Risk management of vital records

The protection of vital records is fundamental to the management of risk and business continuity in the event of a large-scale disaster. But protecting those records is not a simple matter of deploying a standard toolkit of safeguards. Approaches to protecting vital records can vary depending on the needs of the records and the risks involved and it is essential to assess those risks before choosing a plan of action.

In the majority of cases, this also needs to take account of the emergence of what is often referred to as a ‘hybrid records management environment’, i.e., one in which an organisation’s file collection mixes paper and electronic records, with many individual files cuttings across both formats.

The hybrid environment adds another dimension to the choices facing organisations about which holdings to identify as records, for purposes of legal risk management and records retention. This challenge is especially acute when determining which are the vital records, which inherently carry more operational risk.

More Risk, More Opportunity

Like many challenges, the combination of vital records and hybrid record keeping also brings opportunity, especially when it comes to the array of advantages and solutions offered by multi-media capabilities. Where one medium is subject to special environmental threats, perhaps the other might offer advantages to mitigate that threat. Take for example the established records protection technique of dispersal. If an organisation is worried about inadvertent destruction of paper records during a disaster, it could benefit from the remote storage capabilities of an electronic back up. Conversely, an organisation at great risk of power failure or other technical threats might consider a paper, microform or other physical back-up which can be accessed with minimal technology.

Identify vital records

The process of identifying vital records is by its nature, a selective process. Vital records protection measures come at a cost and ensuring a return on that investment requires that safeguards be applied only where necessary.

Generally accepted practices in records management accept that anywhere from one to five per cent of an organisation’s records meet the definition of a vital record. Identifying which records fall into this narrow category can be an involved process, but it does eventually boil down to one core question: What is the bare minimum of information and documentation necessary to resume critical business operations in the event of a disaster?

The selective nature of this process becomes all too clear when we narrow in on the different hierarchy levels that make up a corporate records management system. Industry-recognised standards such as ISO 15489 recommend that organisations develop company-wide classification systems based on ‘an analysis of business activities’. Depending on which activities are critical to the organisation’s continued operation, only certain records classification categories will contain vital records at all. Within those categories, whether a record is vital may depend on its level of detail, how current it is, or any number of other factors. Even within an individual file, there may be documents which are more critical than others for vital records purposes.

None of this is meant to suggest that you should be pulling individual documents from file folders. But what do all these possible levels of selection means for hybrid file collections whose content exists across both paper file collections and electronic repositories? Are paper records more ‘vital’ than their electronic counterparts, or vice versa? When faced with these choices, ask yourself the following questions:

• Which records provide information necessary to resume critical business operations and/or otherwise recover from a disaster? Depending on your organisation’s operational priorities, examples may include emergency response procedures, contracts and ownership documents for key assets, and accounts receivable documents necessary to identify and collect from revenue sources

• Which format best supports information access and use during or shortly after a large-scale disaster?

• Which format allows for the most reliable application of vital records protection strategies?

Admittedly, not all of these questions can be answered at the outset and, for this reason, vital records identification is often performed concurrently with the risk assessment and countermeasure planning activities described below.

Identify Threats to Vital Records

When record-keeping is diversified across different media formats, the range of threats to the integrity of those records is also diverse. In identifying risk scenarios applicable to a hybrid records management environment, it is important to consider all possible physical and technical risks including:

• Natural disasters such as flooding

• Man-made disasters, both accidental and deliberate, possible resulting from war, terrorism, civil unrest, corporate sabotage or negligence

• Information technology threats such as computer viruses, data corruption or hackers

• Facility malfunctions such as electrical fires and plumbing leaks/floods

• Environmental contaminants that can hasten deterioration of records media, such as airborne pollutants, rodents, insects and mould

Quantify the Possible Impact of Each Threat

Many risk assessment methodologies rate impact on a scale, such as high/medium/low. This means attaching objective outcomes to the possibility of not having certain records. Where information is necessary to ensure the safe operation of business, can the threat of lost records contribute to personal injury, death or serious environmental damage? How would lost records impact the company’s finances?

As a source of hard numbers, financial measures are especially useful for rating impact on a scale. How much revenue would your organisation lose if it were unable to resume operations due to lost records and information? From a compliance perspective, what is the monetary value of penalties for not meeting legal requirements? If your organisation were to find itself lacking key evidence in a legal proceeding, what kind of settlements or damages might it end up paying?

While some threats can be identified at an organisation-wide level, others may differ across record formats – in some not so obvious ways. A computer virus or other information technology threat presents an obvious impact on electronic records, but do not be so quick to dismiss the impact on paper records. Not unlike their electronic counterparts, paper records must be accessible to meet requirements for business use, retention and possible legal discovery. Accessibility can be seriously compromised for large paper collections if the electronic system for tracking and retrieving those files were to be corrupted.

