Sky high thinkers

Welcome to the Libryo blog

Welcome to Libryo’s Sky high thinkers blog, where thoughts on legaltech, sustainability, law, compliance and technology converge. Filter by topic or popular reads and share your thoughts with us and others. If you have a topic that you’d like to see covered, drop us an email:

Stay in the know by receiving monthly email updates directly into your inbox.

Linking Legal Requirements to Risk Assessments? Watch Out!

Written by Garth Watson
on January 23, 2017

If you've ever been on the hunt for a legal register you'll probably have come across the certain aspects of:

  • Identifing the applicable legal requirements
  • Keeping up to date with changes in legislation and regulation
  • Accessing supporting guidance documents
  • Linking legal requirements to risk assessments

In this series, we "look under the hood" at these aspects of legal registers.

Previously in this blog series, we've answered the question: "what is a Legal Register"? We've had a look at the problem of the "as amended curse" and the need for consolidated, up to date legislation. We've also examined some of the difficulties of identifying applicable legal requirements, and we've shown how keeping up to date with changes to regulation is more easily said than done. We've also equipped you to determine whether the guidance that comes along with the legal register will actually help you to know for any given topic, what the law requires you to do, or not.

So, let's have a look at the fourth aspect:

Link legal requirements to risk assessments.

Typically, legal registers form part of a wider management system for a particular domain, such as environment, health & safety, information security etc. There are management system standards for each of these domains (ISO 14001, OHSAS 18001, and ISO 27001 respectively).

Each of these management system standards require continual improvement to be made and this is a hallmark of the standards. Eventually, for companies to continue to maintain their certification, it is a requirement to link operational risk to legal requirements, or legal risk.

Many companies manage their risk assessments using Microsoft Excel and you may be familiar with a document, which looks something like this.

Screen Shot 2017-01-13 at 16.55.32.png

Many companies and other organisations are moving to cloud-based governance, risk and compliance (GRC) software to manage their risk assessments. Nevertheless, the principles of linking legal risk to operational risk are the same whether one’s risk assessment is Excel based or GRC software based.

Somewhere in your company’s ISO journey you’ll get the certification audit finding that you need to link your legal requirements to your risk assessment. What this means is that for each and every line in your risk assessment, and some companies have hundreds or thousands, you will have to determine which legal requirements apply.

“Linking legal requirements to a risk assessment is super fun and easy!”, said no-one ever.

The reality is, to do the job properly, what you need to do is a mini legal research project on each line of the risk assessment, get out your smallest font (size 4 may do the trick) and get to work inserting the relevant legal requirements. Now, this may take you so long to do, that the law will have changed before you are finished, or before you die of boredom (whichever happens first).

The other thing, while we are at it, is that once you have completed this exercise, you may have done enough to pass the certification audit, but the exercise will have been of very little practical use. It is “tick a box” at its absolute worst. This is because of the incredible inertia that must be overcome, even with digital tools, in looking up the legal requirements. This is especially true if there are several specific sections that apply to a given aspect, impact, risk etc. (which is most often the case).

So, when you evaluating whether a legal register can link operational risk to the legal requirements it is important to check whether the legal register in question has the following:

  • Is it based on consolidated, up to date legislation?
  • Is it site specific, as opposed to “company-wide”
  • If it is updated, do you have to take the updates from the “master legal register” or the “company wide legal register” and determine which updates are relevant to which sites?
  • If your legal register is updated, are the linked requirements in your risk assessment automatically updated?
  • Are the legal requirements in the legal register presented in specific enough manner to allow linking of risks to aspects without going from "the specific" to "the general"?

If you enjoyed this blog series, I’d be very grateful if you’d help spread the word by emailing it to a friend or colleague, or sharing it on Twitter or Linkedin. Thank you!

So, a question for you?

Do I need a Legal Register?