Information Governance as a Management Strategy Task Force Report
This report was created for law firm executive leaders, who are navigating an increasingly complex environment
where the need to drive efficiency and manage cost conflicts with amplified risk management and compliance
requirements, many of which relate to client and firm information. The report sets forth the business case for
information governance (IG) as one strategy law firm leaders can use to achieve their business goals. It also
describes the level of focused leadership necessary to implement IG, and recommends bringing together a variety
of law firm stakeholders within an information governance organization (IGO) to act as the change agent to drive IG
within the firm. Because law firms vary in size, geography, practice group composition and information management
maturity, this report provides considerations for scaling the IGO to meet the firm’s current needs and future IG
growth. An IGO, thoughtfully designed to meet the firm’s specific needs, can implement the changes needed to
leverage IG as a transformative agent for success in a challenging business climate.
The report discusses:
- The business drivers for IG
- The law firm IGO, including goals, scope and composition
- The evolution of the IGO over time
Business Drivers For IG
In today’s legal marketplace, clients rather than law firms define the value of legal services. Competition among
firms for available work has become constant and aggressive.1 This new reality requires proactive law firm leaders to
constantly seek innovative ways to control cost and improve efficiency. They aspire to firms with fewer support staff,
lower operating costs and more productive lawyers. Thus a key goal of many managing partners and C-level leaders
is to streamline the ways lawyers and staff work by reengineering processes related to the delivery of legal services
and the firm’s business activities.
This drive toward heightened efficiency is happening against a backdrop of increased cost and risk related to the
information law firms create, receive, transmit, store and use to provide legal services and manage the firm. The first
report issued by this Symposium described the following pressures: high volumes of electronic information, everincreasing
storage costs, increased regulatory requirements, heightened information security demands from clients,
control risks surrounding the mobility of legal matters and the portability of information and emerging trends related
to third-party access to firm information.2
IG has emerged within the broader business world and the legal industry as a way to address the multitude of
pressures related to information management. IG seeks to treat an organization’s information as a critical business
asset, requiring top-down management to effectively address the organization’s legal obligations, operational
requirements and risks. Additionally, IG can have positive impact on the organization’s larger business concerns,
acting as a catalyst for cost savings and enhanced productivity and for the innovative change that can lead to
competitive distinctiveness. IG can result in reduced cost related to storage, more efficient access to information,
better engineered processes requiring less support and more effective compliance with legal requirements.
The new legal marketplace requires firm leaders to strategically select change management initiatives in which to
invest. IG is a complex undertaking, requiring a commitment by the firm not only to fund specific IG initiatives, but
also to support the cultural and behavioral changes necessary to create an “IG state of mind” in the firm in which all
personnel treat information as a critical resource. Despite these challenges, the rewards can be significant. The value
propositions for IG include better client service, competitive distinctiveness, enhanced lawyer and staff productivity,
more effective cost management and stronger compliance and risk management.
Among its core objectives, IG seeks to improve the availability and security of information. Law firms that implement
IG can improve client service by making it easier for busy lawyers to find needed information, and by assuring clients
that their sensitive, confidential, proprietary or highly regulated information is safe within the firms’ systems.
The practice of law depends on reliable access to information, which in today’s legal environment is almost entirely
electronic, existing in vast quantities within various structured and unstructured repositories. The volume of
electronic information and its dispersion across multiple systems and devices compromises the lawyers’ ability to
access what they need completely and promptly, slowing down or delaying the provision of legal services. Lawyers
who can easily access and leverage information can meet the demands of clients who expect outside counsel to be
immediately and constantly responsive to their concerns.
Additionally, clients are increasingly concerned about the law firm’s ability to protect their information. Law firm
information security is generally perceived as weaker than that of organizations in highly regulated industries,
such as finance or healthcare.3 Thus clients are pressing firms to assume information security obligations that
support their own legal requirements.4 These obligations come to the law firm in the form of agreements, such as
requests for proposal, outside counsel guidelines, engagement agreements and information security questionnaires.