In some instances, the possible impact of a given threat to both paper and electronic records may raise options for alternative records media. Micrographic formats are less common than before the advent of electronic records, but they are by far less impacted by water damage in the event of flood.

In all these cases, different threat scenarios have very different impacts based on record format. Identifying these differences upfront can play a critical role in identifying mitigation strategies and possible choosing one format over another for disaster recover purposes.

Quantify the Probability of the Threat Occurring

While some risk assessment methodologies rely on statistical techniques and actuarial studies to assign a numerical rating, a simpler approach is to scale probability as high, medium or low. For many possible threats, the probability of occurrence is often related to the organisation’s geographical location, line of business and other factors. An organisation whose offices are located in the heart of a major city will face a higher probability of terrorist attack, just as a bank may face a higher probability of theft. The key is to objectively assess all factors that apply to the organisation and apply those to different disaster and threat scenarios described above.

Calculate Overall Risk Level

Virtually every risk assessment methodology defines risk as the product of probability multiplied by impact. If you have not already established a risk assessment methodology, consult your organisation’s IT department, project management team or other possible sources. Some organisations rate probability and impact along numerical scales, multiply the two rating and express the overall risk as a percentage. For ratings systems built on a simple high/medium/low model, probability can be plotted against impact using a matrix diagram. All these models follow the same logic. Increase in either the probability or impact of a threat directly increase the overall risk to vital records, and the greater the threat, the more work needed to protect those records.

Implement risk mitigation strategies

Overall risk depends on both probability and impact. To mitigate risk, an organisation must implement controls which reduce the likelihood of a threat occurring and/or lessen its impact when it does occur. Having followed the steps outlined above, you will have identified and quantified risks applicable to records in both the paper and electronic environments.

The next step is to identify possible techniques and products for protecting records in each environment. Three common strategies for mitigating risks to vital records are: protective storage, dispersal and conversion. The following table shows examples of tools associated with those strategies specific to each of the physical and electronic environments:

In considering any of those strategies, or a combination thereof, it is important to assess the relative advantages of paper and electronic environments. Some questions to consider in making this assessment include:

• Which would be most cost-effective to implement and maintain on an ongoing basis? (Consider the choice between back-up copying within the original format and conversion to an alternate format.) Which approach is the most cost-effective in terms of the copying/conversion process itself and ongoing storage of the back-up copies? Note: As long as both copies meet all applicable requirements for record-keeping and disaster recovery, cost justification is a perfectly acceptable approach to establishing vital records status.

• Which provides most reliable assurance that records will be protected given the probability and impact of specific threats? For example, an organisation which has identified fire damage to paper media as a predominant threat might consider converting paper records and maintaining back-ups in an electronic format. On the other hand, an organisation at high risk of large-scale power failure or data corruption might benefit from having physical back-ups of electronic records on paper or microform.

Test and Reassess

Like any element of an ongoing records management programme, vital records protection does not end with initial implementation. The programme must stay on top of changes to the business itself. Emerging legal liabilities, operational requirements and record-keeping technologies can all introduce new threat scenarios or increase the probability and/or impact of threats already identified. Keeping the vital records programme current means continued application of those threat and risk assessment principles on which it was originally built. The following tasks are recommended as part of this ongoing risk analysis process:

• Reassess overall risk levels for each identified threat after implementation of mitigation strategies. Is the level of residual risk acceptable? If not, consider implementing additional controls.

• Assess all changes in record-keeping practice, physical storage arrangements and electronic systems to see whether they affect the probability or impact of threats already identified. For instance, do new cabinets or a change in off-site storage provider increase or decrease the probability of fire damage? Does changing electronic records management software increase the probability of unauthorised access? Does shifting from paper to electronic records retention increase the impact of unauthorised access, now that potential intruders can download thousands of files in just minutes?

• Assess the impact of changes in legal and regulatory requirements. Do new non-compliance scenarios, penalties, sanctions or damage limitations change the impact of certain threats? If so, consider implementing additional controls.

• Assess the probability, impact and overall risk level of any new threats which apply to your organisation over time. Define mitigation strategies sufficient to reduce the overall risk to acceptable levels.

Directly Addressing the Risk

Well before the advent of electronic record-keeping, organisations protected vital records based on a process of business analysis, information requirements gathering and risk assessment. Today’s IT professionals follow a similar process for ensuring recovery of critical information systems in a disaster scenario.

But applying vital records techniques to a hybrid records management environment is not just a simple matter of applying records management and IT techniques simultaneously. The overlap between paper and electronic content in any hybrid environment creates new questions about which medium is best for evidentiary purposes, and those same questions still pertain in any disaster scenario.

Answering those questions requires organisations to assess not only the threats associated with each specific medium, but also the unique advantages each medium offers for reducing impact and probabilities of those same threats. In a truly hybrid programme, this can also mean leveraging the capabilities of one medium to address risks associated with the other, thus tapping the full potential of vital records protection techniques.