Name: Understanding Risk: A Three-Part Model That Helps You Get Ahead
Uploaded: 2026-03-19T17:30:07.282Z
Duration: 59 min 12 s
Description: Understanding Risk: A Three-Part Model That Helps You Get Ahead

Transcript for "Understanding Risk: A Three-Part Model That Helps You Get Ahead": Alright. Hello, everyone. We are live. I'm just gonna give a couple more seconds for folk to trickle on in, and, we can get going. Thank you for joining us. Excellent. Well, hi, everyone. My name is Navin Mahavijiyan. I'm head of community at Agiloft. I'm a recovering attorney myself. I got my start in oil and gas, which is really funny that that we're having this conversation right now about risk. Those of you that are in the industry and the audience know exactly what I'm talking about. Everyone's suddenly interested in force majeure and price control language, right, with the with the rise of the unfortunate rise of crude oil prices as well. But we're here to talk about understanding risk. And my friend, Alla, is gonna share with us a three part model that's gonna help you get ahead in managing it more effectively. And with that, let me introduce our two speakers because you did not come here to to hear me talk about risk today. First off, Ala Valente is principal analyst at Forrester, and Ala's key focus, surprise surprise, is security and risk. And right now, she's researching and focusing on enterprise risk management around AI risk and other risk management frameworks. So in a conversation about risk, I think we need Ala in the room for sure. And we also have my colleague, another attorney, but not recovering, unfortunately, in his case, Jason Barnwell. So Jason, also needs no introduction for those of you that know him, but I'm going to tell you anyway. Jason's Agiloft attorney. He's our chief legal officer. And, you know, before that, he's been an expert in the enterprise software and technology space. Although, as I'm given to understand it, he doesn't like reading contracts as much as he used to these days. But, you know, I think we can pay AI for that. So with that, a couple of quick, you know, notes for all of you in the audience before we get going. Please drop any questions that you have for Jason and Alla in the q and a section that's on the top right of your screen. If you have a really, really fiery interesting question, I might just interject while they are talking and address the question there and then. Or we can, you know, obviously have a q and a session where we'll go through your questions, and Jason and Alla will weigh in as well at the end of this session. Also, there is a document section also on the right top right corner of your page that you can use to download a bunch of materials that we've loaded up. You probably don't want to read these right now, but, you know, if anything looks interesting, definitely download them and take a look after our session. And finally, if any of you want to take a quick demo of Agiloft, there's a big bright orange, get demo button at the top right of the screen as well. So on that note, boring notes aside, let me kind of hand the reins over to my colleague, Jason. You know, Jason, just to get us started, what what does risk look like to you in the CLOC? The, Navin, thank you so much. And I I am honored and delighted to to spend time with Alla. Before I I try to offer some thoughts on that, I wanted to put a little bit of framing around the conversation today. So I am one of Alla customers. She produces content and advisory services that have basically changed the way I think. And this leads into your question, Navin, which is so I I think, you know, when you when you come into a role like a GC or a CLO role, I think it pushes you to think more broadly about what risk actually means. So when you when you start off as a practicing attorney, if you're doing commercial work or other types of transactional work, for example, how how I grew up. You often think about risk as, like, a as, like, an atom. Like, it's a it's a single thing, and I'm doing this contract, and I gotta get right on this. And I don't wanna step too much on all this content, but she's really helped me broaden my thinking on that to think, you know, molecularly. Like, how do the pieces fit together? How do they reinforce each other? How do you have impacts that over here that shapes outcomes over there? And I think this is incredibly relevant for profession and really the legal function. Because if you think about the change that is happening for us, we are being forced to evolve. And where is that coming from? Well, if you look in the past, the way that we I'm gonna be maybe a little bit spicy here. I can't tell. If you look in the past, the way we would run our practice was, you know, we'd show up, and it was this set of services, and, we'd basically be like, look. Some bad things can happen. I don't really have any numbers around those. I don't have much prediction other than, like, sometimes this happens, sometimes it doesn't. But, basically, it was, I'm managing risk for you. Just trust me. Like, I'm I'm doing a good job. And I don't know that that is gonna work in the future, as the other parts of the enterprise change, as the other functions continue to upgrade themselves and have more, intelligence and data, I think we have to evolve how we engage the rest of our companies. And so if if I think about the things that I'm being pushed by my CEO to deliver, he wants speed, so he wants faster decision making. He wants that to happen at scale, so we need to have the the throughput to really move with the the volume change in the business. And he wants he wants governance. He wants control. He wants it to to the things that we're doing to operate in a kind of known space. And and and he's not saying no risk at all. What he's saying is just get us better tools to stay within our control plane. And so that's that's and that's how I'm evolving to think about this. And this is very much influenced by Alla and the the knowledge that she has put into me both with her speaking and also I will say that Forrester the reports that she puts out are absolutely fantastic. And so I encourage people to go read them because they are highly instructive. And so I hope that gives a little bit of a taste of what