Best practices for records management are a must
While many organizations are making great
strides in their overall records management efforts and
devoting more legal, financial, technological and human
resources than ever before to their programs, the 2007 edition of the Iron Mountain Compliance Benchmark Report
shows that 65 percent of public and private organizations
surveyed do not have an enterprise-wide records management policy and program.
This Compliance Benchmark Report, based on a survey of 2,000 organizations, shows that those organizations
without an enterprise-wide records management policy
and program are at risk of noncompliance with state and federal
regulations, possibly facing heavy
fines and the loss of brand equity
as a result.
Still, companies are recognizing the need for a formal records
management policy. New rules,
such as the amended Federal
Rules of Civil Procedure, the Sarbanes-Oxley Act, and the Fair and
Accurate Credit Transactions Act,
mandate how organizations maintain records. Technology makes the
issue even more complex, as the
types of covered formats—including paper, microfilm, email, digital information, online
transactions, images and instant messages—expand.
Sixty-one percent of organizations surveyed say they are
committed to improving their records management policies and are in the process of identifying plans for continuous development.
According to Iron Mountain’s chairman and CEO Richard Reese, the Compliance Benchmark Report serves a dual
purpose: It’s a true benchmark for the state of the storage
art, and it can be used as a risk assessment tool to gauge
the strengths and vulnerabilities of records management
programs. Under the risk assessment mode, Iron Mountain
has developed the Iron Mountain Health Scale, a uniform
evaluation of an organization’s performance and procedures across five specific Best Practice Areas, in addition
to an overall assessment of an organization’s Compliant
Records Management performance.
“We developed the risk assessment to help our customers understand how well their records management
programs stack up against industry norms and best practices,” says Reese.
BOTTOM LINE: Despite mounting regulatory pressures and ever-expanding amounts of data, a recent survey finds that 65 percent of public and private organizations do not have a comprehensive records management program in place.
Laura McDaniel, Director of Compliant Records Management Program, Iron Mountain
“This is a tool to help businesses uncover the hidden risks
of noncompliance and implement a plan to reduce those
risks and costs. Iron Mountain is uniquely positioned to
help companies do both.”
Assessing Records Management
Complex technologies and dispersed data, including distributed IT infrastructures and the globalization of business functions, are challenging organizations to find new
ways to protect and preserve information consistently
across the enterprise. Until now, there was no comprehensive or current benchmarking material for records management. Yet this information is imperative to creating a
frame of reference for the organizations. The study was
designed to ascertain overall ratings and identify particular
areas of strength and weakness within five defined best-practice areas: Retention, Policies and Procedures, Index
and Access, Disposal, and Audit and Accountability. The
report also establishes a clear cross-industry review, and
attempts to determine if that picture is consistent with
common perceptions.
A Compliant Records Management program necessitates control and protection of information assets that
are subject to legal obligation, including digital data and
media, correspondence, email and paper files. Effective
control and protection are synonymous with the consistent
and accurate application of a comprehensive program for
risk mitigation. So how are current records management
programs performing in specific matters and relative to
best practices—and what are the implications for compliance?
Key Findings
• Records management oversight is unclear. Seventy-three percent of organizations say that oversight
responsibilities are “not clearly defined” and steering
committees have limited participation from key stake-