
Defining the Intersection of Legal and GRC

By Daniel de Juan
July 02, 2015

While the convergence of legal management and enterprise governance, risk, and compliance (GRC) is not new, more recent efforts to manage this development through integrated technology are fast becoming a strategic imperative. This still relatively young area of focus is already showing significant potential to help corporations better manage the risk exposure and compliance concerns that have drained so much time and finances in the past. For the intersection of legal and GRC to be fully realized, these functions must work collaboratively to define how these areas interact in holistic terms, ensuring that the overlap between the legal function and GRC tasks (e.g., assessing and prioritizing risk, creating policies in response to a new regulation, or handling a compliance incident) can be tackled effectively and efficiently to the benefit of the enterprise.

Pressures on legal organizations to reduce costs, keep up with regulatory complexity, and serve a global client base have steadily increased in recent years. Between 2012 and 2014, a growing need to control legal costs led corporate legal departments to nearly double the percentage of their budgets allocated to outsourcing work to non-law firm vendors, according to a 2014 survey of chief legal officers from Altman Weil. By 2020, according to some estimates, the share of U.S. and UK corporates expected to be using legal process outsourcing could reach as high as 75%. At the same time, in-house counsel regard regulatory issues as the number-one litigation threat, according to a 2013 study by Grant Thornton. The complexity of these efforts is compounded by the need for large organizations to operate on a global scale, managing processes, spend, compliance, and risk across international borders.

Key Areas of Overlap

To appreciate the potential benefits of the successful integration of legal and GRC, it is helpful to consider the key ways in which, de facto, these areas intersect. The range of circumstances calling for collaboration between legal and GRC functions is considerable. Here are just a few examples where the sourcing of legal opinions within a wider GRC framework can come into play:

  • Regulatory interpretation and guidance. Legal service providers often need to be consulted for opinions and guidance on the applicability of a new regulatory requirement or a change to an existing one, the implications of a specific regulation for business operations, or specific compliance requirements in the context of a particular situation.
  • Risk assessment. Similarly, the risk management team may solicit in-house legal support for participation in risk assessments. A risk manager, for example, may require the expertise of a regulatory law professional to help assess the impact of non-compliance related to a newly identified regulatory risk.
  • Third-party due diligence and contract development. Companies will need to conduct a thorough due diligence process on any new third-party supplier in order to determine the supplier's risk profile. Customarily, the legal department may participate in approving the third-party relationship. In almost all events, they will be engaged in determining the specific compliance terms and conditions required for the contract.
  • Addressing a legal matter that has grown from a compliance incident. Some compliance incidents result in the need for other legal involvement. In such cases, the sooner the legal team knows about the incident, the better. Additionally, legal staff needs to have ready access to any information gathered by investigators or staff involved in handling the incident. Having a clear picture of the results of any legal action, as well as the associated costs, is equally important for members of the incident and compliance management teams.

Establishing a collaborative relationship between GRC and legal functions is clearly essential to a company's overall GRC strategy. The roles of Chief Compliance Officer and General Counsel often and demonstrably overlap in creating an ethical and compliant corporate environment, and there are numerous GRC concerns that cannot be successfully addressed without the close involvement of legal professionals.

The key to bringing this convergence to fruition hinges on the shared information and processes being managed under a common technology solution. GRC processes must be designed to address the need for frequent, tight cooperation between GRC and legal staff, with an outcome that supports a single, coherent business process spanning GCs and other executive leadership.

A Comprehensive Solution

The important, supportive role that the legal function plays in GRC takes on added significance when measured against the current gamut of technology solutions for GRC. These solutions continue to evolve, from point solutions focused on a specific GRC function (such as risk management or policy management), to enterprise GRC platforms designed to break down silos (and the associated inefficiencies) of GRC activity and information. Nonetheless, it remains to be seen whether some of these systems are at risk of turning into yet another silo, preventing the GRC program from achieving optimal efficiency, transparency, and effectiveness. This goes to the heart of the challenge, beginning with the acknowledgement that legal departments have their own set of requirements for technology, which intersect with, but go beyond, those created for GRC.

The ultimate solution must revolve around the development of a broader technology platform, one that enables the integration of comprehensive, enterprise-class GRC management and core legal department systems, such as matter management. Such a platform would need to comprise a variety of shared components, including: a workflow engine; rules engine; notifications; document management and database components; audit and logging capabilities; and reporting. How these and other related components could bring clear value as a common, convergent technology platform can be illustrated by considering a selection from the examples cited earlier.

Regulatory Compliance

When it comes to change management, a compliance professional contending with whether a legal opinion is required to address how a new regulation might impact company operations can leverage data and workflows established in the legal matter management system to identify and engage outside counsel with specific regulatory specialties. Through shared document management, the outside counsel's opinion can be captured in the matter management system, tied back to the regulation record in the GRC system, and referenced by policy management staff to inform policy development.

Risk Assessment

Looking at the pharmaceutical company example, the advertising review workflow can seamlessly support incorporation of legal review. The resulting judgment (on FDA-governed advertising, for example) can then be associated in the GRC system with the FDA rule and made available for reference in future advertising initiatives. This obviates duplicative work, ensuring consistency in the company's advertising practices while avoiding unnecessary risk.

Vendor Due Diligence

For legal professionals engaged in risk assessments, policy reviews and approvals, and reviews of policy exception requests, platform-level workflow and rules engines, notifications, database, and document management are central ingredients for an efficient, comprehensive solution. In the same way, multiple legal professionals may be involved in determining a supplier's risk profile and approving the selection and development of appropriate contract clauses, which is often the case in the course of complex, multi-stage processes for third-party due diligence and contracts. The availability of audit trails, ability to create status and tracking reports, as well as streamlining these and related processes at the platform level collectively make for an essential communication link between the GRC and legal teams.

Incident Management

An especially clear illustration of the benefits of integration between GRC and a legal matter management system can be found in the case of a compliance incident. Any evidence gathered during incident/loss investigation is stored in the common platform document management system and tied to the appropriate legal matter once it has been set up. In the event of litigation, for example, investigation findings can be accessed by the legal staff as they prepare their case. Data on outcomes, including judgments, damages, and litigation costs that are tied back to the initiating incident, can be generated by the legal matter and spend management system, enabling a feedback loop to GRC staff, and providing a more complete accounting of the full cost of compliance breaches. By eliminating gaps in communication, information sharing, and cost management for compliance incidents through a unified technology platform, GRC and enterprise legal management can constitute a synchronized, unified network that bridges all of these functions.

Successful Collaboration

A reliance on discrete, unintegrated point solutions has shown itself to be insufficient at providing legal and compliance professionals with the visibility they need to successfully manage and protect world-class organizations. The corporate legal team plays a vital role in fulfilling the objectives of an enterprise GRC program, regardless of where the legal and GRC functions reside in the organization. As evidenced by the examples discussed here, the integration of GRC management with enterprise-class legal matter and spend management using a common technology platform is central to the successful collaboration between a corporation's GRC and legal functions. Indeed, compliance professionals, in-house counsel, and their outside counsel and other legal vendors have a greater need than ever to address these issues.

Timely, clear communication between compliance and legal professionals is central to an effective and efficient GRC program. A single, shared technology platform helps facilitate communication and strengthen the work of both functions. Strategically managing the areas of convergence for legal and GRC has the potential to create efficiencies in internal processes that companies can consistently rely on, allowing for a reliable, streamlined approach to risk mitigation and compliance.


Daniel de Juan is director of product management for ELM Solutions Passport GRC.
