Role Playbook SaaS 200-500 employees General Counsel · Head of Legal

Every contract has to be reviewed. Every regulatory risk has to be tracked. Every dispute has to be managed. That's the General Counsel OKR trap at 200-500 SaaS — a queue with a single brain, and the answer to "how long?" is always "depends."

Standard MSAs take 3 weeks instead of 3 daysSales sends an MSA. You queue it. Customer responds with redlines a week later. You queue again. Net: 3 weeks for a "standard" deal Sales already discounted.

Regulatory risks discovered in board prepQuarterly board pack: "any open regulatory matters?" You scramble. Half the matters you flagged 18 months ago aren't tracked anywhere. You report by memory.

Vendor-contract reviews backlog by 4 weeks23 SaaS tools waiting on legal review. Function teams either bypass review or wait. Either way, risk surface grows and adoption stalls.

You're the deal-cycle bottleneckEvery enterprise deal has a "GC review" gate. CRO complains. CEO complains. Your team is at capacity. The complaint doesn't change the math.

Every contract, regulation, and dispute eventually lands on your desk.

Sales agrees to non-standard terms

→

You fix the contract retroactively

Eng skirts a privacy requirement

→

You take the audit-exposure blame

Vendor slips a control commitment

→

You renegotiate under deadline pressure

The job isn't redlining MSAs. It's making cross-functional risk auditable before it becomes a regulatory matter.

Standard MSA cycle target

≤ 7dBenchmark

Regulatory risk SLA

≤ 60dBenchmark

Median enterprise legal review

2-4 wkBenchmark

Standard MSA cycle typical

14-21 daysThreshold

What's in this playbook

General Counsel OKRs — three objectives that defend the seat
The three strategic bets inside the General Counsel stack
Enforcement rules — the cadence layer
The escalation chain — 5 levels, 48-hour clock
The math — five execution metrics on every KR

THE SCORECARD

Three GC OKRs that defend the seat at 200-500 SaaS.

You're not the contracts paralegal redlining the next MSA. You're not the compliance analyst tracking GDPR. You're not the patent prosecutor filing the next claim. You also don't only own contracts — you own contracts, regulatory risk, IP, disputes, vendor risk, M&A readiness, board governance, employment law, and outside-counsel management on top of that. Three objectives below.

Objective	Key Result	Benchmark / Threshold	Target
Standard contracts close in 7 days — Sales stops routing around legal O1 · Outcome state. When contracts move fast, deals close fast; when they don't, the GC owns the deal-cycle drag.	≥ 90% of standard MSAs (no unusual customizations) close legal review in ≤ 7 days from intake to executed7 days because anything longer means Sales loses quoting confidence; 90% because exceptions legitimately need longer	14-21d typical Threshold	≥ 90%
	Custom enterprise contract cycle ≤ 21 days p75 from intake to executed21 days because enterprise customers tolerate longer; p75 because some genuinely complex deals need more	35-60d typical Threshold	≤ 21d p75
	≥ 80% of contracts close on first redline round (no recursive negotiation)80% because recursive redlines are the single biggest cycle-time drag; below 60% means templates aren't actually standard	~50% typical Threshold	≥ 80%
Regulatory risks resolve before they age into reportable matters O2 · Outcome state. Closure cadence prevents board surprises and regulatory escalation.	Zero open Tier-1 regulatory risks (potential financial impact > $250K) unresolved > 60 days from identification60 days because longer means matters compound or escalate to formal action; Tier-1 because not every state-law update is material	3-7 typical Threshold	0
	Single regulatory-risk register reviewed monthly with CFO + CEO; 100% of identified risks have named owner, identified action, expected closure dateMonthly because quarterly review misses 8 weeks of drift; named owner because shared ownership = no ownership	Quarterly + ad-hoc Threshold	Monthly
Legal lands in commercial decisions before term-sheet — not after O3 · Outcome state. Legal-as-bottleneck is the seat-killing pattern. Legal-as-partner gets invited early.	Vendor-contract review SLA ≤ 5 business days from intake to legal sign-off5 days because longer means function teams bypass review; SLA-driven because queue-driven creates 4-week backlogs	15-25d typical Threshold	≤ 5d
	≥ 80% of major commercial decisions (M&A, large customer, key partnership) include legal input before term-sheet80% because pre-term-sheet legal saves rebuilds later; below 50% means legal is reactive cleanup	~30% typical Threshold	≥ 80%

¹ Contract-cycle benchmarks per Ironclad State of Contracting 2024 + ACC (Association of Corporate Counsel) annual surveys. Regulatory-risk and vendor-review benchmarks reflect modeled directional estimates from public-facing GC writing and ACC community discussions. Specific company benchmarks limited.

