Legal Risk Assessments – An Essential Risk Management Tool

May 9, 2024 Litigation & Dispute Resolution Bulletin 7 minute read


Businesses tend to deal with legal issues as they arise, when they are able to, when an issue has become unavoidable, or when a proposed or impending transaction demands it. This approach is of course reactive, reflecting a piecemeal approach to problem-solving. It often fails to consider long-term solutions or structural or systemic factors that may be the source of the problem. While often the accepted approach when a legal issue arises, it has significant shortcomings: it is inefficient, often ineffective, and always unpredictable in cost and outcome.

Experience tells us that the best way to address the legal issues that arise in any business is to focus on their identification and resolution before they become legal problems. Devised and implemented by practitioners who by training and experience are attuned to legal risk and to what can be done to assess, manage, mitigate or eliminate it, a legal risk assessment (“LRA”) should be an integral part of every company’s approach to risk management.

What is a Legal Risk Assessment?

An LRA is akin to a financial or tax audit but with a focus on the legal risks inherent in virtually every aspect of every business. It is objective and agnostic, not driven by any particular outcome, timeline, or end goal. Instead, an LRA makes proactive use of the litigation and regulatory lawyer’s experience, expertise, and judgment in order to identify and manage legal risk. It mirrors the kind of top-to-bottom due diligence undertaken in the context of M&A transactions but as a regular aspect of everyday risk management.

An LRA is not about fault-finding or about assessing performance, or competence. It is focused solely on identifying, assessing and managing legal issues on an ongoing basis, thereby helping to limit risk, cost, exposure and ultimately liability. It is always forward-looking.

LRAs are most effective when undertaken regularly. They are of particular use to corporations contemplating a major change in leadership, ownership or circumstances, or that are in rapid growth mode. Their results are also of value if the company is contemplating a financing or other transaction. Through regular LRAs, key issues that could negatively affect a company’s value or stock will already have been identified and perhaps even addressed by the time the transactional due diligence is undertaken (which will in any case be primarily driven by the specific goals of the parties and the structure of the deal).

LRAs are precisely tailored to each business and its operations. With the assistance of the LRA team, the client decides which areas of the business will be reviewed, to what extent and how, what degree of risk is acceptable, and how it wants to address (or not) identified risks. The company can decide to move forward on all or on only some of the issues identified based on its priorities, legal advice, budget and other considerations. Appropriate specialized legal or other expertise (trade-specific, government relations, technical, Indigenous relations, public relations, forensic, etc.) can also be brought in to support the LRA team as needed.

The LRA team will further assist in devising and implementing appropriate check systems and controls to monitor the company’s compliance with its response plan. The team can help address whether policies, procedures and practices are adequate and in keeping with the current corporate, business and legal ethos, as well as whether the system in place actually results in them being followed and regularly updated.

What is the Scope of an LRA?

An LRA will uncover the hidden or overlooked legal risks that can lurk in every element of an organization, company or business when there is otherwise no particular driver or incentive to look for them. Many issues uncovered by an LRA would not be revealed by traditional accounting, contingency, transactional due diligence, or single-purpose or tax or financial audits as these are invariably aimed at specific areas or issues and/or are driven by the particular circumstances of the moment and the parties.

An LRA is a process. As no two businesses are alike, it starts with a review of some or all of a company’s business and operations: what the business does, how it does it, and the environment in which it operates. Other factors considered will include the nature of specific relationships with other parties and stakeholders, historic business practices and applicable regulatory frameworks.

Once the business has been well understood, the full range of potential legal issues can be identified. In this way, an LRA can help uncover risks connected to previously undisclosed or undiscovered issues across the entire enterprise, whether structural or related to personnel, governance, facilities, customer or supplier relationships, contracts, operations, past or current practices, etc. There is no limit to the reach of an LRA; it can also cover a company’s supply chain or a company’s (or its business partners’) practices in relation to areas such as procurement, governance, contracting, disclosure and marketing, etc.

The Consequences of a Reactive Approach to Legal Risk Management

Years of dispute-resolution and regulatory compliance experience make for skilled legal risk identification and management practitioners. This experience suggests to us that more often than not a legal issue has as its source one or more of the following:

  • Inadequate corporate practices, policies, or procedures;
  • Shortcomings, gaps, or ambiguities in contractual language;
  • Poorly documented business processes;
  • Poorly structured business relationships;
  • Inadequate contractual provisions;
  • Mistaken assumptions about the nature of the company’s legal obligations or rights;
  • Inadequate due diligence systems;
  • Inadequate incident response preparedness;
  • Poor contract management practices;
  • Inadequate compliance systems;
  • Absence of appropriate oversight and employee training;
  • Inadequate systems for the handling of private, confidential, proprietary or third-party information; and/or
  • Inadequate control, monitoring, risk management, and reporting systems.

