not be pervasive—very much unlike the situation in the financial crisis of 2008.

A risk seeker, on the other hand, is not simply the person who hopes to maximize the value of retirement investments by investing the stock market. Much like a gambler, a risk seeker is someone who will enter into an endeavor (such as blackjack card games or slot machine gambling) as long as a positive long run return on the money is possible, however unlikely.

Finally, an entity is said to be risk neutral when its risk preference lies in between these two extremes. Risk neutral individuals will not pay extra to have the risk transferred to someone else, nor will they pay to engage in a risky endeavor. To them, money is money.  Economists consider most widely held or publicly traded corporations as making decisions in a risk-neutral manner since their shareholders have the ability to diversify away risk—to take actions that seemingly are not related or have opposite effects, or to invest in many possible unrelated products or entities such that the impact of any one event decreases the overall risk. Risks that the corporation might choose to transfer remain for diversification.

Attitude towards risk often changes when children are involved.


  1. Would you describe yourself as a risk seeking, risk neutral, or risk adverse individual? Why? Does it depend on what activity you’re considering?
  2. Choose a company you know well. How would you describe their attitude towards risk using the framework above?

A model for Evaluating legal risk

This section combines the ideas from the prior sections to implement a simple, non-mathematical model for evaluating legal risk. A “model” is a simplified framework for evaluating a real-life situation. It will never capture all of the nuance involved in a particular choice, but it may be useful to decisionmakers. In particular, the model presented here is non-mathematical. It relies on simple categorization of the likelihood of an event, the consequences of that event, and the decisionmaker’s approach to evaluating risk. We will use this model throughout the exercises in the text.

First, evaluate the likelihood of the event. We will categorize the likelihood as “low”, “medium”, or “high”. Much of this course will aim to teach you how to categorize potential legal events in this framework. For example, as we study intellectual property law you will gain a sense of the likelihood of being sued based on similarity of your trademark to existing trademarks, and as we study tort law you will get a sense for which torts are common and uncommon. We won’t use specific probabilities for these events in formal calculations, but you might think of a low probability event as one that rarely occurs for similar companies, a medium probability event as one that has occurred several times in the last year for similar companies, and a high probability event as one will almost certainly result in litigation.

Next, categorize the severity of the outcome as “slight”, “manageable”, or “severe”. Again, much of this course aims to teach you which events are which. As you did the Exercise under “Legal Consequences” above, you likely started to see some of the newsworthy severe events faced by firms in your industry. For modeling purposes, a slight outcome is one which would not harm the financial health of the company in a significant way. An example might be a somewhat frivolous lawsuit which is settled as a "nuisance suit" for a few thousand dollars. A manageable outcome is one which would generate discussion among managers about potential budgets for a loss, such as a small-business customer injured in an accident who has major medical bills. This kind of outcome might worry managers, but does not risk the future of the business. A severe outcome is one which risks bankruptcy, criminal charges, or other substantial long-term consequences for the firm.

Finally, decide the correct attitude towards risk. Is the firm risk averse, risk neutral, or risk seeking? In our model, the attitude towards risk forms the shaded “danger zone” in the grid, dividing causes of little from significant concern. The more risk averse the individual or firm, the farther up and to the left we shift the dividing line, and the more risk-seeking the firm, the farther lower and to the right we shift the line. An extremely risk averse firm would avoid even low probability severe events (as shown in the first figure below), while an extremely risk-seeking firm might avoid only high probability severe events (as shown in the second figure below).

Chart showing legal risk assessment model
A highly risk averse firm avoids the possibility of severe legal outcomes.
Chart showing legal risk assessment model
A risk seeking firm might avoid only the most likely and severe legal consequences.

Applying this model might look something like the following. We (1) classify the risk tolerance of the firm, (2) then the likelihood of the legal event, and (3) the severity of the consequence. Finally, (4) we analyze how those three interact and offer a conclusion: is this a high risk decision, in the legal danger zone, or a low risk decision, in the zone of safety? Suppose the firm under consideration is a tech startup like Uber. The firm consistently pushes legal boundaries, such as in classifying workers as independent contractors rather than employees, as it attempts to increase market share in a quickly growing industry.[3]  Suppose also that the firm was considering whether to expand to a city that has somewhat hostile regulations for ride-sharing. At the same time, the consequences for entering the market and losing a legal challenge are simply to withdraw or pay an insubstantial fine. Let’s apply the model:

  1. We might thus classify this firm as risk seeking based on its past attitude towards the law and the potential rewards at stake.
  2. As the new market appears hostile, the likelihood of legal challenge is probably medium or high.
  3. Relative to the size of the firm, a modest fine is a relatively small consequence. We might then classify the severity of outcome as low.
  4. Although the likelihood of legal action is moderate to high, the potential consequence is slight. This decision is likely a low-risk legal decision, in the legal safety zone for the firm.


