A Discussion of Mastering Risk and Compliance for Legal Departments
FTI Technology Senior Managing Directors David Meadows and Al Park recently joined the Canadian Legal Innovation Forum (CANLIF) for its “Fall Webinar Series” to discuss mastering risk for legal operations in an evolving risk landscape. Chaired by ADB Insights Founder Andrew Bowyer, the panel also included Loblaw Companies Limited Senior Director Jennifer Jobanputra and Eckler Ltd. General Counsel Rustam (Rusty) Juma. This blog focuses on FTI Technology’s insights, and a look at best practices for anticipating and responding to risk.
Regulatory compliance continues to be a top priority for legal and compliance teams today. In addition to tracking against numerous and evolving global regulations, maintaining strict data privacy and security, and anticipating and responding to risks faced by business units, legal and compliance professionals must also address rising labour/employment risks, as well as environmental, social and governance (ESG) challenges. To best prepare for and respond to these ongoing challenges, legal departments must determine compliance processes and business strategies to be a more engaged advisor and partner within their organization.
Reviewing the Evolving Risk Landscape
Regulatory risk often leads to financial risk, and can quickly spiral into reputational risk. To stay ahead of these issues, legal teams and business leaders must continually ask questions. What is in place that’s working and not working? Do our systems have integrity? Are they fit for purpose?
There are several things to consider in regularly updating a risk register. Risk drivers and trends should be reviewed each quarter, looking at what adjustments need to be made, key factors at the board level and where the compliance and legal function needs to focus its strongest effort.
For example, employee-related risk is continually evolving, particularly as employees increasingly use programs that aren’t necessarily approved by the organization. Or, they may be tempted to act improperly when morale is low or they are considering a new position (e.g., implications relating to the ongoing Great Resignation and Great Reshuffling). In other scenarios, heavy pressure to hit sales targets and meet shareholder expectations could inadvertently motivate certain employees or function leads to commit fraud.
Additional aspects to address include:
- Vertical regulatory landscape, reviewing and preparing responses for any unique risks relevant to that particular industry.
- Emerging digital data sources, where the amount and types of data are constantly expanding, and there are complex compliance issues due to the nature of the data.
- Litigation holds in respect to electronic monitoring, ensuring employees are clear regarding oversight.
- M&A post integration, where due diligence might have missed associated third-party risk.
- Managing regulation and interaction with various parts of the business for anti-bribery, corruption and supply chains.
- Resourcing and setting processes to identify governance, risk management and compliance (GRC) needs relating to an enterprise risk management (ERM) program.
- Big data and privacy, adapting to new regulations and managing the differences between provinces and/or jurisdictions.
Automating Legal Functions for Added Support
Even if separate functions at an organization, legal and compliance work closely together. While legal departments address the broader scope of legal issues and risks that may affect an organization, compliance officers are more directly focused on industry-specific guidelines and government regulations. Compliance officers are responsible for regulatory risks and misconduct, and therefore must ensure company policies are effective and enforced. Both departments must be proactive, anticipating and uncovering issues before they become problems.
Given the volume of information that may need to be monitored, analyzed and reviewed for these purposes, this is an area primed for automation. By developing and implementing tech-forward solutions and marrying these with advanced processes, teams can be proactive about their biggest risk areas. Automation also makes it easier to audit processes and perform internal testing. This may include applications for legal holds, sending notices and monitoring actions. In addition to using technology specifically for compliance function automation, technology can be leveraged across the organization to help manage risk, uphold ongoing awareness and provide insights about internal activity and attitudes.
Implementing Strategy Across the Company
Companies need a defined culture and clear code of conduct to drive compliance and ensure it stays top of mind. Compliance needs to be a central part of the company ethos, where all colleagues understand what it is, why it’s important and their role with it. This includes consistent education and training, providing scenarios that explain the hows and whys of the program. Employees should be encouraged to ask questions, so they’re comfortable raising concerns early versus fearful. Tying compliance to goals and bonuses is one effective technique to firmly ingrain compliance within the company culture.
Finally, a current area of focus for many organizations is the changing privacy landscape within and between countries. Corporations should manage to their greatest restriction. GDPR provides a good baseline, even if not directly applicable to a company’s particular geographical situation.
Ensuring regulatory compliance requires ongoing vigilance and frequent review. As the risk landscape continues to evolve, legal departments can’t set it and forget it. Automation can help with this. There are programs that take some of the burden off of legal departments, and engaging the entire company in compliance matters strengthens and reinforces those programs. Compliance is mandatory, but it’s also good for the business, with a direct impact on the bottom line.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.