VUCA and the Management of Legal Risk

VUCA is an acronym for volatility, uncertainty, complexity, and ambiguity – four dimensions of risk – and a tool that can used to better manage legal risk. Designed by the U.S. military and reinforced by business,[1] it describes an environment that is so continuously buffeted by legal, social, and economic risks that it’s persistently at the edge of chaos. Threats are uncertain and diffuse and conflict is inherent and unpredictable.

In a new paper, available here, I show how firms can respond to legal VUCA in order to capture value and manage risk. In this post, I first define each element of VUCA, then describe the sources of legal VUCA, and, finally, summarize some of the ways that firms can manage legal VUCA.  The four risks and firms’ responses to them are summarized in Table I.

Defining VUCA

Volatility imposes a sudden and unstable risk. Volatile events tend to appear in bursts, whereby sudden surges generate significantly enhanced activity over short periods of time followed by a longer period of stability. Firms facing volatility may be fully aware of the causes and consequences of a volatile event, but unaware of when and where the next volatile event will strike. A natural disaster and a factory fire are examples of volatile events.

Firms facing uncertainty are afflicted with a lack of knowledge and an unawareness of whether the cause or effect of an event is significant enough to be a significant risk. This lack of knowledge can be caused by too little information, information overload, or information that is conflicting or unstable. A firm facing the introduction of a rival’s product into the market, and remaining unaware of whether the rival product will be a game-changing device or merely incremental improvement, is an example of uncertainty.

Complexity is created when a network of interconnected variables and stimuli is difficult to understand. Observed causality between system inputs and outputs are opaque, causing firms that must engage with the complex system to make decisions in the absence of full information. A company bureaucracy, a financial market, and a legal system are examples of complex systems. Ambiguity is the most challenging risk condition. It creates risk so nebulous that it defies prediction. Causes and consequences of the risk are unknown. Multiple options appear to be equally viable. Ambiguity leaves risk-bearers unable to conduct even basic inquiries about risk management and control. Paradigm challenging events such as the rise of the internet, blockchain technology, and the transition from print to digital media are examples of ambiguity.

Sources of Legal VUCA

Legal volatility can originate from a variety of legal shocks to the firm. The risk of litigation can arise from most branches of a firm’s operations. Regulators can demand sudden inspections or pursue sanctions with little warning. Routine changes in legislation can also generate volatility for firms that are surprised by them. Managers can also generate legal volatility through excessive confidence in their ability to manage away legal risk.

Legal uncertainty arises from the flexibility inherent in a legal system. As lawyers know, judges have significant discretion to interpret prior cases pursuant to stare decisis according to their best judgment. Appointed administrative agency heads can emphasize some rules over others and have their own discretion. Individual agency regulators act as a multiplier of that discretion, potentially incorporating their own preferences in choosing when and how to enforce rules. These discretionary behaviors create uncertainty about what is the least risky action.

Legal complexity arises from the density and interconnectedness of the legal system and the inability of an outside observer to readily assess cause and effect. Vertical complexity arises when higher courts change legal doctrine that must be disseminated and adapted in lower courts. Horizontal complexity appears when sub-systems within a larger legal code interact with one another. A single title of the U.S. Code can have as many as 535 internal citations to another code title. Such complexity is difficult to manage except for experienced lawyers, increasing a firm’s costs of managing legal knowledge.

Legal ambiguity appears when a misalignment exists between the legal system and the subject of regulation. Traditional methods of legal analysis cannot predict how the law will develop. Legal ambiguity is uncommon, but most often occurs as a result of a regulatory lag between innovations and the ability to regulate them effectively. Traditional analogy-making is sufficiently tenuous in ambiguous environments that lawyers cannot clearly advise clients on how the law will develop. The result is a gap between policy and practice where the rule of law does not guide actors toward acceptable action.

Managing Legal VUCA

Law and business are inseparably linked. As long as there are legal systems, organizations must manage legal risk. Each VUCA legal risk has distinct characteristics, and so requires distinct responses.

A firm can improve its responsiveness to legal volatility by developing agility. Organizational agility is the capacity to adapt to rapid and disruptive change. To manage legal volatility, firms can stockpile funds in anticipation of legal defense or gradually increase capital investments to prepare for regulatory demands. Firms can also develop crisis management plans involving the general counsel, public relations experts, and senior level executives. Finally, firms can closely watch for favorable legislative updates, react quickly, and benefit from first-mover advantages. For example, preparation by hotel giant Starwood Hotels and Resorts Worldwide enabled it to quickly leverage the relaxation of U.S. embargo regulations, enabling it to be the first hotel chain authorized to operate in the Cuban market.