  1. Jane’s Diner is a small restaurant in Boise. It is a family owned business without substantial assets beyond a trademark recognizable in the local area. It prides itself on deep commitment to retaining employees through thick and thin. Bankruptcy isn’t an option. The diner is considering how to respond to recent public interest in socially-distanced dining spaces for health reasons. If the tables are far apart, fewer customers can attend, which will have worrying negative financial consequences. If the tables are close together, there is a small chance that a customer could contract a fatal disease from another and sue, which the diner worries could cost millions. Use the framework above to analyze the diner’s options.
  2. Using a company with which you are familiar, analyze a potential future strategic decision using the framework above.
  3. Consider this article about Uber’s growth. Describe Uber’s behavior in terms of the legal risk model above.

Mitigating and managing legal risk

We conclude this chapter by highlighting methods to mitigate legal risk. We will cover many of these topics in greater detail later, but it is worth noting them in abbreviated form now, both to round off this initial topic and to preview what we will study throughout the semester.

  • Insurance. Both individuals and businesses have significant needs for various types of insurance, to provide protection for health care, for their property, and for legal claims made against them by others. Insurance allows individuals to pay a certain amount today to avoid uncertain losses in the future. Businesses face a host of risks that could result in substantial liabilities. Many types of policies are available, including policies for owners, landlords, and tenants (covering liability incurred on the premises); for manufacturers and contractors (for liability incurred on all premises); for a company’s products and completed operations (for liability that results from warranties on products or injuries caused by products); for owners and contractors (protective liability for damages caused by independent contractors engaged by the insured); and for contractual liability (for failure to abide by performances required by specific contracts). Some years ago, different types of individual and business coverage had to be purchased separately and often from different companies. Today, most insurance is available on a package basis, through single policies that cover the most important risks. These are often called multiperil policies.
  • Smart contracting. As we will study in contract law later in this text, in order to limit risk in contracts, many contractual drafters choose to include “liquidated damages” clauses. These are statements in the contract that spell out what damages will be if the contract is broken. This makes the damages certain, which lowers risk for the contracting parties. For example, in a contract for sale of a home, a party might lose their “ready money” if they back out of the agreement without cause.
  • Regulatory review. Many firms find it worthwhile to preemptively hire an attorney to review products for regulatory and litigation risk before launching the product. For a fee, a specialized attorney can examine the product and provide a report on potential regulatory violations and lawsuit risks. Many firms might be surprised at the substantial increased risk of litigation based on innocuous statements on packaging, for instance. We will return to this theme when we cover administrative law (the law of government regulation of business).
  • Preemptive tort defense. The liberal use of liability waivers, warning labels, caution signs, safety rails, handguards, and so on, can help prevent against tort litigation. Liability waivers reduce litigation risk by having individuals specifically agree they will not sue in case of injury during an activity. In other cases, often such litigation turns not on whether someone was injured from a product, but whether they were appropriately warned that such injury could occur. Physical safeguards against injury can help reduce the probability of potential negligence lawsuits by preventing injury in the first place. Businesses that practice prudent preemptive tort defense can lower their legal risks substantially.
  • Knowing the law. Finally, a prime way to reduce legal risk is to simply be familiar with the law. An attorney will not always be around to consult, or it may be cost-prohibitive to use their services at times. Law is vast and complicated, but many legal concepts foundational to business are easy to understand. The more one knows about the law, the easier it is to avoid compromising legal situations, to be conversant with those that can offer legal counsel, and to make decisions that balance legal and ethical interests with other strategic concerns.

The Role of Ethics in Legal Risk

While the material in this chapter aims to introduce you to useful models for evaluating legal risk, it should not be read as encouraging illegal or unethical behavior. Companies have a duty to obey the law and behave ethically. The model in this chapter will be most useful when the law is unclear or when the question before the manager is what steps to take, and costs to incur, to avoid legal risks. Immediately following a general introduction to the law in Chapter 2, we will devote all of Chapter 3 to principles of ethical business conduct. A company’s attitude toward legal risk must be informed be these principles as well.

Key Takeaways

  • Approaching law from a risk management approach is crucial to evaluate the legal environment of business.
  • Evaluating legal risk requires understanding the likelihood of legal action, the severity of the consequences, and the risk tolerance level of the company. Even low probability legal events can be so severe that risk averse firms should take action to avoid them, while even high probability legal events may not bother risk seeking firms.
  • Much of this text will offer ways to reduce legal risk associated with business decisions, such as preemptively avoiding tort liability and employing smart contracting principles. Insurance against legal claims can also reduce uncertainty, at a price.


  1. Consider the simplest possible business: a child’s lemonade stand. What advice would you give the young proprietors based on this chapter?
  2. Take a few minutes and familiarize yourself with the general content of the text. You might read the chapter objectives and key takeaways to become familiar with what we will cover in the text.

  1. For an introduction of some basic mathematical models which may be useful in certain contexts, please see the Appendix.
  2. Courts will sometimes grant attorneys' fees, but this is not typical of litigation in the United States.
  3. They might also be classified as risk-neutral because the company simply finds it advantageous to engage in legally risky behavior.


Icon for the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License

Business Law: A Risk Management Approach Copyright © 2022 by Jeff Lingwall is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.

Share This Book