The challenges of managing information risk in the digital era

General counsel and legal departments rank information risk and data privacy among the top three concerns for 2014

With the overwhelming amount of personal data virtually everywhere, managing information risk is no easy task. The "consumerization" of corporate technology means more devices will access this information.  Implementing a comprehensive risk assessment for all enterprise information is costly, time-consuming and can strain available resources. So, it's difficult for organizations to identify the right level of detail needed to assess risk based on the business criticality of the process or capability.

In the legal world in particular, there is growing concern that unknown, dangerous risks are associated with the creation, storage, and use of information within an organization. To mitigate risk exposure, in-house lawyers are asserting their control over key information risk management activities, but many of these efforts backfire, hence the need to think more critically about who manages which activities and why.

In fact, the Corporate Executive Board (CEB) recently surveyed 125 legal departments about their approaches to information risk governance.  While they agreed on ownership of traditional legal activities, the majority of respondents selected the same owner for just seven of the 18 information risk activities tested, indicating a lack of consensus in large organizations on who can best manage these tasks. 

The assumption from this data would be that, for those activities where legal or IT is the plurality owner, they must be the most effective. When legal owns the drafting of third-party agreements, satisfaction with the company’s information risk management is 12.5 percent higher than when any other function owns the activity.  This is no surprise, as at 92 percent of organizations, the legal department is responsible for this activity, which is considered by most to be a purely legal function.

According to the Global Legal Post, given the growing need for effective information risk management, companies should consider the following:

Emphasize communications between owners: Due to the evolving risks associated with information management, department responsibilities will overlap. So, it is essential that risk owners communicate with each other to clarify expectations. More specifically, risks associated with social media and data privacy are very concerning, given their potential impact on a company’s reputation.

Let information workflows dictate owners: Responsibilities are assigned according to the organizational structure, with legal overseeing the areas that have traditionally fallen under it and IT owning technology-heavy areas. When delegating information risk responsibilities, consider identifying business workflows and who within the organization often handles the specific information.

Cross-functional committees work best when utilizing functional participants: While cross-functional committees often work well for information risks, CEB’s research shows that these committees work best when they include employees involved in the day-to-day information management. 

Today’s legal departments should assess their roles related to information risk, consider cross-functional cooperation where appropriate, and be able to challenge traditional attitudes about ownership. 

Contributing Author

Amanda Ciccatelli

Amanda G. Ciccatelli is a Freelance Journalist for InsideCounsel, where she covers intellectual property, legal technology, patent litigation, cybersecurity, innovation, and more. She earned a B.A....
