I attended Practical Law’s GC Leadership Summit last week. This year’s central theme was innovation which set the scene for some interesting discussions on corporate governance, the changing role of the general counsel and approaching the GDPR and cyber challenges, amongst other things. Here’s a whistle-stop tour of some of the key messages.
Corporate governance: purpose and tone from the top
Corporate governance reform may have been kicked into the long grass since the general election, but the need for a strong corporate culture and an overarching “purpose” is as important as ever for a successful business.
Will Hutton’s thought-provoking keynote focused our minds on the challenges to Enlightenment values posed by Brexit and the urgent role of the “purposeful” company (that seeks to profit by fulfilling a useful purpose in society) in steering us out of a contemporary humanistic crisis. Hutton encouraged all present to consider our role in defining corporate purpose, its value, and how the corporate governance framework should be organised to deliver purpose.
The “tone from the top” of an organisation dictates its corporate culture and, although the culture may differ slightly between HQ and its regional offices, a company requires a shared set of core values that bind everyone in the organisation together to succeed.
Changing corporate culture can be challenging and is often only prompted by a crisis within the business, such as a health and safety incident. Promoting the company’s values as part of the induction process is a good start but the key is ensuring that senior management get out into the business and talk with existing staff about those core values. Technology, such as the use of multimedia platforms, can also play a part in getting the message out to the wider business.
Innovation: “cooking the food in the restaurant”
The recurring theme throughout the day was innovation. One panel discussion involving lawyers from across a range of industries prompted several interesting ideas:
- Try and test. Rather than trying to create the perfect solution to a problem from scratch, first aim to create a MVP (Minimal Viable Product), which can be improved upon through a process of testing and iteration. One panelist described this idea as “cooking the food in the restaurant”, so the business can see the legal team at work solving a problem.
- Repeat requests. If you have been asked the same question or have repeated the same task more than twice, use that as a signal to the team that a solution could be created: consider creating an FAQ or standard form, for example.
- Jive talking. Use internal messaging apps (such as Jive) to collaborate with colleagues from across the business. Business colleagues can often provide useful insights into problems that the legal team is trying to solve. Getting the legal team involved in early-stage product development can also be useful.
Leadership: tackling the location, culture, diversity and development challenges
A breakout group took on these challenges and shared some innovative solutions. Some highlights:
- Decentralise thinking. The challenge of keeping a multi-hub team engaged can be met my allowing leadership of certain projects to take place out of different locations.
- Repeatable, regular team communication. Let rotating teams set the agenda. Overcome time zone challenges by making videos available.
- Focus on strengths. Traditional focus on improving people’s weaknesses is being eschewed as GCs seek to blend a set of complementary personalities performing at their best.
- Team-building on a budget. Virtual film clubs and quizzes pitting time zone vs. time zone or office vs. office have proved very successful.
GDPR and cyber: “people, paper and machines” and incident planning
When preparing for a substantial compliance challenge, such as that presented by the GDPR (to be implemented by 25 May 2018), it helps to take a step back and simplify the way we look at it. At its core, GDPR affects people, paper and machines:
- People. Engage closely with the multiple stakeholders. Obtain board-level buy-in and support. Consider a DPO-type role even if not a legal requirement for your business.
- Paper. Look at all of the business’ GDPR-relevant legal relationships, not forgetting its most vital ones, with its employees. Communicate with employees about the “legitimate interest” condition for processing.
- Machines. Interrogate how consent is given virtually. Map virtual data flows. Review the fitness for purpose of tech and those providing it.
The GDPR regulatory burden coinciding with the rapidly-increasing cyber threat underlines the need to review and improve incident response plans. Key stakeholders include legal, IT forensics, communications, risk / insurance / compliance as well as external expertise. There should be no overbearing voice – all stakeholder voices are vital. Decide what constitutes a “breach” for GDPR purposes. Who is responsible for calling this? Who is responsible for communicating with the ICO, FCA, OFCOM, data subjects and anyone else?