Taming the Beast

Comprehensive Strategy Required

Absent a comprehensive and strategic plan to manage and control records and information, organizations have attempted myriad approaches, both manual and technical. Asking employees to spend hours sorting shared drives and e-mails has proven untenable. Technical approaches, such as arbitrary time-based or volume caps on e-mail Inboxes to force e-mail deletion, have often resulted in employee workarounds, including the creation of personal storage tables (PSTs). Costly technology solutions, originally considered the Holy Grail, often fail for lack of upfront comprehensive and holistic analysis of information lifecycle requirements. Many such “solutions” have been implemented by the IT department, ignoring the fact that Legal, IT, Records Management, and the business often speak different languages. A comprehensive analysis of requirements across the organization to yield an acceptable translation of seemingly conflicting priorities is often ignored due to a lack of internal expertise to conduct such an analysis and the amount of time required for its completion.

Faced with the seemingly insurmountable odds against truly comprehensive management and control over digital information, some general counsel have concluded, “we've never had any significant litigation due to keeping records too long, and no 'smoking gun' records have ever cost us a major case or settlement dollars,” and have chosen simply to keep everything. This position, however, is no longer acceptable. Although legal risk may have been low in the past, an organization's inability to promptly retrieve information related to an audit, litigation or investigation may lead to fines, sanctions and penalties in the future.

Further, there is risk of producing an incorrect version or rendition of a document or record. Add to that the inefficiencies and ineffective use of staff time, and the burgeoning cost of storage and e-discovery, and organizations can no longer bury their heads in the sand.

Increasingly, many law departments, along with their IT and Records Management colleagues, agree on three things: 1) information management is not an issue they can adequately solve on their own; 2) it goes far beyond the retention and destruction of documents; and 3) effective information management should be part of a much larger corporate information management strategy. Organizations realize they will not be able to avoid litigation, control spiraling costs, and stay ahead of the proliferation of information without a fundamental shift in approach toward one of information governance, corporate-wide partnership and holistic technology solutions.

Effective Information Governance

Law departments have a vested interest in corporate information governance, and they should be an active participant in the solution. Ineffective records management directly preys on a corporate law department's time, money and people ' hours spent searching for needed records or the proper version of a document, poor partnering with law firms and costly duplicative efforts, and an inability to respond on a timely basis to legal or audit inquiries or government investigations are but a few examples. But ineffective information governance sneaks up on the law department in the form of fallout related to privacy breaches, violations of legal holds, spoliation claims, corporate governance missteps, data leaks and flawed corporate risk strategy and management.

Gartner defines information governance as “the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.” See, Gartner IT Glossary. In layman's terms, information governance can be thought of as the application of systematic controls to records and information, regardless of media, through the entire life cycle ' from creation or receipt to destruction or permanent retention. This new lens for viewing information governance brings into focus not just the traditional legal and compliance aspects of records and information management, but those associated with technology, operations, risk management and safety/security/privacy across the business.

Although Legal, Compliance, IT, and Records Management all have various responsibilities and accountabilities for policies, technologies, processes and procedures, the establishment of an information governance strategy will help fuse the seemingly disparate elements into a focused and comprehensive approach. Key activities for the development of an information governance strategy, as well as several essential components, are further discussed below.

Diagnostic Assessment and Information Governance Strategy

In order to ensure all aspects of an organization's information management needs are included in a comprehensive strategy, a cross-functional team of representatives from Legal, Compliance, IT, Records Management and other key business stakeholders should be designated as members of the information governance working group. Ideally, this core team will oversee the information governance initiative, from diagnostic assessment through implementation, bringing in subject matter experts as needed. The working group's job is to assess the organization's current state of records and information management, analyze this “as-is” state against standards and industry best practices, and then identify the gaps between the current state and the desired outcome.

The group's first task is to review the current state of the organization's record or information management program. The initial assessment includes items such as the policies and processes currently in existence, the identification of risks and opportunities, jurisdictions in which business is or may be conducted, applicable regulatory agencies and regulations, and the current information creation and management lifecycle.

One of the key questions to ask during the diagnostic assessment is: “What is impeding the organization's ability to readily apply retention schedules to records and information?” This inability often results in an ever-growing volume of information that is likely being retained beyond all legal, regulatory and operational needs.

