Proactive risk assessment can be a powerful tool for an organization seeking to avoid a litigation or regulatory “event.” Failure of the organization to accurately anticipate risk can have serious consequences, including a damaged brand, excessive legal fees and a transformed organizational focus away from generating revenue to responding to discovery or regulatory inquiries.

There are a number of concerns that are often raised as organizations consider conducting a risk assessment. The question for management, in most instances, is whether a risk assessment uncovers information or facts that, once discovered, could potentially be discoverable and damaging — and very costly to address.

Unfortunately, this fear paralyzes many organizations and creates an environment where immediate action is delayed as a result of an unwillingness to address or accept the consequences of the status quo.

The concern for the general counsel is how to properly advise his or her organization in response to the findings of the risk assessment without creating a record that could be discoverable in litigation or that inadvertently compromises the privilege in circumstances where immediate identification and remediation is necessary because of high risk findings. General counsel should consider whether the retention of outside counsel is necessary in light of the severity of risks likely to be identified and retain outside counsel to advise on the risks identified as part of the risk assessment. They should also be prepared at the outset of the risk assessment with the assistance of outside counsel to clearly document the establishment of a communications protocol that can effectively protect and carefully manage the attorney-client privilege, and explain to all parties the rules for communication with respect to the risk assessment.

The time spent preparing this “protocol” can be a valuable investment, as structure will be in place to protect the organization during the risk assessment. The process also encourages proactive remediation of potentially damaging risk through the solicitation of legal advice before, during and after the initiation of the assessment.

(The suggested protocols that follow do not address the Attorney Work Product Doctrine, nor do they discuss concerns related to litigation holds. Rather, this communication protocol assumes the parties have engaged in a proactive assessment where there is no reasonable anticipation of litigation when the risk assessment is initiated.)

Here are 20 guidelines for general counsel to communicate within the organization when establishing a communications protocol for proactive risk assessments.

  1. With respect to communications with internal or external counsel, written or oral, the attorney-client privilege will attach only if the communications are intended to be confidential and for the purpose of obtaining legal advice. Any other communication is potentially discoverable, even if an attorney is included as part of the communication.
  2. Communication via telephone conference call between the parties should be the preferred method of communication.
  3. Email communications regarding substantive matters should be limited to the exchange of records and documents, and the coordination of meetings and telephone communications.
  4. Existing records or documents collected during the risk assessment may not be subject to the attorney-client privilege, which only protects communications between attorney and the client. For example, an attachment of an existing document as part of an email to the general counsel or outside counsel for legal advice may not be protected. The subsequent advice regarding the attachment and the communication soliciting the advice will be subject to the privilege.
  5. Newly created records or documents may be privileged if created for the purposes of obtaining or communicating legal advice, and are intended to remain confidential.
  6. Records or documents created or gathered during the course of the risk assessment by any third party should be stored in a specially designated data room with limited access by either the general counsel or outside counsel.
  7. Items that are not records or documents should not be retained as part of the risk assessment.
  8. An explanation of how the attorney-client privilege attaches and the manner in which it might be inadvertently waived should be communicated to all involved in the risk assessment at the earliest possible opportunity.
  9. One example of the communication could be as follows: communications from management with general counsel or outside counsel are privileged when for the express purposes of obtaining legal advice and when intended to be confidential. All other communications with counsel are not privileged. The organization is the holder of the privilege and can waive it at any time.
  10. Communication between individual employees and counsel may be privileged but no attorney-client relationship exists between counsel and client employees.
  11. All documents created or generated for the purpose of seeking legal advice during the course of the risk assessment should be clearly marked as “privileged.” “Attorney-Client Privileged Communication” is also an acceptable way to mark documents.
  12. In order for communication to be subject to attorney-client privilege, the communication must be with counsel for purposes of obtaining legal advice and intended to be confidential. Just marking “privilege” will not protect the communication. These communications should be made in confidence and not involve anyone that does not explicitly need to know their contents.
  13. Third parties engaged for the purposes of the risk assessment should work at the direction of the general counsel or outside law firm and report directly to the general counsel or outside law firm. General counsel or outside counsel should be copied on all communications between client and any third party.
  14. Carefully handle all records and documents that are created as part of the risk assessment that may be privileged. Access to records and documents to individuals and third parties not covered by the privilege must be restricted.
  15. Determine in advance whether the results of the risk assessment are to be shared with employees other than the general counsel. If shared, consider formally designating the individuals to demonstrate the intended recipients of the legal advice. Specify that no other individuals require access to records and documents generated by the risk assessment.
  16. Corporate oversight for the risk assessment should be the responsibility of the audit committee of the board of directors or similar governing/oversight committee.
  17. The general counsel should be present to preserve the privilege, when possible, and he or she should be required to be present if sensitive information is likely to be disclosed or reduced to writing where legal advice has been requested or provided regarding the disclosed items or writings.
  18. Documents or notes created during the meetings with employees are part of the risk assessment should, upon conclusion of the meeting, be gathered by the general counsel and stored in a separate file marked “confidential” and “privileged.” Failure to mark such documents does not negate the privilege. Notes regarding these meetings should not be retained by individual employees unless they are intended to be discoverable or do not contain information that the organization wishes to retain under the attorney-client privilege.
  19. General counsel should consistently and carefully evaluate all questions related to the assertion of the privilege and catalogue records or documents marked as privileged.
  20. The general counsel should train senior executives and members of management on the importance of the attorney-client privilege so that all employees of the organization understand how the privilege can attach or be waived.