the conversation is gonna be today. And so with that, Alla, let's go. Yeah. Thanks so much, Jason. I mean, that's a you set a pretty high bar. So my challenge is to deliver. But, yeah, we're gonna get started because welcome to the era of volatility. And today, this volatility is so unrelenting, and it's creating a lot of uncertainty. Now what is volatility, really? Well, volatility, it's the degree of change or fluctuation in a business environment. And you might say, oh, but that's not new. Right? I mean, we've had volatility. And, sure, to some extent, we have. Right? There's been, you know, the change or fluctuation with economic uncertainty or with maybe some sort of geopolitical event or maybe there's a new regulation. But here's what's new and different today. Today, it's all of these things are happening, and they're happening all at once. Right? You know, it's the geo geopolitics, the economic, the trade wars, the supply chain issues. It's also things like speed of innovation. Right? You know, the proliferation of AI. And what this means for CLM and contract management pros specifically is that our contracts, the way they've set up, have never really factored this degree of volatility or this scale of volatility, and that creates huge risk. Not just the risk to the contract, but the risk to the business. And whenever you have this type of turbulence or volatility, you're going to have some companies that just freeze in fear because we're not sure what to do, so maybe we're not really gonna do anything. But then you also have companies that will make big moves. Right? They'll take big risks because risk is really just the flip side of opportunity. And we also know that, you know, with more risk coming from more places, Forrester data, we do a massive survey of, enterprise risk decision makers, almost half of them are telling us that among all of this uncertainty, they're expecting this volatility to actually increase over the next twelve months. So this isn't going anywhere. But, and thank you for setting me up, Jason Barnwell, very nicely. Right? Because today, every conversation centers centers on risk. And here's what I mean. There's the risk of doing something versus the risk of doing nothing. There's the risk of being first. There's the risk of being last. There's the risk of being bold or being obsolete. And if you remember nothing else from this webinar, I want you to remember this. Risk has four letters, but risk is not a dirty four letter word. Because we can't grow, we can't innovate, we can't expand if we don't take risks. Right? I like to say that risk is the name that we give to opportunity. When the outcome is possible, it's just not guaranteed. And you have to if you're going to take those risks, those risks that are worth taking, you need to understand what is the right cost, when is the right time, and you need to be able to do that in this sort of market of volatility. Now I wanna talk very quickly about where is this volatility coming from. And this is the three part model, or as I like to call, the three E's because I just love alliteration. So first of all, you need to understand that risk only comes from three sources. And each one of those sources gives you a different degree of control. The first the first e is the risk from your business, from your enterprise. And this is the risk that you've created for your company based on the things you did or the things you didn't do. This is your investments. This is your partnerships, your assets, your policies. When things go wrong and they inevitable inevitably will, you have full control to fix it because that's what enterprise risk is about, that full control. Now the second e is that ecosystem, right, that value chain. And I wanna be really specific here because this ecosystem, it's both vendors and suppliers and service providers. It's also an ecosystem of commercial and noncommercial relationships. I mean, think about co innovation partnerships. Right? There might not be a commercial exchange, but there is some sort of data or IP exchange. And the interesting thing about that ecosystem is you can't run a business without it, but you only have partial control over what this ecosystem is going to do to protect you, but also how they manage their own risk. And then the 30 are all of those external forces that these days is really accelerating. And what do I mean by external risks? So at Forrester, we call them systemic risks. Right? Think about things like climate change. Think about, you know, economic fluctuations. Think about tariffs and trade wars and the speed of AI and, you know, things like data integrity. These are big external forces that, you know, they'll build slowly, and then they seem to kind of materialize all at once. And while no one really can control if and when they happen, what companies can't control is are they prepared for them? Are these external factors on their radar? And how they've structured their contracts to be able to hedge against it. You know, you don't own whether they happen, but you do have control over how prepared you are. So, Alla, you have I mean, this you you're you're sideloading a lot of information into our brains right now. And I I wanna go back. I wanted to code a little bit of this a little more slowly, and I'm gonna I'm gonna put it in some framing that, like so I can I can internalize it for myself? So Sure. just rewinding a little bit, what you said resonated deeply with me, which is that there there is just unrelenting volatility. And one of the things that I think you offered is we're seeing the the cycles compress. So, basically, they're they're happening faster. But, also, the other thing that you highlighted is there's layers. So, you know, if in the past, we had a little bit more, time to absorb the wave and then we could rest, and then there'd be another wave. What's happening now is it feels like we're getting hit with all the waves at once, and the waves are bigger. And and part of that is because there's all these things that are happening in, the the macro environment that are basically turning into amplifiers. Right? And. that's why we're experiencing that. And so as you talk about this framework for really, dividing up the the regimes, I think it's really valuable