Minimizing Cost and Risk with Defensible Disposition

Posted by: bford

It goes without saying that having a strong information management strategy is critical for success in any industry. Whether hard copy or digital, files accumulate quickly, and more are being generated every day. That’s why it’s imperative that you stay up-to-date and proactive with your record retention policies and procedures. One way to remain “ahead of the game” is through practicing defensible disposition.

What is defensible disposition?

A recent study by the 2012 Compliance, Governance, and Oversight Counsel Summit found that roughly 69 percent of information currently held by companies actually has “no business, legal, or regulatory value.” This means that companies are wasting valuable storage resources and putting themselves at higher risk by keeping unnecessary information.

getting your information and data under control with defensible depositionDefensible disposition is a proven way to get your information under control by actively sorting out what data needs to be stored from that which can be safely disposed of. This is accomplished through the analyzation of risk for each individual record based upon predetermined retention parameters. Once the information is verified as no longer needed for a valuable reason, it can then be sent for secured destruction. In short, a defensible disposition strategy is a critical part of a company’s Information Governance plan, which helps businesses maintain the appropriate life-cycle for each record.

Why not just keep everything?

At first, retaining all of your past files and records seems like the safest route to protect your business against unexpected future threats. After all, if you have record of everything, you will never mistakenly delete pertinent information, right? However, what most companies don’t realize is the increased risk that they are undertaking by choosing to keep the excess data.

In their 2018 study, IBM found that the average cost of a data breach in the United States is almost $8 million. Further research goes to show that as the number of compromised records grew for each instance, so did the overall damage of each breach. Put simply, the more records you have to lose, the higher the cost of a data breach would be for your company. By being proactive and maintaining a proven defensible disposition strategy, you can minimize your data breach risks by keeping your mountain of data under control. After all, hackers can’t access or leak data that no longer exists.

Additionally, over-retention consumes valuable resources and budgets across all areas of a company. For instance, the constantly compiling data must be safely stored somewhere. Whether you choose to work with a certified data storage vendor, or opt to store your data on an internal server, proper information protection quickly gets expensive. With each added record or file, costs of storage continue to increase and consume that much more of your budget. Over-retention can also slow down the production of your staff, as there are now so many records to sort through when looking for needed information.  All of these inefficiencies can easily be avoided by practicing defensible disposition.

How do I get started?

The Association for Information and Image Management (AIIM) suggests that “an effective disposition program really begins at the point the records and information are created”. That means that from the moment of creation, you should already be analyzing and categorizing your data. The best way to keep things organized from the start is to pay close attention to the metadata parameters you choose for each record. Having accurate metadata ensures that your records are quickly retrievable, and can easily be identified and analyzed.

team meeting to work on defensible disposition plan

However, proper metadata is pointless without a trusted system in place for record analyzation and retention. That’s why it’s essential to have a clear process in place to execute your defensible disposition plan. There is no one “right” answer for how you should set up your strategy, and proven strategies vary widely between industries. Ultimately, you need to figure out what process will work best for your specific company.

A good way to kick off your quest for record management perfection is to get all of the players at the same table. When setting your retention rules and identifying possible disposition targets, it is essential that you receive input from various departments such as legal, IT, management, HR, and compliance. Each department will have its own specific needs that must be taken under consideration when creating a company-wide disposition blueprint.


Where do I look for Disposition Targets?

Although every company’s plan may look slightly different, the general process remains the same. Basically, the process can be broken into four simple steps of planning, investigating, making assessments, and then either retaining or destroying the information at hand. Regardless of your specific rules and requirements, each record must be assessed to determine if it has any future value professionally or legally.

It is important to note that before deciding the fate of a record, you should first confirm with all departments that there is no regulatory or legal hold on the data. Although at first it may appear to be outdated or unnecessary information, such holds can make the records imperative and easily classify them into the retention category.

Generally, the best method to begin your assessment for disposition is to identify any duplicate files and records that may exist. After all, it’s often pointless to have multiple copies or revisions of the same information. Duplicate files are easy to identify as invaluable, and can often be sent to destruction with little risk. Additionally, some common places to look for eligible information for destruction include:


  • Archival records
  • Backup media
  • File shares
  • Obsolete data sources
  • Former employee files
  • Physical hardware files
  • Hard copy paper files and boxes
  • Records from service providers and other vendors
  • Any inherited data from acquisitions and mergers


Identifying which records to retain and which to dispose of can often seem like the hardest part of the disposition process. Luckily, there are numerous resources to help guide you as you work through the decision process. For instance, this webinar by industry-expert Tom Mighell dives into more detailed information regarding disposition targets and developing a trusted retention plan.

Want to Know More?

Whether you are ready to begin a defensible disposition strategy today, or simply still have questions, our team can help! Just fill out the form below for more information, or contact us to speak with a company representative today.

Contact Us

  • This field is for validation purposes and should be left unchanged.

  Related Posts

You must be logged in to post a comment.