Workplace law: Doyle Clayton

Workplace Law | 23 January 2019

The Prisoner of (Egon) Zehnder
Non-compete clauses – are they still useful? Do they still work?

There’s no doubting that Anne M Mulcahy, former chair and chief executive of Xerox got it right: ‘Employees are a company’s greatest asset – they’re your competitive advantage. You want to attract and retain the best; provide them with encouragement, stimulus, and make them feel that they are an integral part of the company’s mission.’ [Continue Reading]

The essential facts for real estate projects in Mexico

Real Estate | 23 January 2019

Real estate in Mexico involves several branches of the law. The enforcement of the law varies according to the branch responsible for the matter. Income tax, for example, is a federal tax, but, in general, real estate projects depend on the municipality or state where the development takes place. [Continue Reading]

Real estate projects in Slovenia: the basics you need

Real Estate | 23 January 2019

The Slovenian legal system is a civil law system. Transfer of property is regulated predominantly by the Law of Property Code, the Code of Obligations and the Land Register Act. These regulations lay down rules regarding the acquisition and transfer of property as well as formal contractual requirements, whereas some other restrictions, for example pre-emption rights of municipalities or administrative approvals of transfers, can be found throughout the legislation if the property that is the subject of transaction is located in certain areas of particular importance to the public interest. [Continue Reading]

Technology developments: data to remain in the driving seat in 2019

Intellectual Property | 23 January 2019

2018 was the year when data protection law seemed to be at the heart of many big news stories. The General Data Protection Regulation (GDPR) came into force in May, gathering lots of attention in the media, as organisations worked out what they needed to do to prepare. We have also seen the revelations in relation to Cambridge Analytica and Facebook and use of personal data in political campaigning, as well as major cyber attacks on the likes of Carphone Warehouse and British Airways, to name but a few. [Continue Reading]

The Duty to Insure in Times of Uncertainty – Risk Management and D&O Insurance under the Business Judgement Rule

Insurance | 23 January 2019

“Prediction is very difficult, especially about the future.” Managers are faced with the consequences of this aphorism on a daily basis. Even diligent management inevitably means taking risks.

Both statutory as well as contractual liability provisions entail that managers increasingly focus on documentation exercises in order to mitigate risks. For the same reason, risk management systems are constantly refined so as to identify and differentiate risks and reflect these in internal risk and process control systems to allow for quantification and planning. Yet, often it is the risk of (supposed) “fat-tails” that jeopardise businesses and trigger issues of manager liability.

This article examines, primarily from an Austrian perspective, which standard of care directors and officers owe when it comes to quantifying a business’ risks and, subsequently, to providing for adequate safeguards or mitigation measures against those risks.

Duty to Establish an Internal Control or Risk Management System?

Incorporated companies (‘Kapitalgesellschaften’) are under a legal duty to establish an Internal Control System (“ICS”). Specifically, this means that directors and officers have to safeguard the establishment of rules and methods ensuring the company’s financial stability, proper accounting and compliance with corporate policy.

The establishment of a – more elaborate and complex – Risk Management System (“RMS”), under Austrian law, is mandatory only for banking institutions, insurance and re-insurance undertakings as well as for some areas of business, for which special sector-specific provisions exist (e.g. investment funds). Thus, on the face of it, there appears to be no (statutory) duty to establish a Risk Management System for all incorporated companies (as opposed to the general duty to establish an ICS, see above). Yet, risk management is an integral component of any internal monitoring or control system. To that effect, the Austrian Corporate Governance Codex (ÖCGC) requires – for the undertakings it applies to – the establishment of a viable RMS (cf rules 9, 69 et seq ibid.).

The concept of risk management, ultimately, does not stem from corporate law but is rather generally considered to be a core task of business management and thus rooted in (micro-) economic rather than legal concepts. As a consequence, from a business administration point of view, the establishment of a tailor-made RMS can be regarded as the expected standard in terms of diligent and modern business management. International standards such as those of the ISO 31000 family can provide guidance when creating Risk Management Systems.

Establishment and Contents of a Risk Management System

In light of the fact that the legislator did not regulate the necessary basic form and minimum content of Risk Management Systems, the relevant parameters are to be drawn from strategic business insights. In this regard, the term “risk” does not have a strictly negative connotation. In fact, it also includes the taking of entrepreneurial chances in order to realise the potential advantages of the management decision. The goal of any risk management is to avoid situations that could jeopardise the business and, at the same time, to focus on those opportunities that best match the strategic business goals. In this respect, Risk Management Systems are supposed to serve as means to ensure a certain amount of stability. The idea is not, however, to eliminate all risk or to constantly act on the presumption of a worst-case analysis as this would paralyse entrepreneurial behaviour altogether.

Hence, as a first step, one has to identify the company’s individual willingness and ability to take risks. In this regard, effective risk management requires a detailed, case by case analysis of any and all risks arising out of the business activities carried out. This exercise is necessary even in cases where – due to an increased willingness to take risks – certain risks are eventually disregarded in the planning of the desired risk control. Once the entirety of risks has been identified, their individual connections and possible reciprocal relationships have to be established.

