Legal and compliance department investment in governance, risk, and compliance tools will increase 50% by 2026, says Gartner, with assurance leaders seeking out technology solutions to help them address increasing regulatory attention on executive risk oversight and monitoring.
“Recent actions ranging from the US Securities and Exchange Commission (SEC) to the US Department of Justice (DOJ) signal a focus on executive risk oversight and monitoring,” says Lauren Kornutick, director analyst in Gartner’s Legal Risk & Compliance practice. “For example, the DOJ is encouraging companies to voluntarily disclose misconduct, but firms can only do so if they’ve set up effective compliance programmes and risk management strategies that leverage controls to prevent and detect misconduct.”
Without effective self-discovery, companies risk being subject to criminal prosecution, and officers and directors may be subject to shareholder derivative litigation for failing to fulfill their duty of oversight.
“While most organisations already have existing compliance programmes, legal and compliance leaders need to ensure they are empowered to capture and elevate the right information to management and the board, take the appropriate action, and maintain documentation related to these processes,” Kornutick says.
GRC tools for assurance leaders help compliance, enterprise risk management (ERM), and other assurance teams build a more holistic understanding of risks. The tools integrate and consolidate risk and compliance data, as well as processes and terminologies.
In practical terms, GRC tools can help assurance teams with evaluating and modifying compliance programs in near-realtime, pressure-testing system operations and, together with management and the board, improving oversight processes.
Gartner experts have identified three initial areas of focus in light of recent regulatory actions:
Leverage risk management methodologies to verify control effectiveness
With increasing focus on reporting misconduct as soon as it’s known, legal and compliance leaders should consolidate existing risk management methodologies from their partners in assurance. ERM and audit may have an existing methodology they can contextualise to predict or detect misconduct that hasn’t been reported and help validate the effectiveness of controls.
“Understanding existing methodologies from assurance partners can help legal and compliance leaders more precisely understand the likelihood and probability of misconduct occurring depending on the data source available,” Kornutick says.
Analyse the impact of changing expectations on board and officer oversight
Organisations have focused traditionally on establishing sufficient board oversight processes.
However, recent regulatory activity signals that officers must also have effective oversight processes. Legal and compliance leaders should build a comprehensive view of controls and procedures, clarify officers’ roles and responsibilities, improve compensation structures, and establish clawback policies.
Renew and raise compliance and governance standards
Recent enforcement actions signal that all employees – with heightened scrutiny placed on officers – are expected to conduct themselves in accordance with company values, policies, and all legal obligations.
When compliance leaders update policy and procedures in response to regulatory changes they should prioritise testing the effectiveness of policy change by measuring whether employees understand their obligations with respect to both business conduct and reporting misconduct.
“Compliance leaders should also conduct role-based refresher training with a focus on ensuring understanding by including gamification, scenario-based role play, and improving two-way communications in the learning process,” Kornutick says.