GRC Tuesdays: The New Requirements of Legal Departments for Governance, Risk, and Compliance
I have been working in the Governance, Risk, and Compliance software sector for over 15 years now, and one of the trends that I have seen over time but haven’t discussed in the GRC Tuesdays blog is the changing role of Legal departments within the GRC tool selection process. And within the entire GRC process for that matter.
Previously, when I was invited to a meeting on GRC topics and Legal was in attendance, they were usually the advisors to the business – and, to some extent, silent influencers.
They were the women and men in grey suits to whom the Compliance team would turn to validate that what was answered and shown was aligned with the company’s legal framework.
Unfortunately, there was often a lack of clarity as to where their duties stopped and where Compliance’s started.
If we take it quite literally, Legal departments, i.e. in-house counsel, are in charge of advising the company when it comes to legal risks, that is, the risks associated with potential non-compliance with the laws and regulations the company has to abide by.
But then, the role of Compliance is to make sure that the company has a sound program to respect these legal and regulatory requirements, in addition to complying with internal policies and establishing an ethical culture of course.
There can, therefore, be an overlap. And what is certain is that when this is the case and no division of roles is defined, things can fall through the cracks… When it comes to legal issues, that is not a pleasant prospect!
As a result, many companies have put together internal control and compliance teams and documented a separation of roles as follows:
* The Legal department is in charge of the regulatory intake process: monitoring any change in the legislative context. Does a new or updated regulation impact the organization? If so, in what way? In addition, Legal most often leads compliance investigations and is a critical player in third-party due diligence.
* The Control and Compliance department is in charge of designing, rolling out, and monitoring the effectiveness of the framework that enables the company to apply the regulations and to demonstrate its compliance with them – both internally to executives and externally to auditors and regulators.
Pretty straightforward, right?
Over the years, I think this is what has changed the most in GRC: when a company lists its business scenarios for a Governance, Risk, and Compliance solution, Legal is now also asked to contribute to the requirements, and regulation management features prominently among them.
But one piece that I feel is still often missing and somewhat isolated from the rest of the GRC process relates to the due diligence aspect.
Since companies now need to screen not only their suppliers but also, in many cases, their customers and any party they deal with, and must do so against constantly evolving and ever-longer lists, this has become a heavy task for everyone involved in the due diligence process. And Legal is foremost among these impacted stakeholders.
To make this even more complex, many organizations now also screen against “exposed parties”. These are not necessarily sanctioned parties, but may be individuals who hold a prominent public position in a government body or international organization – including family members of these individuals – or people or organizations that have received negative news coverage associating them with fraudulent schemes, drug trafficking, organized crime, terrorism, etc.
To support this process, Legal departments have often relied on external parties to perform the screening against the various lists.
Issues that can be addressed
There are two major issues that I have seen raised in relation to this:
* It makes screening a one-shot, ad hoc process, since it is only performed during onboarding and not on an ongoing basis;
* It can be lengthy, as it relies on external resources who may not have access to internal systems: they first need to receive the request, then investigate, and then report back.
To reduce risks and to address executives’ need for near-real-time vendor/customer onboarding, I now see more and more Legal teams extending typical GRC to this area as well.
And their request is simple: bring most of the third-party due diligence process in-house. Yes, they will of course still rely on experts for extended due diligence, but they are looking at rapid screening of new parties and at carrying out investigations in the most efficient way possible.
Their intent is also to make this a repeatable process and to enable the organization to learn from past decisions. Externalizing this process makes it more effective in the short term, but it doesn’t support a “learning organization” approach where the company increases its maturity level over time.
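To make the two issues above concrete, here is an added example (not code from the original post, and not any vendor's screening algorithm) of an in-house screening loop: a party is screened at onboarding, the watchlist is later updated, and every previously screened party is re-run against the new list, with each decision recorded in a log. The party names, the watchlist entries and the dates are constructed for the example; the matching rule (normalised names plus a token-overlap score with a threshold) is an assumption chosen for illustration.

```python
"""Continuous third-party screening with a decision log (added example).

Shows why onboarding-only screening is a risk: a party that is clear at
onboarding can be listed later and is only caught by periodic rescreening.
Names, list entries and dates below are constructed; the matching rule is an
assumed, simplified one, not a production name-matching algorithm.
"""
from dataclasses import dataclass, field
from datetime import date
import re

# Legal-form suffixes dropped before comparison so list variants still match.
LEGAL_SUFFIXES = {"ltd", "limited", "inc", "llc", "gmbh", "sa", "co"}


def normalise(name: str) -> str:
    """Lower-case, strip punctuation and legal suffixes."""
    cleaned = re.sub(r"[^\w\s]", " ", name.lower())
    return " ".join(t for t in cleaned.split() if t not in LEGAL_SUFFIXES)


def match_score(party: str, listed: str) -> float:
    """Jaccard overlap of name tokens in [0, 1]; 1.0 is an exact normalised match."""
    a, b = set(normalise(party).split()), set(normalise(listed).split())
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


@dataclass
class Decision:
    party: str
    screened_on: date
    hits: list          # (watchlist entry, score) pairs at or above threshold
    outcome: str        # "clear" or "escalate"


@dataclass
class Screener:
    threshold: float = 0.6
    decisions: list = field(default_factory=list)   # the audit/learning log

    def screen(self, party: str, watchlist: list, on: date) -> Decision:
        hits = []
        for entry in watchlist:
            score = match_score(party, entry)
            if score >= self.threshold:
                hits.append((entry, round(score, 2)))
        decision = Decision(party, on, hits, "escalate" if hits else "clear")
        self.decisions.append(decision)
        return decision

    def rescreen_all(self, watchlist: list, on: date) -> list:
        """Re-run every known party against the current list; return changed outcomes."""
        latest = {}
        for d in self.decisions:            # last decision per party wins
            latest[d.party] = d
        changed = []
        for party, previous in list(latest.items()):
            current = self.screen(party, watchlist, on)
            if current.outcome != previous.outcome:
                changed.append(current)
        return changed


def demo() -> dict:
    """Onboarding-only vs ongoing screening on constructed data."""
    watchlist_jan = ["Acme Trading Ltd", "Northwind Shipping"]          # constructed
    watchlist_mar = watchlist_jan + ["Contoso Logistics GmbH"]            # constructed: added later
    screener = Screener()
    onboarding = screener.screen("Contoso Logistics", watchlist_jan, date(2020, 1, 10))
    changed = screener.rescreen_all(watchlist_mar, date(2020, 3, 1))
    return {
        "onboarding_outcome": onboarding.outcome,          # "clear": one-shot screening misses it
        "flagged_on_rescreen": [d.party for d in changed],  # ["Contoso Logistics"]
        "log_entries": len(screener.decisions),             # both decisions are retained
    }


if __name__ == "__main__":
    print(demo())
```

The decision log is what turns screening into a repeatable, learnable process: a reviewer can see that the party was clear in January and only became a hit in March because the list changed, rather than because the original check was wrong. In practice the threshold and normalisation would be tuned against the content provider's list format, and the log would also capture who reviewed each escalation and why it was closed.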
By combining the technological capabilities of big data analytics, mass-volume automated monitoring, and machine learning with the expert insight of content providers, I believe Legal departments can now have tools at their fingertips that support their objectives and help them focus on the outcome: answering the million-dollar question, can the company do business with this party?
What about you, is your Legal department involved in the GRC process? If so, have their requirements changed over time? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard