Freely subscribe to our NEWSLETTER

The study reveals that many organisations are not coping effectively with paper. 39 per cent of those surveyed have monitored policies in place that guide employees in the storage and disposition of digital records, but just 31 per cent have the same for paper documents. Only 39 per cent have monitored access restrictions to areas where confidential information is stored.

Over three quarters (85 per cent) of firms rely on one person or team to manage both paper and digital information risk – although the study found that top performers in risk management invariably have distinct groups looking after paper and digital information.

Most organisations think IT security managers should have a responsibility for information risk (73 per cent) with many (42 per cent) believing that IT security managers should be ultimately accountable. In the UK just 3 per cent believe that the records manager should hold some responsibility.

The study suggests that the paper security challenges organisations face include the widespread existence of legacy archives, uncertainty about retention rules – with many companies retaining all records just in case – and an increased focus on digital transformation.

This complements the findings of another Iron Mountain study which found that two-thirds of firms in the UK[ii] (63 per cent) find it hard to integrate paper into automated customer management processes.

Sue Trombley, Managing Director of Professional Services at Iron Mountain said: “All information is vulnerable in some way, but paper and digital records carry different risks that firms need to understand and govern appropriately. In the absence of proper controls and policies, paper can be photocopied – not just once, but many times. It is easily shared and removed and can be left lying around, filed randomly or disposed of in any bin. Organisations need to introduce and monitor effective processes and responsibilities for keeping paper documents safe. While we may never be completely free of paper, we can significantly reduce its associated risk by raising awareness, providing practical processes, and monitoring compliance.”

Iron Mountain recommends that companies follow these three simple steps:

Make the most of widely available and affordable eLearning courses and tools to reach all employees in all locations with the same message – and expectations – for managing information.

If organisations haven’t already thought about imaging their paper records, it’s worth taking a look at document processes and seeing what might be right for scanning, such as documents required immediately or regularly. The original paper documents can then be destroyed or archived securely depending on relevant retention guidelines.

An annual clean-up day can go a long way toward putting the focus on the control of paper records and deciding how to get paper records out of the office environment. With proper guidance, employees can help determine whether to destroy records or send them to a secure off-site storage facility.
The full report Beyond Good Intentions: The need to move from intention to action to manage information risk, can be found here.

The 2014 Information Risk Maturity Index is the third annual study to measure how prepared companies are to manage and respond to information risk and address other key information trends. PwC surveyed senior managers at 600 European and 600 North American businesses with 250 to 2500 employees and a further 600 firms across both continents with up to 100,000 employees, in the legal, financial services, pharmaceutical, insurance and manufacturing and engineering sectors.