Samenvatting

Over the past decades, laws and regulations have been incorporating obligations for major organisations in almost all sectors of society to integrate risk management in their governance. Against this background, this study focused on the degree and the way in which legal departments of Dutch organisations practice legal risk management. This study poses the following key questions: How do legal departments contribute to the risk management of organisations, how to explain possible differences between organisations and what lessons can we take from this? To answer these questions three case studies were performed in organisations in different sectors: a bank, a municipality and a university medical centre. These organisations have in common that they have a large staff and a large number of organisational entities, operate in highly-regulated sectors and have (comparatively) large legal departments. The case studies were preceded by literature research and background interviews with experts and professionals. Based on the outcome an analytical framework was formed that gave direction to the empirical study. In addition to the case studies, the empirical study comprised three roundtable discussions, where the results of the case studies were presented to a wide selection of experts and professionals for them to validate and supplement. The main conclusion of this study is that legal departments in most Dutch organisations do not yet contribute to risk management in a proactive and systematic manner. Most organisations have developed a policy on risk management, but legal departments do not yet have a clear position or role in this policy. This implies that in many organisations risk management is still characterized by a silo approach. In identifying and controlling legal risks, legal departments mainly use reactive methods and instruments. In practice this means that the initiative for contacting the legal department is often left to other departments. This does not mean that the legal department will not be consulted at all, but rather that frequently this is not done at an early stage, when legal advice is most valuable. The overall picture is that legal risk management is still in its infancy in most organisations. Legal risk management in large financial institutions is slightly more mature, partly because these organisations are subject to the most stringent statutory regime in terms of risk management. In addition to the size of the staff, the organisational structure and the number and nature of an organisation’s relations, the applicable legal framework is an important factor that explains differences between (the maturity of) the legal risk management of organisations. The overall picture is that legal risk management still functions insufficiently in most organisations. At the same time, the conclusion is that solid legal risk management can contribute to the success of organisations and the quality of the performance of legal departments. Based on the study several lessons have been created that organisations can use to enhance the quality of their legal risk management. The gist of those lessons is to develop a well-wrought and systematic approach, tailored to the organisation’s general risk management while considering user needs. The insights formulated could help legal departments to leave behind the clichés about risk-averse legal professionals that think in worst-case scenarios only and to create a good practice of sustainable, data-driven, legitimate and fair legal risk management.