Whitepaper
.png?width=1448&height=853&name=teamwork%201448x853%20-%20Hero%20(case%20study).png)
Information is a critical asset for every business – but for law firms it’s even more serious because information is one of the few real assets you have. As such, firms are waking up to the need for robust, firm-wide frameworks for managing information. As to how that’s done, in truth many firms are still struggling with the practicalities of embedding the information governance (IG) they need.
In this whitepaper, Chris Hockey outlines the approach he’s taken as an information governance director at a mid-sized firm based in upstate New York, while Chris Giles of Legal RM supplies a sector-wide perspective.
We won’t dwell too long on what information governance is and why it matters so much to law firms. IG is simply how firms manage their information assets across the entire organization to help achieve two things: on the one hand business success, and on the other risk mitigation.
The business success bit comes from efficient information management that furthers the firm’s objectives. It’s about how vast amounts of data are held and organized to enable quick retrieval, effective collaboration and overall operational efficiency. It’s about embedding a cross-disciplinary approach to information sharing, and nurturing a climate wherein the adoption of appropriate innovation and emerging technologies becomes easier.
IG also facilitates efficient e-discovery processes that reduce costs and comply with court requirements. It includes effective record lifecycle management and systematically purging records the firm no longer needs to retain. It’s also about identifying gaps in systems or procedures that when filled will make information flow more effectively.
Firms with strong IG also put themselves in pole position to institute effective knowledge management, which is about creating and using knowledge to the firm’s benefit. It could be a case of providing timely access to reliable, relevant and comprehensive information that supports better-informed decision making. Or about capturing, preserving and processing institutional knowledge and extracting the maximum value from the information held in the firm.
Risk mitigation
Meanwhile, the risk mitigation bit of IG comes from the need to consistently safeguard information, especially client confidentiality. This is part and parcel of maintaining compliance with regulations (GDPR, CCPA), with client requirements (letters of engagement, OCGs) and with professional obligations (ABA, SRA), thereby avoiding penalties, potential disputes and reputational damage.
On that note, it’s also critical for law firms to maintain client confidence and trust. Robust information governance will help you build and consolidate your reputation for handling client data responsibly and securely, which is the bedrock of many a long-term relationship.
Still under the risk heading, firms also need information governance to underpin business continuity and disaster recovery planning. If the worst happens your recovery will be infinitely easier and quicker if the firm’s information assets are well organized and protected. Part of information governance is about backups and disaster recovery procedures that minimize potential downtime.
As to what IG is in practice, according to the international standard on IG concepts and principles, it’s basically a bundle of policies, processes, procedures, roles and controls that the firm puts in place to help it meet information-related operational, regulatory, legal and risk requirements.1 But it’s also a lot about buy-in. Everyone in the firm should understand and take seriously their own information-related obligations, risks and opportunities. The question becomes: “How do you make that happen?”
No one can decide where it sits
As with much in life, successful IG is about wanting it enough. Senior management need to be committed to the concept and ideally a member of the senior management team needs to take ownership of driving IG through the firm, from top to bottom. Critically, and among other things (eg: providing direction, helping overcome obstacles, communicating goals) this person will ensure that adequate resources are allocated to IG to enable it to take root and thrive. But who is this person?
“I know of one firm, for instance,” says Giles, “that can’t even agree on a retention schedule because their Head of Knowledge Management wants to keep everything forever and says destruction is not needed and a General Counsel who’s pushing back and asking practice teams to weigh in.”
It's a vexed question. Something that Chris Giles, CEO and Founder at LegalRM, observes is that law firms vary widely in structure, capacity and approach. Each is its own unique fiefdom and one of the sticking points when it comes to embracing IG lies in pinning down who in the senior management team will take ownership of it. The danger is that it either falls between the cracks with no oversight and no cohesive approach to a strategy, or it becomes a bone of contention.
He adds that each firm has a unique set of challenges in terms of getting IG policies and procedures even created, because no one can decide where it sits. He often sees IT working in “its own world” focused on application efficiency, security, backups and business continuity, while Records Management specialists are in a different world, focused more on matter mobility and record lifecycle management, but there is often no discussion between the two. Risk Management is another discipline that might claim IG, yet without IT & Records input may not understand the process, data and application challenges. In reality, however, successful IG really does take a village, or a community at least, within the firm that shares a single vision on the need to get it done.