Before deciding on the appropriate means and measures to control or steer the risks identified and quantified as relevant, an in-depth risk assessment and risk analysis is to be carried out. This enables an undertaking’s management to identify the extent and probability of harm or damage that certain individual risks may cause. Based on these cost-benefit findings, directors and officers can make informed decisions on tackling undue risks and controlling tolerable or even viable risks. Potential risk management measures include (i) the general avoidance of risk (discontinuation of risk-prone business activities), (ii) the reduction of risk (quality inspections), (iii) the reduction of potential damage amount (hedging of price risks), (iv) the decision to bear the risk (when sufficient equity or liquidity is available) as well as (v) transferring the risk to a third party (e.g. by way of taking out insurance).

In order for the RMS to function and have a lasting effect, the steps outlined above have to be checked and repeated on a regular basis.

Effects of the Business Judgement Rule on the Establishment of Risk Management Systems

According to the Business Judgement Rule (“BJR”) a decision taken by a director or officer is considered to have been in line with the general requirement of acting with the care of a prudent businessman if the decision is made “on an informed basis, in good faith, and in the honest belief that their actions are in the corporation’s best interest”.

Where a decision taken fulfils the criteria of the Business Judgement Rule but eventually turns out to be detrimental, the responsible directors or officers will – as a general rule – be exempt from liability. Austrian law explicitly sets forth this rule for private limited companies (‘Gesellschaft mit beschränkter Haftung’ or ‘GmbH’) and public limited companies (‘Aktiengesellschaft’ or ‘AG’).

Consequently, obtaining sufficient data first and only then making an (informed) decision is quintessential for avoiding liability. However, the Business Judgement Rule can only provide for a safe harbour to the extent that the decision is not contrary to statutory provisions, stipulations in the articles of incorporation or basic principles of business administration.

Therefore, in the given context, it is necessary to distinguish between compliance with basic principles of risk management (identification, evaluation and controlling of risks) on the one hand and their implementation on the other hand. Directors and officers are – as a consequence of their obligation to exercise the care of a prudent and diligent manager – obliged to adhere to these principles. This, in turn, means that reliance on the Business Judgement Rule is not possible if these principal duties are neglected.

However, directors and officers have a certain discretion when deciding which instruments and measures are to be implemented in order to mitigate and control the various risks identified. The same level of discretion applies with regard to the chosen method of risk evaluation. This creative freedom is limited in the sense that outdated or completely unorthodox methods may not be taken into account.

The extent to which risk management is to be implemented as well as the choice of instruments to be applied will depend on factors such as (i) the size, complexity and economic capacity of the business, (ii) the specifics of the market in which it operates, and (iii) any specific factors, such as a shortage in liquidity.

Summing up, the establishment of an appropriate Risk Management System is obligatory for all undertakings. Directors and officers are, however, relatively free in deciding on the methods of identifying and assessing risks as well as on which means and instruments to implement in order to control the respective risks. In order to avoid liability in light of the principles of the Business Judgement Rule, each director or officer concerned has to be able to prove that the decision in question was taken on an informed basis, i.e. based on a thorough risk analysis.

Is there a Duty to Insure?

The materialisation of risks often results in deviations from an undertaking’s economic planning (e.g. loss of profits, unexpected expenses). One method of counterbalancing these discrepancies is to take out insurance. This, in essence, transfers the insured risks to a third party with the goal to minimise, and if possible, to fully balance any future losses.

From a strictly statutory point of view, this approach is optional for most companies doing business in Austria. Austrian law – except for certain particular business activities and risks – does not provide for a general obligation to take out business liability insurance or any other form of (pecuniary damage) liability insurance such as Directors and Officers Liability Insurance (“D&O insurance”). If, in economic terms, this form of risk management is the most appropriate solution, obtaining adequate insurance coverage should be considered.

The decision whether to take out insurance and, subsequently, the choice of insurance product can and should be based on the findings of the risk analysis already carried out. Thus, the potential extent of loss and occurrence probability will have to be evaluated against the background of insurance premiums. This deliberation process should also consider the differences between the various insurance products available on the market (or individually customised insurance solutions) e.g. in terms of sum insured, deductibles and coverage exclusions as well as, more generally, other ways of loss mitigation. Where, however, the materialisation of a certain high-stake risk has the potential to endanger the economic existence of an undertaking, management is obliged to ensure adequate insurance coverage even where other (less effective) means of minimising risk are more affordable.

It should be noted that not all risks are insurable for legal or factual reasons and that it does not necessarily make sense to obtain coverage for each and every risk regardless of the costs. Risk mitigation by way of taking out insurance is only advisable when it comes at a commercially reasonable price (cost-benefit analysis).