because it does help somebody like me focus on look. If I'm trying to measure and manage risk, I need to, like, make the big problem into smaller problems. Because if it's if I trade it all as, like, one big problem, it's I can't I can't put it in my head. I can't do useful things with it. I can't talk to my business people about what that actually means. And so what you're giving us is a way to chop the world into smaller pieces so that we can have more fruitful conversations where we actually start turning this into a what does this mean for you, and what can we do about it together to measure it and manage it? And then as you noted, one of the important measurement and control planes that we have is is our contracting because it's basically the mechanism that we use to to to document our commitments with everybody that we work with. Like, that's what contracts really are. Like, hey. I'm I'm gonna do this. You're gonna do that. And they the the nice thing is because we've, you know, written that down, we can actually interrogate what's in there and turn that into a thing that has useful information for us. So, for example, as you're breaking the problem into these these spaces, you can imagine that there are things that might happen, and you can use your contracts to functionally model. Like, if this happened, then what might my response be? What are my obligations? What are my commitments? What what help can I ask for from my supply chain, my vendors? And so I think you're giving us a very, a very instrumental approach to actually taking these giant problems that you're you're talking about that can be overwhelming and breaking them into more digestible pieces. So I I I just just wanted to like, as you're giving me these words, this is how I receive this. Does this am I am I tracking? Oh, you're you're right on you're right on point. Look. We thought of contracts as, well, this is a procurement thing or maybe this is a legal thing. But thinking about what's happening at the moment or probably for the last, you know, a year or so, right, every time there's one of these big critical risk events, and you're spot on to say that they're happening more often, and they're much more impactful. Right? Because risk isn't just, you know, probability and impact. It's actually a three-dimensional game where we now have to also factor for the velocity of these things. And when one of these events occurs, you'll have CEOs saying, okay. I need to understand what is my risk exposure. What are my obligations to my customers? What could I expect from my, you know, vendors and suppliers? What can I exit? What can I consolidate? What am I on the hook for? And the best place to get all of those answers, in fact, it's one of the most critical places to get all of these answers, is in the contract. So you are spot on. So what's funny is you're you're by the way, you're you're explaining a very real world thing that happens. Right? Like, what I'll what I was talking about is not hypothetical. Like, this is not, like, hand wavy. Like, things happen. And if in a function like mine, there's a person who comes to you and is like, so what can we do now? What does this. mean? What can we do? And it's not an academic exercise. It is deeply pragmatic. Yeah. And one of the things that has has been very helpful for us when we've had these moments is having tools that help us act like, at scale, understand exactly what is talking about. So you'll often hear the term, like, contract analytics, and it sounds like this, like, high minded, weird abstract thing. No. It's when the moment happens, and you need to understand those key features of your relationships that Ola just described, it's how you go understand those quickly at scale with accuracy. That's that's so in, the past I like to call it the oh, crap analytics. Yes. Yes. And I'm trying to have fewer of those, but guess what? The world is not being kind to me. It's not. And I actually you know, also, as part of our research, one of the survey questions was around discrete critical risk events. Right? So these are the big significant risk events that impact operations, revenue, customers, reputation. And on average, last year, organizations had at least four of them. Right? So that is the world is on fire at least once a quarter. I mean so once you know that that's it like, this is the treadmill we're on, and you embrace that. Like, look. Once a quarter, some expect something spicy is gonna happen. Like, do you have any thoughts on how like, how how should I start preparing? How should I get myself ready, Alla? This this. sounds dire. Well, look. I mean, I have some examples, so let's get through them. Okay. Full control. Right? What does it mean to have full control? It means that you can act quickly. If you look at here are two examples, one from Amazon, one from Google. You know, both companies, they took those big risks, the right risks, right, with AI, and, you know, things didn't work out exactly as intended. For example, Google used AI to do their these, like, summaries and for a lot of their health care information, they found that, the information was actually inaccurate and potentially dangerous. Oh, crap. Then you have Amazon who decided they were going to, you know, have fully autonomous AI, kind of code releases, no human in the loop, well, looks like some things may have broken. They may have lost a whole bunch of revenue. Oh, crap. The thing is is that they had full control to immediately pull them back. And in my so I've been in risk management for a little over, I would say, just about twenty five years, which is right around the same time as Sarbanes Oxley. So one could say, regulation is what made me a risk manager. But organizations love to look at risk in the enterprise because they have full control. It's, you know, it's a way to cross off your to do list. But we can't just stick to this full control because both the enterprise, the ecosystem, and those external factors, think of them as balls, and you have to keep all of those balls in the air. You don't have a choice. Now this is a really interesting one because when we're talking about our ecosystem, those partnerships, those vendors, those suppliers, you have partial control over how, you know, monitoring