Comment: Creating a Culture to Support Stronger Information Governance

By Darrell Mervau, FileTrail, and Christopher Young, Pinnacle

“Culture eats strategy for breakfast . . . and information governance policies for dessert.”

Regardless of who actually said “culture eats strategy” first, the saying implies that any business strategy will prove ineffective if the right company culture is not in place to support it. Without a shared sense of purpose, it’s often an uphill battle to motivate employees to change behaviours and do their part in executing a business plan.

This is definitely the case in information governance. More than a few law firms have brilliantly crafted IG policies – some drafted with little or no input from IT – that are aspirational at best.

And if all your firm has is an IG policy that looks good on paper, you are most likely retaining and failing to dispose of information that exposes the firm to security risks, data privacy breaches, potential fines and future litigation – not to mention the costs of continuing to store more information than you need.

Putting IG policies into practice requires creating a broader culture within the firm recognising the importance of controlling information and minimising the associated risks. The policies themselves require input and buy-in from all departments or administrative functions that manage the firm’s information. Information governance, like cybersecurity and data privacy, also requires individual employees, contractors and vendors to understand their responsibilities in taking IG seriously.

As the 2019 Sedona Conference Commentary on Information Governance states, “Knowingly or not, organisations face a fundamental choice: they can control their information, or, by default, they can allow their information to control them.”

The Key Ingredients

So how can firms create a culture that fosters stronger information governance and puts them in control? Below are some key ingredients to consider.

• Leadership. Within many firms, it is unclear who is accountable for information governance – is it the CIO or the firm’s head of risk or general counsel? And does firm management have visibility into how IG is supporting the firm’s overall business objectives? During a recent webinar, Mark Parr, global director of IT at HFW, shared that while he is currently responsible for information governance at the firm, he plans to transition ownership to the head of risk in the future. He reports on IG in monthly risk committee meetings and updates the management board quarterly on IG progress.

• Organisational structure and communication. Do you have a cross-disciplinary committee in place – perhaps with stakeholders from IT, security, risk, compliance, records management, finance and HR – that is able to break down the silos that typically exist when it comes to managing information and which can impede a coherent IG strategy? Do you have IG specialists as well? Furthermore, if individuals within the business have questions about information governance, do they know where to turn and whom to ask?

• Shared values and behaviours. Law firms tend to be inherently cautious, and many have traditionally adopted a “keep everything just in case” mentality, particularly when it comes to electronic documents, often alongside a general aversion to document destruction. Changing the mindset for your employees requires changing the mantra. Instead of “keep everything,” for example, you could promote “keep only what’s required” and “embrace defensible disposition” of physical and electronic records. “We put data privacy first” and/or “we don’t use printers anymore” are examples of other values that can be part of promoting specific behaviours. And if you can link your information governance objectives to the firm’s brand or mission statement – and establish a shared language in describing the firm’s attitudes towards IG – it can help to reinforce your credibility with clients, employees and partners.

• Control mechanisms. Having processes and systems in place to help employees do the right thing is important. Workflows automating the policy classification of documents in the DMS, or alerting stakeholders when retention periods have expired for client matter files and are due for review and disposition, free employees from having to remember to track and perform manual tasks. Similarly, activity monitoring tools that prevent employees from downloading confidential documents onto personal devices or ethical walls that only allow authorised individuals to access sensitive information help to enforce appropriate behaviours.

• Training and education. Information governance training and educational resources – tailored to individual employees’ specific functions within the firm – are essential for building more individual ownership and responsibility. Training employees on how to use Teams responsibly and securely while protecting client information in line with your firm’s IG policies is now imperative for many firms. Another example is educating employees about clients’ outside counsel guidelines – and specific retention and disposition requirements the firm has agreed to – which can help them to better understand why doing their part in IG is critical to long-term client satisfaction.

• Measurement and rewards. How well is the firm performing when it comes to information governance? The ability to report on progress on the IG front – in terms of how much data the firm is storing where, how quickly it is growing, how well the firm is tracking to the retention and disposition requirements, how the firm is regularly managing the deletion of personal data, the total impact on storage costs – keeps firm leadership informed of progress in IG. (One of our favourite examples is a US firm that reported successfully disposing of 1.5 million electronic matter files it no longer needed.) And while we’re all familiar with using scare tactics to frighten employees with stories of large ICO fines – “which could have been us if we weren’t careful” – it’s important to spotlight positive stories as well. Success stories highlighting how client matter teams have implemented IG policies, resulting in recognition from clients, for example, can be a tremendous motivator for employees.

The Winning Recipe

Of course, building a strong information governance culture requires a thorough assessment of where your firm is today, what your objectives are and how any cultural changes will go hand in hand with your firm’s policies, procedures and internal standards. And while looking at all the key considerations at once can feel overwhelming, as Mark Parr recommends, “don’t try to boil the ocean” and instead break down your information governance challenges into manageable chunks. Indeed, dusting off that brilliantly crafted IG policy to bring it up to date and in line with current realities may make a lot of sense.

The winning recipe will be unique to your firm and may take time to develop and implement systematically – but by keeping culture in mind as you plan your information governance program, you have a better shot at shaping successful outcomes, rather than being consumed, ignored or forgotten until disaster strikes.

About the Authors

Darrell Mervau is a co-founder and president of FileTrail Inc., a global leader in information governance and records management. Mervau can be reached via email at

Christopher Young is head of Pinnacle’s risk and BD practices. He is focused on compliance and is highly regarded for his ability to resolve complex regulatory problems. Alongside continued oversight of Pinnacle’s work in the new business intake and conflict space, Young helps firms minimise the significant risks surrounding information governance and records management.