How to start in week 1 of the quarter

Don't migrate to Ironclad. Don't hire 2 more associates. Do these five things:

→ Pull last 4 quarters of contract data: standard MSA cycle, custom enterprise cycle, recursive-redline rate. The gaps are your O1 baselines.

→ Build a single regulatory-risk register: list every open matter with severity, owner, action, expected closure. Distribute to CFO + CEO + Board. The act of consolidation is half the value.

→ Audit vendor-review queue: how many SaaS tools awaiting review, average wait time, how many deployed without review? That's your O3 baseline.

→ Build the standard-MSA "fast path": pre-approved fallback positions on top 10 negotiation points (liability cap, indemnity scope, term, auto-renewal, data clauses). Sales redlines from the fast path; legal reviews exceptions.

→ Get a 30-min slot in monthly RevOps + CFO operating reviews. Not as observer — as legal voice on commercial cadence and risk. The bottleneck-not-partner perception starts shifting at exec calendar.

Why O1 is the seat-defining objective

O2 is what the board watches. O3 is what function teams notice. O1 is what determines whether GC enables revenue or constrains it. When contracts move in 7 days, Sales invites legal earlier. When O1 slips, no regulatory discipline compensates — GC becomes the deal-cycle bottleneck in everyone's narrative.

STRATEGIC BETS

The three bets inside every GC OKR stack — and the dozen your team runs without you.

You don't run the redline desk. You don't track every privacy reg. You don't run matter management. You own the three bets that turn the seat from queue-managed to outcome-managed — contract SLAs, regulatory closure, pre-term-sheet partnership. Three objectives below.

Strategy 1 — Replace queue-managed contracts with SLA-managed contracts

→ O1

1.1

Pre-approved fallback library on top 10 negotiation points; Sales redlines from the library; legal reviews exceptions only

CRO + Sales

1.2

Self-serve standard MSA generation: low-risk customers (under threshold ACV) get auto-generated MSA from approved templates; legal reviews exceptions

RevOps + Legal Ops

1.3

Contract-cycle telemetry: every contract has an intake timestamp, exec-signed timestamp, intermediate redline timestamps; weekly SLA review

Legal Ops

1.4

Recursive-redline analysis quarterly: which clauses cause the most rounds? which customer segments? structural fix vs. case-by-case patch

Internal

Strategy 2 — Replace ad-hoc regulatory tracking with a continuous risk register

→ O2

2.1

Single regulatory-risk register: every Tier-1 matter has owner, severity, action, expected closure date, current status

Internal

2.2

Monthly review with CFO + CEO; quarterly review with Board; matter-aging dashboard surfaces aging items before they breach 60-day SLA

CFO + CEO + Board

2.3

Outside-counsel matter discipline: every engagement scoped, budgeted, reviewed monthly; spend tracked against forecast quarterly

CFO

2.4

Regulatory-horizon scanning: quarterly review of pending state/federal/EU regulations affecting the business; pre-emptive impact assessment

Outside counsel

Strategy 3 — Move legal from deal-cycle bottleneck to commercial build-time partner

→ O3

3.1

Vendor-review SLA: 5-day p90 from procurement intake to legal sign-off; capacity sized to meet it

CFO + IT

3.2

Pre-deal legal involvement: GC or designate joins major-deal commercial conversations before term-sheet, not after

CRO + CEO

3.3

Equity-grant cadence: monthly board approvals (not quarterly); offers issued with clean equity terms, not "subject to board"

CFO + Board + CEO

3.4

IP-filing cadence: quarterly engineering review identifies novel features; patent counsel engaged on cadence, not crisis

CTO

ENFORCEMENT LAYER

Enforcement for GC OKRs — the cadence layer above your legal tools.

Ironclad and DocuSign hold contracts. Your matter-management tool tracks outside counsel. Your privacy platform tracks GDPR/CCPA compliance. Each runs in one lane. None enforces whether the contract closed within SLA, whether the regulatory matter aged past 60 days, or whether vendor review held to 5-day turnaround. That's the cadence layer above your stack.

How this works in practice

→ Your team enters KR values weekly — open contracts by stage, risk-register status, vendor-review queue age

→ Each becomes a tracked KR with an owner

→ ShiftFocus runs the cadence and fires triggers when KRs bend

We don't pull from Ironclad or DocuSign. We make the legal KRs your team already maintains catch drift at week 1, not QBR.