Using the results of the diagnostic assessment as a baseline, the working team can then begin to identify the specific people, processes and technologies needed to evolve from the current state to the desired future state. The strategy may include:

• An overall vision for information governance that incorporates “best practice” program governance, enabling technology and enhanced business practices;
• Identification of key information management initiatives that will help realize the organization's information governance vision, reducing risk while balancing legal, compliance and business requirements and objectives. Initiatives might include:
• |
  • A strategy for the management of unstructured content, leveraging existing technology and tools where appropriate; and
  • A process for a risk-based assessment and resulting prioritized plan to address structured data and source systems to meet records and information management requirements.
• An overall information governance infrastructure that defines accountability and authority, and related roles and responsibility for comprehensive information governance throughout the enterprise.
• Methodologies for change management to allow for an effective/efficient implementation of change.

In addition to the development of the strategic initiatives, the working group should develop a “roadmap” as a blueprint for prioritizing the implementation of the initiatives. This will allow the organization to move sensibly from its current state to a fully deployed and sustainable program. Identifying high-level, short and long term priorities will allow the organization to address critical improvements in key areas while moving forward with foundational improvements in information management technology and processes that may require several years to fully achieve. A phased approach should also take into consideration the organization's global footprint and differing requirements per jurisdiction.

Transforming a records management process into a comprehensive information governance approach does not happen overnight. Establishing a working group that is dedicated and engaged is a critical first step. The working group's assessment and strategic vision will guide and oversee the quality and progress of the information governance initiatives.

Information Governance Policy and Procedures

Before future specifics can be decided, a working group should be established to assess the current status of records management against the ideal future state, and, from that, design a master plan and “road map” for implementation. Once the guiding principles for information governance are in place, the focus shifts to drafting supporting documents and detailing program specifics, such as technology needs and destruction protocols.

After defining the information governance strategy and approach, the working group should draft governing documents, including policies and procedures as the foundation on which all subsequent implementation activities are built.

An over-arching information governance policy includes the scope, purpose, objectives, responsibilities and standards for comprehensive information management throughout the organization. In addition to the over-arching information governance policy, other existing policies such as those that cover privacy and protection, and electronic communications, should be re-examined and updated as needed to ensure they are in alignment with the information governance policy.

In conjunction with the development of the policy, the information governance infrastructure framework should be designed. The framework details roles, responsibilities, and accountabilities of the information governance executive sponsors, the Advisory and/or Steering Committees, the working teams, as well as the responsibilities of all employees. The identified roles and responsibilities should be documented and formalized as part of the information governance policy.

It is likely that each policy statement or requirement will require additional procedural guidance to ensure its implementation. In addition, any single policy requirement may call for multiple procedures, since implementation tactics may vary depending on the record media or storage repository. For example, the implementation of the policy requirement that “records will be retained in accordance with the Company Retention Schedule” may be relatively straight forward in the hardcopy recordkeeping environment. However, applying the retention schedule in one of the unstructured electronic recordkeeping environments ( i.e. , ECM, SharePoint, shared drives) is challenging without detailed guidance. These additional procedural documents should be authored as the strategy and its related initiatives evolve.

Special mention should be made regarding the organization's retention schedule, since it should be cross-referenced in the policy as defining the organization's official position on retention time periods. The retention schedule is foundational to information governance, since it defines how long an organization is legally or operationally obliged to retain records, and when they can be destroyed. The retention schedule should be based on a review of regulatory requirements, interviews with business representatives/record owners, workflow analysis, and the scope of documents/data. Most retention schedules are developed by the records management department, with review and approval provided by Legal, Compliance and Tax. Retention schedules that were originally developed for paper records only, organized by department, may require revision to ensure they are based on business function and can be applied to electronic records as well.

Enabling Technologies

The goals of information governance and system operations set out in the governance documents provide the basis for identifying the technology necessary to effectuate the plan. Start by evaluating the capabilities needed for implementation, then consider the most pressing priorities, budget constraints, technology in development or slated for purchase, and what is currently used across the organization. Existing technology might provide a viable solution after enhancement or upgrade. In-progress projects or purchases may need to be put on hold or redesigned.

One of the greatest challenges faced by most organizations today is the management and control of “unstructured content.” Unstructured content includes e-mail files, word-processing text documents, presentations files, spreadsheets, JPEG and GIF image files. It may be stored on shared or personal drives, in collaborative environments such as SharePoint, in e-mail systems, and in document or content management systems. Unstructured content poses significant management challenges since its management relies heavily on individual user action and falls outside the purview of the traditional IT system information management model.

