Building a Framework to Measure and Minimize Information Risks
Soon-Jae Lee, Ph.D., and Hye-Kyung Chung, Ph.D.
Traditionally, assessing risks applicable to records management has not been perceived as a priority for managers. These risks can vary, ranging from minor human error or system failure to more systemic problems and major natural disasters that can lead to heavy loss and even corporate failure.
Natural disasters are probably the most neglected environmental threat to records, despite the fact that organizations that suffer major natural disasters frequently don’t recover.
However, the most common source of threat to records is people – especially employees who are unaware of which records need protection or how they should be protected.
With the move to electronic records, different kinds of man-made risks have emerged: passive and active intrusion and sabotage. As in the case of natural disasters, many organizations that are sabotaged never recover.
A June 2006 Inside Counsel article, “The Meta Monster,” provides some examples of other potential disasters stemming from human error. One is the unintentional release of privileged information contained in the metadata of distributed or shared electronic files created in commonly used software, such as Microsoft Word. Unless a Word document, for example, is “scrubbed” to remove metadata (through steps detailed on Microsoft’s website), anyone who has access to it potentially can discover embedded comments, revisions, and “hidden” data with just a few mouse clicks.
Further, an article in the April 2005 Records Management Journal, “Management of e-mails as official records in Singapore: a case study,” focused on risk management in e-mail communication and pointed out that many senior executives were unaware that e-mail presented liability risks to a company when not properly stored and archived.
Meanwhile, the increasing pace of technological change poses a potential risk to records management, requiring regular assessments by the records manager. Often, the media on which records are stored can be problematic in terms of their permanence, durability, and retrievability. Data on obsolete magnetic tapes, for example, is in many cases no longer accessible.
The study reported on below surveyed records risk management in Korea with an aim to identify potential and existing risks and to present a new approach to assessing these risks.
Proposing a New Risk Assessment Method
Category of Risks
Based on the literature review, this study divides potential risks into three categories:
- Natural Risks – These include flood, fire, earthquake, and other natural disasters.
- Human Risks – These can be either deliberate or accidental. Theft, computer viruses, hacking, erasing, and altering due to unauthorized access are examples of deliberate human risks. Examples of accidental human risks are negligence and erroneous data entry. Negligence may cause loss of records, while data entry error and inadequate indexing may result in misfiling and inability to retrieve records.
- Technical Risks – These include data loss stemming from media migration, authenticity, and malfunctioning central processing units.
Risk Assessment Dimensions
To assess the risks identified in records management, it is necessary to measure two risk dimensions – the probability that a risk will occur and the impact of the risk in terms of potential loss. Ideally, risk impact should be estimated using past risk statistics, but sufficient data for assessing risks are not available because records centers often do not keep accurate records and statistics – and because organizations are reluctant to disclose their exact damages to the public.
Risk Probability Scale
A risk probability scale provides a way to estimate the likelihood that a particular risk will occur. Some prefer to use simple estimates, such as high, medium, and low, to facilitate decision making. This study used a five-level measurement. (See below.)

However, the probability measurements used by previous studies were less reliable in that they did not directly specify the time period for which the risk probability was estimated. In other words, the method did not consider how frequently the disaster was likely to occur during a specified period.
This study established a base period of one year per Risk Management of Digital Information: A File Format Investigation for the risk probability scale. Hence, risk probability would be 100 percent if a major risk occurs once a year, 50 percent if it occurs once in two years and 25 percent if it occurs once in four years. Table 1 illustrates the scale ratings and their meanings.

With a risk probability rating scale in place, it is possible to calculate a risk probability score for any given risk by using the risk probability formula:

Find the risk probability score for a given risk by first multiplying the probability rating chosen by the number of respondents who chose it. This is done for each probability rating and the results are summed. The sum is then divided by the total number of all respondents to arrive at an average that represents the risk probability score.
Risk Impact Scale
The level of interruption for the records center is used as a basis for measuring risk impact. The duration of the interruption to the records center is a sound measurement for reflecting the severity of a risk because the situation prohibits users from information access, which is a main function of records management. This study used the quantitative weighting scheme developed at the University of Washington to quantify risk impact levels.
The risk impact score for each risk is based on the risk impact formula shown below using calculations similar to those used to arrive at the risk probability score:

Respondents select a risk impact rating. Each rating chosen is multiplied by the number of respondents who chose it. The sum of all responses is divided by the total number of respondents to identify the average risk impact score.
Survey Response
To obtain respondents for the study, a questionnaire was sent to records managers, archivists, and staff who worked in the records centers of 49 institutions in Korea in May 2007. A total of 66 returned the completed questionnaires. The questionnaire inquired about the organization’s current risk management status in records management and requested the respondents to estimate risk probability and risk impact for eight different risks.
Of the 53 institutions surveyed, 94 percent had records managers, archivists, or staff members who were in charge of a records center that had been in operation for an average of four years and 10 months.
Of the 36 records managers who responded, 12 (33%) indicated that their institutions implemented risk management for all types of disasters, and three (8%) executed risk management for all types except accidental human disasters. Five (14%) responded that they did not perform a risk management function at all.
Thirty-four respondents (94%) recognized risk management functions to be essential in records management. Only two (6%) did not know anything about records risk management. Records managers responded that, on average, 18.7 percent of the records management budget should be allocated for risk management.
Risk Probability and Risk Impact
Survey results are summarized in Table 3: “Risk Probability and Risk Impact.” In response to the risk of fire (the first risk in the table), for instance, 20 people (30%) thought a fire would occur with a probability of less than 1 percent, 29 (44%) said the probability was between 1 percent and 5 percent, nine (14%) cited a probability between 5 and 10 percent, four (6%) said between 10 and 25 percent, and three (4.5%) gave a probability of greater than 25 percent. The probability score of 2.09 is computed by averaging the product of the number of respondents and the scale corresponding to each probability.

When assessing the risk impact of fire, six (9.1%) responded that a fire would not result in any interruption of records center operations, 11 (17%) estimated less than eight hours of interruption, 12 (18%) said between eight and 48 hours, and 37 (56%) predicted more than 48 hours (two days) of interrupted operations. The impact score of 2.21 is computed by averaging the product of the number of respondents and the scale corresponding to each interruption period.
Selecting Treatment Methods
To select the appropriate treatment method or strategy for dealing with various risks, the probability and impact dimensions of each risk are combined and graphed. (The book Risk Management and Insurance provides descriptions of various risk treatment methods.) As a result, each of the seven types of risk would fall into one of four category quadrants as shown in Figure 1:
- Low Probability and Low Impact
- Low Probability and High Impact
- High Probability and Low Impact
- High Probability and High Impact
It is then possible to formulate a strategy corresponding to the probability and potential impact of each risk.
Low Probability-Low Impact
Because an organization can afford to absorb infrequent small losses within its operating budget, low probability, low impact risks should be placed in category quadrant I, which implies no major records management risk.
High Probability-Low Impact
Loss control treatment measures are suggested for high probability, low impact risks identified in quadrant II, including accidental human risks and data loss due to carelessness and data entry error. The risks in this quadrant are likely to occur frequently, but their impact is relatively low.
The careless handling of records and data entry error might be managed through loss prevention activities such as training and monitoring programs. A systematic training program will enhance the level of records management capability among staff members, as well as their ability to control the hazardous effects of mishandling, thereby reducing the probability of a loss occurring.
Loss reduction programs are a tacit admission on the part of the risk manager that some losses will occur, despite an organization’s best efforts. Therefore, steps should be taken to control the loss and reduce its potential severity.
Low Probability-High Impact
For risks in quadrant III, organizations might want to purchase insurance, which is a typical risk financing transfer measure. Natural risks, such as fire and windstorm, and deliberate human risks, such as hacking/erasing/altering risks, are located in this quadrant. Hacking/erasing/altering risks, which are deliberate human risks, marginally belong to this category. While these risks are likely to occur infrequently, their impact is high.
For many years, fire insurance has been a popular product in the insurance market given the potential devastation and financial losses that can result from a fire. Windstorm risk is also covered under fire insurance contracts, typically in the form of endorsement or under water damage insurance. In response to hacking risk, “hacking insurance” was developed years ago and is available.
High Probability-High Impact
The risk treatment selection rule suggests that high frequency-high severity risks (quadrant IV risks), including migration risk, computer virus risk, and authenticity risk, should be avoided. Risk avoidance is one of the risk control measures, which include proactive avoidance and abandonment.
In records management, however, media refreshing, media migration, and format migration are unavoidable activities because of the need to keep up with rapid advancements in information technology. Authenticity and computer virus risks are also unavoidable risks. Therefore, risk avoidance is not a viable measure for these risks.
In reality, these activities seem unavoidable because they must be applied by all means to attain permanent access to digital information resources. However, if alternative measures can be developed with technological progress, risk avoidance might be a viable measure for those risks in the future.
Authenticity risk has a probability score of 3.17 and an impact score of 1.55, and computer virus risk, 3.72 and 1.72. These scores indicate that the risk is located between quadrants IV and II. Hence, alternative treatment measures for these risks may include loss control such as loss prevention or loss reduction. On the other hand, migration risk is located between quadrants IV and III, so an alternative treatment measure of insurance might be considered for this risk.
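The scoring and quadrant placement described in this study, worked through for the fire responses reported above, as an added example that is not the authors' own code. The numeric ratings (1 to 5 for the probability bands, 0 to 3 for the interruption bands) and the midpoint cutoffs are assumptions, chosen because they reproduce the reported fire scores of 2.09 and 2.21.

```python
# Added example; the ratings and cutoffs below are assumptions, not the study's.
PROB_CUTOFF = 3.0     # assumed midpoint of a 1-5 probability rating
IMPACT_CUTOFF = 1.5   # assumed midpoint of a 0-3 interruption rating

# Treatment per quadrant, following the article's quadrant numbering.
TREATMENT = {
    "I": "retain: absorb small losses within the operating budget",
    "II": "loss control: prevention and reduction (training, monitoring)",
    "III": "risk transfer: insurance",
    "IV": "avoidance, or loss control / insurance where unavoidable",
}

def score(counts):
    """Average rating: sum(rating * respondents) / total respondents."""
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no responses recorded for this risk")
    return sum(rating * n for rating, n in counts.items()) / total

def quadrant(prob_score, impact_score):
    """Map a (probability, impact) score pair to quadrants I-IV."""
    high_p = prob_score >= PROB_CUTOFF
    high_i = impact_score >= IMPACT_CUTOFF
    if high_p:
        return "IV" if high_i else "II"
    return "III" if high_i else "I"

# Fire responses from the survey: {rating: number of respondents}.
FIRE_PROBABILITY = {1: 20, 2: 29, 3: 9, 4: 4, 5: 3}  # <1% ... >25% per year
FIRE_IMPACT = {0: 6, 1: 11, 2: 12, 3: 37}            # none ... >48 hours

def assess(name, prob_counts, impact_counts):
    """Score one risk from its response counts and pick a treatment."""
    p, i = score(prob_counts), score(impact_counts)
    q = quadrant(p, i)
    return {"risk": name, "probability": round(p, 2),
            "impact": round(i, 2), "quadrant": q, "treatment": TREATMENT[q]}

if __name__ == "__main__":
    print(assess("fire", FIRE_PROBABILITY, FIRE_IMPACT))
    # Scores the article reports directly for two other risks:
    for name, p, i in [("authenticity", 3.17, 1.55),
                       ("computer virus", 3.72, 1.72)]:
        print(name, quadrant(p, i), TREATMENT[quadrant(p, i)])
```

Scores that sit close to a cutoff, such as the authenticity impact score of 1.55, land in one quadrant here but warrant the neighbouring quadrant's treatment as well, which is how the article handles them.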
Spreading the Risk Management Message
This study found that records centers in Korea, where many organizations are moving into digitization of records, have an urgent need to establish a records management system armed with appropriate risk management mechanisms. While digital records are easy to create, copy, and disseminate, they contain risks that can lead to serious damages for the organization. Treating these risks appropriately is integral to ensuring digital information longevity and legibility.
This study showed that records managers, in general, have a high level of risk management awareness. However, fewer than half of the records managers surveyed indicated having a budget for risk management.
A hoped-for outcome of this study is that – by providing guidance on how organizations can execute risk assessment analyses and develop risk treatment applications – it will enhance awareness of the role of risk management in records management and encourage the adoption of risk management practices.
Soon-Jae Lee, Ph.D., can be contacted at sjlee@sejong.ac.kr.
Hye-Kyung Chung, Ph.D., can be contacted at hkc@kdischool.ac.kr.
From May - June 2008