Last year at Legaltech New York I spoke to an in-house attorney about one of her worst days on the job. She was hard at work on litigation related to a compliance breach. The breach had occurred because the compliance staff mistakenly believed that a particular regulation did not apply to their business unit. There had been an internal investigation of the incident, but she was having difficulty verifying the steps the company had taken because the records were in disarray. Some of the investigation files were incorrectly moved into an unrelated archive, while other activities were undocumented altogether.
While trying to navigate the morass, she received a mass email from a colleague instructing everyone, incorrectly, that a certain regulation – yes, the very same one now making my friend’s life so difficult – was not applicable to the company. She feared that another breach could result and that she’d have to go through the process all over again.
Fortunately, the embattled attorney was able to quickly contact the right colleague and have a correction sent out. But she was understandably frustrated by the difficulties she’d encountered, particularly because she knew that better communication, coordination and internal knowledge sharing could have made it simpler for the company to solve their problems or even prevent them completely.
It’s not at all unusual for corporate counsel to be asked to help with the fallout from missteps in the area of governance, risk and compliance (GRC). But when the legal department is brought into all steps of critical GRC processes, attorneys can focus on helping the company avoid problems rather than reacting to them.
Processes and technology should be designed to enable tight cooperation between GRC and legal staff and facilitate the essential communication link that exists between the two. With this infrastructure in place, companies are better equipped to mitigate risk, proactively address their rapidly changing business environments and achieve compliance.
There are many issues that organizations often encounter when legal’s role in GRC efforts is reactive or after the fact. We regularly see clients facing the following pitfalls, all of which can put an organization at greater risk:
- Misunderstandings about regulatory coverage
- Disorganized/incomplete investigations
- Ineffective policies and training
- Third-party incidents resulting from due diligence misses
- Claims and litigation that could have been prevented
- Strategic planning without adequate information or advice
[Illustration – Caption: ©2015 oceg.org. Wolters Kluwer ELM Solutions collaborated with the Open Compliance and Ethics Group (OCEG) on an illustration that demonstrates the importance of close cooperation between GRC and legal staff. To view the full infographic, please visit the Experts’ Corner at wkelmsolutions.com.]
Collaboration is critical
Staff who fulfill GRC functions, whether they are assessing and prioritizing risk, creating policies in response to a new regulation or handling an incident that has occurred, should include their legal counterparts who can advise on the effort. The attorney I met at Legaltech, for example, would have identified the regulation as applying to her company’s business, potentially heading off the breach as well as the subsequent litigation.
The examples below illustrate a few of the circumstances that call for collaboration between the GRC and legal functions.
- Interpretation of and guidance on regulations. Legal service providers often need to be consulted for opinions and guidance on the applicability to the company of a new regulatory requirement or a change to an existing one. They are also called on to assess the implications of a specific regulation on business operations and/or the compliance requirements in a particular situation.
- Risk assessment. The risk management team may solicit in-house legal staff to participate in risk assessments. For example, a risk manager may require the expertise of a regulatory law professional to help determine the impact of noncompliance related to a newly identified regulatory risk.
- Obtaining policy reviews and approvals. Legal is naturally a key contributor in the review and approval of any draft policies and should also be included in consideration of any policy exception requests.
- Third-party due diligence and contract development. When a company intends to bring on a new third-party supplier (or renew a contract with an existing one), an effective compliance team goes through a due diligence process to determine the risk level of the third party. The legal department may participate in approving the third-party relationship and will certainly be engaged in determining the specific compliance terms and conditions required for the contract.
- Dealing with a compliance incident that becomes a litigation matter. Some compliance incidents result in litigation or the need for other legal involvement. When this is the case, the sooner the legal team knows about the incident, the better, and it is important for litigators to have easy access to any information gathered by investigators or other staff involved in handling the incident. It is equally important for members of the incident and compliance management teams to have a clear picture of the results of any legal action as well as the associated costs.
What are the right tools?
While proactive legal involvement in compliance, risk and audit is key to effective GRC strategy and favorable outcomes, it needs to be supported by technology that is built with close collaboration in mind. Integrated enterprise technology can provide a common platform for both GRC management and legal management, encompassing matter and spend solutions. By combining the tools used by GRC and legal staff on one platform, both teams are able to benefit from efficient shared workflows and access to common data and document repositories.
Perhaps the clearest illustration of how this type of integrated technology benefits companies is when a compliance incident becomes a legal matter. Using rules established in the common platform, the triage of a compliance incident can trigger the system to generate and send a notification to legal staff, providing them with an early warning of a potential new litigation matter. Any evidence gathered during the incident/loss investigation is stored in the common document management system – tied to the appropriate matter. Should litigation ensue, legal staff can access the investigation findings to prepare their case. As the matter progresses, the system provides analytics and reporting to GRC staff, returning data on outcomes, including judgments, damages and the legal costs of litigation.
All of this shared information remains connected to the initiating incident, providing a complete accounting of the full cost of compliance breaches for legal, compliance and senior management. Having the GRC and enterprise legal management systems on the same technology platform creates a closed loop between the functions by eliminating gaps in communication and facilitating information sharing and cost management for compliance incidents.
The complexity of managing compliance and legal efforts will not diminish in the foreseeable future. The good news, though, is that proactive legal involvement in GRC, supported by integrated enterprise technology, can help with the following:
- Reducing inefficiencies, lack of visibility, and confusion
- Controlling risk exposure and strengthening regulatory compliance
- Providing meaningful input for assurance and strategic planning
By driving good communication, manageable workflows and controlled information access, strong internal collaboration can even help ensure that my beleaguered attorney friend can accomplish her goals and avoid days like the one she suffered through last year.
Published September 1, 2016.