The 2015 survey uncovers the latest issues organizations are facing as they respond to risks, assess the effectiveness of their risk mitigation activities and gain a deeper understanding of what they are doing to address cybersecurity.

1. Corporate counsel say regulatory
climate is bad for business
Concerns mount as resources are diverted from regulatory efforts and
core business to address cyberrisks.
For the third consecutive year, Grant Thornton LLP and Corporate Counsel magazine surveyed corporate
counsel to get their views on the key threats to business growth. The objectives of the 2015 survey were to
uncover the latest issues organizations are facing as they respond to risks, assess the effectiveness of their
risk mitigation activities and gain a deeper understanding of what they are doing to address cybersecurity.
Corporate counsel perceive the current regulatory environment as bad for business. When asked,
“Considering your business’s efforts to comply with the current regulatory environment, what has been
the impact on your business?” more than two-thirds (69%) said that the current regulatory environment
made it harder to do business. Almost two in five (39%) believe the current regulatory environment has
diverted resources from the company’s core competencies, and 29% and 21%, respectively, responded that
the current regulatory environment decreased profits or impeded growth. Brad Preber, Grant Thornton’s
national managing partner of Forensic and Valuation Services, suggested: “The sentiment of the corporate
counsel surveyed is consistent with many corporate officers. On the whole, companies have not yet found
the right balance between regulatory compliance, growth and profitability.”
Grant Thornton LLP 2015 Corporate General Counsel Survey
Impact of current regulatory environment
Made it harder to do business 69%
Diverted resources from company’s core competencies 39%
Decreased profits 29%
Impeded growth 21%
Strengthened our competitive position 20%
Created opportunities for growth 19%
Moved resources to company’s core competencies 12%
Weakened our competitive position 10%
Made it easier to do business 7%
Damaged/impeded relations with key stakeholders 5%
Increased profits 2%
Other 5%
Respondents were able to select more than one answer.
70%
60%
50%
40%
30%
20%
10%
0%

2. Companies are taking new steps to manage their regulatory risk. The most frequent changes are
strengthening policies and procedures (70%) and increasing education and training (60%). However, many
are also engaging outside advisers/consultants (41%) and adding internal compliance personnel (36%).
Bill Olsen, Grant Thornton’s principal-in-charge of Global Investigations and Anti-Corruption Services,
agreed that these types of measures “are important parts of an overall program of regulatory compliance.”
He noted, however, that only 28% have implemented software tools and 21% have utilized data analytics,
and that “many companies are moving from manual intervention to technology-driven compliance efforts.”
Perhaps the reason that 91% of companies made changes tothe way theymanage their risk isthat corporate
counselarestillunsurewhethertheirapproachesareeffective.Themanagementofcorruptionandbriberyriskis
agoodexampleofthisregulatorycompliancedilemma:45%respondedthattheywerenotsurethattheircurrent
approachesareeffectivelyreducingcorruptionandbriberyrisk.“Thisistheepicenteroftheissue,”saidOlsen.
“Many corporate board members and executiveshaveno ideawhether the efforts undertakentocontrol risk and
complywithregulationsareactuallyworking,nottomentionwhetherthereisanyreturnonthatinvestment.”
Olsenadded, “Therearerecognized anti-corruptionprograms thatcanbe implemented, monitoredandmeasured
toaddressthesetypesofunknowns.”
Despite the fact that corruption and bribery risk continue at historically high levels — and they are
certainly on the minds of corporate boards and officers — few businesses have increased resources devoted
to managing them. One possible explanation is the explosion in concern over cybersecurity. While only
21% of corporate counsel say their businesses have increased the time and resources devoted to managing
corruption and bribery risk, an overwhelming 69% have increased the time and resources devoted to
managing cybersecurity and data privacy risk since last year.
+4++D
Yes 51%
No 4%
I’m not sure 45%
Effectively managing corruption and risk?
Changes made in managing regulatory risk
Strengthened policies and procedures 70%
Increased education and training 60%
Engaged outside advisers/consultants 41%
Added internal compliance personnel 36%
Subjected vendors and suppliers to monitoring or audit 33%
Conducted more internal investigations 30%
Implemented software tools 28%
Repurposed internal audit toward regulatory matters 21%
Utilized data analytics 21%
Increased actions against violators 9%
Same as last year, nothing different 9%
Other 2%
Respondents were able to select more than one answer.
70%
60%
50%
40%
30%
20%
10%
0%
2
Corruption/bribery Cyber and data privacy risk
Change in time and resources
21%
Increased Stayed
the same
Decreased
68% 1%
Not sure
10%
69% 23% 0%
8%

