How do you build an information governance program from scratch in a small company?
Building an information governance (IG) program from scratch can feel daunting in a small company, but the lack of legacy systems and layered bureaucracy is actually an advantage. You can start small, focus on the highest-value information, and grow the program in stages.
Start With Why and Who
Begin by defining the purpose: reducing legal and security risk, meeting recordkeeping obligations, controlling storage costs, and making information easier to find. Secure a sponsor with authority — often an owner, CFO, or general counsel — so the program has visibility and budget. In a small organization, one person frequently coordinates IG part-time, drawing on a cross-functional group from finance, HR, IT, and operations for decisions.
Inventory What You Have
You cannot govern what you have not mapped. Conduct a simple inventory of where information lives: shared drives, email, cloud apps, paper files, and personal devices. Capture record types, owners, formats, and rough volumes. This snapshot reveals duplication, risk hotspots, and obvious cleanup opportunities.
Build a Retention Schedule
The core of any program is a records retention schedule that states how long each record type is kept and when it is destroyed. Base retention periods on legal, tax, regulatory, and operational needs rather than guesswork. Tax and employment records, for example, carry their own retention expectations, so confirm the rules that apply to your jurisdiction and industry before finalizing. International standards such as ISO 15489 offer a sound framework for structuring records processes consistently.
Write Lean Policies
Draft a short, plain-language IG policy covering classification, retention, storage, access, security, and disposition. Add a defensible-disposition routine and a legal-hold process to suspend destruction when litigation or investigation is anticipated. Keep policies brief enough that staff will actually read and follow them.
Roll Out and Sustain
Train employees, then enforce consistently. Apply governance to new information first, and tackle backlog cleanup in manageable phases. Measure progress with a few metrics — storage reduced, records on schedule, holds tracked — and review the program annually as laws, tools, and business needs change.
Explore related guidance on the information governance topic hub.
Sources & further reading
Authoritative government and non-profit references.
How to cite this page
APA
RM University Editorial. (2026). How do you build an information governance program from scratch in a small company?. Records Management University. https://www.recordsmgmt.org/questions/how-do-you-build-an-information-governance-program-from-scratch-in-a-small-company/
MLA
RM University Editorial. "How do you build an information governance program from scratch in a small company?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-do-you-build-an-information-governance-program-from-scratch-in-a-small-company/.
Related questions
- Big-bucket vs item-level retention schedules: how do I choose between them?
- Can a company be penalized for keeping data too long under privacy laws even if nothing was breached?
- Can a US company store records in the EU, or do data localization and cross-border transfer rules block it?
- Can executives or board members be held personally liable for information governance failures?
- Can information governance help reduce cloud storage costs, and how?