Leveraging the Data Map It s More Than Just an Inventory and Managing Records in the Cloud It Won t Happen To Me Mitigating Records Risks Peggy Syljuberget, MLIS, MBA, IGP, CRM Information Specialist Entrepreneurship Manitoba Business Services Division Knowledge Centre 250 240 Graham Ave., Winnipeg MB peggy.syljuberget@gov.mb.ca 204-945-0916
It Won t Happen To Me Mitigating Records Risks Learning Objectives 1. Include records in your crisis plans 2. Prioritize records at risk 3. Develop and monitor crisis mitigation strategies November 15, 2016 2
It Won t Happen To Me Mitigating Records Risks Agenda Part 1 - Include records in crisis planning Part 2 Determine risks to records Estimate the impact to an organization Calculate a risk factor Assign a value to records Prioritize records based on value and risk factor Part 3 - Develop and monitor records risks and strategies November 15, 2016 3
120 It Won t Happen To Me Mitigating Records Risks Organizational Survival 100 80 60 40 20 0 Total Organizations Organizations Following a Disaster Organizations One Month Following a Disaster Organizations Three Years Following a Disaster Organizational Survival November 15, 2016 4
Include Records in Crisis Planning What is a record? recorded information, regardless of medium or characteristics, made or received by an organization in pursuance of legal obligations or in the transaction of business. ARMA International. (2007). Glossary of Records and Information Management Terms. 3 rd ed. Lenexa, KS: ARMA International. Retrieved April 29, 2014 from http://archive.arma.org/standards/glossaryw2/index.cfm November 15, 2016 5
Include Records in Crisis Planning A record series a group of similar records that are arranged according to a filing system and that are related as a result of being created, received, or used in the same activity. ARMA International. (2007). Glossary of Records and Information Management Terms. 3 rd ed. Lenexa, KS: ARMA International. Retrieved April 29, 2014 from http://archive.arma.org/standards/glossaryw2/index.cfm November 15, 2016 6
Include Records in Crisis Planning Disaster Recovery vs Business Continuity Disaster Recovery is a written and approved course of action to take after a disaster strikes that details how an organization will restore critical business functions and reclaim damaged or threatened records Business Continuity is an organization s ability to operate in the event of a disaster or disruption ARMA International. (2007). Glossary of Records and Information Management Terms. 3 rd ed. Lenexa, KS: ARMA International. Retrieved April 29, 2014 from http://archive.arma.org/standards/glossaryw2/index.cfm November 15, 2016 7
Part 1 - Include Records In Crisis Plans Photo taken by Peggy Syljuberget, 2015 November 15, 2016 8
How to Mitigate Risks to Records Step 1 - Prevention is a priority! Designate a senior person to oversee information governance in the organization and delegate responsibility for records management to appropriate individuals November 15, 2016 9
How to Mitigate Risks to Records Step 2 - Conduct a comprehensive inventory of your organization s business records Purpose and function Who needs access Locations Copies, backups, third party custodians Formats, revisions, and versions Storage equipment and facilities Work-in-progress November 15, 2016 10
How to Mitigate Risks to Records Step 3 - Identify as many risks and exposures to records as possible Step 4 - Conduct a organization-wide impact assessment This information can be quantified to obtain a risk factor A crisis can occur in seconds without warning, but recovery can take years! November 15, 2016 11
How to Mitigate Risks to Records Step 5 - Assign a value to records Records are more valuable than systems because systems can be replaced more easily than records Step 6 - Prioritize records based on their risk factor and value to the organization November 15, 2016 12
How to Mitigate Risks to Records Step 7 - Identify resources needed to survive each risk to each record series Step 8 - Identify all versions of records Copies Backups Revisions Redactions Third party custody Work-in-progress Photo taken by Jerry Kofsky, 2013 November 15, 2016 13