Most unstructured content is created in an ad hoc fashion by individual business users, with little consistency in creation, naming, storing, disposing, etc. As mentioned throughout this article, if left unmanaged, the sheer volume of unstructured content that is generated each year within an organization can be costly in terms of storage. In addition to these “hard dollar” costs, significant inefficiencies result from ineffective use of staff time when searching for needed information. Unmanaged content can also pose a liability if information cannot be located in the event of an audit, investigation, or litigation.

One “enabling technology” that organizations may wish to consider is an enterprise content management system. These systems, if properly designed, developed and deployed, may allow an organization to apply the lifecycle controls (including disposition) to the terabytes of unstructured content in existence today.

Once initial needs are established, making sure to account for projected corporate expansion, vendors can be contacted to present potential solutions, RFPs can be issued, and a technology plan created.

Key Benefit of Information Governance: Defensible Destruction

A primary objective of a comprehensive information governance system is the disposition of data that has surpassed defined retention requirements. As discovery and storage costs skyrocket, the days of keeping everything forever have past. Defensible destruction helps control discovery costs on the front end, before the need for discovery even arises, narrowing the amount of data that must be searched, collected and reviewed; in fact, the Electronic Discovery Reference Model (EDRM) specifically prescribes information management as the first step in the discovery process.

Defensible destruction also helps manage data privacy issues. By methodically and consistently disposing of data that has exceeded its retention requirements, legal departments are left with a much smaller pool of information that is subject to regulatory and privacy laws, saving the company significant cost, time, and risk. This alleviates challenges not only in the United States, but also globally, where both complexity and cost of missteps often far surpass those domestically and have been a continued source of difficulty for multi-national companies.

Defensible destruction is just that ' destruction that is neither arbitrary nor sporadic, does not violate a legal hold, and can be defended in a court or regulatory proceeding. As a result of implementing strategies for the lifecycle management of information, defensible destruction will be one of the key benefits. (Note: An organization should ensure it has a robust and comprehensive legal hold policy and procedures in place before undertaking any disposition activities.)

Change Management

A critical success factor to implementing the many aspects of information governance is a solid change management plan. In all likelihood, the information governance plan will entail departures from past records management processes. Employee acceptance and positive adoption of the new way of managing information is critical to the plan's success and realizing a return on potentially significant technology investments. Detailed communications plans and training should be offered at the initial roll-out of the each initiative and periodically reinforced. Usage metrics can be a powerful tool to manage change. Monitoring usage can reveal signs of resistance to program adoption or decreased utilization over time (which may illuminate technology or process inefficiencies that can be corrected). It is important to develop relevant audit and compliance plans under those departments' leadership and link them to the Governance, Risk Management and Compliance (GRC) system, if applicable. Lastly, a mechanism for employee feedback during the first year is a valuable tool for achieving program acceptance and optimization.

The information governance working team should take an active role in creating communications and conducting training. Providing examples of lawsuits or penalties incurred for poor information governance can help underscore the importance of corporate-wide adoption and 100% employee participation.

Information creation has come a long way since documents were created on manual typewriters and old files placed in boxes and shipped off to storage facilities. The speed and volume of information creation will only increase as new platforms evolve and lines between personal and work devices grow hazier. Similarly, the complexity of the regulations regarding that information will only increase as organizations grow globally or conduct more cross-border business. A traditional approach to records management does nothing to reduce the root causes of information volume, and even the best programs remain susceptible to human error and gaps in participation. By championing a comprehensive, inclusive information governance program that utilizes technology strategically, organizations can reduce costs, minimize failures, and free up time and resources for other priorities.

Laurie Fischer is a Managing Director at Huron Legal. She has extensive expertise in the design, development and implementation of records and information management programs for organizations of all types and sizes. Heather Yanak is a Manager at Huron Legal. With a background in corporate law, compliance, and risk management at companies both in the United States and abroad, Yanak combines consulting with prior legal practice in the areas of tax and employee benefits.

Ninety percent of information in existence today was created in the last two years and experts estimate that, currently, over 90% of corporate data is in a digital format. Data is currently being created at a rate of two million terabytes per year, and industry analysts surmise that number will explode to four million terabytes per day in the near future. See, “What Is Big Data?” IBM.com.

Corporate law departments acknowledge the need to manage and control this unabated and explosive growth of digital information, yet understand that the traditional approach will not work. In the past, the responsibility for creating and implementing an organization's records management program has typically fallen to the records manager, with support from the corporate law department for certain activities such as approving the company records retention schedule. Records management programs focused primarily on paper records management. Now, with information ever growing and primarily in digital format, most organizations acknowledge that a different approach needs to be taken.

