The role of legal is growing in significance as it guides the enterprise beyond putting out the fires of legal matters. It is expanding into a proactive role in legal governance, risk management, and compliance – with a focus on preventative law and becoming a critical pillar in an organization’s broader enterprise/integrated governance, risk management, and compliance (GRC) strategy. This requires that legal be an integrated role in the organization’s proactive enterprise GRC capabilities as well as deliver on governance, risk management, and compliance in the context of legal itself, what is called Legal GRC.
Today’s legal department must have a full understanding of the regulatory, litigation, contractual, transactional, privacy, and intellectual property risks, as well as how they all relate to each other and fit into broader business operational, transactional, and GRC processes. The role of legal must be able to rely on a well-constructed understanding of how legal risks fit into enterprise risk frameworks. The general counsel has a critical role beyond the traditional stance as “protector” of the organization and its assets (via contract negotiation, litigation, and interpretation of legal requirements) and now is an active part of the strategic planning that leads to achieving higher performance and governance of the organization.
Legal has the opportunity to serve as the hub for collaboration about how best to balance legal risks and opportunities presented by the organization’s decisions and actions. Today’s legal function must lead the organization to higher levels of performance while assuring the board and other stakeholders that the company can also maintain integrity, mitigate risk of legal exposure, and operate within legal and ethical boundaries. This means the organization will take full advantage of opportunities that will help meet its objectives, while staying within the boundaries of laws, regulations, contracts, and corporate commitments.
As a key player at the center of the GRC strategic team of the enterprise, the role of legal must address wide-ranging stakeholder demands and concerns to:
- Identify key risk indicators for Legal GRC changes as they occur – which legal is aware of early due to its role in contracts or negotiations, such as merger and acquisition activity, litigation and settlements, licensing arrangements, vendor/partner contracts, and new/changing legislation and regulation.
- Define legal and/or contractual required controls to mitigate legal risk exposure in transactions and relationships and support business strategy and objectives.
- Lead the identification of legal requirements and interpreting the need for controls to address them.
- Monitor contractually and regulatory imposed requirements to ensure controls are correct in the context of the dynamic business environment.
- Participate in the design of the Legal GRC program regarding confidentiality, access limitations, and information governance.
- Assess potential impacts of noncompliance to determine correct level of control and allocation of legal and organization resources.
- Design escalation plans for issues and incidents — when should legal be involved right away, when does privilege have to attach, when does the board or external stakeholder have to be informed, and when does legal conduct certain investigations.
- Determine actions that may have a cumulative effect; for example, settling an environmental noncompliance matter may cause government contracting debarment if not handled properly.
- Understand new business opportunities and enable safe and responsible business growth by avoiding unnecessary legal exposure.
- Articulate to the board why a clear and integrated view of legal governance is critical to the organization’s culture, performance, as well as their fiduciary responsibilities.
- Manage the legal department in an optimized way that delivers effective, efficient, agile, and responsive service to the rest of the organization.
- Demonstrate how centralized oversight and supporting technologies for Legal GRC process management drives predictable behavior and performance results.
- Communicate the benefits of including legal risk management within business performance management and change initiatives.
- Influence other key functional executives to support legal’s role in the GRC strategy alongside the organization’s achievement of business objectives.
- Collaborate with key C-suite executives in developing Legal GRC processes that allow for measurable evaluation of legal effectiveness and efficiency.
- Assist the CEO in evaluating opportunities and preventing adverse legal ramifications and risks from materializing.
- Equip management to appreciate how an integrated Legal GRC model can improve processes while reducing or eliminating redundant efforts and be leveraged across other functions.
- Incorporate legal GRC management and assurance across extended business relationships (e.g., supply chain, vendors, and contractors).
Across all of these points, the role of legal must embrace a strategic view that satisfies the demands of all these forces while keeping an eye on the prize — meeting the organizational objectives for value.
This is driving forward-thinking organizations to define and establish an expanded role for Legal GRC that goes beyond the traditional role of managing litigation, negotiating legal agreements, and protecting intellectual property. Legal is becoming a high-impact GRC advisor that addresses:
- Key stakeholders (investors, regulators, NGOs, local communities, etc.) demand transparency.
- Board and C-suite need for clear, reliable, and measurable information about legal risk that will impact strategic decisions and future outcomes.
- Board needs objective, independent assurance that the legal program is functioning effectively and efficiently as designed.
- Compliance, ethics, privacy, and security in legal’s role of applying regulations and legislation to the specific business context and meeting reporting, access, disposition, and notification requirements.
- Line of business need for matter management, issue identification, investigations, policy management, document and information management, reporting and filing, and legal risk assessments that do not disrupt operations, and are consistent to promote desired behaviors and transactions.
- An overarching need for improved efficiencies and reduced legal risk throughout the extended enterprise.
- Growing the business in a safe, responsible manner that keeps it within established legal boundaries of conduct.
The above blog is an excerpt from GRC 20/20’s latest research paper, Legal GRC Management by Design: