Legal governance, risk management, and compliance

Legal governance, risk management, and compliance (LGRC) refers to the set of processes, rules, tools and systems that corporate legal departments use to adopt, implement and monitor an integrated approach to business problems. Whereas governance, risk management and compliance (GRC) refers to a generalized set of tools for managing a corporation or company, legal GRC, or LGRC, refers to a specialized but similar set of tools [1] used by attorneys, corporate legal departments, general counsel and law firms to govern themselves and their corporations, especially but not exclusively with respect to the law. [2] Other specializations within governance, risk management and compliance include IT GRC and financial GRC. The three overlap considerably, particularly in large corporations that have legal, IT and financial departments.

Legal governance refers to the establishment, execution and interpretation of the processes and rules that corporate legal departments put in place to ensure a smoothly run legal department and corporation. [3]

Legal risk management refers to the process of evaluating alternative regulatory and non-regulatory responses to risk and selecting among them. Even within the legal realm, this process requires knowledge of legal, economic and social factors, as well as knowledge of the business world in which legal teams operate. [4] In an organizational setting, risk management refers to the process by which an organization sets its risk tolerance, identifies potential risks, prioritizes them against that tolerance in light of the organization's business objectives, and manages and mitigates risks throughout the organization.

Legal compliance is the process or procedure that ensures an organization follows relevant laws, regulations and business rules. [5] The definition of legal compliance, especially in the context of corporate legal departments, has recently been expanded to include understanding and adhering to the ethical codes of entire professions as well. An enterprise must meet two requirements to be compliant with the law: first, its policies must be consistent with the law; second, its policies must be complete with respect to the law. The role of legal compliance has also been expanded to include self-monitoring of non-governed behavior within industries and corporations that could lead to workplace indiscretions. [6] Within the LGRC realm, a strong legal governance component is what allows risk to be assessed accurately and legal compliance to be monitored efficiently. Within the LGRC framework, legal teams also work closely with executive teams and other business departments to align their goals and ensure proper communication.

Legal consistency is the property that enterprise policies are free of contradictions with the law. Legal consistency has been defined as not having multiple verdicts for the same case. [7] Its antonym, legal inconsistency, is defined as having two rules that contradict each other. [8] Other common definitions of consistency refer to "treating similar cases alike". [9] In the enterprise context, legal consistency refers to "obedience to the law". [10] In the context of legal requirements validation, legal consistency is defined as follows: "Enterprise requirements are legally consistent if they adhere to the legal requirements and include no contradictions." [11]

Legal completeness is the property that enterprise policies cover all scenarios included or suggested by the law. Completeness means that there is no scenario covered by the law that cannot be implemented in the enterprise; in addition, it implies that every scenario the law does not allow is also not allowed by the enterprise.

Enterprise policies are said to be legally complete if they contain no gaps in the legal sense. Completeness can be thought of in two ways. [12] Some scholars, such as Ayres and Gertner, use a concept of 'obligational' completeness. [13] In this usage, a system or a contract is obligationally complete if it specifies what each party is to do in every situation, even if that is not the optimal action under some circumstances. Others discuss 'enforceability' completeness, in the sense that failing to specify key terms can lead a court to find a system too uncertain to enforce (May & Butcher v the King, 1934), [14] so a system may be complete with respect to enforceability. This leads to the following definition: enterprise regulations or requirements are legally complete if they specify what each party is to do in each situation while covering all gaps in the legal sense. [11]
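The two properties defined above (consistency: no multiple verdicts for the same case and no contradiction of the law; completeness: no gaps, and a verdict for every party in every situation) are mechanically checkable once law and policy are written as rules. The following is an added illustration, not code from the page or from the cited thesis. It assumes its own data model (a rule is a scenario, a bound party, a verdict of allow/deny/require, and a source label) and uses constructed sample rules with hypothetical source labels; it does not encode any real statute.

```python
"""Check an enterprise policy set for legal consistency and legal completeness.

Added example. Data model and sample rules are constructed for illustration;
the source labels ("statute-A", "policy:IR-1", ...) are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass

ALLOW, DENY, REQUIRE = "allow", "deny", "require"


@dataclass(frozen=True)
class Rule:
    scenario: str  # the case the rule decides
    party: str     # who the rule binds
    verdict: str   # ALLOW, DENY or REQUIRE
    source: str    # document the rule is taken from (hypothetical labels below)


def verdicts_by_case(rules):
    """Group verdicts by case, where a case is a (scenario, party) pair."""
    cases = defaultdict(set)
    for r in rules:
        cases[(r.scenario, r.party)].add(r.verdict)
    return cases


def conflicts(a, b):
    """Two verdicts contradict when one forbids what the other allows or requires.
    ALLOW and REQUIRE are compatible: requiring an action implies allowing it."""
    return DENY in (a, b) and a != b


def internal_contradictions(rules):
    """Cases with contradictory verdicts ('multiple verdicts for the same case')."""
    return sorted((s, p, frozenset(v)) for (s, p), v in verdicts_by_case(rules).items()
                  if any(conflicts(x, y) for x in v for y in v))


def check_consistency(law, policy):
    """Legal consistency: the policy contradicts neither itself nor the law."""
    report = {"internal": internal_contradictions(policy), "against_law": []}
    law_cases = verdicts_by_case(law)
    for case, policy_verdicts in verdicts_by_case(policy).items():
        for lv in law_cases.get(case, ()):
            for pv in policy_verdicts:
                if conflicts(lv, pv):
                    report["against_law"].append((*case, lv, pv))
    report["against_law"].sort()
    return report


def check_completeness(law, policy, parties):
    """Legal completeness in both senses used above:
    - gaps: a case the law decides but the policy leaves undecided;
    - obligational gaps: a party with no verdict for a scenario the law mentions."""
    policy_cases = verdicts_by_case(policy)
    gaps = sorted(case for case in verdicts_by_case(law) if case not in policy_cases)
    scenarios = {r.scenario for r in law}
    obligational = sorted((s, p) for s in scenarios for p in parties
                          if (s, p) not in policy_cases)
    return {"gaps": gaps, "obligational_gaps": obligational}


def is_legally_compliant(law, policy, parties):
    """Compliant only when consistent and complete, per the two requirements above."""
    c = check_consistency(law, policy)
    k = check_completeness(law, policy, parties)
    return not (c["internal"] or c["against_law"] or k["gaps"] or k["obligational_gaps"])


# Constructed sample rules (hypothetical scenarios and source labels).
LAW = [
    Rule("personal-data breach", "controller", REQUIRE, "statute-A"),
    Rule("marketing email without consent", "controller", DENY, "statute-B"),
    Rule("financial records retention", "controller", REQUIRE, "statute-C"),
]
PARTIES = {"controller", "processor"}

# A policy set with one defect of each kind.
POLICY = [
    Rule("personal-data breach", "controller", REQUIRE, "policy:IR-1"),
    Rule("marketing email without consent", "controller", ALLOW, "policy:MKT-4"),  # contradicts law
    Rule("cross-border data transfer", "processor", ALLOW, "policy:DT-2"),
    Rule("cross-border data transfer", "processor", DENY, "policy:DT-7"),           # contradicts itself
    # no rule for "financial records retention": a gap
]

# The same policy set with the defects removed.
POLICY_FIXED = [
    Rule("personal-data breach", "controller", REQUIRE, "policy:IR-1"),
    Rule("personal-data breach", "processor", REQUIRE, "policy:IR-2"),
    Rule("marketing email without consent", "controller", DENY, "policy:MKT-4"),
    Rule("marketing email without consent", "processor", DENY, "policy:MKT-5"),
    Rule("financial records retention", "controller", REQUIRE, "policy:REC-1"),
    Rule("financial records retention", "processor", ALLOW, "policy:REC-2"),
    Rule("cross-border data transfer", "processor", DENY, "policy:DT-7"),
]

if __name__ == "__main__":
    print("consistency:", check_consistency(LAW, POLICY))
    print("completeness:", check_completeness(LAW, POLICY, PARTIES))
    print("compliant:", is_legally_compliant(LAW, POLICY, PARTIES))
    print("fixed compliant:", is_legally_compliant(LAW, POLICY_FIXED, PARTIES))
```

Two design points follow directly from the definitions: a consistency failure against the law is reported separately from an internal contradiction, because the page distinguishes "obedience to the law" from "no multiple verdicts for the same case"; and a scenario the law does not mention (here, cross-border transfer) is checked for internal contradiction but is never a completeness gap, since completeness is measured only against scenarios the law covers.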

History

Lebogang says. [15] As with the Sarbanes-Oxley Act, legal industry thought leaders saw a need for a new framework for legal GRC, and borrowed heavily from IT, records and information management (RIM) and other fields to come up with new, clear processes and rules that would make navigating the post-financial-crisis legal world as smooth as possible.

Organizations

The Legal GRC Center for Innovation is a nonprofit institute for the advancement of the concepts and applications of Legal GRC. The LGRC Center for Innovation serves as a forum for legal industry leaders to discuss and determine ways to systematize and streamline work within the legal industry. The membership of the LGRC-CFI is made up of thought leaders in the legal, business, IT and RIM fields. They meet in online forums and at periodic conventions and summits to determine best practices for Legal GRC. The LGRC-CFI also regularly publishes a blog and several industry-specific white papers. The LGRC Center for Innovation addresses legal governance, risk management, and compliance exclusively.

Institute on Governance

The Institute on Governance (IOG), although it does not address LGRC exclusively, is a useful resource on governance in general and has collected some significant basics about legal governance online. The IOG is an independent Canadian nonprofit think tank founded in 1990 to promote better governance for public benefit; through its research and services it helps public organizations and societies realize their objectives by putting good governance into practice.

Association of Corporate Counsel

The Association of Corporate Counsel (ACC), formerly the American Corporate Counsel Association (ACCA), is an association of in-house counsel, attorneys who work for corporations. The association publishes the magazine ACC Docket and arranges one of the United States' largest annual meetings for in-house attorneys. ACC was founded in 1982 and has more than 24,000 members from over 10,500 corporations in 77 countries. The ACC does not address LGRC exclusively, but can be credited with laying some foundations for corporations (the original practitioners of governance, risk management and compliance) and legal departments to begin working together on overarching issues of governance, risk management and compliance. [citation needed]

Related Research Articles

Audit: Independent examination of an organization

An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon." Auditing also attempts to ensure that the books of accounts are properly maintained by the concern as required by law. Auditors consider the propositions before them, obtain evidence, roll forward prior year working papers, and evaluate the propositions in their auditing report.

Corporate governance are mechanisms, processes and relations by which corporations are controlled and operated ("governed").

Information technology (IT) governance is a subset discipline of corporate governance, focused on information technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders. It has evolved from The Principles of Scientific Management, Total Quality Management and the ISO 9001 quality management system.

An audit committee is a committee of an organisation's board of directors which is responsible for oversight of the financial reporting process, selection of the independent auditor, and receipt of audit results both internal and external.

Records management, also known as records and information management, is an organizational function devoted to the management of information in an organization throughout its life cycle, from the time of creation or receipt to its eventual disposition. This includes identifying, classifying, storing, securing, retrieving, tracking and destroying or permanently preserving records. The ISO 15489-1:2001 standard defines records management as "[the] field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records".

In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Compliance has traditionally been explained by reference to the deterrence theory, according to which punishing a behavior will decrease the violations both by the wrongdoer and by others. This view has been supported by economic theory, which has framed punishment in terms of costs and has explained compliance in terms of a cost-benefit equilibrium. However, psychological research on motivation provides an alternative view: granting rewards or imposing fines for a certain behavior is a form of extrinsic motivation that weakens intrinsic motivation and ultimately undermines compliance.

A general counsel, also known as chief counsel or chief legal officer (CLO), is the chief in-house lawyer for a company or a governmental department.

Information technology controls are specific activities performed by persons or systems to ensure that computer systems operate in a way that minimises risk. They are a subset of an organisation's internal control. IT control objectives typically relate to assuring the confidentiality, integrity, and availability of data and the overall management of the IT function. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC includes controls over the hardware, system software, operational processes, access to programs and data, program development and program changes. IT application controls refer to controls to ensure the integrity of the information processed by the IT environment. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.

The chief risk officer (CRO), chief risk management officer (CRMO), or chief risk and compliance officer (CRCO) of a firm or corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and The Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach. The CRO is responsible for assessing and mitigating significant competitive, regulatory, and technological threats to a firm's capital and earnings. The CRO roles and responsibilities vary depending on the size of the organization and industry. The CRO works to ensure that the firm is compliant with government regulations, such as Sarbanes–Oxley, and reviews factors that could negatively affect investments. Typically, the CRO is responsible for the firm's risk management operations, including managing, identifying, evaluating, reporting and overseeing the firm's risks externally and internally to the organization and works diligently with senior management such as chief executive officer and chief financial officer.

Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives, assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring process. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

A company secretary is a senior position in the corporate governance of organizations, playing a crucial role in ensuring adherence to statutory and regulatory requirements. This position is integral to the efficient functioning of corporations, particularly in common law jurisdictions. The company secretary serves as a guardian of compliance, a facilitator of communication between the board of directors and other stakeholders, and a custodian of corporate records.

Data governance is a term used on both a macro and a micro level. The former is a political concept and forms part of international relations and Internet governance; the latter is a data management concept and forms part of corporate data governance.

Governance, risk management and compliance (GRC) is the term covering an organization's approach across these three practices: governance, risk management, and compliance.

The Chief Privacy Officer (CPO) is a senior level executive within a growing number of global corporations, public agencies and other organizations, responsible for managing risks related to information privacy laws and regulations. Variations on the role often carry titles such as "Privacy Officer," "Privacy Leader," and "Privacy Counsel." However, the role of CPO differs significantly from another similarly-titled role, the Data Protection Officer (DPO), a role mandated for some organizations under the GDPR, and the two roles should not be confused or conflated.

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.

Information governance, or IG, is the overall strategy for information at an organization. Information governance balances the risk that information presents with the value that information provides. Information governance helps with legal compliance, operational transparency, and reducing expenditures associated with legal discovery. An organization can establish a consistent and logical framework for employees to handle data through their information governance policies and procedures. These policies guide proper behavior regarding how organizations and their employees handle information whether it is physically or electronically created (ESI).

The chief governance officer (CGO) is normally a senior executive reporting to the CEO; however, in the not-for-profit sector, when an organization uses policy governance, the chair of the board often takes on the role of CGO, who is tasked with directing the people, business processes and systems needed to enable good governance from inside the corporation in support of the board of directors. In some geographies the role is assumed by the chief counsel, in others by a corporate or company secretary.

The Network, Inc. is a technology and services company that develops and delivers integrated GRC solutions designed to help organizations mitigate risk and promote organizational compliance. The Network's solutions are proprietary SaaS-based technology. The company uses the phrase "Protect, Detect, Correct" to describe its solutions.

Enterprise legal management (ELM) is a practice management strategy of corporate legal departments, insurance claims departments, and government legal and contract management departments.

References

  1. Adams, R., Mann, G. and Hobbs, V. ISEEK, a tool for high speed, concurrent, distributed forensic data acquisition. In Valli, C. (ed.), Proceedings of the 15th Australian Digital Forensics Conference, 5–6 December 2017, Edith Cowan University, Perth, Australia.
  2. Musthaler, Linda and Brian. Governance, risk management and compliance and what it means to you. Network World, March 7, 2007.
  3. Konkle, Joshua L. Legal risk management requires a corporate strategy, mindset and commitment. DCIG, January 9, 2008.
  4. US Army Corps of Engineers Glossary, August 1998. Archived 2008-11-20 at the Wayback Machine.
  5. "Home | Staff | Records Management | Definitions". Archived from the original on 2008-12-05. Retrieved 2008-11-10.
  6. Bauer, Christopher. An ethics self-exam: ethical compliance is not just an issue for external review; auditors must look inward to ensure their own integrity is not compromised. Bnet, June 2004. Archived 2007-12-18 at the Wayback Machine.
  7. Simmons, Beth A. and Steinberg, Richard H. International Law and International Relations: An International Organization Reader. Cambridge University Press, 2007. ISBN 978-0-521-86186-1.
  8. Wintgens, Luc. Legisprudence: A New Theoretical Approach to Legislation: Proceedings of the Fourth Benelux-Scandinavian Symposium on Legal Theory. Hart Publishing, 1998. ISBN 978-1-84113-342-3.
  9. Lanni, Adriaan. Law and Justice in the Courts of Classical Athens. Cambridge University Press, 2006. ISBN 978-0-521-85759-8.
  10. Colby, Anne and Kohlberg, Lawrence. The Measurement of Moral Judgment. Cambridge University Press, 1987. ISBN 978-0-521-32501-1.
  11. Hassan, Waël. PhD thesis, University of Ottawa, 2009.
  12. Armour, J. Share Capital and Creditor Protection: Efficient Rules for a Modern Company Law. ESRC Centre for Business Research Working Paper wp148, 1999.
  13. Ayres, Ian and Gertner, Robert (1992). Strategic Contractual Inefficiency and the Optimal Choice of Legal Rules. 101 Yale Law Journal 729.
  14. Waddams, S. M., Trebilcock, McCamus, Neyers and Waldron. Cases and Materials on Contracts, 3rd ed. Emond Montgomery Publications, 2005. ISBN 978-1-55239-166-2.
  15. Kim, Won-Kyu. The effect of industrial restructuring policy post-financial crisis. September/October 2007.