How to Mitigate Risks to Records Step 9 - Develop strategies for mitigating each risk to each record series Step 10 - Schedule regular reviews of disaster recovery and business continuity plans November 15, 2016 14
Part 2 - Apple Cider Company Case Study Photo taken by Peggy Syljuberget, 2016 November 15, 2016 15
Part 2 - Apple Cider Company Case Study Risks Lack of cash flow Poor location Personal liability Improperly drafted or lack of /agreements Poor inventory management Records Income statements Balance sheets Cash flow statements Business and marketing plan Lease Permits Server location Business and liquor production license Failed inspections Taxes and vendor Insurance policy Partnership and non-disclosure agreements Intellectual property licenses Tree and equipment inventory Production volumes Equipment maintenance November 15, 2016 16
Determine Risks to Records Step 1 - Use the comprehensive records inventory and record retention schedules to identify all of the records series Step 2 - Identify as many potential risks to records as possible November 15, 2016 17
Cash flow Cash flow Risk Compliance with /agreeme nts Compliance with legislation Compliance with legislation Inventory management Personal liability Personal liability Determine Risks to Records Probability (P) Impact (I) Risk (P x I) Daily ($193 x P x I) Record Class Value Record Series Vendor data Production Production Vendor Office of Record Legal Purchasing Processing Processing Current Storage Home office filing cabinet Home office filing cabinet Risk November 15, 2016 18
Determine Risks to Records Step 3 - Assess the probability that each risk may occur A) examine external factors B) explore facility-wide risks C) examine risks by department D) observe employee workstations November 15, 2016 19
Determine Risks to Records Step 4 - Characterize each risk in terms of the probability that it may occur by ranking it from 1 to 10 1 = lowest probability of risk occurrence 10 = highest probability of risk occurrence November 15, 2016 20
Risk Cash flow 8 Cash flow 8 Compliance with /agreeme nts Compliance with legislation Compliance with legislation Inventory management Personal liability 6 Personal liability 6 Determine Risks to Records Probability (P) Impact (I) 1 1 Risk (P x I) Daily ($193 x P x I) Record Class Value Record Series Vendor data Legal Purchasing 3 Production Processing 10 Production Processing Vendor Office of Record Current Storage Home office filing cabinet Home office filing cabinet Risk November 15, 2016 21
Estimate the impact to an organization Step 5 - Conduct an impact assessment to determine what the impact to the organization would be if the records were lost, damaged, or otherwise unavailable Visuals can be helpful to show how business functions interact within the organization November 15, 2016 22
Estimate the impact to an organization Example of a graphic representation November 15, 2016 23
Estimate the impact to an organization Step 6 - Rate the potential risk impact 0 = No impact 1 = Noticeable impact for up to 24 hours 2 = Damage to organization from 24 to 72 hours 3 = Major damage to organization for 72 hours or more November 15, 2016 24
Estimate the impact to an organization Risk Cash flow 8 3 Cash flow 3 1 Compliance with /agreeme nts Compliance with legislation Compliance with legislation Inventory management Probability (P) Impact (I) 1 3 1 3 Personal liability 6 1 Personal liability 6 1 Risk (P x I) Daily ($193 x P x I) Record Class Value Record Series Vendor data Home office filing cabinet November 15, 2016 25 Legal Purchasing 3 2 Production Processing 10 3 Production Processing Vendor Office of Record Current Storage Home office filing cabinet Risk
Risk Cash flow 8 3 24 $4,632 Cash flow 3 1 3 $579 Compliance with / agreements Compliance with legislation Compliance with legislation Inventory management Probability (P) Calculate a risk factor Impact (I) Risk (P x I) Daily ($193 x P x I) 1 3 3 $579 1 3 3 $579 Vendor data Legal Purchasing 3 2 6 $1,158 Production Processing 10 3 30 $5,790 Production Processing Personal liability 6 1 6 $1,158 Personal liability 6 1 6 $1,158 Record Class Value Record Series Vendor Office of Record Current Storage Home office filing cabinet Home office filing cabinet Risk November 15, 2016 26
