Two approaches to managing information risks: when managing information risks, is it better to use an event-based or a records and information requirements-based approach? This excerpt from Managing Risks for Records and Information explores these approaches and examines how to choose the one that best fits your organization's needs.

At the Core

This article
* examines the consequences of failing to manage records and information risks
* discusses the event-based approach to managing information risks
* explores the records and information requirements-based approach to managing information risks

Records and information risks encompass any threat to the business arising from some inadequacy in an organization's records and information. These risks can be many and varied, ranging from those typically addressed by business continuity programs--damage to or loss of records and information arising from disasters or major system faults, for example--to more systemic problems with records and information. In extreme cases, these risks can lead to heavy loss and even corporate failure.

Recent high-profile cases outlined in Table 1 (page 57), cited by Clifford Carey in Records Management Bulletin, highlight how poor-quality records and information, and the organizational practices that lead to them, can expose an organization to risk. These cases highlight the need for organizations to pay attention to records and information related risks. Aside from risk avoidance and control, however, effective records and information risk management can lead to improved performance of the organization.

Records and information risk management initiatives are as much about identifying and capitalizing on opportunities to manage information strategically as they are about minimizing risks and losses. Some of the ways in which a records and information-related risk assessment can be used to enhance an organization's performance include:
* More effective planning of records and information management strategies and programs to ensure alignment with strategic business objectives
* Better control of records and information management costs
* Improved assessment and measurement of records and information management functions
* Improved decision-making in the records and information management arena
* Enhanced share value as a result of credible strategies to mitigate and manage records and information-related risks
* Improved compliance with records and information related legal and regulatory requirements
* Higher level of preparedness for outside regulatory review
* Minimized operational disruptions
* Improved management information
* Improved knowledge sharing throughout the organization

Developing a Records and Information Risk Management Program

Despite the risks of failing to manage them holistically and systematically, records and information risks are not recognized as a distinct area of focus in most organizations and, therefore, no processes or people are specifically dedicated to them. In most organizations, line managers deal with records and information risks, where they address them at all, on an ad hoc basis through other business processes such as internal audit, legal, IT or, in some cases, records management. Their approach to managing records and information risks is purely loss avoidance-oriented.

In an increasing number of organizations, however, board-level and management awareness of records and information-related risks and the need to manage the risks is growing. This awareness is likely brought on by recent high-profile cases involving records and information and new laws and regulations, though the awareness of the rationale for records and information risk management still is likely to focus attention on loss avoidance rather than opportunity maximization.

In these organizations, personnel typically found within the business continuity planning, IT security, and legal functions perform rudimentary records and information risk identification, assessment, and control. Their focus is likely to be on the types of records and information risks typically addressed by these functions (i.e., disasters, major systems failures, threats to information security, and litigation or new laws). Other sources of records and information risk, if they are identified, are still dealt with on an ad hoc basis within each business unit. Ownership of those records and information-related risks that have been identified may or may not be clearly defined at the level of individual business units.

In such organizations, the records management function, where it exists, usually still performs a more traditional role concerned with information retrieval or retention and disposition, though recognition of the need to widen
its role to engage in records and information risk management may be growing.

How should records and information risk management be administered within an organization? Generally speaking, it should be fully integrated into the organization's enterprise-wide risk management program. This integration means that:
* Records and information risk awareness will be incorporated into the organization's risk management culture and policy.
* Roles and responsibilities for records and information risk management will be clearly identified and will permeate all levels and locations of the organization.
* Records and information risks will be highlighted in all training and development initiatives.
* Records and information risk management will be a component of all operational processes (e.g., the development of new products or services).
* Consideration of records and information risk management requirements will be built into organizational planning processes such as strategy development and budgeting.

Records and information risk management should be incorporated into existing risk management administrative structures, processes, and technologies. In addition, roles and responsibilities for functional areas that have traditionally focused on records and information management or dealt with certain types of records and information risk, such as a records management department or the IT department, will need to be redefined in relation to how records and information risk management fits into the organization's enterprise-wide risk management program.
Finally, just as is the case with other types of risks that cut across organizational boundaries, administration of records and information risks may be aided by the establishment of a committee that focuses specifically on this risk category from a cross-organizational perspective.

The Event-based Approach

Organizations traditionally have identified and managed their records and information risks by a trigger event or threat. Table 2 (page 58) lists common trigger events or threats that organizations typically take into consideration and aim to address as part of their risk management initiatives or programs. These are the types of records and information risks an organization may need to identify and manage.