Any of these root causes, alone or in combination, can result in significant adverse consequences for a business such as increased costs, internal strife, operational instability, damage to partner relationships or to public perception and goodwill, lower business valuations, and failed transactions or financings. Other potential consequences include stricter credit requirements, higher insurance costs, loss of confidence from customers, lenders, investors and shareholders, high employee turnover, low morale, increased risk of litigation and regulatory enforcement proceedings and increased fines and penalties.

A properly devised and implemented LRA focused on identifying issues early offers the best chance at avoiding these types of outcomes quietly and with minimum disruption, adverse impact, and costs.

What Benefits Flow From an LRA?

LRAs offer many benefits beyond specific risk identification. They can include better incident and emergency preparedness and response, fewer ongoing compliance issues, improved stakeholder relationships (whether customers, suppliers, employees, lenders, investors, or regulators), reduced risk of disruption to the business or its operations, reduced risk of abuse, fraud, or malfeasance, and lower legal and consulting expenses. An LRA can also contribute to instilling a legal risk-aware culture across an organization and every one of its activities.

The results of an LRA (as well as the simple fact that one has been undertaken) can prove invaluable when the company and/or its officers or directors (or corporate parent or subsidiary or related entity) are faced with having to assert a legal defence in the context of litigation or regulatory proceedings or in the face of negative publicity. Currently, LRAs remain an optional tool but in time, LRA-type assessments will form a part of the legal concepts of fiduciary, due diligence, or similar legal duties such as the American duty of oversight. A history of regular LRAs will help demonstrate a positive history of voluntary due diligence and risk management.

Sometimes the problem a company thinks needs to be solved is not the one that poses the greatest risk or the one that will cost the most money to resolve. An LRA aims not only to identify risk but also to ferret out where the greatest risks to the company lie through a determination of the likelihood of a specific risk occurring and an assessment of the severity of its consequences. With the results of an LRA on hand, the client can focus on mitigating the risks that pose the largest threat thereby using time and resources more effectively.

LRAs in Action

To illustrate the impact that an LRA can have, we examine next some real-life instances in which a properly-devised LRA would have prevented an adverse outcome.

  • A shipping company contracted for consulting services. The contract was to have a two-year probationary period after which long-term provisions would apply. The contract language regarding what the company needed to do to end the relationship within the probationary period was deficient. No one turned their mind to it at the time of contracting, leaving the company in the belief that, if dissatisfied with the performance of the supplier, the contract would come to an end on its own terms. The court, however, found the relationship to have become long-term, at a cost of $9.2 million, in circumstances where the company derived no benefit from the services. An LRA at either the time of contract inception or during the probationary period would have avoided this result by focusing on this gap in what was otherwise a straightforward contract.
  • In the context of an acquisition of a former competitor, a key permit was not transferred by the purchasing company after closing. The deficiency was found several years later and on the eve of the company going public. The result was a delay in the IPO and lower proceeds. The deficiency would have been identified by an LRA before it became urgent or impacted the IPO, giving the company time to address this simple issue in the ordinary course.
  • A company bought a portfolio of facilities. One facility had an environmental contamination remediation program in place, which the vendor agreed to continue post-transaction (the facility would not be used by the purchaser). Over time, the vendor was taken over and the program gradually wound up without a review of any resulting sampling data. Some years later, when the purchaser (current owner) wished to sell, it was discovered that the property was seriously contaminated (at levels well above those at the time of the portfolio purchase) and that the contamination had spread to neighbouring lands. As a result, the purchaser (current owner) was now on the hook for tens of millions of dollars of further remedial work and unable to sell the property which now had a negative worth. An LRA would have asked what actions were being taken to deal with legacy contamination issues and obligations on a timely basis, preventing later surprises and managing the contamination before it worsened.

In hindsight, each of these instances looks like an easily preventable situation, yet in every case they were overlooked and in time led to real-world problems. Similar examples can just as easily arise in any of the following areas: tax, anti-money laundering, distribution, health and safety, transactional, governance, corporate responsibility, ESG, Indigenous matters, procurement and supply, financings, records management, climate change, information technology, third-party contracts, human resources, human rights, product liability, regulatory obligations (the list goes on).


The complexity of the legal environment for businesses today ensures that nearly every company can benefit from an LRA. No business is free from regulatory requirements, from the prospect of costly or crippling litigation, or from legal risks that lie undiscovered in, for example, past transactions, inherited, legacy, stranded or secondary assets or long-standing contractual and other business relationships.

An LRA allows the company to avoid pitfalls and manage its exposure and potential liability proactively instead of responding to a situation when it arises, dealing with the aftermath of the problem or litigating the situation after the fact. With measurable, tangible and often immediate positive results, an LRA is a key complement to a company’s existing risk-management practices. It ought to be an essential part of every organization’s risk management approach writ large, regardless of size, type, or structure.

McMillan’s legal risk assessment team would be pleased to have an opportunity to assist in devising and implementing an appropriate LRA for your organization.

by Ralph Cuervo-Lorens, Talia Gordner and Emily Hush

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2024