3. “The courts, public opinion and the federal government have made it clear that cybersecurity and data
privacy are a front-burner issue,” said Skip Westfall, managing director of Forensic Technology Services
and co-leader of Cybersecurity Services for Grant Thornton. “Ignoring this risk is very dangerous and can
be very costly.” In response, more than 90% of corporate counsel say their companies have taken action
to mitigate cyberrisk, most commonly by adding data security measures (67%), preparing policies and
procedures (59%), and conducting training (59%). Westfall agreed that these measures are all “important
steps in a comprehensive cybersecurity and data privacy risk management program.” He also referred to
the National Institute of Science and Technology (NIST) framework for cybersecurity risk management.
“Organizations should be using an established process to assess cybersecurity and data privacy risk, and the
NIST framework is becoming a standard in this space.”
Despite all the efforts on cybersecurity, corporate
counsel remain unconvinced that their companies
are prepared. When asked, “Overall, how prepared
do you believe your organization is to effectively
respond to data breaches?” only 17% responded that
they feel very well-prepared. An overwhelming 58%
responded that their organizations are somewhat
prepared, indicating some question about whether
they were fully primed for these potentially
catastrophic events. “Organizational stakeholders are
demanding an answer to this question,” said Westfall.
“Corporate directors and officers are consistently
asked this question by customers, regulators, banks
and others. In today’s high-risk cybersecurity
environment, preparedness is paramount for
consumer and stakeholder confidence. People will
only do business with organizations they trust with
their personal information.”
One possible reason for the low confidence is a lack of
clarity regarding who has the primary responsibility
for cyberrisk. When asked, corporate counsel cited
more than 10 different titles as having primary
responsibility for responding to data breaches.
Respondents were able to select more than one answer.
Actions taken to mitigate cyber and data privacy risk
Added data security measures 67%
Prepared policies and procedures 59%
Conducted training 59%
Identified sensitive/private data 50%
Employed outside advisers/consultants 45%
Implemented monitoring program 42%
Developed data breach recovery plan 42%
Added cyberbreach insurance 29%
None of these 9%
70%
60%
50%
40%
30%
20%
10%
0%
The totals do not equal 100% due to rounding.
Primary responsibility for responding to data breaches
CIO/CTO 37%
Chief security officer 16%
General counsel 11%
Chief compliance officer 8%
Other management 7%
Chief risk officer 5%
CFO 5%
Other 12%
+++8+7+5+5++D
Current level of preparedness for responding to
data breaches
Very well 17%
Somewhat prepared 58%
Somewhat unprepared 12%
Very unprepared 8%
I’m not sure 6%
+++8+6+DThe totals do not equal 100% due to rounding.
3

4. Most commonly cited was the chief information or technology officer, which is not ideal. “Many CIOs are
unprepared and untrained in what to do when a breach occurs,” according to Westfall. “It is critical to have
a data breach incident response plan and team in place before problems happen.”
The survey again shows regulatory risk as a big concern for corporate counsel, but it also shows that they
are struggling to determine the most effective activities and obtain the right resources for managing it.
Many of those resources are instead devoted to cyberrisks. “As cybersecurity and data privacy climb the
regulatory oversight ladder, it is clear that these risks are a top concern for corporate counsel,” said Brad
Preber. “The trick is going to be in managing that growing risk while maintaining focus on regulatory risk,
which is already impeding companies’ ability to do business.”
About Grant Thornton Advisory Services
Grant Thornton consultants can help your organization design and implement a regulatory compliance program, protect your data
from unauthorized access, handle investigations of potential regulatory violations, and prevent many significant risks related to
regulatory compliance. Our specialists combine insight and innovation to assist dynamic organizations, using a multidisciplined
approach from a wide range of business and industry knowledge. Visit grantthornton.com/advisory to learn more.
About Grant Thornton LLP
The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest-quality
service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton
International Ltd, one of the world’s leading organizations of independent audit, tax and advisory firms. Grant Thornton International
Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity.
In the United States, visit grantthornton.com for details.
Demographics
The Grant Thornton LLP Corporate General Counsel Survey was conducted online March 3–17, 2015, by ALM Marketing
Services. There were 254 respondents. Over half (56%) were either general counsel/chief legal officers or deputy/assistant
general counsel. The respondents were from both publicly traded (42%) and privately held (46%) companies, as well as some
partnerships, government entities and not-for-profits. Respondents’ organizations represented a broad range of sizes, with 22%
falling in the less-than-$100-million-in-annual-revenue range and 23% falling in the greater-than-$5-billion range. Organizations also
were distributed widely across industry sectors.
For more information, contact one of Grant Thornton’s Forensic and Valuation Services leaders:
Brad Preber
National Managing Partner, Forensic and Valuation Services
+1 602 474 3440 | brad.preber@us.gt.com
Mark Sullivan
Principal, Fraud and Investigation Services
+1 312 602 8110 | mark.sullivan@us.gt.com
Craig Casey
Partner, Litigation and Dispute Services
+1 212 542 9810 | craig.casey@us.gt.com
Bill Olsen
Principal, Global Investigations and Anti-Corruption Services
+1 703 847 7519 | william.olsen@us.gt.com
Skip Westfall
Managing Director, Forensic Technology Services
+1 832 476 5000 | skip.westfall@us.gt.com
John Ferro
Partner, Valuation Services
+1 212 542 9574 | john.ferro@us.gt.com
“Grant Thornton” refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL). GTIL and its member firms are not a worldwide
partnership. All member firms are individual legal entities separate from GTIL. Services are delivered by the member firms. GTIL does not provide services
to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. Please visit
grantthornton.com for details.
© 2015 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd
Connect with us
grantthornton.com
@grantthorntonus
linkd.in/grantthorntonus
Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For
additional information on the issues discussed, consult a Grant Thornton LLP client service partner or another qualified professional.