GeoLegal Weekly #11 - Defining Geolegal Risk

With geolegal risk, we don't just "know it when we see it." In this issue, we define geolegal risk, restate urgency for why it is critical to manage it, and offer some initial views on how to do so.

I’ve been really excited by the traction this newsletter has gotten and by resultant conversations with each of you. This indicates what I’ve long felt - that legal leaders at least implicitly understand that “geolegal risk” matters to business. For this week, alongside one of my co-founders Steve Heitkamp, who is also a risk expert, we’re going to get much more explicit about what geolegal risk is and unveil the definition of the term as we’ve coined it. But because the definitions are kind of dense, we’re going to start by restating urgency.

Geolegal Risk is a Matter of Urgency

To our mind, there has never been such a clear moment when the linkage between politics and legal risk have moved in tandem. 

First, the law is increasingly becoming weaponized. Sanctions regimes are one manifestation of this - in effect, countries telling each other that if you do something I don’t like, I’ll cut off you and your businesses’ access to my economy or even the global economy.  But there’s also the fact that AI is going to dramatically reduce the marginal cost of legal activity. One can imagine in the not far off future that AI will drop the marginal cost of doing legal work to zero in some forms. I’ll write about scary tech driven scenarios in a couple weeks but for now, we can imagine that a world where legal battles are increasingly cheap to initiate lends itself to the equivalent of denial of services attacks using the courts - perhaps engineered by state actors - who attempt to slow down rivals’ progress and drain their coffers. There are many other examples.

Second, the global economy is fracturing into spheres. Countries and companies are soon going to have to choose if they are in a US-led camp or a China-led camp - a choice many countries will try to resist by hedging. In such a scenario, businesses who have reaped the benefits of a globalized economy are going to have to rethink business models. But, critically, they are going to have to rethink legal risk exposure because the rules of the game are changing. And, increasingly, they are going to be playing with two (or many more) sets of politically motivated frameworks that drive rules which impact their businesses. 

Third, technology is disrupting traditional businesses. Companies with breakthrough technology are able to leapfrog legacy competitors in terms of market value and are then able to use the legal system to try to build a moat around their intellectual property and advancements. Such a dynamic has been going on for some time but I increasingly feel like the latest AI race has a winner-take-all sense that is consolidating capital and talent under singular corporate entities who are aggressive in lobbying regulators and defending their territory through legal means. 

Fourth, the impetus around ESG - and its associated backlash - is creating political cross-currents for companies that are more complicated than most have dealt with. If you don’t care about the environment and diversity, you might run afoul of mandates that you should. But if you do, you might run afoul of interests who are using the court system to stop you from doing so. What’s a company to do except acknowledge the risks and design a strategy that aligns their values with actions anticipated to cause the least harm to their business? (For more on Sean’s views on the ESG dilemma see here).

Fifth, we are living in a period of time where the cost of legal is skyrocketing. In legal operations circles, we hear a lot about bill rates - and, sure, there’s a major issue with those. But the true cost of legal is actually driven by a) how complex legal work has become and b) blockbuster punitive verdicts courts seem increasingly willing to dole out. As Gillian Hadfield notes, citing a Duke University survey, the cost of discovery alone for a large company involved in litigation can range from $600,000 to $10 million - and only 1 page out of 1,000 produced in discovery is used in trial. On the second point, we are living in a time where losing a judgment can kill a product or a business - or dramatically increase the cost of insurance for the system when insurers are backstopping that cost. In a world where rule of law is eroding and courts are potentially politicized, the fact that the stakes are growing is a meaningful development. 

Sixth, the regulatory apparatus we rely on today was not designed for the challenges of tomorrow. Regulation is getting more complex as businesses have a stew of global rules to follow, much of which are trying to anticipate technological changes of the future (for an interesting way to think about measuring regulatory complexity, check out Dan Katz and Michael Bommarito’s paper from a decade ago). Many observers, myself included, bemoan that government simply can’t keep up because it lacks talent to understand and regulate such complexity. To solve this problem, Hadfield has suggested creating a private market of for-profit regulators who are up to the task and who compete with each other to capture economic gains from designing the best regulation and evolving it. There’s a lot that’s compelling in that vision - but the pathway from here to there would probably be one of increasing complexity before arriving at elegance. 

And, of course, there are a bunch of wars and nationalist politicians which could reshape maps and social bargains. Sean’s written a lot about those already.

So, yeah, geolegal risk is on the rise. But what is it exactly?

Defining Geolegal Risk

It’s tempting to treat geolegal risk like obscenity - we know it when we see it. If we did that, we could leave it undefined and let everyone roll their favorite elements into it. But we think the first step in taking Geolegal risk seriously is to give it a clear definition so we can be sure what it includes and what it does not as we build a view toward managing it.

Our house definition of Geolegal Risk is “politics manifesting through the legal vector to cause harm or opportunity.”

Let’s unpack the definition above.

Politics in this definition is much more than national governance or the drafting of laws. Politics is really about the way different groups in society interact. It is about the way different nations interact with each other - what many today would call “geopolitics” even though that term’s origins have more to do with geography. Politics is about the ways businesses try to use the policymaking or regulatory process to their advantage. It is about the government reaction function to economic and social changes. It is about second and third order effects because fundamentally politicians are trying to respond to what’s going on in society and that’s an evolving assessment. 

For example, China moved this week to redefine its purchasing rules for government and state-owned enterprise computers to only allow inputs from a list of Chinese firms, limiting a market opportunity for Intel, AMD and Microsoft unless they want to submit tons of sensitive corporate information to China and substantiate that they are designing and developing their products onshore (hard to imagine). This is politics - not because it is a regulation but because it is driven by rising distrust between the US and China and an effort by both to separate their high-tech supply chains. Crucially, this type of scenario was not far-fetched and probably was anticipated at least in representative form by the companies affected.

