A Practical Guide For A Records And Information Management Risk And Control Framework
Why Read This Document?
In today’s information-driven economy, it’s not enough for organizations to say “we know what our information risks are.” The newspapers are filled with stories about how improper management and control of information have led to regulatory fines, sanctions, reputation damage and loss of customer trust.
All organizations, and in particular those that are highly regulated, must be proactive in designing a risk mitigation and control methodology that covers all stages of the information lifecycle — from information creation to secure disposal.
The volume of information continues to grow exponentially, making the job of controlling and managing it more and more difficult. We are quickly realizing the need to construct a control framework specifically to address the risks posed by information management. This framework is a vital component of an Information Governance program.
Ensuring that information risks are well understood, documented and then controlled is a practice every institution should follow. Beyond the external threats themselves, regulators expect no less.
Readers of this paper will find helpful guidance on controls that must be put in place to manage information-related risks effectively, as well as a suggested risk-rating system for capturing the current status of your organization’s control environment.
Members of Iron Mountain’s Customer Advisory Board (CAB) formed a Committee in early 2014 to identify and share proven practices around the topic of records and information management (RIM) risk. We started out with the question: “What is the best way to construct, garner support for and monitor compliance with RIM policy?”
Through our discussions we determined that while each organization shapes and defines how compliance measurement is conducted to meet its individual requirements and culture, there are certain universal RIM risk and control elements. Recognition of this fact prompted the Committee to create this practical RIM Risk & Control Framework Guide with the objective of establishing a set of common risk controls to share with their peers as organizations continue to build and refine a robust Information Governance program.
The RIM Risk & Control Framework Sub-Committee and Iron Mountain are pleased to provide this Guide for developing and maintaining an RIM Risk & Control Framework for use in institutional compliance and information governance programs. This framework is by no means definitive or final. Rather, it is a first step on a journey to develop clarity and guidance on how to approach proper information compliance. It is our hope that you use the Guide to start an internal dialogue and gain the cross-functional executive buy-in that is mandatory to support your organizational compliance requirements and platform.
Information Governance is the multidisciplinary framework that ensures the appropriate behavior in the valuation of information and the definition of roles, policies, processes and metrics required to manage the information lifecycle, including defensible disposition.
At the onset of our collaboration, the following topics were selected by the Sub-Committee as being essential to the advocacy and development of the framework:
- Definition of an RIM Risk Framework
- Key Drivers for Compliance
- Identification of Critical RIM Controls
- Roles and Responsibilities
- Measures of Success
- Action Plan for Improvement
Records & Information Management Risk & Control Framework
The RIM Risk & Control Framework establishes an operational self-assessment program that allows business managers to
diagnose their own performance against a set of given controls. Such a program provides a comprehensive and consistent
protocol for business managers, regardless of their location or the work they perform, to identify and address potential
weaknesses in the design or execution of internal RIM processes.
Through a self-assessment process, lines of business can identify problem areas and drive the implementation of corrective actions to prevent, resolve or mitigate key operational, legal, compliance and reputational risks and costs. Key functional areas such as RIM, Compliance, IT, Information Security and Privacy, and Internal Audit provide input to the creation of the program, support its implementation, and assist in the creation and execution of a remediation plan after assessments have taken place.
All risks associated with the information life cycle must be managed within the context of policies, procedures, industry
standards and best or proven practices to ensure that regulatory, operational, compliance and legal requirements are met.
The RIM Risk & Control Framework should be positioned as a component of a broader set of organization-wide compliance
controls. Organizational compliance is described as an enterprise’s “tangible efforts to prevent, detect and otherwise
respond appropriately to wrongful behavior associated with the actions of those working on an organization’s behalf. This
includes directors, officers, employees, agents and independent contractors.”1
A set of standard controls for the business must be established by an internal governance authority. While not every control will apply to every line of business, the set of RIM risk controls must be mandatory regardless of the function being performed (e.g., Human Resources or Legal/Compliance) or its location (e.g., North America or Asia).
The compelling reasons for instituting an RIM Risk & Control Framework are in some cases universal and in others specific to a region or individual jurisdiction.
Universally, the ability to provide proof of proper risk management and compliance protocols to regulatory bodies, customers and auditors is a major driver. Yet, according to the 2013/2014 Cohasset/ARMA Information Governance Benchmark report, only 8% of organizations indicate the use of some form of metrics to track RIM activity (to “inspect what they expect”), and a mere 17% conduct RIM compliance audits. In addition to these low numbers, only 7% of the survey respondents claim that their employees are engaged in their RIM programs.
Examples of drivers include general and industry-specific compliance laws, contractual standards and data privacy obligations. In the United States, these include the Dodd-Frank Act, the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA) and the Sarbanes-Oxley Act (SOX), along with the industry-mandated Payment Card Industry Data Security Standard (PCI DSS). In the UK, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) are prime examples of regulatory drivers. The European Union General Data Protection Regulation (GDPR), which is set to replace the 1995 Data Protection Directive (Directive 95/46/EC), is another strong motivation for implementing an RIM Risk & Control Framework.
Given the multitude of drivers and the current inability of most organizations to track or measure policy compliance, there is a substantial gap to be filled between an organization’s commitment to managing information and proof of actual practice.
It is unrealistic to expect resource-constrained RIM staff to police the entire organization, especially when the volume and variety of electronic records is factored into the information management equation. Therefore, a new method of engaging the lines of business responsible for the creation, receipt, maintenance and disposition of information must be devised and implemented. Evidence of their compliance with a baseline set of mandatory controls will strengthen an institution’s compliance profile and lead to mitigation and/or remediation plans, as required.
RIM Risk Controls
There are nine major categories of RIM Risk Controls featured in this Guide that address the management of information
through its lifecycle. They are:
- Legal Holds
- Privacy and Security
- Partner Management
For each category we give a brief description, followed by a table. The table is comprised of four elements:
Control: A standard of performance within the category that has been designated as critical to the RIM Risk
Description: An explanation of the meaning and relevance of the control.
Supporting Information: Additional guidance on the specific actions to evaluate that are associated with the control.
Rating: Guidance for assigning an assessment value to the control, used in determining the line of business’s level of compliance. The line of business respondent is expected to select a number from one to four based on its actual adherence to the control (one is the highest attainable rank, four the lowest). Bear in mind that not every line of business needs to achieve the highest rating for every control.