Information governance is key to any legal firm's smooth and compliant running. To bypass safe and suggested methods of managing and protecting data is to put a firm and its reputation at risk.

In this whitepaper, Peter Lamb outlines the details of how good firms deal with information governance and how to further strengthen a workplace with new strategies regarding sensitive data.

Let me guess. You spent months, maybe years, building the perfect information governance policy. You held training sessions. Sent reminders. Got everyone to sign off. Partners nodded enthusiastically in the meeting. Associates clicked "I agree." Staff completed the certification. And then... nothing changed. Even the best-designed policies struggle without the proper cultural foundation.

Information governance fails far more often due to cultural resistance than to technical problems. We spend all our time obsessing over frameworks, tools, and procedures. We treat culture as an afterthought, as if it is something to address through change management or training. But culture is not a barrier to overcome on your way to implementing governance. Culture is the environment where implementation occurs.

The autonomy imperative 

Legal organizations have specific cultural characteristics that make governance particularly challenging. Understanding them is essential for making progress. Lawyers view autonomy as basically sacred. Their professional identity centers on independent thinking, questioning assumptions, and making their own decisions. When your information governance policy mandates "classify all documents within 24 hours," "use only these approved communication channels," or "follow this retention schedule exactly," it implies that the people tasked with following the policies cannot be trusted to make good decisions about information. 

I have watched this play before. Members with 25 years of experience using their own client organization system can find anything in seconds. Then, the information governance team rolls out new policies requiring a standardized taxonomy and folder structure. For practice members, the whole thing feels like someone saying, "Your proven system that's worked for a quarter century? It's not good enough, so we made you a new one to follow. And we didn't include you in conversations about the policies because we know how to do this part of your job better than you." Experienced lawyers do not refuse to adopt IG policies because they are lazy, stubborn, or incapable of understanding why it matters.

The billable hour within the cultural ethos

The billable hour shapes how people think about literally everything they do. There's a constant mental calculation: "Is this generating revenue?" And information governance activities, like classifying documents, applying retention holds, updating matter records, sitting through security training, all read as "non-billable" in that calculation. 

The cultural message becomes crystal clear: Governance is overhead. Time spent on governance is time not spent on what actually matters. Real work is client work. This thinking intensifies with seniority. A junior associate might spend 15 minutes properly filing and classifying documents. They need to look diligent by billing as much time as possible. But the same 15 minutes managing documents feels wasteful to a partner with a packed schedule and major clients. Frivolous, even.

Whether you say it out loud or not, the fact remains that as lawyers become more valuable to the firm, governance matters less. 

Partnership dynamics and accountability

Partners are peers, not subordinates. And that professional dynamic creates an enforcement vacuum. In a typical corporate hierarchy, a manager can require compliance from their team. But the firm's general counsel or CIO? The IG team can make suggestions, advocate for new policies and processes, and build business cases. But they typically cannot compel partner compliance. The managing partner might support the governance conceptually. But spending political capital to enforce it? That's a different conversation. Moreover, practice group leaders usually see governance as outside their domain. So you get this tragedy-of-the-commons situation.

Everyone benefits from good information governance (ie, better risk management, more effortless knowledge transfer, reduced litigation exposure), but any individual partner can free-ride. They get all the benefits while personally avoiding the hassle of compliance. This free-riding goes unchallenged because peers don't want to police peers. Everyone knows who the violators are.

Nobody wants to be the one to call them out. 

Client service above all

"The client comes first" is a deeply held professional value in legal culture, not a marketing catchphrase. And it creates a predictable collision with governance requirements.

Picture this: A client needs a document immediately. Your governance policy says, "Classify it first, then send it through approved secure channels." What the attorney hears is: "Make the client wait while you complete bureaucratic nonsense." Or retention policies say you need to delete old matter files. The attorney thinks: "But what if the client calls asking about something from five years ago?" The cultural weight falls entirely on one side of this equation.

Nobody ever got fired for being too responsive to clients. In that framework, governance always loses. 

Recognizing cultural warning signs

Before you can shift culture, you need to understand it honestly. These patterns indicate where culture and governance are not yet aligned. These are gaps that policy alone will not bridge. 

"That's not my job."

The most common red flag is when everyone thinks information governance belongs to someone else. Attorneys think it's IT's responsibility. IT sees it as a records management problem. Records management thinks it requires buy-in from legal operations. Legal operations thinks attorneys need to drive it.

