The Difference Between Legal Risk and Business Risk

One of the most frequent pain points inside any business is distinguishing what is business and what is legal. Everything is ultimately business if it touches the bottom line. Everything is effectively legal if it touches on some obligation or liability. Strong—or weak—personalities can easily shift something from one box to the other.

Business vs. legal isn’t just a theoretical question—it manifests itself in all kinds of practical ways. Who is responsible for reviewing which clauses in a contract? Which department absorbs the cost of insurance? Who must respond if something goes wrong?

This post breaks down: (1) what is business risk; (2) what is legal risk; and (3) how healthy organizations are able to distinguish the two.

  1. Business Risk. Business risk is uncertainty about outcomes over which we have some control. Will this deal be profitable? Will we be able to pay on time? Is this vendor the right one for our needs? Business risk lives in the realm of judgment, strategy, and tradeoffs. The key marker: a business risk is one a founder or CEO can own without legal training. You might bring in a lawyer to document the decision, but the decision itself is commercial. If something touches on the 4 Ps—price, product, placement, promotion—timing, or logistics, it is firmly within the realm of business risk.
  2. Legal Risk. At its core, legal risk is externally defined and enforced—by courts, regulations, counterparties—regardless of our actions. Regulations—and penalties—exist regardless of whether we choose to follow them. Our employment practices must comply with local labor laws. Contracts create obligations that may not benefit us commercially. If there is an indemnification clause, we are on the hook—even if it is not in our commercial interest. The key marker: legal risk is typically defined by someone outside the company—a court, a regulator, a counterparty. This is where lawyers earn their keep.
  3. How Healthy Organizations Distinguish the Two. We may intuitively know the difference between business and legal risk. But many organizations encounter paralysis when legal and business collide. After all, a bad business judgment may result in a lawsuit. A few principles help to draw the line in practice:
    • Clarify Decision Rights. While legal flags the risk, the business team decides whether to take it. The lawyer’s job is to make sure the decision-maker understands what they’re accepting, not to make the decision for them. In practice, this frequently involves escalating. Good in-house counsel know when a question requires senior sign-off rather than a decision by a junior business team member—accepting unlimited liability or providing third-party indemnity, for instance.
    • Know Your Lane. Legal teams that make business calls create bottlenecks and resentment. Business leaders who dismiss legal concerns—or don’t consult with legal at all—create liability. Both failure modes are common.
    • Make Obligations Explicit. Healthy organizations name it out loud—“this is a business call, here’s the legal guardrail”—rather than letting the two blur through force of personality or organizational politics. A best practice is to identify in advance which stakeholders have decision-making authority on which types of issues.

Effective risk management requires ownership of the risk. If everyone is responsible for something, then no one is. Distinguishing legal and business risk prevents a tragedy of the commons—and puts responsibility in the right hands.

Disclaimer: This blog is for informational purposes only and does not constitute legal advice. Reading or interacting with this content does not create an attorney–client relationship. You should consult a qualified attorney for advice regarding your specific situation. Mehaffy, PLLC disclaims all liability for actions taken or not taken based on this blog.
