Two approaches to managing information risks: when managing information risks, is it better to use an event-based or a records and information requirements-based approach? This excerpt from Managing Risks for Records and Information explores these approaches and examines how to choose the one that best fits your organization's needs.
* examines the consequences of failing to manage records and information risks
* discusses the event-based approach to managing information risks
* explores the records and information requirements-based approach to managing information risks
Records and information risks encompass any threat to the business arising from some inadequacy in an organization's records and information. These risks can be many and varied, ranging from those typically addressed by business continuity programs--damage to or loss of records and information arising from disasters or major system faults, for example--to more systemic problems with records and information. In extreme cases, these risks can lead to heavy loss and even corporate failure.
Recent high-profile cases outlined in Table 1 (page 57), cited by Clifford Carey in Records Management Bulletin, highlight how poor-quality records and information, and the organizational practices that lead to them, can expose an organization to risk. These cases highlight the need for organizations to pay attention to records and information related risks.
Aside from risk avoidance and control, however, effective records and information risk management can lead to improved performance of the organization. Records and information risk management initiatives are as much about identifying and capitalizing on opportunities to manage information strategically as they are about minimizing risks and losses. Some of the ways in which a records and information-related risk assessment can be used to enhance an organization's performance include:
* More effective planning of records and information management strategies and programs to ensure alignment with strategic business objectives
* Better control of records and information management costs
* Improved assessment and measurement of records and information management functions
* Improved decision-making in the records and information management arena
* Enhanced share value as a result of credible strategies to mitigate and manage records and information-related risks
* Improved compliance with records and information related legal and regulatory requirements
* Higher level of preparedness for outside regulatory review
* Minimized operational disruptions
* Improved management information
* Improved knowledge sharing throughout the organization
Developing a Records and Information Risk Management Program
Despite the risks of failing to manage them holistically and systematically, records and information risks are not recognized as a distinct area of focus in most organizations and, therefore, no processes or people are specifically dedicated to them. In most organizations, line managers deal with records and information risks, where they address them at all, on an ad hoc basis through other business processes such as internal audit, legal, IT or, in some cases, records management. Their approach to managing records and information risks is purely loss avoidance-oriented.
In an increasing number of organizations, however, board-level and management awareness of records and information-related risks and the need to manage them is growing. This awareness is likely brought on by recent high-profile cases involving records and information and by new laws and regulations, though the rationale for records and information risk management is still likely to focus attention on loss avoidance rather than opportunity maximization. In these organizations, personnel typically found within the business continuity planning, IT security, and legal functions perform rudimentary records and information risk identification, assessment, and control. Their focus is likely to be on the types of records and information risks typically addressed by these functions (i.e., disasters, major systems failures, threats to information security, and litigation or new laws).
Other sources of records and information risk, if they are identified, are still dealt with on an ad hoc basis within each business unit. Ownership of those records and information-related risks that have been identified may or may not be clearly defined at the level of individual business units. In such organizations, the records management function, where it exists, usually still performs a more traditional role concerned with information retrieval or retention and disposition, though recognition of the need to widen its role to engage in records and information risk management may be growing.
How should records and information risk management be administered within an organization? Generally speaking, it should be fully integrated into the organization's enterprise-wide risk management program.
This integration means that:
* Records and information risk awareness will be incorporated into the organization's risk management culture and policy.
* Roles and responsibilities for records and information risk management will be clearly identified and will permeate all levels and locations of the organization.
* Records and information risks will be highlighted in all training and development initiatives.
* Records and information risk management will be a component of all operational processes (e.g., the development of new products or services).
* Consideration of records and information risk management requirements will be built into organizational planning processes such as strategy development and budgeting.
Records and information risk management should be incorporated into existing risk management administrative structures, processes, and technologies. In addition, roles and responsibilities for functional areas that have traditionally focused on records and information management or dealt with certain types of records and information risk, such as a records management department or the IT department, will need to be redefined in relation to how records and information risk management fits into the organization's enterprise-wide risk management program. Finally, just as is the case with other types of risks that cut across organizational boundaries, administration of records and information risks may be aided by the establishment of a committee that focuses specifically on this risk category from a cross-organizational perspective.
The Event-based Approach
Organizations traditionally have identified and managed their records and information risks by a trigger event or threat. Table 2 (page 58) lists common trigger events or threats that organizations typically take into consideration and aim to address as part of their risk management initiatives or programs. These are the types of records and information risks an organization may need to identify and manage.
