It Won't Happen To Me: Mitigating Records Risks


Leveraging the Data Map It's More Than Just an Inventory and Managing Records in the Cloud

It Won't Happen To Me: Mitigating Records Risks

Peggy Syljuberget, MLIS, MBA, IGP, CRM
Information Specialist
Entrepreneurship Manitoba
Business Services Division
Knowledge Centre
250-240 Graham Ave., Winnipeg MB
peggy.syljuberget@gov.mb.ca
204-945-0916

Learning Objectives
1. Include records in your crisis plans
2. Prioritize records at risk
3. Develop and monitor crisis mitigation strategies

November 15, 2016

Agenda
Part 1 - Include records in crisis planning
Part 2 - Determine risks to records
- Estimate the impact to an organization
- Calculate a risk factor
- Assign a value to records
- Prioritize records based on value and risk factor
Part 3 - Develop and monitor records risks and strategies

Organizational Survival
[Chart: Organizational Survival. Vertical axis: 0 to 120. Categories: Total Organizations; Organizations Following a Disaster; Organizations One Month Following a Disaster; Organizations Three Years Following a Disaster.]

Include Records in Crisis Planning

What is a record?
Recorded information, regardless of medium or characteristics, made or received by an organization in pursuance of legal obligations or in the transaction of business.

ARMA International. (2007). Glossary of Records and Information Management Terms. 3rd ed. Lenexa, KS: ARMA International. Retrieved April 29, 2014 from http://archive.arma.org/standards/glossaryw2/index.cfm

A record series
A group of similar records that are arranged according to a filing system and that are related as a result of being created, received, or used in the same activity. (ARMA International, 2007)

Disaster Recovery vs Business Continuity
- Disaster Recovery is a written and approved course of action to take after a disaster strikes that details how an organization will restore critical business functions and reclaim damaged or threatened records.
- Business Continuity is an organization's ability to operate in the event of a disaster or disruption.
(ARMA International, 2007)

Part 1 - Include Records In Crisis Plans
Photo taken by Peggy Syljuberget, 2015

How to Mitigate Risks to Records

Step 1 - Prevention is a priority! Designate a senior person to oversee information governance in the organization and delegate responsibility for records management to appropriate individuals

Step 2 - Conduct a comprehensive inventory of your organization's business records
- Purpose and function
- Who needs access
- Locations
- Copies, backups, third party custodians
- Formats, revisions, and versions
- Storage equipment and facilities
- Work-in-progress

Step 3 - Identify as many risks and exposures to records as possible

Step 4 - Conduct an organization-wide impact assessment
- This information can be quantified to obtain a risk factor

A crisis can occur in seconds without warning, but recovery can take years!

Step 5 - Assign a value to records
- Records are more valuable than systems because systems can be replaced more easily than records

Step 6 - Prioritize records based on their risk factor and value to the organization

Step 7 - Identify resources needed to survive each risk to each record series

Step 8 - Identify all versions of records
- Copies
- Backups
- Revisions
- Redactions
- Third party custody
- Work-in-progress

Photo taken by Jerry Kofsky, 2013

Step 9 - Develop strategies for mitigating each risk to each record series

Step 10 - Schedule regular reviews of disaster recovery and business continuity plans

Part 2 - Apple Cider Company Case Study
Photo taken by Peggy Syljuberget, 2016

Risks
- Lack of cash flow
- Poor location
- Personal liability
- Improperly drafted or lack of /agreements
- Poor inventory management

Records
- Income statements
- Balance sheets
- Cash flow statements
- Business and marketing plan
- Lease
- Permits
- Server location
- Business and liquor production license
- Failed inspections
- Taxes and vendor
- Insurance policy
- Partnership and non-disclosure agreements
- Intellectual property licenses
- Tree and equipment inventory
- Production volumes
- Equipment maintenance

Determine Risks to Records

Step 1 - Use the comprehensive records inventory and record retention schedules to identify all of the records series

Step 2 - Identify as many potential risks to records as possible

| Risk | Probability (P) | Impact (I) | Risk (P x I) | Daily ($193 x P x I) | Record Class Value |
|---|---|---|---|---|---|
| Cash flow | | | | | |
| Cash flow | | | | | |
| Compliance with /agreements | | | | | |
| Compliance with legislation | | | | | |
| Compliance with legislation | | | | | |
| Inventory management | | | | | |
| Personal liability | | | | | |
| Personal liability | | | | | |

Record Series: Vendor data, Production, Production, Vendor. Office of Record: Legal, Purchasing, Processing, Processing. Current Storage: Home office filing cabinet, Home office filing cabinet.

Step 3 - Assess the probability that each risk may occur
A) examine external factors
B) explore facility-wide risks
C) examine risks by department
D) observe employee workstations

Step 4 - Characterize each risk in terms of the probability that it may occur by ranking it from 1 to 10
- 1 = lowest probability of risk occurrence
- 10 = highest probability of risk occurrence

| Risk | Probability (P) | Impact (I) | Risk (P x I) | Daily ($193 x P x I) | Record Class Value |
|---|---|---|---|---|---|
| Cash flow | 8 | | | | |
| Cash flow | 8 | | | | |
| Compliance with /agreements | 1 | | | | |
| Compliance with legislation | 1 | | | | |
| Compliance with legislation | 3 | | | | |
| Inventory management | 10 | | | | |
| Personal liability | 6 | | | | |
| Personal liability | 6 | | | | |

Record Series: Vendor data, Production, Production, Vendor. Office of Record: Legal, Purchasing, Processing, Processing. Current Storage: Home office filing cabinet, Home office filing cabinet.

Estimate the impact to an organization

Step 5 - Conduct an impact assessment to determine what the impact to the organization would be if the records were lost, damaged, or otherwise unavailable
- Visuals can be helpful to show how business functions interact within the organization

[Figure: Example of a graphic representation]

Step 6 - Rate the potential risk impact
- 0 = No impact
- 1 = Noticeable impact for up to 24 hours
- 2 = Damage to organization from 24 to 72 hours
- 3 = Major damage to organization for 72 hours or more

| Risk | Probability (P) | Impact (I) | Risk (P x I) | Daily ($193 x P x I) | Record Class Value |
|---|---|---|---|---|---|
| Cash flow | 8 | 3 | | | |
| Cash flow | 3 | 1 | | | |
| Compliance with /agreements | 1 | 3 | | | |
| Compliance with legislation | 1 | 3 | | | |
| Compliance with legislation | 3 | 2 | | | |
| Inventory management | 10 | 3 | | | |
| Personal liability | 6 | 1 | | | |
| Personal liability | 6 | 1 | | | |

Record Series: Vendor data, Production, Production, Vendor. Office of Record: Legal, Purchasing, Processing, Processing. Current Storage: Home office filing cabinet, Home office filing cabinet.

Calculate a risk factor

| Risk | Probability (P) | Impact (I) | Risk (P x I) | Daily ($193 x P x I) | Record Class Value |
|---|---|---|---|---|---|
| Cash flow | 8 | 3 | 24 | $4,632 | |
| Cash flow | 3 | 1 | 3 | $579 | |
| Compliance with /agreements | 1 | 3 | 3 | $579 | |
| Compliance with legislation | 1 | 3 | 3 | $579 | |
| Compliance with legislation | 3 | 2 | 6 | $1,158 | |
| Inventory management | 10 | 3 | 30 | $5,790 | |
| Personal liability | 6 | 1 | 6 | $1,158 | |
| Personal liability | 6 | 1 | 6 | $1,158 | |

Record Series: Vendor data, Production, Production, Vendor. Office of Record: Legal, Purchasing, Processing, Processing. Current Storage: Home office filing cabinet, Home office filing cabinet.

Assign a value to records
Picture taken by Jerry Kofsky, 2013

Step 8 - Define record value classes

Vital - 4
- Definition: Contains information critical to the continuation or survival of the organization during or immediately following a crisis. Necessary for continuing operations without delay under abnormal conditions. Contains information necessary to recreate legal and financial status, to preserve rights, and meet obligations to stakeholders
- Priority for Access: Physical protective storage must be close to a disaster response site where crisis coordination activities take place. Electronic records must be available using electronic replication methods as needed
- Class of Vital Record: Records are essential for managing emergency or crisis situations

Important - 3
- Definition: Has some value to the organization for restoring operations to a normal state following a crisis. Category for destroyed records that can be replaced for a moderate cost
- Priority for Access: Physical protective storage must be close to the disaster recovery site where crisis coordination activities take place. Electronic records and backups can be accessed quickly
- Class of Vital Record: Records are essential for resuming business operations following a crisis

Useful - 2
- Definition: Useful for continuing organizational operations without interruption. Inconvenient without records but they can be replaced for minimal cost
- Priority for Access: Physical protective storage is accessible and away from disaster area
- Class of Vital Record: Records are essential for legal and audit purposes

Non-Essential - 1
- Definition: Used for reference, are copies of originals, or are transitory in nature. Inconvenient without records but can be replaced for minimal cost
- Priority for Access: Physical storage is typically at department or user workstations. Some records are copies that can be replaced if needed
- Class of Vital Record: Records are used for quick reference or transitory in nature

Step 9 - Assign a classification to each record series based on its value to the organization
- Vital = 4
- Important = 3
- Useful = 2
- Non-essential = 1

Myth: The greater the amount invested in securing and protecting a record, the more likely the record is vital

| Risk | Probability (P) | Impact (I) | Risk (P x I) | Daily ($193 x P x I) | Record Class Value |
|---|---|---|---|---|---|
| Cash flow | 8 | 3 | 24 | $4,632 | 3 |
| Cash flow | 3 | 1 | 3 | $579 | 3 |
| Compliance with /agreements | 1 | 3 | 3 | $579 | 4 |
| Compliance with legislation | 1 | 3 | 3 | $579 | 4 |
| Compliance with legislation | 3 | 2 | 6 | $1,158 | 2 |
| Inventory management | 10 | 3 | 30 | $5,790 | 2 |
| Personal liability | 6 | 1 | 6 | $1,158 | 1 |
| Personal liability | 6 | 1 | 6 | $1,158 | 1 |

Record Series: Vendor data, Production, Production, Vendor. Office of Record: Legal, Purchasing, Processing, Processing. Current Storage: Home office filing cabinet, Home office filing cabinet.

Prioritize records based on value and risk factor

Step 10 - Prioritize each record series
- Sort first by Record Value Class
- Then by Risk Factor or Daily Risk Cost

| Risk | Probability (P) | Impact (I) | Risk (P x I) | Daily ($193 x P x I) | Record Class Value |
|---|---|---|---|---|---|
| Compliance with /agreements | 1 | 3 | 3 | $579 | 4 |
| Compliance with legislation | 1 | 3 | 3 | $579 | 4 |
| Cash flow | 8 | 3 | 24 | $4,632 | 3 |
| Cash flow | 3 | 1 | 3 | $579 | 3 |
| Inventory management | 10 | 3 | 30 | $5,790 | 2 |
| Compliance with legislation | 3 | 2 | 6 | $1,158 | 2 |
| Personal liability | 6 | 1 | 6 | $1,158 | 1 |
| Personal liability | 6 | 1 | 6 | $1,158 | 1 |

Record Series: Vendor data, Production, Production, Vendor. Office of Record: Legal, Purchasing, Processing, Processing. Current Storage: Home office filing cabinet, Home office filing cabinet.
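The scoring and sorting procedure above (probability rating, impact rating, risk factor, daily cost, value class, then prioritization) can be scripted so the worksheet is recomputed whenever a rating changes. This is an added example, not part of the original presentation; the names `RecordRisk`, `prioritize` and `render` are hypothetical, and the rows are the case-study values from the slides.

```python
from dataclasses import dataclass

# Dollar multiplier taken from the deck's "Daily ($193 x P x I)" column.
DAILY_UNIT_COST = 193
VALUE_CLASSES = {4: "Vital", 3: "Important", 2: "Useful", 1: "Non-essential"}


@dataclass(frozen=True)
class RecordRisk:  # hypothetical name: one row of the risk worksheet
    risk: str
    probability: int  # Step 4 scale: 1 = lowest, 10 = highest
    impact: int       # Step 6 scale: 0 = no impact ... 3 = major, 72 hours or more
    value_class: int  # Step 9 scale: 4 = Vital ... 1 = Non-essential

    def __post_init__(self):
        # Reject ratings outside the deck's scales so a typo cannot skew the ranking.
        if not 1 <= self.probability <= 10:
            raise ValueError(f"{self.risk}: probability must be 1-10")
        if not 0 <= self.impact <= 3:
            raise ValueError(f"{self.risk}: impact must be 0-3")
        if self.value_class not in VALUE_CLASSES:
            raise ValueError(f"{self.risk}: value class must be 1-4")

    @property
    def risk_factor(self) -> int:
        return self.probability * self.impact  # Risk (P x I)

    @property
    def daily_cost(self) -> int:
        return DAILY_UNIT_COST * self.risk_factor  # Daily ($193 x P x I)


def prioritize(rows):
    """Step 10: sort by value class (highest first), then by risk factor (highest first)."""
    return sorted(rows, key=lambda r: (-r.value_class, -r.risk_factor))


def render(rows) -> str:
    """Plain-text worksheet in the slide's column order."""
    out = [f"{'Risk':<30}{'P':>3}{'I':>3}{'PxI':>5}{'Daily':>8}  Class"]
    for r in rows:
        out.append(f"{r.risk:<30}{r.probability:>3}{r.impact:>3}{r.risk_factor:>5}"
                   f"{'$' + format(r.daily_cost, ','):>8}  {VALUE_CLASSES[r.value_class]}")
    return "\n".join(out)


# Case-study rows as rated on the slides, in their unsorted order.
CASE_STUDY = [
    RecordRisk("Cash flow", 8, 3, 3),
    RecordRisk("Cash flow", 3, 1, 3),
    RecordRisk("Compliance with /agreements", 1, 3, 4),
    RecordRisk("Compliance with legislation", 1, 3, 4),
    RecordRisk("Compliance with legislation", 3, 2, 2),
    RecordRisk("Inventory management", 10, 3, 2),
    RecordRisk("Personal liability", 6, 1, 1),
    RecordRisk("Personal liability", 6, 1, 1),
]

if __name__ == "__main__":
    print(render(prioritize(CASE_STUDY)))
```

Sorting on risk factor alone would put Inventory management (30, class 2) at the top; sorting on value class first keeps the two Vital series ahead of it even though their risk factor is only 3.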

Photo taken by Jerry Kofsky, 2013

Part 3 - Develop and monitor records risks and strategies
Photo taken by Jerry Kofsky, 2013

Step 1 - Use the Records Risk Mitigation Strategic Planning Job Aid to identify the records series with the highest value and greatest risk factor

Step 2 - Systematically assess the information entered into the Records Risk Mitigation Strategic Planning Job Aid to ensure it is current

Step 3 - Develop policies and procedures to comply with organizational obligations

Step 4 - Assign a person(s) from each Office of Record to be responsible for managing records and maintaining sections of the crisis plan pertaining to their function

Step 5 - Update the floor plan showing locations where records are stored and who needs access to them

Step 6 - Prepare a mobile emergency kit to contain damage and create an area for staging, assessing, and recovering damaged records

Step 7 - Identify methods and equipment needed to access, reconstruct, or replace records if they are damaged, lost, or unavailable

Step 8 - Establish a budget for crisis planning
- Estimate costs and expenses
- Estimate cash flow needed to sustain operations during a crisis

Step 9 - Establish a records management program
- Apply Generally Accepted Recordkeeping Principles
- Keep the records inventory current
- Ensure adherence to retention policies
- Securely destroy records as retention periods expire
- Diligently maintain backup processes
- Ensure records are accessible and available at any point in time

Step 10 - Get involved in crisis planning
- Establish an Information Governance Committee to develop/monitor strategies to mitigate risks to records
- Consult record stakeholders to determine the feasibility of each risk mitigation strategy
- Add risk mitigation strategies to the Records Risk Mitigation Job Aid for new records/risks
- Revise crisis plans to include records risk mitigation strategies

Helpful Resources
- United Nations Office for Disaster Risk Reduction. Is Your Business Disaster Proof? GlobalHand. Retrieved April 15, 2015 from http://www.unisdr.org/files/30674_privatesectorghd.pdf
- United Nations Office for Disaster Risk Reduction. Global Assessment Report on Disaster Risk Reduction 2015: Making Development Sustainable: The Future of Disaster Risk Management. Retrieved April 15, 2015 from http://www.preventionweb.net/english/hyogo/gar/2015/en/home/download.html
- ARMA International. (2012). Glossary of Records and Information Management Terms. 4th ed. Lenexa, KS: ARMA International. Retrieved Sept. 9, 2016 from https://members.arma.org/eweb/browse.aspx?webcode=product&id=34107432-7be7-4707-9743-787f987e378c#.v9oybcgrliu
- Innovation, Science and Economic Development Canada. Financial Performance Data. Retrieved Sept. 9, 2016 from http://www.ic.gc.ca/eic/site/pp-pp.nsf/eng/home

Researching External Risks
- EM-DAT: The International Disasters Database http://www.emdat.be/
- RSOE Emergency and Disaster Information Service http://hisz.rsoe.hu/alertmap/index2.php
- United Nations Disaster Prevention Statistics (glide numbers) http://www.unisdr.org/we/inform/disaster-statistics
- International Federation of Red Cross and Red Crescent Societies publications https://www.ifrc.org/

- Canadian Disaster Database http://www.publicsafety.gc.ca/cnt/rsrcs/cndn-dsstr-dtbs/indexeng.aspx
- Natural Resources Canada. Natural Hazards https://www.nrcan.gc.ca/hazards/natural-hazards
- Weather Websites http://weather.gc.ca/canada_e.html http://www.weather.com/ http://www.theweathernetwork.com/
- Local libraries and newspapers

Researching Internal Risks

Seek senior management support! Some documents may contain sensitive information
- Access to information requests
- Workers compensation claims
- Investigations and audits
- Organizational history
- Insurance claims
- Annual reports
- Lawsuits

Discussion/Questions