What lessons does the COVID-19 pandemic have for legal risk management from an in-house perspective? Taking stock could be a good starting point

For most of us, the COVID-19 pandemic is unlike any other risk event we have ever encountered. The uncertainty about the causes of the pandemic, incomplete information, schools being shut, huge numbers of people being furloughed, and emergency powers used by peacetime Government to keep us in our homes: these seem unreal. It is strange and for some unnerving. Sadly, for some, the experience has also involved human cost: death, job loss, and economic hardship.

As lawyers, there is much for us to take on board. The pandemic is a global issue, but many questions about the “new normal” come from the “first world”. We have not seen death first-hand on such a scale since 1945. Ask somebody from Asia or Africa, and their perspective will be different.

Since 2005, five out of the world’s top 10 costliest natural disasters in history have occurred. We probably remember the Asian tsunami (2004) and Hurricane Katrina, but the Haitian and Sichuan earthquakes register less in the consciousness. Between 1995 and 2004 alone there were 595 global epidemics, of which 346 were in Africa and 154 in Asia.

Altered perception

Put candidly, until now, natural disasters happen to others. This is not a political point (although it is easy to see how a political point arises), but from a risk management perspective, an important one. Perception of risks informs our appetite for taking risks and how we attempt to manage those risks.

For many lawyers, risk management is a recent thing. Before, it was the preserve of specialist risk managers who seemed to spend their time preoccupied with complex mathematical models and spreadsheets. We periodically review our risk register and inevitably expand it as we think of new and more exotic risks. That has been the extent of our role.

Can we learn from the current crisis? I suggest the answer to this question is a resounding “yes”. It is too early to reach conclusions, but here are observations that may help you as you think about the future legal risks to your business or clients.

Focus of planning

An immediate risk we face is we may end up in our future planning trying to resolve the pandemic, instead of focusing on the next risk. After 9/11, international risk surveys showed businesses putting terrorism and security fears at the head of their agendas. For years after the 2008 financial crash, financial market resilience was the top of the list. The resources we need to manage risk are finite and sometimes scarce. We must not be conditioned by prior events but keep an open mind. Businesses should revisit their risk planning on a holistic basis. Risks should not be weighted in favour of the one that has just occurred.

Understanding how humans react when hit by events that are low probability of incidence, but major catastrophic impact, is vital. We already do risk preparation: for example, how to avoid being charged under the Bribery Act 2010.

A lot of training has been given since the Act came into force about how we should identify potential situations for bribery and how to manage it. Much of it focuses on what the law says, rather than teaching people the right way to act if a bribe is requested. Is this really the right approach? We need to teach people about behaviour, not the finer points of law.

I imagine pre-COVID-19, most people had business continuity plans. Many have now realised that the best laid plans of mice and men often go awry. The former heavyweight champion, Mike Tyson, expressed it more savagely: “Everyone has a plan until they get punched in the mouth.” It is inevitable that most plans are bent out of shape early on. Adaptability and speed of action will be required in the legal team. This requires teams to act collegially and in confusing situations when information is plain wrong or just speculation. “On the job training” is not always the best way to operate.

Do not see the shortcomings in your pandemic-related decisions as necessarily a failure. You had to make quick decisions and we get those wrong. Good risk managers are those who understand that point. Analyse the divergence from your original plans and understand why it happened. Such an exercise is a great evaluation tool.

Wood and the trees

You may have seen how many entries on the risk register are categorised as single risk events. In reality a major incident is usually a number of unrelated risks, often referred to as a perfect storm. Like storms, risk events come in waves, triggering further direct and indirect events. Those subsequent events generate further events that cause more damage. These situations are described as cascading risk events. They are something else to think about.

For planners, information is important, but you should not allow data to obscure knowledge. I am not sure that 10 weeks of daily Government news conferences are particularly effective in giving people insight. “The problems are solved, not by giving new information, but by arranging what we have known for a long time,” observed Wittgenstein. You will have got lots of insight from the last 10 weeks and it would be foolish when reviewing plans not to draw on those experiences. This seems obvious, but many businesses do not carry out reviews, let alone use such findings.

Lawyers should focus on near hits (“near miss” is a misnomer) in their contracting arrangements, property, health and safety obligations, data privacy responsibilities and other legal areas that the pandemic has affected.

The real world

It is worth reflecting for one moment on a particular legal tool that has received much attention in the last three months: force majeure. Virtually every major law firm has issued scholarly briefings about force majeure and frustration. Informative, but they miss the practical point. Claiming termination for force majeure to replace a supplier when, due to the pandemic, there are no substitute suppliers to go to will be no help whatsoever. Many chief procurement officers who have spent years building complex supply chains, which are based on relationships, are unlikely to be impressed by the lawyer advising termination in this situation. When reviewing your contracts because of the pandemic, organisations need to understand the significant limits to contract remedies in the real world.

The pandemic has underscored the need for an ethical risk decision-making. Criticism of the UK Government for prioritising the NHS over care homes has been huge. The shocking statistics of imbalanced death rates have led to sincere moral outrage. Translated into corporate risk governance terms, the views of those who take the greatest impact of risk incidence should be considered; to ignore them opens the decision maker to potential reputation damage. For example, the horror of the Grenfell fire resulted in anger that the block was occupied by many impoverished, immigrant families living in one of the richest boroughs in the world. Some people considered that to be murder. Lawyers are often seen as the corporate conscience. Exerting influence on risk decisions through an ethical lens may save your organisation’s reputation (and the economic value of its brand) one day. Good ethics is good business.

Hidden lessons

When reviewing the risk management plans, a key balance is vulnerability versus resilience. An excellent example in the legal context is the use of limitation of liability caps. In many contract negotiations, limitation caps are set in a fairly rough and ready way, by reference to the ability of an organisation to insure, or the contract value. A better measure would be the tolerance of an organisation to accept the consequences of a risk incident. Ask: “What resources will we maintain in accepting the consequences of those risks?”

This last point is thrown into sharp relief when an event, like a pandemic, results in many claims. Failing to track the aggregate value of liability caps given spells trouble. If the world stops, like it has done in certain sectors (e.g. airlines, hospitality etc), your organisation’s contingent liabilities may overwhelm its resources when the claims roll in.

So now is the time to take stock for the next major shock to your organisation. It will probably not be a pandemic, but something else that people downplayed or overlooked: remember my earlier comments about perception. Lawyers should use this time to evaluate the legal controls and mitigations that they have available to them to assess fitness for purpose. Like it or not, in the age of lean organisations, “just in time” supply chains may be too high a risk and you may need to build in redundancies to ensure better resilience.

I have lived through and been involved in managing several corporate crises. The main lesson I have learnt is that the world will be just as uncertain in 2021 as in 2020. Do not start ripping up your continuity plans just yet, but use your time wisely to glean the wisdom hidden in the information you have.

In the meantime, keep calm and carry on.

In-house risk online CPD

Ian Jones is currently presenting a series of in-house risk webinars for the Law Society of Scotland. The series will also be made available on demand. Find out more at 


The Author

Ian Jones is a solicitor and former general counsel with particular experience in risk governance, evaluation, planning and training. He also writes and teaches on subjects as diverse as ethics and mental health

Share this article
Add To Favorites