In today's global business environment, risk is present in virtually every industry, business process, and supply chain relationship. Government regulations have made compliance a challenge, necessitating formal enterprise-wide risk management strategies for all companies. The anticipation of increased regulatory mandates has caused many companies to reevaluate their risk process, which for the most part has been inadequately aligned with business strategy and poorly integrated into business operations.
The market collapse of 2008 outpaced the ability of companies' internal systems and risk management to cope. It overwhelmed traditional capabilities and fragmented most corporate risk management processes and systems. This economic crisis was the ultimate stress test for existing law firm management tactics. Financially dedicated products performed dismally, as did existing alignments between strategy and the growth process. Ambiguous risk responsibilities between the firm as a whole and its various departments exposed a flawed culture that needed to be revolutionized.
According to a 2009 Global Risk Management Study by Accenture, a global management company, present-day management attitudes and capabilities of more than 250 of the world's largest enterprises show the following:
- Risk management and capabilities are not currently equal to today's challenges.
- Risk management is inadequately aligned with business strategy and poorly integrated with business operations.
- The integration of risk management and preventative management is lacking.
- Increased regulation is expected.
- The costs of effective risk management are increasing.
- Outsourcing part of risk management is proving efficient, and companies are investing to improve their risk management. There is optimism that strong risk management will drive business performance.
Company departments can no longer operate as silos within their organizations. The old paradigm of managing risk and compliance in a fragmented, department-by-department manner falls short of the much-needed broader risk and compliance policy for a firm. Reactive, "siloed" approaches lack the big picture, resulting in complexity, redundancy, and failure for a company. Chief executives on the whole seem to feel that the biggest challenge they will face over the next two years is the need for more rigorous management capabilities, in particular better alignment of risk management with a firm's overall business strategy, including effective collaboration with business units. In the future, risk management officers and managers also need to be more involved in a company's goal setting, objectives, and performance management.
Inefficiencies in systems and data processing costs for risk management have increased significantly over the past few years (easily exceeding $100 million for a large company, with an estimated $50-100 million more for future upgrades). And we can only expect a more stringent regulatory and compliance environment in the coming years. Using information derived from risk assessment and analysis, even though it is a major cultural change for law firms, is seen by many senior executives as enabling a better decision-making process. By protecting value and guarding against failure, risk management initiatives can become proactive rather than reactive. As firms increase their investments in risk management, executives need to believe that a strong risk management capability supports profitable growth. It is becoming apparent that an organization's ability to improve risk management will drive business value only if integrated risk management capabilities are developed, the frequency of risk reporting is improved, the company readjusts its management performance process, and the risk management team becomes the driving force in value creation.
The financial crisis underscored that significant improvement in companies' risk management is not just needed but mandatory, making risk management possibly today's biggest corporate challenge. The Sarbanes-Oxley Act, passed in 2002, set corporate governance standards for public companies, their management boards, and accounting firms. The law is responsible for organizations increasingly adopting consolidated and harmonized compliance controls, ensuring that companies can no longer permit departments to operate as silos in addressing compliance. Tracking risk in a siloed manner renders companies virtually incapable of assessing interrelated issues and their compounding risk. Future successful companies will practice a much more holistic approach to meeting government regulatory requirements.
A variety of products addressing governance, risk, and compliance (GRC) have been introduced to the legal industry. Examples include the following:
- Oracle Enterprise GRC Manager, which facilitates a holistic approach to risk management by addressing individual departmental needs with natively built modules.
- SAP ERP, from SAP (founded in 1972 by five former IBM employees), which consists of several modules whose data is collected and combined to provide enterprise resource planning, and which has an aggressive policy of notifying users via emails and white papers of product updates as well as changes in the regulatory landscape.
- IBM's OpenPages, which promises enterprise-wide GRC initiatives (operational risk management, compliance management, financial controls management, IT governance, and audit management) within an integrated platform that will adapt seamlessly to a company's existing risk management system.
Due to the nuances of governmental agency regulations for various practices, be they corporate, environmental, health, energy, or law, it is difficult for one company-wide solution to provide total risk management. Rather, a company must purchase and integrate individual solution units for each legal practice identified as at risk. For example, Cura Comply, a LexisNexis product, navigates South African regulations. Like IBM's OpenPages, Thomson Reuters Accelus provides a suite of "solution sets," which can be purchased separately. Accelus addresses several aspects of risk management, including corporate board management, compliance training, due diligence, internal audits, and policy management, as well as disclosure and business law. Its enterprise GRC capability ties regulatory compliance to internal management control. MEGA is a suite that offers comprehensive solutions for GRC, operational risk management, and enterprise risk management. These tools help companies control operations, reduce risks and costs, and increase confidence in overall operations.
In addition, several companies offer management consulting, including Gartner and Accenture. Regardless of which route a law firm takes (and it has been proven that outsourcing may be the most cost-effective way to meet global regulations), customers should ask what the product or service actually does and what it can offer the organization. Coordinating the linking of complex business systems should not just increase overall risk management costs, but deliver positive bottom-line results.
According to Accenture's 2009 Global Risk Management Study, risk management capabilities have in the past been overly isolated and not a full part of the organization. For a company to succeed today, risk management must be better aligned with the company's goal-setting process and fully integrated into all of its business units, including its culture and management process. Executives surveyed felt strongly that such investments, when integrated, will drive profitable growth for their organizations. Indeed, according to a white paper published by Corporate Integrity, a research, training, and advisory firm providing leadership on GRC issues and corresponding solutions, managing accountability where a business has a complete system of record, and providing visibility across a multitude of risk and compliance issues, are no longer a choice but a requirement.
When assessing a possible product purchase, regulatory officers should ask themselves the following:
- How do I obtain future proactive insight into the ever-changing regulatory landscape?
- How do I connect these regulatory changes to my firm's risk management and overall business strategy?
- How do I deliver a relevant set of programs and reports that will provide senior management with the necessary information that will enable informed choices?
As it becomes increasingly clear that governance, risk, and compliance activities are by nature interconnected, four stages emerge in a GRC life cycle:
- Stage one: Identifying, researching, and understanding risks and regulations and evaluating their impact on business strategy.
- Stage two: Developing, implementing, and communicating policies and putting appropriate controls in place.
- Stage three: Managing processes, monitoring changes, tracking issues and loss events, and screening clients and employees, including arranging the appropriate audit trails.
- Stage four: Reporting and disclosure, providing visibility and transparency of information between internal assurance groups.
By using these stages as a checklist, companies will be provided with proactive insight, enabling them to make informed choices and obtain a competitive edge in the marketplace.
Reducing overlapping policies, risks, and controls to streamline GRC platforms is pivotal. Getting started on a sustainable GRC strategy requires that a law firm assess its current situation with regard to GRC requirements and identify technology redundancies before deploying new initiatives. One thing is certain: risk and compliance burdens will not be going away.