Compliance as part of an Enterprise Legal Management strategy: An ounce of prevention is worth a pound of cure
Comment by Martin Goulet, Sr. GRC Product Manager, Mitratech
The office of the General Counsel, especially in large global enterprises, has placed a great deal of focus in recent years on improving the value received for each legal dollar. GCs have implemented legal management solutions, such as matter management, that help them manage and measure the effectiveness of their legal efforts and make better decisions about how to handle certain types of matters. They have implemented e-billing solutions to gain better control over their sometimes significant spend with outside counsel. And they have used these integrated solutions to manage the mix of internal and outside counsel effort. Through these investments, GCs have made significant strides in managing their “ex post” legal challenges: the matters that arise after something has already gone wrong.
Recent trends demonstrate that while these investments have largely been successful, they are not sufficient for managing the growing list of significant “a priori” compliance risks that these organizations face. In 2014, the Securities and Exchange Commission and the Department of Justice brought Foreign Corrupt Practices Act (FCPA) enforcement actions against global powerhouses like Avon Products ($135 million), Hewlett-Packard ($108 million), and Alcoa (a staggering $384 million). Informed watchers expect 2015 to bring a record $1+ billion settlement with Walmart for its alleged FCPA violations related to its Mexican market entry. The size of these penalties, and the brand and reputation harm these organizations have incurred, have raised awareness of compliance risk within the community of global GCs. One response to this increased awareness has been to refocus technology investments on the underlying weaknesses that lead to violations in the first place. This shift toward prevention reflects what compliance and legal professionals have learned from these very public failures, as well as from the less public successes in the compliance realm.
A recent survey of legal departments shows that overall regulatory compliance responsibility is still a priority for GCs. Despite a shift in some cases to a Chief Compliance Officer role reporting outside of legal, legal departments in many organizations still own either the overall organizational mandate for compliance or the functional responsibility for certain key aspects of a compliance program. At Mitratech, we are seeing a fairly consistent response to this organizational mandate and to the increased awareness of compliance risk. With pressure on costs still prevalent within their organizations, GCs are responding with technology investments that increase efficiency, improve information sharing, and break down the silos that undermine compliance effectiveness.
There are at least two tiers of capability maturity that we see legal departments investing in. The first tier, and the most consistent and mainstream, includes the basic blocking and tackling required to demonstrate an adequate compliance framework, including the requisite transparency and accountability of employees and other stakeholders. Specifically, legal departments are investing in policy management, awareness, and attestation tools. While it may seem obvious that employees are subject to the written policies of their employer, being able to demonstrate that stakeholders are aware of, and have acknowledged, ethics, business conduct, and other policies can go a long way toward limiting a firm’s liability for any future alleged wrongdoing by its employees. Accordingly, organizations are investing in technology that maintains a set of policies of record, ties each version to a specific point in time, records who read which policy version and when, identifies the educational activities employees engaged in related to these policies, and captures each employee’s affirmative acknowledgment of the policies that applied to them at that time. This core technology foundation provides a baseline of protection for an enterprise built on a solid foundation of transparency and accountability.
While many legal teams are content with this level of protection, many others are going at least one step further by investing in tools to define and assert business controls consistent with their policies and procedures. These tools help a legal department demonstrate not only the strength of its stated compliance position (as articulated by its policies and procedures), but also its commitment to realizing that compliance goal in the organization’s business activities through proactive enforcement. To be most effective, these control frameworks must integrate with the business processes of the organization and should be audited and otherwise assessed for their effectiveness; a control that exists only on paper proves nothing about what actually happened in a transaction. To give an example, most organizations have a segregation-of-duties policy in their purchasing processes so that the same individual cannot both acknowledge receipt of goods and authorize payment of the invoice. Some organizations take the additional step of adding a control to their procurement process, either in their purchasing automation systems or through manual intervention, to make sure this important policy is actually enforced rather than merely stated.
The natural corollary to an effective control framework is an oversight and accountability framework that dictates the mechanisms by which management will hold itself and other firm stakeholders accountable for living up to these compliance standards. This tends to be the next step in the adoption and evolution of an effective compliance framework. As it did with the 2007 FCPA allegations against Morgan Stanley, the DOJ will often examine the role of management in overseeing decisions and other transactions to ensure that they comply with the spirit and letter of the firm’s policy framework. In declining to pursue Morgan Stanley for the conduct at issue, the DOJ referred back to management’s consistently applied role in overseeing the activities of its employees, as well as the extraordinary steps that the employee in question took to circumvent these controls and that oversight. Legal departments are investing in solutions that help manage and automate the implementation of these types of oversight frameworks.
While policy management, an effective control framework, and management oversight and accountability are all part of the “blocking and tackling” tier of compliance maturity investments, we see many organizations moving beyond these basic capabilities to a more robust position of compliance readiness. As the maturity of a firm’s compliance program grows, and it sees the tangible benefits of the framework and tools it has adopted, it will often invest in more advanced capabilities and tools. The next tier of compliance maturity is even more proactive than the first. While the first tier tends to treat the firm’s compliance framework as a fixed entity, with all compliance goals weighted equally, a more mature approach typically adds two critical elements. One is the ability to manage the regulatory change process itself, addressing every requisite obligation as it emerges, which we call “regulatory intelligence”. The other is the ability to apply a risk-weighted assessment across the compliance framework and adjust every aspect of the framework to the results of that assessment.
The organizations we see investing in regulatory intelligence solutions are staying ahead of the potentially expensive trend of increasing regulatory change. Whether it is newly passed legislation, associated rulemaking, enforcement actions, or judicial interpretations, the pace of change in the regulatory landscape never slows. To respond, and to minimize the risk of compliance failures, without incurring the very high cost of having the legal department manually scan and interpret this high volume of change, advanced legal departments are investing in solutions that manage both the regulatory content (essentially the text of the changes themselves) and the regulatory change workflow, so that they can focus on their important role in managing the organization’s interpretation of, and response to, any change.
One of the most mature responses we observe in legal departments to their compliance mission involves a risk-aware approach to the framework. When organizations reach a certain level of maturity in their compliance program, they realize that not all compliance obligations are equal, and that they would benefit from assessing each obligation for its level of risk and modifying their response accordingly. Given both the highly integrated nature of this task and the very large volumes of data required to achieve it, investments in automated solutions in this area are beginning to appear in legal department budgets. Tools that help these mature clients measure and quantify the differing risk of obligations across the jurisdictions where they conduct business, together with tools that measure and control the cost of their compliance response, help implement a risk-weighted compliance framework in which each dollar of investment can be justified in its own right and also compared against that same dollar invested elsewhere.
Legal departments have been adapting to the combined pressures of their evolving role in their organizations and the increasing challenges in the compliance component of that mandate. Most large-company legal teams have successfully realized the benefits of technology solutions that target the “ex post” component of their legal challenges, and in particular leverage enterprise legal management platforms that can be configured to consolidate matter management, e-billing, and compliance functions in one place. As they consolidate these functions and seek to add even more value to their organizations, more and more are able to shift their focus to managing the “a priori” aspects of their legal mandate.
As they do, many are realizing that Ben Franklin’s wisdom is timeless: an ounce of “a priori” prevention can truly be worth a pound of “ex post” cure.