A Practical Guide For A Records And Information Management Risk And Control Framework

Download PDF

Why Read This Document?

In today’s information-driven economy, it’s not enough for organizations to say “we know what our information risks are.” The newspapers are filled with stories about how improper management and control of information have led to regulatory fines, sanctions, reputation damage and loss of customer trust.

All organizations, and in particular those that are highly regulated, must be proactive in designing a risk mitigation and control methodology that covers all stages of the information lifecycle — from information creation to secure disposal.

The volume of information continues to grow exponentially, making the job of controlling and managing it more and more difficult. We are quickly realizing the need to construct a control framework specifically to address the risks posed by information management. This framework is a vital component of an Information Governance program.

Ensuring that information risks are well understood, documented and then controlled in order to mitigate them are practices that every institution should follow. In addition to external threats, our regulators expect no less.

Readers of this paper will find helpful guidance on controls that must be put in place to manage information-related risks effectively, as well as a suggested risk-rating system for capturing the current status of your organization’s control environment


Members of Iron Mountain’s Customer Advisory Board (CAB) formed a Committee in early 2014 to identify and share proven practices around the topic of records and information management (RIM) risk. We started out with the question: “what is the best way to construct, garner support and monitor compliance to RIM policy.”

Through our discussions we determined that while each organization shapes and defines how compliance measurement is conducted to meet their individual requirements and culture, there are certain universal RIM risk and control elements. Recognition of this fact prompted the Committee to create this practical RIM Risk & Control Framework Guide with the objective of establishing a set of common risk controls to share with their peers as organizations continue to build and refine a robust Information Governance program.


Information Governance

Information Governance is the multidisciplinary enterprise accountability framework that ensures the appropriate behavior in the valuation of information and the definition of roles, policies, processes and metrics required to manage the information lifecycle, including defensible disposition.

At the onset of our collaboration, the following topics were selected by the Sub-Committee as being essential to the advocacy and development of the framework:

  • Definition of an RIM Risk Framework
  • Key Drivers for Compliance
  • Identification of Critical RIM Controls
  • Institutionalization
  • Roles and Responsibilities
  • Measures of Success
  • Action Plan for Improvement

The RIM Risk & Control Framework Sub-Committee and Iron Mountain are pleased to provide this Guide for developing and maintaining an RIM Risk & Control Framework for use in institutional compliance and information governance programs. This framework is by no means definitive or final. Rather, it is a first step on a journey to develop clarity and guidance on how to approach proper information compliance. It is our hope that you adopt the Guide to start an internal dialogue to gain the cross-functional executive buy-in mandatory to support your organizational compliance requirements and platform.

Records & Information Management Risk & Control Framework

The RIM Risk & Control Framework establishes an operational self-assessment program that allows business managers to diagnose their own performance against a set of given controls. Such a program provides a comprehensive and consistent protocol for business managers, regardless of their location or the work they perform, to identify and address potential weaknesses in the design or execution of internal RIM processes.

Through a self-assessment process, lines of business can identify problem areas and drive the implementation of corrective actions to prevent, resolve or mitigate key operational, legal, compliance and reputational risks and costs. This process is supported by key functional areas such as RIM, Compliance, IT, Information Security and Privacy and Internal Audit to provide input to the creation of the program. It also helps to support its implementation and to assist in the creation and execution of a remediation plan after assessments have taken place.

All risks associated with the information life cycle must be managed within the context of policies, procedures, industry standards and best or proven practices to ensure that regulatory, operational, compliance and legal requirements are met.

The RIM Risk & Control Framework should be positioned as a component of a broader set of organization-wide compliance controls. Organizational compliance is described as an enterprise’s “tangible efforts to prevent, detect and otherwise respond appropriately to wrongful behavior associated with the actions of those working on an organization’s behalf. This includes directors, officers, employees, agents and independent contractors.”1

A set of standard controls for the business must be established for an organization by an internal governance authority. While all controls may not be applicable to all lines of business, the set of RIM risk controls must be mandatory regardless of the function being performed (e. g., Human Resources or Legal/Compliance) or its location (e.g., North America or Asia).


The compelling reasons for instituting an RIM Risk & Control Framework are in some cases universal and in others specific to a region or individual jurisdiction.

Only 8% of organizations use metrics to “inspect what they expect” and only 17% conduct RIM compliance audits

Universally, the ability to provide proof of proper risk management and compliance protocols for regulatory bodies, customers and auditors is a major driver. Yet, according to the 2013|2014 Cohasset/ARMA Information Governance Benchmark report, only 8% of organizations indicate the use of some form of metrics to track RIM activity and a mere 17% conduct RIM compliance audits. In addition to these low numbers, only 7% of the survey respondents claim that their employees are engaged in their RIM programs.

Only 7% report employees are engaged in RIM.

Examples of drivers include general and industry-specific compliance laws and data privacy obligations. In the United States, regulations include the Dodd-Frank Act, Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA) and the Sarbanes- Oxley Act (SOX). In the EU, the Financial Conduct Authority (FCA) and Prudential Regulatory Authority (PRA) are prime examples. The European Union General Data Protection Regulation (GDPR) that is set to replace the 1995 Data Protection Directive (EU Directive 95-46- EU) is another strong motivation for implementing an RIM Risk & Control Framework.

Given the multitude of drivers and our current inability to track or measure policy compliance to mitigate that risk, there is a substantial gap to be filled between an organization’s commitment to managing information and proof of actual practice. Only 8% of organizations use metrics to “inspect what they expect” and only 17% conduct RIM compliance audits. Only 7% report employees are engaged in RIM. 6 800.899.IRON | ironmountain.com It is unrealistic to expect resource constrained RIM staff to police the entire organization, especially when the volume and variety of electronic records is factored into the information management equation. Therefore, a new method of engaging the lines of business responsible for the creation, receipt, maintenance and disposition of information must be devised and implemented. Evidence of their compliance to a base line set of mandatory Controls will strengthen an institution’s compliance profile and lead to mitigation and/or remediation plans, as required into the information management equation.

Rim Risk Controls

There are nine major categories of RIM Risk Controls featured in this Guide that address the management of information through its lifecycle. They are:

  • Governance
  • Inventory
  • Retention
  • Disposition
  • Legal Holds
  • Privacy and Security
  • Partner Management
  • Staffing
  • Training

For each category we give a brief description that is followed by a table. The table is comprised of four elements:

Control: A standard of performance within the category that has been designated as critical to the RIM Risk Assessment process.

Description: An explanation of the meaning and relevance of the control.

Supporting Information: Additional guidance as to specific actions for evaluation that is associated with the control.

Rating: Guidance for assigning an assessment value to the control to be used in determining the level of line of busines compliance. It is expected that the line of business respondent will select a number from one – four based on its actual adherence to the control (one is the highest attainable rank, four the lowest). Bear in mind that not all lines of business may need to achieve the highest rating for all of the controls.

Click to Download Full Report


Records Management Solution Brief
Records Management Solution Brief

Topics: Govern Information

With Iron Mountain Records Management services, you'll have the resources you need to effectively store and safeguard your information assets, and make them easily accessible to individuals across your organization.