A seismic shift has been occurring over the last several years in the role of general counsel and chief legal officers. This role is now focused as much on business risk as legal risk.
The increasingly overlapping responsibilities among legal, privacy, compliance, security, and IT teams in global companies are creating new challenges for GCs and CLOs everywhere. Rapidly evolving regulations and laws are forcing them to assume a broader role in organization-wide compliance and risk mitigation strategies.
Thanks to recent data from the 2021 ACC Chief Legal Officers Survey, we’re finally starting to get a more complete picture of this trend. Results show that legal is exerting more control over business units focused on risk such as privacy and compliance—which are more likely than ever to report to legal—and is carefully coordinating legal governance, risk and compliance (GRC) strategies across the enterprise.
This means legal departments now have more responsibility for, and influence over, processes and technologies that can help mitigate cybersecurity, privacy, and compliance risks. For many enterprises, these risks are increasingly complex and serious, and mitigation typically boils down to how effectively an organization manages its data.
A few key takeaways from the report highlight this new focus on data-based business risks and the leading role that GC/CLOs have assumed in mitigation efforts.
Legal Ops Takes Center Stage
ACC survey responses reveal that legal operations is now a strategic imperative. More than one-third of CLOs say their department’s most important strategic initiative involves legal ops—by far the most common response among a list of other crucial tasks such as insourcing, litigation defensibility, and data security.
Recognizing that information governance and business intelligence are key functions in mitigating data-based risk, legal departments are actively investing in their legal operations personnel. Respondents report a 39% increase in headcount since 2015.
Sixty-one percent of legal departments employ at least one legal operations professional, while 21% employ at least four. The average number has increased from 1.8 in 2017 to 5.2 this year—with 13% of CLOs planning to hire more in 2021.
Convergence Underway: E-Discovery, Data Privacy, and Data Management
Organizations are continuing the trend of breaking down structured, departmental silos and establishing comprehensive, enterprise-wide data management strategies and processes to help ensure that legal and compliance perspectives are in harmony. A host of new national and international data privacy measures, most prominently the EU’s General Data Protection Regulation and the California Consumer Privacy Act, have accelerated this trend.
In response, many enterprises now encourage collaboration between legal, privacy, security, compliance, and IT functions to mitigate risk. While it is hardly surprising that 95% of survey respondents still say an organization’s legal function is responsible for legal risk, this score is down 3 points from the 2020 survey.
At the same time, the percentage of respondents also indicating the compliance function is responsible for legal risk increased 18 points to 40% over the last year—suggesting there is a growing awareness among GCs and CLOs that cross-departmental approaches to risk assessment and mitigation are necessary.
Data Management Is Increasingly Important
Most organizations now understand the importance of adhering to a comprehensive data management strategy, according to trends in the ACC survey data we’ve observed over several years. This year, six in 10 respondents say they have a comprehensive data management strategy, as enterprise-wide compliance efforts increasingly focus on data transparency and integrity, and on ensuring harmony between increasingly complex legal processes.
Where your data resides, how much you have, who owns it, which regulations govern it, and which third parties have access to it (and what they are doing with it) are all essential factors for organizations seeking to meet their obligations within the civil litigation, internal investigations, criminal, compliance and data privacy spheres.
In spite of this notable focus on data management, however, only 15% of CLOs say they are “very confident” in their organization’s ability to respond to a big cybersecurity incident, which requires intensive coordination among key enterprise stakeholders and departments to be successful.
To address these concerns, 37% of survey respondents say they plan to use new processes to improve their outcomes, while 27% say they plan to invest in new technologies to help increase defensibility against litigation and compliance threats.
GC/CLOs Are Now Leaders in Enterprise Risk Mitigation
It’s clear technology adoption will be critical in helping legal departments manage their risks and obligations this year and beyond. The vast majority (90%) of survey respondents foresee an acceleration of data privacy concerns in 2021, and more than 40% of legal leaders are planning to adopt new technology over the next year to improve departmental task and process efficiencies.
Perhaps the most important takeaway from the survey, however, is this: Legal executives are spending more time assessing risk as it relates to business strategy because company leadership explicitly recognizes the need for their expertise. Seventy percent of CLOs indicate they meet regularly with other executives to discuss operational issues and potential pitfalls. A similar percentage say they are asked by executives to weigh in on business decisions.
As enterprise risk becomes increasingly complex and dynamic in a data-based business environment, executives across the enterprise now understand that GRC must be a key focus. Accordingly, they also recognize the critical role that GC/CLOs must continue to play in mitigating risk and defining organizational success in the years to come.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Bobby Balachandran is the founder, president, and CEO of Exterro, a legal GRC platform company.