Compounding the problem are regulatory and privacy issues. There are thousands of regulations, both in the United States and abroad, that affect recordkeeping and require research and compliance. Further, there is no single set of global data privacy criteria, and laws outside the U.S. ' particularly in the E.U. ' are more stringent. In addition, business units within a single company may have very different information management needs and have developed their own policies and procedures, often in contradiction of one another. Resolving these issues, including the immediate need for institutional policy consistency, as well as the exceptionally complex aspects of policy implementation across all electronic repositories, seems a Herculean task.

Comprehensive Strategy Required

Absent a comprehensive and strategic plan to manage and control records and information, organizations have attempted myriad approaches, both manual and technical. Asking employees to spend hours sorting shared drives and e-mails has proven untenable. Technical approaches, such as arbitrary time-based or volume caps on e-mail Inboxes to force e-mail deletion, have often resulted in employee workarounds, including the creation of personal storage tables (PSTs). Costly technology solutions, originally considered the Holy Grail, often fail for lack of upfront comprehensive and holistic analysis of information lifecycle requirements. Many such “solutions” have been implemented by the IT department, ignoring the fact that Legal, IT, Records Management, and the business often speak different languages. A comprehensive analysis of requirements across the organization to yield an acceptable translation of seemingly conflicting priorities is often ignored due to a lack of internal expertise to conduct such an analysis and the amount of time required for its completion.

Faced with the seemingly insurmountable odds against truly comprehensive management and control over digital information, some general counsel have concluded, “we've never had any significant litigation due to keeping records too long, and no 'smoking gun' records have ever cost us a major case or settlement dollars,” and have chosen simply to keep everything. This position, however, is no longer acceptable. Although legal risk may have been low in the past, an organization's inability to promptly retrieve information related to an audit, litigation or investigation may lead to fines, sanctions and penalties in the future.

Further, there is risk of producing an incorrect version or rendition of a document or record. Add to that the inefficiencies and ineffective use of staff time, and the burgeoning cost of storage and e-discovery, and organizations can no longer bury their heads in the sand.

Increasingly, many law departments, along with their IT and Records Management colleagues, agree on three things: 1) information management is not an issue they can adequately solve on their own; 2) it goes far beyond the retention and destruction of documents; and 3) effective information management should be part of a much larger corporate information management strategy. Organizations realize they will not be able to avoid litigation, control spiraling costs, and stay ahead of the proliferation of information without a fundamental shift in approach toward one of information governance, corporate-wide partnership and holistic technology solutions.

Effective Information Governance

Law departments have a vested interest in corporate information governance, and they should be an active participant in the solution. Ineffective records management directly preys on a corporate law department's time, money and people ' hours spent searching for needed records or the proper version of a document, poor partnering with law firms and costly duplicative efforts, and an inability to respond on a timely basis to legal or audit inquiries or government investigations are but a few examples. But ineffective information governance sneaks up on the law department in the form of fallout related to privacy breaches, violations of legal holds, spoliation claims, corporate governance missteps, data leaks and flawed corporate risk strategy and management.

Gartner defines information governance as “the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.” See, Gartner IT Glossary. In layman's terms, information governance can be thought of as the application of systematic controls to records and information, regardless of media, through the entire life cycle ' from creation or receipt to destruction or permanent retention. This new lens for viewing information governance brings into focus not just the traditional legal and compliance aspects of records and information management, but those associated with technology, operations, risk management and safety/security/privacy across the business.

Although Legal, Compliance, IT, and Records Management all have various responsibilities and accountabilities for policies, technologies, processes and procedures, the establishment of an information governance strategy will help fuse the seemingly disparate elements into a focused and comprehensive approach. Key activities for the development of an information governance strategy, as well as several essential components, are further discussed below.

Diagnostic Assessment and Information Governance Strategy

In order to ensure all aspects of an organization's information management needs are included in a comprehensive strategy, a cross-functional team of representatives from Legal, Compliance, IT, Records Management and other key business stakeholders should be designated as members of the information governance working group. Ideally, this core team will oversee the information governance initiative, from diagnostic assessment through implementation, bringing in subject matter experts as needed. The working group's job is to assess the organization's current state of records and information management, analyze this “as-is” state against standards and industry best practices, and then identify the gaps between the current state and the desired outcome.

