Understanding the Interrelationship of Legal Risk and the Business
In today’s global business environment, a broad spectrum of economic, political, social, legal, and regulatory changes is continually bombarding the organization. The organization continues to see exponential growth of regulatory requirements and legal obligations (often conflicting and overlapping) that must be met, and these multiply as the organization expands its global operations, products, and services. This requires an integrated approach to legal governance, risk management, and compliance (GRC) with the goal of reliably achieving objectives while addressing uncertainty and acting with integrity. This includes adherence to mandatory legal requirements, to voluntary organizational values, and to the boundaries each organization establishes for itself. The legal department, with responsibility for understanding matter management, issue identification, investigations, policy management, reporting and filing, legal risk, and the regulatory obligations faced by the organization, is a critical player in GRC across the enterprise (what is understood as Enterprise or Integrated GRC), as well as in improving GRC within the legal function itself (what is defined later in this paper as Legal GRC).
Most organizations today at least try to address the legal risks, intellectual property protection, contracts, business requirements, and compliance obligations they face. Both internal and external stakeholders and events have caused many to increase legal monitoring and reporting, especially with regard to changing laws and regulations, where demands grow every day. Boards and executive management want a deeper understanding of how their teams address legal matters, whether those activities are effective and efficient, and how they can enhance them to create the greatest reward for their shareholders while mitigating legal damage. Legal risk is a significant exposure that fits into a broader enterprise risk management strategy addressing the strategic, operational, and financial risks bearing down on the organization. As this demand for transparency increases, so does the need for the legal function to manage and monitor legal risks within a defined GRC capability.
The physicist, Fritjof Capra, made an insightful observation on ecosystems that rings true when applied to legal governance in the modern organization:
“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”
Fritjof Capra
Capra’s point is that ecosystems are complex, interconnected, and require a holistic understanding of the intricacy in interrelationships as an integrated whole, rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts the entire ecosystem.
Legal GRC: a New Paradigm for Governing Legal
Legal governance, risk management, and compliance as it is conducted in the business is pervasive, complex, and interconnected; when it comes down to it, legal risk and exposure go beyond the legal department, intersecting with other departments and their strategy, obligations, processes, transactions, relationships, information, and contracts. Business functions often take legal risks without involving legal, or legal does not have the resources to get involved.
What complicates this is the exponential effect of legal governance on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Silos of data, systems, processes, activities, and transactions can leave the organization with fragments of truth that fail to show the big picture of legal risk exposure. A legal risk such as the handling of DSARs (data subject access requests) could reveal inappropriate use of personal information, and the exposure of that information could have a cascading impact on the brand and reputation, as well as bringing fines on the organization. The organization has to have holistic visibility and 360° contextual awareness of legal risk relationships across the enterprise and its operations. The complexity of business, combined with the intricacy and interconnectedness of legal data, requires that the organization implement a new strategy and paradigm for legal governance, risk management, and compliance (Legal GRC).
Legal GRC is a capability to reliably achieve the objectives of the legal department and ensure they are aligned with business objectives and needs [GOVERNANCE], while addressing legal uncertainty and exposure [RISK MANAGEMENT], and acting with integrity toward the obligations and ethical commitments of the organization [COMPLIANCE]. This is adapted from the official GRC definition in the OCEG GRC Capability Model. Breaking this down, Legal GRC delivers:
- Legal Governance. Governance of the legal function that sets direction and strategy for legal to reliably achieve objectives within the department and support the business in achieving its objectives.
- Legal Risk Management. Legal risk management seeks to understand and manage uncertainty in the business, particularly the legal impact of its activities, through the identification, assessment, and monitoring of legal risk within the context of the business, and to act on legal risk through acceptance, avoidance, mitigation, or transfer.
- Legal Compliance. Compliance aims to see that the organization acts with integrity in fulfilling its regulatory, contractual, and self-imposed obligations and values. Compliance follows through on legal risk treatment plans to assure that legal risk is being managed within limits and controls are in place and functioning.
Without a coordinated strategy for Legal GRC management, the organization lacks insight and context, making it nearly impossible to connect legal risk management to decision-making, business strategy, objectives, and performance.
The bottom line: Organizations need to adopt a new paradigm of an integrated approach to Legal GRC. This is done through a common Legal GRC strategy, process, information, and technology architecture that supports overall legal activities, as well as integrates and supports the broader business objectives and GRC activities from an enterprise view. Organizations need to clearly define and develop the breadth and depth of their Legal GRC management strategy and process requirements, and from there select the right information and technology architecture that is agile and flexible to meet the range of Legal GRC management needs for today and into tomorrow.
The above blog is an excerpt from GRC 20/20’s latest research paper, Legal GRC Management by Design: