ISO CD 31022 Committee draft status 19 March


ISO / CD 31022 Committee draft, status 19 March 2018
Best practice on Managing Legal Risks
Seminar: The new ISO 31000 standard and other risk management tools (UUSI ISO 31000 STANDARDI JA MUITA RISKIENHALLINNAN TYÖKALUJA)
Jan Virtavuori and Suvi Hirvonen-Ere, Helsinki, 18 April 2018
© Copyright Jan Virtavuori and Suvi Hirvonen-Ere 2018


Agenda
• Introducing the speakers
• What is ISO / CD 31022 legal risk management?
• Key elements of the process for legal risk management
• Tools (templates, registers, samples) in the appendices A-E
• Key take-aways from today
• Your questions and comments
© Copyright Jan Virtavuori and Suvi Hirvonen-Ere 2018


Introducing Jan Virtavuori
• Summary
– M.Sc. (Econ.), professional within the insurance and risk management sector with approx. 19 years' experience in various positions and a broad understanding of major corporations' risks, insurance solutions and logistics & supply chain; always interested in continuous development and learning new things.
– Specialities: Enterprise Risk Management, Insurance Management, Incoterms 2010, ISO 31000 Risk Management Standard, Business Impact Analysis, Business Continuity Planning and Management, Logistics, Supply Chain Risk Management, Captive Insurance, Contract Management, Security, Cyber Security.
• 2006: Risk Manager, Wärtsilä Oyj Abp
• 1998 – 2006: Cargo Underwriter, If P&C Insurance Ltd
• Since 2009: Member of the Finnish ICC's "Commission on transport and logistics"
• Since 2009: Member of the Finnish ICC's Incoterms 2010 panel of experts
• Since 2013: Member of the Finnish Standards Association SFS's ISO 31000 Risk Management standard reference group
• Since Nov 2013: Board Member, Finnish Risk Management Association
• Since 2015: Selected as Finland's member in the ISO/TC 262/WG 4 working group within the ISO family to create best practices for managing supply chain risks
• Since 2017: Member of the Finnish ICC's working group commenting on the new ICC Incoterms 2020 Rules
• Since 2017: Selected as Finland's member in the ISO/TC 262/WG 5 working group within the ISO family to create best practices for managing legal risk
• Since 2018: Selected as Finland's member in the ISO/TC 262/WG 6 working group within the ISO family to create best practices for managing travel risk


Introducing Suvi Hirvonen-Ere
• Now finally catching a long-term dream of writing a doctoral dissertation, topic Contract Management
• Before the doctorate program, worked for over 15 years in legal, commercial and contract management roles, mainly in leadership positions in global corporations
– Nokia Solutions and Networks, Head of Global Contract Management
– Accenture, Senior Manager, Contract Management
  • Global Contract Management Lead for 2 major client accounts
  • Nordic Contract Management Geography Lead
  • Commercial Lead for a Finnish business unit
  • Mentoring, Coaching and Career Development Lead in the Accenture Finland women network
– Honeywell, Manager, Contracts Nordics
– Attorneys-at-Law Hannes Snellman, Associate Lawyer
– Sonera SmartTrust in Helsinki, Associate Lawyer, and in Stockholm, head of business-related legal activities
• Educational background
– Master of Laws, Helsinki (2000)
– Professional of International Business Law, Fintra (2001)
– Six Sigma Plus Green Belt Certification (2004)
– Contract Management Certified Member, accreditation by the International Association for Contract and Commercial Management (IACCM) (2010)
– Bar Exam, Finnish Bar Association (2015)
– Minor in Leadership and Management, the University of Helsinki (2017)
• Full-time doctoral researcher at the Faculty of Law, the University of Helsinki, and a member of the InterTran Research Group, which promotes sustainable law and business.
• Since 2017, one of Finland's members in the ISO/TC 262/WG 5 working group within the ISO family to create best practices for managing legal risk


ISO/TC 262 Risk management
• AG 1: Communications – no Finnish members
• WG 2: Core risk management standards – ISO/CD 31000
• WG 3: Disruption related risk – (ISO 31020)
• WG 4: Supply chain risk – too ambitious and large a scope, with the result that the "best practice" document never materialized
• WG 5: Management of Legal Risk – (ISO 31022) work ongoing, planned to be finalized during 2018
• NP Managing Travel Risks – Guidance for organizations – (ISO 31030) possible to be started
• NP Guidance for managing emerging risks to enhance resilience – (ISO 31050) possible to be started


