RIM and BCP

The Perfect Partnership

Bill MillicanConsulting StrategistRecords & Information ManagementMedia Services & Shred Time

Learning Objectives

Business Continuity: what does this mean

The role of records management in business continuity planning

The Business Impact AnalysisThe Working Parts of BCP

◦ Defining and Managing

The Greatest Deterrent

What is BCP?A holistic approach to managing potential

impacts to the business from threats

A framework to be used for an effective response and recovery

A focus on response and recovery of core essential functions in the aftermath of a crisis

Plans to protect the company from the impact of lost revenue, clients, brand, corporate image

What BCP is Not?Disaster Recovery: (activities,

documentation, procedures that protect, restore, and recover technical structures of a business)

Insurance: (pays for facilities, reparations, physical assets, etc. it will not pay for lost market share, lost work, lost value of destroyed vital records, damaged brand)

An Exercise in Futility:

The Issue: Facts Paper based systems

◦ Paper production continues to rise and stock made into file folders continues to rise

American Paper Institute

◦ Sales increase of $ 100M = 8.8M more sheets of paper

Price Waterhouse Coopers

Electronic Mail (E-mail)◦ Volume continues to rise

Electronically Stored Information (ESI)◦ Sanctions are on the rise

The Cloud is real and more real◦ Will it become the only option

Professional Records Management◦ Vice President, Records Management

Mid-

Missouri

Chapter of ARMA

March 15, 2011

Mid-Missouri Chapter of ARMA March 15, 2011

5

Mid-Missouri Chapter of ARMA March 15, 2011

The Issue: FactsE-discovery sanctions are at an all-time

high.  We identified 230 sanction awards in 401 cases involving motions for sanctions relating to the discovery of electronically stored information (ESI) in federal courts prior to January 1, 2010

The Duke Law Journal: November 2010

Hard Copy Storage Costs:◦ $ 3.00 per year in a records management facility◦ $ 30.00 per year in your office space

National Archives & Records Administration

E-mail Proliferation◦ Results in a 40% increase in paper use when improperly

managed Price Waterhouse Coopers

Mid-

Missouri

Chapter of ARMA

March 15, 2011

6

Mid-Missouri Chapter of ARMA March 15, 2011

The Issue: Facts

Retention & Disposition Works: ◦ 55 % of inactive or obsolete materials can be either

properly destroyed or moved to a professional records center

Robert Allerding

You’ll Never Touch Most of Them: ◦ 90% of records filed after completion are never accessed

General Services – State of Tennessee

Data Loss:◦ 67% of data loss is directly related to user blunder◦ 30 TIMES more menacing that viruses

Mid-

Missouri

Chapter of ARMA

March 15, 2011

7

Mid-Missouri Chapter of ARMA March 15, 2011

8

Life Cycle Concept!

Never Changing

Creation/ReceiptStage

Storage & Maintenance

Stage

Retention & Disposition

Stage

Archival Preservation

Stage

Distribution &Use Stage

Information

Governance

What Are The Deterrents?Organizational misunderstanding

of its critical business functions

The First One

The Least Obvious

The Easiest to Eliminate

The Most Persistent

The Most Powerful

Fundamentally Speaking:Why is RIM Important to

Business Continuity?

RIM ensures that the information needed is retrievable, authentic, reliable, and accurate.

Ensure regulatory complianceControl creation and growth of recordsMinimize litigation risksReduce operating costs

Guiding Principles forBusiness Continuity Planning

First Do No Harm

You cannot recover the entire company immediately

Focus on essential functions

Recovery must be consistent and coordinated throughout the organization

Guiding Principles forBusiness Continuity Planning

Communication is key

Business units own their recovery plans

Exercising the Plan is mandatory for a living, robust Plan

Nobody has more than one role in Recovery

There is a primary and alternate for every BCP Role

Who’s Responsible for RIM?

Executives – Responsible to ensure that internal controls are in place, and policies and procedures are followed

Records Manager – Evaluate policy and procedures periodically, analyze current risks, implement regular reviews, determine retention requirements

IT Manager/Specialist – Create system for storage of electronic records, included metadata, ensure that log files and audit trails are implemented, develop security controls

Who’s Responsible for RIM?

