Cloud Adaptation: How Legal Teams Can Implement Better Information Governance Structures for Evolving Software
There is much out there about cloud solutions and how they improve the lives of users, offer flexibility for expansion and contraction of business, and can lighten the lift for IT. There is even a lot of specific commentary about how cloud can help legal teams and enable change management for the department. But what about the day-to-day tasks? How does the cloud change the legal team’s work and what new governance and skills are necessary to handle that change? This blog will tackle these questions so you can be more prepared and agile as cloud technology advances.Why does a shift to the cloud matter for legal teams?From a practical perspective, it means having to be reactive in areas where legal has traditionally been more proactive. Things like data storage timelines and locations, internal access permissions, and document history are now ever-changing with software updates being automatically pushed to corporate software environments. Many organizations that manage on-premises software have historically had an effective software governance structure in place. They can meet, discuss upcoming upgrades and their impacts, and make decisions about when to execute a software upgrade. Now, in an agile cloud approach, upgrades come frequently, without much notice, and sometimes have highly impactful changes. Traditional governance structures are no longer sustainable given the new timing and volume of updates – sometimes hundreds in a week. Legal and IT teams now need to collaborate more often to quickly analyze any impacts updates will have on the organization and what, if anything, needs to be done to mitigate cloud security risks.Given this, how should corporate legal teams adapt?A typical legal department is organized around areas of expertise – you may have employment, litigation, business advice, and contracts, for example. The department may also have a legal operations function, or a member of the team assigned to certain process improvement and/or corporate programs. One of these programs covers technology changes at an organization. It is this latter set of responsibilities that become much more important, and more voluminous, in an agile software environment. Analyzing the potential risks of cloud updates, advising the business on how to mitigate those risks, and changing any associated legal workflows can become a full-time or close to full-time set of responsibilities. In addition, the culture of the department must change to one that embraces frequent change, understands change management, and is consistently updating and improving processes and procedures.Traditionally, in an on-premises environment, an IT organization would typically manage an upgrade governance structure. They would plan for a software upgrade every six months, outline the changes that are due with each upgrade, and analyze what departments it impacts and the risks of those impacts. Finally, they would present this information to a cross-functional committee who would discuss when the upgrade can be made and what kind of work needs to precede the upgrade. Legal was typically part of that committee. Now, in a cloud environment dozens (or even hundreds) of changes get pushed out weekly and, although there may be some advanced warning, the timing isn’t as flexible, it isn’t uniform across users, and there is usually less time to prepare. In addition, changes may be pushed out, rolled back, and potentially reversed. Updates may also occur without any warning, which can contribute to the cloud challenges for corporate legal departments[1]. To minimize risk in this agile environment some specific steps can be helpful: a similar governance committee needs to meet more frequently, the analysis of impact and risk needs to be done very quickly, and changes need to be made almost immediately to ensure you get ahead of any potential impacts. Due to the frequent nature of these changes, and supervising process updates to mitigate risk associated with the changes, managing cloud updates can be more time-consumingWithout structure, these cloud updates can add stress and increase reactive work. However, with some structure and clearly delineated oversight, they can be managed more efficiently. Although many organizations may not have a structure in place, those that do pull together a committee for each enterprise technology. This committee has IT, legal, compliance, and business-focused representation. It may have multiple representatives from some of these groups, depending on the perspectives needed. The goal is for the business representative to advocate for users of the technology, the legal and compliance representatives to mitigate risk and take into account regulatory, litigation and privacy considerations, and the IT team to represent management of the platform and be a voice for the platform provider. The committee should have access to a sandbox-type environment where they can test changes and should be empowered to lead companywide changes – or at least be able to work with a project management office or other resource to make these changes.Most legal departments run pretty lean so creating a new governance structure can be a significant challenge, but there are ways to make the process easier. First, you can hire outside support to handle all, or some, of this work. For example, outsourcing the creation of the governance structure to manage software updates and staffing that group with your own resources or have your external partner staff and manage it until a time when you are ready to take it over. Second, instead of hiring outside support, you can share your risk concerns with IT and rely on them to raise any potential impact that upgrades may have on risk and legal processes. For example, when IT receives an email from a software provider outlining updates, they would analyze them for potential impact to legal workflows, retention policies, or any other issues you have flagged. They would then test the updates and remediate any negative impacts. Finally, you can rotate governance committee membership so that the work is being shared across your team. Whatever approach you choose, keep in mind that changes in the cloud environment are happening frequently and having someone within your company watching from a legal perspective will pay dividends when it comes to accessing data for legal, compliance, investigative, or other reasons down the line.[1] Victoria Hudgins, “Big Adjustment: Legal Departments Struggle with Lack of Control Over Cloud Technology,” Legaltech news, November 29, 2021, law.com information-governance; microsoft-365; lighting-the-path-to-better-information-governancecloud-security, cloud-migration, blog, risk-management, information-governance, microsoft-365cloud-security; cloud-migration; blog; risk-managementlighthouse