In his book Information Nation: Seven Keys to Information Management Compliance, Randolph A. Kahn describes a governance approach for information management which adopts the principles, controls and discipline upon which many corporate compliance programs are built. The seven keys are:
- Good policies and procedures
- Executive-level program responsibility
- Proper delegation of program roles and components
- Program communication and training
- Auditing and monitoring to measure program compliance
- Effective and consistent program enforcement
- Continuous program improvement
These keys to information management compliance are designed to help those responsible for Information Governance understand their responsibilities and what they must contribute to their organization's information management effort.
As I contemplate how these principles can be put into practice, I find Keys 5 and 6 the most challenging with respect to records management compliance. How can organizations audit and monitor their actual records management practices to measure compliance with their stated policies?
This calls for a way to measure, in real time, key performance indicators related to the creation, distribution, reliability, storage and preservation, security, access, privacy protection and disposition of records. So what are the auditable components and metrics that could be applied to records management compliance, and what controls can be put in place to detect non-compliance? These will certainly differ between organizations, depending on industry and non-compliance risks.
The following is a list of some of the obvious program components that could be audited:
- Program communications and training delivery - appropriate employee groups have attended training and individual employees have acknowledged the records management policies
- Business unit compliance - appropriate business units are participating in the program and adhering to the records management policies schedule
- Retention schedule accuracy - reflects the latest laws and regulations
- Classification accuracy - ensures records are being retained in accordance with the retention schedule
- Destruction timeliness - lag time from when records are eligible for destruction and actual destruction
- Legal hold communications - legal hold notifications and communications to information custodians are tracked from the legal hold trigger to the end of the legal action
- Destruction suspension - records temporarily suspended for destruction due to litigation have been retained and later released for destruction on schedule
I would be interested in hearing what other indicators and/or metrics you use in your organization to measure the success of your records management compliance initiatives, or those you wish your organization had in place for such measurement.