Putting the “L” for Legal into GRC
I was an environmental lawyer in private practice back in the day, and during the 20 years I had that job I served dozens of in-house legal departments that made important contributions to governance, risk management and compliance (GRC) in their...
I was an environmental lawyer in private practice back in the day, and during the 20 years I had that job I served dozens of in-house legal departments that made important contributions to governance, risk management and compliance (GRC) in their companies. As I worked environmental due diligence for acquisitions, or advised on the regulatory impact of changes in manufacturing operations, or conducted assessments of compliance programs, I saw firsthand the significant role that Legal has in GRC, both as an adviser and as a conduit of information that is critical to the strategic leaders of the organization.
So, I was well positioned to develop the GRC Capability Model that is the center of OCEG’s work. And I can tell you, that even though the “L” for Legal didn’t make it into the GRC acronym, the importance of the legal department as a key GRC capability that must be integrated with the rest can’t be overstated.
Legal plays a critical GRC role — from regulatory interpretation and policy design, to involvement in third party due diligence and compliance investigations, to advising both internal audit and risk management based on legal findings. Yet, in too many organizations Legal is largely positioned to only be reactive, to only get involved after it is too late. Regulatory changes, or changes in operations that give rise to different regulatory requirements, are missed. Third parties are engaged without appropriate due diligence and that leads to potentially disastrous incidents. Investigations are disorganized and items that should be elevated to Legal aren’t, resulting in potentially more significant litigation down the road.
We’ve issued this new infographic with the support of our Solutions Council member, Wolters Kluwer ELM Solutions. Use it to drive discussions about how to better engage Legal in GRC.
One reason that Legal is frequently out of the loop is the absence of any unified or shared vision, processes or technology. It’s time for better coordination and the opportunity to have that is greater today than ever before. More organizations are forming GRC executive committees, and these should include the General Counsel. More are using the OCEG GRC Capability Model to drive integrated and uniform processes, and this applies to the legal department as well. More are seeking to employ user-friendly and integrated technologies through which personnel in all GRC capabilities get the right information as they need it, and this includes use by Legal. All of these efforts together ensure a stronger, more collaborative relationship between Legal and other GRC roles and departments to the benefit of the organization.