A Practical Guide for a Records and Information Management Risk & Control Framework for Financial Services
Why Read This Document?
For regulated financial services entities, it is not enough to say "we know what our information risks are." The newspapers are filled with stories about how improper management and control of information have led to regulatory fines, sanctions, reputation damage and loss of customer trust.
Financial institutions in particular must be proactive in designing a risk mitigation and control methodology that covers all stages of the information lifecycle — from information creation to secure disposal.
The volume of information continues to grow exponentially, making the job of controlling and managing it more and more difficult. We are quickly realizing the need to construct a control framework specifically to address the risks posed by information management. This framework is a vital component of an Information Governance program.
Ensuring that information risks are well understood, documented and then controlled so as to mitigate them is a practice that every institution should follow. Beyond the external threats themselves, regulators expect no less.
Readers of this paper will find guidance on the controls that must be put in place to manage information-related risks effectively, as well as a suggested risk-rating system for capturing the current status of your organization's control environment.
Members of Iron Mountain's Financial Services Customer Advisory Board ("CAB") formed a Committee in early 2014 to identify and share proven practices around the topic of records and information management (RIM) risk. We started out with the question: "what is the best way to construct, garner support, and monitor compliance to RIM policy that's applicable to our respective companies and the financial
Through our discussions we determined that while each financial institution shapes and defines how compliance measurement is conducted to meet its individual requirements and culture, there are certain universal RIM risk and control elements. Recognition of this fact prompted the Committee to create this practical RIM Risk & Control Framework Guide with the objective of establishing a set of common risk controls to share with their peers as organizations continue to build and refine a robust Information Governance program.
At the onset of our collaboration, the following topics were selected by the Sub-Committee as being essential to the advocacy and development of the framework:
- Definition of a RIM Risk Framework
- Key Drivers for Compliance
- Identification of Critical RIM Controls
- Roles and Responsibilities
- Measures of Success
- Action Plan for Improvement
The RIM Risk & Control Framework Sub-Committee and Iron Mountain are pleased to provide this Guide for developing and maintaining a RIM Risk & Control Framework for use in institutional compliance and information governance programs. This framework is by no means definitive or final. Rather, it is a first step on a journey to develop clarity and guidance on how to approach proper information compliance in the context of financial services. It is our hope that you adopt the Guide to start an internal dialogue to gain the cross-functional executive buy-in mandatory to support your organizational compliance requirements and platform.
Records & Information Management Risk & Control Framework
The RIM Risk & Control Framework establishes an operational self-assessment program that allows business managers to diagnose their own performance against a set of given controls. Such a program provides a comprehensive and consistent protocol for business managers, regardless of their location or the work they perform, to identify and address potential weaknesses in the design or execution of internal RIM processes.
Through a self-assessment process, lines of business can identify problem areas and drive the implementation of corrective actions to prevent, resolve or mitigate key operational, legal, compliance and reputational risks and costs. Key functional areas such as RIM, Compliance, IT, Information Security and Privacy, and Internal Audit support this process by providing input to the creation of the program, helping with its implementation, and assisting in the creation and execution of a remediation plan after assessments have taken place.
All risks associated with the information life cycle must be managed within the context of policies, procedures, industry standards and best or proven practices to ensure that regulatory, operational, compliance and legal requirements are met.
The RIM Risk & Control Framework should be positioned as a component of a broader set of organization-wide compliance controls. Organizational compliance is described as an enterprise’s “tangible efforts to prevent, detect and otherwise respond appropriately to wrongful behavior associated with the actions of those working on an organization’s behalf. This includes directors, officers, employees, agents and independent contractors.”1
A set of standard controls for the business must be established for an organization by an internal governance authority. While not every control will apply to every line of business, the set of RIM risk controls must be mandatory regardless of the function being performed (e.g., Human Resources or Retail Banking) or its location (e.g., North America or Asia).