RIM and BCP
The Perfect Partnership
Bill Millican
Consulting Strategist
Records & Information Management
Media Services & Shred Time
Learning Objectives
Business Continuity: what does this mean
The role of records management in business continuity planning
The Business Impact Analysis
The Working Parts of BCP
◦ Defining and Managing
The Greatest Deterrent
What is BCP?
A holistic approach to managing potential impacts to the business from threats
A framework to be used for an effective response and recovery
A focus on response and recovery of core essential functions in the aftermath of a crisis
Plans to protect the company from the impact of lost revenue, clients, brand, corporate image
What BCP is Not?
Disaster Recovery: (activities, documentation, procedures that protect, restore, and recover technical structures of a business)
Insurance: (pays for facilities, reparations, physical assets, etc. it will not pay for lost market share, lost work, lost value of destroyed vital records, damaged brand)
An Exercise in Futility:
The Issue: Facts
Paper based systems
◦ Paper production continues to rise and stock made into file folders continues to rise
American Paper Institute
◦ Sales increase of $ 100M = 8.8M more sheets of paper
Price Waterhouse Coopers
Electronic Mail (E-mail)
◦ Volume continues to rise
Electronically Stored Information (ESI)
◦ Sanctions are on the rise
The Cloud is real and more real
◦ Will it become the only option
Professional Records Management
◦ Vice President, Records Management
Mid-Missouri Chapter of ARMA March 15, 2011
The Issue: Facts
E-discovery sanctions are at an all-time high. We identified 230 sanction awards in 401 cases involving motions for sanctions relating to the discovery of electronically stored information (ESI) in federal courts prior to January 1, 2010
The Duke Law Journal: November 2010
Hard Copy Storage Costs:
◦ $ 3.00 per year in a records management facility
◦ $ 30.00 per year in your office space
National Archives & Records Administration
E-mail Proliferation
◦ Results in a 40% increase in paper use when improperly managed
Price Waterhouse Coopers
The Issue: Facts
Retention & Disposition Works:
◦ 55% of inactive or obsolete materials can be either properly destroyed or moved to a professional records center
Robert Allerding
You’ll Never Touch Most of Them:
◦ 90% of records filed after completion are never accessed
General Services – State of Tennessee
Data Loss:
◦ 67% of data loss is directly related to user blunder
◦ 30 TIMES more menacing than viruses
Life Cycle Concept!
Never Changing
Creation/Receipt Stage
Storage & Maintenance Stage
Retention & Disposition Stage
Archival Preservation Stage
Distribution & Use Stage
Information Governance
What Are The Deterrents?
Organizational misunderstanding of its critical business functions
The First One
The Least Obvious
The Easiest to Eliminate
The Most Persistent
The Most Powerful
Fundamentally Speaking:
Why is RIM Important to Business Continuity?
RIM ensures that the information needed is retrievable, authentic, reliable, and accurate.
Ensure regulatory compliance
Control creation and growth of records
Minimize litigation risks
Reduce operating costs
Guiding Principles for Business Continuity Planning
First Do No Harm
You cannot recover the entire company immediately
Focus on essential functions
Recovery must be consistent and coordinated throughout the organization
Guiding Principles for Business Continuity Planning
Communication is key
Business units own their recovery plans
Exercising the Plan is mandatory for a living, robust Plan
Nobody has more than one role in Recovery
There is a primary and alternate for every BCP Role
Who’s Responsible for RIM?
Executives – Responsible to ensure that internal controls are in place, and policies and procedures are followed
Records Manager – Evaluate policy and procedures periodically, analyze current risks, implement regular reviews, determine retention requirements
IT Manager/Specialist – Create system for storage of electronic records, including metadata, ensure that log files and audit trails are implemented, develop security controls
Who’s Responsible for RIM?
Records Creator – Responsible for the creation, receipt and storage of active records and metadata as part of their job duties, in accordance with established policies and procedures
All Users – Accountable for following RIM Policies & Procedures for those records for which they are responsible
The Project Manager
Internal versus External
◦ Time may be the determining factor
◦ Expertise may be another
◦ Lack of bias could be another
Personality must be Strong, but not Tyrannical
◦ Have respect and ear of upper management, administrative management and staff
◦ Adhere to, and influence others to adhere to, the Time-line
Understanding of Process
◦ Ability to see all needs
Analytical Skills
◦ Vision into what each piece of the Process will need
Defined Teams and Roles
Crisis Management Team
◦ Crisis Manager
◦ Recovery Manager
◦ Team Leader
◦ Team Member
◦ Recovery Coordinator
Emergency Response Team
◦ Incident Commander/ERT Leader
◦ Team Members – Facilities, Legal, Risk Management, HR, Corporate Communications, I/T, Business Continuity Planning representative
Executive Management Team
Business Impact Analysis
Gathering information from high level management
Identifying and prioritizing “Essential” functions
Define Recovery Time Objectives (RTO) for Essential Functions
Identify critical staff, office locations or records
Survey method, Questionnaire method or combination
Critical Considerations
Time-line for
◦ Development: a number of months and date - dependent on commitment of organization
◦ Completion: The Date (i.e. Development + 1 month, 2 months etc.)
◦ Implementation: The Date (Completion + 2 months, 3 months etc.)