IG provides the framework that allows the firm to evaluate these requests, identify security gaps and develop a
roadmap for improved information security to address client needs.
Clients rate their outside law firms on responsiveness and overall service, and firms that exceed expectations in this
regard are more competitive in a tight market. Beyond this, if a firm proactively addresses a prospective client’s
concerns about information access and security by explaining the scope and breadth of its established program to
govern information, the firm can distinguish itself as forward-thinking, technologically astute, service-focused and
in tune with the client’s need to engage law firms that provide cost-effective services and understand their business
requirements. Thus IG can be leveraged as a business development advantage.
While law firms continue to structure fees on the basis of time expended on legal matters, clients increasingly insist
on alternative fee arrangements based on factors other than hours worked. Thus law firm leaders actively seek
greater efficiency in the processes that support the delivery of legal services. IG goals to streamline information
management processes and consistently aggregate, organize and store information, improve the ability of busy
lawyers and staff to find, use and leverage information in ways that get the job done quickly and effectively. They can
serve more clients, sell more work and better support firm business objectives.
An IG emphasis on consistency and efficiency enables the law firm leader to manage costs in two significant areas.
The changing legal marketplace has focused law firm leaders on staffing ratios, i.e., the number of staff per
attorney. Most law firms are actively trying to reduce staffing levels.5 Process reengineering related to IG results in
streamlined processes which can drive strategic reductions in force. Examples include deliberate strategies to limit
paper recordkeeping, thus reducing the footprint of office-based records management teams, implementing various
cloud-based applications which can reduce staff needed to administer on-premise solutions, or outsourcing certain
functions such as records management, the technology help desk or information security operations.
In addition to staff ratios, process reengineering driven by IG can effect a number of additional cost savings:
- Reducing costs for physical and electronic information storage.
- Limiting costs related to regulatory compliance, including discovery costs, civil damages, and court
penalties, data breach notification costs,6 and fines or penalties resulting from the breach of
confidential client information or information covered by federal or state law.
- Reducing insurance premiums through tightened compliance processes.7
- Limiting the loss of fees and/or client relationships resulting from data loss events.
- Recapturing real estate costs as firms release or repurpose space previously used to store
hard copy documents.
There are a variety of risks related to managing information in the law firm. Most of these surround inadvertent
or deliberate data leakage or theft. Through an emphasis on compliance, security and information management
behaviors, IG delivers policy, process, systems, and cultural changes to mitigate the risk that confidential client
information, as defined by the rules of professional responsibility, or information covered by federal or state
regulation, will be breached. Such data loss events can result in serious exposure for the firm, including lawsuits,
court or agency imposed fines and penalties, and reputational damage.8
The Law Firm Information Governance Organization
Although IG is a powerful tool for the law firm executive trying to lead his or her firm through a complex maze of
market pressures and information management risks and requirements, it also requires a significant amount of
change. Implementing an IG program involves developing a framework of policy, process, systems and awareness to
drive behavior and cultural change.9 It requires investment on the part of the law firm in technology and talent, and
a willingness to transform specific operations into more nimble, effective and leaner organizations. It also requires
a consistency of approach, oversight and execution. Although firms generally employ specific individuals who have
some of the knowledge and skills needed for IG, they have not developed or marshalled these resources as the
concentrated force necessary to drive IG implementation.
As with any significant change management effort, IG requires the engagement of multiple stakeholders, supported
by management who together provide the talent, knowledge, skill set and unity of purpose necessary to achieve
the firm’s goals. This report refers to this group as an information governance organization, or IGO. Often, the first
iteration of a firm’s IGO consists of one individual, typically an information management professional from the
technology or records management department, who works to persuade leaders in the firm that creating an
IG culture is critical to the firm’s management of information assets. As firm management becomes increasingly
“IG aware,” it can tie IG to the firm’s larger strategic goals, and begin tasking other stakeholders to participate in
the IGO. Thus the size and composition of the IGO reflects the development of management’s strategic
understanding of IG. Figure 1 illustrates this relationship.
