Risk management

10% complete. Frame risk management levels to inform processes and decisions across the company

The purpose of our risk management policy in agreements is to provide efficient and safe contract execution by categorizing the levels and types of risk we may face and clear process in signing off of acceptance of risk.
Risk Levels
Level 1 - Low risk or documented accepted risk, and 90% probability worst case < $10K
Level 2 - Risk to address before IPO and 90% worst case < $100K
Level 3 - Risk to address before Series C
Level 4 - Risk to address from 6 months from discovery
Level 5 - Risk to address ASAP
Level N - Needs Investigation
Risk Types
Intellectual property - including copyright
Tax - including corporate tax, employment tax, sales tax, and other forms
Liability - including risk from lack of/commitment to indemnity from/to 3rd parties
Jurisdiction - including material risk from mechanisms other than JAMS or California law
Export compliance - including U.S. embargo
Employment law risk - including statutory benefits
Internal consistency - including compensation
Business risk - including non-market terms and ability to meet expectations
System security - exposure to potential security breaches
Contract compliance risk - risk of being in breach of customer contracts or other contracts
Agreements
Risk levels are most commonly addressed in agreements of the following types:
Customer agreements
Vendor agreements
Employment agreements
Partnerships agreements
Mattermost Templated Agreement
Mattermost Templated Agreements (MTAs) have significant reduced risk and in general can be reviewed and executed within 1 business day.
Examples include:
Mattermost Mutual Non-disclosure Agreement (link needed)
​Mattermost U.S. Consulting Agreement​
Custom Agreements
All custom agreements require approval by procurement and may take days to weeks to complete depending on their complexity.
Risk Types and Risk Levels for Custom Agreements
Note: Risk levels are expected to change over time. For example: Contracts in foreign jurisdictions may be less of an issue over time as we establish infrastructure in those jurisdictions.
Risk Type
Level 2
Level 3
Level 4
Level 5
Jurisdiction
U.S. jurisdiction outside of California in combination with potential for $100K+ in uninsured liability
Canadian or U.K. jurisdiction in combination with potential for $100K+ in uninsured liability
Non-English-speaking, non-U.S. jurisdiction in combination with potential for $100K+ in uninsured liability
Jurisdiction in a restricted list region/country, e.g. U.S. embargoed countries. ABSOLUTELY DO NOT SIGN
Risk Acceptance Process
The following summarizes the process for review and risk acceptance on any agreement that binds Mattermost, Inc.
Legal Review and Approval ("LRA")
This step is not required for MTAs, only custom agreements.
Legal review and approval is required for all custom agreements and department heads should ensure their teams plan their work to provide at least 1-2 weeks for the review of any custom contracts.
If a department head anticipates more than 3-5 custom contracts of similar types (e.g. advertising purchase agreements), they should inform procurement in advance to create an MTA to speed contract execution.
Risk Acceptance ("RA")
Risk Acceptance Initial ("RAI") is provided by a Mattermost staff member who is a non-interim department head or someone director-level or higher and who has also completed Mattermost procurement and risk management training within the last 12 months.
RAI initial should appear within 2 inches of the FCA signature it maximize clarity that RAI is complete when FCA is executed.
Final Company Approval ("FCA")
To bind the company to any agreement Final Company Approval ("FCA") is provided by the company CEO, and potentially board members, via physical or electronic signature.
E-sign Process
HR-related E-sign
All HR-related e-sign should be conducted via either:
a HelloSign account controlled by Mattermost (which is only accessible by staff approved for handling confidential HR data)
an e-sign system controlled by our partner law firm, Cooley
HR-related agreements should not be executed using the company-controlled DocuSign account given HR privacy requirements.
Agreement
Risk Types
Risk Acceptance (Initial)
Final Company Approval (Signature)
U.S. W-2 Employee MTA
​IP, tax, liability, export compliance​
DirHR or VPF
CEO
General Agreements
The following table summarizes general agreements to be completed via company-controlled DocuSign or vendor-controlled DocuSign with written sign-off from Mattermost staff member requesting the agreement that the vendor will send the fully-executed contract to procurement within 1 business day after execution.
Agreement
Risk Types
Risk Acceptance (Initial)
Final Company Approval (Signature)
Banking Agreement
​Business risk, system security ​
DirAccounting or VPF
CEO

Naming files and agreements

Mattermost U.S. consulting agreements

Last modified 2yr ago

Risk Type	Level 2	Level 3	Level 4	Level 5
Jurisdiction	U.S. jurisdiction outside of California in combination with potential for $100K+ in uninsured liability	Canadian or U.K. jurisdiction in combination with potential for $100K+ in uninsured liability	Non-English-speaking, non-U.S. jurisdiction in combination with potential for $100K+ in uninsured liability	Jurisdiction in a restricted list region/country, e.g. U.S. embargoed countries. ABSOLUTELY DO NOT SIGN

Agreement	Risk Types	Risk Acceptance (Initial)	Final Company Approval (Signature)
U.S. W-2 Employee MTA	IP, tax, liability, export compliance	DirHR or VPF	CEO