In a nutshell, there is no general (legal) duty to obtain insurance coverage. However, the standard of care of a prudent and diligent manager requires directors and officers to review, for all risks identified as relevant, the financial reasonableness of obtaining insurance coverage.

D&O Insurance – The Panacea Insurance Policy?

Directors and Officers Liability Insurance policies are often presumed to be some kind of “super-insurance” addressing all business risks. Consequently, one might expect that D&O insurance policies were to also cover situations in which the responsible directors and officers consciously failed to ensure risk-adequate insurance coverage for a certain hazard or contingency (thus providing insurance coverage for risks not insured). This conclusion can of course not be drawn. It goes without saying that the D&O insurer will not compensate losses accrued as a result of management’s conscious or even deliberate failure to manage the risk in question (or, all the more, where management did not provide for risk control mechanisms at all). Additionally, one has to keep in mind that the typical D&O policy merely covers pecuniary losses (‘Vermögensschäden’) and generally excludes indirect losses, e.g. those resulting from personal or material damage (‘unechte’ or ‘abgeleitete Vermögensschäden’).

All the same, the popularity of D&O insurance remains high, inter alia owing to the fact that most D&O products offer a fairly reasonable, cost-effective protection against risks that were previously unknown (despite a thorough risk analysis). The presence of D&O coverage as an addition to an existing control system – be it an ICS or an RMS – enables an undertaking’s directors and officers to act more freely in reaching business decisions by reducing the impact of liability risks.


Based on the above illustrations, every executive is obliged to not only see to the establishment of an effective Risk Management System but also to intervene appropriately where (considerable) risks are in fact identified. Directors and officers may, on the other hand, decide at their own discretion on the exact means and methods to implement as well as on whether to obtain insurance coverage for certain risks.

Fintech – Trends and Developments in France

Finance, Legal Technology | 12 November 2018

Overview of the current legal market in France and recent developments

French authorities and regulators have exhibited constant interest for FinTechs, which are driving technological innovation and providing additional financing sources. François Villeroy de Galhau, Governor of the French central bank and Chairman of the French banking regulator, said in 2017 that “the digital revolution is creating challenges but also incredible opportunities that are just waiting to be seized, whether by FinTechs themselves, by the entire financial system – banks and insurers – or by the French and European economy as a whole.” Regulations implemented in the last few years demonstrate French regulators’ commitment to quickly establish appropriate frameworks that foster the development of FinTech companies while ensuring investors’ protection. [Continue Reading]

Grave professional misconduct; a remaining ambiguity in EU public procurement

Public Sector | 01 November 2018

The legislation regulating public procurement procedures in the EU is the Directive 2014/24/EU, which repealed Directive 2004/18/EC. In Cyprus the Directive has been transposed into national law under the Law no. 73(I)/2016 (hereinafter “the Law”). Under Article 57 the Law refers to public procurement procedures which entail, inter alia, the grounds for exclusion of economic operators. Article 57 of both the EU and national law serves as a guide to national authorities when deciding on the possibility of excluding economic operators who have placed bids on public tenders, whilst concurrently serves as a guidebook to economic operators as to what behaviours to avoid in order not to be excluded. [Continue Reading]

A Blockchain Reaction

Disruptive tech, Finance, Legal Technology | 31 October 2018

Malta’s proactive approach towards asserting itself as a leader in the regulation of virtual financial assets

Anyone taking even the slightest interest in FinTech over the past few years would be very much aware of the increased adoption of cryptocurrencies, ICOs and utility tokens as alternative methods of raising finance or creating a challenge to the world’s standard ‘fiat’ currencies. These phenomena are not entirely new, with cryptocurrencies having risen from the proverbial ashes of the 2008 financial crisis. However, the increasingly widespread adoption of cryptocurrencies, which ostensibly create a medium of exchange that could challenge regular government issued money, have made them central to national and international efforts to address these phenomena through proper legislation and regulation. Perhaps – many argue – too little too late. [Continue Reading]

Brexit and mergers

Brexit | 04 October 2018

Losing the ‘one-stop-shop’: the real cost of a dual UK/EU merger process post-Brexit

With only a matter of months left before the UK officially leaves the EU, the Government is no clearer as to what a deal (if indeed there is one) will look like.  Meanwhile businesses across the country remain largely in the dark as to what Brexit will mean in practice.  This is particularly problematic for companies planning their corporate M&A strategy.  The statistics suggest that Brexit has not resulted in the expected downturn in merger activity.  However, if the UK is no longer a member of the European Economic Area (EEA), then there will be no ‘one stop shop’ for mergers at the EU level and a separate review may need to be carried out by the UK Competition and Markets Authority (CMA).  This means merger notification may be required to both the European Commission (Commission) and the CMA.  Although the UK regime is voluntary, notification is advisable if competition issues are likely to arise.  This will result in a significant increase in transaction costs, time and administration for UK companies faced with an additional merger filing.  There is also potential uncertainty as UK companies face possibly divergent or inconsistent decisions.

[Continue Reading]