Every operation and function of an organization runs business risks that need to be controlled – or avoided altogether. And many of those same risks have a crucial legal and regulatory component.
In the not-too-distant past, companies did not consider legal and compliance risk management to be important in their own right. In fact, they saw them as separate from the business activity that legal operations support. That was especially true when they compared both to other risks arising from product liability, market changes, sustainability, employee conduct, cybersecurity, and much more.
But in recent years, companies have faced a number of exposures that have affected the profile of legal risk significantly. So, to manage these more meaningfully, legal and compliance have had to understand fully the level of risk within their own legal operations.
Some examples have to do with exposure to litigation, and the policies and procedures around electronic contract management, especially when contracts are more complex and higher in volume. These are also relevant to the support of legal hold and eDiscovery processes. Others, meanwhile, relate to the precision and quality of contracts as actually executed. And, of course, the regulatory environment is in constant change and yields risks of non-compliance, particularly for older contracts that are still in force.
In fact, general counsels (GCs) and legal teams need to work across the entire enterprise to identify these risks, set the appetite for each, and agree on the roles and responsibilities for managing them. What is more, they need to develop an effective process framework and design reliable controls to mitigate the most critical ones. And they need to correctly institutionalize these policies and procedures with risk officers, insurance coverage, records management, strategic sourcing, health and safety, and sales, as well as many other parts of the organization.
Risk Management is Now a Top Priority
In its “3 Strategies to Overcome Legal Technology and Implementation Challenges” report, Gartner says that “legal departments are seeing an increase in their volume of work related to labor and employment activities (44 percent), government affairs and relations (42 percent), and regulatory and compliance matters (39 percent)” – due to the COVID-19 pandemic.
So increasingly, legal and compliance departments are making risk management a top priority – and a core department mandate – according to another Gartner report. Both departments’ value comes from “the ability to help the business achieve strategic objectives while managing exposures to legal and regulatory risk, reputational damage and asset loss.”
Although aspects of legal and compliance risk management vary from company to company, there are general principles that GCs and chief compliance officers (CCOs) would do well to follow. Here are eight of them, based on Gartner’s findings.
1.Harmonize Risk Management with Company Strategy
True risk management is the pursuit of the right level of risk. It means considering the goals of the company and the cost of mitigation. To manage risks more meaningfully, legal and compliance must simply understand the level of risk. They must know the trade-offs the company is willing to make while pursuing its strategic objectives. Think revenue growth, profitability, reliability, safety, and sustainability.
By specifying these risk appetites for their strategic objectives, companies can make clear their decision-making around priorities.
2.Provide Context to Business Decisions
These days, risk oversight is becoming more and more complex. Public companies are scrutinized more because of data breaches, for example. And this greatly changes business models and shifts risk exposures. As a result, legal and compliance must go beyond merely reporting information and risk insight. It needs to involve a ‘dashboard’ that is not only business-relevant and consumable but also timely and accessible.
3. Ingrain Risk Discipline into Operations
In many instances, legal and compliance risk management activities are distinct from everyday business operations. Basically, they function as ‘bolt-ons’ to regular business workflows.
Legal and compliance must coordinate with other assurance functions, given the increasing importance of corporate agility and speed. They need to fully embed requirements and guidance into current business processes. And they need to provide business leaders with risk information in real-time. This is connected with the actual line of business but seen through a legal and compliance perspective.
Further, built-in legal and compliance activities – and contract management software, for example – are tightly linked to workflows and systems that manage purchasing, sales, customer-facing self-serve platforms, HR and employee relations, marketing and PR, products, and corporate governance, as well as statutory reporting and audits. And they are designed to be less of a burden on the company as a whole.
4.Bring Into Line Assurance Efforts
Over the past decade, the number of distinct assurance functions – like compliance, risk, and privacy -has doubled at the average company. Gartner points out that the poor alignment of efforts “increases the direct cost of assurance, increases operational burden, and serves as an anchor on corporate growth.” Moving forward, GCs and compliance executives will be tasked with “aligning corporate assurance efforts to provide a holistic view of risk, reduce the total cost of risk management, and support achievement of long-term corporate objectives.”
To help with this alignment, ISO 31022 – Risk Management: Guidelines for the Management of Legal Risk has been established. It “articulates a number of principles that need to be satisfied to make risk management effective.”
5.Nurture a Culture of Integrity
A strong culture of integrity improves reporting while reducing non-compliance. “Employees with unfavorable perceptions of company culture observe nearly nine times more misconduct and report 36 percent less misconduct than employees with the most favorable perceptions of culture,” Gartner says. “A strong culture means less risk occurs and when it does, executives hear about it more quickly.”
Interestingly, individuals who have the most favorable perceptions of culture are almost nine times less likely to observe misconduct. That is compared to employees with unfavorable perceptions.
6.Value the Local Climate
What determines employees’ compliance behavior the most is the teams’ own behavior. This is driven by a group’s shared perceptions of the nature of work, including the processes and practices they follow, and the signals they receive.
7.Refine Information Flows
Today, data is more abundant than ever before. But both GCs and CCOs struggle to gather up existing information about legal and compliance risks. According to Gartner, only 13 percent of known information about potential misconduct finds its way to the Compliance function. And this limits the understanding of individual behaviors and the mitigation of risks.
8.Use the Right Contract Management Tool For Legal and Compliance Risk Management
Indeed, the use of legal technology to better manage legal risk is growing quickly.
A contract lifecycle management (CLM) solution is an organization-wide operational system that helps with risk identification, assessment, and reporting. As companies become more digitally mature, using CLM software, GCs and legal teams will be able to capture and present underlying contract data. As a result, they will meet increased expectations by controlling legal risks in companies’ operations.
One of the latest features of ContractPodAi’s CLM solution is Contract Risk & Compliance. It helps you understand all contractual risks while reducing the time and effort spent on manual contract review and renewals. To find out more, download our Contract Risk & Compliance Datasheet.
Author:
Edward Chick
Connect with us on Linkedin