What is ISO / CD 31022: Purpose, scope, and concrete tools
• Purpose:
– Helps organizations and top management to use the principles of ISO 31000 to develop an improved understanding and management of legal, regulatory and other related obligations
• Scope:
– Provides additional guidelines on managing legal risk for organizations
• A companion to ISO 31000; however, it can also be used with COSO or proprietary Enterprise Risk Management systems
• The application of these guidelines can be customized to any organization and its context
• "Legal" = what and why, not who
– does not refer to the legal function or department
– does not replace legal advice on a particular case
• Concrete tools for legal risk management:
– Process with templates, registers, examples


Guidelines: What is intended? What is not intended?
• Guidelines intend to:
– Help organizations and top management to:
  • Achieve the strategic outcomes and objectives of the organization
  • Encourage a structured and consistent approach to legal risks via proactive management, appropriate resources and the right level of expertise
  • Understand and evidence the extent and impact of legal risk and carry out due diligence
  • Identify and analyze legal risks, and provide a systematic way to make informed decisions
  • Enhance and encourage the identification of greater opportunities for continuous improvement
• Guidelines do not intend to:
– Substitute for the risk owners seeking expert legal advice (external or internal) for a particular case
– Apply to the process of law-making or lobbying for new laws or existing laws
– Replace (but instead, intend to complement) any compliance process that organizations may have in use, such as ISO 19600


Terms and definitions
• Legal Risk – The effect of uncertainty on the organization's objectives related to legal, regulatory and contractual matters
• Laws – System of rules which a country or community recognizes as regulating its individuals and organizations.
• Laws may include:
a) any statute, regulation, by-law, ordinance or subordinate legislation in force from time to time to which an organization is subject;
b) the common law as applicable to the organization;
c) any binding court order, judgment or decree;
d) any applicable industry code or policy, in each case enforceable by law; and
e) all applicable statutory and all other rules.


Why Legal Risk Management 31022?
• Increased complexity in the risk universe
• Contracting and contracting quality set the "rule book"
• Contract & legal risk management has to be continuous
[Diagram: money flow and material flow across Procurement, Finance, Legal, Production and Sales]


Structure of ISO / CD 31022
• The "Body" of the guidelines provides the general guidelines, terminology and the detailed description of the process for legal risk management
• Appendices A-E give concrete guidelines and tools such as templates and registers regarding:
– A: Legal risk identification method = LRIM
– B: Legal risk register
– C: Assessing the likelihood of legal risk
– D: Assessing the impact of legal risk
– E: Key clauses to consider when reviewing contracts
• Each appendix includes a sample template / register
• However, enterprises are encouraged to customize these


Process for the management of legal risk


Process for the management of legal risk (annotations to the ISO 31000 process diagram; the labels below follow the ISO 31000 process elements)
• External context: refers to factors which are outside the organization but related to the management of legal risk. Examples include:
– relevant laws and their changes;
– industry organizations;
– etc.
• Internal context includes:
– organizational financial health and the organizational model, processes and functions;
– the status of the organization's legal affairs and the management of legal …;
– etc.
• Communication and consultation: communicate and consult with relevant stakeholders at each stage of managing the legal risk. The stakeholders should understand the legal risk and its effect on the organization, as well as know their role in decision making.
• Legal risk criteria: should reflect the objectives, values, resources, preferences and tolerance of overall risk management in relation to legal risk. Legal risk criteria can be imposed by or derived from the application of laws or contractual obligations or liabilities.
• Monitoring and review: follow changes in the environment, such as new laws, and monitor events triggered by legal risk.
• Legal risk assessment: the overall process of legal risk identification, legal risk analysis and legal risk evaluation; it is essential to have the participation of an appropriate cross-section of experts. Consider legal professional privilege, attorney-client privilege, and data destruction and retention policies.
• Legal risk identification: identify how an organization's management of legal risks may inhibit or enable the achievement of its objectives, including legal risks relating to operational activities and working processes.
• Legal risk analysis: includes qualitative or quantitative analysis of the identified legal risks. The outcome of this analysis becomes the input for legal risk evaluation and treatment.
• Legal risk evaluation: legal risks can be evaluated by comparing the results of the risk analysis with the risk criteria and then prioritizing those legal risks. This evaluation should help decision makers to consider various legal risk treatment options.
• Legal risk treatment: treatment of legal risk refers to the corresponding strategies implemented by an organization to deal with its legal risks. A risk treatment plan should consider a range of treatment options that may include legal remedies as well as financial, operational and reputational remedies for each individual prioritized risk. Strategies for the treatment of legal risk include risk aversion, risk reduction, risk sharing and risk acceptance, some of which can be used either alone or in combination. Having chosen a strategy for the treatment of legal risk, a further evaluation of the current status of the legal risk should be undertaken to understand the limitations of and areas of improvement to the strategy, and also to provide support for developing the legal risk treatment plan.
• Residual legal risk: after selecting the appropriate legal risk treatment, organizations should evaluate whether they can accept the residual legal risks. If the residual legal risks are unacceptable, organizations should adjust or develop a new legal risk treatment option.




