With the overwhelming amount of personal data virtually everywhere, managing information risk is no easy task. The "consumerization" of corporate technology means more devices will access this information. Implementing a comprehensive risk assessment for all enterprise information is costly, time-consuming and can strain available resources. So, it's difficult for organizations to identify the right level of detail needed to assess risk based on the business criticality of the process or capability.
In the legal world, there is an especially increasing concern that there are unknown, dangerous risks associated with the creation, storage, and use of information within an organization. In order to mitigate risk exposure, in-house lawyers are asserting their control over key information risk management activities, but many of these efforts backfire, so the need to think more critically about who manages which activities and why.