Assign a value to records Picture taken by Jerry Kofsky, 2013 November 15, 2016 27
Assign a value to records Step 8 - Define record value classes Vital - 4 Value Class Definition Priority for Access Class of Vital Record Important - 3 Contains information critical to the continuation or survival of the organization during or Physical protective storage must be close to a immediately following a crisis. Necessary for disaster response site where crisis coordination continuing operations without delay under activities take place. Electronic records must be abnormal conditions. Contains information available using electronic replication methods as necessary to recreate legal and financial status, to needed preserve rights, and meet obligations to stakeholders Has some value to the organization for restoring operations to a normal state following a crisis. Category for destroyed records that can be replaced for a moderate cost Physical protective storage must be close to the disaster recovery site where crisis coordination activities take place. Electronic records and backups can be accessed quickly Records are essential for managing emergency or crisis situations Records are essential for resuming business operations following a crisis Useful - 2 Useful for continuing organizational operations without interruption. Inconvenient without records but they can be replaced for minimal cost Physical protective storage is accessible and away from disaster area Records are essential for legal and audit purposes Non-Essential - 1 November 15, 2016 Used for reference, are copies of originals, or are transitory in nature. Inconvenient without records but can be replaced for minimal cost Physical storage is typically at department or user workstations. Some records are copies that can be replaced if needed Records are used for quick reference or transitory in nature 28
Assign a value to records Step 9 - Assign a classification to each record series based on its value to the organization Vital = 4 Important = 3 Useful = 2 Non-essential = 1 Myth: The greater the amount invested in securing and protecting a record, the more likely the record is vital November 15, 2016 29
Assign a value to records Risk Cash flow 8 3 24 $4,632 3 Cash flow 3 1 3 $579 3 Compliance with / agreements Compliance with legislation Compliance with legislation Inventory management Probability (P) Impact (I) Risk (P x I) Daily ($193 x P x I) Record Class Value 1 3 3 $579 4 1 3 3 $579 4 Vendor data Legal Purchasing 3 2 6 $1,158 2 Production Processing 10 3 30 $5,790 2 Production Processing Personal liability 6 1 6 $1,158 1 Personal liability 6 1 6 $1,158 1 Record Series Vendor Office of Record Current Storage Home office filing cabinet Home office filing cabinet Risk November 15, 2016 30
Prioritize records based on value and risk factor Step 10 - Prioritize each record series Sort first by Record Value Class Then by Risk Factor or Daily Risk Cost November 15, 2016 31
Prioritize records based on value and Risk Compliance with / agreements Compliance with legislation risk factor 1 3 3 $579 4 1 3 3 $579 4 Cash flow 8 3 24 $4,632 3 Cash flow 3 1 3 $579 3 Inventory management Compliance with legislation Probability (P) Impact (I) Risk (P x I) Daily ($193 x P x I) Record Class Value data Vendor Legal Purchasing 10 3 30 $5,790 2 Production Processing 3 2 6 $1,158 2 Production Processing Personal liability 6 1 6 $1,158 1 Personal liability 6 1 6 $1,158 1 Record Series Vendor Office of Record Current Storage Home office filing cabinet Home office filing cabinet Risk November 15, 2016 32
Prioritize records based on value and risk factor Photo taken by Jerry Kofsky, 2013 November 15, 2016 33
Part 3 - Develop and monitor records risks and strategies Photo taken by Jerry Kofsky, 2013 November 15, 2016 34
Part 3 - Develop and monitor records risks and strategies Step 1 - Use the Records Risk Mitigation Strategic Planning Job Aid to identify the records series with the highest value and greatest risk factor Step 2 - Systematically assess the information entered into the Records Risk Mitigation Strategic Planning Job Aid to ensure it is current November 15, 2016 35
