Whitepaper

Does anyone actually follow your information governance policies?

Information governance is key to any legal firm's smooth and compliant running. To bypass safe and suggested methods of managing and protecting data is to put a firm and its reputation at risk.

In this whitepaper, Peter Lamb outlines the details of how good firms deal with information governance and how to further strengthen a workplace with new strategies regarding sensitive data.

 

Let me guess. You spent months, maybe years, building the perfect information governance policy. You held training sessions. Sent reminders. Got everyone to sign off. Partners nodded enthusiastically in the meeting. Associates clicked "I agree." Staff completed the certification. And then... nothing changed. Even the best-designed policies struggle without the proper cultural foundation.

Information governance fails far more often due to cultural resistance than to technical problems. We spend all our time obsessing over frameworks, tools, and procedures. We treat culture as an afterthought, as if it is something to address through change management or training. But culture is not a barrier to overcome on your way to implementing governance. Culture is the environment where implementation occurs.

The autonomy imperative 

Legal organizations have specific cultural characteristics that make governance particularly challenging. Understanding them is essential for making progress. Lawyers view autonomy as basically sacred. Their professional identity centers on independent thinking, questioning assumptions, and making their own decisions. When your information governance policy mandates "classify all documents within 24 hours," "use only these approved communication channels," or "follow this retention schedule exactly," it implies that the people tasked with following the policies cannot be trusted to make good decisions about information. 

I have watched this play before. Members with 25 years of experience using their own client organization system can find anything in seconds. Then, the information governance team rolls out new policies requiring a standardized taxonomy and folder structure. For practice members, the whole thing feels like someone saying, "Your proven system that's worked for a quarter century? It's not good enough, so we made you a new one to follow. And we didn't include you in conversations about the policies because we know how to do this part of your job better than you." Experienced lawyers do not refuse to adopt IG policies because they are lazy, stubborn, or incapable of understanding why it matters.

The billable hour within the cultural ethos

The billable hour shapes how people think about literally everything they do. There's a constant mental calculation: "Is this generating revenue?" And information governance activities, like classifying documents, applying retention holds, updating matter records, sitting through security training, all read as "non-billable" in that calculation. 

The cultural message becomes crystal clear: Governance is overhead. Time spent on governance is time not spent on what actually matters. Real work is client work. This thinking intensifies with seniority. A junior associate might spend 15 minutes properly filing and classifying documents. They need to look diligent by billing as much time as possible. But the same 15 minutes managing documents feels wasteful to a partner with a packed schedule and major clients. Frivolous, even.

Whether you say it out loud or not, the fact remains that as lawyers become more valuable to the firm, governance matters less. 


Partnership dynamics and accountability

Partners are peers, not subordinates. And that professional dynamic creates an enforcement vacuum. In a typical corporate hierarchy, a manager can require compliance from their team. But the firm's general counsel or CIO? The IG team can make suggestions, advocate for new policies and processes, and build business cases. But they typically cannot compel partner compliance. The managing partner might support the governance conceptually. But spending political capital to enforce it? That's a different conversation. Moreover, practice group leaders usually see governance as outside their domain. So you get this tragedy-of-the-commons situation.

Everyone benefits from good information governance (i.e., better risk management, more effortless knowledge transfer, reduced litigation exposure), but any individual partner can free-ride. They get all the benefits while personally avoiding the hassle of compliance. This free-riding goes unchallenged because peers don't want to police peers. Everyone knows who the violators are.

Nobody wants to be the one to call them out. 

Client service above all

"The client comes first" is a deeply held professional value in legal culture, not a marketing catchphrase. And it creates a predictable collision with governance requirements.

Picture this: A client needs a document immediately. Your governance policy says, "Classify it first, then send it through approved secure channels." What the attorney hears is: "Make the client wait while you complete bureaucratic nonsense." Or retention policies say you need to delete old matter files. The attorney thinks: "But what if the client calls asking about something from five years ago?" The cultural weight falls entirely on one side of this equation.

Nobody ever got fired for being too responsive to clients. In that framework, governance always loses. 

Recognizing cultural warning signs

Before you can shift culture, you need to understand it honestly. These patterns indicate where culture and governance are not yet aligned. These are gaps that policy alone will not bridge.

"That's not my job."

The most common red flag is when everyone thinks information governance belongs to someone else. Attorneys think it's IT's responsibility. IT sees it as a records management problem. Records management thinks it requires buy-in from legal operations. Legal operations thinks attorneys need to drive it.

This fragmented ownership means nobody feels truly responsible. Everyone can point to someone else as the "real" owner. And when everyone can do that, the culture has basically inoculated itself against change. You hear it in the language: "What does IT want us to do about retention?" instead of "What should our retention approach be?" That little shift from "we" to "they" tells you everything. 

