Businesses enter contracts every day for a variety of commercial transactions and corporate counsel are typically called on by their colleagues to review, negotiate and advise on them. A legal review encompasses many objectives, but the most critical one is usually the identification, evaluation and management of risk.

Lawyers are generally adept at identifying contractual risk but are often less so at determining the likelihood of that risk actually happening. Often because of their years of reading about worst possible outcomes and risk-adverse nature, they tend to evaluate (and exaggerate) risk based on the worst happening. But is that outcome a likely or probable one? It’s prudent to consider the worst-case scenario, of course, but to be meaningful that must be done in the context of risk likelihood. 

As corporate counsel, we typically weigh risk impact by looking at, among other things, the nature of our company’s prior and current commercial dealings, the reputation, quality and stability of companies it does business with, its claims history, its litigation history and the regulatory landscape. To contextualize and holistically evaluate that risk, we need to (but typically don’t) also assess risk probability. So how does one determine the likelihood that a risk will come to be?

Risk probability

Let’s look at an example. Party A, which is in the data research and licensing business, is in discussions with Party B to license its proprietary data for $1 million. Party A is willing to indemnify Party B in the licensing agreement for data-related claims up to a cap of $1 million, since that’s the consideration it’s receiving from Party B. Party B, however, would like the cap to equal $2 million to protect it against data-related claims that might arise – third-party IP infringement, personal data breaches, corrupt data, etc.

In this example, Party A and Party B might be at a standstill. Party A’s lawyer will argue that it can’t do a deal where its risk ($2 million of indemnity exposure) is far greater than its reward ($1 million) while Party B’s lawyer will argue that it can’t do a deal where its reward ($1 million of data access) is far less than its risk ($2 million of liability exposure for data-related claims). 

How do they bridge the gap? How can the parties holistically evaluate the risk they face? Is there an indemnity cap that would be mutually satisfactory from a risk perspective?

Let’s assume that the parties can agree that the severity or impact of all data-related claims Party B can suffer under this licensing deal is $15 million. The inquiry does not stop there. What is the likelihood that Party B will incur or suffer these claims? To get at risk likelihood, Party A and Party B can make several, reasonable inquiries. 

What sources does Party A obtain its data from? Are those sources established and reputable? What quality control measures does Party A undertake? Is Party A providing Party B sensitive personal data? Does Party A employ reasonable processes and procedures to ensure its data-related activities are compliant with law? How many data licensing deals has Party A done in the past three years? Of those deals, how many resulted in data-related claims? Of those data-related claims, how many gave rise to liability for Party A? In cases of liability, what was the nature and amount? How have Party A’s competitors fared with data-related claims?

The inquiries above are not exhaustive (and would need to be tailored for other types of commercial transactions), but are hopefully illustrative of the nature of questions and answers counsel need to explore to arrive at risk likelihood. Not every commercial transaction will merit undertaking this analysis, but this inquiry can be especially helpful when parties are otherwise unable to move forward on risk matters stemming from a commercial contract.

Back to our example. After going through this analysis, the parties were able to agree that the risk likelihood for data-related claims in this deal is 10%. As such, the risk exposure for data-related claims in this licensing deal can be thought of as $1.5 million (the severity of the risk ($15 million)) multiplied by the likelihood of the risk (10%)). 

With this actionable insight in hand, the parties are now in a much better position to bridge the gap and agree on an appropriate indemnity cap that most appropriately accounts for risk.