Tim Barnett-Richards, Co-Head of Commercial at Ignition Law, looks at how businesses need to understand the potential legal and compliance risks they face and be pragmatic in mitigating them.
Are you the proud founder of a start-up or scale-up? Or the business leader of an SME that has scaled up at pace? Whilst spinning the many plates needed to make your business a success, have you had time to fully scope out and appropriately mitigate the legal and compliance risks faced by your growing business?
How to identify your business risks: the importance of taking a step back
Founders and business leaders under time and cost constraints can easily fall into the trap of taking a scattergun approach to tackling perceived risks, without a coherent strategy. They are forced to jump straight in at the deep end, rushing to plug gaps using generic commercial contracts or policies sourced online.
But often, this is a case of putting the cart before the horse: it’s difficult, if not impossible, to effectively mitigate risk without first taking a step back to gain perspective and see the bigger picture.
Workshop your business risks to truly understand them
Whether you’re at the outset of any new business venture, scaling up or simply taking stock of where you’re at, a proper scoping of your business’ risk profile is always time (and money) well spent. Akin to an occupational safety assessment of a physical workspace, you need to workshop your business risks to identify the key potential threats your business faces.
We understand that taking certain risks is part and parcel of running a successful business. So an important aspect of this exercise is also to define your appetite for risk, which will determine how thorough your risk-mitigation strategy needs to be.
So how should you go about this crucial but often-neglected task? You need to ask yourself the following questions (this list is non-exhaustive, and will vary depending on the nature of your business, but it provides a good starting point):
- Are you operating in a regulated sector?
- Are you selling to consumers?
- Are you operating online?
- Are you confident that you handle personal data in a compliant manner? Do you know if, and how, you are processing personal data?
- Does your business involve cross-border transactions, or dependencies in terms of goods or services coming from, or being located, abroad?
- Do you use third parties to carry out activities on your behalf?
- Do you have supplier dependencies, e.g. are you sole-sourced? Or do you rely on others to get your goods/services to market?
- Is your business vulnerable to pricing volatility, e.g. fluctuating energy costs? Is cashflow a concern?
Planning for the worst is an essential component of any effective risk-mitigation strategy. So you also need to ask what a Doomsday scenario might look like for you – what is the worst that could happen if things go wrong? For example, if you are late in supplying or fail entirely to deliver? Or if you supply defective goods or services? Or lose or inappropriately use customers’ personal data?
We’ve all observed the difficulties businesses have faced over the last few years, for example, with Brexit, Covid-19, the cost of living and fuel crises, and logistics disruptions in the Suez Canal and Russian transit channels. So playing out these sorts of scenarios in answering the questions listed above and thinking about how they might impact your business is an important part of your risk-mitigation strategy.
By workshopping your business risks in this way, you can separate the signal from the noise, understand your blind spots and allocate your limited resources appropriately.
Managing your business risks: taking a proportionate and practical approach
Once you’ve identified your key business risks and understand your risk appetite, you can start to come up with a plan.
Rome wasn’t built in a day, and neither was any commercial risk-mitigation strategy worth the paper it’s printed on. You’ll want to ensure that you invest your limited time and resource in next steps that are proportionate, well-considered, practical and aligned to your risk appetite.
These risk-busting tools are just some that are likely to be invaluable to you:
- Terms of Business/Customer and Supplier Contracts: Intelligent use of commercial contracts can:
○ provide clarity on what you are selling/buying, and thereby help you avoid disputes;
○ limit your exposure to customers and ensure your suppliers take responsibility for the part they play in supplying goods/services to you (you don’t want to be the piggy-in-the-middle where any losses land);
○ protect the intellectual property rights in your goods and services and ensure they aren’t lost through your business activities with third parties;
○ ensure compliance with applicable regulatory frameworks, for example, UK consumer law;
○ offer certainty in terms of pricing, payment and supply; and
○ uphold ethical and compliance standards in your supply chain and protect you if third parties are acting on your behalf.
Being intelligent with how you use commercial contracts doesn’t always mean preparing your own suite of legal agreements upfront. Sometimes, commercial realities mean that you don’t have the bargaining power to work off your own legal agreements (yet!). In these cases, a better approach is often to have a clear contracting guide, setting out the dos and don’ts when working off the other side’s legal agreements.
- Website Terms of Use, Privacy Policy and Cookie Policy: These policies provide key information to website users, including summarising any data you’re collecting from/about them, and explaining how they can (and cannot) access and use your business’ website. These policies are key to ensuring your online shop is compliant with applicable legal and regulatory regimes.
- GDPR/Data Privacy: If your business collects and handles personal data (including for marketing and customer analysis), it is critical that you conduct a personal data assessment. Failing to do so can lead to significant fines and irreparable reputational damage. A data-mapping workshop is the best place to start to understand what personal data you collect, how it’s collected and stored, who it’s shared with and what it’s used for. After that, you can build a data privacy compliance programme that protects personal data and individuals’ rights in relation to that data, but which also reflects your way of doing business.
- Insurance: Do you have the right professional indemnity/product liability/cyber insurance in place? Do the policy terms also provide cover in the event of your Doomsday scenario playing out in real life?
- Business Practices: There are many practical ways to manage your business risks that work in tandem with your commercial contracts and policies. For example, incoming and outgoing quality checks to catch any issues before they turn into bigger problems; conducting due diligence on the third parties you want to do business with; structuring your payments to third parties efficiently to incentivise good performance (‘cash is King’, after all); and generally building good, trusted, working relationships with your business partners.