and forcing these third parties to kind of prioritize risk management the same way you do, but you own all of the responsibility. Very recent headline of Stryker medical device, manufacturer, you know, cyber attack, but now all of a sudden, it rippled through their manufacturing, their operations. So that was and still continues to be an unfolding story. Similarly, Amazon, Amazon's Ring partnered with a company called Flock. They put out a Super Bowl ad. It didn't exactly go as planned. The problem is with these third parties, these companies can't take immediate action. And when we think about this unbalanced equation, right, I own all the risk, but I only have partial control. Well, here's what you need to remember. You don't always have partial control. There is one part of this process, this one moment where you're holding all the cards, and that moment is before the contract is signed. And not enough organizations look at and do that risk evaluation, not the risk, you know, within the four corners of the contract document, but what are the implications for my company? Can I exit? Can I consolidate? You know, what are what does my get out of jail free card look like? And that's why it's really critical to make sure that you are evaluating that third party risk from multiple risk domains. And then and only then, when you understand the level of risk that you're taking on, you make sure you use that contract as a risk mitigation tool. Do I have the right language to protect my company? And based on the risk that I'm taking on, is this still the right cost? Because I certainly don't wanna be paying this price if I'm taking on additional risk. So it's about rightsizing and making sure that all of that analysis and evaluation is done and then imparted into the contract. That is how you're going to turn partial control and into more like full control. So this this deeply resonates with me, and it ties back to a couple of the things that you were were talking about before. So one of the biggest challenges is balancing the equation as you described it, which is look. There's a business that we're trying to run here. There are a set of things that we bring in that create value and capacity for us. And then whatever it is, we we deliver something to somebody else, and that creates value for them. And, historically, talking about somebody else clearly. Historically, not not really never for a I've I. know you're asking for a friend. Asking for a friend. Never anything I've done. There, you know, there are some organizations where those things can be, disconnected, where, basically, you can imagine that you are making a bunch of commitments downstream that have, deep dependencies on the things that you're doing that are upstream, and those things may not be connected. And the reason they're not connected is because, the world is big and and and things are hard. Right? Like, it's it's literally, it's it's it is very hard for us all to find a way to marshal all the information we need to make coherent decisions so that we're actually thinking about the risk holistically, and we're balancing that equation that you're talking about. And the idea that we're we're gonna you're gonna magically find a human who can shove all this stuff in their head, like, balance it out, feels unrealistic, especially in the context of all the things you're describing, Alla, where things are moving faster, scale is increasing, like, you know, like, the like, the the velocity is just off the hook, and you're you're seeing these big volatile oscillations. And so as you kind of offer these case studies, it does feel like we are going to have to like, the the the the mental like, the models that you're giving us, I think, are are critical for figuring out how we're gonna balance the equation, how we're going to purse like, think about the things that could happen, like those those things that we know about. There's, of course, some unknown, you know, unknown unknowns, unknowns. all? those ones that. you're going. But, basically, like, what you're what you're, I think, telling us is it's time to stop solving the local problem alone and start linking the chain together and looking holistically at how all of these things impact your business. And to the specific point that you you you highlighted here, the moment you have to wire in the things you need is before you execute the contract. Absolutely. So start flowing the information into the features of your contract that you need to actually balance that equation, and don't let people continue rolling out the contract template from seven years ago when the world looked very different. Yeah. Before we had force majeure clauses, before we had clauses around data and training and sovereignty and incidents and vulnerabilities and all of those things. Right? Because the world is changing that quickly. Now the other complexity with this ecosystem risk is so third party risk is this shared responsibility. And I think of third parties as almost a hot potato. They come into the organization through procurement, then contracting, and they kind of move around, and everyone touches them and passes them on. What we need to start understanding is the folks that are negotiating these contracts and looking at these clauses to say, is this sufficient? And using historical contract information or language when the world looked very different, they're also not the folks that are going to be, you know, delivering or responsible for meeting those obligations. So that's why it's so critical to make sure depending on what is it that we're contracting for, what is the data exposure, what is the risk exposure, do we have that pricing right, but also do we have the right language in there based on our company's new policies? I mean, think about AI. Right? You know, generative, and now we're moving towards agents, and companies are like, okay. We need these AI policies. And they rolled them out for the most part to their employees and completely missed. We need to also impart those same policies into our contracts because we need to hold third parties at least as accountable as we're holding our employees. So that is a perfect example of that the like, literally balancing a risk. And I'm not using. the right