To enable law firms of all sizes to visualize the complete function and scope of the IGO, this report portrays a
robust IGO populated by a significant number of stakeholders, but also recognizes the need for scalability. Below is
a discussion of the critical requirements for an effective IGO, including the firm’s definition of its IG goals, the IGO’s
scope of responsibility and structure of the IGO.
Firm Goals For IG
Identifying firmwide goals for IG first involves an assessment of the firm’s current information management state,
as well as its capabilities. There are a variety of ways to assess the law firm’s information management maturity.
This task force recommends the Maturity Model put forth by ARMA International, which cites five levels of IG
maturity, modified below to fit the law firm environment.10 For the purposes of this report, this model is referred
to as the “IG Maturity Scale.”
- Substandard (Level 1): Information management, including recordkeeping, is not addressed at all or is at
a minimum level. The firm should be concerned about security, data loss and ethical or legal compliance.
- In Development (Level 2): There is a growing recognition that IG will benefit the firm, but efforts are ad hoc
and the firm is still vulnerable to data breach and non-compliance.
- Essential (Level 3): Minimum policies, processes and systems are in place to manage information and
ensure compliance. Nevertheless, significant opportunities exist to streamline processes, control cost
and improve access.
- Proactive (Level 4): IG considerations are actively and routinely being integrated into the firm’s information
management processes and culture. Firms at the proactive state may be ready to take steps to transform
all stakeholders to an IG culture.
- Transformative (Level 5): IG has become so embedded into firm process and culture that compliance is
routine behavior for all firm personnel. Firms at the transformative state have achieved their business
and IG goals.
In addition to information governance maturity, there are a number of additional factors the firm should consider
when defining its IG goals.
IG seeks to create a culture in which all firm personnel understand their responsibilities to manage information in
their possession. Law firm leaders creating an IGO should consider the unique culture of their firm, and how much
authority the IGO has to drive this level of change. In general, it takes a “tone from the top” to create organizational
change. As will be seen below, this report suggests that the IGO include executive sponsors who ensure that the
firm’s IG program reflects the goals of senior management.
Small Firm Vs. Large Firm
The size of the firm, its existing organizational structure and its ability to provide resources will impact its overall
information management strategy. Smaller firms may be able to achieve change in a more nimble fashion, even
if they do not have the financial ability to invest in high compensation for IG leaders or in sophisticated systems.
On the other hand, the information management needs of larger firms may be more complex, requiring greater
investments in people, systems and processes.
The geographic spread of the firm has definite implications for IG and will affect the composition and scope of the
IGO. A firm that operates only in the United States will have very different compliance obligations than if it has
offices in other countries. In addition, the IGO must be aware of cultural differences in international offices that will
affect IG implementation. Firms that operate internationally are advised to involve stakeholders from a variety of
countries in the efforts of the IGO.
Practice Group Considerations
The practice composition of the firm will affect the IGO’s focus on specific information activities. The IGO may need
to apply IG requirements to a variety of functional areas including litigation support, or litigation or intellectual
property docketing systems. Firms with transactional practices might use collaborative electronic “deal rooms” to10
store critical data. Estate planning and tax attorneys routinely transmit personal information such as social security
or bank account numbers to their clients. Health care attorneys and others might routinely receive protected health
information (PHI) covered by HIPAA in their matters. The IGO should be tasked with an evaluation of all practice
areas to determine unique IG considerations.
Once the firm explores these issues and benchmarks its place on the IG Maturity Scale, it can then develop its
overarching goals and objectives, which will in turn drive the IGO’s scope of work and structure. For example, if the
firm is at Level 1 or 2 on the IG Maturity Scale, its long-term goals might be to achieve Level 3 or 4 (and potentially
Level 5), but its first concerns will be to establish fundamental recordkeeping and information management policies