
Records Management and Risk Reduction. A strong information management program is foundational to an...

Date post: 29-Dec-2015
Upload: barry-byrd
Records Management and Risk Reduction Foundations for Success
Transcript
Page 1: Records Management and Risk Reduction. A strong information management program is foundational to an organization's success, and can significantly reduce.

Records Management and Risk Reduction

Foundations for Success


Foundations for Success

A strong information management program is foundational to an organization's success, and can significantly reduce the risk of poor business decisions, costly litigation, e-discovery and damage to reputation.


How?


Record

A Record - according to ISO 15489-1, 3.15: Information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business


A non-Record

Duplicates

Working papers and drafts

Transmittal letters or cover sheets

Reproduced or published material from other offices

Catalogues, trade journals, periodicals, etc.

Stocks of publications (reports, brochures, plans, etc.) and forms, agendas etc.


Records Management

Bit of a misnomer – is actually more about management of business information

Primary objective is to identify what to keep, how to keep it, when to get rid of it, and how to get rid of it


Information as an asset

Manage as an asset through the entire life cycle

1. Create/Receive
2. Use
3. Retain/Archive
4. Final Disposition


Do we know what we have?

[Chart: Digital Landfills. Segments: Everything Else, Subject to Legal Hold, Has Business Utility, Regulatory Requirement. Values shown: 68%, 2%, 25%, 5%.]

Source: CGOC (Compliance and Governance Oversight Council)


It actually makes sense

“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.”

2002, Donald Rumsfeld, former US Secretary of State for Defence


Known – Lowest Risk

We know that much of our information exists in enterprise systems like SAP, etc. and we know what the data is.

This data is well managed and protected from security risks, is auditable, and while retention may not be applied, we can usually rely on the integrity of the data.

From a Records Management risk perspective, these business records are the least of the worries.


Known Unknowns – High Risk

We know we have information in shared drives, email, collaboration software, etc.

We know where it is, but we don’t have an accurate way to measure what the data is or what its business value/risk is

We can’t control the growth or redundancy

We can’t control where it goes or who it goes to (email, copy to USB and remove, etc.)

Is not managed in most organizations


Unknown Unknowns – Who Knows?

With the unknown content, we may:

Fail to see or seek out information because we don’t know it’s there

Vital information not available for retrieval and distribution for decision making purposes

Theft or unauthorized use of information (think social media, or worse)

We don’t have a way to share the information, which limits the organization’s awareness and ability to make good decisions


Records Management

Successful programs ensure that records are:

Useable

Reliable

Authentic

Having integrity


Foundations

Inventory Information Assets

Identify the records, disposition non-records

Develop records retention schedule

Develop the Records Management Policy

Develop standards and procedures for capture, storage and disposition

Train, Train, Train


Inventory

A detailed registry of what type of records are owned, where they reside, Office of Primary Responsibility, relevant metadata

Also should ideally indicate if P.I. is in the record, what the security classification is, and if the record is considered a vital record

As a Risk Manager – inform your Records Managers of the areas of the organization that own records related to high risk events/situations


Dispose of non-records

Encourage employees to regularly dispose of convenience copies and duplicates

Purge email that does not constitute a record

Help your Records Manager draft a communication plan that includes the risk to the organization that results from retaining unmanaged information.


Policy development

Key to a successful records management program is a well thought-out policy with accompanying standards, procedures and guidelines to inform staff of their roles and responsibilities, and how to carry out those responsibilities

Work with Records Management to include a section on Risk in the Records Management Policy, or reference the Risk Management Policy


Classification Schedule

A schedule based on the function the records are evidence of as a way to organize similar records in groups

Similar to a library classification scheme


Retention Schedule

A schedule based on business needs, legal, privacy and regulatory obligations

Specifies the length of time a record is to be retained, and the method of destruction

In Saskatchewan, government records retention schedules must be approved by the Saskatchewan Archives Board and the Public Records Committee


Audit and Legal Hold Obligations

Statutory obligations to preserve records:

Plethora of legislation and regulations

Employment Legislation

Corporate record keeping

Tax records

Audits, investigations, etc.

Failure to preserve may attract criminal liability, fines, penalties, etc.


The Obligations

Statutory obligations to destroy records:

Privacy laws – FOIPPA, HIPAA.

