By Bobby Balachandran, Exterro | May 11, 2021
As compliance, privacy, and information governance increasingly overlap with General Counsel duties, a new model has surfaced: Legal GRC
Much has been written about the prevailing pace of change in today’s business environment. Increasingly, it seems, a broad spectrum of economic, political, social, legal, and regulatory challenges conspire to punish those lacking the means and vigilance to address them. The confluence of these changes has created a new level of strategic and tactical complexity for organizations, and generated increasing interest in approaches to governance, risk, and compliance (GRC). Fortunately, legal departments are by and large embracing the GRC challenge and taking on new responsibilities, becoming an essential player for organizations navigating today’s convoluted business risk environment.
Legal’s first role is as an advisor to the business, ensuring the organization can achieve objectives (governance), while addressing uncertainty (risk management) and acting with integrity (compliance). Most organizations today recognize the importance of GRC as a general framework for managing risk and compliance across the organization Yet many of these same organizations fail to effectively coordinate GRC activities among legal, IT, enterprise/operational risk, internal audit, and corporate compliance. This results in disconnected strategies, conflicting methods, costly gaps, and redundancies – and ultimately a failure to deliver on wide-ranging stakeholder demands. The lesson here is that organizations need to take a more rigorously integrated approach to GRC to effectively manage risk, remain in compliance, appropriately respond to privacy regulations and security incidents, and address ESG concerns.
Because it already plays a critical role in the enterprise GRC (eGRC) strategies listed above, legal is in a unique position to guide this integration. In addition to managing legal matters and providing counsel on the risks and the obligations faced by the organization, the legal department takes responsibility for investigations, policy management, reporting and filing. Building on these competencies, legal should play a key role in the strategic design of integrated enterprise GRC strategies and develop a detailed and nuanced understanding of how legal risks fit into enterprise risk frameworks.
But once an organization has developed a framework for managing eGRC and has begun to develop a technology infrastructure that can bring more efficiency to these activities, it’s time to devote more attention to GRC activities that fall squarely on the legal department itself. These activities focus on compliance – compliance with FRCP rules in e-discovery, for example, but also compliance with privacy regulations like GDPR, CCPA and CPRA in the organization’s responses to data subject access requests (DSARs), as well as compliance with data breach notification requirements, and data retention/disposition rules. This is what we mean by Legal GRC.
Legal GRC is a subcategory of eGRC that has received relatively little attention until recently. It is one of 10 categories of eGRC that industry pundit Michael Rasmussen has identified:
- Corporate legal
- Compliance and ethics
- Risk management
- Environmental, social & governance
- Third-party & supply chain
- IT security & privacy
- Internal control & audit
- Finance & accounting
- Health and safety
- Human resources
While most organizations are intimately familiar with GRC in the context of subcategories like IT, finance or human resources, that hasn’t been the case with Legal GRC, which must coordinate a diverse set of important GRC activities within the legal department – harmonizing data retention and other privacy requirements, carefully managing legal holds and e-discovery, continually monitoring changes in regulations and laws, and so on.
We have seen an increased emphasis on Legal GRC only recently. In part, this is because as privacy and compliance regulations and risks increase, GCs are finding much of the orchestration is landing on their desks. Even if GCs don’t necessarily want those responsibilities or to oversee privacy and compliance, it is imperative each organization at least has a process in place for each of these departments to collaborate, with the GC playing quarterback to some degree.
Implementation of Legal GRC still requires cross-functional communication and collaboration to be effective. To remain in full compliance with GDPR, for example, legal must not only be able to map the organization’s data footprint in the European Union (an increasingly difficult task when you factor in cloud storage, decentralized international workforces and third party access to corporate data), but also work closely with departments as diverse in their goals as marketing, IT, security, and HR. In fact, legal’s ability to see both the forest and the trees in pursuit of GDPR compliance is a crucial component in their success in broader GRC efforts, requiring the application of pragmatic and specific solutions to multifaceted strategic business challenges.
Another example of a Legal GRC framework in action would be data breach response. When a security incident takes place, it is up to IT and compliance to work together to understand the scope and regulatory ramifications. However, only legal can determine if the incident meets the qualifications of a true breach, as outlined by laws such as CCPA. If legal makes that determination, it must step in as the steward to assess jurisdictional mandates, implications for litigation, notification requirements, and time frame. Mitigating the ripple effects of a data breach and the adverse impact to the business as a whole falls squarely on the legal team. This is where a general eGRC concern (reputational or financial risk associated with security incidents) pivots into a Legal GRC issue (breach notification laws).
Today’s economic, legal, and regulatory challenges constantly intersect to create novel risks. Organizations must be prepared to break down traditional silos to improve their bench strength and tap the collective expertise of all their resources. Because legal is already in the position of leading the process, it is important for organizations to clearly develop a strategy, a set of processes, and a technology architecture that enables GCs to effectively manage the risks their own department is responsible for (Legal GRC) at the same time they are contributing to the overarching eGRC strategy.
About the Author: Bobby Balachandran is CEO of Exterro.