A Practical Guide for a Records and Information Management Risk & Control Framework for Financial Services


Why Read This Document?

For regulated financial services entities, it is not enough to say “we know what our information risks are.” The newspapers are filled with stories about how improper management and control of information have led to regulatory fines, sanctions, reputation damage and loss of customer trust.

Financial institutions in particular must be proactive in designing a risk mitigation and control methodology that covers all stages of the information lifecycle — from information creation to secure disposal.

The volume of information continues to grow exponentially, making the job of controlling and managing it increasingly difficult. We are quickly realizing the need to construct a control framework specifically to address the risks posed by information management. This framework is a vital component of an Information Governance program.

Ensuring that information risks are well understood, documented and then controlled so as to mitigate them is a practice that every institution should follow. Beyond the pressure of external threats, our regulators expect no less.

Readers of this paper will find helpful guidance on the controls that must be put in place to manage information-related risks effectively, as well as a suggested risk-rating system for capturing the current status of your organization’s control environment.


Members of Iron Mountain’s Financial Services Customer Advisory Board (“CAB”) formed a Committee in early 2014 to identify and share proven practices around the topic of records and information management (RIM) risk. We started out with the question: “What is the best way to construct, garner support for, and monitor compliance with a RIM policy that is applicable to our respective companies and the financial services industry?”

Through our discussions we determined that, while each financial institution shapes and defines how compliance measurement is conducted to meet its individual requirements and culture, there are certain universal RIM risk and control elements. Recognition of this fact prompted the Committee to create this practical RIM Risk & Control Framework Guide, with the objective of establishing a set of common risk controls to share with peers as organizations continue to build and refine a robust Information Governance program.


At the outset of our collaboration, the following topics were selected by the Sub-Committee as being essential to the advocacy and development of the framework:

  • Definition of a RIM Risk Framework
  • Key Drivers for Compliance
  • Identification of Critical RIM Controls
  • Institutionalization
  • Roles and Responsibilities
  • Measures of Success
  • Action Plan for Improvement

The RIM Risk & Control Framework Sub-Committee and Iron Mountain are pleased to provide this Guide for developing and maintaining a RIM Risk & Control Framework for use in institutional compliance and information governance programs. This framework is by no means definitive or final. Rather, it is a first step on a journey to develop clarity and guidance on how to approach proper information compliance in the context of financial services. It is our hope that you adopt the Guide to start an internal dialogue to gain the cross-functional executive buy-in mandatory to support your organizational compliance requirements and platform.

Records & Information Management Risk & Control Framework

The RIM Risk & Control Framework establishes an operational self-assessment program that allows business managers to diagnose their own performance against a set of given controls. Such a program provides a comprehensive and consistent protocol for business managers, regardless of their location or the work they perform, to identify and address potential weaknesses in the design or execution of internal RIM processes.

Through a self-assessment process, lines of business can identify problem areas and drive the implementation of corrective actions to prevent, resolve or mitigate key operational, legal, compliance and reputational risks and costs. This process is supported by key functional areas such as RIM, Compliance, IT, Information Security and Privacy, and Internal Audit, which provide input to the creation of the program, support its implementation, and assist in the creation and execution of a remediation plan after assessments have taken place.

All risks associated with the information life cycle must be managed within the context of policies, procedures, industry standards and best or proven practices to ensure that regulatory, operational, compliance and legal requirements are met.

The RIM Risk & Control Framework should be positioned as a component of a broader set of organization-wide compliance controls. Organizational compliance is described as an enterprise’s “tangible efforts to prevent, detect and otherwise respond appropriately to wrongful behavior associated with the actions of those working on an organization’s behalf. This includes directors, officers, employees, agents and independent contractors.” [1]

A set of standard controls for the business must be established for an organization by an internal governance authority. While not all controls may be applicable to every line of business, the set of RIM risk controls must be mandatory regardless of the function being performed (e.g., Human Resources or Retail Banking) or its location (e.g., North America or Asia).
