Records Management and Risk Reduction

A strong information management program is foundational to an organization's success, and can significantly reduce the risk of poor business decisions, costly litigation, e-discovery and damage to reputation.

What is a record?
A record, according to ISO 15489-1, 3.15, is information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business.

Examples of non-records:
- Duplicates
- Working papers and drafts
- Transmittal letters or cover sheets
- Reproduced or published material from other offices
- Catalogues, trade journals, periodicals, etc.
- Stocks of publications (reports, brochures, plans, etc.) and forms, agendas, etc.

Records Management:
- Bit of a misnomer: it is actually more about the management of business information.
- The primary objective is to identify what to keep, how to keep it, when to get rid of it, and how to get rid of it.
- Manage information as an asset through the entire life cycle:
  1. Create/Receive
  2. Use
  3. Retain/Archive
  4. Final Disposition

[Chart: Digital Landfills. Segments: Everything Else, Subject to Legal Hold, Has Business Utility, Regulatory Requirement; values shown: 5%, 25%, 2%, 68%. Source: CGOC (Compliance and Governance Oversight Council)]

"There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know." (2002, Donald Rumsfeld, former US Secretary of State for Defence)

We know that much of our information exists in enterprise systems like SAP, etc., and we know what the data is. This data is well managed and protected from security risks and is auditable, and while retention may not be applied, we can usually rely on the integrity of the data. From a Records Management risk perspective, these business records are the least of the worries.

We know we have information in shared drives, email, collaboration software, etc.
We know where it is, but we don't have an accurate way to measure what the data is or what its business value or risk is:
- We can't control the growth or redundancy.
- We can't control where it goes or who it goes to (email, copy to USB and remove, etc.).
- It is not managed in most organizations.

With the unknown content, we may:
- Fail to see or seek out information because we don't know it's there.
- Find that vital information is not available for retrieval and distribution for decision-making purposes.
- Suffer theft or unauthorized use of information (think social media, or worse).
- Lack a way to share the information, which limits the organization's awareness and ability to make good decisions.

Successful programs ensure that records are:
- Usable
- Reliable
- Authentic
- Of demonstrable integrity

Building the program:
1. Inventory information assets.
2. Identify the records; disposition non-records.
3. Develop the records retention schedule.
4. Develop the Records Management Policy.
5. Develop standards and procedures for capture, storage and disposition.
6. Train, train, train.

Inventory of information assets:
- A detailed registry of what types of records are owned, where they reside, the Office of Primary Responsibility, and relevant metadata.
- Should also ideally indicate whether personal information (P.I.) is in the record, what the security classification is, and whether the record is considered a vital record.

As a Risk Manager:
- Inform your Records Managers of the areas of the organization that own records related to high-risk events/situations.
- Encourage employees to regularly dispose of convenience copies and duplicates.
- Purge email that does not constitute a record.
- Help your Records Manager draft a communication plan that includes the risk to the organization that results from retaining unmanaged information.
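The inventory and retention-schedule steps listed above are, in practice, a table of records and a rule applied to each row. As an added illustration (my own example code, not material from the presentation, from ARMA or from any product it mentions), the following Python script holds a small constructed registry carrying the metadata the inventory slide calls for (Office of Primary Responsibility, P.I. flag, security classification, vital-record flag) together with a constructed retention schedule, and reports for each record whether it must still be retained, is due for disposition by the scheduled destruction method, is due but blocked by a legal hold or pending access request, or belongs to a series that has no schedule and must be referred to Records Management. Series codes, retention periods, dates, owners and hold identifiers are all constructed sample values, not any organization's real schedule.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    """One line of a retention schedule (constructed sample, not a real schedule)."""
    series: str               # record series / classification code
    retention_years: int      # years to retain after the trigger event
    destruction_method: str   # how the record is destroyed once it is due


# Constructed schedule: codes, periods and methods are illustrative only.
SCHEDULE = {
    "FIN-AP": RetentionRule("FIN-AP", 7, "secure delete"),
    "HR-PERS": RetentionRule("HR-PERS", 10, "secure delete"),
    "CORR-GEN": RetentionRule("CORR-GEN", 2, "delete"),
}


@dataclass
class RegistryEntry:
    """One row of the records inventory, with the metadata the slide lists."""
    record_id: str
    series: str
    owner: str                      # Office of Primary Responsibility
    trigger_date: date              # event that starts the retention clock
    contains_pi: bool = False       # personal information present?
    classification: str = "internal"
    vital: bool = False             # vital record for business continuity?
    holds: set = field(default_factory=set)  # legal holds or pending access requests


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition_action(entry: RegistryEntry, schedule: dict, today: date) -> str:
    """Decide what the schedule says about one record as of `today`."""
    rule = schedule.get(entry.series)
    if rule is None:
        # Unscheduled series: nobody has decided how long to keep it.
        return "unscheduled: refer to Records Management"
    due = add_years(entry.trigger_date, rule.retention_years)
    if today < due:
        return f"retain until {due.isoformat()}"
    if entry.holds:
        # Expired, but a preservation obligation overrides the schedule.
        return "hold: " + ", ".join(sorted(entry.holds))
    return f"dispose: {rule.destruction_method}"


def disposition_report(registry, schedule, today):
    """Map every record id in the registry to its action."""
    return {e.record_id: disposition_action(e, schedule, today) for e in registry}


def summarize(report):
    """Count records by action type (retain / dispose / hold / unscheduled)."""
    counts = {}
    for action in report.values():
        kind = action.split(":")[0].split(" ")[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed registry rows and evaluation date (sample values only).
REGISTRY = [
    RegistryEntry("R-001", "FIN-AP", "Finance", date(2010, 3, 31)),
    RegistryEntry("R-002", "HR-PERS", "Human Resources", date(2012, 6, 30),
                  contains_pi=True, classification="confidential"),
    RegistryEntry("R-003", "CORR-GEN", "Claims", date(2015, 1, 15),
                  holds={"LH-2016-042"}),
    RegistryEntry("R-004", "FIN-AP", "Finance", date(2019, 12, 31)),
    RegistryEntry("R-005", "MKT-MISC", "Marketing", date(2011, 2, 28)),
]
TODAY = date(2020, 1, 1)

if __name__ == "__main__":
    report = disposition_report(REGISTRY, SCHEDULE, TODAY)
    for record_id, action in report.items():
        print(record_id, action)
    print(summarize(report))
```

The hold check runs only after the retention period has been found to be expired, so a held record is reported as "hold" rather than quietly retained, and a record whose series has no schedule is surfaced instead of defaulting to keep-forever. The summary gives the same split the digital landfill chart expresses as percentages: what is held, what still has a business or regulatory reason to exist, and what is defensibly disposable. The P.I., classification and vital-record fields are carried as inventory data so that later rules (for example, a destruction method that depends on classification) have something to act on.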
Policy:
The key to a successful records management program is a well thought-out policy with accompanying standards, procedures and guidelines that inform staff of their roles and responsibilities, and how to carry out those responsibilities. Work with Records Management to include a section on Risk in the Records Management Policy, or reference the Risk Management Policy.

Functional classification:
A scheme based on the function the records are evidence of, as a way to organize similar records in groups; similar to a library classification scheme.

Retention schedule:
A schedule based on business needs and legal, privacy and regulatory obligations. It specifies the length of time a record is to be retained, and the method of destruction. In Saskatchewan, government records retention schedules must be approved by the Saskatchewan Archives Board and the Public Records Committee.

Statutory obligations to preserve records:
- A plethora of legislation and regulations: employment legislation, corporate record keeping, tax records, audits, investigations, etc.
- Failure to preserve may attract criminal liability, fines, penalties, etc.

Statutory obligations to destroy records:
- Privacy laws (FOIPPA, HIPAA): an obligation to destroy when no longer needed for reasonable business / legal purposes.
- Destruction of personal information is an offence when it occurs after an individual has requested access to their information.

The Saskatchewan Evidence Act: "record" includes any information that is recorded or stored by means of any device or electronic means. If you've got it, you must produce it.

Storage space, regardless of record type, is not an infinitely available resource. Organizations need to realize that keeping everything is not records management.

We can just manually review the records, right? Consider the volume of data:
- KB = one page
- MB = a small novel; 5 MB = all of Shakespeare
- GB = a pickup truck full of books; 100 GB = a library floor
- TB = 50,000 trees; 10 TB = the entire print collection of the U.S. Library of Congress (my organization has 12 TB on shared drives and email)

Cautionary tales:
- The Enron/Arthur Andersen fiasco resulted in Sarbanes-Oxley.
- A Sydney hospital mismanaged patient records: stuffed them into unlocked cabinets, stored them with toxic materials, etc.
- Washington, D.C. police force records were found in abandoned cars and trash bins as a result of a records-burning event gone bad.

Lucent Technologies Inc. (May 2004)
- Accusation: Providing incomplete records in response to a Securities and Exchange Commission investigation.
- Consequences: $25 million fine.

UBS Warburg LLC (July 2004)
- Accusation: During an ongoing gender discrimination lawsuit (Zubulake v. UBS Warburg), deleted relevant e-mails despite a court order; failed to locate and preserve records and to produce e-mail and other documents in a timely manner.
- Consequences: Ordered to produce relevant documents, pay for the re-deposition of some witnesses and pay the legal expenses of the plaintiff.

Philip Morris USA/Altria Group (July 2004)
- Accusation: Deleted e-mail that was over 60 days old for more than two years after a legal order to preserve all documents relating to litigation. Failed to follow the company's internal procedures for document and e-mail preservation.
- Consequences: $2.75 million fine.

Banc of America Securities (March 2004)
- Accusation: Violation of Exchange Act record-keeping requirements, including failure to produce e-mail records in a timely manner and failure to preserve documents after an SEC staff request to do so.
- Consequences: $10 million fine; censure.

IT, Records Management, Privacy, Legal and Risk all need to be at the table:
- IT provides the security and audit functionality.
- Records can identify retention periods.
- Privacy and Legal can assess/approve/make requests for change.
- Risk can measure and help manage.

ECM, ERM, EDRMS, DM: all of these are acronyms for electronic solutions that help organizations manage document/record control, retention, audit, workflow, versioning, legal/audit holds, security, etc.
They are becoming more and more relevant and necessary as organizations wake up to the risks they are carrying and the opportunities they are missing by not managing information as an asset.

Records Managers have been around for centuries, but we are still perceived as the file clerk in the basement in most organizations. We need to partner with those in our organizations who have common goals. You can help shape and enforce records management policy, procedure and compliance in your organization by adding your influence to the RIM messaging.

In order to achieve the desired state we need to move beyond silos: Records, IT, Legal & Privacy, Risk, Audit.

Information Governance (definition):
A framework and responsibility model for cross-functional and executive dialogue that serves as a catalyst for defining a unified governance approach to information by linking business value and legal duties to the information assets.

Information is at the centre, and disposition is the end-state, but it starts with the business and the value. The role of Risk Management in Information Governance is to actively work with RIM, Legal, Privacy and the business to ensure that data is being defensibly disposed of at the right time.

What you can do:
- Find out who is responsible for Records Management in your organization.
- Work with them to present the challenge for the organization as it relates to risk.
- Help them find ways to show value to the organization.
- You are the expert: help your records manager perform a risk assessment.

"ISO 18128 Information and documentation – Risk assessment for records processes and systems" is a good start, with a scalable framework.

Questions to ask:
- Is records management supported by top management?
- Are records responsibilities included in job descriptions where relevant?
- Is the technology selected an appropriate fit for the size, complexity, and activities of the organization?
- Has the organization identified all systems that create, hold, or manage records?
- Does the business continuity planning specifically include the records systems?

Denise Harry
dharry@sgi.sk.ca
306 751 3332
ARMA Saskatchewan Chapter
www.armasask.org