The traditional approach usually begins with a survey of the organizational environment to identify all possible sources of threats to records and information. The business impact of these risks is then assessed. The diagram in Figure 1 (above) illustrates the process.

[FIGURE 1 OMITTED]

Table 2 identifies some of the risk mitigation strategies organizations typically employ to address commonly identified threats to records and information. In most cases in a large organization, management assigns ownership of these risk mitigation strategies to particular groups or functional areas.
For example, business continuity groups will focus on risks arising from disasters and major system outages; IT security groups will focus on risks arising from breaches of computer security; and legal groups will focus on risks arising from laws, regulations, or litigation.

The Records and Information Requirements-based Approach

Another approach to identifying and managing records and information risks is to begin with an analysis of the organization's business requirements for records and information. For example, managers might ask, "What type and quality of records and information does the organization require to support its critical business processes and transactions?" Risk arises whenever the organization's records and information fail to match these requirements. Such requirements may derive from laws and regulations as well as from organizational business needs.

In an Information Management Journal article, J. Edwin Dietel, J.D., identified some standard quality characteristics that organizations may require of their records and information. These characteristics are summarized in Table 3. Not all these quality characteristics will be needed to support the business processes and transactions of every organization. An organization may require other qualities of its records and information that are not listed in Table 3. Similarly, the definitions provided in the table may not suit the context of every organization. To adapt this approach, each organization will need to assess the quality characteristics best suited to its business requirements, develop consistent definitions for these qualities, and determine their relative importance.

Having identified the qualities required of its records and information, an organization then would assess the impact on its business if records and information are not of the required quality.
Finally, the analysis would examine the possible types of threats or sources that could cause the organization's records and information to fall short of identified records and information standards, and the likelihood and impact of these causes.

Advantages of Each Approach

Both approaches--the event-based and the records and information requirements-based--to identifying and managing records and information risks possess strengths and weaknesses. For example, the traditional event-based approach may make identifying risk mitigation strategies easier because the analysis begins with a clearly identifiable trigger event or threat. The requirements-based approach may require more analysis to arrive at a risk mitigation strategy, as a number of causes are possible for poor records and information quality. Inaccessibility of records, for example, could be the result of inadequate indexing, technological obsolescence rendering the records unreadable, or unauthorized records destruction. Clearly, the risk mitigation strategies needed to address these causes will be quite different, though the resulting risk--inaccessible records--is the same for each root cause.

For this reason, if time and resources are short, or management wants to address only a particular trigger event or threat, the traditional approach may be better suited to the organization's needs.
The traditional approach, because it is widely employed, also may be easier to integrate with any existing risk taxonomy or risk management program the organization may have in place.

The requirements approach has several advantages, however. First, because it begins with an analysis of the records and information requirements needed to support transacting an organization's business and attaining its goals and objectives, it can be a better method to employ when using risk management for strategic purposes as opposed to using it for the purpose of avoiding losses from particular threats.

In addition, the traditional event-based approach tends to perpetuate a splintered approach to records and information risk management owing to the fact that, in many organizations, specific functional areas or business groups typically deal with certain types of threats. With the requirements approach, however, the process of identifying the risks starts with the organization's business needs for records and information, which may have the effect of promoting greater creativity and cross-functional cooperation in the development of risk treatment strategies.
Finally, the traditional approach, in focusing on threats, tends to overlook more systemic causes of records and information risks such as poorly integrated systems, poor procedural controls, and the like. The requirements approach is much better at detecting systemic problems leading to inadequacies in an organization's records and information. Table 4 above summarizes the pros and cons of both approaches.

Managing Risks for Records and Information presents a methodology developed to assess records and information risks using a requirements-based approach as well as ideas for adapting this methodology to support a more traditional event-based approach. Consulting this book will help you choose whichever method best suits the organization's records and information risk management objectives and business context.

Managing Risks for Records and Information is available from the ARMA International Bookstore (www.arma.org/bookstore).

References

Clifford, Cary. "Scary Records Management Stories." Records Management Bulletin 106. February 2002.

Dietel, J. Edwin. "Recordkeeping Integrity: Assessing Records' Content After Enron." The Information Management Journal 37. May/June 2003.

Lemieux, Victoria. Managing Risks for Records and Information. Lenexa, KS: ARMA International, 2004.

Victoria L Lemieux is a U.K.-based records and information management specialist with more than 15 years of extensive management experience in the public sector, academia, and financial services. She may be contacted at vicki.lemieux@ntlworld.com.