words. We're you're basically saying that, look. You you you've done a a a a good job kind of, like, understanding something, creating empowerment and management within this one set of controls that you have, which are inside. So that is in. the enterprise. Like, you you. you figured that out. And you're you're potentially leaving your flank exposed if you don't do you go. symmetric action because guess what? You bring lots of value from outside too. And so it would be unwise to not have a nice kind of symmetric, approach across the portfolio unless that is an intentional decision because there's something really beneficial that you get. So make it a? choice. Make it something that is part of your design, your intention, your strategy, not just because, like, oh, I I couldn't get around to it. Absolutely. And that actually takes me to my last example. Right? These external systemic risk events. So you don't have control over if they happen, when they happen, but you do have control in terms of understanding, hey, these are some of, like, the top systemic risks. And by the way, every year Forrester puts out a report called the top systemic risks of whatever that year is. Understanding that my company, based on the context of what I do, what I sell, who I support, even where I'm located, I'm going to be exposed to different systemic risks. Are they on my map? And are they also, do they flow through my contracts? Because to your point, Jason, yes, it is a choice whether or not to apply those controls to that counterparty you're contracting with. But now we also have to be keenly aware of these external forces to say, do we have the right language in there? I'll give you a great example. Acts of war. Right? Well, since COVID and a lot of the cyber attacks on supply chains, right, the insurance companies have redefined what acts of war really mean. It's not it's no longer just physical attacks now. It's also digital cyber attacks as well. Do we have the right language in the contract to factor for the new type of warfare? Do we have language of the contract if all of a sudden someone, you know, decides by tweet or social media posts that they want to change the tariffs? How about any geopolitical actions that are now sending economic financial markets and technologies into a tailspin? How have we factored for those what ifs in the language of our contract? Because if we've ignored them, I'll tell you, you know, it's it's going to seem like it's okay for a while until it's really not okay. And when it's really not okay, it's gonna come at you all at once. And that's what I meant about the or the velocity of how these risks are now manifesting. It's going to feel like it's all at once. So, again, I have a friend who, Uh-huh. might might currently be in the process of, bidding out some coverage. And so what you're saying is incredibly relevant. And so I think you're offering us a really good approach to thinking about, like, look. Literally, just just go look at the headlines. Look at the the the interesting things that are happening in the world and flow the consequences of those things through these kind of, like, core risk allocation mechanisms that you you have that support your business. of of these external risks. Yep. Yes. And just say, like, okay. Like, what what so if if you flow the water through the pipes, where does it where does it can successfully get to the other end, and where does it leak? And where it leaks, is that a problem for you? Because if it is, like, to. to to your point, the best time to to patch the leak is is is before the water starts flowing through. Because as you said, it comes through fast, and and it it's it comes through heavy and, you know, the the there's only so many buckets to go around. It it gets really tough. Absolutely. And it's not just companies. And that's this is the interesting part is that we are announcing regulators using the contracts to help with their regulatory requirements. So this is a a a very recent example. The EU is updating their cybersecurity act because, you know, cybersecurity definitely looks different today than it did a few years ago when they, first put out this this, requirement. And one of the things that they are explicitly saying or in the proposal once it's adopted is, hey. You know, companies that are in scope for this regulation, you need a kill switch. You need to be able to quickly exit in case one of your counterparties is now classified as high risk. Now high risk means different things to you know, based on the regulation, but we are seeing that, all countries and regions are now very highly sensitive to things that they consider to be of national security importance. So now you have you're doing business with a vendor or supplier that has now been designated, you know, a risk a national security risk or put on some sort of sanctions list. How are you gonna get out of that contract? How are you going to be able to withdraw any, you know, technology that's already been deployed? What you need is an ability. You know, think of it as, you know, when you're on a plane and they do that PSA message and you kinda tune out, but there's always that slide to get you, like, off the plane quickly. You need that inflatable slide because you wanna make sure that you could do it easily, but also without additional consequences. And by the way, the EU is not the only one, right? DORA, you know, that's been out for a little while, they definitely talk about those contractual protections, contractual provisions, but also in New York, my home state. New York Department of Financial Services, when they put out their cybersecurity updated requirements a couple of years ago, they specifically called out, make sure that you have the right contractual protections and contractual provisions. They even said, you have to do the risk assessment to be sure that you can even contract with them. So this is a framework that is being adopted by the folks that are watching. A 100%. And you you also saw that in EU Data Act. You saw that in GDPR with model clauses. You're absolutely seeing these, regulators using private contracting infrastructure as a way to drive policy objectives. You also see it in other, more subtle ways. So, for example, like, the the NIST frameworks