Juggling three responsibilities—governance, risk mitigation, and compliance—can pose a daunting task for any in-house lawyer. To make matters worse, rising costs associated with fulfilling these responsibilities have recently fallen under the scrutiny of the CFO. In-house counsel is now charged with proving effective performance on a budget without creating monumental costs to the enterprise.

This task became exponentially more difficult when, in December 2006, the amendments to the Federal Rules of Civil Procedure went into effect. These rules codified that electronically stored information is discoverable and set out certain practices, policies, and standards that all in-house counsel must implement in order to properly identify, collect, process, review, and produce electronically stored information.

Nearly two years after these rules were enacted, many organizations still struggle to comply. Legal departments continue to lack the knowledge and the tools to apply good governance; e-discovery risks are difficult to mitigate because these risk areas are difficult to pinpoint; and ensuring compliance across the corporation is a challenge because compliance initiatives involve not only the legal department, but nearly every department and system within the organization.

Although e-discovery is one of the biggest pain points for in-house counsel, it is certainly not the only one. There are numerous other compliance burdens that corporate legal departments must handle on a regular basis. Some affect all organizations, while others are industry specific.
Below are some of the significant laws and regulatory areas that the General Counsel's office is burdened with:

- Antitrust Laws
- Environmental Laws and Regulations
- Employee Health and Safety Laws and Regulations
- Nuclear Regulatory Commission Regulations
- General Labor and Employment Laws
- Electric Safety Requirements
- Securities Laws
- Pipeline Safety Requirements
- FCC, FDA, CFTC Regulations

The overwhelming burden of coordinating compliance initiatives across an enterprise, which itself is often fairly dispersed, is a monumental challenge. This is why many companies are taking a reactive approach to compliance, tackling each government inquiry, regulatory requirement, and discovery request on an ad hoc basis with no set policies in place. However, this not only creates costly inefficiencies, it also exposes an organization to an exponentially higher amount of risk.

It is time for in-house counsel to start devising a new approach to their practices, one that is known as Legal GRC.

What Is Legal GRC?

Legal GRC holds the potential to alleviate the pain and reduce the risk exposure that in-house counsel experience across the myriad of compliance areas. The acronym stands for governance, risk and compliance. It has been applied successfully in other professional spaces, most notably the IT and finance sectors. Although the term is still fairly undefined, it is basically a holistic approach to identifying compliance burdens and risk areas, creating processes and policies to mitigate these risks, instituting controls to ensure compliance with internal and external policies, and benchmarking metrics associated with risk areas in an effort to track the success of the GRC initiative. In other words, rather than taking a reactive stance to compliance and risk mitigation, business professionals implement a proactive approach, anticipating risk exposure by establishing good governance and controls to minimize future risk.
IT and finance GRC both rose to maturity after the passage of the Sarbanes-Oxley Act in 2002. These departments needed a way to review company systems and financial information as a whole due to the huge penalties that the company and its officers could face for noncompliance. Both IT and finance worked together to identify risk areas within their organizations, create special internal audit groups to oversee the implementation of policies and controls around this space, and track the success of their initiatives by identifying quantifiable metrics. By responding to SOX with GRC principles, these departments successfully minimized the burden on resources that SOX posed while reducing their companies' risk exposure.

Just as the IT and finance sectors responded to SOX with a GRC approach, legal faces a universal set of compliance burdens of its own that necessitates a holistic solution. This approach is Legal GRC.

Legal GRC is a relatively young concept. Although it is still in its infancy, it clearly has tremendous potential to help in-house counsel better manage the risk exposure and compliance concerns that have drained so much time and money in the past. All too often, corporate counsel has had to spend excessive resources reinventing the wheel, so to speak, reacting to litigation requests, government inquiries, and other compliance obligations. Legal GRC holds the power to create efficiencies in internal processes that companies can rely on repeatedly, creating a consistent, streamlined approach to risk mitigation and compliance. For Legal GRC to reach maturity, in-house professionals must begin working with their colleagues now to help collectively define GRC as it applies to the legal space so that, in the future, ensuring compliance with document requests, government inquiries and even court judgments can be tackled effectively and efficiently.
Steps to Effective Legal GRC

Effective management of legal risk and compliance activities has become a business imperative for corporate legal departments. Risks and compliance efforts can no longer be managed in silos—a centralized, holistic, and consistent view of all legal risks and a comprehensive set of automated controls are required.