Tolerance for star performers

Watch what happens when your highest-billing partner or biggest rainmaker violates governance policies. If the response is silence, or worse, if people make excuses ("She's too busy with the X matter," "He brings in too much business to worry about this stuff"), you're seeing culture in action.

This selective enforcement teaches a brutally clear lesson: Governance applies to people who don't matter enough to be exempt. High performers learn they're above the rules. Everyone else learns that governance isn't essential. The damage extends way beyond the individual violation. Junior people see stars getting away with non-compliance. They internalize that governance is performance theater. 

Workaround culture

In organizations with healthy governance cultures, people who discover legitimate problems with policies propose solutions. They flag issues. They suggest improvements.

In toxic governance cultures, people create workarounds and share them like life hacks. "Here's how to get around the document classification requirement." "Use this method to avoid the approval workflow." These workarounds get passed from person to person. They become part of the informal onboarding. The cultural message: Governance policies are obstacles to work around, not systems to work within. Clever non-compliance becomes a badge of competence. 

Why traditional approaches fail

Understanding why standard governance implementation approaches fail helps clarify what's needed instead.  

Most governance initiatives follow a predictable pattern: Assemble a team and research best practices. Develop comprehensive policies. Select appropriate technology. Announce the new program with great fanfare. Conduct training. Assume adoption will follow naturally. This fails because it treats governance as a technical problem requiring a technical solution. But culture isn't technical. You can't overcome cultural resistance by creating better SharePoint workflows or writing more straightforward retention guidelines. The technology might be perfect, and the policies might be flawless, but if they conflict with cultural values and norms, culture wins every single time. 

Organizations routinely overestimate what training can accomplish. The implicit theory: People don't follow governance because they don't understand it. So explaining it better will solve the problem. But lack of understanding is rarely the real issue. Most governance violations don't stem from confusion about what the policy requires. People know they should classify documents. They know they should follow retention schedules. They choose not to because competing priorities feel more urgent. You can't train people out of believing that attorney autonomy matters more than standardized processes. You can't train away the pressure to bill hours. 

Carrots and sticks don't work either. Rewards for compliance send a weird message. If you have to pay people to follow governance policies, you're implicitly admitting those policies don't serve their interests. Punishments create a culture of fear and minimal compliance. People do exactly enough to avoid consequences and no more. Real cultural change requires governance to become intrinsically valued. People need to follow governance policies because doing so aligns with their professional identity and helps them do their work.  

So if traditional approaches don't work, what does? Transforming culture requires fundamentally different strategies than implementing policies. 

Cultural transformation doesn't happen through one dramatic intervention. It requires sustained effort across multiple dimensions. Start by honestly assessing your current culture through anonymous surveys and by observing actual practices rather than stated policies. Identify your people with genuine influence, or culture carriers. Choose a few high-leverage changes that create visible shifts in what's professionally normal. 

Build governance into existing rhythms rather than creating separate initiatives. Supplement compliance metrics with cultural indicators: Do people feel governance helps or hinders? Do violations decrease from genuine behavior change? Celebrate and reinforce new norms. When people demonstrate good governance, acknowledge it specifically and tie it to outcomes. 

Be patient. You can deploy a system in months. Cultural transformation takes years. Organizations that succeed maintain a consistent focus over extended periods. The work isn't exciting, but persistent effort moves the needle. People who initially resisted start complying, often without even realizing they've changed. Compliance becomes a habit. Habits become norms. Norms become culture. 

Moving forward

Information governance fails in most organizations not because of inadequate policies or insufficient technology, but because of a cultural mismatch. Policies that conflict with deeply held cultural values will be ignored. Culture is stronger than policy every single time. 

You cannot impose governance on a resistant culture. You must transform the culture so governance becomes culturally congruent. This requires understanding the specific characteristics of legal culture -- the autonomy imperative, partnership dynamics, client service orientation, and billable-hour pressure. It requires abandoning approaches that treat governance primarily as technical and adopting strategies that address culture directly: connecting to existing values, leveraging influential partners, creating rituals, telling stories, aligning incentives, and designing for real humans. 

The work is challenging and slow. But it's the only work that produces lasting change. Organizations that invest in cultural transformation create governance that sticks because it makes sense, aligns with their professional identity, and helps them do excellent work. 

The question isn't whether anyone follows your information governance policy. The question is whether you've created a culture where following that policy feels professionally natural, aligned with core values, and worthy of the excellent professionals you've hired. Answer that question first. Really answer it honestly. Then the compliance question essentially takes care of itself.