Protecting and Recovering Vital Records from Disaster - A Practical Approach

Hurricanes Katrina and Rita have put the spotlight on the necessity of protecting and recovering vital records. Vital records are the records that contain information critical to the continuation or survival of your company during or immediately following a crisis. They can be paper records, database records, e-mail with attachments, voice mail, instant messages, or any other official record documenting company business.

Proper protection of these records starts with proper planning. Here is our recommended planning approach to protecting your company's vital records against all disasters - natural or man-made.

One: Designate a Vital Records Program “Owner”

For your vital records program to succeed there must be one individual accountable for planning and maintaining the program. The business continuity or records manager are likely candidates due to their involvement with records programs or business continuity planning. You also need a clear definition of responsibilities between records management, business continuity, risk management, and emergency preparedness.

Two: Assess Your Current Vital Record Program

The next step is to determine what (if any) vital records or risk assessment programs already exist within the organization. If these programs do exist, examine how much of this work can be leveraged for a comprehensive vital records program. Typical departments to consider are:

• Records management - they may have vital record classes identified.
• Business continuity - they may have criticality assigned to business functions from a Business Impact Analysis.
• Risk management - they may have rated company business function loss.
• Emergency preparedness - they may have specified an order to re-establish company business functions.

If you currently do not have any relevant programs, you will need to complete a Business Impact Analysis (BIA) of the company business functions. Your BIA will give you a recovery priority rating that is a key component for aligning business function recovery priorities with vital records priorities.

2. Identify and Assess Vital Records

Conduct surveys of business functions to document business function records, and collect information to identify and assess vital records. The following three risk categories should be included in the assessment survey:

• Probability of loss or damage.
• Recovery priority analysis (from the business impact analysis).
• Financial or time impact of loss or damage.

Next, the responses for each risk category should be rolled up into an overall risk rating for each vital record. Your plan will include all records, but of course scarce resources should be allocated to the highest risk records first.

3. Create an initial plan to protect and recover your vital records

Build your initial vital records recovery plan with the following in mind:

• Include high-ranked vital records in the business continuity plan and provide for their quick and easy access.
• Develop a protection plan with record owners for records that are not on the short-term risk reduction list.
• Include a corporate compliance/governance summary for corporate compliance use.
• Coordinate the vital record program with the business continuity plan.
• Develop training and rollout plans including a policy and procedure document.
• Obtain approval for the plan to reduce vital record risk.
• Include external processes like e-commerce, voice mail, or web hosting in your plan.
• Include vital records protection within existing security, records management, and recovery processes when possible.

4. Maintain and Update Your Vital Records Plan

Vital records are dynamic and change with the business, so your vital records plan needs to be updated on a regular basis. Keep your plan up to date by remembering to:

• Include vital record recovery and reconstruction in your business continuity plan exercises.
• Plan and fund continuous risk reduction for vital records.
• Include vital records in new application development processes.
• Update vital records risk at a minimum of every two years.
• Train new employees and managers responsible for vital records.
• Produce an annual compliance report for vital records.
• Encourage internal audits to ensure compliance with the vital record program.

Summary

Vital records are essential for the recovery of any business. If you follow this pragmatic approach, a disaster doesn't have to mean you can't quickly recover the most vital records you need to keep your business running. 

This article was adopted from, Business Continuity Relies on Records, by Gary Rossell, a senior consultant with Iron Mountain.