and things like that where, basically, they say, hey. We're gonna come up with a set of standard definitions that will that will become de facto integrated into things like, compliance, motions, the the standards. And so I think you're you're spot on that the regulators are getting very, clever about how to start advancing the larger policy agendas that they're responsible for. And they're using the infrastructure of contracts. And and when that's one of the reasons I think they're doing it that is it it's effective. it's works. effective. Yes. Yes. So I I'm in violent agreement. Well, so speaking of contracts, right, and how contracts are just increasingly becoming, like, the center of attention. I mean, making headlines, but in terms of organizational priorities and really, you know, bringing their contracts forward at the same speed of innovation and to support their business strategy, contracts have taken on this far greater and more prominent role in business. And I don't know about you, but I certainly would not have predicted that three simple words would have been this consequential. But if you look at the standoff between anthropic and the Pentagon, what you see is that this makes perfect sense. Because as anthropic and the Pentagon, and by the way, anthropic at the time was the only, well still is to some extent, only model that is used in the Pentagon's classified systems. They have other models, but those are used in their unclassified systems. And anthropic has two red lines, so to speak, that they will not cross. One is they don't want their models to be used for autonomous weapons, and the other is they don't want their models being used for mass surveillance of The US citizens. And what they weren't comfortable with was this all lawful purposes being part of the contract. Now you could say, but that's standard language. Right? Yes. It is. It's standard. However, it doesn't look. From a risk perspective, this has more holes than Swiss cheese, and here's why. Because what is lawful or rather what is unlawful today when you sign the contract, that could change next year. That could change two years from now. Once the law changes, they are you know, whoever is using it is well within their contractual right. And Anthropic realized that this wasn't satisfactory for what they were going for, and that's why they refused to accept those terms. Now, on the other hand, you have OpenAI that kind of swoops in and says, we're we're you know, we've renegotiated, and we've gotten to a place that feels comfortable. Except when OpenAI put, you know, some snapshots of what their what contractual provisions they accepted, turns out the language wasn't strong enough to protect those red lines. And so I think what we're seeing is that contracts seem to be that guardrail that provide legal and enforceable protections in a world where there's a lot of at least in The US, there's a lot of deregulation or the regulations that are still on the books. Enforcement is, you know, inconsistent at best. So contracts are your new guardrails. I I think that's right. The and one of the the wonderful things about contracts is we can we can evolve them fairly quickly. Right? And so we can adapt. We can learn something, and then we can say, that didn't go quite as expected. And then we can project forward a better version of kind of the guardrails that we wanted to play we wanna put into place to get more of the kinds of outcomes that we want. The other thing that strikes me as you you talk about this is this feels like a a yet another example of the mat of the, like, the larger pattern you described where there is a large surprising thing that happens amongst some, like, very large powerful players, and there's all these downstream impacts. So, for example, when the Pentagon decides to to designate Anthropic, if you are a supplier to the Pentagon and you're taking dependencies on those models and those capabilities, all of a sudden, like, what do I do? Can I perform on my contract? And so as you're talking about this, like, I can't help but put it back into your three e's model and, like, think, like, okay. So how can I understand this problem? How can I work this problem? What would I do? So it it also feels like a good capsule of of of kind of it's a perfect yet another example of some of the things that you're talking about that are almost certainly impacting many businesses right now. Absolutely. Because, you know, great point. Right? For federal contractors or even subcontracts, this is their oh crap moment. Now the Pentagon has given Anthropic a a six month sort of, exit period, and so that's what their suppliers are going to get as well. However, what happens when the next model is designated a supply chain risk? Right? It doesn't have to be, you know, because of this particular standoff. But what if there's another model that maybe, is proved to be inadequate or has some sort of risk, how are companies going to exit that? And I don't think that organizations have really thought about the, the musical chairs that seems to be happening more often these days. And here's the other interesting piece of it, right? Because in The US, the absence of regulations, especially, you know, here we're talking about things like AI regulations, means that we have this hyperlitigation. You know, if Congress is not going to tell us the rules, then questions about how to play will be answered in that court of law. This is extreme. In fact, in last year's Forrester's prediction for this year, actually I think it was the year before, what we said was that when you look at the cost of litigation versus even, regulatory fines and penalty, litigation is like two x, three x of that. I mean, when a regulator would fine you, that amount of money was you know, you sort of knew how much it was going to be. It was fairly contained. And quite honestly, when you compare it to litigation, it looks like peanuts. Because even if you win in a court of law, you still lose. Right? You know, the longer the litigation goes on, the more you pay. Also, during discovery, you have to produce materials that might be your IP. It might be information or details that you don't want getting out. And so what we're seeing is that with litigation, we have these