This fragmented ownership means nobody feels truly responsible. Everyone can point to someone else as the "real" owner. And when everyone can do that, the culture has basically inoculated itself against change. You hear it in the language: "What does IT want us to do about retention?" instead of "What should our retention approach be?" That little shift from "we" to "they" tells you everything. 

Tolerance for star performers

Watch what happens when your highest-billing partner or biggest rainmaker violates governance policies. If the response is silence, or worse, if people make excuses ("She's too busy with the X matter," "He brings in too much business to worry about this stuff"), you're seeing culture in action.

This selective enforcement teaches a brutally clear lesson: Governance applies to people who don't matter enough to be exempt. High performers learn they're above the rules. Everyone else learns that governance isn't essential. The damage extends way beyond the individual violation. Junior people see stars getting away with non-compliance. They internalize that governance is performance theater. 

Workaround culture

In organizations with healthy governance cultures, people who discover legitimate problems with policies propose solutions. They flag issues. They suggest improvements.

In toxic governance cultures, people create workarounds and share them like life hacks. "Here's how to get around the document classification requirement." "Use this method to avoid the approval workflow." These workarounds get passed from person to person. They become part of the informal onboarding. The cultural message: Governance policies are obstacles to work around, not systems to work within. Clever non-compliance becomes a badge of competence. 

Why traditional approaches fail

Understanding why standard governance implementation approaches fail helps clarify what's needed instead.  

Most governance initiatives follow a predictable pattern: Assemble a team and research best practices. Develop comprehensive policies. Select appropriate technology. Announce the new program with great fanfare. Conduct training. Assume adoption will follow naturally. This fails because it treats governance as a technical problem requiring a technical solution. But culture isn't technical. You can't overcome cultural resistance by creating better SharePoint workflows or writing more straightforward retention guidelines. The technology might be perfect, and the policies might be flawless, but if they conflict with cultural values and norms, culture wins every single time. 

Organizations routinely overestimate what training can accomplish. The implicit theory: People don't follow governance because they don't understand it. So explaining it better will solve the problem. But lack of understanding is rarely the real issue. Most governance violations don't stem from confusion about what the policy requires. People know they should classify documents. They know they should follow retention schedules. They choose not to because competing priorities feel more urgent. You can't train people out of believing that attorney autonomy matters more than standardized processes. You can't train away the pressure to bill hours. 

Carrots and sticks don't work either. Rewards for compliance send a weird message. If you have to pay people to follow governance policies, you're implicitly admitting those policies don't serve their interests. Punishments create a culture of fear and minimal compliance. People do exactly enough to avoid consequences and no more. Real cultural change requires governance to become intrinsically valued. People need to follow governance policies because doing so aligns with their professional identity and helps them do their work.  

So if traditional approaches don't work, what does? Transforming culture requires fundamentally different strategies than implementing policies. 

The most powerful cultural strategy is demonstrating how governance serves values people already hold. Don't position governance as competing with client service, attorney autonomy, or professional excellence. Show how governance enables those things. 

For client service: Our retention policies ensure we can quickly find precedents to better serve clients. Our security protocols protect client confidentiality, which clients increasingly audit. Our matter management system helps us avoid conflicts that could damage client relationships. Not governance versus clients, but governance for clients. 

For professional excellence: Good governance is good lawyering. Judges increasingly impose sanctions for retention failures. Clients audit our security practices before hiring us. Bar associations are adding data privacy to ethical requirements. This works because it doesn't ask people to abandon their values for governance. It shows how governance aligns with what they already care about. 
Cultural change in partnership organizations absolutely requires leadership from the top. Start with firm management—managing partners, department heads, and executive committee members. These are as close as you get to bosses in a partnership structure, and their visible, sustained support is essential. Not just an email saying governance matters, but active sponsorship: discussing governance in partner meetings, including it in strategic planning, and making it part of their leadership messaging. 

You also need influential partners who have genuine respect within their practice groups and peer networks. Not necessarily the governance enthusiasts, but the partners that other partners emulate. The litigation partner everyone admires for their trial skills. The corporate partner who built the M&A practice from nothing. The senior partner who mentored half the partnership. These partners need to model governance behaviors visibly and articulate governance as part of their practice excellence.

