Mr. Giordano is an attorney who is both a Certified Information Systems Security Professional (CISSP) and a Certified Information Privacy Professional (CIPP) with more than 14 years of legal, technology and risk management consulting experience. As Mitratech's Corporate Technology Counsel, he is a subject-matter expert on the interaction of law, technology and business requirements for the company. Prior to Mitratech, he maintained his own law practice and also held positions as a Senior Manager at Fios Consulting and as a risk management consultant for LexisNexis. Mr. Giordano is a member of the State Bar of California and the DC Bar.
Editor: How have the general counsel's responsibilities expanded, and what factors have necessitated this new role?
Giordano: Due in part to scandals involving insider trading, white collar crime and fraud, we've seen an increase in corporate governance regulations, and the GC's role has evolved beyond traditional chief legal officer (CLO) in charge of litigation, transactions, cost reductions and legal outsourcing. Today's GC needs to oversee corporate governance and compliance areas as well as play a key role in shaping governance, risk and compliance (GRC) management policies. The role has expanded to include proactive legal risk management and preventative law, becoming a critical pillar in an organization's risk management strategy.
As such, the GC needs to work directly with the board of directors both to keep them apprised of the daily operations of the company's compliance programs - keeping the best interests of the shareholders at the forefront - and to proactively advise on risks and ways to safeguard company profits by demonstrating that proper policies, procedures and controls were in place to monitor violations.
Thus, added to the traditional CLO role is the requirement to help drive risk assessments, policy management, internal investigations, corporate social responsibility and compliance management.
Editor: What issues and conflicts emerge from this expanded role, and how are organizations addressing them?
Giordano: Well, as Ben Heineman (former GC of GE) aptly put it - the greatest challenge for the GC is to reconcile the dual and sometimes contradictory role of being a partner to the business and a guardian of its reputation and integrity. Increasingly, we've seen the GC charged with the dual role of the company's CLO and a member of its executive team, and adding governance, risk and compliance responsibilities raises some important issues.
There is a conflict, for example, when the GC's compensation package is tied to company profitability and stock options. It raises questions of impartiality when there is a personal incentive to disregard playing the corporate cop and maximize payouts that might be a result of manipulated financial numbers. Similarly, when an M&A or joint venture may affect the GC's company shares, it raises the question of whether the GC will advise the board as a lawyer or as a business executive interested in passing an initiative.
On the flip side, other executives might see the GC as a corporate cop - an obstacle to their objectives - and intentionally keep him or her out of any important discussions.
Some organizations have attempted to address these issues by implementing a separate and distinct role - that of the chief compliance officer - that often reports to or collaborates with the GC. Others have opted to place limitations on the GC's authority to minimize conflict. Regardless of how your company is structured, however, it's clear that the GC has a key role to play in designing and developing an integrated GRC program.
Ultimately, effective GRC is a collaborative, cross-team, multi-function process. The CLO, with responsibility for the organization's legal matters, issue identification, investigations, policy management, reporting and filing, and risk exposure is uniquely positioned to oversee the process.
Editor: What advice do you have for corporations that want to establish an effective GRC program?
Giordano: An integrated GRC strategy is a concerted, enterprise-wide effort to deliberately, rather than randomly and haphazardly, architect a process approach to governance, risk and compliance activities. An integrated GRC effort is a transforming initiative that brings change across the four principal operational dimensions: people, process, technology and culture.
At the center of it all, the GC must understand the legal implications of GRC at both the strategic and operational levels, and must be prepared to guide the organization to achieve the greatest value from the GRC strategy.
To initiate the process, the GC should lead the organization through a series of conversations to develop and drive the GRC strategy by first understanding the risks the organization faces. The GC's conversation with the board should focus on how he or she can bring assurance that legal risks are effectively and proactively monitored. With the CEO, discussions would focus on how Legal can help plan business strategy both safely and responsibly. Further discussions include, with the chief financial officer, how to help grow and protect value; with the chief risk officer, how to communicate legal risks as part of an enterprise risk management program; with the chief ethics and compliance officer, how to communicate legal and regulatory change that may affect ethics and compliance programs, and so on.