settlements. Companies are settling more often and for far, far greater, at far greater price points than those regulatory fines. And in fact, there's a study that shows that today, US companies face or rather 72% of US companies face at least one class action lawsuit. And two thirds of corporate councils are expecting class actions to rise because of AI, because of AI adoption. We don't have the rules. So we're not sure if we're doing it right. And that just opens up the window for that type of mass litigation. So I I don't I I almost don't wanna say these words out loud because I'm I'm I'm worried about inviting the outcome, but I do expect that plaintiff's counsel are going to be early adopters, and they're they're gonna get very real about using every tool that is available because their business works on being able to basically generate claims, aggregate them, and turn those into, an asset. The the thing a thing that I'm also I don't kinda wanna touch, but I feel like I have to say it, is we might be seeing a denial of service attack on litigation infrastructure on, like, the on the courts because as it basically, there is more capacity to start pushing more claims, through from every possible vector, then it it like, we might see that happen. In that instance, we are probably going to start we're gonna need to start thinking about how do we do con if that happens, and I hope it doesn't. But if that happens, we're gonna need to start to think about how do we do contracting so that we have resolution mechanisms that are not dependent upon the carrying capacity of the courts if they are overwhelmed. Because if if they're literally just gummed up with all kinds of inbound traffic from all over the place, and we need we have serious issues that we need to get resolved amongst commercial operators, We're gonna need to we're gonna need ways to resolve that somehow. And as you know, like, one of the biggest things we're trying to do in business is just have, like, certainty. Like, hey. Let let like, even if it's a bad situation, like, let's understand it and, like, work it and then move forward. And if you're stuck in this kind of perpetual limbo of not being able to resolve issues, complaints, disputes, that's really tough. The other thing that you're pointing at that I really agree with is, look. Look. You know, regulators are trying to do a job. They're often repeat play. They're often highly informed about what's happening. And even if you don't necessarily enjoy the process or you're like, oh, I don't really care for the outcome, They they are usually expertized on the the space that they're operating in. And so you can you can work with them. You can reason with them. When you start going into the litigation path of things, sometimes you have repeat play. Sometimes you have people who are paying attention, and sometimes you hit random number generation. And so, again, this creates that volatility that you were talking about where you you you go in and chances. you don't pick with slot machine. Like, what what. like, like, it it starts to feel like gambling. And so I do expect that as this new regime evolves, which I it's very hard for me to, like, really predict what's gonna happen, we are going to go back to contracting and figure out how can we create, you know, better, more consistent outcomes and start designing those from the front side knowing, like, what's happening in the messy middle and trying to work around that and and mitigate that as much as possible. So everything you're saying makes sense. to me, and I almost don't wanna speak the words out loud. No. Well, actually, it doesn't matter that you said it out loud because it's already happened. So cyber attacks on states and municipalities have already shut down courts. But, also, you bring up a really interesting point and something that happened, I wanna say it was, like, a week after the Pentagon standoff, which is, you know, some hacktivists broke into one of the federal procurement systems and was able to get contracting details on all of these companies that contract with the federal government. The other thing we need we really need to factor for is that contracts are a treasure trove of highly sensitive information. You know, if you ask me to tell you what my company does without telling you what my company does, all you have to do is look in the contract and you would, you know, look through contracts and you would see, right, who, you know, who we work with, what the products are, you know, all these other details. I think that CLM systems, unless they are starting to be keenly aware of just how critical they are to a company's operations, but also the wealth of data that that they hold. The other change that really needs to happen today is making sure that all of those privacy and security controls are actually turned on. I know that, you know, as with many, software, right, SaaS software vendors that have really good product security controls, they still need to be enabled. And something that we're seeing just kind of across the board is that depending on what that system is, you know, some organizations maybe undervalue the criticality of some systems and maybe forget to turn on those protections. It's like, you know, plugging in, Alexa and forgetting to change the password from password, I is why I do not have Alexa in my home. I'm I'm just glad nothing, like, spoke back when you said the words. The I think you're right. And what you're talking about becomes even more important in a world where we start moving more of our work into, agentic workflows. Let me give an example as to why. So it is very tempting to wrap everything in some kind of, agentic capability. And we are like, and we I if I am about as bullish on AI as you could imagine. But one of the things that you highlighted is, like, is that the information that sits in certain systems is incredibly sensitive. It's almost like the diary of the company. And. if you don't wrap that in governance mechanisms that constrain, basically, who can ask what and extract information out of that, Mhmm. if you if you don't have that as a designed experience that, you know, make sure that the right things get filtered out and the right things are left behind, then you basically