Wednesday, May 4, 2011

Decrease Organizational Risk

Decrease Organizational Risk, or Risk Paying Out Money

by Joseph Andrew Settanni, CRM, CPC
and Smith County, TX RMO/Director of Record Services


Risk can be defined and has been defined in many ways. One, perhaps, effective way to give it a kind of needed definition is to observe that risk normally exists as the perceived extent of possible loss, when noted, under various conditions and circumstances of that loss.

Admittedly, it is, also, the normal case that different people will, on average, have different views or opinions of the exact or assumed impact of a particular risk, at a particular time, and under various circumstances that might or might not exist. Yet, some good risk consciousness raising may help.

On the other hand, it can be also said that many objectives can only be realized by being prepared to accept at least some valid risk. In many cases, if risk can be correctly managed effectively, possible positive opportunities can then be obtained and successfully exploited or properly utilized.


Risk, whether always consciously realized or not, is naturally generated by every decision that is made by an individual, organization, or, for that matter, even an entire society; as a fair consequence, it is not unpredictable that it is normally beneficial for individuals, organizations, and, perhaps, governments to try to become increasingly proficient concerning the work to be done.

As beauty has been said proverbially to be in the eyes of the beholder, thus, in an analogous sense, what may appear to be a small or minor risk for one person may yet have the potential to fully devastate or destroy the very livelihood of someone else being made the subject of a risk or risks.


And, that rather important, though often overlooked, point is something to really think about a while, concerning human nature, if nothing else. Of course, it is impossible to avoid all risk. (But, at the risk of being too long winded, I will now start at what is probably the best beginning, for this kind of risky talk.)


RISK ANALYSIS

One way, according to the experts in this field, of attaching a practical and tangible price tag, a dollar value, to the consideration of a given risk has been the following equation:

Risk = Probability of Event x Cost of Event

So, for instance, suppose a tornado hitting a power plant is judged to be a 4 out of 10 chance, on a 1 to 10 scale of what could reasonably happen at a particular time if weather conditions are rotten on a certain day; this simply yields the number 4.

If the company’s insurance agency has, e. g., legally stated in writing that it would cost at least $10,000,000.00 to rebuild that particular power plant, then the calculation is to be presented as follows:

4 x $10,000,000.00 = $40,000,000.00, a risk factor that the company ought, therefore, to realize is a matter worth considering, both economically and otherwise.


The firm may not be able to sustain such a financial loss that could be catastrophic and lead to the closing of the business, especially if full insurance coverage cannot be obtained, without paying truly exorbitant (or confiscatory) premiums.

So, it can be very practical and useful to think seriously about the degrees of the likelihood of particular events, as to their probable or possible occurrences, and then to multiply such a factor by the perceived or fairly known economic cost, if it should happen; that calculation will, therefore, equate to yielding a sense of what the risk is that ought to be made consciously known to any organization, whether public or private.

It is a fair and useful means of properly trying to compare various kinds of risks, in a more objective manner, rather than to have just different people, with different opinions, trying to merely guess at things. So, decision making can proceed with a certain degree of confidence, as to efforts at analyzing risk in a successful manner, which then yields some fairly tangible results, for either private businesses or public/governmental entities.

Formal and detailed risk analysis must, as its first stage, critically and carefully identify the wide variety and kinds of human and natural threats; risk analysis thus usually becomes synonymous with threat analysis, of course.

There are, fortunately, just really 10 basic classifications or categories of threats, meaning when all such matters or issues are, thus, finally thought out toward their most outer limits, as to what may possibly or probably happen to increase or create levels of (unwanted) risk. In a study of the vast literature, many different professional Risk Analysts, of course, can prefer, e. g., fewer categories by which diverse areas of possible threats are more consolidated.

To make, one hopes, matters more understandable, however, the choice was to have more rather than less headings for things to think about; and, people are free to give many more possible examples than have been covered. They are not, moreover, listed here in any particular order of importance, though some experts have attempted, of course, to try to prioritize the different categories, as to some sense of either real or relative importance. The bottom line of real monetary loss seems to be the major issue.


These ten presented groups of matters to carefully think about can, usually, be categorized as: human, operational, procedural, natural, project, technical, reputational, financial, political, and other threats, dangers, or risks.


1.) Human Threats

People can often be the jokers in the deck; individual persons and even entire organizations of people can come to adversely affect a company or agency, as can matters involving simple illness, death (including suicide), theft, vandalism, violent behavior at the workplace, bomb threats, arson, divorce, etc.; human beings can be perverse and are, thus, not always conveniently predictable.

2.) Operational

Many things can happen during the course of a day, from a disruption, e. g., to needed supplies or basic operations to a loss of needed access to vital or essential corporate assets; other problems in this area of concern certainly cover failures in the distribution of products or a halting of services rendered, though the long list of operational difficulties that could heighten organizational risk could easily be extended.

3.) Reputational

This one sounds, at first, too abstract or rather hard to define, until a word of mouth campaign starts that can have an ultimately devastating impact upon a company or agency, whether public or private; an aggrieved former partner of a firm could initiate the “dirty word” campaign or an expensive lawsuit, or both; falling stock prices could damage employee confidence, with some of the best or better personnel thinking about or planning to get out while the getting is still good; there may also be extended damage to the reputation of the company in the business market itself, with reverberating consequences for possibly years or decades to come, if the business survives that long.

4.) Procedural

Neither people nor organizations work perfectly; under various uncontrolled or unforeseen circumstances there can be, and often are, notable failures of corporate or individual accountability, where no one person is willing to take necessary major responsibility for a project or activity; internal systems and controls, if not monitored properly or consistently, can fail and increase or create risk; flaws in an organizational structure may not be clearly perceived until some significant stress occurs; another factor, e. g., could be the unwanted element of perpetrated fraud.

5.) Project Risk

Not all projects, of course, can be guaranteed to be free of major or, perhaps, ultimately damaging cost over-runs; jobs may simply take too long to finish versus the plan; inadequate or insufficient product or service quality may prevail, if quality assurance has not been officially insisted upon as a necessary and logical part of the process. The team leader of a project might, e. g., become seriously ill or suffer a nervous breakdown.

6.) Financial

There can be, at some unknown or, perhaps, fairly predictable time, business failure; the boss of a company may decide, at a particular point in time, that enough money, time, effort, etc. has been invested with no appreciable result; monetary losses may be cut by cutting many company jobs; the stock market could crash; interest rates could soar rapidly well beyond the firm’s capacity to pay off multiple loans; an embezzlement, if the firm is not properly bonded or insured for it, could easily bankrupt the organization.

7.) Technical Risk

Significant and, eventually, overwhelming competition may come from a new entrant in one’s trade or industry sector who very successfully leverages new technology to gain a great advantage; there can be a technical failure at a corporation, by which the firm’s computer engineers find out, too late, that they are not able to develop the critical computer architecture needed to finish a project.

There may be informational flaws discovered in purchased technical manuals that end up heightening the failure rate of the finally produced product(s). And, of course, the ever prevalent computer hackers and cyber terrorists exist, along with many old and ever newer computer viruses.

8.) Natural

As ever, the weather can be unpredictable, and threats from tornadoes, wildfires, floods, hurricanes, wind storms, etc. can be quite devastating; the possibility of earthquake fault zones becoming active is a geographical risk factor, just part of the natural order of natural disasters. In addition, one can consider the effects of diseases; also, some account must be taken of the possibility of mere accidents, some of which may be unavoidable or almost so, under various circumstances.

9.) Political

During times of economic crisis, political risks can arise from such matters as previously unexpected changes in tax regimes or rates, or fast shifts in public opinion either toward or away from some once supposedly settled issues; government policy decisions could force private and/or public organizations and institutions to abide by a plethora of new codes, rules, or regulations; acts of foreign countries concerning trade agreement disputes could disrupt needed supplies of overseas goods or products.

10.) Others

Besides risk factors that can be, either directly or indirectly, tangible or, perhaps, fairly quantifiable in some way, shape, or form, there still must be taken into account what may be here called the “x factor” or something presently unknown; living in an imperfect world with imperfect people has its consequences; thus, risk analysis or assessment must be both an ongoing art and science, not just one or the other.

Just to give a wild “for instance,” a large enough meteorite could directly, by chance, hit a critical component at the local power plant near one’s business, ... so, then, calculate that risk.

These ten explicated and discussed areas of risk should more than merely suggest why needed threat analysis is so truly important, for any organizations or corporations of whatever size. It can be easy for many people to overlook various factors due, e. g., to just plain ignorance by not having the knowledge or, perhaps, the unfortunate assumption that nothing much should be done anyway because too many things could go wrong for too many reasons.

And, that latter point of view is, of course, also a risk.


However, there is a way of mentally encompassing the requisite thinking about all the possible risks covered, by using a number of different avenues of thought or analytical approaches to the topic of risk, of threat analysis/assessment.


Risk/Threat Analysis Can Proceed as Follows: 4 Steps

1.) One can, as the first exercise, think through all the 10 areas of potential risk that have been now presented and try to see if some, any, or most might somehow or other apply to one’s own firm, institution, or agency. (Hint: Be honest, … at least with yourself.)

2.) Next, carefully consider the existence, nature, and realities of the systems, organizations, or structures being actually operated, and then analyze, thoroughly, the delineated risk areas to see if any really match up, with what actually exists at your institution or corporation.

3.) Having then properly done the suggested good review and with much studied reflection upon it, try hard to find out and critically assess if there are any vulnerabilities or weak points existing, within any institutional or corporate systems, subsystems, or structures, either in their entirety or any parts thereof.

4.) As a most useful external check and to gain valuable different perspectives, go ask other people within or, perhaps, beyond your own organization/firm for any possible further insights, though, perhaps, it too might be a bit risky to do so.


In any event, there should be no doubt that business risk must be something to be, thus, estimated as carefully and critically as may be possible and feasible. Once various and sundry threats/risks have been thoughtfully identified, a good next means of dealing with this matter is to consider rationally the probable likelihood of particular threats being so realized and, then, assess the related impacts that could be fairly expected.

As can by now be recognized, almost everything that people do in the modern world of both commerce and the public corporate arena will, sooner or later, involve, directly or indirectly, levels or degrees of risk of some kind. It has been well pointed out by professionals in this field of study that, as an example, customer habits can change, sometimes rapidly.

For the private sector, new competitors can appear; and, also, for both the for-profit and not-for-profit worlds, there can be and often are a literal multiplicity of various factors that either directly or indirectly are beyond effective control that could, for instance, delay or harm a project or function of an agency or corporation.

In many ways, realistically speaking, a great deal of risk naturally exists wherever there is an effort to do more and more things, since that logically multiplies the factors that can potentially hinder achievement.

And yet, the purpose of doing formal risk assessment and risk management can substantially assist to achieve rational and useful ways for being able to consider risks and then, moreover, to properly decide what good actions can be taken to at least minimize disruptions, for instance, to any possible plans that may have been made.

In addition, when these matters are put into right perspective, risk analysis and management will help an organization and its professional information management staff to decide whether the strategies chosen to be used will substantially control risk and be, in addition, cost effective as well.

In the data/records-intensive environment of the modern world, risk analysis, risk management, and risk mitigation should be seen to be important, especially in the specific context of having a comprehensive records and information resources management program in place, for it is critical to the success of any progressive organization, whether private or public in nature.


RIRM and Risk Considerations

The right records and information resources management (RIRM) program, by treating information as a truly valuable corporate resource, guarantees the security and accessibility of paper and electronic documents, along with rationally saving space and labor costs in the process; this is by both more correctly and rationally organizing institutional or corporate information more efficiently and effectively. Increasingly, therefore, it ought not to be that surprising that important and logical considerations of risk, as with, e. g., identity theft worries, have been quite topical and in the news lately.

Additionally, in today's world of quite stringent regulatory requirements, extensive privacy legislation, Sarbanes/Oxley rules and, of course, much increasing litigation, the matters of risk management, analysis, and mitigation concerns and records management programs must both help to keep a company or agency, whether a private or public entity, fully compliant, while, also, reducing the risk and cost of litigation.

Nonetheless, this ought to be still accomplished, it should be noted, without terribly or significantly impacting the corporate, the institutional, ability to deliver a regularly high level of service to both internal and external customers.

For any RIRM program to be more fully effective, therefore, it has to be a daily priority across the entire enterprise, as with related concerns for instituting and carrying on Enterprise Content Management. Whether consciously realized or not, the matter of risk, under various names, has been one of the biggest RIRM challenges for at least the last 40 years or longer, though, perhaps, not always explicitly so.

It should be understood, however, that part of the data, information, or records control challenge is seen usually in time constraints and often a lack of expertise concerning proper and appropriate calculations of risk; this is then, of course, necessarily inclusive of risk analysis, management, and mitigation.

Concern for this matter pertaining to risk and its implications ought to be facilitated through the ongoing RIRM program, policies, practices, and records system and subsystems at each level of the organization and across all business units as well; there must be, moreover, both a holistic and synergistic approach to considerations of risk and, furthermore, various degrees of risk that should be properly accounted for by any institution.


How RIRM can Incorporate Risk Considerations

In today's business environment, one can readily perceive the increasing importance of privacy legislation, increasing regulatory scrutiny, the growing frequency of litigation, as well as, e. g., the quite common paper records storage constraints and the escalating costs of keeping too much paper; these are just a few of the important factors that have certainly made good RIRM practices an essential feature of any modern and enlightened institution.

It really needs to be critically added, furthermore, that this is a clearly and quite rapidly changing environment that has, definitely and unquestionably, presented new records management challenges for almost every institution, whether public or private.

Risk management, along with information governance, compliance with regulatory authorities, and the seeking out of applying correct best practices to the work being done, can be added in with records management tasks and activities; these can encompass the development and application of improved records retention strategies; the strengthening of the security of vital client records through digitization and encryption capabilities must go forward.

Also, there can still be the matter of distinguishing those records that need to be kept in original paper format for any extra, wanted, or special evidentiary needs, and such a matter, for instance, as making the use of e-records more palatable to older people.

To aid with those and a myriad of other records-related matters, professional records and information managers ought to be actively involved in, e. g., guiding the appropriate design of a retention strategy that will simultaneously reduce storage costs and, in addition, the risk of non-compliance, by identifying an appropriate records retention schedule (RRS), as well as vital or essential RRS, as a logical part of a holistic and synergistic RIRM program with its systems and subsystems.

It may be necessary, e. g., to still coordinate the design of a digitization program that fully considers the requirement for parallel maintenance of microform or paper versions of certain vital records, since during a power failure machine-readable records may not be as accessible. Records managers can seek to restructure information capture, with the cooperation of IT personnel, so as to make the proper usage of the information in the electronic format increasingly more user friendly.

Also, there may be a rational need for possibly upgrading a records system for better classifying records that are to be only stored offsite, which can lead to improved usage on the part of the concerned employees. Substantial and substantive improvements, directed by the RIRM approach, can help to reduce instances of other considerations of risk involving legal, corporate governance, and compliance concerns. Some legal concerns can now be addressed.

Litigation Risk

During the process of litigation, prosecutors can, of course, request all extant information that applies to a case. When a legal hold order or its equivalent is issued, defendants, therefore, must produce the records that exist, even if those records were eligible for destruction. But, those records that have already been purged and destroyed, according to a legal, published records retention and disposition schedule, need not ever be presented by the defense.

Hence, one ought to know that it really can be as extremely important to always get rid of all unneeded records, as it is, also, to appropriately keep those that are yet required according to a company’s RRS.

Often, however, legal counsel will still ignorantly recommend keeping all corporate records forever, thinking it will supposedly provide a guaranteed safety net for their clients; however, this highly absurd approach is, increasingly, being easily discredited because, among other important reasons, the cost of producing records for litigation is high and not without risk.

No corporation should have to enjoy the experience of being prosecuted by use of its own subpoenaed records; a “litigation safe” organization ought, thus, to be a both requisite and logical corporate goal. Court cases can get nasty, and expensive.

During what’s called the discovery process, records, consequently, must be found, evaluated, redacted, and presented; the work, furthermore, must all be properly done, but within a typically tight schedule. And, turning company or institutional records over to any hostile claimants necessarily carries risks with such an action: not only from sharing any real or potentially legally damaging information, but also from, perhaps just accidentally, leaking competitive or otherwise normally privileged information.

As professional records and information managers know, correctly retaining only those records that are deemed necessary, meaning when in accordance with legally established and published RRS, greatly lowers these risks and, furthermore, saves real money. And, all that makes compliance much easier.

Compliance Risk

Worldwide, it is readily known that government regulation of business grows almost daily, especially because of transitions into social-market economies, as in Western Europe. The US Congress, in addition, continues, decade by decade, to raise penalties for noncompliance, while also increasing the number and power, range and influence, of the always growing bodies of regulators.

What has been critically called the rise and progression of the modern Regulatory State is not a piece of fiction; just go to look at, e. g., the most recent edition of the CFR as a set of printed volumes. It is not entirely illogical, therefore, that many sectors of industry and commerce certainly feel a new urgency to strongly address their ever expanding and increasingly complex compliance risk.

At a minimum, few firms want to pay extremely costly fines and, furthermore, endure the often accompanying negative publicity and ignominy, unless, however, this proves less expensive than the implementation of proper risk management. Some corporations, as could be guessed, seem to enjoy paying relatively small fines versus having to deal with any future and possibly out-of-control litigation, concerning the recognized existence of an ever increasingly litigious society in this country.

Unfortunately, in terms of the full range of risk considerations, it is not sufficient to simply comply with all sorts and kinds of apparently applicable regulations. Progressive and informed firms/institutions still need to effectively and efficiently prove their compliance to increasingly stern and often unforgiving regulators. It can be, therefore, so obviously added that properly and coherently establishing and maintaining this requisite proof requires the existence of records, especially authenticated records, backed by RRS.

The absence of a comprehensive RIRM program, as could be guessed by now, puts an organization at serious risk, regardless of how otherwise presentable its observed practices may, on the surface at least, seem to be.

In sharp contrast, however, it has been notably said that when records are both appropriately and professionally managed, just a few computer keystrokes may simply generate reports that easily satisfy often inquisitional regulators and then let them, therefore, just move on more quickly to investigate the less organized, less professional, and, thus, more ill-prepared targets. And, risk management can, of course, substantially help to control both possible compliance dangers and today’s ever present legal dangers.


RISK MANAGEMENT

Risk management both creates and protects value and needs to be understood and comprehended correctly as an integral part of all organizational processes and linked directly to decision making activities; the nature of such management explicitly addresses uncertainty and is, thus, to be always totally systematic, structured, and timely, as to its always vital corporate applicability.

It is, in addition, based on the best available information, when effectively implemented and tailored to corporate needs and practices, by properly taking into account a wide variety of human and cultural factors and by, also, being both transparent and inclusive, in its notably forever proactive approach.

Effective and efficient risk management must remain creatively dynamic, iterative, and very adaptively responsive to the reality of change and, furthermore, it necessarily facilitates continual improvement and progress of the organization, by its very nature and existence, as being a good source and rational means of intelligent management, of course.

The short and long-term enormous financial benefits to both having and intelligently practicing risk management ought, therefore, to be quite empirically obvious and, thus, without much of a need for an elaboration or defense of it.

Risk management can usefully be also known as risk avoidance. Once there has been carefully thought out the matter of the value of the risks being confronted, it is then possible to look at the known and usually effective ways of managing such risks or dangers.

But, as a cautionary note, it is important when doing this to try to so properly choose cost effective approaches, meaning in most cases; what is really meant is that, logically and rationally speaking, there is no sense or point in spending more to eliminate a possible risk than the probable actual cost of the event, should it occur.

NOTE: The use of basic common sense, which often does not appear too common, ought to be exercised regularly, so as to avoid assuming too many monstrous possibilities happening simultaneously on a “bad hair” day. As a general rule, be reasonable and, therefore, do not multiply a great number of possible variables well beyond any rational need to do so. Being too extremely risk averse, especially over minor matters, could lead, perhaps, to some sort of paranoia.

It very well may be the usual or simple case, often, to just accept the risk, meaning instead of utilizing an excessive or resultantly disproportionate amount of corporate or organizational resources to eliminate it; hint: please don’t smash the fly with a sledge hammer. The resulting cost is (probably) not worth it. In reiteration, therefore, seek to be reasonable and, of course, just use some common sense; it is not too risky to be reasonable.
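The expected-loss formula from the Risk Analysis section and the cost-effectiveness rule just stated, worked through together as an added example that is not part of the original article. Threat names, probabilities, dollar figures and controls are constructed sample values; probability is taken as a fraction of the planning period (the 4-out-of-10 tornado chance becomes 0.4) rather than the 1-to-10 scale used above.

```python
"""Expected-loss ranking and cost-effective mitigation screening.

Constructed example of the two rules in the text: Risk = Probability of
Event x Cost of Event, and never spend more to remove a risk than the
probable cost of the event.  Every threat, probability, dollar figure and
control below is a made-up sample value, not data from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    category: str        # one of the ten categories discussed in the text
    probability: float   # chance the event happens in the planning period, 0.0-1.0
    cost: float          # dollar cost if it does happen

    def risk(self) -> float:
        """Risk = Probability of Event x Cost of Event (the expected loss)."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be between 0 and 1")
        if self.cost < 0:
            raise ValueError(f"{self.name}: cost cannot be negative")
        return self.probability * self.cost


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                   # what the control costs over the same planning period
    probability_reduction: float  # share of the event probability it removes, 0.0-1.0


def rank_threats(threats: list[Threat]) -> list[Threat]:
    """Order threats by expected loss so unlike risks sit on one comparable scale."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)


def evaluate_control(threat: Threat, control: Control) -> dict:
    """Apply the cost-effectiveness rule to one proposed control.

    Residual risk keeps the same cost-of-event at a reduced probability.  The
    control is worth implementing only if the risk it removes exceeds its own
    cost; otherwise the rational choice is to accept the risk.
    """
    if not 0.0 <= control.probability_reduction <= 1.0:
        raise ValueError(f"{control.name}: reduction must be between 0 and 1")
    before = threat.risk()
    residual = threat.probability * (1.0 - control.probability_reduction) * threat.cost
    risk_removed = before - residual
    net_benefit = risk_removed - control.cost
    return {
        "threat": threat.name,
        "control": control.name,
        "risk_before": before,
        "risk_after": residual,
        "risk_removed": risk_removed,
        "control_cost": control.cost,
        "net_benefit": net_benefit,
        "decision": "implement" if net_benefit > 0 else "accept risk",
    }


# Constructed sample register; the first entry mirrors the tornado example.
SAMPLE_THREATS = [
    Threat("Tornado destroys power plant", "natural", 0.4, 10_000_000.00),
    Threat("Embezzlement by an unbonded clerk", "financial", 0.02, 2_500_000.00),
    Threat("Vital paper records lost to a flood", "operational", 0.10, 300_000.00),
    Threat("Fly in the break room", "other", 1.0, 5.00),
]

# Constructed controls, one per threat; the last is the sledgehammer for the fly.
SAMPLE_CONTROLS = {
    "Tornado destroys power plant": Control("Storm hardening of the plant", 1_500_000.00, 0.50),
    "Embezzlement by an unbonded clerk": Control("Fidelity bond plus dual sign-off", 20_000.00, 0.90),
    "Vital paper records lost to a flood": Control("Offsite microform copies", 12_000.00, 0.90),
    "Fly in the break room": Control("Sledgehammer", 50.00, 1.00),
}


def screen_register(threats=SAMPLE_THREATS, controls=SAMPLE_CONTROLS) -> list[dict]:
    """Rank the register by expected loss, then screen each threat's proposed control."""
    return [evaluate_control(t, controls[t.name]) for t in rank_threats(threats)]


if __name__ == "__main__":
    for row in screen_register():
        print(f"{row['threat']:<38} risk ${row['risk_before']:>13,.2f}  "
              f"{row['control']:<34} net ${row['net_benefit']:>12,.2f}  -> {row['decision']}")
```

The sledgehammer row comes out as "accept risk" because the $50 control removes only $5 of expected loss, which is exactly the disproportion the text warns against.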

Nonetheless, there is a certainty that risk may be properly managed, in a number of practical ways; for the sake of brevity, only three typical ways will be here suggested. They intelligently encompass: the use of existing organizational or corporate assets, acts of useful contingency planning, and the wise or practical investment in new resources to handle various risk situations, potential or anticipated.

Existing assets can often be utilized effectively to fight against risk or threats; this could cover the use of any currently existing methods and systems as with, for instance, any updating or modernizations added to an institution’s RIRM program to heighten its level of capabilities or capacities for additional activities; the corporation’s essential/vital records protection program could be, e. g., totally reevaluated to then consider possible improvements and additional safeguards against any possibly new threats.

Changes in organizational responsibilities could be made by which, e. g., the RIRM function would be transferred from the Corporate Counsel, the Legal Department, to, perhaps, be positioned under the CTO’s purview or, perhaps, vice versa, or then some other such transfer might be done.

Through the proper application of intelligent contingency planning, there can yet be a decision made to accept a risk. However, the related choice would have to be to develop a plan to substantially reduce or minimize the effects of the risk, if and when it may happen. Sometimes, in business, risk is unavoidable, including a great risk to the safety or future of an organization, though it might be, perhaps, a great opportunity in disguise that ought to be exploited, not avoided.

A good contingency plan, being in place, will normally permit effective action to be taken immediately; this is with, moreover, the basic minimum of substantial and substantive project control, if someone then ends up in a (major) crisis management situation.

Research can be done, in addition, on the naturally allied matters of BCP (Business Continuity Planning) or BCM (Business Continuity Management), as well as disaster recovery/contingency planning, of course. The hope is that risk management may reduce the burdens of a possible crisis management, if a truly catastrophic disaster might occur.

As an added means of managing risk, there is the matter of choosing to invest in new resources, if other possibilities do not mostly or totally satisfy the reasonable requirements of handling or trying to avoid threats and their often baleful consequences. A question may be: Are additional resources or means needed, therefore, based upon the risk analysis/assessment that had been reasonably made?

There may be a way of transferring the risk, doing a risk transfer, by purchasing additional amounts of insurance coverage well beyond just a basic “umbrella policy,” as it is usually, thus, called.

Because of, e. g., a fairly imminent, looming, and basically known kind of catastrophic threat that is so easily seen on the business horizon, it may, thus, very well be worth it to pay much higher insurance premiums; this would be in anticipation of a genuine crisis, as a way of avoiding a substantial risk, that the corporation could then become fully insolvent, meaning by an uninsured disaster of a potentially overwhelming magnitude.

What is called Enterprise Risk Management (ERM) attempts to reach the highest understanding of the needs of the entire organization, considered holistically, as a means of implementing strategic management, especially at the corporate officer level. Good ERM must, therefore, incorporate appropriate risk mitigation practices.


RISK MITIGATION

This part of the triad under discussion encompasses the adoption of proper standards and best-practice models such as GARP, ISO 15489, ISO/IEC 27001, DoD 5015.2-STD, etc. Only some of these will be discussed in detail.

One can also go to the ARMA International website and look through many others; the ISO and ANSI websites offer still more standards for attaining best practices in corporate information governance, compliance, corporate governance, and litigation safety.

It is also good to know about COSO, the Committee of Sponsoring Organizations of the Treadway Commission, which is dedicated to providing thought leadership and guidance on internal controls, enterprise risk management (ERM), and fraud deterrence; it is mentioned here only as a side note. (See the handout.)
Hours of talk are not available today, so no comprehensiveness is attempted.

As with risk analysis and risk management, only an overview can be presented. Some attention will be paid first to the international Information Security Management System standard because it is rarely discussed, even among records managers.

Since this is largely unfamiliar material, it will be covered first and in some detail, as a most useful risk mitigation tool to consider.

ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an Information Security Management System (ISMS) standard, published jointly in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

[ISO/IEC 27001 descends from BS 7799, a standard first published by the BSI Group in 1995, written by the United Kingdom Government's Department of Trade and Industry, and consisting of several parts: Part 2, the ISMS specification, became ISO/IEC 27001, while Part 1, the code of practice, became ISO/IEC 17799, discussed below.]
ISO/IEC 27001 formally specifies a management system intended to bring all aspects of information security under explicit management control. Being a formal specification, it mandates specific requirements that an implementation must meet.

Because it is a formal specification, any organization that claims to have adopted ISO/IEC 27001 can be formally audited against it and certified compliant by an accredited certification body. A failed audit, as can be imagined, is not a good thing.

Most larger and complex organizations already have a number of information security controls. Without an ISMS, however, those controls tend to be disorganized and disjointed, having been implemented as point solutions to specific situations or simply as a matter of convention. Maturity models classically call this preliminary stage "ad hoc".

The more prosaic security controls in operation characteristically address parts of IT or data security, but not non-IT information assets such as paperwork and proprietary knowledge; those corporate assets are, not surprisingly, less well protected on the whole.

ISO/IEC 27001 explicitly requires that management systematically examine all of the organization's information security risks, taking account of the threats, vulnerabilities, and impacts; and that it design and implement a coherent, comprehensive suite of information security controls and/or other forms of risk treatment (which can include risk avoidance or risk transfer) to handle those risks deemed unacceptable.

The final requirement is the adoption of an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on a sustained, ongoing basis.
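As an added example (not part of the original talk, and not text from the standard), the following Python sketch applies the risk-treatment logic just described to a small risk register: each risk is scored, compared against an acceptance threshold, and checked for a recorded treatment, a named control, and an acceptable residual risk. The likelihood-times-impact scoring, the 1-to-5 scales, the threshold of 6, the sample entries, and the Annex A identifiers used as control references are all assumptions for illustration; a real ISMS documents its own methodology.

```python
"""Added example: a minimal ISO/IEC 27001-style risk register consistency check.

Scoring (likelihood x impact on assumed 1-5 scales), the acceptance threshold
and the sample data are illustrative assumptions, not values from the standard.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# The four treatment options the standard names; labels are this example's own.
TREATMENTS = {"mitigate", "accept", "avoid", "transfer"}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                      # assumed scale: 1 (negligible) .. 5 (catastrophic)
    treatment: Optional[str] = None  # one of TREATMENTS, or None if not yet decided
    controls: List[str] = field(default_factory=list)  # Annex A ids, policies, contracts
    residual_likelihood: Optional[int] = None          # after treatment, if estimated
    residual_impact: Optional[int] = None

    def score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


def review_register(register: List[Risk], accept_at_or_below: int = 6) -> List[str]:
    """Return findings; an empty list means the register is internally consistent.

    Assumed rules, mirroring the text above:
      - a risk above the threshold needs a recorded treatment;
      - 'mitigate' and 'transfer' must name at least one control or contract;
      - after treatment the residual score must be at or below the threshold;
      - 'accept' above the threshold is allowed but flagged for management sign-off;
      - 'avoid' removes the activity, so nothing further is checked.
    """
    findings: List[str] = []
    for r in register:
        tag = f"{r.asset}/{r.threat}"
        if r.treatment is not None and r.treatment not in TREATMENTS:
            findings.append(f"{tag}: unknown treatment '{r.treatment}'")
            continue
        if r.score() <= accept_at_or_below:
            continue  # within appetite; no treatment required
        if r.treatment is None:
            findings.append(f"{tag}: score {r.score()} exceeds threshold but no treatment recorded")
        elif r.treatment == "accept":
            findings.append(f"{tag}: score {r.score()} accepted above threshold; needs management sign-off")
        elif r.treatment in ("mitigate", "transfer"):
            if not r.controls:
                findings.append(f"{tag}: '{r.treatment}' recorded but no control or contract named")
            if r.residual_score() > accept_at_or_below:
                findings.append(f"{tag}: residual score {r.residual_score()} still above threshold")
    return findings


def sample_register() -> List[Risk]:
    """Constructed sample data, not from any real assessment."""
    return [
        Risk("payroll database", "ransomware", "unpatched file server", 4, 5,
             treatment="mitigate", controls=["A.10.4.1", "A.10.5.1"],  # assumed Annex A refs
             residual_likelihood=1, residual_impact=5),
        Risk("paper personnel files", "flood", "basement storage", 2, 4,
             treatment="transfer", controls=["property insurance policy"],
             residual_likelihood=2, residual_impact=2),
        Risk("public web site", "defacement", "weak admin password", 3, 3),  # undecided
        Risk("visitor log", "loss", "kept at unattended desk", 2, 1),        # within appetite
    ]


if __name__ == "__main__":
    for line in review_register(sample_register()):
        print(line)
```

Run as a script, the sample register yields exactly one finding: the web site risk scores above the threshold but has no treatment recorded. The check is deliberately about bookkeeping, not technical effectiveness, which is the same distinction a certification audit makes.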

Note, however, that technical security controls, such as antivirus and firewalls, are not normally tested in depth in ISO/IEC 27001 certification audits. The organization is presumed to have adopted the necessary controls because the ISMS is in place and is judged adequate by satisfying the standard's defined requirements: the auditor checks that risks were assessed and that the selected controls are recorded in the Statement of Applicability and implemented, not that each control is technically effective. A penetration test or configuration review is a separate exercise.

Furthermore, management determines the scope of the ISMS for certification purposes and may limit it to a single business unit or location. As an important limitation, the ISO/IEC 27001 certificate therefore says nothing about whether the rest of the organization, outside the scoped area, has a satisfactory approach to information security management. When relying on a vendor's certificate, read its scope statement.

An ISMS may be certified compliant with this standard by any of a number of accredited registrars worldwide. Certification against any of the recognized national variations of the standard by an accredited certification body is functionally equivalent to certification against ISO/IEC 27001 itself.

As a concluding point, this certification, as with other ISO management system certifications, usually involves a three-stage audit process: a preliminary review of the ISMS documentation, a detailed compliance audit of the implementation, and follow-up surveillance audits to confirm that the ISMS remains in operation.


GARP Explained

The next risk mitigation tool is one that records professionals should be fully conversant with: the Generally Accepted Recordkeeping Principles (GARP), made official by ARMA International in 2010. The records management profession is now guided by GARP, a parallel to GAAP, the Generally Accepted Accounting Principles used by CPAs.

GARP is a rigorous, professionally devised outline for managing records in a structured way, one which upholds, across seven areas, an organization's immediate and future

• regulatory,
• compliance,
• governance,
• legal,
• risk mitigation,
• environmental, and
• operational requirements.


All ARMA members should, therefore, willingly preach the "gospel" of GARP to their institutions without hesitation, as a very good way of reducing many organizational risks, if it is fully implemented. http://www.arma.org/


As ought to be well known, GARP has eight basic principles, all interrelated, for creating disciplined records management best practices and the associated information governance best practices:

Principle of Accountability - An organization shall assign a senior executive who will oversee a recordkeeping program and delegate program responsibility to appropriate individuals, adopt policies and procedures to guide personnel, and ensure program auditability.

Principle of Transparency - The processes and activities of an organization’s recordkeeping program shall be documented in an understandable manner and be available to all personnel and appropriate interested parties.

Principle of Integrity - A recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability.

Principle of Protection - A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity.

Principle of Compliance - The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.

Principle of Availability - An organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information.

Principle of Retention - An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements.

Principle of Disposition - An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by laws and organizational policies.


The GARP principles were developed in 2010 by ARMA International with the assistance of legal and IT professionals, who studied and extracted global best-practice resources. These covered the international records management standard ISO 15489 from the International Organization for Standardization, other standards from the American National Standards Institute, and applicable case law.

The principles were also scrutinized through a public call-for-comment process encompassing the professional records and information management community, to better ensure the universality of their conception and formulation.

ARMA International has also developed a GARP Maturity Model, giving detailed information on how fully a company can implement and adopt this still relatively new records management standard.

Six more standards will now be covered briefly, because it is good to know about them, and some may be applicable, more or less, to particular situations at different institutions.

Of course, the websites of ARMA, ISO, and ANSI can be consulted in support of this discussion.

*****

[The following is copied from the ARMA website: "The first step to determining whether your records management program is an asset or potential liability is to conduct a self-assessment. To assist you, ARMA International, in conjunction with NetDiligence, has developed an online assessment solution.

This Web-based tool allows you to assess and document your records management program against ARMA-interpreted best practices in the spirit of ISO 15489, the international records management standard. The standard is recognized worldwide as establishing the baseline for excellence in records management programs." See: http://www.arma.org/standards/eassessment.cfm]


*****

ISO 31000
ISO 31000:2009 is the International Standard on Risk Management. It was originally based upon AS/NZS 4360, the Australian/New Zealand risk management standard first published in 1995 and revised in 1999 and 2004. ISO 31000 provides a generic framework for establishing the context of, identifying, analyzing, evaluating, treating, monitoring, and communicating risk.

Anyone intent upon getting heavily into risk management, especially at the top corporate level, ought to get it and read it through; fortunately, it is only a few dozen pages, which is unusually brief for an ISO standard.


ISO 15489
This is the International Standard for Records Management, issued on September 15, 2001, by ISO, headquartered in Geneva, Switzerland. It gives recordkeeping practitioners worldwide a publicly recognized benchmark for excellence in modern records management, and it is increasingly becoming the minimum standard for a best-practice model of modern business practices.
http://www.iso.org/

ISO 15489 is about more than attaining a basic benchmark of records management best practice; it is about a comprehensive, holistic methodology, the associated processes, and the resulting records management system, electronic or otherwise, for any organization, public or private.

ISO 15489-1:2001 Information and documentation - Records management - Part 1: General

ISO/TR 15489-2:2001 Information and documentation - Records management - Part 2: Guidelines (the implementation guide)

A third part covering electronic document and records management systems (EDRMS) has been proposed, perhaps as ISO 15489-3.



DoD 5015.2-STD, Design Criteria Standard for Electronic Records Management Software Applications

The current version of DoD 5015.2-STD, signed on April 25, 2007, defines the baseline requirements, based on operational, legislative, and legal needs, that must be met by records management application (RMA) products acquired by the Department of Defense (DoD) and its Components.

It defines requirements for RMAs managing classified records and includes requirements to support the Freedom of Information Act (FOIA), the Privacy Act, and interoperability.

Version 2 of DoD 5015.2-STD dates from June 2002 and is still made available for the information of vendors, developers, and users.



ISO 9000

The ISO 9000 standards are a set of international quality management system standards and guidelines. The term ISO 9000 refers to a group of quality management standards that are process standards, not product standards; they were originally introduced in 1987.
With registrations in 178 countries and over one million certificates, it is an extremely common standard across the modern business world. The United States adoption is designated ANSI/ISO/ASQ Q9001-2008.


ISO 23081

ISO 23081 sets a framework for creating, managing, and using records management metadata and explains the principles that govern them. It does not define a mandatory set of records management metadata to implement, since such metadata will differ in detail according to organizational or jurisdictional requirements.

NOTE: It does, however, assess the main existing metadata sets against the requirements of ISO 15489.

ISO 23081-1:2006 covers the principles; ISO 23081-2:2009 covers the conceptual and implementation issues involved in managing metadata for records. Interested people can compare this standard to the Dublin Core metadata element set, developed some years earlier.


ISO/IEC 17799:2005 Information Security Code of Practice

ISO/IEC 17799 is, within the security industry, the most widely recognized security code of practice. It is comprehensive in its coverage of security issues and contains a considerable number of control objectives and controls, some of them complex. Note that ISO/IEC 17799:2005 was renumbered ISO/IEC 27002 in 2007 to bring it into the 27000 family; the content was unchanged.

Compliance with this, or any detailed security standard, is far from trivial, even for the most security-conscious organizations. Note also that ISO/IEC 17799 is a code of practice, not a certification standard: an organization is certified against ISO/IEC 27001, whose Annex A draws its controls from 17799. Attaining that certification can be an intimidating task; one part of the work is risk analysis, the need to assess risks methodically before establishing appropriate security policies.

It establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management, with best-practice control objectives.

It specifies controls in eleven areas of information security management:

• security policy,
• organization of information security,
• asset management,
• human resources security,
• physical and environmental security,
• communications and operations management,
• access control,
• information systems acquisition, development and maintenance,
• information security incident management,
• business continuity management, and
• compliance.

As was mentioned earlier, the websites of ARMA, ISO, and ANSI can be consulted to learn about many more standards, which are practical, not just theoretical, efforts at adopting best practices in various fields.


Conclusion

In summation, risk as a business topic has been discussed, covering the need for risk analysis; the equation given for calculating risk should have helped to emphasize many of the points raised.

Remember the 10 areas of risk explicitly covered: human, operational, procedural, natural, project, technical, reputational, financial, political, and other threats or risks; it would be risky not to consider them.

The four risk analysis steps given should further assist in thinking coherently about the many possible threats cited. The value of RIRM for controlling organizational or corporate risks was also presented for consideration.

Next, the closely related topics of risk management and risk mitigation, the latter stressing GARP and a number of other standards, rounded out the overall picture.

For further research on risk, those interested can go to the blog made for this talk, which is indicated at the bottom of the last page of the handout.

A four-page bibliography, part of the talk, can be consulted there as a good start for that research, for those who would risk such an undertaking.



Bibliography

Articles:

Allen, Julia & Westby, Jody R. “Characteristics of Effective Security Governance.” Governing for Enterprise Security (GES) Implementation Guide (CMU/SEI-2007-TN-020). Software Engineering Institute, Carnegie Mellon University, 2007.

“Compliance and Risk Management in 2011: Key Concerns for Business” January 11, 2011 (discusses some compliance and risk management trends for 2011, focusing on privacy, the role of social media ...) www.corporatecomplianceinsights.com/2011/compliance-and-risk- management-in-2011-key-concerns-for-business/

Marks, Norman “Are We More Concerned With Addressing Obvious IT Risks Than Having Effective IT Risk Management?” March 29, 2011. www.cmswire.com/news/topic/risk

Moulton, Rolf & Coles, Robert. "Applying information security governance." Computers & Security 22, 7, Elsevier Ltd., 2003.

Nolan, Richard & McFarlan, F. Warren. "Information Technology and the Board of Directors." Harvard Business Review, October 2005.

Settanni, Joseph Andrew, “Integrating ERM, RIRM, ECM and Email Management Practices,” February 17, 2007, http://www.associatedcontent.com/ [includes considerations of risk management]

Settanni, Joseph Andrew, “Records and Intellectual Control: Business Information Considerations in a Digital Age,” April 13, 2010, http://www.associatedcontent.com/ [includes considerations of risk management]

Steven, John. "Adopting an Enterprise Software Security Framework." IEEE Security & Privacy 4, 2 (March-April 2006): 84-8

“Enterprise Risk Management Foundations,” by Suzanne, 28 Feb 2011, http://www.bionicturtle.com/

Tribbensee, Nancy E. "Liability for Negligent Security: Implications for Policy and Practice," Ch. 4, 45-57. Computer and Network Security in Higher Education. Edited by Mark Luker & Rodney Petersen. San Francisco, CA: Jossey-Bass, Inc., EDUCAUSE Leadership Strategies, 2003.

Westby, Jody, ed. "Roadmap to an Enterprise Security Program." American Bar Association, Privacy & Computer Crime Committee, Section of Science & Technology Law. American Bar Association, 2005.


Books:


Abkowitz, Mark D., Operational Risk Management: A Case Study Approach to Effective Planning and Response, 2008.

Alberts, Christopher & Dorofee, Audrey. Managing Information Security Risks: The OCTAVE Approach. New York: Addison Wesley, 2002.

Allen, Julia. Governing for Enterprise Security (CMU/SEI-2005-TN-023). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2005.

Barkley, Bruce, Project Risk Management, 1995.

Bowen, Pauline; Hash, Joan; & Wilson, Mark. Information Security Handbook: A Guide for Managers (NIST Special Publication 800-100). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, 2006.

Business Roundtable. Securing Cyberspace: Business Roundtable's Framework for the Future. Business Roundtable, May 2004.

Business Roundtable. Committed to Protecting America: CEO Guide to Security Challenges. February 2005 (released May 2005).

Caralli, Richard. The Critical Success Factor Method: Establishing a Foundation for Enterprise Security Management (CMU/SEI-2004-TR-010). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2004.

_________ . Managing for Enterprise Security (CMU/SEI-2004-TN-046). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2004.

_________ . Sustaining Operational Resiliency: A Process Improvement Approach to Security Management (CMU/SEI-2006-TN-009). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2006.

__________ ; Stevens, James F.; Wallen, Charles M.; White, David W.; Wilson, William R.; & Young, Lisa R. Introducing the CERT Resiliency Engineering Framework: Improving the Security and Sustainability Processes (CMU/SEI-2007-TR-009). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2007.

Carey, Mark. Enterprise Risk Management: How To Jumpstart Your Implementation Efforts. International Risk Management Institute, 2005.

CERT Resilient Enterprise Management Team. CERT Resiliency Management Model, v1.0. Software Engineering Institute, Carnegie Mellon University, 2009.

Chapman, Robert J., Simple Tools and Techniques for Enterprise Risk Management (The Wiley Finance Series), 2006.

Conrow, Edmund H., Effective Risk Management: Some Keys to Success, Revised, 2003.

Corporate Governance Task Force. Information Security Governance: A Call to Action. National Cyber Security Partnership, April 2004.

The Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management-Integrated Framework. Committee of Sponsoring Organizations of the Treadway Commission, September 2004.

Cortez, Anna, The Complete Idiot’s Guide to Risk Management, 2010.

Cox, Louis Anthony, Risk Analysis of Complex and Uncertain Systems, 2009.

Crouhy, Michel, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2006.

Deloitte Touche Tohmatsu. 2007 Global Security Survey. Deloitte Touche Tohmatsu, 2007.

Drennan, Lynn T. and Allan McConnell, Risk and Crisis Management in the Public Sector, 2007.

Flanagan, Roger and George Norman, Risk Management and Construction, 1993.

Fone, Martin and Peter C. Young, Managing Risks in Public Organisations, 2006.

Fraser, John and Betty Simpkins, editors, Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives (Robert W. Kolb Series), 2010.

Hall, Elaine M., Managing Risk: Methods for Software Systems Development, Addison-Wesley, 1998.

Hampton, John J., Fundamentals of Enterprise Risk Management: How Top Companies Assess Risk, Manage Exposure, and Seize Opportunity, 2009.

Head, George and Kwok-Sze Richard Wong, editors, Risk Management for Public Entities, 1999.

Hester, R. E. and R. M. Harrison, editors, Risk Assessment and Risk Management, 1998.

Howard, Michael & Lipner, Steve. The Security Development Lifecycle--SDL: A Process for Developing Demonstrably More Secure Software. Redmond, WA: Microsoft Press, 2006.

Hubbard, Douglas W., The Failure of Risk Management: Why It's Broken and How to Fix It, 2009.

The Institute of Internal Auditors. Information Security Management and Assurance: A Call to Action for Corporate Governance. IIA and Critical Information Assurance Project, 2000.

The Institute of Internal Auditors. Information Security Governance: What Directors Need to Know. IIA, 2001.

The Institute of Internal Auditors. Building, Managing, and Auditing Information Security. IIA, 2001.

IT Governance Institute. Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition. ITGI, 2006.

Jones, Jack. An Introduction to Factor Analysis of Information Risk (FAIR): A framework for understanding, analyzing, and measuring information risk. Jack A. Jones, 2005.

Kemshall, Hazel and Jacki Pritchard, Good Practice in Risk Assessment and Risk Management, 1996.

Lam, James, Enterprise Risk Management: from Incentives to Controls, 2003.

McGraw, Gary. Software Security: Building Security In. Boston, MA: Addison-Wesley, 2006.

McGraw, Gary; Chess, Brian; & Migues, Sammy. Building Security In Maturity Model BSIMM v1.0. 2009

Molak, Vlasta, Fundamentals of Risk Analysis and Risk Management, 1997.

National Infrastructure Advisory Council. Risk Management Approaches to Protection; Final Report and Recommendations by the Council. NIAC, October 11, 2005.

Norman, Thomas L., Risk Analysis and Security Countermeasure Selection, 2009.

Organisation for Economic Co-Operation and Development. Implementation Plan for the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. OECD, 2003.

Payment Card Industry Security Standards Council. Payment Card Industry (PCI) Data Security Standard, Version 1.2. PCI Security Standards Council, July 2009.

PCI Security Standards Council. Payment Card Industry (PCI) Payment Application Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1. PCI Security Standards Council, July 2009.

Pritchard, Carl, Risk Management: Concepts and Guidance, 2nd edition, ESI International, 2001.

Rafter, Susan, Risk Analysis and Risk Management: A Selected Bibliography (Public Administration Series No. P 2218).

Segal, Sim, Corporate Value of Enterprise Risk Management: The Next Step in Business Management, 2011.

Smith, Denis and Dominic Elliott, editors, Key Readings in Crisis Management: Systems and Structures for Prevention and Recovery, 2006.

Spedding, Linda S. and Adam Rose, Business Risk Management Handbook: A Sustainable Approach, 2007.

Taplin, Ruth, editor, Risk Management and Innovation in Japan, Britain and the USA, 2005.

Westby, Jody & Allen, Julia H. Governing for Enterprise Security (GES) Implementation Guide (CMU/SEI-2007-TN-020). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, August 2007.

________ . & Power, Richard. Governance of Enterprise Security Survey: CyLab 2008 Report. Carnegie Mellon University, 2008.


Addenda: (A handout)


Definitions: A Few Basic Terms - for Records Management Needs


Risk Analysis/Risk Assessment

The means of analyzing and assessing what threats, dangers, or risks may exist, either presently or within the conceivable future, that may have a tendency to harm an organization, agency, or institution, inclusive of all its assets: informational, plant, capital, human resources, and equipment.

Risk Management/Risk Avoidance

The application of a variety of management techniques, methods, and procedures specifically aimed at controlling and directing potential threats, dangers, or risks away from an organization, agency, or institution, so as to minimize or, if possible, substantially eliminate detrimental harm to the entity being protected.

Risk Mitigation/Risk Moderation

The explicit intention and active purpose of seeking out the various ways and means of incorporating such tools as best practices, information governance, corporate governance, compliance, standards, security measures, and litigation safety/management, for properly safeguarding the interests of an organization, agency, or institution against threats, dangers, or risks.

____________________________________________________________________________________
Suggested idea: One can search the Internet for the many case studies covering risk analysis, risk mitigation, BCP, disaster recovery, etc., as an added means of learning from actual situations.


Some Examples of Risk Management Glossaries:

www.bcpl.co.nz/definitions.html
Glossary of Risk Management Terms. www.maricopa.edu/mira/glossary.php
www.content.calgary.ca/...Risk+Management/Glossary+of+Terms.htm
www.gwu.edu/~icdrm/.../PDF/GLOSSARY%2002-19-2007.pdf
www.riskythinking.com/glossary/