© 2014 Iron Mountain Incorporated. All rights reserved. Iron Mountain and the design of the mountain are registered trademarks

of Iron Mountain Incorporated. All other trademarks and registered trademarks are the property of their respective owners.

Turning INSIGHTS Into ACTIONSue Trombley, Managing Director, Thought Leadership,

Iron Mountain February 20, 2015

Agenda

▶ Benchmark Findings

▶ Action #1: Adopt IG

▶ Action #2: Tackle RIM

▶ Change Agent Role

▶ Resources

2

PwC/Iron Mountain Risk Index

Report for Mid-Market and

Enterprise

1200 NA and Europe respondents

Benchmarking: Cohasset and PwC Reports

Cohasset/ARMA Information

Governance Benchmarking

Survey Report

1500 respondents

3

Have you experienced

THE GAP?

4

5

Benchmark Report findings: A Call for Modernization

Effective IG is increasingly recognized as an imperative.

IG must modernize its efforts to manage ESI or never “catch up”.

Legal holds present major concerns due to over-preservation.

IG programs are more prevalent, better designed, and inclusive of

ESI. However, there are elements not addressed.

6

Information Risk findings: A Common Challenge

RISK AWARE

“Businesses have woken up to the need to manage risk. However, they are uncertain about what to do and remain ill-equipped to tackle the threat.”

65.7%Combined Index Score

66.3%Europe

65.7%North America

Source – PwC Information Risk Report

Your information is growing

EXPONENTIALLY.

It’s in all formats and scattered across

your organization – making it difficult to

find and even harder to manage.

Information Governance Challenges: InternalInternalInformation Governance Challenges

Transition from paper to digital records“Keep everything culture”All information, not just records, needs to be managedVolume, velocity, and variety of information

of organizations have no defensible disposition practice78%

have no automated tools to destroy eligible information75%

of information is ROT (redundant, obsolete, temporary)69% Of businesses see paper as highest information risk67%

more information created in 201440%

8.5 billion apps downloaded in 2015Social and mobile:

9

Information Governance Challenges: InternalInternalInformation Governance Challenges

Each function has its own concernsBig data pressureMetrics are missingData protection and security

measure complianceonly 8%Information used for competitive advantage

Potentially sold as an asset

Breaches are on the rise

Access controlsIT, LOBs, Compliance, RIM, Legal, Data Officer

10

Information Governance Challenges: External

Retention rules

Privacy (EU Data Protection Regulation)

Security

EU and national regulatory bodies

Customers

AuditsRegulations continue to increase

ExternalInformation Governance Challenges

Take Action #1:

Encourage Adoption of

Information Governance

11

“

Information Governance is the

multi-disciplinary enterprise

accountability framework that

ensures the appropriate behavior

in the valuation of information

and the definition of the roles,

policies, processes, and metrics

required to manage the

information lifecycle, including

defensible disposition.

RIM is a member of the IG

Council, not the sole owner of

the Program!

Make the Transition to Information Governance

Source: Information Governance Reference Model

/ © 2012 / v3.0 / edrm.net

12

13

IG Council Members’ Points of View

Records and

Information

Management:

How can I

ensure policy

is consistently

being

practiced?

Lines of

Business:

How can we

leverage the

information

in a

meaningful

way?

Compliance /

Audit:

How can we

ensure we meet

regulatory

requirements?

Security /

Risk:

What are the

risks to our

customers'

privacy for

keeping the

information?

Information

Technology /

Data Officer:

Can we save

cost by

removing

unnecessary

files from

servers? Can

we keep

everything

for analysis?

Legal:

How long

should we

hold on to

information

to meet our

legal

requirements

for

discovery?

Everyone comes to the table with a different motivation!

IG Engagement

14

How to get stakeholders

engaged? Change the

conversation!

Speak about information as an asset

rather than just a liability.

▶ Shift from fear to value

▶ Use analytics

▶ Advocate smart risk

Take Action #2:

Get Your RIM

House in Order

15

RIM Insights: Commitment/Practice Gap

TAKE ACTION: Audit current policy and implementation results

realistically and periodically. Create an action plan for improvement.

