Complexity of Business Demands a New Paradigm in Legal Governance, Risk Management & Compliance

Understanding the Interrelationship of Legal Risk and the Business

In today’s global business environment, a broad spectrum of economic, political, social, legal, and regulatory changes continually bombards the organization. The organization continues to see exponential growth of regulatory requirements and legal obligations (often conflicting and overlapping) that must be met, and these multiply as the organization expands its global operations, products, and services. This requires an integrated approach to legal governance, risk management, and compliance (GRC) whose goal is to reliably achieve objectives while addressing uncertainty and acting with integrity. This includes adherence to mandatory legal requirements, to voluntary organizational values, and to the boundaries each organization establishes. The legal department, with responsibility for matter management, issue identification, investigations, policy management, reporting and filing, legal risk, and the regulatory obligations faced by the organization, is a critical player in GRC (what is understood as Enterprise or Integrated GRC), as well as in improving GRC within the legal function itself (what is defined later in this paper as Legal GRC).

Most organizations today at least try to address the legal risks, intellectual property protection, contracts, business requirements, and compliance obligations they face. Both internal and external stakeholders and events have caused many to increase legal monitoring and reporting, especially with regard to changing laws and regulations, where demands grow every day. Boards and executive management want a deeper understanding of how their teams address legal matters, whether activities are effective and efficient, and how they can enhance activities to create the greatest reward for their shareholders and mitigate legal damage. Legal risk is a significant exposure that fits into a broader enterprise risk management strategy addressing the strategic, operational, and financial risks bearing down on the organization. As this demand for transparency increases, so does the need for legal to manage and monitor legal risks within a defined GRC capability.

The physicist Fritjof Capra made an insightful observation on ecosystems that rings true when applied to legal governance in the modern organization:

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”

Fritjof Capra

Capra’s point is that ecosystems are complex and interconnected, and require a holistic understanding of their intricate interrelationships as an integrated whole rather than as a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts the entire ecosystem.

Legal GRC: a New Paradigm for Governing Legal

Legal governance, risk management, and compliance as conducted in the business is pervasive, complex, and interconnected; when it comes down to it, legal risk and exposure go beyond the legal department, intersecting with other departments and their strategy, obligations, processes, transactions, relationships, information, and contracts. Business functions often take legal risks without involving legal, or legal does not have the resources to get involved.

What complicates this is the exponential effect of legal governance on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately influence the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Silos of data, systems, processes, activities, and transactions can leave the organization with fragments of truth that fail to show the big picture of legal risk exposure. A legal risk, such as one arising from data subject access requests (DSARs), could uncover inappropriate use or exposure of personal information, with a cascading impact on brand and reputation as well as fines for the organization. The organization has to have holistic visibility and 360° contextual awareness of legal risk relationships across the enterprise and its operations. The complexity of business, combined with the intricacy and interconnectedness of legal data, requires that the organization implement a new strategy and paradigm for legal governance, risk management, and compliance (Legal GRC).

Legal GRC is a capability to reliably achieve the objectives of the legal department and ensure they are aligned with business objectives and needs [GOVERNANCE], while addressing legal uncertainty and exposure [RISK MANAGEMENT] and acting with integrity toward the obligations and ethical commitments of the organization [COMPLIANCE]. This is adapted from the official GRC definition in the OCEG GRC Capability Model. Breaking this down, Legal GRC delivers:

  • Legal Governance. Governance of the legal function sets direction and strategy for legal to reliably achieve objectives within the department and to support the business in achieving its objectives.
  • Legal Risk Management. Legal risk management seeks to understand and manage uncertainty in the business, particularly the legal impact of activities, through the identification, assessment, and monitoring of legal risk within the context of the business, and to act on legal risk through acceptance, avoidance, mitigation, or transfer.
  • Legal Compliance. Compliance aims to see that the organization acts with integrity in fulfilling its regulatory, contractual, and self-imposed obligations and values. Compliance follows through on legal risk treatment plans to assure that legal risk is being managed within limits and that controls are in place and functioning.

Without a coordinated strategy for Legal GRC management, the organization lacks insight and context, making it nearly impossible to connect legal risk management with decision-making, business strategy, objectives, and performance.

The bottom line: Organizations need to adopt a new paradigm of an integrated approach to Legal GRC. This is done through a common Legal GRC strategy, process, information, and technology architecture that supports overall legal activities and also integrates with and supports the broader business objectives and GRC activities from an enterprise view. Organizations need to clearly define and develop the breadth and depth of their Legal GRC management strategy and process requirements, and from there select an information and technology architecture that is agile and flexible enough to meet the range of Legal GRC management needs for today and into tomorrow.

The above blog is an excerpt from GRC 20/20’s latest research paper, Legal GRC Management by Design:

Legal at the Center of GRC Leadership and Strategy

Legal Challenges in a New Era

Today’s global business environment presents a broad spectrum of economic, political, social, legal and regulatory changes, which continually increase strategic and tactical complexity and create commensurate pressures on business performance, along with exponential growth of often conflicting and overlapping legal and business requirements as operations expand globally. The enterprise must reliably achieve business objectives while addressing uncertainty and acting with integrity – all the while remaining within mandatory legal requirements. It must also manage and maintain legal risk within the limits that the organization has established.

Legal risks include:

  • Regulatory risk: The risk associated with myriad laws, rules and regulations. It includes common regulatory risks associated with labor laws, information privacy and anticorruption, as well as risks specific to industries such as banking, pharmaceuticals, energy and utilities and health care.
  • Entity management and corporate filings risk: The risk associated with keeping the entity in good standing with governing agencies, and filing information with regulators and government agencies.
  • Litigation risk: The risk associated with ongoing, imminent and potential litigation.
  • Contract risk: The risk involved in vetting contracts and monitoring compliance with contract requirements and provisions.
  • Transaction risk: The risk associated with mergers and acquisitions, including the legal risks of the acquired organization.
  • Intellectual property (IP) risk: The risk involved with copyrights, trademarks and patent infringements, as well as leakage and/or loss of confidential corporate information.

Most organizations try to address and effectively manage legal risks, IP protection, contracts, business requirements and compliance obligations. But both internal and external stakeholder forces and events have caused organizations to increase legal risk monitoring and reporting, particularly with regard to changing laws and regulations.

The Role of the Legal Department in GRC

In many organizations, the significance of the legal department is growing. Today, the department guides the enterprise beyond putting out fires in legal matters. It is being tasked to take on a proactive role in legal risk management and preventive law, while functioning as a critical pillar in an organization’s risk management strategy. This requires that legal be

The rest of this post can be found in a guest blog on the Wolters Kluwer ELM Solutions Blog.


Exploring the New Frontiers Between Legal and GRC