Date posted: 29-Dec-2015
Records Management and Risk Reduction
Foundations for Success
A strong information management program is foundational to an organization's success, and can significantly reduce the risk of poor business decisions, costly litigation, e-discovery and damage to reputation.
How?
Record
A Record, according to ISO 15489-1, 3.15: "Information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business"
A non-Record:
Duplicates
Working papers and drafts
Transmittal letters or cover sheets
Reproduced or published material from other offices
Catalogues, trade journals, periodicals, etc.
Stocks of publications (reports, brochures, plans, etc.) and forms, agendas, etc.
Records Management
Bit of a misnomer – is actually more about management of business information
Primary objective is to identify what to keep, how to keep it, when to get rid of it, and how to get rid of it
Information as an asset
Manage as an asset through the entire life cycle:
1. Create/Receive
2. Use
3. Retain/Archive
4. Final Disposition
Do we know what we have?
Digital Landfills (pie chart): Everything Else 68%; Subject to Legal Hold 2%; Has Business Utility 25%; Regulatory Requirement 5%
Source: CGOC (Compliance and Governance Oversight Council)
It actually makes sense
“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.”
(Donald Rumsfeld, 2002, former US Secretary of State for Defence)
Known – Lowest Risk
We know that much of our information exists in enterprise systems like SAP, etc. and we know what the data is.
This data is well managed and protected from security risks, is auditable, and while retention may not be applied, we can usually rely on the integrity of the data.
From a Records Management risk perspective, these business records are the least of the worries.
Known Unknowns – High Risk
We know we have information in shared drives, email, collaboration software, etc.
We know where it is, but we don’t have an accurate way to measure what the data is or what its business value or risk is
We can’t control the growth or redundancy
We can’t control where it goes or who it goes to (email, copy to USB and remove, etc.)
It is not managed in most organizations
Unknown Unknowns – Who Knows?
With the unknown content, we may:
Fail to see or seek out information because we don’t know it’s there
Have vital information that is not available for retrieval and distribution for decision making purposes
Suffer theft or unauthorized use of information (think social media, or worse)
Lack a way to share the information, which limits the organization’s awareness and ability to make good decisions
Records Management
Successful programs ensure that records are:
Useable
Reliable
Authentic
Having integrity
Foundations
Inventory information assets
Identify the records, disposition non-records
Develop a records retention schedule
Develop the Records Management Policy
Develop standards and procedures for capture, storage and disposition
Train, train, train
Inventory
A detailed registry of what type of records are owned, where they reside, Office of Primary Responsibility, relevant metadata
Also should ideally indicate if P.I. is in the record, what the security classification is, and if the record is considered a vital record
As a Risk Manager – inform your Records Managers of the areas of the organization that own records related to high risk events/situations
Dispose of non-records
Encourage employees to regularly dispose of convenience copies and duplicates
Purge email that does not constitute a record
Help your Records Manager draft a communication plan that includes the risk to the organization that results from retaining unmanaged information.
Policy development
Key to a successful records management program is a well thought-out policy with accompanying standards, procedures and guidelines that inform staff of their roles and responsibilities, and how to carry out those responsibilities
Work with Records Management to include a section on Risk in the Records Management Policy, or reference the Risk Management Policy
Classification Schedule
A schedule based on the function the records are evidence of as a way to organize similar records in groups
Similar to a library classification scheme
Retention Schedule
A schedule based on business needs, legal, privacy and regulatory obligations
Specifies the length of time a record is to be retained, and the method of destruction
In Saskatchewan, government records retention schedules must be approved by the Saskatchewan Archives Board and the Public Records Committee
Audit and Legal Hold Obligations
Statutory obligations to preserve records: a plethora of legislation and regulations
Employment legislation
Corporate record keeping
Tax records
Audits, investigations, etc.
Failure to preserve may attract criminal liability, fines, penalties, etc.
The Obligations
Statutory obligations to destroy records: privacy laws – FOIPPA, HIPPA
Obligation to destroy when no longer needed for reasonable business / legal purposes
Destruction of personal information is an offence when it occurs after an individual has requested access to their information
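The inventory, retention schedule and legal hold slides above describe one decision procedure: a record may be destroyed only when its retention period has run, it is not under a legal hold, and no access request is open against it. The following is an added example, not material from the presentation; it models a minimal records inventory and retention schedule in Python and produces a defensible disposition decision per record. The series codes, retention periods, destruction methods and the rule that personal information must go to a secure destruction method are all constructed assumptions for illustration, not any jurisdiction's actual schedule.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    """One line of a retention schedule (hypothetical series codes and periods)."""
    series: str
    retain_years: int
    destruction_method: str


@dataclass
class RecordEntry:
    """One inventory entry: what it is, where it lives, who owns it, and its risk flags."""
    record_id: str
    series: str
    location: str
    opr: str                         # Office of Primary Responsibility
    closed_on: date                  # trigger date that starts the retention clock
    personal_info: bool = False
    classification: str = "internal"
    vital: bool = False
    legal_holds: frozenset = frozenset()
    access_request_open: bool = False


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 Feb trigger date rolls to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition_decision(entry: RecordEntry, schedule: dict, today: date):
    """Return (decision, reason). Decisions: DESTROY, RETAIN, REVIEW."""
    rule = schedule.get(entry.series)
    if rule is None:
        # Unscheduled material is the "known unknown": nobody can defend destroying it
        return "REVIEW", "no retention rule for series %s; treat as unmanaged" % entry.series
    if entry.legal_holds:
        return "RETAIN", "subject to legal hold(s): " + ", ".join(sorted(entry.legal_holds))
    if entry.access_request_open:
        return "RETAIN", "access request open; destruction now would be an offence"
    expiry = add_years(entry.closed_on, rule.retain_years)
    if today < expiry:
        return "RETAIN", "retention period runs until %s" % expiry.isoformat()
    # Hypothetical policy rule: personal information only leaves via secure destruction
    if entry.personal_info and rule.destruction_method != "secure-shred":
        return "REVIEW", "eligible, but contains personal information and method is %s" % rule.destruction_method
    return "DESTROY", "retention expired %s; destroy by %s" % (expiry.isoformat(), rule.destruction_method)


def disposition_report(inventory, schedule, today):
    """Run every inventory entry through the schedule; returns {record_id: (decision, reason)}."""
    return {e.record_id: disposition_decision(e, schedule, today) for e in inventory}


def summarize(report):
    """Count records per decision so the risk manager can see the size of each bucket."""
    counts = {}
    for decision, _ in report.values():
        counts[decision] = counts.get(decision, 0) + 1
    return counts


# Constructed sample schedule and inventory (not real series codes, holds or records).
SCHEDULE = {
    "FIN-INVOICE": RetentionRule("FIN-INVOICE", 7, "secure-shred"),
    "HR-PERSONNEL": RetentionRule("HR-PERSONNEL", 10, "secure-shred"),
    "COMM-NEWSLETTER": RetentionRule("COMM-NEWSLETTER", 2, "recycle"),
}
INVENTORY = [
    RecordEntry("R-001", "FIN-INVOICE", "ERP", "Finance", date(2007, 3, 31)),
    RecordEntry("R-002", "FIN-INVOICE", "ERP", "Finance", date(2007, 3, 31),
                legal_holds=frozenset({"LH-2015-04"})),
    RecordEntry("R-003", "HR-PERSONNEL", "shared-drive", "HR", date(2004, 2, 29), personal_info=True),
    RecordEntry("R-004", "HR-PERSONNEL", "shared-drive", "HR", date(2004, 2, 29),
                personal_info=True, access_request_open=True),
    RecordEntry("R-005", "COMM-NEWSLETTER", "email", "Comms", date(2015, 6, 1)),
    RecordEntry("R-006", "UNKNOWN-DUMP", "shared-drive", "unknown", date(2010, 1, 1)),
    RecordEntry("R-007", "COMM-NEWSLETTER", "email", "Comms", date(2013, 1, 1), personal_info=True),
]
TODAY = date(2016, 1, 15)


def run_example():
    return disposition_report(INVENTORY, SCHEDULE, TODAY)


if __name__ == "__main__":
    rpt = run_example()
    for rid, (decision, reason) in rpt.items():
        print(rid, decision, "-", reason)
    print(summarize(rpt))
```

The REVIEW bucket is the one to watch: it holds both the unscheduled "digital landfill" content the deck describes and records whose scheduled destruction method does not match their sensitivity, and neither should be destroyed or kept by default without a human decision.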
In Saskatchewan
The Saskatchewan Evidence Act: “record” includes any information that is recorded or stored by means of any device or electronic means.
If you’ve got it, you must produce it.
But
Storage space, regardless of record type, is not an infinitely available resource.
Organizations need to realize that keeping everything is not records management.
Example
We can just manually review the records, right?
Volume of Data:
Kb = one page
Mb = small novel; 5 Mb = all of Shakespeare
Gb = a pickup truck full of books; 100 Gb = a library floor
Tb = 50,000 trees; 10 Tb = the entire print collection of the U.S. Library of Congress (my org. has 12 TB on shared drives & email)
What could go wrong?
Enron/Arthur Andersen fiasco resulted in Sarbanes-Oxley
Sydney Hospital mismanages patient records – stuffs them into unlocked cabinets, stored with toxic materials, etc.
Washington D.C. police force records found in abandoned cars, trash bins as a result of a records burning event gone bad.
It doesn’t end there
Who: Lucent Technologies Inc.
When: May 2004
Accusation: Providing incomplete records in response to a Securities and Exchange Commission investigation.
Consequences: $25 million fine
It doesn’t end there
Who: UBS Warburg LLC
When: July 2004
Accusation: During an ongoing gender-discrimination lawsuit (Zubulake v. UBS Warburg), deleted relevant e-mails despite court order; failed to locate, preserve records and produce e-mail and other documents in a timely manner.
Consequences: Ordered to produce relevant documents and pay for redeposition of some witnesses and pay legal expense of the plaintiff.
It doesn’t end there
Who: Philip Morris USA/Altria Group
When: July 2004
Accusation: Deleted e-mail that was over 60 days old for more than two years after a legal order to preserve all documents relating to litigation. Failed to follow the company's internal procedures for document and e-mail preservation.
Consequences: $2.75 million fine
It doesn’t end there
Who: Banc of America Securities
When: March 2004
Accusation: Violation of Exchange Act record-keeping requirements, including failure to produce e-mail records in a timely manner and failure to preserve documents after an SEC staff request to do so.
Consequences: $10 million fine; censure
Information Security
IT, Records Management, Privacy, Legal and Risk all need to be at the table.
IT provides the security and audit functionality
Records can identify retention periods
Privacy and Legal can assess/approve/make request for change
Risk can measure/help manage
Alphabet Soup
ECM, ERM, EDRMS, DM: all of these are acronyms for electronic solutions that help organizations manage document/record control, retention, audit, workflow, versioning, legal/audit holds, security, etc.
They are becoming more and more relevant and necessary as organizations wake up to the risks they are carrying and the opportunities they are missing by not managing information as an asset.
The struggle for relevance
Records Managers have been around for centuries, but we are still perceived as the file clerk in the basement in most organizations.
We need to partner with those in our organizations with common goals
Your sphere of influence
You can help shape and enforce records management policy, procedure and compliance in your organization by adding your influence to the RIM messaging
Next Stage
In order to achieve the desired state we need to move beyond silos
(Diagram of silos: Records, IT, Legal & Privacy, Risk, Audit)
A Model for Governance
Definition: A framework and responsibility model for cross-functional and executive dialogue that serves as a catalyst for defining a unified governance approach to information by linking business value and legal duties to the information assets.
Information Governance Model
Elements of IG
Information is at the centre – and disposition is the end-state, but it starts with the business and the value
Risk Management in IG
The role of Risk Management in Information Governance is to actively work with RIM, Legal, Privacy and the business to ensure that data is being defensibly disposed of at the right time.
Risk Reduction Model
Your next step
Find out who is responsible for Records Management in your organization
Work with them to present the challenge for the organization as it relates to risk
Help them find ways to show value to the organization
Risk Assessment for Records
You are the expert – help your records manager perform a risk assessment
“ISO18128 Information and documentation – Risk assessment for records process and systems”
It’s a good start, with a scalable framework
Questions to ask
Is records management supported by top management?
Are records responsibilities included in job descriptions where relevant?
Is the technology selected an appropriate fit for the size, complexity, and activities of the organization?
Has the organization identified all systems that create, hold, or manage records?
Does the business continuity planning specifically include the records systems?