In March, I had the good fortune of speaking at this year’s General Counsel Roundtable event in Geneva. Organised by Development Institute International, the full-day conference provided an opportunity for GCs and other high-ranking corporate legal professionals to learn about best practices in governance, risk, and compliance (GRC), security, and innovation. Presenting with Riccardo Ventura on best practices in GRC, I had the opportunity to hear from the attendees and better understand their important concerns in that area, particularly when it comes to addressing a crisis situation.
Data protection was also a focus of many discussions as legal departments are expected to both deal with emergencies arising from data breaches and take part in preventing such issues. Conference attendees, especially those working for organisations with a strong U.S. presence, were also concerned about how to approach the new Privacy Shield agreement that will replace Safe Harbor. Across the board it was clear that, more than ever, legal professionals are expected to participate in compliance efforts as the two disciplines are closely connected.
The Right Tools
Along with Riccardo Ventura, vice president and General Counsel of General Motors Europe/Opel Group, I presented a session on how to best handle compliance, with a focus on crisis conditions caused by media or regulatory investigations. During our discussion, we talked about a hypothetical regulatory and public relations crisis at a fictional chocolate company, how the legal department should respond, and the benefits gained by leveraging an Enterprise Legal Management system.
An Enterprise Legal Management, or ELM, platform unites a company’s systems that manage legal, risk, and compliance activities on one secure and collaborative framework. It allows legal and compliance departments to work together managing legal matters, legal spend, and GRC, as well as integrated functions such as claims defense (for insurance carriers) and outside counsel collaboration. The platform also enables the company to use data from across functions to mitigate risk and more strategically manage costs.
Preventing a Crisis
The key to an effective risk management strategy is a comprehensive global process for identification, analysis, evaluation, mitigation, and monitoring of risks. It is this process of setting out controls and monitoring compliance that allows the company to prevent many crises from occurring. And if a crisis does occur, the company is protected by having a process that clearly separates its role from the role of the individuals involved. Compliance systems offer oversight preventing employees from engaging in non-compliant activities. If those controls are circumvented by rogue employees, even a serious incident doesn’t have to be a crisis when a GRC system with robust audit reports is in place.
While it is difficult to quantify the impact of having proper policies and procedures to prevent incidents, there are examples of courts and tribunals deciding that, even though a breach had occurred, the corporation in question had sufficiently robust checks in place to absolve the company. (For instance, the U.S. Department of Justice has declined to prosecute when companies with strong compliance programs cooperated with investigations.)
Further, businesses not only need to have defined policies and procedures, but must also pay genuine attention to adherence and be able to show that commitment. In our hypothetical crisis, the company would try to demonstrate compliance with regulations. But, even if the investigation found that regulatory breaches had occurred, it would still be well served by a solution that could prove the company made a genuine attempt to comply and that the non-compliance represented actions by employees who knowingly ignored company policy.
Managing a Compliance Incident
Sometimes it is impossible to avoid a crisis. In that circumstance, an incident and inquiry module is essential. Such a module should:
- Manage tasks, workflows, documents, interviews, findings, and other assignments
- Control access so that legal and compliance personnel have access to only the appropriate data and functionality
- Interface with related systems, such as matter management and legal holds
- Provide accurate data to senior management
When an incident management tool is used as part of a GRC solution that also documents internal controls and procedures, corporations can not only execute an effective response, but also understand the genesis of issues. A platform that includes matter management also offers litigation management benefits, when necessary, by seamlessly transitioning an incident into a matter, carrying with it all associated documentation and data.
The shared core concern of the General Counsel Roundtable attendees is to protect the company while demonstrating the value of the legal organisation. Having the right tools to respond to incidents and inquiries is an important part of meeting these goals. In addition, having tools to prevent those problems before they occur provides just as much, if not greater, value to the company.