Legal GRC (Governance, Risk and Compliance) Management by Design

Philipp Rosenauer
Partner Legal, PwC Switzerland

Caitlin Hemminga
Associate | Data Privacy | ICT | Implementation, PwC Switzerland

In today’s fast-paced environment, organisations are increasingly having to face economic, political, social and legal challenges. This may lead to operational and reputational risks and impact their ability to comply with all regulations. This blog post outlines how the Corporate Legal Department can help address these challenges. 

What is Legal GRC?

Legal Governance, Risk and Compliance (GRC) is a systematic and proactive approach to managing legal governance, risk and compliance within an organisation. Key components of Legal GRC Management by Design include risk assessment, policy development, training and communication, monitoring and reporting. The goal is to manage legal risk effectively and to ensure compliance with relevant laws and regulations, while also promoting a culture of ethical behaviour and accountability within the organisation.

Today, the Corporate Legal Department is not only focused on legal matters, actions and contracts. Legal organisations must now respond to incidents and breaches, and notify authorities in a timely and compliant manner. They must also respond to Data Subject Access requests, harmonise and monitor retention obligations, conduct eDiscovery processes, manage legal holds on data, and continuously monitor regulations and legislation and apply them to their business.

Common pitfalls

Organisations continue to face exponential growth in regulatory requirements and legal obligations, which are often conflicting and overlapping. Addressing all these obligations requires an integrated approach to legal governance, risk management and compliance. Legal GRC supports the achievement of the objectives of the legal department and the business at large, while also addressing legal uncertainty and its risks. It also helps the organisation to respond with integrity and due consideration of its legal and ethical obligations.
Nevertheless, many organisations fail to effectively coordinate Legal GRC principles throughout their various branches – IT, legal, internal audit and so on. This quickly leads to disconnected strategies, costly gaps and ultimately a failure to deliver on wide-ranging stakeholder demands. Thus, implementing a concise and comprehensive GRC framework is important for organisations because it helps them to proactively manage their risk and compliance obligations.
The risk and compliance obligations that a GRC framework can address vary depending on the organisation’s industry, size, and operations. However, some common risk and compliance obligations that a GRC framework can address include:

  • Financial risks
    Sound GRC principles and implementation can help organisations to identify and manage financial risks, such as credit risk and liquidity risk. From a compliance perspective, a GRC framework can (for instance) address obligations concerning financial reporting and anti-money laundering laws.
  • Regulatory compliance
    Organisations are under more pressure than ever to comply with a wide range of laws and regulations, including (but not limited to) data protection regulations, environmental regulations and employment laws. Effective GRC frameworks ensure that organisations identify and develop procedures to ensure compliance.
  • Reputational risks
    GRC principles and frameworks can help in identifying and managing risks that could damage reputations. A data breach or ethical violation can be avoided through correct implementation and collaboration and by creating a culture of compliance and risk management, which will help ensure long-term success as an organisation.

Recommendations for successful implementation of GRC programmes in the business strategy

To be effective and to address the aforementioned concerns, the creation of a comprehensive and tailored GRC framework is essential. This means including clear policies and procedures as well as effective risk management strategies and creating a culture of compliance throughout the organisation in a way that is specific to the identified needs of each organisation. Collaboration is very much required across all functions and branches.

The most relevant considerations for implementing a successful GRC programme and for the associated role of the corporate legal department include:

  1. Building a culture of compliance
    When it comes to facing the challenges of adapting to rapidly changing regulatory environments and emerging risks, building a culture of compliance is essential. This process should incorporate strong leadership support and effective training programmes to ensure that all aspects of GRC are addressed. The involvement of the corporate legal department to strengthen a culture of compliance within the organisation is crucial, as this department possesses the specialist expertise required to provide legal guidance, establish clear policies and assist in developing effective compliance training programmes.
  2. Developing clear policies and procedures
    Organisations often struggle to implement GRC programmes due to a lack of resources, insufficient support and siloed risk management. However, when the corporate legal department creates and executes clear policies and procedures, it becomes possible for an organisation to effectively manage legal and regulatory risks and protect its reputation despite resource constraints.
  3. Integrating GRC considerations into the business
    It is essential that GRC considerations are integrated into all aspects of business decision-making. This will ensure that transparency and clear communication (and ultimately the organisation’s legal obligations) are managed. The involvement of the corporate legal department in this process helps to establish a strong foundation for aligning business decisions with regulatory requirements, reducing legal exposure and fostering a culture of proactive risk management throughout the organisation.
  4. Aligning with business objectives
    It is necessary to ensure that risk management strategies are aligned with the overall business objectives and that they make sense to all involved. The participation and expertise of the corporate legal department within the organisation will spearhead this collaboration and alignment.
  5. Ongoing process for monitoring and evaluation
    A GRC programme can only be successful if it is subject to a process for the continuous monitoring and evaluation of its effectiveness. The corporate legal department plays a vital role in this by using its legal expertise to monitor regulatory changes and identify areas for improvement. Its involvement ensures that the GRC programme remains up to date and in line with evolving regulatory requirements, and effectively mitigates regulatory risks, thus safeguarding the organisation’s reputation.


Today’s economic, legal, and regulatory challenges constantly intersect to create novel risks. Organisations must be prepared to break down traditional silos to improve their strengths and tap the collective expertise of all their resources. It is important for organisations to develop a clear strategy that enables risks to their department to be managed effectively.

Legal GRC is an approach – from a technological perspective – to becoming more efficient and productive and putting all these different tasks and activities into operation across the various departments.

This new paradigm presents the corporate legal department with fresh challenges, including the need to adapt to rapidly evolving technology, manage complex legal and regulatory landscapes, and effectively integrate legal perspectives into the organisation’s broader risk management framework.

