Risk briefing: managing the legal ramifications of interconnected risks

Risk interconnectivity — the interdependence of various risks, illustrating how one risk can affect or amplify others across systems — is of growing concern to global risk managers.

Seemingly, any event, anywhere in the world, can start a domino effect which can have far-reaching consequences for organisations. While there are several practical implications of interconnected risks, there is also a growing legal component to their reach.

Legal meets business

“Traditionally, risks were categorised as legal risks, when dealing with regulatory or compliance risks or litigation risks, or business risks, where business leaders focus on dealing with financial risk or marketplace risk,” said Albert Yuen, counsel and head of Hong Kong Technology, Media and Communications (TMT) at Linklaters.

“However, in our evolving world with advance of technology, digitalisation and data analytics, new geopolitics, complex global supply chains and workforces, and greater prioritisation and community expectations around corporate citizenship and ‘ESG’ issues, the lines between legal risks and business risks continues to be blurred.”

Yuen said identifying links between risks is crucial for understanding the big picture and crucial in attempts by businesses to try and mitigate the effects of interconnected risks with complex dependencies.

“One area in which legal frameworks address interconnected risk with complex dependencies is in the area of cyber security,” he said.

“The lines between legal risks and business risks continues to be blurred.”

“With businesses increasingly reliant on technology and data in their business operations, cyber risks are not only quantified in terms of data loss but also have more wide-ranging impacts such as threats to business reputation, regulatory and legal risks — both from data privacy laws as well as sector specific laws — and potential financial losses, customer impacts and issues around operational resilience.”

Yuen said that cyber risks may be internal, such as insider threats, or external, such as cyber-attackers or ransomware, and can result from operational IT issues and a lack of the implementation of IT risk management.

“Legal frameworks and regulators understand that technology and use of data is critical to all business. Legal frameworks deal with businesses’ cyber security risks and obligations from multiple angles given the complex dependencies, from personal data privacy frameworks to detailed guidelines around use of technologies like AI and compliance.

He added that prevailing regulations demand organisations in specific sectors to meet technology risk management, and occasionally cyber security standards, for their system operations. This includes obligations related to third-party supplier outsourcing and the now commonly adopted practice of securing cyber security insurance.

Liabilities and responsibilities

As for how liabilities and responsibilities are typically distributed among parties, Yuen said this is a commercial matter, based on negotiating power and other factors.

“In contractual agreements, parties often allocate risk among the provision of goods and services through warranties and indemnity clauses, limitations of liability and insurance requirements, which can shape the liability landscape in the event of interconnected risks causing losses and damages,” said Yuen.

“Parties which are suppliers tend to exclude interconnected risks as far as possible under their contracts”

“Additionally, force majeure clauses limit liability for events outside a party’s reasonable control such as external events like war and pandemics — which may include interconnected risks — providing relief from a party’s delayed or non-performance under a contract.”

Yuen said it is quite common for suppliers to exclude liability for indirect or consequential losses, whether or not they are foreseeable or indirectly connected with their actions or failures under the contract.

“Parties which are suppliers tend to exclude interconnected risks as far as possible under their contracts with focus on responsibilities and liabilities based on what threat parties can control and perform directly,” said Yuen.

Legal challenges

Andrew Chung, litigation, arbitration and investigations partner at Linklaters, said the key enterprise risks that are top of mind for clients today are interconnected.

He explained: “We are seeing how risks across financial crime, cyber, ESG and energy transition, digital transformation and AI, and geopolitics including supply chain and sanctions all have common elements and data, so now require an enterprise-wide and holistic lens more than ever, to properly manage the risks.”

“The life cycle of these risks demands a more integrated approach which drives a better solution. For example, crisis management skills and enforcement expertise when moved up the lifecycle, helps to proactively mitigate risks up front.”

“In-depth mapping of interconnectedness and the rights and obligations of parties throughout the business is required to properly identify these risks” 

Chung said, while consideration of the legal risks and responsibilities is a key part of the process, it is only a part. Ultimately, the allocation of legal risks is a commercial matter, based on negotiating power and other factors and these risks are often, but not always usually addressed by contract.

“However, in many cases, the circumstances that people are focussed on when negotiating contracts are not addressed, adequately or at all, in their agreements, which can give rise to significant uncertainties and exposures.

“There can also be inconsistencies in contractual or other rights, and which entities can enforce them, across multi-layered commercial arrangements such that the financial risks can sometimes not be fully understood where issues occur in one part of a business, but where there are cascading impacts to other parts of a business.

“In-depth mapping of interconnectedness and the rights and obligations of parties throughout the business is required to properly identify these risks,” added Chung.