5 steps to good governance

Transforming your governance strategy

Table of contents

You need governance that scales
Step 1: Start early
Step 2: Get all stakeholders on board
Step 3: Proactively set guardrails for document lifecycle management
Step 4: Keep it simple
Step 5: Talk to our experts


You need governance that scales

Two-thirds of organizations in an AIIM survey estimated that over 60% of
their information sprawl was due to unstructured content.¹

Digital transformation efforts have resulted in critical content being
spread across different systems, making it harder to govern.

Only 42% of people believe they’re on track to meet their governance
objectives, according to a Gartner survey. Moreover, lacking a modern
approach, 80% of organizations seeking to digitally scale will fail by 2025.

Today’s digital-first companies use Box to centrally manage their
unstructured content across best-of-breed applications. With Box
Governance, you can create content management policies to properly
retain, dispose, and preserve your content.

Only 42% of people believe they’re on track to meet their governance
objectives.²

Lacking a modern approach, 80% of organizations seeking to digitally scale
will fail by 2025.³

¹ AIIM, Accessible and Secure – Best Practices for Automating Information Governance
²,³ Gartner, Choose Adaptive Data Governance Over One-Size-Fits-All for Greater Flexibility

Step 1: Start early

There’s no time like the present to start tackling information governance.
Most organizations have to adhere to multiple regulations, and it’s likely
yours does as well.

Seventy-five percent of organizations must adhere to at least two
regulations, according to AIIM, and many companies are subject to an even
greater number of privacy (GDPR, CCPA, etc.) or industry (FINRA, PCI,
etc.) policies. At the same time, fewer than one in three organizations have
confidence that their retention policies could stand up to
regulatory scrutiny.⁴

Why companies don’t tackle governance / Why governance matters

“Tools for information governance are complicated and costly to maintain.”
• You’ll save money by preventing issues in the first place
• Over 550 million pounds levied from the UK’s Financial Conduct
  Authority (FCA) in 2021⁵
• HIPAA fines for large healthcare organizations have averaged over
  $2 million over the last few years⁶

“Our employees should focus on growing the business; training them on
compliance issues is distracting and time-consuming.”
• Without good governance guardrails, employees get bogged down in manual
  retention processes; for example, 46% of organizations spend 6+ hours
  per week in each department managing manual retention of content,⁷
  keeping employees from more strategic activities
• Over 50% of senior executives deem the ability to transform the
  compliance process and automate information management as highly
  important to an organization⁸

“The risk of deleting data outweighs that of keeping it.”
• Keeping sensitive information, like credit card data and personally
  identifiable information (PII) beyond its business use can lead to
  regulatory non-compliance and fines⁹
• 38% of senior executives believe that regulatory action from
  loss/exposure of personally identifiable information poses the greatest
  risk to their company

⁴,⁷ AIIM, The True Cost of Data Retention
⁵ Financial Conduct Authority, 2019 fines
⁶ Compliancy Group, HIPAA Fines Listed by Year
⁸ AIIM, Accessible and Secure – Best Practices for Automating Information Governance
⁹ AIIM, Why is Important Disposition Just as Important as Information Retention?

“We now have more control and more
governance over our data; everything is
encrypted. You can liberate yourself from the
headache of managing your service and really
focus yourself on what your business needs.”
Michael Ibbitson, Executive Vice President,
Technology and Infrastructure, Dubai Airports

To learn more about Dubai Airport’s partnership with Box, visit
box.com/customers/dubai-airport

Step 2: Get all stakeholders on board

It’s a good idea to assign one person to take the lead on information
governance for your organization. But you will need buy-in from executives
and other stakeholders across your company to be successful.

Employees need to get their work done one way or another, and if they are
not invested in your system, they will find a way to work outside of it. Show
stakeholders how you will make their lives easier so they are motivated to
participate in the process.

Executives
Protect the business from excessive litigation costs,
compliance risks, and bad press.

Legal
Maintain chain of custody on content and manage ediscovery;
minimize costs and reduce legal exposure from subpoenas or
data spoliation.

HR and finance
Ensure proper retention and disposition of employee and
financial records.

