Electronic Information Deluge Putting a Strain on Records Management

Joe Mont | May 22, 2012

Despite increased resources and good intentions, companies are still fumbling when it comes to executing a comprehensive information management program that balances the unique needs of physical and electronic documents.

That's the overarching conclusion of the latest Iron Mountain Compliance Benchmark Report, an analysis developed from more than 4,000 compliance risk assessments with input from professionals in every major vertical market, conducted recently by the global provider of information management services.

The report found that the “deluge of electronic information” means greater challenges for managing information in multiple formats and across many locations.

“[Companies] have pretty good programs for hard copy, but the electronic documents have increased the complexity of their world significantly. The worlds of electronic and hard copies are starting to collide and it is causing them trouble,” says Sumukh Tendulkar, director of product and solutions marketing for Iron Mountain's records management business. He says companies have also struggled to keep up with the shifting regulatory requirements for electronic records.

The report says this trend shows the need for “having a program foundation that includes policies, training, and a retention schedule to provide the groundwork for a healthy, unified program.”

Among the challenges cited: paper records are stored onsite across multiple facilities and locations, or paper records are stored offsite with one or more third-party vendors. “Electronic records are everywhere and in too many formats to grasp,” the report states. Such formats include applications (like Microsoft Word and Excel), file shares, SharePoint, tape, desktops, and even the “cloud.”

“No single, consistent policy has been defined and applied to all these records,” the report continues. “When faced with this level of complexity, it's no wonder that organizations struggle to achieve even the most fundamental best practices.”

The study focuses on what it calls the “commitment-practice” divide, meaning that companies are willing to devote more resources to the problems, but they don't yet have the right solutions at hand. According to the survey, 94 percent of respondents said their organizations intend to apply more budget and resources to information management in the coming year. More than 72 percent, however, lack a strategic, multi-year plan for records and information management.

“They have more money but they don't really have a good idea how to invest it,” Tendulkar says. “It isn't intent, it's implementation where they are still struggling.”

Among respondents, 80 percent said they have formal records and information-management (RIM) policies. Only 37 percent say those policies are consistently applied, however, and just 9 percent can claim the best practice of enterprise-wide, consistent policy adoption.

Even though 73 percent of organizations reported that legal departments, compliance departments, and formalized committees are accountable for the governance of RIM programs, just 15 percent regularly audit policies and procedures, review the findings with senior management, and respond with a formal remediation process.

This disconnect on policy monitoring and remediation can lead to costly compliance woes and legal dangers. Lacking enterprise-wide, consistent policy adoption “leaves many vulnerable to non-compliance risk, reputation damage, and real costs,” the report warns. Of the organizations surveyed, 63 percent reported a “trigger event” that cost them money.

“What we hear is that a lot of companies end up settling just because they know the cost around discovery is so high and they have no confidence in their discovery,” Tendulkar says.

“We feel the key part of legal discovery is really having this unified approach; bring everything together and think of it in a holistic way,” he adds. “Consistency signifies the intent and judges value that you have a policy and you are sticking to it. Having unification goes a long way to consistency.”

Social Media Challenges

The emerging role of social media has added a new policy challenge. Iron Mountain's research found that nearly 50 percent of the business managers it surveyed said they were unaware they were legally liable for their social media content. A third of the businesses surveyed described their oversight of social media as “unmanaged and chaotic.”

“Many companies don't even realize that they are creating records on these blogs and tweets,” Tendulkar says. “Sometimes employees are acting as their agents, sometimes they are not.”

“The definition of record is being misused,” he adds. “Now, there are records and there are documents and the challenge is that they are both discoverable. Even though you may just have sent an instant message internally to someone doesn't mean that is off the record. If you store it and can retrieve it, it is discoverable. These are records.”

A Unified Approach


Below are two graphs from the 2012 Iron Mountain survey.

Source: Iron Mountain.

Iron Mountain's report stresses the importance of Unified Records Management (URM) policies as a centralized means to access both paper and electronic documents, manage onsite and offsite files, consistently classify data, apply legal holds, and set retention periods.

It suggests a step-by-step process to build such a program. A foundation must first be established that focuses on policy, procedures, retention, training and other basics. The next effort should be to unify physical records and implement system-wide protocols. A similar approach can then tackle the larger challenge of unifying electronic records.

At all three phases, organizations should prioritize areas of risk and seek opportunities for improvement that align with business goals and strategies.

A best-practice RIM program needs to include education and training to ensure that employees have clearly defined, role-specific responsibilities. There should be understood procedures employees follow for properly disposing of records at the end of their specified retention periods. Well-documented accountability needs to extend throughout the organization.

“When you make it easy for employees to reference retention policies, you're more likely to see those policies actually being applied,” the report advises, adding a troubling statistic that 23 percent of survey respondents said they do not have a legally credible retention schedule.

Organizations should commit to updating their retention schedule every 12 to 18 months, including consideration of new media types, geographies, and business units, Iron Mountain suggests. Clear-cut policies are also necessary to index data for retrieval, maintain privacy, detail the disposal process, and establish a chain-of-command for compliance oversight.

Note: A webcast on Thursday May 24, 2-3 p.m., will feature Sue Trombley, managing director of consulting at Iron Mountain, discussing “Iron Mountain Compliance Benchmark Report: A View Into Unified Records Management.”