Establishing a Plan to Mitigate Risk with Information Governance

Here are some important steps for getting started in developing an IG program along with useful tips for increasing long-term success to mitigate risk for the organization.

This article is part of a three-part series. Part 1, “Understanding the need for IG,” discussed the key value proposition of IG, including examples of the cost of failure to proactively govern information, and offered background on what governance is as well as how it fits into a bigger picture of investigations and litigation readiness.

Why do some companies treat information governance as a critical business function, while others barely have it on their radar? Among the reasons is a lack of understanding and awareness about the value of IG.

Beyond that, IG can be an intimidating topic to even talk about for corporations that have never addressed the issue before. Taking it a step further by committing to the initiative and getting started is even harder for some.

Here, we share important steps for getting started in developing an IG program along with useful tips for increasing long-term success to mitigate risk for the organization.

Successful IG, like many things in life, requires vision and thoughtful planning. You wouldn’t build a house without a blueprint. You wouldn’t climb Mount Everest without doing a lot of research, properly planning the excursion and training to ensure you’re prepared. Likewise, creating an IG program requires diligence. 

What is vision? The business definition includes the ability to have a greater perception of the big picture or to have the imagination to see what things can be. For example, Jack Nicklaus is among the best golfers to ever play the game professionally.

He was a master at ball-striking because he had the ability to visualize the entire shot – his stance over the ball, the velocity of his swing, the angle at which the clubhead struck the ball, the flight of the ball, where it would land, how far it would roll and where it would come to a stop. His ability to see these things – his vision – defined Nicklaus’ approach to every shot and to his entire game, which led to incredible success.

In the context of IG, leaders must also have a clear vision. The process begins by taking an honest look at where you are today, where you need to go and what the steps are to get there. You must recognize any shortcomings that need to be addressed and have the vision to see the path forward.

Just as the approach to golf is different for all players, IG is different for each organization. Team leaders must determine the appropriate vision for their organization and then ensure the entire team shares that vision. From there, stakeholders can champion the initiative, supporting the effort and promoting the program throughout the organization.

Key Considerations

Among the most important aspects of IG is establishing the facts related to every piece of information that flows throughout your organization. The who, what, when, why, how, how long, with whom and excluding whom, etc., are the elements that form the basis around compliance.

Another key to comprehensive IG is thoroughly reviewing and identifying every step in the information life cycle. What does creation or ingestion look like in your unique environment? How is information used, modified or shared in your organization? What factors must be considered around storing and retrieving documents? This can vary greatly depending on the subject matter you’re dealing with.

While each step in the life cycle matters, among the most important steps in the process is the deletion or destruction of data. What must be retained and what must be destroyed, and what is the timetable for these actions? Determine a reasonable policy for these critical steps and follow it religiously.

When you can demonstrate that you’ve followed a consistent protocol, your company’s risk of having to produce old data drops significantly. On the flip side, inconsistent adherence to this aspect of the IG policy can have devastating consequences.


Once you’ve invested the time and effort to establish sound IG policies, don’t stop there! It’s not enough to simply create the program and walk away. Staying compliant requires diligence. Effectively dealing with noncompliance issues can be difficult, but this is another critical step in governance.

Ongoing training and development are a critical piece of everything we do – both in IG and in most aspects of life. The importance of learning and practicing what you learn, of implementing knowledge gained, cannot be overstated. They call it the “practice of law” for a reason – you keep doing it over and over, each time learning more and getting better at the profession. Likewise, the more training we employ, the more we practice what we’re learning and the better we’ll be at governing our information and mitigating risk.

You can build the best IG program in the world, but without a commitment to ongoing training and development, you will not maintain long-term success. Things like noncompliance should be reviewed multiple times every year, both to ensure policies stay current and to keep it top of mind in daily work processes.

Managing Risk for Reward

Attorneys inherently understand the importance of managing risk. And while prioritizing IG won’t make you friends or increase your billable hours, being proactive will put mechanisms in place to protect your organization from undue risk.

The best way to build a successful IG program is to prepare. Keep in mind one of Benjamin Franklin’s most notable quotes: “Failing to plan is a plan to fail.” Preparation makes all the difference, just as it would to embark on an Everest climb without sufficient preparation. Establish a vision for where your organization needs to go and to help you get there, assemble a solid team who agrees with the vision and will assume ownership to achieve it. Prepare, envision and create; and then, enforce compliance.

Implementation may take time, but will be worth it in the end. When the organization understands the purpose of IG, it will appreciate the efforts to mitigate overall risk. 

Contributing Author

author image

Bill Millican

Bill Millican is an expert in the field of records and information management and governance. He has nearly 40 years of experience in various hands-on...

Bio and more articles

Join the Conversation

Advertisement. Closing in 15 seconds.