The legal vector is the channel by which political events transform into legal risks. Companies and other organizations deal with seemingly non-political legal risks every day: Defending the company in court against a government inquiry, suing foreign competitors for patent infringement, complying with local regulations and the like. And they manage those risks as they arise.

What’s often missed about legal risk is that it may not actually be a series of unrelated one-off events. Legal risks come about because political forces in society conspire to produce sustained changes in the operating environment to their advantage using the law as a tool. The government may be investigating you because it is politically popular to do so. Your competitor may be infringing on your patent because they believe they have sway to prevail in local court if you challenge them. 

So, China’s move above, then, is not just a single offshoot of US-China tension. It is a signal that China is seriously decoupling technologically from the US. It is part of the story of the US doing the same thing - some of which I wrote about last week with respect to TikTok. When thought of like this, often the way companies experience the manifestation of political changes is through the legal vector - when policies go from idea to legal ramification. Those ramifications are foreseeable, as is the core policy change itself. 

Risk, to most people, is an exposure to a potential harm that is mathematically represented as Risk = Probability X Impact and often categorized onto an enterprise risk map where representative one-off events with more probability and more impact are the top concerns.

To us, risk is a multifaceted concept that extends beyond Probability X Impact of some negative event. Risk management is about constantly revising what you think can happen, the likelihood of those things happening, and the impact if they do based upon a stream of new data layered upon prior events.

And risk management is not just about negative events, but the positive actions you can take to mitigate risks while simultaneously seizing opportunities. Where can you be bold because others are afraid? Where should you step cautiously even as others run ahead? For instance, a new law might threaten your company with a big fine. But if, instead, your competitor is more at risk of a big fine, that might actually be a good thing for you. And if you are evolving your products not just to avoid fines, but to adapt to the sentiment driving their enforcement, even better.

Risk further involves not just the anticipation of what has happened before but preparing for the unprecedented, with a keen understanding of how global affairs translate into tangible impacts on our operations. As we’ve outlined above, the world is changing rapidly - much of what we will experience in the next ten years, we have never experienced before: Cars will drive themselves; computers representing companies will negotiate with each other until they reach optimal solutions; deepfakes will sway elections.

Risk demands a holistic approach that values a systematic mindset towards all potential eventualities, including the intricate dance of legal and political influences that shape our world. Our view of risk is about recognizing patterns while being agile enough to adapt when those patterns evolve, ensuring we are always ahead in managing not just the probabilities, but the full spectrum of impacts these risks entail. Most traditional models today skew toward the biggest events. Yes, we all need to allocate time and resources to the things that matter most. But the reality is that geolegal risks are coming at us from all sides - what we really need is to systematize a risk mindset with respect to interpreting global affairs and prepare for many potential eventualities. 

A further limitation of the traditional model is that it can often encourage a focus on understanding probability rather than truly understanding impact. For instance, a state-sponsored hacker shutting down the energy grid in Boston would have a catastrophic impact on most businesses in the area. If you accept that, then you list impact as “high” and spend much more time trying to really understand what the odds are of the event - after all 2% and 20% are both low probability but very different propositions. Sean spent nearly 15 years in the political risk sector forecasting primarily the probability element of the standard equation because that was what investors and businesses would pay for.

With geolegal risk, however, impact might actually be the whole game. First, most companies do not have a systematic understanding of how politics translates into legal risk, as outlined above. Therefore, when trying to understand the company’s overall exposure to political risk, the legal risk variable is often underweighted because it is unarticulated - saying it is “high” for an event is not that helpful. Solving the specificity of how politics manifests as legal risk goes a long way to geolegal risk management. Second, impact is dynamic and must consistently be remapped to fully understand it. Pattern recognition can be crucial so long as you realize where in the pattern you are - and if the pattern is changing.

Where Do You Start?

So geolegal risk is now a real, defined category of risk and in general it’s rising. What should you do? At risk of making an already long note longer, we’ll give a few quick hints at points we’ll expand in future notes:

1. Know Yourself : First it is critical that you know yourself and your exposures. Geolegal risk doesn't just affect you but it affects your customers and your suppliers too. Do you understand the full value chain of your business and are you able to anticipate how political shifts will create legal risks for those entities that blow back to you? For instance, often risk matrices will have general risks like “economic downturn affecting customers” but in reality specific verticals of your customer base can have the same dynamic play out if a set of political choices are made that disadvantage them. And a change of political circumstances does not affect all customers equally.

2. Know the World: Businesses are increasingly aware of the world around them - they monitor their complex exposures and they engage with governments to try to shift their opinions and policies. The world is changing rapidly and not all businesses can afford large scale teams dedicated to monitoring, analysis and influence. Even those that can would benefit from specialized external expertise to help them really understand what’s going on. But most importantly companies need to realize this is a dynamic and real-time exercise. You do not “know the world” if you produce quarterly assessments. You need a process to pick up signals about the direction of key drivers of risk on an ongoing basis.

3. Link the two together in your operations: What really matters is your context in the world and the actions you are taking as a business within that context. Based on your footprint and based on what’s going on in the world at that moment, what are the key geolegal risks you face? How are those risks evolving? And what are you doing to modify yourself to adapt to the world? And don't just do this as the executive level or within a risk function. Integrate this understanding and your response into daily operations.

Now that your eyes are fully opened to geolegal risk, the real work begins. Have no fear, we’re on the journey with you. 

-SW & SH