New Report Shows Organizations Struggling to Implement and Enforce Policies for Managing Records, Despite Increasing Spend
SharePoint and social media records further challenge information ecosystems, driving the need for unified policies for physical and electronic information
Iron Mountain to present report findings during May 24 webcast
BOSTON – May 21, 2012 – Despite greater investments in their information management programs, most organizations still struggle with properly implementing those programs and getting employees to comply with them, putting them at risk for information loss, regulatory non-compliance and litigation. And while an increasing number of companies have one policy for handling paper documents and electronic files, the pervasive growth of new record sources like Twitter, wikis and collaborative software applications like Microsoft SharePoint threatens their ability to keep those policies current and compliant.
These are two of the lead findings from a new report released today from information management company Iron Mountain Incorporated (NYSE: IRM). Now in its third edition, Iron Mountain’s Compliance Benchmark Report examines the information management practices of more than 3,000 organizations – public, private, government and non-profit – providing a state-of-the-industry assessment of how well information is being protected, made available and destroyed.
Last issued in 2010, this recent version of the report shows companies making strides when it comes to adopting one policy for storing and handling both electronic and physical records. Past reports showed company policies designed primarily for paper records and didn’t account for electronic files and email. What’s more, these new findings seem to suggest a growing consensus that the practice of records management is really risk management, with a larger percentage – 60 percent in 2012 vs. 25 percent in 2010 – of legal/compliance and audit/risk departments now responsible for implementing, enforcing and auditing policies.
“This year’s report shows promising trends of stronger oversight of information management and better integration of policies for electronic and physical records,” said Harry Ebbighausen, president of North America, Iron Mountain. “At the same time, however, those gains are threatened by whether organizations can consistently apply records management policies across the organization and how well they enforce them through training and auditing. Until you can manage all your records under one program, regardless of format or location, the road to unified records management will remain a rocky one.”
Key findings of this year’s report, subtitled “A View into Unified Records Management,” include:
- Ninety-four percent of respondents will apply more budget and staff to information management. The growing investment is noteworthy, particularly given the still uncertain economy. Yet, less than one third (28 percent) indicated they have a long-term, strategic plan with executive-level support for records and information management. Lacking a formalized, executive-sponsored plan, many organizations will continue to spend valuable time and resources struggling to implement and enforce effective, long-term best practices.
- Integrated policies for paper and electronic records are on the rise, but adoption is still a challenge. Eighty-three percent of respondents have records management policies that cover both paper and electronic records, and nearly half (48 percent) report that those policies are well integrated into their organization’s data privacy and security policies – a best-practice in information management and a nine percent increase from the 2010 report. But only nine percent have seen those policies consistently adopted.
- Training on those policies is lacking. Organizations have made some strides in employee training on records and information management policies (a 25 percent improvement since 2010), but 36 percent of respondents have no formal training or do it on an ad-hoc basis.
- Monitoring compliance remains a major challenge. Ensuring employees comply with records and information management policy represents a major challenge for organizations, with 74 percent of respondents indicating they monitor on an ad-hoc basis or not at all. This finding is an 11 percent decline from the 2010 report.
- Many report paying money to fix information-related events. Even with more companies adopting comprehensive policies for paper and electronic records, just 37 percent say their organizations consistently apply those policies, leaving them vulnerable to regulatory or litigation non-compliance. Sixty-three percent reported experiencing an event like litigation, disaster, or data loss that cost their company money.
In response to these findings, Iron Mountain encourages organizations to adopt a unified records management approach and recommends the following for creation and implementation:
- Set Proper Policy – Get the fundamentals right to achieve compliance. Include key aspects such as governance, communication, education/training, and implementation; once defined, roll out this policy to the organization and to include all information types.
- Make retention and compliance a priority – Retention covers both the preservation and destruction of information when it reaches the end of its business life and applies to all business records. Effective retention schedules apply to all business records and are regularly updated to comply with changing regulations and business needs.
- Information should be easily identifiable and readily available. An organization capable of quickly identifying and retrieving records enjoys a competitive advantage, enhanced productivity, and greater protection from regulatory or discovery non-compliance. Classify information based on key identifiers such as record location, subject, author, date and method origination, system of creation and intended recipient. Then define authorizations and security controls to ensure it is available when it is needed and who should have access.
- Protect and dispose of records the right way. Following consistent practices for safeguarding and properly disposing of information reduces the risks of exposure and theft while also helping to control storage costs. Documenting detailed instructions on how records are identified and approved for disposal, as well as the processes for destruction can protect against inadvertent disclosure or improper destruction.
- Audit policies and make the organization accountable. Driving enterprise-wide adoption of the records and information management program requires a culture of accountability. Evaluate the success of that program through regular audits that follow defined metrics for success. Make employees accountable for their role in ensuring consistent adherence to policies, and provide visibility, encouragement and support for the overall program at the highest levels of the organization.
Iron Mountain will share the full results of the 2012 Compliance Benchmark Report: A View into Unified Records Management during a webcast with ComplianceWeek on May 24 at 2 p.m. ET. To register for the webcast and obtain a free copy of the report, visit http://www.ironmountain.com/Company/Events/2012/May/24.aspx.
About Iron Mountain
Iron Mountain Incorporated (NYSE: IRM) provides information storage and management services that help organizations lower the costs, risks and inefficiencies of managing their physical and digital data. The Company’s solutions enable customers to protect and better use their information so they can optimize their business and ensure proper recovery, compliance and discovery. Founded in 1951, Iron Mountain manages billions of information assets, including business records, electronic files, medical data and more for organizations around the world. Visit www.ironmountain.com or follow the company on Twitter @IronMountain for more information.