Can Legal And IT Agree On Compliance?
Perhaps the biggest hurdle on meeting compliance requirements is simply having IT and legal agree on policy and approach. IT organizations often get frustrated by the “demands” of the legal team, and just as often legal gets frustrated with IT. The Chief Information Officer of a medium sized organization the recently complained to me that “I can’t get anything out of legal.” He went on to explain that when seeking advice from his legal group on what e-mail to save in their archiving system, their response was to form a committee. “All the committee does is meet and meet. I can’t even get them to agree we should even save e-mail.” Expand this discussion across privacy, eDiscovery, FCPA and the many other areas IT and legal must cooperate, and the frustration multiplies. Some may argue that in a difficult economy with limited budgets the conflict between legal and IT is inevitable. I disagree. Corporate Legal and IT organizations each have much more to lose by failing to cooperate. It’s just finding that middle ground that sometimes seems very difficult.
It is interesting to note that as both IT and legal have more in common than not: They are being asked to do more with fewer resources. They need to adapt to changing business climate. Also, both functions tend to get negative attention when things are going wrong, but little credit when the ship is on course. Having worked many years both with legal and IT, I believe that the differences between these two groups are more cultural and stylistic, not substantive. Still they don’t always get along. So if legal and IT should be working together, how?
“Corporate Legal and IT organizations each have much more to lose by failing to cooperate. It’s just finding that middle ground that sometimes seems very difficult”
This relationship is fixable, and here are five steps for getting there: Step 1: Start the Conversation Together – There is a tendency for each group to want to develop a strategy and approach and then inform the other of the decision. One IT group for a large transportation company recently choose a large content management system with almost no input from legal. IT of course wants to ensure that the system meets its needs, but in this case failure to include legal in the decision making process created significant resistance by the legal team to endorse the technology as a viable retention strategy. In truth in was not so much that the product they purchased did not fit legal’s need, but failure to include them needlessly raised suspicions and resistance. Don’t worry, including legal will not force you to adapt a system that only meets legal’s needs.
Step 2: Address the “Who Pays” Elephant in the Room –An IT project manager for a large retailer told me she knew one particular IT technology that could save the legal group and the company potentially millions of dollars per year. I asked her why she had not suggested this system to the legal group. “Even though I know this will save the company money overall, currently IT has no funding for this type of system,” she explained. “If I as an II person suggest it, IT would have to budget for it. That would be career suicide for me.” Many legal and IT groups play a similar budgetary game, creating a stalemate where each side awaits the other side to raise their hand first, and hence take budgetary ownership of a project.
Legal and IT should work together to break this habit. Address the budget issue elephant in the room early and often. Discuss the benefits and cost savings, and get creative about funding. Look at other groups that may benefit and contribute to the funding of IT/Legal projects (audit, finance and business units to name a few). You might be amazed how monies can be found with some more open communication.
Step 3: Be Prescriptive – One legal group wanted IT to implement a record retention policy for electronic documents, but would only provide a vague, high-level retention policy. Legal thought it was being clear, IT didn’t. Nothing got done. Coming from different cultures, legal and IT need to make an extra effort to be prescriptive on policies and processes when working together. Be clear about what legal specifically wants IT to do. Make sure you are open for questions and follow up. Use specific examples. While you may be believe you are being perfectly clear, what matters is the recipient understands exactly what you want.
Step 4: Pull in other Allies – If your joint IT/legal initiatives only include these two groups, you may be excluding other valuable stakeholders who can help drive and possibly even fund your initiative. Increase the members of your steering committees to include privacy, risk, audit, finance and even business units. Often the control of information derived from one type of compliance initiative can be leveraged to help other types of initiatives. Yes, including more stakeholders initially slows things down a bit. Yet the critical mass achieved when multiple groups are engaged more than makes up any slow approach.
Step 5: Find and Communicate the Common Win– When looking at a new initiative, don’t focus on the win for just legal or IT. Nearly every joint legal and IT initiative has a win for both, as well as other groups in the organization. Don’t talk only about how a particular project will help legal. Talk (and sell) the benefits for others. When compliance is approached the right way, believe it or not there really is a way for everyone.