This article is the second in a two-part series. Part 1 explored how siloed records management and information governance programs are difficult to execute and how most organizations are managing these efforts through a cross-functional steering committee.[1] Once the question of who should be involved is addressed, the next issue naturally arises: Who should pay for these programs? Part 2 explores which groups typically fund records and information management programs, which typically are involved, and strategies for launching or relaunching these efforts.
The elephant in the room: Who should pay?
While many groups within an organization see benefit in developing a strong information governance program, this enthusiasm is muted by one overriding concern: Which department is going to pay for this type of program? IT thinks compliance should pay because compliance will benefit from better risk management. Compliance thinks IT should pay because technology is involved. Or is it the business units who should pay? One of the risks in engaging a number of stakeholders in this discussion (and understanding their needs) is that it also creates conflicting expectations about who should pay. There have been situations where an email archiving system, for example, would have saved a company literally millions of dollars; however, the project was stalled due to arguments over who would pay. The greatest risk is that no one initiates this discussion for fear that speaking up first will somehow tag them as project funders.
Experience has shown that getting these issues out on the table early is best. Clearly, information governance initiatives do cost money, but they can save even more money. Often, when the committee highlights the risks of not having a program, senior management will fund or start funding these programs through other sources. Some organizations have been successful in attaching these initiatives to risks that have been highlighted by the board of directors’ audit committee. Sometimes, these committees have negotiated that legal will pay for the policy and IT will pay for the technology components.
Why compliance should be involved
When faced with information governance challenges, often the first question asked by compliance is: Why me? Compliance asks if and when they should be involved and wonders if it is better to let this be entirely an IT initiative—especially as a big focus is on the remediation and proper management of electronic data. At a time when many compliance department budgets are being scrutinized, it is fair to ask if they need to be the ones to lead this dance. In a word, yes. Compliance should participate in information governance programs for the following reasons:
- Compliance experiences the pain of poor information management: Not knowing where information resides directly drives up an organization's risks and costs. Failure to retain and provide accessible records can make dealing with regulators more difficult. Privacy and other sensitive information stored in the wrong place can greatly increase the likelihood of a data breach. Compliance, perhaps more than any other group, bears the consequences.
- Compliance owns many policy components: In most organizations, records retention and destruction, privacy, legal hold, and other key information management policies are legal’s purview. It is critical that these policies be designed to be both compliant and executable. These policies should be created or updated early in the process.
- Compliance helps avoid risk: Part of compliance’s charter is to proactively identify and avoid organizational risks. Perhaps more than any other group, they must be forward-thinking, anticipating changes in the legal, regulatory, and business environment and preparing the company to deal with these changes.
- Compliance often has a respected voice in senior management: Unlike other groups, compliance exerts a tremendous influence within an organization. Its voice is respected by both senior management and boards.
- Information governance creates an opportunity for compliance to add value: Organizations often start executing information governance programs to address legal or compliance issues and find that these programs also drive employee productivity and save money. These programs often change from something an organization needs to do to something it wants to do. In-house legal departments can demonstrate value by spearheading these programs.