start creating surface area for all kinds of exploit and attack. And so that's why I'm I I this is a very self serving comment, but I'm very amused right now by the idea that, like, oh, you can make any kind of software yourself. And the answer is yes. You can. Oh, vibe coding. Yeah. You can. I love I love making software. I make it all the time. But there like, people who have a product taste and experience, like, building things, there is real value in that because it turns out there's a whole bunch of stuff that doesn't look like features that you are features that you care about that are called, like, governance, security, control. Like, all these things that you're talking about, that is the stuff that, like, you you is often not sold as, like, the, oh, this is the amazing thing. But, actually, this is the thing that allows you to sleep at night, that allows you to, like, have some some, like, peaceful rest. And so I'm super excited about the world that we're gonna go build, and I know that we're just gonna have so many of these experiences where you and I are gonna have, like, converse it's like future conversations where, like, oh, yeah. That happened. Well, we we I think you kinda called that all out and, like but I guess we had to stub our toe and go through it. So everything you're saying completely resonates with me. Yeah. I look. I I totally see vibe coding becoming, you know, increasingly popular. And there are some systems that you can vibe code your way through. I just don't think that CLM is one of those, at least not yet. Because there are a lot of significant, not just third party risk, but, like, think about the APIs. Think about all of the systems that will take the output of a CLM and embed it into their process. You know, to your point earlier about the plumbing, you need to understand where everything flows, And you you don't want to just vibe code your way through without thinking about those downstream implications, at least definitely, you know, not at this moment. What you said. I I yeah. You did you nailed it. I so I always tell all of us that I'm gonna put it, put it back out there that every time we have one of these conversations, I know I should be submitting it to the Washington State Bar Association for CLA credit. And I think we're actually gonna have a transcript for this one. So I'm going to submit a petition to get credit for this because, like, Let me know if it works. I'm I will. I will. I'll I'll I'll put it out there for you. I I think my chances are very good because the the content that you offer is so rich and the insights are so on point. But the thing that I really love is you give me actionable tools and frameworks to solve my real world everyday problems because those oh crap moments, they they keep happening. And if we don't have the the the tools that you give us to work with those, then it's very easy to have that flight fight freeze response. and not go in the right direction. Abs absolutely. And, you know, I think one last point I really wanna make about CLM in general. Right? There are a lot of organizations where CLM sits as almost this connective tissue. Maybe it's between sourcing and payment or procurement and, you know, invoicing. And CLM is not a connective tissue. CLM, like, it's the main it's I I believe where we are going and where we need to be, CLM is going to be as critical as an ERP. Because the not just the insights, but, the organization's business strategy is wrapped within its contracts. And we cannot be driving our strategy forward, certainly not in a way that's flexible and agile and allows us to respond to those oh crap moments if we're just looking at CLM as like, oh, that's just a side dish. No. It's it's the main entree. There are things that we are doing as a company that I wish I could talk about right now that are so aligned with what you are saying. And so you see me, like, nodding violently because the words you're saying are are are what I'm living right now, and I I could not agree more. And so we are we are using our tools to literally start redesigning and reengineering how we do our business flowing through those those those contracts, in the ways that you described. And I hope that there's a future where I can talk about that with more precision, but, unfortunately, I think it would be it would be irresponsible of me to to go into greater detail today, but you are spot on. Well, I I can't wait to continue this conversation at, the clock conference. So because there's so much more to say. And doesn't it feel like every day there's a new, you know, headline or or a new, you know, new cycle where it's just more uncertainty being piled on on top of, like, what's already existing. Yes. It does. I think you've and I think you you've literally given us the data. Navin, are we did did we We we you got no. We are perfect on time, Jason. okay. Thank you both. I I was just sitting here and and letting the knowledge wash over me. So I have so many questions that we do not have time for on what remains of this call, but I'm willing to roll the dice and say after everyone logs out, there will be a new risk event for us to consider sometime tomorrow morning as well. So so on that on that horribly, positive note, just, thank you again to the audience for, joining us for this discussion. Alla, Jason, thank you so much, for sharing your thoughts and insight with all of us as well. If any of you have further questions, burning questions, or that, you know, risk event that Navin predicts next, this Friday morning comes to pass and you have questions, please reach out to all of us on LinkedIn. We're happy to discuss further as well. Of course, come in and watch our session at clock as well. Don't forget that there's a document section in your panel as well in the top right if you want to download anything as well that we've loaded up for you to for further reading and knowledge building as well. And if you want to take a look at the Agiloft CLM platform that that Jason and his team use to manage risk internally, you can grab a quick demo by hitting the button as well. So on that note, thanks again, Alla, Jason, for the discussion, and thank you audience, for joining us. Thank you for having me. This was great. Thank you so much. Alright.