Managing information risk is no easy task, say Aaron Kotok and Brian Lee, pointing out that the legal department reacts and focuses on controls, whilst IT plans and owns strategy and operations.
General counsel and their legal departments rank information risk and data privacy among their top three concerns for 2014. This reflects a growing worry that there are unknown, potentially dangerous risks associated with the creation, storage, and use of information within a company. To mitigate risk exposure, in-house lawyers are asserting their control and influence over key information risk management activities. Unfortunately, many of these efforts—including perhaps the ones assumed to be most appropriate for legal to handle—backfire, highlighting the need to think clearly and deliberately about just who manages which activities, and why.
CEB surveyed more than 125 legal departments about their companies’ approaches to information risk governance. While legal departments generally agreed on ownership of traditional legal activities such as drafting third-party agreements and monitoring laws and regulations, the majority of survey respondents selected the same owner for only seven of the 18 information risk activities tested, indicating a lack of consensus in large organisations on who can or should best manage these tasks. The most common owners of information risk activities were indeed Legal and IT, and at first glance they appear to play to their strengths.
Common ownership structures bring surprising results
The logical assumption from these survey data would be that, for those activities where Legal or IT is the plurality—if not majority—owner, they must be the most effective. When Legal owns the drafting of third-party agreements, satisfaction with the company’s overall information risk management is 12.5 per cent higher—on average—than when any other function owns the activity. And that makes sense: at 92 per cent of organisations, Legal is responsible for this activity, which is considered by most to be a purely “legal” function.
However, overseeing third-party compliance—owned by only one in five Legal departments—sees a 10.2 per cent jump in satisfaction when Legal is responsible. Most surprisingly, when Legal owns the monitoring of relevant laws and regulations, the second most common responsibility for Legal in information risk, overall satisfaction declines by 12.6 per cent.
Implications for information risk ownership
This analysis provides a possible roadmap for assessing the information risk governance models in place at many organizations. Given the growing need for effective information risk management, companies should consider the following:
Emphasise communications between owners: Due to the evolving needs and risks associated with information management, department responsibilities will often overlap. It is essential that risk owners communicate with each other to clarify expectations and share information. Risks associated with social media and data privacy are especially concerning, given their velocity and potential impact on a company’s reputation.
Let information workflows dictate owners: Often, responsibilities are assigned according to the organizational structure, with Legal overseeing the areas that have traditionally fallen under its purview and IT owning technology-heavy areas. However, this division of responsibilities may not afford the best visibility into risks, and our analysis indicates that it may also not be the most effective. When delegating information risk responsibilities, consider identifying specific business workflows and who within the organization most often handles the specific information.
Cross-functional committees work best when utilizing functional participants: While cross-functional committees often work well for information risks, CEB research shows that these committees work best when they include employees involved in the day-to-day management of information. Some companies have adopted a two-tiered structure with a leadership committee and a specialized working group consisting of core functional participants such as records managers, data managers, systems leads, and legal staff.
In any case, legal departments and their functional partners across the assurance, technology, and security suites should assess their roles and responsibilities related to information risk, consider cross-functional cooperation where possible and appropriate, and be willing to challenge traditional attitudes about ownership.
Brian Lee is a managing director and Aaron Kotok is a senior director in CEB’s Legal, Risk and Compliance practice, based in Arlington, VA.