The group's first task is to review the current state of the organization's record or information management program. The initial assessment includes items such as the policies and processes currently in existence, the identification of risks and opportunities, jurisdictions in which business is or may be conducted, applicable regulatory agencies and regulations, and the current information creation and management lifecycle.

One of the key questions to ask during the diagnostic assessment is: “What is impeding the organization's ability to readily apply retention schedules to records and information?” This inability often results in an ever-growing volume of information that is likely being retained beyond all legal, regulatory and operational needs.

Using the results of the diagnostic assessment as a baseline, the working team can then begin to identify the specific people, processes and technologies needed to evolve from the current state to the desired future state. The strategy may include:

• An overall vision for information governance that incorporates “best practice” program governance, enabling technology and enhanced business practices;
• Identification of key information management initiatives that will help realize the organization's information governance vision, reducing risk while balancing legal, compliance and business requirements and objectives. Initiatives might include:
• |
  • A strategy for the management of unstructured content, leveraging existing technology and tools where appropriate; and
  • A process for a risk-based assessment and resulting prioritized plan to address structured data and source systems to meet records and information management requirements.
• An overall information governance infrastructure that defines accountability and authority, and related roles and responsibility for comprehensive information governance throughout the enterprise.
• Methodologies for change management to allow for an effective/efficient implementation of change.

In addition to the development of the strategic initiatives, the working group should develop a “roadmap” as a blueprint for prioritizing the implementation of the initiatives. This will allow the organization to move sensibly from its current state to a fully deployed and sustainable program. Identifying high-level, short and long term priorities will allow the organization to address critical improvements in key areas while moving forward with foundational improvements in information management technology and processes that may require several years to fully achieve. A phased approach should also take into consideration the organization's global footprint and differing requirements per jurisdiction.

Transforming a records management process into a comprehensive information governance approach does not happen overnight. Establishing a working group that is dedicated and engaged is a critical first step. The working group's assessment and strategic vision will guide and oversee the quality and progress of the information governance initiatives.

Information Governance Policy and Procedures

Before future specifics can be decided, a working group should be established to assess the current status of records management against the ideal future state, and, from that, design a master plan and “road map” for implementation. Once the guiding principles for information governance are in place, the focus shifts to drafting supporting documents and detailing program specifics, such as technology needs and destruction protocols.

After defining the information governance strategy and approach, the working group should draft governing documents, including policies and procedures as the foundation on which all subsequent implementation activities are built.

An over-arching information governance policy includes the scope, purpose, objectives, responsibilities and standards for comprehensive information management throughout the organization. In addition to the over-arching information governance policy, other existing policies such as those that cover privacy and protection, and electronic communications, should be re-examined and updated as needed to ensure they are in alignment with the information governance policy.

In conjunction with the development of the policy, the information governance infrastructure framework should be designed. The framework details roles, responsibilities, and accountabilities of the information governance executive sponsors, the Advisory and/or Steering Committees, the working teams, as well as the responsibilities of all employees. The identified roles and responsibilities should be documented and formalized as part of the information governance policy.

It is likely that each policy statement or requirement will require additional procedural guidance to ensure its implementation. In addition, any single policy requirement may call for multiple procedures, since implementation tactics may vary depending on the record media or storage repository. For example, the implementation of the policy requirement that “records will be retained in accordance with the Company Retention Schedule” may be relatively straight forward in the hardcopy recordkeeping environment. However, applying the retention schedule in one of the unstructured electronic recordkeeping environments ( i.e. , ECM, SharePoint, shared drives) is challenging without detailed guidance. These additional procedural documents should be authored as the strategy and its related initiatives evolve.

Special mention should be made regarding the organization's retention schedule, since it should be cross-referenced in the policy as defining the organization's official position on retention time periods. The retention schedule is foundational to information governance, since it defines how long an organization is legally or operationally obliged to retain records, and when they can be destroyed. The retention schedule should be based on a review of regulatory requirements, interviews with business representatives/record owners, workflow analysis, and the scope of documents/data. Most retention schedules are developed by the records management department, with review and approval provided by Legal, Compliance and Tax. Retention schedules that were originally developed for paper records only, organized by department, may require revision to ensure they are based on business function and can be applied to electronic records as well.

Enabling Technologies

The goals of information governance and system operations set out in the governance documents provide the basis for identifying the technology necessary to effectuate the plan. Start by evaluating the capabilities needed for implementation, then consider the most pressing priorities, budget constraints, technology in development or slated for purchase, and what is currently used across the organization. Existing technology might provide a viable solution after enhancement or upgrade. In-progress projects or purchases may need to be put on hold or redesigned.

