
The critical task of risk assessments is being done by both in-house counsel and external lawyers, yet few do it with great facility, as the to-do lists may go beyond the literal job description. Aaron Shao, head of Legal of Abbott (Greater China), breaks down what is really entailed and offers advice on how to excel.

LEGAL COUNSEL, whether corporate counsel (in-house counsel) or external counsel, undertake the important task of assisting companies and business units in conducting various types of risk assessments. In practice, many legal counsel find the task challenging, which could be due to the following reasons.

A narrow understanding of the role of legal counsel. They may be of the opinion that the main function of legal counsel is to interpret the law and provide legal advice. As a result, they put themselves in a supporting role in risk assessment, responsible for little else than interpreting the law.

Lacking an understanding of the business. To be able to aptly assess and judge the seriousness of a risk, one must first grasp the specific business circumstances and objectives, whereas many legal counsel (particularly external counsel) lack sufficient information and experience in this regard.

Uncertain and multi-causal nature of risks. For example, a plan that is legitimate and low risk at the outset may give rise to risks in its subsequent implementation due to knowledge and/or management shortcomings, which are factors beyond the control of legal counsel.

Variance in risk appetite and tolerance between companies. Risk assessment inherently requires highly integrated judgement and decision-making, including making, from time to time, decisions that have a material impact on the company and its business. Legal counsel may be unsure of the extent to which they should be involved, and the appropriateness of such involvement.

For these reasons and more, many legal counsel in practice struggle when they are required to provide an explicit risk assessment opinion or, going even further, clear-cut recommendations for corrective action. These, however, happen to be the exact areas in which business units may be most lacking, and accordingly most urgently require assistance from the legal department/counsel.


In the author’s opinion, legal counsel on a day-to-day basis engage mainly in two types of risk assessment: business risk assessment, and compliance/law enforcement risk assessment.

The former deals mainly with the allocation of risks in commercial arrangements between equal subjects that do not involve government and legal regulation. Typical scenarios include risk assessments in commercial contract negotiations, investment projects and mergers and acquisitions.

The latter mainly refers to risk assessments in areas involving legal provisions, government regulation and law enforcement. In these areas, laws and regulations generally set out clear prohibitory or mandatory obligations for enterprises and relevant personnel. Violation could lead to administrative or even criminal liabilities.


In business risk assessment, legal counsel take on the important task of assisting the company in coming up with a solution that strives to balance the risks and gains by detecting, identifying, analysing and handling risks so as to maximise the company’s benefits while minimising the level of risk and risk control costs. In the author’s experience, the following are some of the most important approaches:

    • Start with analysis of legal provisions and law enforcement to determine the risk boundary. Determine, in theory, the scope and intervals within which the risk exists, and what the worst-case scenario, the medium risk value and the best-case scenario would be.
    • Study and foresee the generation of the risk. Analyse, in a real-life scenario, causes that could give rise to the risk, and the various situations and impacts after it occurs, as well as the probability of the occurrence of various risks and of the potential outcomes/impacts.
    • In terms of business, predict the possible gains if choosing to bear each risk, and the probability of such gains being realised.
    • Calculate the possibility of preventing and/or remedying the risks. Analyse the types and circumstances of different risks, whether there are means and measures of prevention and/or remediation, and the cost and effectiveness of such prevention and remediation plans.
    • Taking into account both aspects, consider the relationship of risks to gains under specific scenarios. For example, in a worst-case scenario, can the gain value likewise be expected to be at the highest? Similarly, in the best-case scenario, can the gain value likewise be expected to be at the lowest? In practice, many circumstances defy a linear relationship between potential risks and gains. Often, an increase in risk only creates the potential for an increase in gains without necessarily leading to an increase in gains, if there are any substantive gains at all. It is therefore necessary to analyse and weigh the options. Would taking the riskiest approach be consistent with the fundamental strategy and interests of the company? Can the company bear the consequences that could arise in the worst-case scenario?
    • Based on a comprehensive assessment and balancing of the above-mentioned risks and gains, pick the most suitable business and legal solution. It is worth noting that although a business risk assessment generally does not involve risks associated with a violation of the law, when taking a riskier approach, it is advisable to also comprehensively consider a variety of potential peripheral risks, including their impact on the company and its corporate reputation, goodwill, business ethics, government relations, media relations, employee and customer relations, and trust.