IT and security
Confirm classification levels and other requirements for
protecting sensitive documents.

Compliance and records managers
Ensure the most important regulations and internal policies
for document compliance and retention are met.

End users
Preserve the ability to get work done without friction from
security, governance, and compliance requirements.
“We are a FINRA-regulated company, so
compliance and security are always a key
foundation for any solution. We chose Box
because it met our security and compliance
requirements and for its ease of use.”
Kathyrn Dundas, Vice President Technology, LPL Financial

Step 3: Proactively set guardrails for document lifecycle management

Protect sensitive or regulated data by applying intelligent policies
that automatically follow your content. When you set guardrails for
your users — from classification levels and retention and disposition
schedule timeframes, to rules for external sharing — you make adhering
to governance requirements much easier on your teams.

Here’s a handy checklist for how to get started:

Retention policies
Determine time periods for which you will retain content, and
set disposition actions for when the retention period ends.

Legal hold export
Export documents on legal hold for legal review and select custom
filters to narrow scope and improve relevancy of exported content.

Compliance support
Configure policies to comply with regulations like FLSA, OSHA, and
SOX as well as industry-specific regulations like FINRA for financial
services or HIPAA for healthcare.

Deletion control
Decide who can permanently delete items from the trash. Create an
automatic email archive of user activities.

Data protection
Protect high-value data from accidental or malicious deletion by
setting protective policies.

Version control
Maintain an unlimited number of versions for all files, enabling the
ability to preserve and restore all previous versions. Keep as many
versions of files as you need for retention and identify potentially
relevant content for discovery requests.
“When we rolled out Box in our litigation
practice, we were able to then collaborate
and share content with courts much more
easily and effectively, and clients were
able to share data with us on a digital
basis much more securely.”
Shawn Curran, Head of Legal Technology, Travers Smith

To learn more about Travers Smith’s partnership with Box, visit
box.com/customers/travers-smith

Step 4: Keep it simple

Don’t succumb to analysis paralysis and worry about accounting for
every last use case before implementing your information governance
plan. Instead, work with broad strokes to apply appropriate policies
to as much content as possible — especially for high-risk or regulated
departmental content.

Here’s how we’ve seen forward-thinking companies keep
information governance simple, secure, and seamless:

“Big bucket” strategy
Group your content into big buckets wherein you apply
appropriate policies. For example, rather than having separate
policies for all accounts payable files (vouchers, invoices, receiving
reports, purchase orders, checks, etc.), bucket them into one
policy based on the most high-risk content.

Self-governing documents
Make retention simple for users and administrators so they don’t
have to interact with files in a separate, siloed repository or go
through cumbersome, manual processes. Instead, use lifecycle
management policies that follow documents where people engage
with them across all their workplace applications.

Classification cues
Remind employees what category a document falls into (contract,
employee record, etc.) and if it contains sensitive data with
visual cues. If a file meets a specific confidentiality or regulatory
threshold, proactively set the right lifecycle management and
security guardrails. This takes the burden off the user.

Defensible preservation
Preserve content for subpoenas or legal action without impacting
user productivity or requiring significant time and effort from
your legal or IT teams.

Step 5: Talk to our experts

Compliance remains a key driver for organizations to expand their data
governance strategy, and as the regulatory landscape grows more complex,
it is more important than ever. Discover better ways to easily configure
your systems to meet compliance regulations, reduce corporate risk, and
build the right content management policies into your business. There’s no
time like the present to start tackling information governance with the Box
Content Cloud.

To learn more, visit box.com/security/governance-and-compliance

Box (NYSE:BOX) is the leading Content Cloud, a single platform that
empowers organizations to manage the entire content lifecycle, work
securely from anywhere, and integrate across best-of-breed apps.
Founded in 2005, Box simplifies work for leading global organizations,
including AstraZeneca, JLL, and Nationwide. Box is headquartered in
Redwood City, CA, with offices across the United States, Europe, and
Asia. Visit box.com to learn more. And visit box.org to learn more about
how Box empowers nonprofits to fulfill their missions.

To learn more about Box, visit box.com
