Risk management is a critical aspect of running any organisation, whether a business or public service entity, in the 21st century. Apart from the traditional risks of crime and data loss, cyber crime and terrorism have been added to the list of risks that managers need to concern themselves with.
"Managing risk is not only a management responsibility, but is now being regulated," says Paul Mullon, marketing director of Metrofile. "Executives will be held accountable for negligence in this area in future. Risk has therefore become a lucrative industry for consultants and advisers as managers face the task of protecting their organisations, and in the process, themselves."
There is an even greater need for risk management in government because the business processes under threat are traditionally critical to the functioning of the country and the data at risk can be of a sensitive or confidential nature. Government is also larger and more dispersed than most organisations, which in many respects makes it an easier target.
Before any one person or department in government can manage risk, however, they must first identify what risks they face. Three main categories of risk need to be addressed (although there is no limit to what threats may arise and from where):
Disaster: The first and most frightening risks are those that put a stop to all business processes and can even put lives at risk, such as natural or man-made disasters; and then there are virus attacks that can shut down an organisation`s IT infrastructure. In these instances, it is vital that an effective disaster recovery and business continuity strategy is in place so that the affected organisation can resume business in a different location with clean data.
Crime: People gaining access to information and duplicating it, whether as a means to make money or for competitive advantage, is a greater risk now than ever before because of the proliferation of electronic communications and storage devices.
Once again, government is at even greater risk because it is broadly dispersed, and not all departments and outposts have the latest technology available.
Data loss: Loss of information applies to both physical documents and electronic records that can be copied, stolen, or even e-mailed to unauthorised persons. Effective data management must therefore be a cornerstone of a risk management programme.
"Given the historical processes local governments and municipalities employed in the execution of their duties, information tends to be scattered around various locations in different filing systems managed by people with diverse backgrounds and training," explains Mullon. "It`s an accident waiting to happen."
This is only the tip of the iceberg, he says. "There simply seems to be too many records, stored in too many locations (and most of the time in the wrong locations) that are too hard to gain access to and even harder to control."
Mullon also notes that data loss goes further than stealing police dockets or identity information. "In a country like SA, poor record management could see historical documentation going missing. For example, losing records of land ownership would prevent the repatriation of land to its rightful owners."
Reputation risks: Accompanying the loss of data through fraud or a disaster is the risk of reputational harm to the government if it becomes known that it is careless with its security processes. And this applies more than ever in an election year. Dealing with risk
Once risks have been identified, it is then possible to take steps to prevent them, or at least to counter them, should the worst happen. Here, a well thought-out records management programme becomes critical for government.
For example, to ensure documents are not compromised in any way, government could use electronic images of documents in day-to-day activities while the originals are stored in a secure, offsite location. Should the electronic data store be compromised or destroyed, at least the originals will be safe.
"Government needs to take a big-picture overview of the risks it faces," notes Mullon. "In those areas where the risks are high, it needs to take action to prevent losses. These actions will be dependent on each situation and could mean that a full duplicate of a department must be set up in a disaster recovery site. On the other hand, it may simply require keeping copies of data in a different medium as an emergency measure. It could even be as simple as putting an extra security guard at the door."
Should certain government departments decide on electronic storage as a risk-management option, Mullon highlights another caveat. "If electronic storage is mandated, data administrators need to ensure that the medium they choose will still be readable in 10 or 20 years - and many, if not most documents in government`s possession will need to be stored for that length of time."
The veracity of this statement is only too clear when one considers that only a few years ago 5.25-inch floppy disks were in every PC. Now they are extinct and extracting data stored on those disks is almost impossible. One needs to ensure the physical medium used for storage will last for a long time.
Risk management is a complex task, especially for organisations as large as government. The most efficient and cost-effective process of managing risk is to first identify in detail what threats are being faced and then determine the most appropriate course of action to deal with them.
Share
Metrofile is the South African market leader in the management of business documents, and is committed to help customers reduce costs and improve productivity in processes that are centred on documents and corporate records.
All companies have a combination of paper and electronic documents, and are forced by law and customer requirements to secure the availability of the documents for the duration of their lifecycle. For most organisations, the volume of documents is growing at an exponential rate, and is becoming increasingly difficult to manage.
Metrofile is uniquely positioned to provide consulting and implementation of full lifecycle paper and electronic records management solutions from storage and conversion through to destruction.
Editorial contacts