Last year at Legaltech New York I spoke to an in-house attorney about one of her worst days on the job. She was hard at work on litigation related to a compliance breach. The breach had occurred because the compliance staff mistakenly believed that a particular regulation did not apply to their business unit. There had been an internal investigation of the incident, but she was having difficulty verifying the steps the company had taken because the records were in disarray. Some of the investigation files were incorrectly moved into an unrelated archive, while other activities were undocumented altogether.
While trying to navigate the morass, she received a mass email from a colleague instructing everyone, incorrectly, that a certain regulation – yes, the very same one now making my friend’s life so difficult – was not applicable to the company. She feared that another breach could result and that she’d have to go through the process all over again.
Fortunately, the embattled attorney was able to quickly contact the right colleague and have a correction sent out. But she was understandably frustrated by the difficulties she’d encountered, particularly because she knew that better communication, coordination and internal knowledge sharing could have made it simpler for the company to solve its problems or even prevent them completely.
Prevent problems
It’s not at all unusual for corporate counsel to be asked to help with the fallout from missteps in the area of governance, risk and compliance (GRC). But when the legal department is brought into all steps of critical GRC processes, attorneys can focus on helping the company avoid problems rather than reacting to them.
Processes and technology should be designed to enable tight cooperation between GRC and legal staff and facilitate the essential communication link that exists between the two. With this infrastructure in place, companies are better equipped to mitigate risk, proactively address their rapidly changing business environments and achieve compliance.
There are many issues that organizations often encounter when legal’s role in GRC efforts is reactive or after the fact. We regularly see clients facing the following pitfalls, all of which can put an organization at greater risk:
[Illustration – Caption: ©2015 oceg.org. Wolters Kluwer ELM Solutions collaborated with the Open Compliance and Ethics Group (OCEG) on an illustration that demonstrates the importance of close cooperation between GRC and legal staff. To view the full infographic, please visit the Experts’ Corner at wkelmsolutions.com.]
Collaboration is critical
Staff who fulfill GRC functions, whether they are assessing and prioritizing risk, creating policies in response to a new regulation or handling an incident that has occurred, should include their legal counterparts, who can advise on the effort. The attorney I met at Legaltech, for example, would have identified the regulation as applying to her company’s business, potentially heading off the breach as well as the subsequent litigation.
The examples below illustrate a few of the circumstances that call for collaboration between the GRC and legal functions.
What are the right tools?
While proactive legal involvement in compliance, risk and audit is key to effective GRC strategy and favorable outcomes, it needs to be supported by technology that is built with close collaboration in mind. Integrated enterprise technology can provide a common platform for both GRC management and legal management, encompassing matter and spend solutions. By combining the tools used by GRC and legal staff on one platform, both teams are able to benefit from efficient shared workflows and access to common data and document repositories.
Perhaps the clearest illustration of how this type of integrated technology benefits companies is when a compliance incident becomes a legal matter. Using rules established in the common platform, the triage of a compliance incident can trigger the system to generate and send a notification to legal staff, providing them with an early warning of a potential new litigation matter. Any evidence gathered during the incident/loss investigation is stored in the common document management system – tied to the appropriate matter. Should litigation ensue, legal staff can access the investigation findings to prepare their case. As the matter progresses, the system provides analytics and reporting to GRC staff, returning data on outcomes, including judgments, damages and the legal costs of litigation.
All of this shared information remains connected to the initiating incident, providing a complete accounting of the full cost of compliance breaches for legal, compliance and senior management. Having the GRC and enterprise legal management systems on the same technology platform creates a closed loop between the functions by eliminating gaps in communication and facilitating information sharing and cost management for compliance incidents.
The complexity of managing compliance and legal efforts will not diminish in the foreseeable future. The good news, though, is that proactive legal involvement in GRC, supported by integrated enterprise technology, can help with the following:
By driving good communication, manageable workflows and controlled information access, good internal collaboration can even help ensure that my beleaguered attorney friend can accomplish her goals and avoid days like the one she suffered through last year.
Matt Kivlin leads the product management team responsible for identifying, prioritizing, validating, and incubating new growth markets for Wolters Kluwer ELM Solutions.
You can reach the author at matt.kivlin@wolterskluwer.com with questions about the article.