Records Creator – Responsible for the creation, receipt and storage of active records and metadata as part of their job duties, in accordance with established policies and procedures

All Users – Accountable for following RIM Policies & Procedures for those records for which they are responsible

The Project Manager

Internal versus External◦ Time may be the determining factor◦ Expertise may be another◦ Lack of bias could be another

Personality must be Strong, but not Tyrannical◦ Have respect and ear of upper management,

administrative management and staff◦ Adhere to, and influence others to adhere to,

the Time-lineUnderstanding of Process

◦ Ability to see all needsAnalytical Skills

◦ Vision into what each piece of the Process will need

Defined Teams and RolesCrisis Management Team

◦ Crisis Manager◦ Recovery Manager◦ Team Leader ◦ Team Member ◦ Recovery Coordinator

Emergency Response Team◦ Incident Commander/ERT Leader◦ Team Members – Facilities, Legal, Risk

Management, HR, Corporate Communications, I/T, Business Continuity Planning representative

Executive Management Team

Business Impact Analysis

Gathering information from high level management

Identifying and prioritizing “Essential” functions

Define Recovery Time Objectives (RTO) for Essential Functions

Identify critical staff, office locations or records

Survey method, Questionnaire method or combination

Critical Considerations

Time-line for◦ Development: a number of months and date -

dependant on commitment of organization◦ Completion: The Date (i.e. Development + 1

month, 2 months etc. )◦ Implementation: The Date (Completion + 2

months, 3 months etc.)Event Definitions

◦ Very important to define as many types of Business Interruptions as possibleo Small water leak to major water leako Small isolated fire to entire floors being inaccessibleo Building closing to entire area being inaccessible

Critical Considerations

Locations & FacilitiesEquipment & Supplies

◦ Vendor Lists

Communication & Notification◦ Cell phones, pagers, Voice mail box

Workgroup RelocationStaffingMail, Routing & DeliveryConflict Resolution

DocumentationCrisis Management Guide

• Roles/Team Responsibility• Limited Distribution to Senior People• Plan Activation• Check Lists

Business Continuity Recovery Plan• Emergency Recovery Procedures• Crisis Management Instructions• Contact Information• Staffing Matrix• Application Software• Vendor Contacts• Documentation Locations

Maintenance Guidelines◦ Tabletop exercises, contact info updates

The Records Inventory

Records Inventory: How is it Used◦To build the RM Program: The

Foundation◦Process Intelligence◦Information Processing Efficiency◦Business Unit Crosswalk Efficiency◦Forms and Document Management◦Retention & Disposition

Development

Training and Exercising

First: Training and Exercising - NOT the same

Second: Training is essential and without it, the BCP program will not work

Third: Exercising validates◦ Development◦ Training

Fourth: Exercising identifies adjustments

Fifth: Training and Exercising: never finished

Records Retention Program

Defines the period of time that records are maintained and specifies procedures for the transfer and destruction of records

Retention periods are based on the operational, legal, and historical value of each record type

Specifies the methods of disposal and disposition

Mid-Missouri Chapter of ARMA March 15, 2011

24

Records Retention ScheduleFor full legal protection, all

records must be included in a retention schedule

Each organization must develop their own retention schedule

Classify records by using “records series”

Dispose of records in the “normal course of business”

Vital RecordsVital records contain information

needed to reestablish or continue an organization in the event of a disaster

Vital records must be irreplaceable and required to operate the business

Categories of assets:◦ People◦ Property◦ Capital◦ Records – difficult or impossible to replace

if lost or destroyed

Audit and Compliance

Program audit and compliance◦ Who is responsible for auditing the

program ◦ Who is responsible for compliance◦ Frequency of audit◦ Partnerships with Internal Audit ◦ Penalties for non-compliance

Unauthorized destruction of Business Records Termination? Criminal penalties imposed by state and federal

laws and regulations.

