Calming the Data Storm:
A Risk Management Model for Mitigating Risks

Records management has become an integral aspect of how most large organizations do business – in fact, it’s increasingly taking center stage. While many organizations have implemented or are in the process of implementing enterprise records management solutions, there seems to be varying degrees of utilization, success, and return on investments. Establishing a sound records management program in today’s environment requires not only a thorough understanding of the fundamental records management principles but also the legal, regulatory, financial, and operational requirements of the organization.

Michelle Rush and Ganesh Vednere

Frequently, organizations have well-intentioned strategies and well-chosen technologies but have trouble orchestrating them to develop and deliver a cohesive enterprise records management platform. Furthermore, records management is a complex task made more so with the advent of newer types of media, formats, locations, and technologies.

Records managers are being asked not only to manage the traditional paper and electronic files but also to address more esoteric pieces of information such as instant messages, blogs, and wikis. As most corporate records managers will attest, senior management wants to comply with records management requirements, but questions the hard returns and the business value provided by implementing a records management program. Records managers are thus, increasingly, turning their attention to the tangible value that the records management program can offer the organization.

A clear-cut example of a return on investment is in the e-discovery space. Fifteen years ago when litigations were not as prevalent and legal fines were somewhere on the order of a slap on the wrist, records management was considered an operational/legal expense. These days, however, e-discovery and litigation specialists are propounding the solid benefits of a proper records management program and are providing numerous real life data points on the millions of dollars saved through more efficient ways to locate, search, categorize, and present records.

Chief executive officers, chief financial officers, and chief operational officers are looking at records management in somewhat of a new light and recognizing the bottom line value that a solid records management program provides. This new visibility, however, has not translated into significant new spending on records management. In fact, in some organizations, records managers increasingly face budgetary constraints and ongoing pressure to better manage records in this litigious environment.

Given the long-term nature of records management and the ever-changing landscape, it is no surprise that records managers have felt the need to invest in more systematic approaches, including auto-classification of records, auto-promotion of records when certain events in the business process happen, automated disposition, and having to make somewhat large-scale assumptions around the true scope and requirements of the program. There have been instances where corners have been cut because the work involved was too much, too soon, and there was just not enough time in the day to address it appropriately.

Records managers have thus made the best of what they could with the best of what they have. It has become increasingly clear that attempting to manage the universe of all records will simply result in a black hole. The data ocean in most organizations shows no sign of ebbing; instead it’s increasingly akin to a perfect storm, threatening to wash over most well-intentioned controls and processes.

The most well-thought-out records management program can be subverted by the most innocuous of things (e.g., the thumb drive). Records managers thus have the dubious distinction of seeing no new dollars but having to manage a more significant workload. How then are records managers ever going to solve the records management problem? Are they going to be in catch-up mode forever, chasing one fire drill after another? Is there a pragmatic way to address the issues at hand?

There are several methods that a number of records managers across various organizations have implemented to ensure that records are properly managed given all the constraints. One method to seriously consider is a risk-based approach to records management.

The Risk-Based Approach to Records Management

Picture a budget meeting where the first hour goes perfectly. The records manager presents the work plan for the year, talks about accomplishments for the past year, reviews the new litigation and regulatory landscape affecting the company, talks about the return on existing investment around increasing the availability, integrity, and authenticity of records, and finally presents a reasonable and minor increase in the budget.

The smiles in the room drop, the silence becomes deafening; the cold air in the room could be cut with a pocket knife. The records manager just committed a cardinal sin – asking for more. Suffice it to say that the post-meeting message was very loud and very clear – no new budget or the records manager will be searching soon for a new job.

While this describes a hypothetical situation, the reality is that records managers are currently facing a fundamental issue in setting boundaries around what to manage in a restricted budgeting world. New information channels are emerging almost every year, and the difficulties in managing them make it virtually impossible to tightly control all possible sources of records. It is thus imperative for records managers to establish a well-defined execution model that meets legal and regulatory requirements and at the same time is not cost-prohibitive and resource-intensive.

One good outcome of applying the risk model is that it provides a fairly quick and clear-cut picture of the organizational areas where there is significantly more risk probability than others. This is not to say that records that do not fall into the high-risk areas can be ignored. Rather, it is to emphasize that the level of effort must be prioritized on securing records constituting higher risk first. Prioritizing effort becomes all the more evident when records management has limited staffing, time, and budget, and using the risk-based model to prioritize the areas that will be addressed first becomes a much more practical approach.

The risk-based approach to records management is one approach to mitigating the issue of limited staff, time, and budget. This approach takes into account the most critical factors affecting a company and then addresses the corresponding set of records in a sound and principled manner.

Simply put, the risk-based approach has arisen from the need to balance proper records management with the harsh realities of budgets, time and resource constraints.

Risk Defined

According to Wikipedia, “risk” is a concept that denotes a potential negative impact to some characteristic of value that may arise from a future event. Exposure to the consequences of uncertainty constitutes a risk. In everyday usage, risk is often used synonymously with the probability of a known loss.

In the context of records management, risk plays an important role in determining an organization’s exposure in terms of its legal, financial, and operational well-being. An organization’s appetite for the risk that a records management control fails is usually limited, and in today’s highly litigious environment organizations are wary of being unable to demonstrate proper records management.

The Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control — Integrated Framework defines internal control as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations”

Records Management Risk Assessment Model

A Risk Management Model

To effectively manage and establish records management controls, organizations should consider conducting a comprehensive risk assessment of their records management controls to gauge how effective the controls are and to identify and analyze any gaps.

In some cases, records management controls are well-intentioned, but they fail to produce the desired impact in the long term. Records management risk assessments can proactively bring forward records management controls that are not very effective. A six-step model for assessing records management controls is reproduced below.

1. Determine Records Management Risk.

Review the corporate landscape to determine what constitutes the highest risk to the organization. Each organization, given its unique way of doing business, will have varying degrees of risk tolerance, and knowing what the most critical risk factors are will go a long way in establishing the right set of policies, procedures, and controls around records management.

When determining risk, consider the key factors that affect the organization:

Legal Risk. Risk arising from pending or potential legal action; legal drivers including legal retention requirements, history of litigation holds, subpoenas, and previous fines or legal actions; e-discovery requests; includes violation of privacy and non-public information laws.

Regulatory Risk. Federal/state agency rules and/or regulations such as from the Securities and Exchange Commission and the National Association of Securities Dealers; includes risk associated with the inability to produce records as part of a governmental audit, examination, or inquiry.

Financial Risk. Impact to the financial well-being of the company; includes losses that can be reflected in financial statements (such as loss of or damage to assets) and indirect losses (such as additional demands on staff time or loss of market share).

Operational Risk. Risk of loss resulting from inadequate or failed internal processes, people, or systems and from internal and external events; includes operational incidents.

"Reputational" Risk. Failure to meet business expectations or obligations resulting in damage to the organization’s public image, confidence, or reputation.

For each of the risk factors, determine a score card and a weighted matrix to enable proper classification and categorization of records management risk. This will assist senior management in identifying affected areas and selecting the appropriate response and implementation plans.

Through this exercise an organization can prioritize the records management implementation process by determining the most critical records that affect its day-to-day operations and provide appropriate controls based on priority to manage those records.

2. Determine Probability.

For each of the identified risks, determine the likelihood of the risk occurring. History repeats itself, so they say, and past occurrences may be a good indicator of the probability that the risk incident will happen again. Understanding the risk probability is an important factor when determining the records management controls needed in various parts of the overall information life cycle of the organization.

3. Analyze and Determine Criticality.

Once the risk and the associated probability are known, analyze the impact of the risk occurrence. For example, in some companies, “reputational” risk can make or break the entire business model. In this case, the organization must ensure that any and all records affecting the organization’s reputation are tightly controlled and managed. This does not mean that the remaining risks are not important, but it simply provides a mechanism for the organization and, in turn, the records managers to identify what areas on which they need to focus first.

4. Determine Risk Mitigation.

Determine mitigation strategies for each of the identified risks, keeping in mind the associated criticality and probability of occurrence. Each risk and its associated mitigation response must have the right set of controls and procedures around them. An example of risk mitigation would be the response to an organization’s financial risk. To mitigate the financial risk, proper controls and checks have to be established around the associated records, including policies, procedures, approvals, and audits.

5. Establish Risk Controls.

Implement records management controls based on the risk mitigation strategy discussed above. Each risk mitigation strategy may have one or more risk controls associated with it. In the context of records management, these controls will take the form of policies, procedures, and automated systems. Identification of the risk, the mitigation strategy, and the available resources (budget, staffing, and time) will allow the records managers to determine appropriate controls and how to implement them.

6. Measure Effectiveness and Monitor.

Once the controls are established and implemented, ongoing monitoring of their effectiveness is critical. Monitoring ensures that the right controls have been put in place to begin with and that there is appropriate understanding of the control, including how, where, and when to implement the control. Establishing metrics around the controls will enable appropriate monitoring and tracking. Monitoring also serves as a report card that can be used to evaluate how well the overall program is doing.
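As an added worked example (not from the article), here is a small weighted scorecard in Python that carries steps 1 through 3 through for a few record series: each of the five risk factors gets a weight, each series gets a 1 to 5 impact score per factor and a 1 to 5 probability, criticality is probability times weighted impact, and the series are ranked so the highest-risk ones are addressed first. The weights, the rating scale, the tier thresholds, and the sample record series are all assumptions.

```python
# Added example: a weighted risk scorecard for record series. Factor weights,
# the 1-5 rating scale, tier thresholds and sample data are assumptions.
from dataclasses import dataclass

# Step 1: the five key risk factors named in the model, with assumed weights
# that sum to 1.0. Keep the factor count small (the article suggests four or five).
FACTOR_WEIGHTS = {
    "legal": 0.30,
    "regulatory": 0.25,
    "financial": 0.20,
    "operational": 0.15,
    "reputational": 0.10,
}
MAX_FACTORS = 5
LOW, HIGH = 1, 5  # every impact score and probability is rated 1 (low) to 5 (high)

@dataclass
class RecordSeries:
    name: str
    probability: int  # step 2: likelihood that the risk event occurs, 1-5
    impact: dict      # step 1: impact score per risk factor, 1-5

def validate_weights(weights):
    """Reject an over-engineered or inconsistent scorecard before scoring."""
    if len(weights) > MAX_FACTORS:
        raise ValueError(f"at most {MAX_FACTORS} key risk factors")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("factor weights must sum to 1.0")
    return True

def score(series, weights=FACTOR_WEIGHTS):
    """Step 3: criticality = probability x weighted impact (range 1 to 25)."""
    if not LOW <= series.probability <= HIGH:
        raise ValueError(f"{series.name}: probability out of range")
    for factor in weights:
        value = series.impact.get(factor)
        if value is None or not LOW <= value <= HIGH:
            raise ValueError(f"{series.name}: bad or missing score for {factor}")
    weighted_impact = sum(weights[f] * series.impact[f] for f in weights)
    return round(series.probability * weighted_impact, 2)

def tier(value):
    """Map a criticality score to a priority tier (thresholds are assumptions)."""
    if value >= 15:
        return "high"
    if value >= 8:
        return "medium"
    return "low"

def prioritize(series_list, weights=FACTOR_WEIGHTS):
    """Rank record series so the highest-risk ones are addressed first."""
    validate_weights(weights)
    ranked = sorted(((score(s, weights), s.name) for s in series_list), reverse=True)
    return [(name, value, tier(value)) for value, name in ranked]

# Constructed sample scorecard; the series and ratings are illustrative only.
SAMPLE = [
    RecordSeries("customer account agreements", 4,
                 {"legal": 5, "regulatory": 5, "financial": 4, "operational": 3, "reputational": 4}),
    RecordSeries("internal newsletters", 2,
                 {"legal": 1, "regulatory": 1, "financial": 1, "operational": 1, "reputational": 2}),
    RecordSeries("litigation hold notices", 3,
                 {"legal": 5, "regulatory": 3, "financial": 3, "operational": 2, "reputational": 3}),
]
```

Calling `prioritize(SAMPLE)` returns the three series ranked high, medium, low; a scorecard with more than five factors or weights that do not sum to 1.0 is rejected before any scoring happens.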

Lessons Learned from Applying the Risk Model

Organizations are always applying a risk perspective – be it in developing long-term plans, responding to competitive threats, or meeting legal and regulatory requirements. Formalizing the records management program to leverage a risk-based approach is a natural extension of the risk function.

A typical situation faced by many records managers is that the organization allocates a limited set of dollars to implement records management. While the debate on how best to allocate the money rages among the concerned parties, the records management team, working collaboratively with the business units, employs a variation of the risk model to determine the most critical record series within the company and presents the business case for why the funding should be allocated first to address those record series.

Management treats the decision as a no-brainer, and the records management team succeeds not only in getting the budget but also in receiving a “high five” on the pragmatic approach undertaken. This is a solid win with executive management that can go a long way toward ensuring ongoing visibility and support for the records management program.

Applying the risk model is akin to making a sound financial decision – paying money toward a loan principal or bumping up a CD to a higher rate. It pays in the long run. Applying the risk model in a methodical and systematic way will ensure success and relevant return on investment.

Socialize risk concepts early in the records and information management cycle. The records management team working in conjunction with legal and compliance functions must develop a holistic risk-based approach and then meet with business unit leaders to review and obtain support. It is important at this time for the records management team to play the “sales” role and present a message that is both palatable and doable. The risk approach will be successful only if management buys into the risk concept.

Look past the obvious risks. While legal, financial, and operational risks are inherent in every business, it behooves the records management team to evaluate the magnitude associated with different types of risk. For example, what level of risk could be associated with personnel bypassing internal controls? As one major European financial institution recently discovered, the costs could be in the billions.

Clearly articulate risk definitions in lay person terms. While the textbook definition of risk types may suffice for research papers and articles, getting the business user on the ground to understand the definition may be a different story. Records managers must provide clear definitions of risks as they relate to activities performed by users. Some business users simply assume that “financial” risk means records generally related to financial statements, but in reality, there is a whole slew of records that falls under the purview of financial risk. Defining risk in an easy-to-understand manner will go a long way toward alleviating these types of issues.

Avoid over-engineering. It is imperative to keep the risk model as simple and as relevant as possible. The tendency to include as many risk factors as applicable will make it unduly complex to implement and manage. Keep the number of key risks to a maximum of four or five.

Institute a risk oversight committee. Establish a steering committee to review and discuss key risks affecting the organization’s records and to make recommendations around managing risk. The risk oversight committee comprises key stakeholders and sets direction on the risk-based approach.

Develop a communications plan. The communications plan will detail the risk approach and assist business users in understanding the why, what, and how of the program. This is a chance for the records management team to step up and shine. Newsletters, all-hands meetings, business unit forums, and periodic communiqués all provide an opportunity to emphasize the records management program.

Develop or update policies and procedures to include a risk section. Factor the risk-based approach into policies and procedures. Inside each business procedure, add a risk section that describes the risk rating, criticality, probability, and controls that have been established to mitigate the risk associated with the procedure. This ensures a clear line of association between the policy, the associated procedure(s), the record outputs, and the risk controls.

Perform a cost-benefit analysis of managing high- vs. low-risk records. Once there is a good understanding of the high-risk record sets and their associated impact to the organization, the records management team can start to identify what system solutions will be appropriate to manage these record sets. Performing a cost-benefit analysis will assist with the decision about what records need to be managed where.

Use manual controls, if appropriate. These days, there is a rush to evaluate the latest and greatest system solution. Organizations should, however, consider leveraging manual controls where appropriate to manage records as part of their overall strategy. A methodical and process-based manual approach may produce results similar to a highly sophisticated, fully automated system solution.

Consider challenges with auto-managing structured content. While there is buzz around federated records management, implementing such a solution to manage all structured and unstructured content is fraught with significant challenges. Vendor solutions are just getting off the ground in this area. Instead, it is better to isolate those structured systems that represent the greatest risk to the organization and enforce systematic and/or procedural controls.

Institute a compliance plan focused on risk management. Develop a compliance plan that measures records risk mitigation and evaluates the effectiveness of the controls. Business units’ compliance with the plan should be measured on a periodic basis, and any required remediation should be monitored and tracked.

Develop a continuous improvement platform. Once the program has been implemented, establish a support structure that includes periodic review of risk factors and analysis of new and obsolete risks. Any required program updates should also be addressed as part of this function.

Conclusion

The risk-based approach to records management allows records managers to categorize and prioritize the universe of records that they need to manage. With the increasing challenges and constraints around cost, resources, and time, the risk-based approach allows records managers to focus on areas that will have the greatest impact and address the biggest risk to the records management function of an organization.

Michelle Rush can be contacted at michelle_rush@fanniemae.com.

Ganesh Vednere can be contacted at gvedn@comcast.net.

From July - August 2008