Cuba Gooding, Jr. says that barely a day goes by without someone asking him to repeat that iconic line from the film Jerry Maguire: “Show me the money.” While it isn’t my favorite movie, I do appreciate the call to action!
For years now, organizations have been investing in records and information management (RIM) programs: developing and publishing retention schedules, creating policy, conducting training, etc. Last year’s Cohasset/ARMA Information Governance survey reported that on average 87% of organizations have solid RIM programs – a consistent upward trend. Yet only 8% said they use metrics and 17% measure compliance to some degree. How can one attest with confidence to regulators, shareholders, customers, citizens, or auditors that policy is complied with? I say it’s time RIM professionals tell business units to “show me the evidence!”
Unless you are a very small firm, there is no way RIM staff can police each business unit, let alone every employee or contractor, to determine their degree of compliance with the company’s internal information management requirements. This shows in the inability of most organizations to “inspect what they expect.”
As the volume of information continues to grow exponentially, the job of controlling and managing it becomes more and more difficult – a monumental task. We are quickly realizing the need to construct a control framework specifically to address the risks posed by information management. As such, a RIM risk and control framework is a vital component of an Information Governance program.
Not surprisingly, the highly regulated financial services sector has taken the lead in devising a framework and associated process by which business units are compelled to assess their performance and activities against a defined set of “controls.” These controls are aligned to specific functions related to executing RIM, such as disposition, retention, privacy and security, legal holds, training, vendor management, and governance. Designated business managers – regardless of physical location – rate their ability to conform to each control on a scale from 1 to 4, with 1 being the highest possible degree of conformity.
Through a RIM Risk and Controls self-assessment, lines of business can identify problem areas and drive the implementation of corrective actions to prevent, resolve or mitigate key operational, legal, compliance and reputational risks and costs. Key functional areas such as RIM, Compliance, IT, Information Security and Privacy, and Internal Audit support this process: they provide input to the creation of the program, support its implementation, and assist in creating and executing a remediation plan once assessments have taken place.
Download a complimentary copy of the Practical Guide for a Records and Information Management Risk & Controls Framework to help you get a jump start on understanding your business units’ compliance profiles, so that you can continue to mitigate your risk and maximize your return on investment. In it you will find a set of Controls with suggested ratings, how to institutionalize the process, roles and responsibilities, measures of success, and how to construct an action plan for improvement.
Ensuring that information risks are well understood, documented and then controlled in order to mitigate them is a practice that every institution should follow. Beyond the pressure of external threats, our regulators, customers, and shareholders expect no less. Show them the evidence!
Follow me on Twitter @Sue_Trombley