Frame risk management levels to inform processes and decisions across the company
The purpose of our risk management policy in agreements is to provide efficient and safe contract execution by categorizing the levels and types of risk we may face, and by providing a clear process for signing off on the acceptance of risk.
- Level 1 - Low risk or documented accepted risk, and 90% probability worst case < $10K
- Level 2 - Risk to address before IPO, and 90% probability worst case < $100K
- Level 3 - Risk to address before Series C
- Level 4 - Risk to address within 6 months from discovery
- Level 5 - Risk to address ASAP
- Level N - Needs investigation
- Intellectual property - including copyright
- Tax - including corporate tax, employment tax, sales tax, and other forms
- Liability - including risk from a lack of indemnity from 3rd parties, or from a commitment to indemnify 3rd parties
- Jurisdiction - including material risk from dispute-resolution mechanisms other than JAMS or governing law other than California law
- Export compliance - including U.S. embargo
- Employment law risk - including statutory benefits
- Internal consistency - including compensation
- Business risk - including non-market terms and ability to meet expectations
- System security - exposure to potential security breaches
- Contract compliance risk - risk of being in breach of customer contracts or other contracts
Risk levels are most commonly addressed in agreements of the following types:
- Customer agreements
- Vendor agreements
- Employment agreements
- Partnership agreements
Mattermost Templated Agreements (MTAs) carry significantly reduced risk and in general can be reviewed and executed within 1 business day.
All custom agreements require approval by procurement and may take days to weeks to complete, depending on their complexity.
Note: Risk levels are expected to change over time. For example, contracts in foreign jurisdictions may become less of an issue over time as we establish infrastructure in those jurisdictions.
The following summarizes the process for review and risk acceptance on any agreement that binds Mattermost, Inc.
Legal review and approval are required for all custom agreements, and department heads should ensure their teams plan their work to allow at least 1-2 weeks for the review of any custom contract.
If a department head anticipates more than 3-5 custom contracts of a similar type (e.g. advertising purchase agreements), they should inform procurement in advance so that an MTA can be created to speed contract execution.
Risk Acceptance Initial ("RAI") is provided by a Mattermost staff member who is a non-interim department head, or who is director-level or higher, and who has also completed Mattermost procurement and risk management training within the last 12 months.
The RAI initial should appear within 2 inches of the FCA signature, to make it clear that RAI is complete when FCA is executed.
To bind the company to any agreement, Final Company Approval ("FCA") is provided by the company CEO, and potentially board members, via physical or electronic signature.
All HR-related e-signing should be conducted via one of the following:
- a HelloSign account controlled by Mattermost (which is only accessible by staff approved for handling confidential HR data)
- an e-sign system controlled by our partner law firm, Cooley
HR-related agreements should not be executed using the company-controlled DocuSign account, given HR privacy requirements.
The following table summarizes general agreements to be completed via company-controlled DocuSign or vendor-controlled DocuSign. When a vendor-controlled account is used, the Mattermost staff member requesting the agreement must provide written sign-off confirming that the vendor will send the fully executed contract to procurement within 1 business day after execution.