Breaking Silos with GRC and Legal

Michael Rasmussen

Organizations take legal risks all the time but often fail to integrate these risks effectively in an environment that is continuously changing and requires agility.

Too often legal is seen as a siloed exercise and not truly integrated with the organization’s strategy, decision-making, objectives, and overall enterprise risk management strategy. This results in inevitable exposures in legal risk and compliance, providing case studies for future generations on how poor legal governance leads to the demise of organizations, even those with strong brands.

Most organizations today at least try to address the legal risks, intellectual property protection, contracts, business requirements, and compliance obligations they face. Boards and executive management want a deeper understanding of how their teams address legal matters, whether those activities are effective and efficient, and how they can enhance them to create the greatest reward for shareholders and mitigate legal damage. As this demand for transparency increases, so does the need for legal to manage and monitor legal risks within a defined GRC capability.

Gone are the years of simplicity in business operations.

Exponential growth and change in business strategy, risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumbers organizations of all sizes. The lack of a coordinated strategy for Legal GRC management fails to deliver insight and context, rendering it nearly impossible to make a connection between legal risk management and decision-making, business strategy, objectives, and performance. Managing the complexity of business from a legal perspective while keeping continuous business and legal change in sync is a significant challenge for boards, executives, as well as legal professionals. Organizations need an integrated strategy, process, information, and technology architecture to govern legal, meet legal commitments, and manage legal uncertainty and risk in a way that is efficient, effective, and agile.

The role of legal is growing in significance as it guides the enterprise beyond putting out the fires of legal matters. It is expanding into a proactive role in legal governance, risk management, and compliance – with a focus on preventative law – and becoming a critical pillar in an organization’s broader enterprise/integrated governance, risk management, and compliance (GRC) strategy. This requires that legal be an integrated participant in the organization’s proactive enterprise GRC capabilities, and that it also deliver governance, risk management, and compliance within legal itself, which is what is called Legal GRC.

What are the Legal GRC capabilities?

Legal GRC is a capability to reliably achieve the objectives of the legal department and ensure they are aligned with business objectives and needs [GOVERNANCE], while addressing legal uncertainty and exposure [RISK MANAGEMENT], and acting with integrity toward the obligations and ethical commitments of the organization [COMPLIANCE]. This is adapted from the official GRC definition in the OCEG GRC Capability Model. Breaking this down, Legal GRC delivers:

Legal Governance

Governance of the legal function that sets direction and strategy for legal to reliably achieve objectives within the department and support the business in achieving its objectives.

Legal Risk Management

Legal risk management seeks to understand and manage uncertainty in the business, particularly the legal impact of business activities, through the identification, assessment, and monitoring of legal risk within the business context, and to act on legal risk through acceptance, avoidance, mitigation, or transfer.

Legal Compliance

Compliance aims to see that the organization acts with integrity in fulfilling its regulatory, contractual, and self-imposed obligations and values. Compliance follows through on legal risk treatment plans to assure that legal risk is being managed within limits and that controls are in place and functioning.

Legal GRC can do more than prevent undesirable outcomes

The primary directive of a mature Legal GRC management program is to deliver effectiveness, efficiency, and agility to the business in a way that is responsive and resilient in today’s chaotic business environment. This requires an integrated approach to managing the breadth of legal risks to organizational performance, objectives, and strategy, one that connects the enterprise, business units, processes, transactions, and information to ensure transparency, discipline, and control over the ecosystem of legal risks within the organization and across the extended enterprise.

Legal GRC processes and technology enable the organization to use its resources wisely to prevent undesirable outcomes and maximize advantages while striving to achieve its objectives. A key focus is to provide legal assurance that processes are designed to mitigate the most significant legal issues and are operating as designed. Effective management of legal risk and exposure is critical to the board and executive management, who need a reliable way to provide assurance to stakeholders that the enterprise plans to both preserve and create value. Mature Legal GRC enables the organization to weigh multiple inputs from both internal and external contexts and use a variety of methods to analyze legal risk and provide analytics and modeling.