Two approaches to managing information risks: when managing information risks, is it better to use an event-based or a records and information requirements-based approach? This excerpt from Managing Risks for Records and Information explores these approaches and examines how to choose the one that best fits your organization's needs.

• Author: Lemieux, Victoria L.
• Position: Management Wise

At the Core

This article

* examines the consequences of failing to manage records and information risks

* discusses the event-based approach to managing information risks

* explores the records and information requirements-based approach to managing information risks

Records and information risks encompass any threat to the business arising from some inadequacy in an organization's records and information. These risks can be many and varied, ranging from those typically addressed by business continuity programs--damage to or loss of records and information arising from disasters or major system faults, for example--to more systemic problems with records and information. In extreme cases, these risks can lead to heavy loss and even corporate failure.

Recent high-profile cases outlined in Table 1 (page 57), cited by Clifford Carey in Records Management Bulletin, highlight how poor-quality records and information, and the organizational practices that lead to them, can expose an organization to risk. These cases highlight the need for organizations to pay attention to records and information related risks.

Aside from risk avoidance and control, however, effective records and information risk management can lead to improved performance of the organization. Records and information risk management initiatives are as much about identifying and capitalizing on opportunities to manage information strategically as they are about minimizing risks and losses. Some of the ways in which a records and information-related risk assessment can be used to enhance an organization's performance include:

* More effective planning of records and information management strategies and programs to ensure alignment with strategic business objectives

* Better control of records and information management costs

* Improved assessment and measurement of records and information management functions

* Improved decision-making in the records and information management arena

* Enhanced share value as a result of credible strategies to mitigate and manage records and information-related risks

* Improved compliance with records and information related legal and regulatory requirements

* Higher level of preparedness for outside regulatory review

* Minimized operational disruptions

* Improved management information

* Improved knowledge sharing throughout the organization

Developing a Records and Information Risk Management Program

Despite the risks of failing to manage them holistically and systematically, records and information risks are not recognized as a distinct area of focus in most organizations and, therefore, no processes or people are specifically dedicated to them. In most organizations, line managers deal with records and information risks, where they address them at all, on an ad hoc basis through other business processes such as internal audit...