Appendix A: Legal risk identification method (LRIM)
• Table and example LRIM: a matrix with the organization's business activities as columns (Business activity 1, Business activity 2, Business activity 3, etc.) and the legal risk typologies as rows:
– Category 1: Uncertainty
– Category 2: Non-compliance with applicable law or regulation
– Category 3: Breach of contract
– Category 4: Infringement of rights
– Category 5: Omission in exercising rights
– Category 6: Improper choice


Appendix B: Legal risk register
• Part I: An example of a legal risk register, with columns:
– Operational activities
– Legal risk category
– Legal risk event identified (dates, occurrences)
– Applicable relevant laws
– Legal consequences
– Past cases
– Opinion of internal/in-house legal teams
– Opinion of external legal advisor
– Recommended solution
• Part II: Legal advice received, quantitative/qualitative analysis and board recommendation


Appendix C: Likelihood
• Assessing likelihood of legal risk:
– Step 1: Can a risk event occur? If yes, with what degree of certainty?
– Step 2: Does the risk event have legal consequences? If yes, what scale of legal consequences from 1–5 will it have?
  • 1 = minor = no or little likely regulatory or monetary consequences
  • 5 = significant = enterprise-threatening regulatory or monetary consequences
• Example: assessing the legal risk regarding the effectiveness of policies and procedures as set through internal controls (design of the policies and procedures / their implementation):
– 5: Policies and procedures for internal controls are nonexistent. / Policies and procedures for internal controls are not implemented.
– 4: Policies and procedures for internal controls are incomplete. / Policies and procedures for internal controls are insufficiently implemented.
– 3: Policies and procedures for internal controls are more likely than not complete. / Policies and procedures for internal controls are more likely than not implemented.
– 2: Policies and procedures for internal controls are complete. / Policies and procedures for internal controls are implemented.
– 1: Policies and procedures for internal controls are well designed. / Policies and procedures for internal controls are fully implemented and reviewed regularly to ensure that they remain robust and appropriate to the changing needs of the organization.


Appendix D: Impact
• The impact of legal risk manifests itself on the organization via
– Financial impact
– Regulatory impact
– Reputational impact
– Geographical impact and
– Intra-organizational impact
• Organizations are encouraged to develop their own weightings.
• An example (scale 1–5):
– 1: Monetary impact 0 to 100,000 €. Non-monetary impact: minor loss of reputation, corporate image, intellectual property.
– 2: Monetary impact 100,001 to 1,000,000 €. Non-monetary impact: small loss of reputation, corporate image, intellectual property.
– 3: Monetary impact 1,000,001 to 5,000,000 €. Non-monetary impact: loss of reputation, corporate image, intellectual property.
– 4: Monetary impact 5,000,001 to 10,000,000 €. Non-monetary impact: big loss of reputation, corporate image, intellectual property.
– 5: Monetary impact 10,000,001+ €. Non-monetary impact: significant loss of reputation, corporate image, intellectual property.


Appendix E: Key contract clauses to review
• Appendix E sets out a brief summary of key clauses to consider when reviewing contracts
• Target is: to minimize legal risk; to provide a checklist of issues.
• Target is not: it is no substitute for legal advice, and not a comprehensive list.
• Example (Issue – Considerations):
– Capacity to contract – Check whether the counterparty has the legal capacity to enter into a binding legal agreement.
– Delivery/Shipping Terms – Does the purchaser require the goods for a specific date (perhaps in order to meet its obligations under a contract with a third party)? If so, the delivery clause should be drafted to ensure:
  • time is of the essence for delivery; and
  • the purchaser can recover any actual losses suffered as a result.
  The vendor should be concerned if (i) the losses stipulated in the clause are uncapped; or (ii) the delivery dates specified by the purchaser have a high risk of not being met.


Key take-aways from today
• ISO 31022 accompanies the new ISO 31000 standard and helps to use it
• ISO 31022 provides concrete guidelines and tools (templates and registers) for legal risk management, almost for free!
• Proactive lifecycle view: risks must be followed up
• Enterprises are encouraged to customize the tools and examples according to their needs
→ Still a committee draft; next comment round by 15 May, target commencement date within 2018.

QUESTIONS OR COMMENTS? Thank you!
Contacts: jan.virtavuori@wartsila.com, suvi.hirvonen@helsinki.fi
