Risk analysis and control: vital to records protection: identifying and preventing risk is smart business practice. This excerpt from Records and Information Management: Fundamentals of Professional Practice gives the fundamentals of assessing risk in your records operations, putting a prevention plan in place, and auditing that plan for compliance.


by Saffady, William
Information Management Journal • Sept-Oct, 2005 • ManagementWise

Risk analysis determines and evaluates the exposure of vital records to specific risks. Its outcome provides the basis for protection planning and other records management decisions. A thorough risk analysis begins with the identification of threats and vulnerabilities to which vital records are exposed. Once identified, threats and vulnerabilities can be evaluated using qualitative or quantitative approaches. Risk control is also an important component of any vital records program. The purpose of risk control is to safeguard vital records. Where vital records protection is part of a broader business continuity and disaster recovery plan, risk control measures may also safeguard facilities, computer hardware and software, laboratory equipment, and other resources.

Identifying Risks

Threats to vital records are customarily divided into three broad categories: (1) destruction, (2) loss, and (3) corruption. A fourth category--threats associated with the improper disclosure of recorded information--is typically outside the scope of records management responsibility.

Protection of essential information against malicious or accidental destruction is a well-established component of vital records planning. Malicious destruction of recorded information may result from warfare or warfare-related issues. Potentially catastrophic agents of accidental destruction include natural disasters. Vital records can also be damaged or destroyed by human-induced accidents such as fire or lack of knowledge about the consequences of specific actions.

More likely causes of accidental records destruction are less dramatic and more localized but no less catastrophic in their consequences for mission-critical operations. Records in all formats can be damaged by careless handling. Paper documents, for example, are easily torn, damaged by spilled fluids, or otherwise mutilated. Microforms, X-rays, and other photographic films can be scratched. With very active records, the potential for such damage is intensified by use. In many work environments, for example, valuable engineering drawings subject to frequent retrieval are characteristically frayed and dog-eared.

Information recorded on magnetic media and certain types of optical disks can be erased by exposure to strong magnetic fields. Careless work procedures, such as mounting magnetic tapes or diskettes without write protection, can expose vital electronic records to accidental erasure by overwriting. Mislabeled rewritable media may be inadvertently marked for reuse, their contents being inappropriately replaced by new information. Computer hardware and software failures can damage valuable information. Electronic records may be accidentally deleted during database reorganizations or by utility programs that consolidate disk space.

Records in all formats can be misfiled, misplaced, or stolen. Like many business tasks, filing of paper records is subject to errors. Documents can be placed into the wrong folders, and folders can be placed into the wrong drawers or cabinets. Widely quoted sources claim misfile rates ranging from one to ten percent for documents in office files, but such claims are typically substantiated by anecdotal reports rather than scientific studies that present detailed statistical data about filing activity in specific work environments. Nonetheless, even a very low misfiling rate can pose significant problems in large filing installations. In a central filing area with 25 four-drawer cabinets, for example, a misfiling rate of just one-half of one percent means that more than 1,000 records are filed incorrectly. Of course, even a single misfiled document can have serious consequences if it contains information needed for an important business purpose.

Color-coded folders can simplify detection of misplaced folders, but they are not applicable to every filing situation nor can they identify individual documents filed in the wrong folder. Microfilm's advocates claim that it will eliminate misfiles associated with refiling activity. However, unless misfile detection is performed during document preparation, pages can be microfilmed in the wrong sequence, in which case misfiles are irreversible. Further, individual microfiche, microfilm jackets, and aperture cards can themselves be misfiled within cabinets or trays. With electronic records, data entry errors are the counterparts of misfiles. Although effective methods, such as double-keying of information, are available for error detection and correction, they are not incorporated into all data entry operations.

Like any valued asset, recorded information can be stolen for financial gain or other motives, by intelligence operatives or by disgruntled, compromised, or coerced employees. Traditionally, espionage-related concerns have been most closely associated with government and military records, but they apply to other work environments as well. Commercial information brokers, for example, are interested in names, addresses, telephone numbers, and other information about an organization's employees, a company's customers, a hospital's patients, an academic institution's students, and a professional association's members. Trade secrets, product specifications, manufacturing methods, marketing plans, pricing strategies, and customer information are of great interest to a company's competitors.

The threat of theft is greatest for records stored in users' work areas where systematic handling procedures are seldom implemented and security provisions may be weak or absent. Centralized repositories, by contrast, tend to be more secure. Theft is a concern for records in all formats; but microforms and electronic media are compact and more easily concealed than paper documents, and their high storage densities increase the amount of information affected by a single incident of theft.

Tampering is a leading cause of corruption of recorded information, but not all record formats are equally vulnerable. With microforms, tampering is difficult and detectable. The contents of individual microimages cannot be altered, and insertion or removal of images requires splicing of film, which is readily apparent. By contrast, information in paper documents can be added to, obliterated, or changed, although such modifications can often be detected by skilled forensic examiners. The potential for unauthorized tampering with electronic records has been widely discussed in publications and at professional meetings. Records stored on rewritable media--such as magnetic disks, magnetic tapes, and certain optical disks--are subject to modification by unauthorized persons in a manner that can prove very difficult to detect. Such unauthorized modification may involve the deletion, editing, or replacement of information. Further, viruses and other malicious software can damage computer-stored records.

Qualitative Risk Assessment

Regardless of the specific threats involved, risk assessment may be based on intuitive, relatively informal qualitative approaches or on more structured, formalized quantitative methods. The methods are not mutually exclusive; they can be used in combination to evaluate the risks to which specific vital records are subject and to produce a prioritized list of vital records for which protective measures are recommended.

Qualitative risk assessment is the simpler of the two approaches. It relies principally on group discussions involving knowledgeable persons. Qualitative risk assessment is particularly useful for identifying and categorizing physical security problems and other vulnerabilities. A risk assessment team or committee, preferably led by a records manager, identifies and evaluates the dangers to specific vital records series from catastrophic events, theft, misfiling, or other threats.

A qualitative risk assessment is usually based on a physical survey of locations where vital records are stored, combined with a review of security procedures already in place. Among items the risk assessment team may consider are geophysical and political factors; reported problems with destruction or loss of records; number and types of employees who have access to records; records handling procedures that may result in damage to or loss of records; physical security, building construction, and access controls in records storage areas; the proximity of records storage areas to laboratories, factories, or other facilities that contain flammable materials or hazardous substances; availability of fire control apparatus and fire department services; and ability to reconstruct recorded information through backup procedures or other methods.

Although the nature and frequency of destructive weather, misfiles, theft of records, or other adverse events are examined and evaluated, qualitative risk assessments do not estimate their statistical probabilities or the financial impact of resulting losses. Instead, consequences and probabilities are evaluated in general terms. Consequences associated with the loss of specific records series, for example, may be categorized as devastating, serious, limited, or negligible. Similarly, the likelihood of significant information loss associated with specific threats may be described as very low, low, medium, high, or very high.


COPYRIGHT 2005 Association of Records Managers & Administrators (ARMA) Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.
Copyright 2005, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.
NOTE: All illustrations and photos have been removed from this article.

