By Michael Rasmussen, GRC2020 Pundit & Analyst
In today’s global business environment, a broad spectrum of economic, political, social, legal, and regulatory changes continually takes the organization to a new level of strategic and tactical complexity and creates commensurate pressures on business performance. The legal department has become essential in navigating this risk in today’s complex, dynamic, distributed, and disrupted business environment. In this context, legal plays multiple roles in the organization.
One role is as an advisor to the business to ensure the organization can reliably achieve objectives (governance), while addressing uncertainty (risk management) and acting with integrity (compliance). This is GRC at an enterprise level, or Enterprise GRC/eGRC. It involves multiple departments and functions working together so that the organization as a whole has a coordinated capability spanning governance, management, audit, risk, compliance, legal, ethics, security, and more.
While few would argue with the goal of GRC and the need for effective risk and compliance management as foundational activities, in most organizations risk and compliance activities are undertaken in organizational and functional silos – IT, enterprise/operational risk, internal audit, legal, corporate compliance, and more. This uncoordinated approach, with its disconnected processes, differing means and methods, and costly gaps and redundancies, fails to deliver on wide-ranging stakeholder demands. By taking an integrated approach to GRC efforts, the organization can better manage risk, ensure value preservation and growth, and report on ESG activities and metrics.
Legal plays a critical role in enterprise GRC strategies. With responsibility for understanding legal matters and issues, investigations, policy management, reporting and filing, legal risk and the obligations faced by the organization, Legal is a core player in the strategic design of integrated enterprise GRC strategies. In this role, legal must be able to rely on a well-constructed understanding of how legal risks fit into enterprise risk frameworks.
HOWEVER, legal also has the role of managing legal processes and functions within the legal department. These support the business in its broader performance and enterprise GRC strategies and initiatives but are functions internal to the legal department. Legal today is more than legal matters, actions, and contracts. Today’s legal organization has to respond to incident/breach reporting and notification laws in a timely and compliant manner, respond to Data Subject Access Requests (DSAR), harmonize and monitor retention and other privacy obligations, conduct e-discovery, manage legal holds on data, and continuously monitor regulations and legislation and apply them to a business context.
Today’s legal department must have a full understanding of the regulatory, privacy, litigation, contractual, transactional, and intellectual property risks, how they relate to each other, and how they are managed internally within the legal department. This is Legal GRC: it fits into a broader enterprise GRC strategy, but also operates on its own within the legal department to ensure that legal is properly governed. Legal GRC is a capability to reliably achieve the objectives of the legal department and ensure they are aligned with business objectives and needs [GOVERNANCE], while addressing legal uncertainty and exposure [RISK MANAGEMENT], and acting with integrity toward the obligations and ethical commitments of the organization [COMPLIANCE].
While many organizations have worked hard to develop their enterprise GRC strategies to gain visibility into risks as they span the organization and impact objectives, many are only now turning to refining and improving GRC within the legal department itself through Legal GRC. Organizations need to clearly define a strategy, as well as a process, information, and technology architecture, to enable Legal GRC, support broader enterprise GRC, and enable the legal department to be efficient, effective, and agile in responding and delivering to the needs of the business.