The larger your organization, the more legal suits and regulatory investigations you can expect to have to deal with. And while the amended Federal Rules of Civil Procedure (FRCP) help clarify requirements for electronic discovery, the cost of holding, preserving and producing information for legal cases can run into millions of dollars.
- Jim Hurley, Managing Director IT Policy Compliance Group
But how much you spend on legal costs does not depend so much on the size of your organization, but, rather, on the policies, processes and practices you have in place, according to results of a survey of 235 U.S. firms released today by the IT Policy Compliance Group (IT PCG).
In fact, by following best practices, a company with $25 billion annual revenue can expect to spend only about $500,000 a year more than a $500 million company demonstrating the worst practices. Even more striking, best practices yield enormous reductions in the total annual cost of legal fees and settlements.
"The differences in performance outcomes in terms of spend were not related to size of company or industry grouping," said Jim Hurley, IT PCG managing director, "but what we did find was differences in outcome by spend were very related to practices."
Regardless of size, companies following best practices spent a small fraction on legal fees than those following the worst. Firms following what IT PCG describes as "normative" practices still spent just roughly a third of their less diligent counterparts.
The numbers are eye-popping. For example, best-practice companies with $500 million annual revenue spent an average of $174,000 on legal fees and settlements, compared to almost $3 million by those with worst practices. For $25 billion firms, the numbers were $3.6 million and $68 million.
Best practices yield similar annual savings in IT spending to find, produce, protect and preserve information. For $500 million companies, the best-worst number were $89,000 and $1,125,000; for $25 billion firms, about $1.6 million and $22 million.
The legal custody of information affects organizations across the enterprise: legal, IT, finance, HR and senior management and employees.
IT PCG has some 3,000 members, more than half in the U.S. There are 20 advisory members taking the lead in guiding research and setting the editorial calendar, and several supporting members, including The IIA The Institute of Internal Auditors, the Information Systems Audit and Control Association, the IT Governance Institute, Protiviti and Symantec, which provides funding for ITpolicycompliance.com.
The report cited a number of strategic actions and practices by the best-performing companies:
- Notifying affected employees of legal holds on data within one hour
- Responding to legal requests within one day
- Maintaining evidence of the handling of data
- Delivering training to employees
- Improving the quality of legal counsel
Tracking results to make subsequent improvements
These firms also showed sound information lifecycle management for legal information, including converting as much as possible to electronic formats (not surprisingly, costs are highest for paper records and archived tapes); inventorying and indexing information for fast search, and updating police for record retention and destruction.
In the U.S., FRCP is the prime driver for adopting sound processes for handling legal information, Hurley said. But while the survey was limited to the U.S., he believes many European companies are shoring up their practices for privacy compliance.
"It's interesting to see that some of the firms in Europe I spoke with are implementing the same kind of practices even though external pressures are different," he said.