Cadillac, Chevy, or Golf Cart: Are You Targeting the Right Records Management Program?
 
					By Mark Diamond
July 9, 2025
 
					Mark Diamond, founder & CEO of Contoural, is a leading expert in records management, privacy, AI governance, and compliance strategies. He and his company help bridge legal, compliance, security and business needs and polices with effective processes, technology and change management. He can be reached at markdiamond@contoural.com.
In the world of records management and information governance, there’s a temptation to either build a big and sophisticated program or do the bare minimum and hope for the best. The smartest, most cost-effective path usually lies somewhere in the middle. Finding that “sweet spot” means developing a program that meets legal requirements and business needs without overshooting, costing too much, or never getting fully developed. The ideal program maturity is different for every organization.
When “More” Isn’t Better and “Less” Isn’t Enough
We’ve seen organizations pour time and budget into building a “Cadillac”-level records and information governance program. This might include voluminous retention schedules, complex and under-deployed record retention systems, and months (or years) of data mapping.
The problem is that over-engineered programs tend to collapse under their own weight. They’re too complex to implement, too expensive to maintain, and too confusing for employees to follow. One company we assessed had built a highly detailed retention schedule with hundreds of categories only to realize that almost no one in the organization could apply it correctly. Despite shooting for a highly compliant program, the company’s compliance was actually lowered by the lack of execution. They ended up facing much greater risk.
On the flip side, some organizations swing too far toward minimalism. They slap together a basic retention policy, leave key risks unaddressed, or rely on informal, easily ignored retention processes that aren’t documented or defensible. They are complacent with their “bicycle”-level approach, until their practices are put to the test by an aggressive litigant in discovery or a regulator comes knocking demanding information. Without a consistent or defensible process, they are continually forced to discover everything to prove they do not have information, an expensive task. Too immature is not good either.
Often, the smartest and ultimately most compliant approach is to target a “Chevy”-level maturity for various program components. For smaller, less-regulated companies, a “golf cart”-level will often suffice for many areas, while large, highly-regulated companies may target “Cadillac”-level for certain elements.
Program Elements Comprising Maturity
Program maturity does not consist of only a single element but rather a variety of pieces. This includes foundational elements such as policies, processes, and training; managing information types including files, emails, structured data and paper; and legal requirements and risk such as sensitive information and discovery response.
We take a number of factors into account when determining the target maturity for the above elements, including:
- Legal and regulatory recordkeeping requirements, largely based on the industry
- Personal information collected that is subject to data minimization rules
- Business needs for accessing high-value information
- Amount of confidential information or intellectual property
- Jurisdictions operated in
- Litigation profile
- Company size and organizational structure
- Current or intended use of generative AI
- Company culture
Equally important is the average maturity in your industry. Most companies do not want to be the laggard that attracts attention during a regulatory sweep across their industry. Likewise, they don’t want to overdesign and overinvest. Most want to be at, or slightly above, industry averages.
Pick Your Target Maturity
We really don’t like “out of the box” records polices or programs. Why? Because they are almost certainly misaligned to the organization’s ideal program maturity. It’s easy to get caught up in a product vendor’s automatically generated “recommendation” for a “Level 5” program. But the goal isn’t to max out a model, it’s to take a “Goldilocks” approach that balances required capabilities with being defensible, efficient, and sustainable.
One client came to us with a detailed gap analysis showing that they were “only” at Level 2 maturity. But when we dug deeper, we found that their existing controls were already fit for purpose. Rather than chasing unnecessary features, we focused on tightening automation and aligning their schedule with privacy requirements. This resulted in a leaner program with fewer costs and less risk. For this client, their “Chevy” worked just fine; it just needed a tune-up.
Your Program Will Ultimately Be Evaluated on Execution
Despite intentions or money invested, programs are ultimately judged on their ability to execute. Is the right information retained and managed for the right period of time? Is sensitive information properly protected? Is older, unneeded information defensibly and routinely deleted? How well can you demonstrate all of this?
Keep your records management program simple enough to execute, strong enough to protect, and flexible enough to grow. A right-sized program will offer you more benefits than just time and money saved. It will make governance a natural part of how your organization works, not a burden it has to carry.
Critical intelligence for general counsel
Stay on top of the latest news, solutions and best practices by reading Daily Updates from Today's General Counsel.
Daily Updates
Sign up for our free daily newsletter for the latest news and business legal developments.
 
				 
	 
	 
	