One of the greatest challenges faced by most organizations today is the management and control of “unstructured content.” Unstructured content includes e-mail files, word-processing text documents, presentations files, spreadsheets, JPEG and GIF image files. It may be stored on shared or personal drives, in collaborative environments such as SharePoint, in e-mail systems, and in document or content management systems. Unstructured content poses significant management challenges since its management relies heavily on individual user action and falls outside the purview of the traditional IT system information management model.

Most unstructured content is created in an ad hoc fashion by individual business users, with little consistency in creation, naming, storing, disposing, etc. As mentioned throughout this article, if left unmanaged, the sheer volume of unstructured content that is generated each year within an organization can be costly in terms of storage. In addition to these “hard dollar” costs, significant inefficiencies result from ineffective use of staff time when searching for needed information. Unmanaged content can also pose a liability if information cannot be located in the event of an audit, investigation, or litigation.

One “enabling technology” that organizations may wish to consider is an enterprise content management system. These systems, if properly designed, developed and deployed, may allow an organization to apply the lifecycle controls (including disposition) to the terabytes of unstructured content in existence today.

Once initial needs are established, making sure to account for projected corporate expansion, vendors can be contacted to present potential solutions, RFPs can be issued, and a technology plan created.

Key Benefit of Information Governance: Defensible Destruction

A primary objective of a comprehensive information governance system is the disposition of data that has surpassed defined retention requirements. As discovery and storage costs skyrocket, the days of keeping everything forever have past. Defensible destruction helps control discovery costs on the front end, before the need for discovery even arises, narrowing the amount of data that must be searched, collected and reviewed; in fact, the Electronic Discovery Reference Model (EDRM) specifically prescribes information management as the first step in the discovery process.

Defensible destruction also helps manage data privacy issues. By methodically and consistently disposing of data that has exceeded its retention requirements, legal departments are left with a much smaller pool of information that is subject to regulatory and privacy laws, saving the company significant cost, time, and risk. This alleviates challenges not only in the United States, but also globally, where both complexity and cost of missteps often far surpass those domestically and have been a continued source of difficulty for multi-national companies.

Defensible destruction is just that ' destruction that is neither arbitrary nor sporadic, does not violate a legal hold, and can be defended in a court or regulatory proceeding. As a result of implementing strategies for the lifecycle management of information, defensible destruction will be one of the key benefits. (Note: An organization should ensure it has a robust and comprehensive legal hold policy and procedures in place before undertaking any disposition activities.)

Change Management

A critical success factor to implementing the many aspects of information governance is a solid change management plan. In all likelihood, the information governance plan will entail departures from past records management processes. Employee acceptance and positive adoption of the new way of managing information is critical to the plan's success and realizing a return on potentially significant technology investments. Detailed communications plans and training should be offered at the initial roll-out of the each initiative and periodically reinforced. Usage metrics can be a powerful tool to manage change. Monitoring usage can reveal signs of resistance to program adoption or decreased utilization over time (which may illuminate technology or process inefficiencies that can be corrected). It is important to develop relevant audit and compliance plans under those departments' leadership and link them to the Governance, Risk Management and Compliance (GRC) system, if applicable. Lastly, a mechanism for employee feedback during the first year is a valuable tool for achieving program acceptance and optimization.

The information governance working team should take an active role in creating communications and conducting training. Providing examples of lawsuits or penalties incurred for poor information governance can help underscore the importance of corporate-wide adoption and 100% employee participation.

Information creation has come a long way since documents were created on manual typewriters and old files placed in boxes and shipped off to storage facilities. The speed and volume of information creation will only increase as new platforms evolve and lines between personal and work devices grow hazier. Similarly, the complexity of the regulations regarding that information will only increase as organizations grow globally or conduct more cross-border business. A traditional approach to records management does nothing to reduce the root causes of information volume, and even the best programs remain susceptible to human error and gaps in participation. By championing a comprehensive, inclusive information governance program that utilizes technology strategically, organizations can reduce costs, minimize failures, and free up time and resources for other priorities.

Laurie Fischer is a Managing Director at Huron Legal. She has extensive expertise in the design, development and implementation of records and information management programs for organizations of all types and sizes. Heather Yanak is a Manager at Huron Legal. With a background in corporate law, compliance, and risk management at companies both in the United States and abroad, Yanak combines consulting with prior legal practice in the areas of tax and employee benefits.