# Risk management

The purpose of our risk management policy for agreements is to provide efficient and safe contract execution by categorizing the levels and types of risk we may face and by defining a clear process for signing off on the acceptance of risk.

## Risk Levels

* Level 1 - Low risk or documented accepted risk, and 90% probability worst case < $10K
* Level 2 - Risk to address before IPO and 90% worst case < $100K
* Level 3 - Risk to address before Series C
* Level 4 - Risk to address from 6 months from discovery
* Level 5 - Risk to address ASAP
* Level N - Needs Investigation

## Risk Types

* Intellectual property - including copyright
* Tax - including corporate tax, employment tax, sales tax, and other forms
* Liability - including risk from a lack of indemnity from 3rd parties, or from commitments to indemnify 3rd parties
* Jurisdiction - including material risk from mechanisms other than JAMS or California law
* Export compliance - including U.S. embargo
* Employment law risk - including statutory benefits
* Internal consistency - including compensation
* Business risk - including non-market terms and ability to meet expectations
* System security - exposure to potential security breaches
* Contract compliance risk - risk of being in breach of customer contracts or other contracts

## Agreements

Risk levels are most commonly addressed in agreements of the following types:

* Customer agreements
* Vendor agreements
* Employment agreements
* Partnerships agreements

### Mattermost Templated Agreement

Mattermost Templated Agreements (MTAs) carry significantly reduced risk and in general can be reviewed and executed within 1 business day.

Examples include:

* Mattermost Mutual Non-disclosure Agreement (link needed)
* [Mattermost U.S. Consulting Agreement](https://handbook.mattermost.com/operations/finance/risk-management/mattermost-templated-agreements#mattermost-u-s-consulting-agreements)

### Custom Agreements

All custom agreements require approval by procurement and may take days to weeks to complete, depending on their complexity.

#### Risk Types and Risk Levels for Custom Agreements

**Note:** Risk levels are expected to change over time. For example: Contracts in foreign jurisdictions may be less of an issue over time as we establish infrastructure in those jurisdictions.

| Risk Type    | Level 2                                                                                                 | Level 3                                                                                       | Level 4                                                                                                     | Level 5                                                                                                 |
| ------------ | ------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- |
| Jurisdiction | U.S. jurisdiction outside of California in combination with potential for $100K+ in uninsured liability | Canadian or U.K. jurisdiction in combination with potential for $100K+ in uninsured liability | Non-English-speaking, non-U.S. jurisdiction in combination with potential for $100K+ in uninsured liability | Jurisdiction in a restricted list region/country, e.g. U.S. embargoed countries. ABSOLUTELY DO NOT SIGN |

## Risk Acceptance Process

The following summarizes the process for review and risk acceptance on any agreement that binds Mattermost, Inc.

### Legal Review and Approval ("LRA")

This step is not required for [MTAs](#mattermost-templated-agreement), only custom agreements.

Legal review and approval is required for all custom agreements, and department heads should ensure their teams plan their work to allow at least 1-2 weeks for the review of any custom contract.

If a department head anticipates more than 3-5 custom contracts of a similar type (e.g. advertising purchase agreements), they should inform procurement in advance so that an [MTA](#mattermost-templated-agreement) can be created to speed up contract execution.

### Risk Acceptance ("RA")

The Risk Acceptance Initial ("RAI") is provided by a Mattermost staff member who is a non-interim department head, or who is director-level or higher, and who has also completed Mattermost procurement and risk management training within the last 12 months.

The RAI initial should appear within 2 inches of the FCA signature, to make it clear that RAI was complete when FCA was executed.

### Final Company Approval ("FCA")

To bind the company to any agreement, Final Company Approval ("FCA") is provided by the company CEO, and potentially by board members, via physical or electronic signature.

### E-sign Process

#### HR-related E-sign

All HR-related e-signing should be conducted via one of:

* a HelloSign account controlled by Mattermost (accessible only by staff approved to handle confidential HR data)
* an e-sign system controlled by our partner law firm, Cooley

Given HR privacy requirements, HR-related agreements should not be executed using the company-controlled DocuSign account.

| Agreement             | Risk Types                                           | Risk Acceptance (Initial) | Final Company Approval (Signature) |
| --------------------- | ---------------------------------------------------- | ------------------------- | ---------------------------------- |
| U.S. W-2 Employee MTA | [IP, tax, liability, export compliance](#risk-types) | DirHR or VPF              | CEO                                |

#### General Agreements

The following table summarizes general agreements to be completed via company-controlled DocuSign, or via vendor-controlled DocuSign provided the Mattermost staff member requesting the agreement confirms in writing that the vendor will send the fully-executed contract to procurement within 1 business day of execution.

| Agreement         | Risk Types                                     | Risk Acceptance (Initial) | Final Company Approval (Signature) |
| ----------------- | ---------------------------------------------- | ------------------------- | ---------------------------------- |
| Banking Agreement | [Business risk, system security](#risk-types)  | DirAccounting or VPF      | CEO                                |
