Traditionally, organizations have taken a backward-looking approach to risk, evaluating potential hazards on a siloed, departmental basis after a loss of assets. Organizations often take few proactive steps to detect risks, such as periodic audits and whistleblower training; some employ software to search through structured data for irregularities.
However, a number of factors have coalesced that render this approach untenable. For example, technology has evolved, and with it, a wellspring of unstructured data that has become the primary driver of organizational risk. Further, the decentralization of data through widespread use of mobile devices, cloud computing, and social media dramatically limits the control an organization can exercise over its data and requires organizations to develop new means of handling this information onslaught and the cyber risks it engenders.
In addition, a dizzying array of complex regulatory demands and active enforcement efforts on the federal, state, and local levels have arisen in the wake of federal legislation such as Dodd-Frank. These new laws and regulations have burdened all companies but particularly those in the health-care, pharmaceutical, financial services, and energy industries, which now must find ways to manage their information to keep pace with compliance requirements.
Furthermore, the volume and types of risk have also multiplied as organizations have extended their business activities across national borders. Local laws in foreign jurisdictions, as well as anti-bribery and anti-corruption laws, often impose conflicting obligations on organizations.
Finally, relationships with third parties can saddle organizations with their partners’ risks, particularly when organizations outsource data-driven functions. The more information organizations exchange with external partners, the more scrutiny they are likely to receive from regulators.
As discussed in a recent article in Inside Counsel, for these reasons and more, in-house counsel must work with risk managers to identify potential threats to the enterprise, offer proactive guidance based on their interpretation of the law and regulations, and develop a forward-looking approach. For instance, before new technology is deployed, legal must evaluate any risks that could emanate from the resulting information flow; otherwise, these changes could endanger an organization’s ability to satisfy its data-related obligations, such as privacy, confidentiality, and preservation. Similarly, corporate counsel play an essential role in conducting due diligence on third-party business partners. With the consequences of noncompliance more severe than ever, organizations must transform their approach to enterprise risk management and view the legal department not only as an after-the-fact firefighter but also as a mitigating force in assessing, prioritizing, and addressing risk.