FileTrail: Creating a culture to support stronger information governance
“Culture eats strategy for breakfast . . . and information governance policies for dessert.”
Regardless of who actually said “culture eats strategy” first, the saying implies that any business strategy will prove ineffective if the right company culture is not in place to support it. Without a shared sense of purpose, it’s often an uphill battle to motivate employees to change behaviors and do their part in executing a business plan.
This is definitely the case in information governance. More than a few law firms have brilliantly crafted IG policies – some drafted with little or no input from IT – that are aspirational at best.
And if all your firm has is an IG policy that looks good on paper, you are most likely retaining and failing to dispose of information that exposes the firm to security risks, data privacy breaches, potential fines and future litigation – not to mention the costs of continuing to store more information than you need.
Putting IG policies into practice requires creating a broader culture within the firm recognizing the importance of controlling information and minimizing the associated risks. The policies themselves require input and buy-in from all departments or administrative functions that manage the firm’s information. Information governance, like cybersecurity and data privacy, also requires individual employees, contractors and vendors to understand their responsibilities in taking IG seriously.
As the 2019 Sedona Conference Commentary on Information Governance states, “Knowingly or not, organizations face a fundamental choice: they can control their information, or, by default, they can allow their information to control them.”
The Key Ingredients
So how can firms create a culture that fosters stronger information governance and puts them in control? Below are some key ingredients to consider.
- Leadership. Within many firms, it is unclear who is accountable for information governance – is it the CIO or the firm’s head of risk or general counsel? And does firm management have visibility into how IG is supporting the firm’s overall business objectives? During a recent webinar, Mark Parr, global director of IT at HFW, shared that while he is currently responsible for information governance at the firm, he plans to transition ownership to the head of risk in the future. He reports on IG in monthly risk committee meetings and updates the management board quarterly on IG progress.
- Organizational structure and communication. Do you have a cross-disciplinary committee in place – perhaps with stakeholders from IT, security, risk, compliance, records management, finance and HR – that is able to break down the silos that typically exist when it comes to managing information and which can impede a coherent IG strategy? Do you have IG specialists as well? Furthermore, if individuals within the business have questions about information governance, do they know where to turn and whom to ask?
- Shared values and behaviors. Law firms tend to be inherently cautious, and many have traditionally adopted a “keep everything just in case” mentality, particularly when it comes to electronic documents, often alongside a general aversion to document destruction. Changing the mindset for your employees requires changing the mantra. Instead of “keep everything,” for example, you could promote “keep only what’s required” and “embrace defensible disposition” of physical and electronic records. “We put data privacy first” and/or “we don’t use printers anymore” are examples of other values that can be part of promoting specific behaviors. And if you can link your information governance objectives to the firm’s brand or mission statement – and establish a shared language in describing the firm’s attitudes towards IG – it can help to reinforce your credibility with clients, employees and partners.
- Control mechanisms. Having processes and systems in place to help employees do the right thing is important. Workflows automating the policy classification of documents in the DMS, or alerting stakeholders when retention periods have expired for client matter files and are due for review and disposition, free employees from having to remember to track and perform manual tasks. Similarly, activity monitoring tools that prevent employees from downloading confidential documents onto personal devices or ethical walls that only allow authorized individuals to access sensitive information help to enforce appropriate behaviors.
- Training and education. Information governance training and educational resources – tailored to individual employees’ specific functions within the firm – are essential for building more individual ownership and responsibility. Training employees on how to use Teams responsibly and securely while protecting client information in line with your firm’s IG policies is now imperative for many firms. Another example is educating employees about clients’ outside counsel guidelines – and specific retention and disposition requirements the firm has agreed to – which can help them to better understand why doing their part in IG is critical to long-term client satisfaction.
- Measurement and rewards. How well is the firm performing when it comes to information governance? The ability to report on progress on the IG front – in terms of how much data the firm is storing where, how quickly it is growing, how well the firm is tracking to the retention and disposition requirements, how the firm is regularly managing the deletion of personal data, the total impact on storage costs – keeps firm leadership informed of progress in IG. (One of our favorite examples is a US firm that reported successfully disposing of 1.5 million electronic matter files it no longer needed.) And while we’re all familiar with using scare tactics to frighten employees with stories of large ICO fines – “which could have been us if we weren’t careful” – it’s important to spotlight positive stories as well. Success stories highlighting how client matter teams have implemented IG policies, resulting in recognition from clients, for example, can be a tremendous motivator for employees.
The Winning Recipe
This article was originally published March 22, 2021 by Legal IT Insider.