Obligation to destroy when no longer needed for reasonable business / legal purposes

Destruction of personal information is an offense when it occurs after an individual has requested access to their information


In Saskatchewan

The Saskatchewan Evidence Act: “record” includes any information that is recorded or stored by means of any device or electronic means.

If you’ve got it, you must produce it.


But

Storage space, regardless of record type, is not an infinitely available resource.

Organizations need to realize that keeping everything is not records management.


Example

We can just manually review the records, right?

Volume of Data:

Kb = one page

Mb = small novel, 5 Mb = all of Shakespeare

Gb = a pickup truck full of books, 100 Gb = a library floor

Tb = 50,000 trees, 10 Tb = the entire print collection of the U.S. Library of Congress

(my org. has 12 TB on shared drives & email)


What could go wrong?

Enron/Arthur Andersen fiasco resulted in Sarbanes-Oxley

Sydney Hospital mismanages patient records – stuffs them into unlocked cabinets, stored with toxic materials, etc.

Washington D.C. police force records found in abandoned cars, trash bins as a result of a records burning event gone bad.


It doesn’t end there

Who: Lucent Technologies Inc.
When: May 2004
Accusation: Providing incomplete records in response to a Securities and Exchange Commission investigation.
Consequences: $25 million fine


It doesn’t end there

Who: UBS Warburg LLC
When: July 2004
Accusation: During an ongoing gender-discrimination lawsuit (Zubulake v. UBS Warburg), deleted relevant e-mails despite court order; failed to locate, preserve records and produce e-mail and other documents in a timely manner.
Consequences: Ordered to produce relevant documents and pay for redeposition of some witnesses and pay legal expense of the plaintiff.


It doesn’t end there

Who: Philip Morris USA/Altria Group
When: July 2004
Accusation: Deleted e-mail that was over 60 days old for more than two years after a legal order to preserve all documents relating to litigation. Failed to follow the company's internal procedures for document and e-mail preservation.
Consequences: $2.75 million fine


It doesn’t end there

Who: Banc of America Securities
When: March 2004
Accusation: Violation of Exchange Act record-keeping requirements, including failure to produce e-mail records in a timely manner and failure to preserve documents after an SEC staff request to do so.
Consequences: $10 million fine; censure


Information Security

IT, Records Management, Privacy, Legal and Risk all need to be at the table.

IT provides the security and audit functionality

Records can identify retention periods

Privacy and Legal can assess/approve/make request for change

Risk can measure/help manage


Alphabet Soup

ECM, ERM, EDRMS, DM

All of these are acronyms for electronic solutions to help organizations manage document/record control, retention, audit, workflow, versioning, legal/audit holds, security, etc.

They are becoming more and more relevant and necessary as organizations wake up to the risks they are carrying and the opportunities they are missing by not managing information as an asset.


The struggle for relevance

Records Managers have been around for centuries, but we are still perceived as the file clerk in the basement in most organizations.

We need to partner with those in our organizations with common goals


Your sphere of influence

You can help shape and enforce records management policy, procedure and compliance in your organization by adding your influence to the RIM messaging


Next Stage

In order to achieve the desired state we need to move beyond silos

[Diagram: Records, IT, Legal & Privacy, Risk, Audit]


A Model for Governance

Definition: A framework and responsibility model for cross-functional and executive dialogue that serves as a catalyst for defining a unified governance approach to information by linking business value and legal duties to the information assets.


Information Governance Model


Elements of IG

Information is at the centre – and disposition is the end-state, but it starts with the business and the value


Risk Management in IG

The role of Risk Management in Information Governance is to actively work with RIM, Legal, Privacy and the business to ensure that data is being defensibly disposed of at the right time.


Risk Reduction Model


Your next step

Find out who is responsible for Records Management in your organization

Work with them to present the challenge for the organization as it relates to risk

Help them find ways to show value to the organization


Risk Assessment for Records

You are the expert – help your records manager perform a risk assessment

“ISO18128 Information and documentation – Risk assessment for records process and systems”

It’s a good start, with a scalable framework


Questions to ask

Is records management supported by top management?

Are records responsibilities included in job descriptions where relevant?

Is the technology selected an appropriate fit for the size, complexity, and activities of the organization?

Has the organization identified all systems that create, hold, or manage records?

Does the business continuity planning specifically include the records systems?


Questions?

Denise [email protected] 751 3332

ARMA Saskatchewan Chapter
www.armasask.org