Meanwhile, one possible way to resolve the turf wars, that’s been around maybe for the last decade or so, is to create an Information Governance Director role. This is what brought Chris Hockey into the legal sector as Director of Information Governance and Management at Bond, Schoeneck & King (BSK) in 2019. BSK doesn’t consider itself a large firm, with approaching 300 lawyers in offices in particular in New York state, but also dispersed along the eastern seaboard from Boston to West Palm Beach and inland all the way to Kansas City. Yet the firm could see a clear need for greater information governance control, or at least it’s CIO could. Hence Hockey’s role sits within IT and he reports to the CIO.
Policies and procedures
How do you get IG started at a law firm? One of Chris Hockey’s first big tasks at BSK was drafting the firm’s information governance policy. To do so, he looked at other organizations’ information governance policies in other industries – not least because, as he drily notes, “Legal is not always ahead on these things.” He also reached out to different people in the info-gov world and asked if they could share their thinking and draft policies. He then applied what he’d learned to the BSK context.
Hockey explains that the information governance policy exists to establish the fundamental high-level principles of IG at the firm, set responsibilities and reporting guidelines for committee members and other personnel, and to provide a framework for IG across the firm.
It also references the key components of IG for BSK, which include matter lifecycle management, information security and incident management, technology and data governance, IG awareness and education, and privacy and regulatory compliance. Each of these in turn may well merit its own policy. Hockey says he’s currently working on a data governance policy that is looking at data classification systems, tagging and metadata.
He also notes that to some degree his information governance policy is aspirational. “It’s consciously meant to be kind of future thinking, in terms of what is the ideal state. This policy represents our ideal set-up and configuration, and how we’re going to get there. I really wanted to leave room for us to grow into the policy we were creating.”
Once drafted, it was reviewed by the CIO and sent out for a further review to a third-party Chief Information Security Officer (CISO) with lots of IG policy experience. She mainly checked if anything was missing, not clear, or redundant, e.g. covered by another policy. Then other members of the administrative team had sight of the policy before it went forward to the steering committee (see below). This sequencing is because, notes Hockey, “We really want to make sure that we’re uncovering any potential pitfalls ahead of time.
We want to understand what might cause consternation with the end users that ultimately we’re trying to affect change with. Not necessarily to remove those issues but to at least be in a position to be upfront and say, ‘We understand this might be alarming, or maybe it’s not what you’re used to doing, but here is why we’ve put it in the policy.’”
Steering a path
Thereafter, the linchpin of BSK’s successful IG strategy is the firm’s monthly Privacy and Security Committee on which there are 12 members, including the COO and the General Counsel. The other members represent the different practice groups across the firm. They come from different levels and locations, and include some more senior members, some associates and generally one or two summer clerks. This core is refreshed every January to ensure a continual infusion of new blood.
Including lawyers from different practice groups and levels is key. “What we’re trying to do,” Hockey explains, “is to make change happen with the attorneys. If we can get the representative attorneys on the committee behind our ideas and efforts and really explain the challenges to them, it’s much easier for change to happen because they will take it to their peers. It’s coming from attorneys not some guy higher up. It has a bigger impact.”
Rolling an information governance policy out
The committee’s formal role is to approve and sign off on all the related IG policies. Policy enactment is largely controlled by processes and procedures. Hockey tries to keep committee members out of the weeds to some degree when it comes to procedures.
His tactic is to identify ahead of time those procedures that need to be brought to the group that might cause consternation and on which there might be some pushback.
“We bring these to the group to say: ‘This is what we are proposing, I need your help in backing us up on this and helping us communicate it out.’ It's not every procedure, but we identify the key procedures that we know are going to cause some issues.”
A good example right now is that the firm is pushing for a 365-day email retention policy. This is a big change management issue affecting everyone, as currently there is no retention policy for email. “For something like that, we really have to engage with the committee to identify how to go about communicating this and getting folks behind it.
Conversely, another procedure, where it's of minimal impact, I wouldn’t take to the committee. I can just send out an email saying ‘FYI, we’re now doing it this way instead.’”
Aside from their formal role, then, when it comes to rolling IG policy out into the wider business, steering committee members also act as emissaries and champions of change. Hockey observes, “I can say we need to do X, Y and Z, but the firm’s attorneys could just say, ‘No, we’re not doing that.’
“But when I propose it to the committee and say why and how I believe we should be handling this type of procedure… when the attorneys on the committee get behind that, it’s much harder for the end-user attorney to say no. Not least because it now has the backing and support of the firm’s established and sanctioned committee.”