Event Definitions
◦ Very important to define as many types of Business Interruptions as possible
o Small water leak to major water leak
o Small isolated fire to entire floors being inaccessible
o Building closing to entire area being inaccessible
Critical Considerations
Locations & Facilities
Equipment & Supplies
◦ Vendor Lists
Communication & Notification
◦ Cell phones, pagers, Voice mail box
Workgroup Relocation
Staffing
Mail, Routing & Delivery
Conflict Resolution
Documentation
Crisis Management Guide
• Roles/Team Responsibility
• Limited Distribution to Senior People
• Plan Activation
• Check Lists
Business Continuity Recovery Plan
• Emergency Recovery Procedures
• Crisis Management Instructions
• Contact Information
• Staffing Matrix
• Application Software
• Vendor Contacts
• Documentation Locations
Maintenance Guidelines
◦ Tabletop exercises, contact info updates
The Records Inventory
Records Inventory: How is it Used
◦ To build the RM Program: The Foundation
◦ Process Intelligence
◦ Information Processing Efficiency
◦ Business Unit Crosswalk Efficiency
◦ Forms and Document Management
◦ Retention & Disposition Development
Training and Exercising
First: Training and Exercising - NOT the same
Second: Training is essential and without it, the BCP program will not work
Third: Exercising validates
◦ Development
◦ Training
Fourth: Exercising identifies adjustments
Fifth: Training and Exercising: never finished
Records Retention Program
Defines the period of time that records are maintained and specifies procedures for the transfer and destruction of records
Retention periods are based on the operational, legal, and historical value of each record type
Specifies the methods of disposal and disposition
Records Retention Schedule
For full legal protection, all records must be included in a retention schedule
Each organization must develop their own retention schedule
Classify records by using “records series”
Dispose of records in the “normal course of business”
Vital Records
Vital records contain information needed to reestablish or continue an organization in the event of a disaster
Vital records must be irreplaceable and required to operate the business
Categories of assets:
◦ People
◦ Property
◦ Capital
◦ Records – difficult or impossible to replace if lost or destroyed
Audit and Compliance
Program audit and compliance
◦ Who is responsible for auditing the program
◦ Who is responsible for compliance
◦ Frequency of audit
◦ Partnerships with Internal Audit
◦ Penalties for non-compliance
Unauthorized destruction of Business Records
◦ Termination?
◦ Criminal penalties imposed by state and federal laws and regulations.
Security and Privacy During Recovery
Security & Privacy Issues:
How is Security different from Privacy?
◦ During Recovery: don’t lose sight of these
o Trust
o Confidence
o PII
o Information Use
o Consumer, or Customer Choices
Considering Security & Privacy
◦ Security of Business Records
o File plans
o Standard for storage – safe, secure
o Retrievable
o Access to Business Records
o Trade Secrets
o Make the policy Transparent
Secure
Retrievable?
Access Restrictions
Electronic Records
Over 90% of records created today are electronic. The management of electronic records has become a critical business issue.
Electronic records have fundamental differences from traditional records, therefore special treatment to preserve their integrity over time is needed
Electronic Records: The Cloud
Cloud computing is Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid. (Wikipedia)
Cloud Solutions
◦ Communications – Email, instant messaging
◦ Enterprise Content Management (ECM) – Capture, document management, workflow, records management
◦ Business Continuity – Disaster recovery systems
Electronic Records
RIM Status – Cohasset/ARMA Survey (2009)
◦ 34% of organizations polled stated that they do not have a formal process for responding to discovery requests
◦ 35% of respondents stated that electronic records are not included in their records retention schedules
◦ 41% stated that IT/IS has primary responsibility for managing their electronic records
◦ 43% reported that they are not confident that their electronic records are accurate, reliable and trustworthy
◦ 47% said they do not have a formal retention policy for email
Will the Cloud Remain?
Steve Ballmer, Microsoft CEO, stated that “Microsoft is all in when it comes to cloud computing”
Brad Horowitz, Google VP, stated that “regulatory issues are better solved by the cloud paradigm.” He argues that it is easier to do e-discovery if the data is all on central servers instead of spread out on PC’s.
Greg Taylor, Sony, stated that “all content that poses no threat to customer privacy or data security should be shipped off to the cloud.”
Records Manager’s Role in Compliance
Research and apply those laws and regulations that apply to your industry
◦ IRCH (Don Skupsky) - Legal Requirements for Business Records
◦ Zasio Enterprises – Versatile Retention
◦ LexisNexis – Compliance Manager
◦ WestLaw - Next
◦ TheLaw.net – Equalizer
By knowing the legal requirements, a legally defensible records retention program can be developed
The Risks
……… firms that have not developed a good records management policy may fail their clients and be faced with a costly liability lawsuit……
Chubb & Son
…….companies and organizations are finding they need policies and systems to manage all electronic information from origination to destruction. Litigation aside, experts say it is just good business.
EMC Corporation
Sprint Settlement: $ 57 million settlement over scrubbed employee data
Public Record
The Risks
“It’s not difficult establishing the benefit of proper records management, when a company such as Microsoft spends an average of $20M for e-discovery per litigation………”
Microsoft Corporate Executive: Computerworld
“Ease of use and minimal disruption to the business is paramount = time, effort and money”
“You’ve got to treat the disease, not the symptom, e-discovery risk and sanctions are a symptom of unmanaged electronic information, particularly e-mail and office content.”
James Daley, Attorney Daley & Fey
Founding member of Redgrave, Daley, Ragan & Wagner
In Summary
Business Continuity: what does this mean
The role of records management in business continuity planning
The Business Impact Analysis
The Working Parts of BCP
◦ Defining and Managing
The Greatest Deterrent
Thank U!
Questions and Discussions Continue
Bill Millican
Consulting Strategist
Records & Information Management
Media Services & Shred [email protected]@gmail.com