GRC Tuesdays: The New Requirements of Legal Departments for Governance, Risk, and Compliance
I have been working in the Governance, Risk, and Compliance software sector for over 15 years now, and one of the trends that I have seen over time but haven’t discussed in the GRC Tuesdays blog is the changing role of Legal departments within the GRC tool selection process. And within the entire GRC process for that matter.
Previously, when I was invited to a meeting on GRC topics and Legal was in attendance, they were usually advisors to the business – and, to some extent, silent influencers.
They were the women and men in grey suits to whom the Compliance team would turn to validate that what was being answered and presented was aligned with the company’s legal framework.
Unfortunately, there was often a lack of clarity as to where their duties stopped and where Compliance’s started.
Taken literally, Legal departments – i.e. in-house counsel – are in charge of advising the company on legal risks: those associated with potential non-compliance with the laws and regulations the company has to abide by.
The role of Compliance, meanwhile, is to make sure the company has a sound program to meet these legal and regulatory requirements, in addition to complying with internal policies and, of course, establishing an ethical culture.
There can, therefore, be an overlap. What is certain is that when this is the case and no division of roles is defined, things can fall through the cracks… When it comes to legal issues, that is not a pleasant prospect!
As a result, many companies have put together internal control and compliance teams and documented a separation of roles as follows:
* The Legal department is in charge of the regulatory intake process: monitoring any change in the legislative context. Does a new or updated regulation impact the organization? If so, in what way? Legal also most often leads compliance investigations and is a critical player in third-party due diligence.
* The Control and Compliance department is in charge of designing, rolling out, and monitoring the effectiveness of the framework that enables the company to apply the regulations and demonstrate its compliance with them – both internally to executives and externally to auditors and regulators.
Pretty straightforward, right?
Over the years, I think this is what has changed the most in GRC: when a company lists its business scenarios for a Governance, Risk, and Compliance solution, Legal is now also asked to contribute to the requirements, and regulation management features prominently among them.
But one piece that I feel is still often missing and somewhat isolated from the rest of the GRC process relates to the due diligence aspect.
Companies no longer only need to screen their suppliers but also, in many cases, their customers and, for that matter, any party they deal with, and they have to do so against constantly evolving and ever-longer lists. Due diligence has therefore become a heavy task for everyone involved, and Legal features prominently among the affected stakeholders.
To make this even more complex, many organizations now also screen against “exposed parties” – politically exposed persons (PEPs), in the usual terminology – which are not necessarily sanctioned parties but could be individuals who hold a prominent public position in a government body or international organization (including their family members), or people and organizations that have received negative news coverage associating them with fraudulent schemes, drug trafficking, organized crime, terrorism, etc.
To support this process, Legal departments have often relied on external parties to perform the screening against the various lists.
Issues that can be addressed
There are two major issues that I have seen raised in relation to this:
* It makes screening a one-shot, ad hoc process: it is only performed during onboarding rather than on an ongoing basis;
* It can be lengthy, as it relies on external resources who may not have access to internal systems: they first need to receive the request, then investigate, and then report back.
To reduce risk and to address executives’ need for near-real-time vendor and customer onboarding, I now see more and more Legal teams extending typical GRC processes to this area as well.
Their request is simple: bring most of the third-party due diligence process in-house. They will of course still rely on experts for extended due diligence, but they are looking for rapid screening of new parties and for investigations carried out as efficiently as possible.
Their intent is also to make this a repeatable process and to enable the organization to learn from past decisions. Outsourcing the process makes it more effective in the short term, but it doesn’t support a “learning organization” approach in which the company increases its maturity level over time.
By combining the technological capabilities of big data analytics, high-volume automated monitoring, and machine learning with the expert insight of content providers, I believe Legal departments can now have tools at their fingertips that support their objectives and help them focus on the outcome: answering the million-dollar question, can the company do business with this party?
What about you: is your Legal department involved in the GRC process? If so, have their requirements changed over time? I look forward to reading your thoughts and comments, either on this blog or on Twitter @TFrenehard.
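The difference between one-shot onboarding screening and ongoing re-screening, and the value of keeping past adjudications, can be shown in a few lines. The following is an added example, not code from the original post or from any product it alludes to: the party names, the watchlist entries and categories, the version numbering and the exact-match-after-normalization rule are all constructed for illustration (a real programme would consume a content provider’s list feed and use a proper fuzzy matcher).

```python
"""Ongoing third-party screening against an evolving watchlist (added example).

A one-shot programme screens a party once, at onboarding. An ongoing one
re-screens every party whenever the list changes, and keeps a decision log so
that a hit already adjudicated is surfaced with its prior decision instead of
being investigated from scratch. All data below is constructed.
"""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass, field

# Corporate suffixes ignored when comparing names (constructed, illustrative list).
SUFFIXES = {"ltd", "llc", "sa", "inc", "gmbh", "co", "corp"}


def normalize(name: str) -> str:
    """Fold accents and case, drop punctuation and suffixes, so that
    'Acme Trading, S.A.' and 'ACME TRADING SA' compare equal."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = text.lower().replace(".", "")          # "s.a." -> "sa" before tokenising
    text = re.sub(r"[^a-z0-9 ]", " ", text)
    return " ".join(t for t in text.split() if t not in SUFFIXES)


@dataclass(frozen=True)
class ListEntry:
    name: str
    category: str   # e.g. "sanctions", "pep", "adverse-media" (constructed categories)
    version: int    # watchlist release that added or refreshed this entry


@dataclass
class Hit:
    party_id: str
    entry: ListEntry
    prior_decision: str | None   # reused from the decision log, if the hit was seen before


@dataclass
class Registry:
    parties: dict[str, str]                                    # party_id -> legal name
    screened_version: dict[str, int] = field(default_factory=dict)   # last release screened
    decisions: dict[tuple[str, str], str] = field(default_factory=dict)  # (party, name) -> decision

    def screen(self, watchlist: list[ListEntry], version: int,
               party_ids: list[str] | None = None) -> list[Hit]:
        """Screen the given parties (default: all) against every entry newer than
        their last screening, stamp them as screened at `version`, and annotate each
        hit with any earlier adjudication of the same party/name pair."""
        hits: list[Hit] = []
        for pid in party_ids or list(self.parties):
            since = self.screened_version.get(pid, 0)
            key = normalize(self.parties[pid])
            for entry in watchlist:
                if entry.version <= since:
                    continue                      # already covered by an earlier screening
                if normalize(entry.name) == key:
                    prior = self.decisions.get((pid, normalize(entry.name)))
                    hits.append(Hit(pid, entry, prior))
            self.screened_version[pid] = version
        return hits

    def record_decision(self, hit: Hit, decision: str) -> None:
        """Persist the analyst's adjudication so later releases can reuse it."""
        self.decisions[(hit.party_id, normalize(hit.entry.name))] = decision


def demo() -> tuple[int, int, str | None]:
    """Walk through three watchlist releases for one constructed supplier."""
    registry = Registry(parties={"V-100": "Acme Trading, S.A."})
    watchlist = [ListEntry("Nordic Shell Holdings", "sanctions", 1)]

    # Onboarding-time screening against release 1: no hit.
    first = registry.screen(watchlist, version=1, party_ids=["V-100"])

    # Release 2 adds the supplier. A one-shot programme never looks again;
    # ongoing screening re-checks every party against the entries newer than release 1.
    watchlist.append(ListEntry("ACME TRADING SA", "adverse-media", 2))
    second = registry.screen(watchlist, version=2)
    registry.record_decision(second[0], "cleared: namesake, different registration")

    # Release 3 refreshes the same entry; the earlier adjudication comes back with the hit.
    watchlist.append(ListEntry("Acme Trading SA", "adverse-media", 3))
    third = registry.screen(watchlist, version=3)
    return len(first), len(second), third[0].prior_decision


if __name__ == "__main__":
    print(demo())   # (0, 1, 'cleared: namesake, different registration')
```

The version stamp per party is what turns the one-shot check into an ongoing one: each list release only costs a comparison against its new or refreshed entries, and the decision log is the “learning organization” piece, since a namesake cleared once is presented as such the next time rather than re-investigated.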
I work for a privately held company, so we have no audit constraints driving SoD KPIs. I struggle getting the attention of leadership to address the SoD violations that exist.
Hello Peter,
First of all, thank you for commenting on this blog.
You are right: in some cases, different drivers will be more relevant.
For access governance, for instance, in some cases “Number of segregation of duties audits per year” or “Faster IT audit completion” might not be the right KPIs.
Nevertheless, segregation of duties monitoring is just one aspect of access governance. Maybe some executives will be more receptive to associated benefits such as improved productivity and cost savings.
In which case, I would suggest looking into the following aspects of the end-to-end access governance process:
* Automating provisioning and policy enforcement: as well as compliant access, it will help decrease the time to request, approve, and assign access. This will result in operational efficiencies, since users can obtain the access required to do their job more promptly. In addition, since some estimates are that employees will request 4 password resets per year on average, automating the password reset procedure will also support increased productivity for end users while at the same time reducing time-consuming IT ticket processing;
* Streamlined role lifecycle management: will support greater efficiency in access assignments and enhanced security due to the assignment of fewer privileges. A reduction in the number of composite and single roles will also translate into cost savings thanks to reduced maintenance efforts.
For segregation of duties more specifically, since this was the area you mentioned, maybe one of the key aspects is that it is still one of the top contributors to fraudulent activities. Instead of highlighting the regulatory aspect of segregation of duties monitoring, maybe some executives will be more receptive to the fact that a sound reduction in access risk will lower the potential for internal fraud.
I hope this helps.
Kind regards,
Thomas
It does, thank you. In some aspects it helps validate the efforts my team has already put forth. We are a two-thirds remote sales force, so we went after the “low-hanging” fruit and streamlined the processes and workflows involving that organization, and we were able to reap the benefits. The other third is the messy part. 🙂
In parallel to SoD we are implementing more automation opportunities across the board.
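The segregation of duties monitoring discussed in the comments above comes down to a check that can be automated: expand each user’s composite roles to single roles, derive the permissions those roles grant, and test every pair of permissions a rule set declares incompatible. The following is an added example and not code from the post, the comments, or any product; the rule set, role catalogue, permissions and user assignments are constructed for illustration, as is the “share of users with a violation” figure used as a simple KPI.

```python
"""Segregation-of-duties (SoD) check over user role assignments (added example).

Reports, per user, each toxic permission combination they hold and the single
roles that grant it, so remediation can target the role rather than the user.
Everything below (rules, roles, users) is constructed for illustration.
"""

# Constructed rule set: each frozenset is a toxic combination, with a short rationale.
SOD_RULES = {
    frozenset({"vendor.create", "payment.approve"}): "create a vendor and pay it",
    frozenset({"po.create", "goods_receipt.post"}): "order goods and confirm receipt",
    frozenset({"user.create", "role.assign"}): "create an account and grant it access",
}

# Constructed single roles -> permissions they grant.
SINGLE_ROLES = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"payment.approve", "invoice.release"},
    "BUYER": {"po.create"},
    "WAREHOUSE": {"goods_receipt.post"},
    "IT_HELPDESK": {"user.create", "password.reset"},
    "IT_ADMIN": {"role.assign", "user.create"},
}

# Constructed composite roles -> single roles they bundle. FINANCE_ALL is the
# kind of convenience bundle that quietly creates an SoD conflict.
COMPOSITE_ROLES = {
    "FINANCE_ALL": {"AP_CLERK", "AP_MANAGER"},
    "PROCUREMENT": {"BUYER"},
}

# Constructed user -> assigned roles (single or composite).
ASSIGNMENTS = {
    "alice": {"FINANCE_ALL"},
    "bob": {"BUYER", "WAREHOUSE"},
    "carol": {"AP_CLERK", "PROCUREMENT"},
    "dave": {"IT_HELPDESK"},
}


def expand_roles(assigned: set[str]) -> set[str]:
    """Flatten composite roles to the single roles they contain."""
    singles: set[str] = set()
    for role in assigned:
        singles |= COMPOSITE_ROLES.get(role, {role})
    return singles


def effective_permissions(user: str) -> dict[str, set[str]]:
    """Map each permission the user effectively holds to the single roles granting it."""
    perms: dict[str, set[str]] = {}
    for role in expand_roles(ASSIGNMENTS[user]):
        for perm in SINGLE_ROLES[role]:
            perms.setdefault(perm, set()).add(role)
    return perms


def sod_violations(user: str) -> list[tuple[str, list[str]]]:
    """Return (rationale, granting single roles) for every rule the user violates."""
    perms = effective_permissions(user)
    findings = []
    for pair, rationale in SOD_RULES.items():
        if pair <= set(perms):                      # user holds both sides of the pair
            granting = sorted({r for p in pair for r in perms[p]})
            findings.append((rationale, granting))
    return findings


def report() -> dict[str, list[tuple[str, list[str]]]]:
    """Users with at least one violation, with the evidence for each."""
    out = {}
    for user in ASSIGNMENTS:
        found = sod_violations(user)
        if found:
            out[user] = found
    return out


def violation_rate() -> float:
    """Share of users holding at least one toxic combination (a simple KPI)."""
    return len(report()) / len(ASSIGNMENTS)


if __name__ == "__main__":
    for user, findings in report().items():
        for rationale, roles in findings:
            print(f"{user}: can {rationale} via {', '.join(roles)}")
    print(f"violation rate: {violation_rate():.0%}")
```

Alice’s conflict comes entirely from the FINANCE_ALL composite role, which is the point of reporting granting roles: the fix is to split the bundle, not to argue with the user. Bob’s conflict comes from two single roles assigned directly, which is a provisioning-workflow problem, the kind that the automated policy enforcement mentioned above would block at request time.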