Risk analysis and control: vital to records protection: identifying and preventing risk is smart business practice. This excerpt from Records and Information Management: Fundamentals of Professional Practice gives the fundamentals of assessing risk in your records operations, putting a prevention plan in place, and auditing that plan for compliance.

• Author: Saffady, William
• Position: ManagementWise

Risk analysis determines and evaluates the exposure of vital records to specific risks. Its outcome provides the basis for protection planning and other records management decisions. A thorough risk analysis begins with the identification of threats and vulnerabilities to which vital records are exposed. Once identified, threats and vulnerabilities can be evaluated using qualitative or quantitative approaches. Risk control is also an important component of any vital records program. The purpose of risk control is to safeguard vital records. Where vital records protection is part of a broader business continuity and disaster recovery plan, risk control measures may also safeguard facilities, computer hardware and software, laboratory equipment, and other resources.

Identifying Risks

Threats to vital records are customarily divided into three broad categories: (1) destruction, (2)loss, and (3) corruption. A fourth category--threats associated with the improper disclosure of recorded information--is typically outside the scope of records management responsibility.

Protection of essential information against malicious or accidental destruction is a well-established component of vital records planning. Malicious destruction of recorded information may result from warfare or warfare-related issues. Potentially catastrophic agents of accidental destruction include natural disasters. Vital records can also be damaged or destroyed by human-induced accidents such as fire or lack of knowledge about the consequences of specific actions.

More likely causes of accidental records destruction are less dramatic and more localized but no less catastrophic in their consequences for mission-critical operations. Records in all formats can be damaged by careless handling. Paper documents, for example, are easily torn, damaged by spilled fluids, or otherwise mutilated. Microforms, X-rays, and other photographic films can be scratched. With very active records, the potential for such damage is intensified by use. In many work environments, for example, valuable engineering drawings subject to frequent retrieval are characteristically frayed and dog-eared.

Information recorded on magnetic media and certain types of optical disks can be erased by exposure to strong magnetic fields. Careless work procedures, such as mounting magnetic tapes or diskettes without write protection, can expose vital electronic records to accidental erasure by overwriting. Mislabeled rewritable media may be inadvertently marked for reuse, their contents being inappropriately replaced by new information. Computer hardware and software failures can damage valuable information. Electronic records may be accidentally deleted during database reorganizations or by utility programs that consolidate disk space.

Records in all formats can be misfiled, misplaced, or stolen. Like many business tasks, filing of paper records is subject to errors. Documents can be placed into the wrong folders, and folders can be placed into the wrong drawers or cabinets. Widely quoted sources claim misfile rates ranging from one to ten percent for documents in office files, but such claims are typically substantiated by anecdotal reports rather than scientific studies that present detailed statistical data about filing activity in specific work environments. Nonetheless, even a very low misfiling rate can pose significant problems in large filing installations. In a central filing area with 25 four-drawer cabinets, for example, a misfiling rate of just one-half of one percent means that more than 1,000 records are filed incorrectly. Of course, even a single misfiled document can have serious consequences if it contains information needed for an important business purpose.

Color-coded folders can simplify detection of misplaced folders, but they are not applicable to every filing situation nor can they identify individual documents filed in the wrong folder. Microfilm's advocates claim that it will eliminate misfiles associated with refilling activity. However, unless misfile detection is performed during document preparation, pages can be microfilmed in the wrong sequence, in which case misfiles are irreversible. Further, individual microfiche, microfilm jackets, and aperture cards can themselves be misfiled within cabinets or trays. With electronic records, data entry errors are the counterparts of misfiles. Although effective methods, such as double-keying of information, are available for error detection and correction, they are not incorporated into all data entry operations.

Like any valued asset, recorded information can be stolen for financial gain or other motives, by intelligence operatives or by disgruntled, compromised, or coerced employees. Traditionally, espionage-related concerns have been most closely associated with government and military records, but they apply to other work environments as well. Commercial information brokers, for example, are interested in names, addresses, telephone numbers, and other information about an organization's employees, a company's customers, a hospital's patients, an academic institution's students, and a professional association's members. Trade secrets, product specifications, manufacturing methods, marketing plans, pricing strategies, and customer information are of great interest to a company's competitors.

The threat of theft is greatest for records stored...