Proactive risk assessment can be a powerful tool for an organization seeking to avoid a litigation or regulatory “event.” Failure of the organization to accurately anticipate risk can have serious consequences, including a damaged brand, excessive legal fees and a transformed organizational focus away from generating revenue to responding to discovery or regulatory inquiries.

There are a number of concerns that are often raised as organizations consider conducting a risk assessment. The question for management, in most instances, is whether a risk assessment uncovers information or facts that, once discovered, could potentially be discoverable and damaging — and very costly to address.

Unfortunately, this fear paralyzes many organizations and creates an environment where immediate action is delayed as a result of an unwillingness to address or accept the consequences of the status quo.

The concern for the general counsel is how to properly advise his or her organization in response to the findings of the risk assessment without creating a record that could be discoverable in litigation or that inadvertently compromises the privilege in circumstances where immediate identification and remediation is necessary because of high risk findings. General counsel should consider whether the retention of outside counsel is necessary in light of the severity of risks likely to be identified and retain outside counsel to advise on the risks identified as part of the risk assessment. They should also be prepared at the outset of the risk assessment with the assistance of outside counsel to clearly document the establishment of a communications protocol that can effectively protect and carefully manage the attorney-client privilege, and explain to all parties the rules for communication with respect to the risk assessment.

The time spent preparing this “protocol” can be a valuable investment, as structure will be in place to protect the organization during the risk assessment. The process also encourages proactive remediation of potentially damaging risk through the solicitation of legal advice before, during and after the initiation of the assessment.

(The suggested protocols that follow do not address the Attorney Work Product Doctrine, nor do they discuss concerns related to litigation holds. Rather, this communication protocol assumes the parties have engaged in a proactive assessment where there is no reasonable anticipation of litigation when the risk assessment is initiated.)

Here are 20 guidelines for general counsel to communicate within the organization when establishing a communications protocol for proactive risk assessments.

  1. With respect to communications with internal or external counsel, written or oral, the attorney-client privilege will attach only if the communications are intended to be confidential and for the purpose of obtaining legal advice. Any other communication is potentially discoverable, even if an attorney is included as part of the communication.
  2. Communication via telephone conference call between the parties should be the preferred method of communication.
  3. Email communications regarding substantive matters should be limited to the exchange of records and documents, and the coordination of meetings and telephone communications.
  4. Existing records or documents collected during the risk assessment may not be subject to the attorney-client privilege, which only protects communications between attorney and the client. For example, an attachment of an existing document as part of an email to the general counsel or outside counsel for legal advice may not be protected. The subsequent advice regarding the attachment and the communication soliciting the advice will be subject to the privilege.
  5. Newly created records or documents may be privileged if created for the purposes of obtaining or communicating legal advice, and are intended to remain confidential.
  6. Records or documents created or gathered during the course of the risk assessment by any third party should be stored in a specially designated data room with limited access by either the general counsel or outside counsel.
  7. Items that are not records or documents should not be retained as part of the risk assessment.
  8. An explanation of how the attorney-client privilege attaches and the manner in which it might be inadvertently waived should be communicated to all involved in the risk assessment at the earliest possible opportunity.
  9. One example of the communication could be as follows: communications from management with general counsel or outside counsel are privileged when for the express purposes of obtaining legal advice and when intended to be confidential. All other communications with counsel are not privileged. The organization is the holder of the privilege and can waive it at any time.
  10. Communication between individual employees and counsel may be privileged but no attorney-client relationship exists between counsel and client employees.
  11. All documents created or generated for the purpose of seeking legal advice during the course of the risk assessment should be clearly marked as “privileged.” “Attorney-Client Privileged Communication” is also an acceptable way to mark documents.
  12. In order for communication to be subject to attorney-client privilege, the communication must be with counsel for purposes of obtaining legal advice and intended to be confidential. Just marking “privilege” will not protect the communication. These communications should be made in confidence and not involve anyone that does not explicitly need to know their contents.
  13. Third parties engaged for the purposes of the risk assessment should work at the direction of the general counsel or outside law firm and report directly to the general counsel or outside law firm. General counsel or outside counsel should be copied on all communications between client and any third party.
  14. Carefully handle all records and documents that are created as part of the risk assessment that may be privileged. Access to records and documents to individuals and third parties not covered by the privilege must be restricted.
  15. Determine in advance whether the results of the risk assessment are to be shared with employees other than the general counsel. If shared, consider formally designating the individuals to demonstrate the intended recipients of the legal advice. Specify that no other individuals require access to records and documents generated by the risk assessment.
  16. Corporate oversight for the risk assessment should be the responsibility of the audit committee of the board of directors or similar governing/oversight committee.
  17. The general counsel should be present to preserve the privilege, when possible, and he or she should be required to be present if sensitive information is likely to be disclosed or reduced to writing where legal advice has been requested or provided regarding the disclosed items or writings.
  18. Documents or notes created during the meetings with employees are part of the risk assessment should, upon conclusion of the meeting, be gathered by the general counsel and stored in a separate file marked “confidential” and “privileged.” Failure to mark such documents does not negate the privilege. Notes regarding these meetings should not be retained by individual employees unless they are intended to be discoverable or do not contain information that the organization wishes to retain under the attorney-client privilege.
  19. General counsel should consistently and carefully evaluate all questions related to the assertion of the privilege and catalogue records or documents marked as privileged.
  20. The general counsel should train senior executives and members of management on the importance of the attorney-client privilege so that all employees of the organization understand how the privilege can attach or be waived.