Risk Management
10% complete. Frame risk management levels to inform processes and decisions across the company
The purpose of our risk management policy for agreements is to provide efficient and safe contract execution by categorizing the levels and types of risk we may face and by defining a clear process for signing off on the acceptance of risk.

Risk Levels

    Level 1 - Low risk or documented accepted risk, and 90%-probability worst case < $10K
    Level 2 - Risk to address before IPO, and 90%-probability worst case < $100K
    Level 3 - Risk to address before Series C
    Level 4 - Risk to address within 6 months from discovery
    Level 5 - Risk to address ASAP
    Level N - Needs investigation

Risk Types

    Intellectual property - including copyright
    Tax - including corporate tax, employment tax, sales tax, and other forms
    Liability - including risk from a lack of indemnity from, or a commitment to indemnify, 3rd parties
    Jurisdiction - including material risk from mechanisms other than JAMS or California law
    Export compliance - including U.S. embargo
    Employment law risk - including statutory benefits
    Internal consistency - including compensation
    Business risk - including non-market terms and ability to meet expectations
    System security - exposure to potential security breaches
    Contract compliance risk - risk of being in breach of customer contracts or other contracts

Agreements

Risk levels are most commonly addressed in agreements of the following types:
    Customer agreements
    Vendor agreements
    Employment agreements
    Partnership agreements

Mattermost Templated Agreement

Mattermost Templated Agreements (MTAs) carry significantly reduced risk and in general can be reviewed and executed within 1 business day.
Examples include:

Custom Agreements

All custom agreements require approval by procurement and may take days to weeks to complete depending on their complexity.

Risk Types and Risk Levels for Custom Agreements

Note: Risk levels are expected to change over time. For example, contracts in foreign jurisdictions may become less of an issue over time as we establish infrastructure in those jurisdictions.
Risk Type: Jurisdiction
    Level 2 - U.S. jurisdiction outside of California in combination with potential for $100K+ in uninsured liability
    Level 3 - Canadian or U.K. jurisdiction in combination with potential for $100K+ in uninsured liability
    Level 4 - Non-English-speaking, non-U.S. jurisdiction in combination with potential for $100K+ in uninsured liability
    Level 5 - Jurisdiction in a restricted list region/country, e.g. U.S. embargoed countries. ABSOLUTELY DO NOT SIGN

Risk Acceptance Process

The following summarizes the process for review and risk acceptance on any agreement that binds Mattermost, Inc.
This step is not required for MTAs, only for custom agreements.
Legal review and approval are required for all custom agreements, and department heads should ensure their teams plan their work to allow at least 1-2 weeks for the review of any custom contract.
If a department head anticipates more than 3-5 custom contracts of a similar type (e.g. advertising purchase agreements), they should inform procurement in advance so that an MTA can be created to speed contract execution.

Risk Acceptance ("RA")

Risk Acceptance Initial ("RAI") is provided by a Mattermost staff member who is a non-interim department head, or who is director-level or higher, and who has also completed Mattermost procurement and risk management training within the last 12 months.
The RAI initial should appear within 2 inches of the FCA signature, to maximize clarity that RAI is complete when FCA is executed.

Final Company Approval ("FCA")

To bind the company to any agreement, Final Company Approval ("FCA") is provided by the company CEO, and potentially by board members, via physical or electronic signature.

E-sign Process

All HR-related e-signing should be conducted via either:
    a HelloSign account controlled by Mattermost (which is only accessible by staff approved for handling confidential HR data)
    an e-sign system controlled by our partner law firm, Cooley
HR-related agreements should not be executed using the company-controlled DocuSign account, given HR privacy requirements.
Agreement: U.S. W-2 Employee MTA
    Risk Types: not specified
    Risk Acceptance (Initial): DirHR or VPF
    Final Company Approval (Signature): CEO

General Agreements

The following table summarizes general agreements to be completed via company-controlled DocuSign, or via vendor-controlled DocuSign with written sign-off from the Mattermost staff member requesting the agreement confirming that the vendor will send the fully executed contract to procurement within 1 business day after execution.
Agreement: Banking Agreement
    Risk Types: not specified
    Risk Acceptance (Initial): DirAccounting or VPF
    Final Company Approval (Signature): CEO