Legal uncertainty is essentially a knowledge problem, and it can be managed through dismantling information barriers. Firms can diminish uncertainty by encouraging engagement between stakeholders in legal decision making. Lawyer-executives, led by the chief legal officer, must be involved in core decisions and outside law firms kept aware of latest developments in the corporation. For example, Enron’s board of directors facilitated wronging – and eventually doomed the company – by blocking law firm Vinson & Elkins from fully tackling accounting regularities at the company. In contrast, PepsiCo formed the PepsiCo Legal Academy and encouraged its lawyers to work more closely with its business units. Attorneys and other legal stakeholders were encouraged to speak up about the negative business implications of a proposed transaction rather than just its legal implications, thereby increasing coordination between law and business and reducing the potential for errors.

A firm can manage irreducible legal complexity by restructuring its internal operations to mirror and thereby respond to that complexity. A firm’s compliance program should be no more complex than necessary to manage its legal and ethical obligations. If managers and even lawyers feel burdened by legal jargon or constrained by excessive bureaucracy, compliance is not managing legal complexity effectively. DuPont’s legal team once used 350 law firms and 150 outside vendors of legal services. After a thorough review of its legal needs, the company reduced these stakeholders to only 34 law firms and four vendors. The results were millions of dollars saved, a streamlined process of legal management, and potentially far fewer errors.

Legal ambiguity represents unique challenges, largely because it derives from a lack of enough information to make an intelligent decision. Firms can respond to legal ambiguity in three ways. First, they can seek to develop new standards jointly with public authorities. If that’s not possible, a firm can set its own standards through self-regulation. Finally, when a firm cannot co-regulate or self-govern, it must experiment with the legal environment. That requires the firm to carefully attempt new strategies in order to assess responses by regulatory authorities. Rideshare giant Uber was forced to experiment in a legal environment that had little or no infrastructure to regulate the rideshare industry. The internet of things, legal artificial intelligence, and aspects of data protection are other examples of environments that are legally ambiguous for firms.

The potential for applying VUCA to improve risk management is virtually limitless. Fields as varied as banking, corporate governance, information technology, and the legal profession all face risk management problems and can benefit from VUCA. The application of VUCA to legal challenges can help organizations manage risk better than their rivals do and capture value previously unavailable to the firm.

Table I: VUCA Environment and Firm Responses

Definition Sources of Legal Instability Coping Strategy Steps Toward Mastery
Volatility Volatility is an environment where change is fundamentally unstable and unpredictable. Forces in volatile conditions tend to fluctuate sharply and without warning. Threat of private litigation; government enforcement of legal rules; sudden legislative enactments and judicial rulings Train agility to react with creatively and decisively when even when external pressures demand immediate action. 1) build lean absorption through stockpiling of resources, 2) establish rapid response plans to deploy legal resources, 3) leverage preparation for volatility to outflank firms and gain first-mover advantage
Uncertainty Uncertainty is driven by a lack of knowledge. This lack of knowledge is not of the cause or effect of a particular event, but whether an event is significant enough to require a meaningful response. Finite rules tasked with regulating an infinite set of problems; courts giving conflicting interpretations of the same rule; government agency discretion encourages varying applications of regulations Obtain knowledge about the legal environment that is shareable across functional units and is integrated into decision-making processes. 1) bridge the knowledge and attitudinal gap between lawyers and businesspeople, 2) foster partnered engagement between business and legal departments, 3) involve key legal executives to improve core decision-making functions
Complexity Complexity is the presence of numerous interconnected parts and variables in a given environment that are difficult to process by an organization and as a result drain resources and cofound decision making. Necessity of legal rules to apply to complex transactions and withstand circumvention; imperfectly written rules generate unnecessary complexity; refinement of rules to increase fairness also increase complexity Restructure intra-organizational legal structures to align the firm with irreducible complexity of the legal environment 1) eradicate unnecessary convolution of legal rules, 2) manage irreducible intricacy  in order to optimize utility for decision making, 3) restructure operations to align legal rules with environmental complexity through a effective system of compliance
Ambiguity Ambiguity arises when relationships between cause and effect are largely unclear, weak historical precedent exists for a decision, and consequences are largely indeterminate. Rapid changes in technology; accelerating growth in innovation; limited ability of government officials to anticipate and regulate in advance of new ideas Experiment with new strategies, collaborate with regulators when possible, process feedback, and adjust subsequent plans according to the feedback received. 1) co-regulate with public entities, 2) develop proactive self-regulation, 3) build a learning organization that can process and improve upon legal experimentation


[1] See George W. Casey, Jr., Leading in a VUCA World, Cornell S.C. Johnson College of Bus. (2017),; Nathan Bennett & G. James Lemoine, What a Difference a Word Makes: Understanding Threats to Performance in a VUCA World, 57 Bus. Horizons 311, 312 (2014).

This post comes to us from Professor Robert C. Bird at the University of Connecticut’s School of Business. It is based on his recent paper, “VUCA and the Management of Legal Risk,” available here.

Leave a Reply

Your email address will not be published. Required fields are marked *