The traditional approach usually begins with a survey of the organizational environment to identify all possible sources of threats to records and information. The business impact of these risks is then assessed. The diagram in Figure 1 (above) illustrates the process.
[FIGURE 1 OMITTED]
Table 2 identifies some of the risk mitigation strategies organizations typically employ to address commonly identified threats to records and information. In most cases in a large organization, management assigns ownership of these risk mitigation strategies to particular groups or functional areas. For example, business continuity groups will focus on risks arising from disasters and major system outages; IT security groups will focus on risks arising from breaches of computer security; and legal groups will focus on risks arising from laws, regulations, or litigation.
The Records and Information Requirements-based Approach
Another approach to identifying and managing records and information risks is to begin with an analysis of the organization's business requirements for records and information. For example, managers might ask, "What type and quality of records and information does the organization require to support its critical business processes and transactions?" Risk arises whenever the organization's records and information fail to match these requirements. Such requirements may derive from laws and regulations as well as from organizational business needs.
In an Information Management Journal article, J. Edwin Dietel, J.D., identified some standard quality characteristics that organizations may require of their records and information. These characteristics are summarized in Table 3. Not all these quality characteristics will be needed to support the business processes and transactions of every organization. An organization may require other qualities of its records and information that are not listed in Table 3. Similarly, the definitions provided in the table may not suit the context of every organization. To adapt this approach, each organization will need to assess the quality characteristics best suited to its business requirements, develop consistent definitions for these qualities, and determine their relative importance. Having identified the qualities required of its records and information, an organization then would assess the impact on its business if records and information are not of the required quality. Finally, the analysis would examine the possible types of threats or sources that could cause the organization's records and information to fall short of identified records and information standards, and the likelihood and impact of these causes.
Advantages of Each Approach
Both approaches--the event-based and the records and information requirements-based--to identifying and managing records and information risks possess strengths and weaknesses. For example, the traditional event-based approach may make identifying risk mitigation strategies easier because the analysis begins with a clearly identifiable trigger event or threat. The requirements-based approach may require more analysis to arrive at a risk mitigation strategy, as a number of causes are possible for poor records and information quality. Inaccessibility of records, for example, could be the result of inadequate indexing, technological obsolescence rendering the records unreadable, or unauthorized records destruction. Clearly, the risk mitigation strategies needed to address these causes will be quite different, though the resulting risk--inaccessible records--is the same for each root cause.
For this reason, if time and resources are short, or management wants to address only a particular trigger event or threat, the traditional approach may be better suited to the organization's needs. The traditional approach, because it is widely employed, also may be easier to integrate with any existing risk taxonomy or risk management program the organization may have in place.
The requirements approach has several advantages, however. First, because it begins with an analysis of the records and information requirements needed to support transacting an organization's business and attaining its goals and objectives, it can be a better method to employ when using risk management for strategic purposes as opposed to using it for the purpose of avoiding losses from particular threats. In addition, the traditional event-based approach tends to perpetuate a splintered approach to records and information risk management owing to the fact that, in many organizations, specific functional areas or business groups typically deal with certain types of threats. With the requirements approach, however, the process of identifying the risks starts with the organization's business needs for records and information, which may have the effect of promoting greater creativity and cross-functional cooperation in the development of risk treatment strategies.
Finally, the traditional approach, in focusing on threats, tends to overlook more systemic causes of records and information risks such as poorly integrated systems, poor procedural controls, and the like. The requirements approach is much better at detecting systemic problems leading to inadequacies in an organization's records and information. Table 4 above summarizes the pros and cons of both approaches.
Managing Risks for Records and Information presents a methodology developed to assess records and information risks using a requirements-based approach as well as ideas for adapting this methodology to support a more traditional event-based approach. Consulting this book will help you choose whichever method best suits the organization's records and information risk management objectives and business context.
Managing Risks for Records and Information is available from the ARMA International Bookstore (www.arma.org/bookstore).
Clifford, Cary. "Scary Records Management Stories." Records Management Bulletin 106. February 2002.
Dietel, J. Edwin. "Recordkeeping Integrity: Assessing Records' Content After Enron." The Information Management Journal 37. May/June 2003.
Lemieux, Victoria. Managing Risks for Records and Information. Lenexa, KS: ARMA International, 2004.
Victoria L. Lemieux is a U.K.-based records and information management specialist with more than 15 years of extensive management experience in the public sector, academia, and financial services. She may be contacted at email@example.com.
Title Annotation: Management Wise
Author: Lemieux, Victoria L.
Publication: Information Management Journal
Date: Sep 1, 2004