Article

When information becomes a liability:

Why firms must tackle data sprawl

 

Frame 5708915
Group 117 Information risk to operational readiness ARTICLE 1

This article explores how professional service firms accumulate large volumes of information over time and why unmanaged data can quietly become a source of serious risk. 

After many years working with professional services firms, one pattern appears again and again. Organisations rarely encounter problems with information because they are careless. In most cases the challenge develops simply because the firm is successful, busy and continuously generating information as part of the work it delivers for clients.

Every engagement creates documentation. Financial records, tax filings, audit evidence, advisory reports, internal working papers and correspondence all form part of the professional record of client work. These documents move across systems, are shared among colleagues and are often stored in multiple locations so teams can access them easily when needed.

Over time this activity leads to a gradual expansion of information across the organisation. Documents accumulate within document management systems, email environments, collaboration platforms and historic file shares. Each repository serves a purpose, yet together they create an information landscape that becomes increasingly difficult to understand.

This gradual expansion of stored information is often described as data sprawl.

At first the impact is rarely obvious. Storage systems grow quietly in the background, and teams remain focused on delivering high-quality work for clients. Eventually, however, the scale of accumulated information begins to introduce operational complexity. Locating the correct version of a document becomes more difficult, duplicated information appears across systems and uncertainty begins to emerge about which records should still exist and which should have been disposed of long ago.

The challenge is not unique to any one profession. However, professional services firms face particular pressures because the information they manage often contains sensitive financial or personal data. Client records must be retained for regulatory reasons, while historical documentation may be required to demonstrate how advice was delivered or how decisions were made.

As a result, organisations tend to retain information for long periods of time. Over the years this can create substantial archives of material that few people have reviewed systematically.

When 'secure' does not mean 'under control'

 

Many firms have invested heavily in cybersecurity during the past decade. Infrastructure has been strengthened, access controls have improved and monitoring systems now provide much greater visibility into potential threats. These developments are essential in a world where cyber risks continue to evolve.

However, strong security controls do not necessarily mean that information itself is well managed.

Security protects systems from unauthorised access. Information governance, by contrast, focuses on how information is created, stored, retained and eventually disposed of. Even the most secure environment can still contain unmanaged data if the organisation lacks visibility into what it holds.

This distinction often becomes clear during moments of scrutiny. A regulatory enquiry, client audit or subject access request may require the firm to locate historical records quickly. When information is distributed across multiple repositories, identifying the correct documents can become a complex and time-consuming exercise.

At that point the organisation may discover that the challenge is not security but information discipline.

How information sprawl develops

 

Data sprawl rarely emerges because someone makes a poor decision. In most cases it develops through a series of reasonable choices made under operational pressure.

Teams may store documents locally to meet tight deadlines. Files may be copied into collaboration platforms so colleagues can work together more efficiently. Historic engagement records may be retained because deleting them feels risky or because no one is entirely certain whether they may still be required.

Each of these actions is understandable. The difficulty arises because organisations rarely return later to review whether the information is still needed.

Over time repositories expand and retention practices begin to diverge between departments. Some teams may follow structured retention schedules, while others retain information indefinitely simply because no one has revisited the original decision.

Eventually the consequences begin to appear. Storage costs increase, search processes become slower and responding to regulatory or client enquiries requires far more effort than it should.

Perhaps more importantly, leadership teams may find it difficult to answer fundamental questions about their information environment:

    • How much data do we hold?
    • Where is it stored?
    • Which records still serve a purpose?
    • Which records should have been removed years ago?

Without clear answers, risk remains hidden within the organisation’s information landscape.

Reframing the governance conversation

 

One of the most useful changes firms can make is shifting the way they think about information risk.

Rather than asking how to secure every piece of information the organisation holds, a more productive question is why that information is being retained in the first place.

Information governance introduces intentionality into data management. It allows organisations to distinguish between records that still have operational or regulatory value and information that remains simply because no one has reviewed it.

The objective is not aggressive deletion or restrictive policies. Instead the goal is clarity. Firms should be able to explain why information exists, how it is managed and when it will eventually reach the end of its lifecycle.

When organisations develop that level of visibility, governance conversations become far more practical. Teams can begin focusing on the areas where improved information management will reduce operational risk and improve efficiency.

Building discipline without disruption

 

Many firms hesitate to address information governance because they assume it requires a large transformation programme. The idea of reviewing years of accumulated data can feel overwhelming, particularly in busy environments where client work must always take priority.

In reality the most successful governance initiatives usually begin with smaller, focused steps.

The first priority is improving visibility. When organisations gain a clearer understanding of their information environment, they can begin identifying repositories that contain redundant or outdated records. From there they can introduce retention practices that gradually bring greater discipline to the way information is managed.

Importantly, governance does not need to disrupt everyday work. The most effective frameworks align with the way teams already operate, ensuring that retention decisions and lifecycle management become part of normal workflows rather than an additional administrative burden.

Why readiness begins here

 

Moving from uncontrolled data growth to structured information governance provides the foundation for everything that follows.

Without visibility into the information environment, governance strategies remain theoretical. Technology investments struggle to deliver their full value, and organisations may find themselves reacting to problems rather than managing them proactively.

When firms understand their information landscape, however, governance becomes practical. Leadership gains confidence in how data is managed, operational teams gain clearer guidance and clients gain reassurance that their information is being handled responsibly.

In the next article, we will explore how firms can build on this awareness by developing a governance strategy that reflects operational reality and delivers measurable results.

Strategic governance planning

 Read the other articles in this series by clicking the button below. 

Information risk to operational readiness series

About the author

 

Antony Wells is a seasoned professional committed to helping organisations optimise their information management responsibilities. In his role as Commercial Director, EMEA at LegalRM, Antony leads initiatives aimed at enhancing firms' information governance strategies, with a keen focus on compliance, risk mitigation, and cost reduction.

Before joining LegalRM, Antony amassed invaluable experience guiding firms in selecting and implementing document management solutions, throughout the legal and professional services market.

To get in touch with Antony to discuss how we could help you with your information governance strategy connect on Linkedin.

Originally published in Australia.