Security and Privacy During Recovery

Security & Privacy Issues:How is Security different from

Privacy?◦During Recovery: don’t lose sight of

these Trust Confidence PII Information Use Consumer, or Customer Choices

Mid-Missouri Chapter of ARMA March 15, 2011

28

Considering Security & Privacy

◦ Security of Business Records File plans Standard for storage – safe, secure Retrievable Access to Business Records Trade Secrets Make the policy Transparent

Secure

Retrievable?

Access Restrictions

Electronic Records

Over 90% of records created today are electronic. The management of electronic records has become a critical business issue.

Electronic records have fundamental differences from traditional records, therefore special treatment to preserve their integrity over time is needed

Mid-Missouri Chapter of ARMA March 15, 2011

30

Electronic Records: The Cloud Cloud computing is Internet-based computing, whereby

shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid. (Wikipedia)

Cloud Solutions◦ Communications – Email, instant messaging◦ Enterprise Content Management (ECM) – Capture, document

management, workflow, records management◦ Business Continuity – Disaster recovery systems

Mid-Missouri Chapter of ARMA March 15, 2011

31

Electronic Records RIM Status – Cohasset/ARMA Survey (2009)

◦ 34% of organizations polled stated that they do not have a formal process for responding to discovery requests

◦ 35% of respondents stated that electronic records are not included in their records retention schedules

◦ 41% stated that IT/IS has primary responsibility for managing their electronic records

◦ 43% reported that they are not confident that their electronic records are accurate, reliable and trustworthy

◦ 47% said they do not have a formal retention policy for email

Mid-Missouri Chapter of ARMA March 15, 2011

32

Will the Cloud Remain? Steve Ballmer, Microsoft CEO, stated that “Microsoft is

all in when it comes to cloud computing”

Brad Horowitz, Google VP, stated that “regulatory issues are better solved by the cloud paradigm.” He argues that it is easier to do e-discovery if the data is all on central servers instead of spread out on PC’s.

Greg Taylor, Sony, stated that “all content that poses no threat to customer privacy or data security should be shipped off to the cloud.”

Mid-Missouri Chapter of ARMA March 15, 2011

33

Records Manager’s Role in Compliance

Research and apply those laws and regulations that apply to your industry◦ IRCH (Don Skupsky) - Legal Requirements for Business Records◦ Zasio Enterprises – Versatile Retention◦ LexisNexis – Compliance Manager◦ WestLaw - Next◦ TheLaw.net – Equalizer

By knowing the legal requirements, a legally defensible records retention program can be developed

Mid-Missouri Chapter of ARMA March 15, 2011

34

The Risks……… firms that have not developed a good

records management policy may fail their clients and be faced with a costly liability lawsuit……

Chubb & Son

…….companies and organizations are finding they need policies and systems to manage all electronic information from origination to destruction. Litigation aside, experts say it is just good business.

EMC Corporation

Sprint Settlement: $ 57 million settlement over scrubbed employee data

Public Record

Mid-Missouri Chapter of ARMA March 15, 2011

35

The Risks “It’s not difficult establishing the benefit of proper

records management, when a company such as Microsoft spends an average of $20M for e-discovery per litigation………”

Microsoft Corporate Executive: Computerworld

“Ease of use and minimal disruption to the business is paramount = time, effort and money”

“You’ve got to treat the disease, not the symptom, e-discovery risk and sanctions are a symptom of unmanaged electronic information, particularly e-mail and office content.

James Daley, Attorney Daley & Fey

Founding member of Redgrave, Daley, Ragan & Wagner

In Summary

Business Continuity: what does this mean

The role of records management in business continuity planning

The Business Impact AnalysisThe Working Parts of BCP

◦ Defining and Managing

The Greatest Deterrent

Mid-Missouri Chapter of ARMA March 15, 2011

37

Thank U!

Questions and Discussions Continue

Bill MillicanConsulting StrategistRecords & Information ManagementMedia Services & Shred Time816.213.5007wfm@mediaservicesnow.comwfmillican@gmail.com