When Enterprise Legal Management and GRC Collide

Corporate legal departments are happy to use enterprise legal management—also known as “practice management” to lawyers of a certain age—for the unsexy stuff: managing invoices from outside counsel, studying legal budgets to see where the dollars go, tracking regulatory enforcement, etc.

There is a theory, however, that looking more deeply at the data in ELM might help compliance officers responsible for that other acronym, GRC. Since legal spending and data are so often rooted in some governance or compliance concern, the thinking goes that perhaps ELM can help inform corporate leaders trying to make better decisions about compliance and risk management.

Research by Gartner last year went so far as to argue that ELM could be, and perhaps should be, treated as a subset of governance, risk, and compliance platforms. A report by its analysts refers to ELM as “part of a growing category” of GRC solutions focused on supporting interactions between general counsel and other executive leadership.

Another optimistic view comes from David Houlihan, principal analyst for Blue Hill Research. Over time, he says, opportunities are bound to arise for the convergence of ELM and GRC—leading to stronger, more unified management of compliance, risk, and legal functions. (Exactly how or when that might happen is still anyone’s guess, he adds.)

“GRC is very convenient shorthand for a wide variety of solutions that address compliance and risk in a variety of different ways, and for a number of different audiences,” he says. “I don’t think ELM is quite as diverse. There is a real disparity between the opportunity presented by the concept of legal enterprise management, and the scope of what the implementations actually look like.”

Others take a more dubious view. “We are not convinced this convergence will happen,” one ELM vendor admitted. “We’re looking at it, but haven’t formed a strong view.”

Houlihan says convergence is logical, since GRC programs exist to manage incidents and investigations “on the front end,” and convergence would connect those efforts to what goes on at the legal department. “Once a matter hits legal, we are talking about an explosion of costs and exposure,” he says. “The earlier you can address, identify, and respond to problems, even if the organization was liable or there is wrongdoing, the less the ultimate impact will be.”

“GRC is very convenient shorthand for a wide variety of solutions that address compliance and risk in a variety of different ways, and for a number of different audiences. I don’t think ELM is quite as diverse.”
David Houlihan, Principal Analyst, Blue Hill Research

“I love that story and believe in it,” Houlihan continues. “But what ELM really means in most deployments is better management within the legal department and better project and spend management with outside vendors. It is very much a reactive solution.”

That focus is hardly a bad thing. “There is a really clear value proposition” Houlihan says, citing research by his firm that a properly executed ELM system can cut legal costs by 4 percent or more.

Getting to Phase 2

While cost savings may be the focus for now, pressure is growing for legal departments—and compliance and audit departments too—to better understand enterprise risk. That means taking the data companies have in their ELM systems and applying it more broadly. How difficult will the evolution be?

ELM IN ACTION

The following is a selection from a case study detailing how Mitratech worked with British American Tobacco, an international tobacco company headquartered in London, on implemementing an Enterprise Legal Management System.
The framework helped the legal team to identify project phases and deliverables within each phase of their legal processes. They then applied the methodology to different types of cases, by breaking down the work needed into elements and classifying those as products.
For example, discovery includes various elements that belong in the matter phase, including:

Scanning and coding of electronic documents

Electronic review and processing of documents

Quality control of documents
Within BAT, a Responsible In-House Counsel (RIC) is assigned to each product – to oversee the work and manage the budget. For example, an RIC would review invoiced spend to-date, remaining budget, the average monthly spend for a similar product and remaining average spend for a similar product. All are good indicators as to whether a vendor or law firm is on an expected resource and spending trend. If not, the assigned RIC can identify risk earlier in the matter phase. This systematic approach allows BAT more insight and control over their total legal spend. The team is now more aware of where money is being spent and is alerted earlier in the process when budgets are fluctuating or off target.
Vendors and outside counsel have direct access to TeamConnect [the ELM system] to enter strategy, tasks, projected time and budget requests. They can collaborate with other vendors that may be working on a particular product, and access like documents from the system that can be repurposed for current work. They also upload all work products in the system, so they can be leveraged in the future. Outside counsel sees virtually the same view as inside counsel, provided they have the required access for each matter which is provided through a sophisticated security model, but without the ability to get into the invoices.
Source: Mitratech.

“It depends a lot on the organization,” Houlihan says. “The no-brainer opportunities are where compliance or risk is considered a sub-section of legal. In that case, it’s just a political and visibility conversation to connect those dots. The harder story is where they are separate organizations and independent functions. That’s a much harder bridge to build.”

The biggest opportunity, Houlihan says, will come from pressure put upon the compliance function to provide greater visibility about risk issues to senior leadership and directors. “The more we can go from risk scoring to meaningful business context, the more opportunity there is,” he says. “The general counsel sits in on all those conversations and the more those opportunities are there, you can start making the case at that highest level.”

“Enterprise legal management has been around in some form or another for almost 30 years, essentially as project management within the organization and the ability to manage the budget,” says Jason Parkman, CEO of Mitratech, a software vendor in the ELM market. “We have seen the legal department’s purview getting wider and wider, and getting more involved in other parts of the organization because so many compliance and regulatory matters go way upstream, including supply chain and intellectual property management issues, international concerns with data security and privacy, and compliance requirements for Systemically Important Financial Institutions.”

Over time, ELM has expanded within the law department and now has the potential to become the system of record for all these areas that could become legal risk. “Legal, risk, and compliance all start to come together,” Parkman says. “One of the things you are always trying to do as you evolve as an organization is get more and more proactive and ahead of issues. The convergence, in some sense, of legal and compliance seems to be a natural direction.”

French Caldwell, “chief evangelist” for software vendor MetricSteam, says the need to forecast potential losses or costs tied to risks means companies will, somehow, need to improve their data analytics. “There is an opportunity in helping general counsels better understand the true cost and give them better predictive value,” he says. “Of course, a lot of that is a risk-management exercise.”

“It is still open to interpretation as to what extent the ELM platform itself will lend itself to some of these new types of capabilities, but I do see some areas of overlap,” says Martin Goulet, senior project manager for Mitratech. For GCs who have expanded their focus from beyond just blocking and tackling to managing risk, the information provided by ELM systems is one of the core data sources for doing a reasonable, quantified risk assessment.”

Putting Data to Work

Over time, Goulet expects that general counsels will want to do more with that data. “There is more than just efficiency-related decision making they can do now with an ELM system, and those are some of the same types of decisions that would have traditionally been thought of as a GRC question,” he says. “If you see matters creeping up in certain jurisdictions or certain business units you have potentially identified an underlying issue with your control framework or some other elements of your GRC framework. It is a good, fundamental base to build off of.”

The appetite for EML-GRC convergence may depend on where the compliance function sits in a company, Goulet says. “You have the Walmarts of the world, where they want to make the role of compliance officer more independent and take it out of the legal department,” he says. “But you still have a majority, or at least a large minority, of complex global organizations where that role still sits within the general counsel’s office. Anywhere the GC has that mandate, they are going to be looking to expand the platforms they have already put in place to do a better job across the full scope of their mandate.”

That push may manifest itself even when compliance and legal are kept separate. “The GC still has a very significant role with many parts of the compliance framework overall,” he says. “They are largely the organization that compliance, even an independent compliance executive, would go to for the legal interpretation of the various part of the regulatory framework that they are subject to.”

Goulet expects that ELM may evolve along the same lines as supply chain management and enterprise resource management. “You needed tools to stabilize the process, but once you were able to collect information about the various steps in the process, you found ways to optimize the data,” he says. “You couldn't’t even imagine all that information that you had at your finger tips.”