He adds, “For me that’s really the crux of having that group. It helps you move these initiatives along and get the buy-in from other end users. Because ultimately nothing can happen without that.”
Oversight and controls
The next step is ensuring that processes and procedures are faithfully implemented. To a large extent this is down to resources. Either people need to be in a position to monitor activity, or systems can be implemented that monitor or enforce new processes and procedures.
For example, BSK has introduced a firmwide implementation of Microsoft OneDrive. Among other advantages, this is helping solve the problem of ‘shadow IT’ where individuals inadvertently or habitually save matter material in places where the firm formerly couldn’t see it, eg: their desktops. Now desktop folders are connected to OneDrive. The firm has also developed the capacity to run various reports that are evidencing the transition away from what Hockey calls “the old Wild West” when anyone could create a folder anywhere, and save anything in it.
Also, in relation to oversight and controls, Hockey is following the 80:20 rule, which is another way of saying he’s solving the bigger problems first. “There’s no way for us to monitor everything happening everywhere,” he says. “It’s for us to identify the really big things we need to attend to.
For instance, we have a big push now on email filing into iManage, because we’ve found this is a big pain point when attorneys leave. If they’ve not filed their emails it creates a massive headache for the attorneys taking over and for IT who need to run Outlook searches.
We’ve identified this as a priority so one control is making sure attorneys have filed all their emails before they depart.”
Upstream thinking
While Chris Hockey accepts that not everything can be monitored, he’s also found that another helpful strategy is ‘upstream thinking’. In essence, this means that rather than cleaning up data in every system, it’s about ensuring it’s complete and accurate in the primary upstream data repository.
In BSK this is the firm’s new business intake system. Then, as data flows down into other systems – iManage and the time and billing system – it doesn’t need any more work.
Hence he’s put a lot of focus into working with the new business intake team on the controls that could be put in place. This is a realm where system design and perhaps even some automation can be brought in.
For example, to rein in inaccuracies when form filling, they looked at implementing drop down options menus to replace certain free text boxes. Hockey adds, “More and more we’re also exploring how we can automate different controls, trying to take some of the choice out of various forms.
Although we’re not really deep into the automation piece just yet, it’s definitely part of our aspirational best practice.”
Culture club
In the round, information governance best practice for all law firms should probably include establishing clear objectives, defining roles and responsibilities, and establishing standards and policies that govern how data is captured, stored, processed, shared and protected within the firm. There will be elements of data quality management, and compliance will be a big focus.
Alongside these, firms will also want to develop and nurture a data culture, recruiting everybody in the firm onto the “data team” – so everyone is taking ownership and caring about data. Meanwhile the performance of policies needs to be enforced and monitored. And there will also be a need for continuous improvement, and for policies, processes, procedures and controls to be revisited and updated to reflect the changing needs of the firm and changes in the external environment, including advancements in technology and also changes to regulation.
Chris Giles believes that on the whole it’s a tougher journey for smaller firms, who don’t necessarily have the bandwidth, or the skill sets on hand with which to tackle all the elements of IG. “I think the smaller firms will look to the big firms for a sort of template and thought leadership and to help them understand some of the challenges.” He adds: “They may well know they have problems, but don’t have the skills or the time to deal with it.”
Chris Hockey agrees. From what he’s seen, BSK is relatively mature in IG practice for a firm of its size. “I think larger law firms have been doing this for a longer time, and they have the resource behind it,” he says, “but for everyone else these conversations are going to be very different depending on the size of firm. It also depends on who in the firm is bringing up IG between the firm management saying ‘we need it’ and the CIO. If it’s the latter, it sometimes takes a bit of a sales pitch to convince the lawyers to get on board.”
At BSK, he says, “We’ve made tremendous strides in just four years, but we are nowhere near where other firms are that have had an IG director for longer. It comes back to when did the firm realize that this was something it needed, and who brought it to the table initially.”
Thereafter it’s about building the teamwork that makes the IG dream work: building cooperation and synergy between all the parts of the firm to ensure that IG is inclusive, comprehensive and consistent throughout, leading to a more efficient, effective and resilient law firm.
Webinars-on-demand
ILTA masterclass: How teamwork makes the information governance dream work!
Register to watch this Team IG webinar where, Chris Hockey outlined the approach he took as an information governance director at a mid-sized firm based in upstate New York, while Chris Giles of Legal RM supplied a sector-wide perspective.
