18 Mar 2026

IM BLOG: Why Information Governance Fails and How Harmony Fixes It

Legal Wants to Keep It. Privacy Wants to Delete It. Now What?

Who hasn’t been in this situation? Legal wants everything preserved forever. Privacy wants it deleted immediately. Cybersecurity wants it locked down tight. You want it accessible and manageable. And the business? They just want to actually use the information.

Welcome to the daily reality of records and information management in 2026 - where every stakeholder has legitimate needs, conflicting priorities and the absolute certainty that their requirements matter most.

This isn't a problem to solve. It's a tension to harness.

The question isn't which discipline wins. It's whether you can create harmony from the chaos - aligning legal, privacy, cybersecurity and records management into something that actually works instead of a bureaucratic nightmare that satisfies no one.

The Clash: Why Good Intentions Create Bad Outcomes

Let's take a look at what each discipline wants:

  • Legal worries over compliance and protecting organisational interests. Their nightmare scenario? Missing a regulatory requirement or losing critical evidence in litigation. So they default to ‘keep everything, just in case.’
  • Privacy focuses on protecting individuals and meeting data protection laws. Their nightmare? A data breach exposing personal information that should have been deleted years ago. So they push for aggressive minimisation and deletion.
  • Cybersecurity guards against threats to confidentiality, integrity and availability. Their nightmare? Unauthorised access to sensitive information. So they lock everything down with layers of controls that make access nearly impossible.
  • Records management ensures information is accessible for business needs while maintaining compliance. Your nightmare? Being pulled in every direction while blamed for whatever goes wrong. So you try to balance it all and end up satisfying no one.
  • Business wants to generate profit (or serve their mission for nonprofits and government agencies). Their nightmare? Bureaucratic processes that slow them down and prevent them from serving customers or making informed decisions. So they work around the systems you've built.

See the problem? Every discipline is optimising for their own goal without considering the whole. The result isn't governance - it's gridlock.

Would you believe that about 80% of most organisations' information is clutter with minimal business value? Yet we apply the same heavyweight governance to everything. Meanwhile, the 20% that actually matters - information with high business, regulatory or legal value - often gets the same generic treatment as the garbage.

Three Battlegrounds Where Tension Becomes Opportunity

The clash plays out across three critical areas. Master these and you transform tension into synergy.

Data Protection and Accessibility: The Classification Conundrum

Everyone wants to classify information but nobody agrees on what matters:

  • You classify by work-in-progress versus final, by business purpose, mapping to retention categories
  • Legal classifies by relevancy to matters and potential litigation exposure
  • Cybersecurity classifies by risk level - restricted, sensitive, confidential, internal, public
  • Privacy classifies by types of personal information and data subject rights
  • Business classifies by customer value and revenue opportunity

Five different classification schemes. Five different priorities. One impossibly confused workforce.

The breakthrough? These classifications don't compete - they layer. Your retention categories provide the foundation. Security classifications determine protection levels. Privacy mapping enables data subject access requests. Legal overlays identify litigation risk. Business context drives value decisions.

But layering only works with the right protection mechanisms: encryption to secure data at rest and in transit, data loss prevention to stop unauthorised sharing, access controls that give people what they need without exposing what they don't, and portability that lets information move where the business requires while maintaining governance.

Compliance and Regulatory Alignment: When the Rules Don't Make Sense

We all know that technology outpaces regulation. Always has, always will. You're implementing AI, cloud platforms and automation while regulations are still catching up to email.

This creates a brutal balancing act between ethics and profit, between regulatory requirements and business innovation, between legal mandates and operational reality. Add in self-regulatory organisation standards, consent decrees and industry best practices, and you have a compliance landscape that's impossible to navigate perfectly.

The organisations that thrive don't aim for perfection - they aim for intelligent prioritisation. They understand the Electronic Discovery Reference Model and build preservation capabilities that balance precision (collecting only what matters) with recall (not missing critical evidence). They implement legal holds that protect what needs protecting without freezing the entire organisation.

Most importantly, they accept that compliance isn't binary. It's a continuous process of alignment, adjustment and advocacy.

Retention and Disposition: Where Everything Converges

This is where the rubber meets the road. Retention and disposition decisions must simultaneously serve:

  • Business needs (keep information while it's valuable)
  • Legal requirements (preserve evidence and meet regulatory minimums)
  • Compliance obligations (satisfy auditor and regulator expectations)
  • Information security (minimise breach exposure by not keeping unnecessary data)
  • Privacy mandates (delete personal information when no longer needed)

And they must account for holds that can stop disposition at any moment for litigation, investigations, audits or regulatory inquiries.

Most organisations treat this as an impossible puzzle. Smart organisations recognise it as a forcing function - the mechanism that makes everyone get their act together.

But you can't apply disposition to what you haven't classified. You can't apply holds to what you can't find. You can't minimise data exposure if you don't know what you have or where it lives. Retention and disposition forces the discipline that makes everything else possible.

The Framework: Building Harmony from Chaos

So how do you actually make this work? Start with these seven principles:

1. Define clear policies that acknowledge different stakeholder needs without drowning in exceptions. Your retention schedule is foundational - a standard with documented deviations, not a suggestion.

2. Implement risk-based approaches that focus heavy governance on the 20% of information that matters most. Stop treating convenience copies and drafts like regulatory records.

3. Protect strategically using encryption, access controls and monitoring where it counts. Not everything needs Fort Knox security.

4. Adopt role-based access controls that balance security with usability. People need information to do their jobs - make legitimate access easy and illegitimate access hard.

5. Align with other disciplines by creating retention guides that show applicability across business areas, staff, geographic scope and information function. Map applications to retention requirements. Connect security classifications to information types.

6. Collaborate across departments by knitting governance together - common legal holds tied to custodians and information types, common investigations linked to staff and data, business continuity events mapped to critical systems.

7. Regularly refresh retention schedules because business changes, regulations evolve and systems multiply. Last year's perfect schedule is this year's obstacle.

The goal isn't perfect alignment - it's productive tension. You want healthy debate about retention periods, security classifications and access controls. What you don't want is each discipline building parallel systems that never talk to each other.

Making It Real: From Theory to Practice

The difference between organisations that achieve harmony and those that don't comes down to execution:

Map everything once, use it everywhere. When you classify information by business purpose and map it to retention categories, that same mapping supports legal holds, privacy assessments, security controls and business analytics. Build the taxonomy once. Apply it consistently.

Leverage your retention schedule as the coordinating mechanism. It sets periods that meet business needs, regulatory obligations and legal requirements. It allows exceptions. It authorises (but doesn't mandate) disposition, barring holds or other exceptions. Every other discipline aligns to it.

Focus on applicability, not just categories. Your retention guide should show which business areas, staff, geographic locations and information types each category covers. Then map source applications - all 100 or 1,000 of them - to those categories. Then layer security classifications. Then connect hold and investigation frameworks.

Get it right where it matters most. Ask three questions about every piece of information: Is it final? Is it a duplicate? Does it have regulatory, legal or high business value? Works-in-progress, drafts and convenience copies get deleted when no longer needed. Everything else follows retention requirements or hold obligations.
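The decision logic implied by the three questions above, by the rule that holds stop disposition at any moment, and by holds scoped to custodians and information types, as an added Python example; this is not code from the post or from Cohasset Associates. The retention schedule, the hold, the records and the dates are constructed sample data. The one-year window after which drafts and convenience copies count as "no longer needed", the hold-scope semantics (an empty scope means "any"), and the rule that anything classified Confidential or above is disposed of by verified destruction are assumptions made for the example, not policy the post states.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum

class Security(Enum):  # cybersecurity layer, lowest to highest protection level
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SENSITIVE = 3
    RESTRICTED = 4

class Decision(Enum):
    HOLD = "hold"        # an active hold blocks disposition, whatever the schedule says
    RETAIN = "retain"    # still inside its retention period, or not yet classified
    DISPOSE = "dispose"  # the schedule authorises disposition and nothing blocks it

@dataclass(frozen=True)
class RetentionRule:
    category: str
    years: int                # retention period counted from the record's trigger date
    regulatory: bool = False  # a regulatory minimum that privacy minimisation cannot shorten

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str        # retention category: the foundation layer
    custodian: str
    trigger_date: date   # e.g. contract end or fiscal year close
    is_final: bool
    is_duplicate: bool
    security: Security   # cybersecurity layer
    contains_pi: bool    # privacy layer: personal information present

@dataclass(frozen=True)
class LegalHold:
    hold_id: str
    custodians: frozenset = frozenset()  # empty means "any custodian" (assumption)
    categories: frozenset = frozenset()  # empty means "any information type" (assumption)

    def covers(self, rec):
        return ((not self.custodians or rec.custodian in self.custodians)
                and (not self.categories or rec.category in self.categories))

TRANSIENT_YEARS = 1  # assumption: drafts and convenience copies are not needed after a year

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb rolling into a non-leap year
        return d.replace(year=d.year + years, day=28)

def decide(rec, schedule, holds, today):
    """Return (Decision, reason) for one record; schedule maps category -> RetentionRule."""
    # 1. Holds first. This check is only as good as the custodian/category mapping
    #    on the record: you cannot apply holds to what you cannot find.
    active = sorted(h.hold_id for h in holds if h.covers(rec))
    if active:
        return Decision.HOLD, "held: " + ", ".join(active)
    # 2. Not final, or a duplicate: a transient item, deleted when no longer needed.
    if rec.is_duplicate or not rec.is_final:
        expiry = add_years(rec.trigger_date, TRANSIENT_YEARS)
        if today >= expiry:
            return Decision.DISPOSE, "transient draft/copy past %s" % expiry
        return Decision.RETAIN, "transient until %s" % expiry
    # 3. Everything else follows the schedule; an unmapped category cannot be disposed of.
    rule = schedule.get(rec.category)
    if rule is None:
        return Decision.RETAIN, "unclassified: not mapped to a retention category"
    expiry = add_years(rec.trigger_date, rule.years)
    if today < expiry:
        floor = " (regulatory minimum)" if rule.regulatory else ""
        return Decision.RETAIN, "retention runs to %s%s" % (expiry, floor)
    # Security classification decides how it is disposed of (assumed threshold).
    method = ("verified destruction" if rec.security.value >= Security.CONFIDENTIAL.value
              else "standard deletion")
    note = "; privacy: personal information minimised" if rec.contains_pi else ""
    return Decision.DISPOSE, "%s authorises %s%s" % (rule.category, method, note)

# Constructed sample data (not from the post).
SCHEDULE = {
    "CONTRACTS": RetentionRule("CONTRACTS", 7, regulatory=True),
    "HR-PERSONNEL": RetentionRule("HR-PERSONNEL", 5),
}
HOLDS = [LegalHold("LH-2026-01", custodians=frozenset({"j.doe"}),
                   categories=frozenset({"CONTRACTS"}))]
TODAY = date(2026, 3, 18)
RECORDS = [
    Record("R1", "CONTRACTS", "j.doe", date(2018, 6, 30), True, False, Security.CONFIDENTIAL, False),
    Record("R2", "CONTRACTS", "a.lee", date(2018, 6, 30), True, False, Security.CONFIDENTIAL, False),
    Record("R3", "CONTRACTS", "a.lee", date(2020, 6, 30), True, False, Security.CONFIDENTIAL, False),
    Record("R4", "HR-PERSONNEL", "j.doe", date(2019, 1, 15), True, False, Security.INTERNAL, True),
    Record("R5", "CONTRACTS", "a.lee", date(2025, 11, 1), False, False, Security.INTERNAL, False),
    Record("R6", "ORPHAN-SHARE", "a.lee", date(2010, 1, 1), True, False, Security.INTERNAL, True),
    Record("R7", "CONTRACTS", "a.lee", date(2024, 1, 1), True, True, Security.CONFIDENTIAL, False),
]

def sample_decisions():
    return {r.record_id: decide(r, SCHEDULE, HOLDS, TODAY) for r in RECORDS}

if __name__ == "__main__":
    for rid, (decision, reason) in sample_decisions().items():
        print(rid, decision.value, "-", reason)
```

Two things worth noticing in the run: R1 and R2 are identical contracts past their regulatory period, but R1 is held because its custodian and category both fall inside the hold's scope, so it is never offered for disposition; and R6, sitting on an unmapped share, is retained by default, which is the cost of the "map everything once" work not having been done for that source.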

This isn't academic theory. This is practical governance that works because it acknowledges reality: you can't govern what you can't classify, can't find what you can't map and can't protect what you don't understand.

The Choice: Harmony or Chaos

Here's what you need to understand: the tension between legal, privacy, cybersecurity, records management and business isn't going away. It's inherent in having multiple legitimate stakeholders with different responsibilities.

You have two options: let that tension create chaos or harness it to create better outcomes than any single discipline could achieve alone.

Chaos looks like: duplicative classification schemes, conflicting policies, shadow IT, business workarounds, compliance failures, security breaches, privacy violations, and you, stuck in the middle, blamed for all of it.

Harmony looks like: aligned frameworks leveraging common foundations, clear policies with reasonable exceptions, risk-based approaches that focus resources where they matter, collaborative decision-making that respects each discipline's concerns, and you, positioned as the conductor, making the orchestra work.

Which organisation do you want to be?

Because effective information lifecycle management doesn't happen when records management works in isolation. It happens when you balance value, risk and cost across all stakeholders - turning tension into synergy and creating governance that enhances rather than impedes organisational success.

The question isn't whether you can afford to align these disciplines. It's whether you can afford not to. Start knitting your governance together. The harmony you create will be worth the effort.

Meet your blog authors:

Carol Stainbrook is the Executive Director of Cohasset Associates and has more than 20 years of experience enabling IG implementations for domestic and multinational clients that support business goals, increase information value, improve compliance and mitigate risk. Carol deftly deciphers her clients' operational paradigms, technology complexities and regulatory challenges, achieving IG results her clients can measure. As a thought leader, Carol is an author and a frequent speaker on information-centric topics.

Michael Haley is the Principal Consultant at Cohasset Associates, Inc.