One of the first things someone said to me when I started working in information governance was, “there are no records management emergencies.” I had spent the previous twenty years in public relations and corporate communications, where the phone could ring at any hour. A job without emergencies sounded appealing. Then I started working with regulatory and litigation attorneys, and I learned the statement isn’t quite right. My revised version: there are no records management emergencies until someone makes a mistake.

That framing has stayed with me, because it captures something important about what makes unstructured data cleanup so hard. It isn’t finding the data. It’s deciding what to do with it once you know what it is. In a legal environment, the stakes are real: spoliation, regulatory penalties, legal malpractice, breach of contract. A large unstructured data set presents an overwhelming number of decision points, and the consequences of getting them wrong are significant enough to stop teams from acting at all. Psychologists call it analysis paralysis, and it’s one of the most common reasons cleanup projects stall before they start.

Crisis communications is built around exactly this problem. Everything about the discipline aims to prevent analysis paralysis so teams can act quickly and consistently. When I made the pivot into IG, I found that the frameworks I had spent years working with translated more directly than I expected.

Start with the risk, not the data

The first principle of crisis communications is that not all crises are equal. A product recall for health and safety reasons and a social media post that draws criticism both carry risk, but the nature and proportion are completely different. Under-reacting to the first is dangerous. Overreacting to the second can make the situation worse. Good crisis plans group situations by risk level, the areas each one impacts, and the scale of response each requires.

A cleanup project benefits from the same starting point. Working with your IG committee and the General Counsel’s office, identify the consequences of disposition errors and rank them by impact. A firm actively defending litigation will likely put the destruction of data on a legal hold at the top of that list. Understanding the scope of the hold, confirming what preservation steps are in place, and assessing what risk the remaining dark data presents are all action items for designing a mitigation strategy. A firm with no active litigation will arrive at a different list in a different order, perhaps ranking privileged and confidential communications for an active matter first.

What you’re building is a ranking of your data from highest risk to lowest: privileged and confidential material at one end, system-generated ROT at the other. That ranking is what makes the rest of the project manageable.

 

Map the scenarios before you touch the data

In crisis communications, scenario mapping is where the real work happens. For each situation a team could potentially face, there is a framework that defines how they’ll act based on governance, principles, priorities, and risk tolerances. The goal isn’t to predict every possible crisis. It’s to anticipate high-stakes situations you could reasonably encounter and eliminate ambiguity from how you respond.

In IG, the scenarios look different. But you can anticipate which situations carry risk and outline how to approach them before the project begins, before ambiguity stops the team cold or pushes a decision to the next IG Council meeting. Examples of tough-call scenarios you’re likely to encounter when discovering legacy data include:

  • Dark data that isn’t easily categorized because files are corrupt, in an unreadable format, or missing critical metadata such as dates or ownership
  • Files for a closed matter that has completed its required retention period for a client that is still active with the firm
  • Attorney work product for a closed matter that was one of the firm’s highest-profile victories, where both the attorney and client are no longer with the firm
  • Content on a legal hold for an active matter that was previously unknown and therefore not reviewed in discovery
  • Transient data belonging to a long-tenured Trusts and Estates partner with hundreds of active clients
  • Back-office content that is not a record, for current and departed employees
  • Back-office records stored outside the designated system of record
  • Data on an active legal hold that was previously unknown and unreviewed
  • Active matter content for current and departed clients
  • Closed matter content with retention remaining, for current and departed clients and attorneys
  • Closed matter content with retention completed, for current and departed clients
  • Work product for current and departed attorneys, across current and departed clients
  • Files nominated for the knowledge management platform or curated AI content library

Talking through these scenarios with your stakeholders in advance gives you something more valuable than a list of answers. It gives you a defined position, grounded in the firm’s risk tolerance, that you can build policy around if existing procedures don’t cover it.

 

Build the playbook

The output of those two exercises is a playbook. In crisis communications, the playbook is the source of truth when an issue lands. It lays out parameters and options clearly so teams don’t spend time figuring out what to do: they follow the instructions and focus on execution. It details the step-by-step actions teams will take with clear definition of stakeholders and roles, detailed process instructions, and timeframes.

A cleanup playbook works the same way. It breaks the project into manageable categories organized by risk and defines a disposition approach for each one, keeping decisions compliant, consistent, and scalable across the full data set. The playbook is what allows a team to work through a petabyte without reinventing the decision for every file.

Your playbook should define a workflow for each combination of data type, risk level, disposition authority, and special-case scenario you identified. Plays worth including:

  • Back-office content that is not a record, for current and departed employees
  • Back-office records stored outside the designated system of record
  • Data on an active legal hold that was previously unknown and unreviewed
  • Active matter content for current and departed clients
  • Closed matter content with retention remaining, for current and departed clients and attorneys
  • Closed matter content with retention completed, for current and departed clients
  • Work product for current and departed attorneys, across current and departed clients
  • Files nominated for the knowledge management platform or curated AI content library

The purpose of this work is to make the decisions in advance, with the support of your stakeholders, so that no one is making them under pressure when it counts.

 

Test it before you need it

Crisis communications playbooks aren’t static documents. Teams test them regularly through tabletop exercises: structured sessions where everyone works through mock scenarios to validate the process, identify gaps, and sharpen the playbook before a real issue arrives.

Running a mock cleanup exercise for your highest-risk scenarios has the same value. Before the project begins, gather stakeholders from IT, Legal Operations, a practice area, and your IG team, and work through the data disposition scenarios using the playbook as the guide. What you find will improve the process and give your team the confidence to decide quickly when it counts. Update the playbook based on what you learn.

Then you’re ready. The tough decisions were made with your stakeholders, tested on the tabletop, and documented in the plays. What’s left is execution.

Most public relations professionals will tell you that you can’t predict a crisis, but you can prepare for one. In information governance, I’d put it differently: you can predict a crisis if you fail to prepare for the decisions your data will force you to make. You never know exactly what you’ll find. But when you’ve mapped the risks, defined the scenarios, built the playbook, and tested it before you need it, you’re not deciding under pressure. You’re executing a plan.

There are no records management emergencies until someone makes a mistake. The playbook is how you avoid one.