Once the company's GRC strategy has been designed and implemented, it's critical to provide the means for various business groups that are involved in executing the program - Human Resources, IT, Risk, Internal Audit, and others, as well as outside experts and regulators - to collaborate, while providing transparency and visibility for the board and management.
Editor: How can corporations maintain control throughout the process of establishing compliant GRC management programs?
Giordano: All compliance is collaborative, and managing your GRC obligations falls into place when you organize your actions around four simple principles, and follow through with corresponding systems to execute them. First, you need to know your compliance circumstances and then know your response. Once that's set, you need to make sure you do what you promise and are able to prove what you did.
Regarding accountability, demonstrating that all four principles were followed is paramount for establishing your organization's integrity. To that end, TeamConnect GRC focuses collaborative accountability functionality into corresponding areas.
To get control over your compliance obligations, collaboration with regulators, internal teams, outside counsel and relevant contractors is essential to unifying the information streams about regulatory change. Legal must have a clear understanding of existing regulations, changes already coming, proposed changes under consideration and the impact of regulations, to be able to comply responsibly. TeamConnect unifies the pertinent information streams, individual contributors and group workflow accountability, creating a referenceable record of all participation.
Policy management then allows the GC to document and communicate the company's response to obligations. Responses must include detailed follow-through in business operations. Compliance officers and regulatory managers, along with key managers, must work with relevant line-of-business owners to ensure operating practices embed processes and behavior compliant with rules. TeamConnect is the information backbone for developing and implementing policies, providing the means to establish and document procedures and communicate them to staff. Attestation of policy execution is supported via email or paper, and training on policies and procedures can be centrally referenced.
Once policies managing GRC are in place, you need to make sure policy becomes a sustainable practice. You have to support internal audit of practices, sampling to determine the efficacy of GRC procedures using branch office visits, continuous tracking of disputes resolution and customer complaints. Such procedures provide a unified view of both offline and online channels for relevant communications. TeamConnect GRC provides the collaborative features to support controls over practices and procedures, and the recall to satisfy accountability.
Editor: How can companies both ensure that GRC policies are up to date and monitor internal compliance with procedures?
Giordano: No matter how perfect your procedures are on roll-out, the practical reality is that people make mistakes and practices fall out of compliance over time. Discipline wanes. Staying on track with GRC concerns requires remedial action plans and tracking for revisions to procedures. Procedure gaps must be identified, filled and tracked for effectiveness. Moreover, proactive remedial action pays, as compliance audits by regulatory agencies tend to be more punitive if procedural lapses are discovered by them rather than surfaced by you.
With regulators increasingly rigorous and data driven in their judgments, TeamConnect GRC protects you with procedural repeatability, thorough compliance forensics and superior holistic traceability of your organization's actions. It also provides full functionality for issue identification and internal investigation management.
Editor: You mentioned the critical need for collaboration among disparate groups within an organization. How does TeamConnect enable this process?
Giordano: TeamConnect allows your legal and compliance committees, key stakeholders, internal audit, and outside experts to view and contribute to GRC activities in real time, while ensuring ownership and accountability for every step. Workflows, task management and notifications coordinate responsibilities and contributions from your distributed team. Workloads, delays and assignment status are documented so that the organization can better manage its resources, cost and risk. Key players can collaborate on policies, investigations, reports and filings to proactively contribute to the overall health and integrity of the organization. You are able to define each stakeholder's role, including security permissions, to ensure open participation while limiting access to only necessary information.
Editor: Can TeamConnect serve functions other than GRC management?
Giordano: The beauty of the system is that TeamConnect functionality isn't limited to GRC management. The platform offers modules for policy, investigation and compliance management as well as for legal-specific functions, such as matter management, contract management, e-billing and legal hold. The GC can leverage a single technology to manage all facets of its expanding role and provide full automation for the legal department.
Editor: How can our readers find out more about TeamConnect?
Giordano: The best way to really understand the benefits of the TeamConnect platform would be to explore how various Fortune 500 organizations are currently using it. Readers can access a variety of case studies at www.mitratech.com/resources/case-studies. Additionally, we're always happy to set up an exploratory call to discuss unique needs.
Published May 31, 2011.