From Policy to Practice: Why Law Firm IG Fails Without Enforcement
- Jul 6
- 4 min read
Law firms invest heavily in drafting comprehensive Information Governance (IG) policies. But even with meticulously written plans, compliance gaps persist. From engagements across Am Law 100 and mid-sized firms, we find that the issue is rarely a lack of intent; it’s execution.
Across practice groups, departments, and individual offices, retention and disposition schedules are handled in vastly different ways. That variation creates latent security risks, inflates data footprints, and makes it difficult to satisfy client mandates. Without a consistent operational foundation, even the most robust policy is just words on a page.
Where the Compliance Gap Shows Up
In most firms, a lack of compliance doesn't announce itself through a major data breach; it shows up in small, everyday ways.
An email containing sensitive matter data is archived indefinitely by a partner in New York, while similar files are purged after five years in Chicago. Matter closing workflows vary depending on which legal assistant handles the file. Retention timelines aren’t systematically tied to closing dates, so data storage decisions become entirely subjective.
Individually, these don’t seem like critical failures. Collectively, they create massive data bloat. Staff spend time guessing what to keep rather than executing a defensible disposition plan, and firms accumulate mountains of dark data. Managers, in turn, are left wondering whether their actual risk exposure matches what is written in their policy manuals.
The result is an information governance model that exists on paper, but isn't reliable in practice.
Why Firms Avoid Strict Enforcement
There’s a common misconception that enforcing rigorous information governance equals partner alienation. Firm leadership often hesitates to enforce hard timelines because legal work is nuanced, and partners routinely claim they "might need that file someday."
However, what tends to happen is that a lack of structure doesn’t protect partner autonomy; it creates systemic liability. Without system-driven boundaries, every data retention choice becomes a partner judgment call. That introduces unnecessary risk and makes scaling modern data platforms difficult.
Enforcement isn’t about stripping attorneys of control; it’s about creating a stable risk-management framework so that exceptions are handled deliberately rather than by default.
The Real Cost of Outside Counsel Guideline (OCG) Non-Compliance
When data retention policies aren't strictly enforced, inefficiencies and liabilities compound quickly. Outside Counsel Guidelines (OCGs) are rising sharply in complexity. Clients are no longer asking if you have an IG policy; they are mandating specific retention limits on the sensitive data they hand over.
When a firm relies on an endemic culture of granting "informal exceptions" to internal partners, it introduces a major compliance blind spot. An exception granted to a billing partner is often an explicit breach of an OCG contract signed with a corporate client. If a client agreement mandates a data purge five years post-matter closure, and your internal repositories are still holding those files eight years later, you are operating outside of your contractual boundaries.
Furthermore, leadership loses all visibility. If every practice group or partner manages retention differently, compliance cannot be monitored in a meaningful way. That makes it incredibly difficult to identify data risk, evaluate storage overhead, or prove compliance during a client audit.
Information Governance in Practice
One law firm Mattern worked with recognized that its records management practices had evolved over time without a unified information governance strategy to support them. Although attorneys and staff were managing information every day, there was no consistent framework defining what constituted the official record, how documents should be classified, or when information should be retained or destroyed. As a result, records existed across multiple repositories, duplication was common, and retention practices varied from office to office.
Rather than beginning with new technology, Mattern started with a comprehensive assessment of the firm's current workflows. We evaluated how information moved through the organization, reviewed existing policies and systems, interviewed stakeholders across multiple departments, and identified the operational gaps preventing consistent governance.
Using those findings, Mattern developed a customized Information Governance framework that aligned policy, technology, and day-to-day operations. The engagement included practice-specific retention schedules, standardized document classification and naming conventions, clear user expectations, training recommendations, and procedures covering the entire records lifecycle from creation through final disposition.
The result was more than a new policy manual. The firm established a practical governance program that improved consistency across its offices, strengthened its ability to manage both electronic and physical records, reduced unnecessary paper creation, and positioned the organization to apply retention requirements in a far more defensible and sustainable manner. As Rob Mattern often notes, successful information governance is not created by policy alone. It succeeds when policy, technology, workflow, training, and leadership all work together.
How Structure Safeguards the Firm
Consistency creates security, and security drives compliance. When support teams and attorneys operate within a shared, automated structure, data is classified and purged systematically. Leadership gains a clear, unvarnished view of the firm’s total data liability, making client audits straightforward instead of frantic fire drills.
A structured approach also makes technology transitions manageable. When data is governed properly at the matter level, future system upgrades and cloud migrations become predictable operational exercises rather than massive data-cleansing nightmares.
The Mattern Perspective
Information governance isn’t about writing the perfect policy or simply investing in the latest classification software tool. It’s about creating consistency in how data is handled from matter opening to final disposition.
From our perspective, firms don’t struggle with IG because they lack capable IT professionals or sophisticated software. They struggle because those resources aren’t tied to a strictly managed operational model. Structure is what creates that alignment. Once it’s in place, risk mitigation, cloud storage spend, and client compliance all become far easier to manage.
If your firm is dealing with rising OCG pressures, unmanaged data bloat, or an information governance policy that everyone ignores, it may be time to take a more structured approach. That’s typically where we see the most immediate and measurable opportunities.
If you’d like to compare notes or understand what this could look like at your firm, feel free to reach out to us at info@matternassoc.com.
.png)