Two triggers define daily pain: Trigger 2 (Velocity Drop) when contract cycle time stretches, and Trigger 6 (Dependency SLA Breach) when an upstream dependency from Sales, RevOps, or IT breaks the legal KR.

The two that fire hardest at the GC layer

Trigger 2 · Velocity Drop — when contract cycle time stretches past target

⚡ Fires when

Standard MSA cycle stretches past 10-day p90 (vs. 7-day target), OR vendor-review queue grows by > 25% week-over-week, OR custom enterprise cycle stretches past 28-day p75. Threshold

▎ Why this matters

Cycle time is the seat-defining metric for revenue velocity. When it stretches, Sales loses quoting confidence and starts treating legal as the deal-cycle blocker. Trigger 2 fires when the trend bends — before complaints reach the CRO 1:1.

▎ Why ShiftFocus catches it

Ironclad shows contract status. Salesforce shows deal stage. Neither tracks cycle-time SLA. ShiftFocus runs cycle time as a KR with target — and stretching fires a trigger that surfaces the structural cause (capacity, recursive redlines, exception bottleneck).

▎ Example scenario

Q3 week 4: standard MSA cycle drifted from 7d p90 to 11d. Trigger fires. Root cause: 2 paralegals out simultaneously, queue not redistributed. Fix is capacity routing, not yelling at the team.

Trigger 6 · Dependency SLA Breach — when upstream commits to legal break SLA

⚡ Fires when

A tracked upstream dependency — Sales sending incomplete deal info, RevOps fields not populated for contract intake, IT not flagging vendor procurements until after deployment — misses its SLA by > 48h. Threshold

▎ Why this matters

Most legal cycle-time issues trace to upstream incompleteness. When Sales sends deal info missing pricing or term, the contract bounces back. When IT deploys vendors without flagging, the review queue hits you reactively. Trigger 6 attributes those breaches upstream — not to Legal for "being slow."

▎ Why ShiftFocus catches it

Salesforce holds deal info. Procurement tools hold vendor requests. Neither links them to legal-cycle dependencies. ShiftFocus runs the cadence layer where every upstream commit to legal becomes a tracked SLA dependency — and missing it fires a trigger to the function, not to GC.

▎ Example scenario

Q3 week 5: 4 contracts came to legal missing required fields (term length, payment terms, jurisdiction). Trigger 6 fires to RevOps + Sales VP. Tuesday's exec meeting opens with "deal-info completeness has breached 4× this quarter — process fix needed" — not "legal is slow on contracts."

The other 4 that also fire on your KRs

Trigger 1 · Missed Cadence

⚡ When

Monthly regulatory-register review skipped, OR weekly contract-pipeline review skipped, OR quarterly outside-counsel spend review missed.

▎ Example scenario

Trigger 3 · Momentum Decay

⚡ When

Recursive-redline rate trending up 3 quarters running, OR outside-counsel spend trending up 15%+ YoY.

▎ Example scenario

Recursive redlines: 22% → 28% → 35%. Trigger fires before threshold breach.

Trigger 4 · KPI Drift

⚡ When

Open Tier-1 regulatory matter aging past 50 days, OR vendor-review queue exceeds 10 open items.

▎ Example scenario

3 open regulatory matters past 50 days. Trigger fires before 60-day breach.

Trigger 5 · Owner Absence

⚡ When

Open regulatory matter without named owner, or vendor-review request without assigned legal reviewer.

▎ Example scenario

Audit: 4 regulatory matters with "legal team" as owner-by-default. Trigger fires.

Why this works alongside your existing legal stack

Ironclad, DocuSign, SpotDraft hold contracts. Matter-management tools track outside counsel. Privacy platforms track regulatory compliance. Each does its job. ShiftFocus is the cadence layer above them — every upstream commit becomes a tracked SLA, stretching fires before the CRO complains, and legal KRs run on one weekly review.

ESCALATION DESIGN

The General Counsel escalation chain — 5 levels, all on a 48-hour clock.

Below: an upstream dependency breach (Sales sending deal info missing required fields, slowing contract turnaround) threaded through the ladder.