When firm leadership sets the direction and respected practitioners demonstrate it in action, that's when the cultural mechanism of social proof kicks in. People adopt behaviors they see high-status peers performing. 
Culture lives in the regular activities that reinforce what's valued. Organizations serious about governance culture build governance into existing rituals rather than creating separate governance activities. Practice group meetings include a five-minute governance segment. Not a lecture. A story. Someone shares a success: "The matter management system helped us spot a potential conflict early." Brief stories. Repeated regularly. This makes governance a normal topic of conversation. 

New matter intake processes include governance components presented as essential rather than optional. Performance reviews and partner evaluations include explicit governance criteria. When governance shows up in conversations about whether someone's ready for partnership or what their compensation should be, it signals that governance matters for professional success. The key is integration, not separation. Make governance part of practice, not apart from practice. 
Humans think in narrative ways more naturally than in abstract ways. Governance initiatives typically communicate through statistics: "Our retention compliance rate is 73%." These abstractions don't stick. But stories stick. The partner who lost a motion to compel because of retention failures, and how humiliating that was in front of the client. The firm that won a significant piece of business because its security practices impressed the GC. The associate who saved hours of weekend work by finding a perfect precedent in the properly managed knowledge system.

Stories make governance concrete instead of abstract. They create shared narratives about what good practice looks like. 
Cultural change ultimately requires aligning incentives with desired behaviors. If your compensation system, evaluation criteria, and recognition mechanisms all reward behaviors that conflict with governance, culture won't change. Consider making certain governance activities billable. Matter setup. Retention decisions. Security protocol compliance. If partnership evaluation ignores governance entirely, add it as an explicit criterion if stars get away with violations; that has to stop. I know this is not easy because it requires confronting valuable people. But selective enforcement is cultural poison. If governance doesn't matter for stars, it doesn't really matter at all. 
Many governance policies assume ideal actors. Perfectly rational people who carefully read policies, understand their importance, and diligently comply. Real humans are distracted, forgetful, overwhelmed, and influenced by social context. They're doing their best, but they're juggling seventeen things, and governance is just one of them. Governance systems designed for real humans build in defaults, prompts, and friction reduction. The document management system that auto-classifies based on matter type. The email encryption happens automatically.

When governance feels burdensome, people resent it. When systems work with human reality rather than against it, people experience governance as helpful.

Cultural transformation doesn't happen through one dramatic intervention. It requires sustained effort across multiple dimensions. Start by honestly assessing your current culture through anonymous surveys and by observing actual practices rather than stated policies. Identify your people with genuine influence, or culture carriers. Choose a few high-leverage changes that create visible shifts in what's professionally normal. 

Build governance into existing rhythms rather than creating separate initiatives. Supplement compliance metrics with cultural indicators: Do people feel governance helps or hinders? Do violations decrease from genuine behavior change? Celebrate and reinforce new norms. When people demonstrate good governance, acknowledge it specifically and tie it to outcomes. 

Be patient. You can deploy a system in months. Cultural transformation takes years. Organizations that succeed maintain a consistent focus over extended periods. The work isn't exciting, but persistent effort moves the needle. People who initially resisted start complying, often without even realizing they've changed. Compliance becomes a habit. Habits become norms. Norms become culture. 

Moving forward

Information governance fails in most organizations not because of inadequate policies or insufficient technology, but because of a cultural mismatch. Policies that conflict with deeply held cultural values will be ignored. Culture is stronger than policy every single time. 

You cannot impose governance on a resistant culture. You must transform the culture so governance becomes culturally congruent. This requires understanding the specific characteristics of legal culture -- the autonomy imperative, partnership dynamics, client service orientation, and billable-hour pressure. It requires abandoning approaches that treat governance primarily as technical and adopting strategies that address culture directly: connecting to existing values, leveraging influential partners, creating rituals, telling stories, aligning incentives, and designing for real humans. 

The work is challenging and slow. But it's the only work that produces lasting change. Organizations that invest in cultural transformation create governance that sticks because it makes sense, aligns with their professional identity, and helps them do excellent work. 

The question isn't whether anyone follows your information governance policy. The question is whether you've created a culture where following that policy feels professionally natural, aligned with core values, and worthy of the excellent professionals you've hired. Answer that question first. Really answer it honestly. Then the compliance question essentially takes care of itself. 

Does anyone actually follow your information governance policies?

The autonomy imperative

The billable hour within the cultural ethos