Contingency Planning

Benchmark Study Reveals 65 Percent of Organizations Have Not Implemented Enterprise-Wide Records Management Policies

October 11, 2007

Sixty-five percent of public and private organizations do not have an enterprise-wide records management policy and program, putting them at risk to face the heavy fines and loss of brand equity associated with non-compliance with state and federal regulations, according to a study of nearly 2,000 general counsels, CIOs and records management professionals. Sixty-one percent of organizations surveyed, however, say they are committed to records management improvement and are in the process of identifying plans for continuous development.

The Compliance Benchmark Study, conducted by Iron Mountain Inc., surveyed participants in private, public, government and non-profit organizations of all sizes and industries, to evaluate their current practices and areas for improvement.

Key findings of the study include:

Records management oversight is unclear: 73 percent of organizations state that oversight responsibilities are “not clearly defined” and steering committees have limited participation from key stakeholders. As a best practice, businesses should establish a senior level steering committee to provide oversight and strategic direction and clearly define and designate roles and responsibilities to its employees.

Records retention is solid: 81 percent of all organizations have a retention schedule that serves as the lynchpin for a compliance program and provides a blueprint for all records management activities. As a best practice, businesses should adopt and apply a universal records retention schedule across all business units and all records, regardless of media format.

Record retrieval is usually accurate and quick: Although participants differ in their own assessments of the speed at which they can retrieve active records from on-site filing areas and off-site storage facilities, 90 percent rate their ability to do so as effective and accurate. This indicates that most people are generally satisfied with their ability to retrieve records, and that most seem to understand the basics of record storage, indexing and retrieval. The success of a records management program hinges on the ability to access information for business support, litigation response, and/or regulatory compliance. To avoid sanctions or loss of rights, organizations should institute policies and procedures that facilitate timely and effective record recovery.

Secure destruction practices are inconsistent: Only 38 percent of organizations described a consistently applied program for the appropriate disposal of confidential information. Federal and state privacy laws require the secure destruction of virtually all documents that contain personally identifiable information. Therefore, it is important for records disposition to be an inherent and consistent element of an organization’s overall records management program, covering both active and inactive records. Standard destruction policies should be set at the corporate, rather than departmental, level and should be reviewed by the proper legal and compliance professionals.

Companies that participated in the benchmark study can use the results to educate key stakeholders and decision makers in their organization to make improvements to their records management program.

“The good news is that we’re seeing an emergence of competency and strength in key areas of records management, particularly in the highly regulated industries,” says Laura McDaniel, director of compliant records management at Iron Mountain. “Our research shows that more than half of respondents are very committed to records management improvements and as mandates and regulations continue to grow, this is a very positive sign.”

“The survey is a tool to help businesses uncover hidden risks of non-compliance and implement a plan to reduce those risks and costs,” says Richard Reese, Iron Mountain chairman and CEO.

— Iron Mountain Inc.