The first step for a legal department seeking to develop a holistic approach to tackling governance, risk mitigation, and compliance is to identify the various areas of risk the company faces. Some of these burdens are shared by all companies, such as EEOC information requests, HIPAA compliance and court orders. Others are unique to the company's industry sector, such as FTC inquiries for financial organizations or FDA informational requests for pharmaceutical companies. Still other areas of risk might depend on a company's litigation portfolio. For example, an enterprise that handles a high volume of litigation will have additional burdens not shared by entities that face few lawsuits.

Because few areas of risk and compliance deal solely with the legal department, in-house counsel must identify the processes, information custodians, and stakeholders for each risk area. For example, e-discovery involves a wide-sweeping assortment of personnel from IT to business units to records management to outside counsel. Whatever shape Legal GRC takes, it must incorporate these disparate groups in order to ensure compliance throughout the process.

It is likely that e-discovery will be the initial focus of many Legal GRC initiatives. This is because compliance with the Federal Rules can affect every department within a company, the tools necessary to ensure speedy and accurate document production are expensive, and the entire process can be extraordinarily time-consuming.
However, by proactively educating the various business units, establishing internal guidelines to maximize efficiency and reduce risk, and benchmarking the discovery process using metrics such as cost and time, legal departments can reduce the pain associated with responding to a discovery request.

For instance, consider the scenario where IT wants to install a new server on the corporate system. By implementing a proactive Legal GRC approach, IT will already know and plan for the potential legal ramifications of adding a new storage device, including updating the corporate data map to reflect the change. This in turn will allow legal to identify potentially responsive documents on the new server in the event of a request. Meanwhile, records management will know to ensure that proper retention policies are enacted on the new server to help reduce the risks associated with improperly destroying data.

Despite its potential impact on e-discovery, it must be made clear that Legal GRC encompasses a much broader spectrum of compliance concerns. All compliance issues, from government inquiries to court orders, should be part of the Legal GRC process. For example, if a court orders an injunction on the selling of a company's product, there should be a system of controls and policies in place to ensure that every business unit within the company, regardless of geographical location, complies with the order.

The form that Legal GRC takes will depend on the specifics of the organization. However, it is crucial that legal professionals begin communicating with their colleagues to help define Legal GRC and establish a series of best practices. Fortunately, there is now a forum to do just this.

The Center for Innovation

The Legal GRC Center for Innovation was formed to help legal professionals take a holistic approach towards the problems daunting corporate legal departments.
Led by a self-governing board of members, the Center for Innovation will serve as a thought leadership forum dedicated to helping companies understand the impact and implications of legal governance and compliance on business performance, processes, and systems. This will be a collaborative effort in which companies and professionals help each other. Participants will share experiences and develop insights about how legal teams can formulate and implement efficient and effective risk management, governance and compliance processes. Through a variety of informal gatherings, interactive thought sessions, roundtable events, online discussion forums, and other means defined by its membership, the Center for Innovation will provide corporate legal teams with insights into how governance and legal compliance impact business units and will help legal teams formulate and implement efficient and effective responses to increasing regulatory and litigation-related areas of compliance.

Successful Legal GRC initiatives will require both strategic vision and proactive implementation. That vision leverages a combination of policies, processes, and technologies to manage corporate information at all levels. Effective implementation requires a robust operational framework to enable and enforce Legal GRC policies and procedures. Companies adopting these approaches will benefit from a more consistent and policy-based approach to compliance, improved data control and management, and better reporting capabilities. These, in turn, reward companies with mitigated risk, reduced compliance costs, and increased shareholder value.