When conducting a compliance/law enforcement risk assessment, legal counsel may, in terms of the framework, refer to the approach in a business risk assessment described above to sort out and preliminarily assess the magnitude of the risks and circumstances of their realisation.

However, it bears emphasising that in a compliance/law enforcement risk assessment, legal counsel must constantly maintain a bottom-line awareness and cannot simply view compliance risks as business risks, or make decisions as if they were business risks.

In particular:

    • Unlike business risks, compliance/law enforcement risks are associated with clear prohibitory or mandatory obligations under laws or regulations. Consequences of violating relevant provisions are much more serious, sometimes leading to catastrophic loss for the company or, on occasion, its downfall. Legal counsel need to maintain a laser-clear understanding and judgement of the legal red lines, and clearly communicate the same to the business units and management.
    • Similarly, the probability of a violation being discovered, and subsequent penalties, should not be viewed as opportunity costs, nor should the amount of a financial penalty imposed for violating the law be regarded as the cost of a “remedy for breaking the law” or a “substitute for abiding by the law”. Legal counsel must strongly emphasise that compliance with the law is not optional but a bottom-line requirement. In the current law enforcement environment, long-term and systematic failure by an enterprise to comply with the law is bound to affect the sustainable development of its businesses and consequently its long-term interests.
    • Legal counsel must clearly inform corporate management and relevant personnel that the risks of, and penalties for, violating the law extend not only to the company but also to the individuals involved, and judging from the macro environment the mechanisms for pursuing personal liability are constantly improving and growing more stringent. Liability under criminal law is a material risk that managers and responsible persons cannot afford to ignore.
    • Emphasis should also be placed on the analysis of peripheral risks such as the enterprise’s social credit (blacklist), reputation and brand, government relations, media relations and the trust of business partners. While these peripheral risks may seem latent in nature, the after-effects from a violation and enforcement of the law could be permanent and irreparable.
    • Furthermore, in a globalised environment, the sources and impact of compliance and law enforcement risks are more complex and diverse. Particularly for multinational corporations or enterprises with business involving multiple countries or regions, a violation of the law (e.g., corruption, bribery or monopoly act) often triggers violations of the laws of multiple jurisdictions and, accordingly, the imposition of legal sanctions by multiple jurisdictions, in the worst case resulting in a cascade of enforcement penalties.

When conducting a compliance/law enforcement risk assessment, in what ways can legal counsel create value while adhering to a bottom-line approach?

    • Obtain not only comprehensive and incisive knowledge of laws and regulations, but also a firm grasp of the law enforcement environment and latest trends. This includes the laws and regulations in different sectors and from different authorities, as well as various types of substantive and procedural law, both domestic and overseas. In many cases, legal counsel also need to study and consider the impact of policies. A comprehensive consideration, assessment and weighing needs to be carried out by placing the legal provisions governing any one sector, and the legal requirements of any one jurisdiction, into the overall compliance requirements of an enterprise, along with the overall impact that a violation of the law could give rise to (including the potential contradictions and conflicts that may exist between the legal provisions for different sectors and/or of different jurisdictions).
    • Where laws are silent or legal provisions are unclear, legal counsel need not only to understand the literal meaning of a law but, more importantly, to genuinely and incisively understand the background of its introduction (including policies), its historical evolution, legislative intent, law enforcement trends, and even to anticipate the future direction of the legislation and law enforcement. It is only through such analysis that the core and intent of a law, the context and stance of a policy, or the issues that legislation and law enforcement seek to resolve, can be understood and applied to assist enterprises to maximally achieve their business objectives to the extent permitted by law, while minimising the risk of violation.
    • Where a law sets out an express mandatory obligation but does not specify how an enterprise is to perform such mandatory obligation, legal counsel should utilise their experience and skill to assist clients in designing the most balanced and effective compliance policies, internal regulatory models and operating procedures, so that the company can adopt a low-cost and effective compliance model most compatible with its actual circumstances, comply with legal requirements, guard against compliance vulnerabilities and reduce law enforcement risks.
