The biggest risks to your business are never in the obvious places. It’s the fine print in a dark corner of a filing cabinet, a small team you have never met, a regulator nobody has heard of, or a junior developer who rewrote your terms and conditions.
Sarah Binder’s career has covered some of the most varied regulatory environments in global business. She’s currently General Counsel at BetterUp and has led legal across British Telecom, Lime, and Yum! Brands. Sophie McNaught is Managing Director at Silicon Valley Bank covering strategic investors and corporate development. Prior to her current role, Sophie spent years advising hundreds of tech companies on AI risk and insurance at Vouch.
"Risk is normally never where you expect it,” Sarah said. “What you need to do is think about where risk could really impact your ability to achieve your business objectives. It sounds basic, but it's extraordinary how many times those potential obstacles don't get thought about until much later down the path."
GC AI founder Cecilia Ziniti has known both Sarah and Sophie for years, and this conversation began over a casual brunch chat on what risk management looks like on a global scale, across companies of every size, stage, and regulatory context.
Why Risk Depends on Your Company’s Size and Stage
Risk will mean something different for a Fortune 500 company than it does for a small startup. For a seasoned GC at a growth-stage company, risk is mostly litigation exposure, regulatory compliance, and fixing reputational damage from minor PR crises. By contrast, for a seed-stage company, risk is simpler: figure it out or go out of business.
Sophie spent years at Vouch advising hundreds of tech companies across every stage of development. She observed that most of the people making risky decisions at early-stage companies are thinking about what is slowing them down from becoming profitable.
"At seed, Series A, Series B… and honestly even C and D in this day and age, the biggest risk is that you don't exist in a year because you couldn't figure out how to sell to your customers," said Sophie.
She says that the companies that get risk right in the early stages understand which risks are worth treating as existential and which are worth parking. The ones that get it wrong are usually the ones that spend significant time and energy on the wrong things.
Sarah adds that risk should be viewed as a data-driven analysis of how likely something is to happen, how much you can control it, and what the impact on the business's core objectives would be if it did.
"It's not that something could happen. Anything could happen,” Sarah said. “It requires being incredibly data driven and analytical to reach a conclusion as to how likely something is going to happen and the extent to which you can control or mitigate that."
Fortunately, the genuinely uncontrollable risk is rarer than many founders imagine. Most things can be mitigated if you get ahead of it early enough.
Note from CZ: At GC AI, we think about risk constantly, but the risk that consumes most of our attention is whether we are building the right things fast enough, and whether our customers are getting enough value to stick around. Our legal risk is real, but it is downstream of the existential one. Getting that priority order right is the most important thing a legal leader can do for an early-stage company.
Know Thy Product: The Best Legal Leaders Are Embedded
Sarah’s most consistent guiding career principle is simple: know thy product and know thy customer. It’s your best risk management tool. At British Telecom, every employee was expected to understand what the engineers did, regardless of their function. At Yum! Brands, every new employee spent two weeks working on the front line in a restaurant before starting their role.
"It was very important to both companies that you really, really knew what they were selling,” Sarah said.
Sophie illustrated the importance of this by describing a company that sped up the speed of deals by adding a lawyer to their engineering team. They had noticed most of the sales team’s biggest blockers were related to legal matters: security requirements, indemnity questions, model training disclosures, and insurance requirements. The embedded lawyer could speak to all of them.
"The best way to be valuable as a legal person in a tech company is to genuinely understand the technology,” Sophie said. “They ended up with all of these insights that they were able to translate to sales.”
For a GC, It’s Not Enough to Be Right
Sarah's most direct piece of advice for in-house lawyers is a bit counterintuitive: being right is not the job. And if being right is your primary goal, in-house is probably the wrong place to be.
After several years of high-tier M&A work after law school, Sarah joined a startup as its first ever GC. Shortly into her tenure, a junior web developer rewrote her terms and conditions. He had changed the notice period from 28 days to 14 because he felt it was better for the customer. She went to find him and kindly explained that she was the lawyer and needed to retain control over legal wording. She won the argument, but ultimately lost the T&C battle.
"It's not enough to be right. You're the lawyer and you'll probably be right,” Sarah laughs. “That's not actually enough. You may well be right on a technical point of compliance, but that's got absolutely nothing to do with what your business is trying to do."
The developer wasn’t wrong; the customer experience also mattered. Sarah learned that to convince people, the law had to be connected to something the business cared about, and the connection had to be made by the lawyer on the business’ own terms. In-house lawyers who focus on relationship building are most successful at this.
"It really is an art and it is all about building relationships. Information is just power,” Sarah said. “The more people tell you, the more information you have access to, the better you're going to be able to forecast where issues might arise."
Personal Liability, Duty of Care, and When Things Go Wrong
Early in Sarah’s career as a GC, a series of errors caused massive emotional trauma to a family. The situation was so delicate that she needed to visit the family in their home and apologize for the failures that had caused this trauma. This unlikely and tragic experience taught Sarah about the ethical responsibility that comes with any role that touches real people's lives.
"Imagine that you're going to go and sit in their living room and tell them what you got wrong,” Sarah describes. “You have a really deep ethical responsibility to make sure that you fix those things so those things can't happen again."
What makes this moment instructive beyond the obvious ethical dimension is the CEO's role in it. He trusted Sarah completely and gave her the space to act on her judgment. That kind of trust between a CEO and a GC is what made this repair work possible. You cannot do the right thing in a crisis if the relationship that allows you to act on your judgment has not been built before the crisis arrives.
“If in doubt, do the right thing,” Sarah said. “We all want to be doing things that make a real difference to people's lives. That comes by creating moments of joy and success, but it also comes in creating moments of compassion, professionalism, and empathy when things don't go as you intend.”
Who Sets Standards When AI Regulation Has Not Caught Up?
Sophie says that a lawyer’s duty of care is getting sharper, not softer, as technology reaches further into regulated and high-stakes industries. In the absence of federal AI regulations, a patchwork of state laws are all lawyers have to rely on. Most of the actual standard-setting is being dictated by consumers.
"It's the buyers that are really dictating what standards these companies are expected to uphold,” Sophie said. “The standards for making a transaction happen end up being the standards we abide by."
When the executive of a major bank requires specific security controls before a deal closes, that requirement travels. The vendor builds it into their own requirements, and within a cycle or two, what started as an enterprise buyer's security checklist becomes an informal industry standard.
Sarah adds that the most difficult regulatory environments are those where there is a genuine duty of care, the regulatory framework has not been written yet, and there’s a lot on the line.
"What's harder is being in an industry where there is a very clear duty of care and the regulatory framework is not defined or is patchwork or unclear,” she said. “You're having to piece it together and know that three years down the line, someone is going to look back on the decisions that you made."
That is exactly where AI sits right now. Sophie and Sarah believe that the legal teams that move fast, stay embedded in the product, build relationships across the business, and treat risk as a forward-looking discipline rather than a reactive one will create the most durable advantage.
GC AI is built to give those teams the leverage they need to move faster on the work that can be accelerated, and spend more time on the judgment calls that cannot. Try it for free.
