What Is a Culture of Compliance?


Keeping your enterprise compliant with industry regulations takes time, resources and continual vigilance. Learn how to create a culture of compliance that keeps you on the right side of the law.


FAST FACT: According to the Best Practices for Data Management, only 17% of survey respondents have enterprise-wide, consistent retention policies. This leaves them vulnerable to noncompliance risk, reputation damage and fines.

DID YOU KNOW? Email is data, too, and regulations often demand that you back up and store it in a way that is easily recoverable and searchable. For example, the Securities Exchange Act, updated in 2003, requires “all communications received and all communications sent” be backed up.


Compliance—or rather, lack of it—is never far from the headlines. They just don’t call it “compliance.” Instead, it’s “horsemeat in the hamburger,” “questionable spending of campaign funds” or “credit card breaches.” Noncompliance is a less direct way of saying, “breaking the rules,” or, simpler still, “cheating.” Noncompliance starts with individuals—and it can stop there, too.

Does your company usually follow the rules, or does it break them? There’s probably some of both. Noncompliance, however, is an issue you must minimize in the interest of your long-term success.

The Cost of Noncompliance

Huge fines for noncompliance always seem to make the news. Some companies pay up, but others simply go under. Choosing to be noncompliant (and it is a choice) is a game in which there are a number of ways to lose—all of them costly.

For example, the government could throw a big red penalty flag. There could be a large fine. Audits and litigation could crop up. Shareholders could get angry. Customers and talented employees could flee. Or all of the above—at the same time.


Destroy Data, But Not Too Quickly

It’s important to have a plan for secure media destruction to get rid of hard drives, backup tapes and other media after their useful lives. But what do you do if some of the data you marked for destruction is suddenly needed for discovery?

If you can’t put a quick stop to the destruction process, you may find yourself subject to fines and other penalties related to the incomplete backup of required data. That’s why it’s important that your media destruction practice includes a formal destruction hold policy. With such a policy in place, you’ll likely be able to stop the disposal of data that may turn out to be relevant to an investigation or audit.


Making Compliance Part of Your Culture

The best way to achieve compliance is to make it an unalterable part of your corporate culture. By creating a “culture of compliance,” you might not solve all your problems, but you should be able to show that noncompliant employees are just that, rather than symptoms of a systemic problem. That critical distinction can reduce the cost of enforcement actions should they become necessary.

Corporate culture reflects what managers reward. Making compliance a way of life often requires board and C-level support, but it can also take hold at the workgroup level. Anyone can make the decision to be compliant and encourage or demand that others do likewise.

Simply put, compliance means playing by the rules. How can you be compliant yet play to win? The answer: Establish and maintain a company culture that embraces compliance and builds compliance management into the everyday workflow.

First, make sure you have a firm grasp of your current organizational culture and its existing compliance problems. Then make sure to get buy-in from department heads by explaining to them what’s at stake. Once they take compliance and its best practices seriously, their teams are much more likely to get on board as well. Also remember to loop in the corporate legal team, which has a large stake in compliance issues.

Getting Down to Work

Using data policies as an example, your goal is to develop a formal and defensible company-wide data retention schedule that clearly outlines what should be backed up, how and for how long. Your policy must also account for information in electronic formats, no matter where it lives: PCs, servers, backup tapes, mobile devices, flash drives and the like.

That last point is important, because knowing where any record is at any given moment is key to compliance and to running your business in the most secure way. You already know the flipside: An inadvertent breach in information security leads to fines, penalties and damage to your reputation.

That’s scary stuff—but if you need to use scary stories to make your point, go right ahead. Communication and education are critical to the success of your compliance efforts.

Employees need training, frequent feedback and opportunities to practice a compliant work style, as well as constant reminders of why compliance matters. It won’t be a true culture of compliance until everyone is part of it.

Compliance isn’t about any individual part of a business, though it must be implemented at a granular level. The same ideas that relate to data compliance have parallels throughout a business. The universal goal is to get everyone working together.

Finding the Help You Need

Compliance is important in all areas of your business. Trusted partners, both internal and external, can mean the difference between success and failure in transforming corporate culture. Lawyers, accountants, consultants, and corporate responsibility and industry groups can all help companies understand compliance issues.

Iron Mountain is one such trusted partner, and its specialists can help ensure compliance with data backup, retention and related requirements. Companies don’t often intend to break the rules in these areas, but they cut corners or fail to make necessary investments in them. Iron Mountain can be your partner in a compliance program.


Compliant Backup to the Cloud

When building your culture of compliance, it’s worth considering whether the cloud can be a shortcut to reaching your goal.

Cloud backup services from a trusted partner let you move your data offsite to a secure facility with the assurance that the data remains safe during transmission, storage and access. That partner should also be able to offer Web-based management tools to help make cloud-based backup easy and cut down on training time.

With a partner that has repeatable processes in place for getting backed-up data to and from its secure location, your backup can meet regulatory requirements. Your partner should also be able to update you when the rules change, as they often do.


Enjoying the Results

Developing a proactive compliance program can ultimately help you cut your operational costs, improve efficiencies and reduce risks. Once you’ve developed your plan, you can relax—at least a little—knowing that you’re well set up to:

  • Demonstrate your adherence to laws and regulations
  • Speed your response times when audits or litigation occur
  • Reduce the risk of fines and penalties
  • Improve your business efficiencies
  • Reduce your administrative costs
  • Get control over your critical records

That’s the kind of business you want to run—and the kind of culture you want to promote. Compliant data backup and recovery practices can help you get there.

Compliance Comes From Above

A real culture of compliance requires top managers to set an example of honesty, transparency and fair dealing. At these companies, employees are expected to do the right thing—not the fast thing, the most profitable thing or the thing that makes them look good.

Such companies have ways for workers to report noncompliance that don’t allow for retaliation by those found cheating. And it can’t just be lip service. Employees figure that out quickly, and it can actually encourage noncompliance.


Do you have questions about data backup and recovery? Read additional Knowledge Center stories on this subject, or contact Iron Mountain’s Data Backup and Recovery team. You’ll be connected with a knowledgeable product and services specialist who can address your specific challenges.
