The Three P's to Effective Risk Management and Compliance
By April Chen, Senior Product Manager, Iron Mountain
Did you know that in a 2015 survey of government records and information management (RIM) professionals, only 33 percent of respondents felt very confident that their agency records were not at risk? This aligns closely with a 2016 survey of a similar audience, who identified "risk management" as the number-one area of improvement for their agency. Every day, news outlets are filled with stories about how improper management and control of agency information has led to fines, e-Discovery delays, reputation damage and loss of constituents' trust. With the increasing scrutiny on data breaches and information security practices, how can agencies take action today to address this issue in a standard and comprehensive fashion?
It's not enough for federal agencies to assume they know where their information risks reside, especially given the constantly evolving information landscape. Gaining a comprehensive understanding of their records inventory and management practices throughout the organization is a challenging, but necessary, measure for mitigating the risks associated with the expanding volume of records and the various access points open to attack. What agencies need is a formal, structured framework to manage information from creation or collection through to destruction, one designed specifically to address the challenges and risks that come with growing information volumes and varied format types.
In order to do this, RIM professionals must engage with the agency's line-of-business managers – the general purveyors and creators of this information for their respective business functions – in documenting compliance with a baseline set of mandatory controls. Doing so gives insight into how information is viewed, accessed and managed on a daily basis, and provides the visibility needed to contextualize the associated levels of risk. From there, agencies can implement a set of consistent controls that all managers can leverage to support a comprehensive risk framework applied across the agency.
So what is a risk framework, and why do agencies need one? In short, a comprehensive risk framework is an operational self-assessment program that provides records and information managers, as well as line-of-business managers, with tools for diagnosing their own performance against a set of given controls. Although the framework is only one part of an agency's compliance measures, it allows them to identify and then close information management gaps across the organization, in addition to quantifying and demonstrating compliance through a systematic approach. Moving in this direction will ensure consistency, while forcing agencies to continually re-evaluate and improve their processes as the information landscape changes. In addition to driving process improvements, the results from the assessment can also be used as a powerful change management tool, ensuring that quantified results are communicated to employees to help promote, foster and shape compliant behavior.