L1
Auto-Nudge — to AE + Sales manager
Friday 4pm: contract intake missing 3 required fields. Trigger 6 fires. AE + Sales manager get Slack + email: contract-info SLA breached.
Immediate
L2
Peer Flag — RevOps + Sales VP + GC see it
Monday: still incomplete. Visible in RevOps, Sales VP, and GC dashboards. Resolution at sales-management layer.
+48h
L3
CRO Review — direct conversation with Sales VP
Tuesday: still stuck. CRO directly asks Sales VP about repeat incompleteness pattern. Conversation is CRO-to-Sales-VP, not GC-to-Sales.
+48h
L4
Pattern Brief — recurring breaches surface
Q3 audit: 9 contract intakes incomplete this quarter. Pattern goes to CRO + GC + RevOps — sales-process problem, not legal-team problem.
Week 7
L5
Intervention — operating-cadence review
Quarter close. Standard MSA cycle stretched from 7d to 12d driven by upstream incompleteness. Full Sales + Legal + RevOps exec team in the room. Decision: enforce contract-intake requirements at AE-scorecard level, or accept the structural cycle-time drift.
Quarter-end

What this kills

The failure mode where you spend Q3 chasing AEs for missing intake, present a "we're working on cycle time" Monday that's already out-of-date by Tuesday's next incomplete handoff, and absorb deal-cycle blame at QBR. Trigger 6 fires the moment intake is incomplete — at the AE, not your desk.

EXECUTION INTELLIGENCE

How the 5 ShiftFocus metrics read on your GC KRs.

ShiftFocus runs five health metrics on every KR — same five whether the KR is "Standard MSA ≤ 7d, 90%" or "Zero open Tier-1 regulatory risks > 60d" or "Vendor-review SLA ≤ 5d." Here's what each tells you on a GC KR.

Velocity

"Is this KR moving fast enough this week?" If standard MSA cycle was 9d last week and 7d this week, velocity is positive. If vendor-review queue grew from 6 to 12 items, velocity is negative. Below 0.5 = behind.

Momentum

"Is the trend bending right over weeks?" Recursive-redline rate creeping from 22% → 28% → 35% bleeds momentum. Below 60 = decaying.

Alignment

"Are upstream dependencies clean?" Your "≥ 90% standard MSAs in 7d" depends on Sales sending complete intake, RevOps holding template discipline, and IT not deploying vendors without review. Below 70 = inputs broken.

Execution Risk Index

"How exposed is this OKR to missing the year?" Combines KR status and depth. Crossing threshold mid-quarter fires L4 brief.

Success Probability

"What are the odds this OKR lands?" Not "we're trending toward 7d cycle" — "70% probability of holding 7d standard MSA cycle; largest risk is recursive redlines on liability-cap clause."

What this looks like at week 6 of Q3

$40M ARR SaaS, 320 employees, 4-person legal team. GC has three OKRs running mid-quarter:

O1 — Standard contracts close in 7 days.

Velocity 0.62 (cycle stretched 7d → 11d this quarter) · Momentum 55 · Alignment 60 (Sales intake completeness breached 4×) · Risk 60 · Success Probability 44%

O2 — Regulatory risks resolve before they age.

Velocity 0.84 · Momentum 71 · Alignment 78 · Risk 38 · Success Probability 65%

O3 — Legal lands in commercial decisions before term-sheet.

Velocity 0.75 · Momentum 67 · Alignment 72 · Risk 45 · Success Probability 56%

What you read in 30 seconds: O2 is solid. O1 is at risk because Sales-side intake completeness keeps breaching. CRO 1:1 conversation: "intake completeness has breached 4× — fix the AE-scorecard requirement before Q4" — not "legal is slow on contracts."

What the legal-cycle gap actually costs

The primary case is operating quality. Dollar leakage varies by ARR — but four costs reliably stack the same year:

→ Deal-cycle drag from slow contract turnaround — close-rate impact on enterprise deals waiting on legal

→ Outside-counsel spend creep — reactive matter routing without scope discipline

→ Hiring close-rate drag — quarterly equity batches mean offers go out with "equity TBD"

→ Risk surface from unreviewed vendors — function teams bypass review when SLA is too long

Each costs more than the cadence investment that prevents it.

The case to make to your CRO and CEO

Convert "legal is slowing deals" into "of 18 contracts past 14-day cycle this quarter, 12 trace to incomplete Sales intake, 4 to recursive redlines on liability-cap, 2 legitimate complexity; here's the AE-scorecard fix." The seat-defining moment is when the CRO sees cycle drag as a Sales-process problem with a Legal-process partnership fix.

▶ Pilot-verifiable

See where your legal KRs actually break — and which upstream function caused it.

Connect your contract, matter-management, and procurement systems. We'll audit the last 4 quarters for contract-cycle drift, regulatory-aging patterns, and upstream incompleteness causes — and show you which functions' missed commits caused which legal-cycle issues, week by week.

Run my General Counsel OKR audit → Run 90-day Parallel Pilot →