Who should own a company's records and information management program (RIM), legal or IT? I am asked this question often, and here is why this is a tricky question. Records and information management programs can encompass records management, regulatory compliance, litigation readiness and e-discovery, knowledge management, data management, as well as paper document storage. For fun also throw in data privacy, information security and data protection. This is a role that clearly requires legal and compliance skills and capabilities. Yet most RIM execution is done against electronic documents using information technology. In addition to good policies and technology tools, good RIM execution also requires employee training and change management.

Those in legal want to hear that IT should own RIM, because they argue that today most records are electronic. IT on the other hand points out that records management is driven by legal and regulatory requirements, and believes it is therefore logical and necessary for the legal department to own RIM. Some companies do have formal records management groups, but many of these are only responsible for paper document warehousing with token responsibility for electronic information. RIM ownership is often a corporate “hot potato” that no one wants to own, with attempts to pass responsibility from group to group.

Current RIM ownership today is fairly mixed. In our research across small to large corporations, RIM reports into legal in 30 percent of organizations, into IT in 25 percent of the time, and 10 percent of organizations have “stand alone” records management organizations with some responsibility for electronic information. In 35 percent of companies no department has direct responsibility for RIM. Furthermore, one can argue that even if RIM historically reported into a particular group, the changing legal and data landscape should prompt organizations to rethink who should own it.

Both legal and IT should take a strong interest in an effective RIM program. A poorly run RIM program can make litigation and compliance very painful, as well as making IT's life miserable. It is not in legal's best interest to throw RIM over the wall to IT and declare it their problem, nor should IT stick its head in the sand and hope these issues go away. They won't. The problems that result from a poorly executed program are much greater than the pain of owning one. If I were a GC or CIO, I would want to own RIM, if only to ensure it were done right.

We have set up RIM programs for a number of organizations, and have had the opportunity to see what works and what doesn't. So back to the main question: Who should own it? (I was counseled by a client that since this column is part of a legal magazine, I should answer IT.) My answer–certain to disappoint some–is that we have seen it work well in either group. If RIM ownership has to be either legal or IT, then the group that cares about it the most should own it. Which group will go to bed every night, and awake the next morning thinking about records? Who can best build and drive consensus across the organization? Who cares about doing this right? If the group that does own it cares, the funding, headcount, authority and execution often take care of themselves. Good things come to those that care about and own RIM.

It does not have to be in either legal or IT. The best approach is to develop shared responsibilities across both legal and IT, with each group responsible for areas within their expertise, and careful coordination between the two. With good planning, this actually works, and with guidance and practice it can work very well.

Nevertheless, I do not expect legal and IT to stop arguing any time soon about who should own RIM.

Read Mark Diamond's previous column. Read Mark Diamond's next column.