Part 3 - Develop and monitor records risks and strategies Step 3 - Develop policies and procedures to comply with organizational obligations Step 4 - Assign a person(s) from each Office of Record to be responsible for managing records and maintaining sections of the crisis plan pertaining to their function November 15, 2016 36
Part 3 - Develop and monitor records risks and strategies Step 5 Update the floor plan showing locations where records are stored and who needs access to them Step 6 - Prepare a mobile emergency kit to contain damage and create an area for staging, assessing, and recovering damaged records November 15, 2016 37
Part 3 - Develop and monitor records risks and strategies Step 7 - Identify methods and equipment needed to access, reconstruct, or replace records if they are damaged, lost, or unavailable Step 8 - Establish a budget for crisis planning Estimate costs and expenses Estimate cash flow needed to sustain operations during a crisis November 15, 2016 38
Part 3 - Develop and monitor records risks and strategies Step 9 - Establish a records management program Apply Generally Accepted Recordkeeping Principles Keep the records inventory current Ensure adherence to retention policies Securely destroy records as retention periods expire Diligently maintain backup processes Ensure records are accessible and available at any point in time November 15, 2016 39
Part 3 - Develop and monitor records risks and strategies Step 10 - Get involved in crisis planning Establish an Information Governance Committee to develop/monitor strategies to mitigate risks to records Consult record stakeholders to determine the feasibility of each risk mitigation strategy Add risk mitigation strategies to the Records Risk Mitigation Job Aid for new records/risks Revise crisis plans to include records risk mitigation strategies November 15, 2016 40
Helpful Resources United Nations Office for Disaster Risk Reduction. Is Your Business Disaster Proof? GlobalHand. Retrieved April 15, 2015 from http://www.unisdr.org/files/30674_privatesectorghd.pdf United Nations Office for Disaster Risk Reduction. Global Assessment Report on Disaster Risk Reduction 2015: Making Development Sustainable: The Future of Disaster Risk Management. Retrieved April 15, 2015 from http://www.preventionweb.net/english/hyogo/gar/2015/en/home/download.html ARMA International. (2012). Glossary of Records and Information Management Terms. 4 th ed. Lenexa, KS: ARMA International. Retrieved Sept. 9, 2016 from https://members.arma.org/eweb/browse.aspx?webcode=product&id=34107432-7be7-4707-9743-787f987e378c#.v9oybcgrliu Innovation, Science and Economic Development Canada. Financial Performance Data. Retrieved Sept. 9, 2016 from http://www.ic.gc.ca/eic/site/pp-pp.nsf/eng/home November 15, 2016 41
Researching External Risks EM-DAT: The International Disasters Database http://www.emdat.be/ RSOE Emergency and Disaster Information Service http://hisz.rsoe.hu/alertmap/index2.php United Nations Disaster Prevention Statistics (glide numbers) http://www.unisdr.org/we/inform/disaster-statistics International Federation of Red Cross and Red Crescent Societies publications https://www.ifrc.org/ November 15, 2016 42
Researching External Risks Canadian Disaster Database http://www.publicsafety.gc.ca/cnt/rsrcs/cndn-dsstr-dtbs/indexeng.aspx Natural Resources Canada. Natural Hazards https://www.nrcan.gc.ca/hazards/natural-hazards Weather Websites http://weather.gc.ca/canada_e.html http://www.weather.com/ http://www.theweathernetwork.com/ Local libraries and newspapers November 15, 2016 43
Researching Internal Risks Seek senior management support! Some documents may contain sensitive information Access to information requests Workers compensation claims Investigations and audits Organizational history Insurance claims Annual reports Lawsuits November 15, 2016 44
Discussion/Questions Peggy Syljuberget, MLIS, MBA, IGP, CRM Information Specialist Entrepreneurship Manitoba Business Services Division Knowledge Centre 250 240 Graham Ave., Winnipeg MB peggy.syljuberget@gov.mb.ca 204-945-0916 November 15, 2016 45