Legal Challenges in a New Era

Today’s global business environment presents a broad spectrum of economic, political, social, legal and regulatory changes. These changes continually increase strategic and tactical complexity, put commensurate pressure on business performance, and drive exponential growth in often conflicting and overlapping legal and business requirements across global operations. The enterprise must reliably achieve its business objectives while addressing uncertainty and acting with integrity, all while remaining within mandatory legal requirements. It must also manage and maintain legal risk within the limits that the organization has established.

Legal risks include:

  • Regulatory risk: The risk associated with myriad laws, rules and regulations. It includes common regulatory risks associated with labor laws, information privacy and anticorruption, as well as risks specific to industries such as banking, pharmaceuticals, energy and utilities, and health care.
  • Entity management and corporate filings risk: The risk associated with keeping the entity in good standing with governing agencies, and filing information with regulators and government agencies.
  • Litigation risk: The risk associated with ongoing, imminent and potential litigation.
  • Contract risk: The risk involved in vetting contracts and monitoring compliance with contract requirements and provisions.
  • Transaction risk: The risk associated with mergers and acquisitions, including the legal risks of the acquired organization.
  • Intellectual property (IP) risk: The risk involved with copyrights, trademarks and patent infringements, as well as leakage and/or loss of confidential corporate information.

Most organizations try to address and effectively manage legal risks, IP protection, contracts, business requirements and compliance obligations. But both internal and external stakeholder forces and events have caused the organization to increase legal risk monitoring and reporting, particularly with regard to changing laws and regulations.

The Role of the Legal Department in GRC

In many organizations, the significance of the legal department is growing. Today, the department guides the enterprise beyond putting out fires in legal matters. It is being tasked to take on a proactive role in legal risk management and preventive law, while functioning as a critical pillar in an organization’s risk management strategy. This requires that legal be integrated in the organization’s GRC management capabilities.

Today’s legal department must have a full understanding of regulatory, litigation, contractual, transactional and IP risks. It must know how these risks relate to each other and how they fit into broader risk and compliance strategies.

Legal must serve as the hub of discussion about how best to balance the risks and opportunities associated with the organization’s decisions and actions. It must actively help the organization achieve higher levels of performance, while mitigating the risk of legal exposure. The organization should be able to take full advantage of opportunities to meet its objectives, while staying within the boundaries of laws, regulations, contracts and corporate commitments.

As a key player in the strategic team, legal must address wide-ranging stakeholder demands and concerns:

  • Identify legal requirements and the controls needed to address them.
  • Monitor contractually imposed requirements and ensure that controls are appropriate.
  • Assess the potential impact of legal exposure to determine the level of controls and resources required.
  • Design escalation plans for issues and incidents—who should be involved right away, should the board or external stakeholders be informed, and when should legal conduct certain investigations?
  • Identify key risk indicators for business changes—legal will be aware of these changes early on due to its role in contracts or negotiations (e.g., mergers and acquisitions), litigation and settlements, licensing arrangements and vendor/partner contracts.
  • Identify actions that may have a cumulative effect. For example, settling an environmental noncompliance matter may cause government contracting debarment if not handled properly.

By adopting an integrated approach to GRC, the organization can better manage legal risks, and ensure value preservation and growth. Legal is a critical player in the strategic design of the integrated GRC approach due to its understanding of matter management, issue identification, investigations, policy management, reporting and filing, legal risk and organizational obligations.

Legal plays a critical role in developing and driving the GRC strategy by understanding the legal risks the organization faces, as well as the opportunities to control cost, improve resource utilization and create sustainable scalability and alignment in legal processes.

Legal should be prepared to champion legal risk management in the following ways:

  • Enable safe and responsible business growth by avoiding unnecessary legal exposure.
  • Manage the legal department in a way that delivers effective, efficient and responsive services to the rest of the organization.
  • Demonstrate how centralized oversight and supporting technologies for legal and GRC process management drive predictable behavior and performance results.
  • Collaborate with executives in developing GRC processes that allow for measurable evaluation of legal effectiveness and efficiency.
  • Assist the CEO in evaluating opportunities, and preventing adverse legal ramifications and risks from materializing.
  • Educate management on how an integrated GRC model can improve processes while reducing or eliminating redundant efforts.
  • Incorporate legal, risk management and assurance across extended business relationships (e.g., supply chain, vendors and contractors).

As the demand for transparency increases, so does the need for the legal department to manage and monitor legal functions and ensure that they are efficient, effective and agile to the needs of a dynamic and distributed business environment. In forward-thinking organizations, legal is expanding beyond its traditional role in managing litigation, negotiating legal agreements and protecting intellectual property. It is becoming a high-impact GRC advisor that addresses:

  • Key stakeholder (investors, regulators, NGOs and local communities) demands for transparency.
  • The board’s and C-suite’s need for clear, reliable and measurable information about legal risk that will impact strategic decisions and future outcomes.
  • The board’s need for objective, independent assurance that the legal program is functioning effectively and efficiently.
  • The line-of-business need for matter management, issue identification, investigations, policy management, document and information management, reporting and filing, and legal risk assessments.
  • An overarching need for improved efficiencies and reduced risk throughout the extended enterprise.
  • The need to grow the business in a safe and responsible manner.

Legal Leadership: Building GRC Collaboration

An integrated GRC strategy is a concerted, enterprise-wide effort to deliberately, rather than randomly and haphazardly, architect a process-oriented approach to GRC. An integrated GRC effort is a transforming initiative that brings about change across the four principal operational dimensions: people, processes, technology and culture.

At the center of it all, legal must understand the legal implications of GRC at both the strategic and operational levels, and guide the organization to achieve greater value from the GRC strategy. Legal must be involved in the front-end design of GRC, and ensure that GRC systems are created to meet the requirements of the legal department and its processes.

The great challenge for legal is to energize the business to implement a unified approach to legal processes and risk management. At its core, the message to the business should be that embracing a unified approach will reduce the impact of legal risk, enhance efficiency through streamlined legal processes, and reduce risk-related failures and costs in areas overseen by executives. It will also help executives assess, focus on, and improve activities that create value while eliminating those that do not.

About The Author

Michael Rasmussen

Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. With 18+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester.