BP Perspective Insights from a Business Partner

Keeping Score: Why Legal Organizations Should Develop a Risk Scorecard

The business of running a law firm or corporate legal department has many challenges, but in an environment where cyber threats run rampant and the regulatory landscape is seemingly evolving by the day, managing the risk around sensitive information has to rank as a top priority.  

Aaron Rangel

This begs the question: How can a legal organization determine how prepared they are for this weighty task? Is there a way to benchmark their information security risk profile against industry standards and best practices to get a sense of overall systemic risk? 

Legal organizations can start to wrap their arms around this challenge through the development of a risk scorecard that allows them to evaluate themselves in four key areas: 

  1. Adoption and usage of an information management product like a document management system (DMS)
  2. Categorization of content and application of security policies
  3. Examination of ancillary information management systems 
  4. Ongoing content maintenance and records management


A DMS is a useful central repository for managing sensitive and privileged content — but only if people actually use it.  
Quite often, firms and corporate legal departments find that adoption of a DMS throughout the organization is somewhat patchy, with some departments or users actively using it and others barely at all. This inconsistent usage presents a security risk because the DMS offers layers of governance and security that other storage options — such as local drives, network drives and Outlook folders — do not. 
To benchmark risk around information management, firms should determine if there is active adoption of the DMS, with a goal of having at least 80% of the organization consistently using it. Additionally, they should ensure professionals are using the DMS to file emails as well as documents. After all, sensitive information comes in many forms. 

After this foundational first step, the next step in managing risk involves categorizing the content in the DMS so that it can successfully be protected. 

Classifying and securing data appropriately — for example, does it contain personally identifiable information or protected health information? — helps legal organizations navigate the challenges of the General Data Protection Regulation (GDPR) and other emerging data protection and privacy regulations to ensure compliance with any relevant laws. It’s also necessary for effective implementation of need-to-know security, which can lock down information by project, office or department. For instance, maybe only a certain team needs access to a particularly sensitive set of files rather than the whole organization. 
The goal here is to maximize the amount of information that is categorized and has appropriate security policies in place, and then to perform regular benchmarking on an ongoing basis to ensure the same is done to new content. In other words, this is not a “one and done” task.  


After centralization and categorization have been addressed, legal organizations should turn their attention to other areas where systemic risk lurks — like ancillary systems. 
While a DMS might serve as a central hub, it’s only one part of a larger content ecosystem. The information stored in the DMS needs to be shared with internal and external collaborators via a web of other tools (think here of Slack, Microsoft Teams, third-party file sharing solutions and other mainstays of the modern workplace). It’s important for security and governance policies to apply to content in those ancillary systems.  
Are multiple copies of the same piece of content being stored in more than one system? To maintain security and avoid running afoul of compliance and regulatory requirements, legal professionals should share links to secured and categorized content stored within the DMS, rather than uploading copies into multiple different places. 
Again, this is not a “one and done” task: After addressing any vulnerabilities around existing ancillary systems, legal organizations need to ensure the same careful eye is applied to any new ancillary products that are deployed if they wish to minimize systemic risk. 
The final critical area for the information management risk scorecard is to assess whether you are archiving or purging content that is no longer relevant as you continue to file information into the DMS. If not, end users are going to get overwhelmed with irrelevant content when they access the DMS, which makes them less likely to use it — which then creates risk for the organization.  
Having a separate library for old content and an active library for frequently accessed content is a good way to make old knowledge accessible without compromising the search experience.  
A word of caution here: While old or irrelevant information should be purged on a regular schedule in accordance with a clearly defined policy, there’s certain content that needs to be kept and retained — for example, if a piece of content is declared as a record or has a legal hold placed on it in response to a subpoena. With a deliberate and mindful approach, legal organizations can successfully prune their content “garden” without inadvertently increasing their risk profile. 


By measuring their information security risk profile against these benchmarks and best practices, legal organizations can start to develop a risk scorecard to get a clear assessment of where they stand. In doing so, they will give themselves a powerful way to effectively address systemic risk across the organization. Simply put, knowing where you stand reduces risk.