In corporate risk management, a lot is often lost in translation between IT and legal. These two groups sit at the heart of information governance (IG) and corporate risk management, but because many organizations continue to address legal, privacy, data, and security risks in silos, collaboration between IT and legal teams has become the exception rather than the rule. The result of this lack of unity between key stakeholders is a myriad of unnecessary challenges, lack of requirement understanding, gaps in governance, and increased risk. Organizations looking to take a strong, practical approach to risk management must start by building bridges between legal and IT, ensuring that IT buy-in is established at the outset of a new IG initiative.
A recent roundtable with IG leaders at Fortune 500 organizations discussed this and other risk concerns. Several participants shared stories of legal issues and other corporate risk arising from a lack of shared oversight between IT and legal, and the discussion indicated two primary culprits for the disconnect. The first is that IT and legal typically speak different languages—one is responsible for logistical and operational effectiveness, while the other is responsible for reducing and mitigating liability on all fronts. The second is that the scope of IG is expansive. IG policies can reach across a wide range of functions, systems, and business processes that may fall under the purview of legal, security, IT, HR, records management, and other groups. If legal and IT haven’t established a strong line of communication and collaboration, the breadth of IG programs can muddy the waters of understanding roles, responsibilities, and decision-making power.
But there’s another way of viewing this: that IG’s inherent broadness and complexity position it as an effective bridge between disparate groups and can provide a unified direction on complex legal and IT directives. It sits at the perfect cross-section to advise and connect IT, legal and other stakeholders. When executed well, IG can help translate the company’s legal and compliance requirements into terms that make sense to IT, and IT requirements into terms that make sense to in-house and outside counsel.
At FTI, we have seen this work first-hand. One prime example is a massive IG initiative that took place at a global health care organization. The project was led by the legal team, but many critical decisions—especially for the data remediation portion of the project—relied on IT stewards. We worked closely with IT to translate the legal and compliance requirements and their effect on IT operations, including benefits that would result from the new program. Ultimately, the project served as a forcing function to bring many groups together and establish a culture of cross-collaboration that will support ongoing, future efforts.
Building strong bridges in this way is critical to successful, practical IG. Strategies legal and IT leaders can apply to improve communication and collaboration across groups and ensure the bridges are strong include:
- Flex your core networking muscles. Internal relationships with peers in other departments will prove useful when reinforcements are needed to move something forward. As an extension of this, make sure an IT stakeholder always has a seat at the table in IG projects. The more IT and legal work together in this way, the more natural the collaboration will become over time.
- Engage one another early. When a legal matter may touch on an IT issue, involve IT early to weigh in and be part of the process. Likewise, whenever there is a new IT initiative, legal should be looped in early in the process. Also, consider going directly to the CIO: establishing that relationship will help secure IG involvement in business process changes, new technology roll-outs, and other decisions that may impact governance and compliance.
- Overcommunicate and act as a team. Legal and IT should actively and regularly reach out to each other to share updates, needs, concerns, etc., to ensure everyone stays on the same page. This will help facilitate a better mutual understanding of each group’s ‘language’ and priorities. One of the participants in the roundtable mentioned earlier, an IG leader at a media organization, said, "I know I've done my job right when people I've never heard of [in IT] call me and ask if they can turn off a server or launch a new app."
- Break down traditional viewpoints. IT may typically view legal as a roadblock to transformation. Legal may view IT as unsympathetic to compliance challenges. In reality, both groups are critically important to managing risk, and these stereotypes only get in the way of progress. Instead, teams should educate each other about how and why they all have skin in the game.
- Address key tension points. Retention and deletion policies can cause a lot of friction between IT and legal. The addition of new apps and tech providers is also a common source of conflict. Recognize the unexpected areas where conflicts or risks are likely to emerge and work proactively with cross-department allies to create awareness around them.
- Align on budgets. Projects that reduce costs are universally attractive. Programs like defensible disposition and data-mapping are great opportunities for legal and IT to combine budgets and reap joint benefits. When both groups contribute to the cost of a project, their money goes further, and they establish a shared interest that drives increased collaboration.
In many cases, a neutral, third-party “translator” may be needed to help strengthen mutual understanding between IT, legal and other stakeholders. Outside experts fluent in technical and legal speak can help build awareness of the benefits of IG across each group and the organization as a whole while providing a clear third-party perspective. This year, the landscape of corporate risk has become increasingly intense and complicated, making sound, practical IG more important than ever before. Solidifying internal relationships and bringing IT and legal stakeholders together in partnership is the most effective way for organizations to reduce risk and establish a cohesive and strong posture for long-term governance, security, and compliance.
Louise Rains-Gomez, Melissa Cohen, and Jon Ringler oversee information governance and IG strategy at FTI Technology.