Legal obligation lies at the heart of governance, risk, and compliance (GRC). The law compels action, and, in many cases, specifies the terms and conditions under which compliance is achieved. Whether compliance will be achieved is rarely in question, given the fines and penalties that can be issued by the court and regulatory bodies as consequences, but how compliance is achieved is always in question.
Will compliance initiatives be comprehensive? Will they be achieved in a timely and economical manner? Will they be defensible, representing a reasonable and prudent approach?
Compliance strategies do not have to be gold-plated, nor do they have to be part of a massive multiyear project. But they can be costly. The odds of a favorable response to the above questions increase dramatically and proportionally to the degree “legal” (also known as in-house counsel) is integrated into the multidisciplinary team that develops and maintains the policies, processes, procedures, and technologies constituting today’s corporate enterprise resource management systems.
Data stands in mute testimony to compliance. It is, in a word, evidence of compliance, or noncompliance as the case may be. More than that, it is discoverable evidence.
That is why counsel should be involved in all phases of ERP planning and implementation. In the event of litigation, counsel needs firsthand knowledge of what’s inside the ERP. This is a lesson learned during the early days of e-discovery and one worth repeating.
There’s lots of data out there, and it is never a good idea to surprise counsel. Data is evidence of performance, or in this case, evidence of compliance. And evidence can work for or against us, depending on a great many variables. So it’s important to fully integrate and inform legal as ERP systems are tuned to respond to the growing compliance requirements borne of the information age, personal privacy, and fiduciary responsibilities.
What does this integration with legal look like? In the best case, an organization will seek counsel’s advice as decisions are being made and control strategies are being developed in the ERP. Virtualizations, such as the decoupling of IT in the cloud and through personal IT devices that can access data from around the world are changing how we do business and, necessarily our understanding of what we need to do to stay compliance.
ERP itself is a model for virtualization and the economic and managerial advantages of decoupling IT assets. It is also one enormous, rock-solid source of consistency in a quickly evolving technology-dependent world — it is where the data is.
The data may be physically stored in multiple places, and it can be accessed through laptops, desktop computers, or personal data devices through multiple public/private networks, which presents some interesting security and privacy challenges. But the processes that monitor, check, control, alert, and store data are still going to be in the ERP. That, amid a sea of uncertainty, is one comfort, which is why the ERP is the logical place for legal’s place on the team.
It is better to engage counsel early and often to avoid missteps and assumptions that can become compounded over time, making a retreat difficult and costly. It is also incumbent on counsel to go beyond templates and checklists in prescribing a list of do’s and don’ts.
Today compliance is too broad in scope. The rules and regulations are complex, the liabilities (for corporations and individuals) are all too real, and the tempo of operations is too fast to proceed at a leisurely client-counsel pace.
Counsel’s opinion is always valuable, but it is especially valuable in setting scope, as in determining when enough is enough and deciding when we have met or exceeded the bar. Does the program do what we claim that it does? Can we demonstrate such claims should we be called on to do so? Can we demonstrate compliance?
There are two things to consider in attempting to answer the last question. First, compliance is a moving target. People, technology, political and social imperatives, and economies change. So our ability to demonstrate compliance is never absolute.
Technology can breed unforeseen consequences that appear seemingly out of nowhere. Corporations need a variety of perspectives to make sense of emerging technological issues that may quickly evolve into a legal/regulatory firestorm. Do not discount the value of voluntary compliance, a pre-emptive act to show corporate good faith in the absence of mandated regulations.
Our compliance strategies must adapt with the times. The challenge lies in knowing when it’s time to revisit our compliance framework and the supporting ERP system. This is primarily a Legal call.
The second challenge is dealing with ambiguous or incomplete statutory guidance. For example, ISO 14001 was an early “voluntary” standard adopted by industries under the Environmental Protection Agency during its early years when there was a degree of ambiguity in interpreting environmental law and regulations. It demonstrated a good faith attempt to develop a compliance program in the absence of case law and specific agency guidelines.
In the absence of well-defined compliance guidelines, remember this: Developing compliance guidelines is the providence of two disciplines, law and accounting. And the addition of a third profession, ERP, provides the all-important technological framework and platform for compliance. Each can draw from analogous compliance initiatives and together provide a better informed approach to ambiguity than any one of them can provide separately.
Good compliance is manifestly good business. An integrated team on a focused, well-defined project is a formula for success. Legal must be integrated as part of a multidisciplinary team whose combined commitment and expertise contribute to achieving corporate compliance. Legal and IT/ERP need to work together in a synergistic manner because the success of one reinforces the success of the other.
About the Author
Joe DeVita is a partner with PricewaterhouseCoopers, based in the New York Metro area, and leads the governance, risk and compliance (GRC) technology practice for PwC. Joe works with clients to improve and optimize controls around the financial reporting processes, including business process and IT management controls and IT Security and governance reviews. He also assists clients with application selection, implementation, and optimization of Oracle applications including Oracle E-Business Suite and Oracle GRC Suite.