With the overwhelming amount of personal data virtually everywhere, managing information risk is no easy task. The “consumerization” of corporate technology means more devices will access this information.  Implementing a comprehensive risk assessment for all enterprise information is costly, time-consuming and can strain available resources. So, it’s difficult for organizations to identify the right level of detail needed to assess risk based on the business criticality of the process or capability.

In the legal world, there is an especially increasing concern that there are unknown, dangerous risks associated with the creation, storage, and use of information within an organization. In order to mitigate risk exposure, in-house lawyers are asserting their control over key information risk management activities, but many of these efforts backfire, so the need to think more critically about who manages which activities and why.

In fact, the Corporate Executive Board (CEB) recently surveyed 125 legal departments about their approaches to information risk governance.  While they agreed on ownership of traditional legal activities, the majority of respondents selected the same owner for just seven of the 18 information risk activities tested, indicating a lack of consensus in large organizations on who can best manage these tasks. 

The assumption from this data would be that, for those activities where legal or IT is the plurality owner, they must be the most effective. When legal owns the drafting of third-party agreements, satisfaction with the company’s information risk management is 12.5 percent higher than when any other function owns the activity.  This is no surprise, as at 92 percent of organizations, the legal department is responsible for this activity, which is considered by most to be a purely legal function.

According to the Global Legal Post, given the growing need for effective information risk management, companies should consider the following:

Emphasize communications between owners: Due to the evolving risks associated with information management, department responsibilities will overlap. So, it is essential that risk owners communicate with each other to clarify expectations. More specifically, risks associated with social media and data privacy are very concerning, given their potential impact on a company’s reputation.

Let information workflows dictate owners: Responsibilities are assigned according to the organizational structure, with legal overseeing the areas that have traditionally fallen under IT owning technology-heavy areas.  When delegating information risk responsibilities, consider identifying business workflows and who within the organization often handles the specific information.

Cross-functional committees work best when utilizing functional participants: While cross-functional committees often work well for information risks, CEB’s research shows that these committees work best when they include employees involved in the day-to-day information management. 

Today’s legal departments should assess their roles related to information risk, consider cross-functional cooperation where appropriate, and be able to challenge traditional attitudes about ownership. 

For more news on information risk management, check out these articles:

The Impact of Information Governance Trends on E-Discovery Practices in 2014

‘Heartbleed’ bug poses major data security risk for all Internet users

With risk comes reward: Compliance roles increase in complexity

Technology: Controlling costs and risk by limiting discoverable data sources