Consider employing self-assessment risk “controls” to monitor business

unit performance.

of organizations claim to have a mature RIM program

Yet, only…

▶ 8% use metrics to “inspect what they expect”

▶ 17% conduct RIM compliance audits

16

17

RIM Risk & Control Framework

RIM Insights: Employee Engagement

TAKE ACTION: Create a scheduled certification program for employees

that can be easily administered, such as eLearning. Provide a take away

upon completion for reinforcement.

Only 7% report

employees are

engaged in RIM

Just 35% train

employees every

1 to 2 years…

…and 26%

never train.

18

RIM Insights: Retention Schedules

TAKE ACTION: Schedule a refresh with emphasis on fewer classes and

more timely updates to rules for ease of use. Create a task force to

consider methods for managing event-based rules.

of organizations have a Records Retention

Schedule, yet respondents want:

▶ a more “uniform” Schedule (69%)

▶ fewer classes, series, or categories (51%)

▶ options for event-based rules (65%)

19

RIM Insights: Barriers to Disposition

TAKE ACTION: COLLABORATE with stakeholders to make disposition

decisions. Identify and document risks, excess spending, and productivity

losses to cost justify automated tools.

say “keep everything culture” is an impediment to

efficient RIM

▶ 75% have no automated tools to destroy eligible information

▶ 37% cannot obtain approvals for destruction

20

RIM Insights: Legal Holds

TAKE ACTION: Form strong bonds with your legal team. Explain how

blanket holds lead to non-compliance and increased risk and cost.

say they have a legal hold process, yet:

▶ Only 50% use automation

▶ 70% agree that more information than necessary is retained

▶ 30% indicate that holds aren’t regularly or effectively terminated

21

RIM Insights: Modernize Management of ESI

TAKE ACTION: Include oversight of ESI in IG strategy (all formats and

locations) or risk being viewed as outdated or unrealistic in your approach.

indicate they are in the planning process to

improve the deletion of ESI.

60% state that there is no process for regularly

scheduled deletion

22

RIM Insights: Lack of Planning in Application Development

TAKE ACTION: Form bonds with IT for involvement in technology

systems acquisitions, implementations, redesign and decommissioning.

Only 13% of respondents indicate RIM involvement in IT

decisions is mature, while just 39% say improvements are

underway.

23

IG Insights: Cross Functional Governance

TAKE ACTION: Composition of IG Council should include members from

various departments and functional areas, but not necessarily the senior-

most executives.

report cross-functional

governance structures are

maturing or improving

24

Your Role as Change

Agent

25

Making a Difference

26

report failure to

secure enterprise-

wide adoption.1Source: Iron Mountain Compliance Benchmark Report : A

View into Unified Records Management

of companies report

having formal

policies in place, but

Creating policy is

NOT ENOUGH.

Change Agent: The Psychology

27

Where do you focus to get the

most out of your IG Program?

Adopt the language of your

audience – speak to their

concerns. Act as a consultant.

Consider your organization’s

culture.

Manage your identity and

mission purposefully.

It starts with

A CONVERSATION.

Change Agent Success Factors

SPEAK WITH ONE VOICE.

A consistent message that represents the needs of all stakeholders

for the organization to follow.

KEEP IT SIMPLE.

Start with small victories, build consensus and grow organically by

demonstrating success.

KEEP IT FRESH.

Suggest rotating IG members if organizational distractions effect

commitment levels.

BUILD A GROUNDSWELL OF SUPPORT.

Communicate benefits with examples.

1

2

3

4

28

29

5 - 100

BE PASSIONATE!

30

Complimentary Resources

www.ironmountain.com/thoughtleadership

▶ Practical Guide to Information Governance

▶ RIM Best Practices Manual

▶ Event-Based Retention Whitepaper

▶ PwC and IM Information Risk Whitepaper

▶ Cohasset/ARMA Benchmark report

• All industries

• Oil & Gas

• Healthcare

• Financial Services & Insurance

• Federal Government

• Law Firms

Thank you.

Sue Trombley, MLIS, IGPManaging Director, Thought Leadership,

Iron Mountain

(617) 678-6855

sue.trombley@ironmountain.com

@sue_trombley