The 3 Ps to effective risk management and compliance

April Chen, the senior product manager for Iron Mountain, explains how process, protection and people need to come together to better manage records and data.

Did you know that in a 2015 survey of government records and information management (RIM) professionals, only 33 percent of respondents felt very confident that their agency records were not at risk?

This aligns closely to a 2016 survey of a similar audience who identified “risk management” as the number one area of improvement for their agency.

April Chen is a senior product manager at Iron Mountain.

Every day, news outlets are filled with stories about how improper management and control of agency information has led to fines, e-Discovery delays, reputation damage and loss of constituents’ trust. With the increasing scrutiny on data breaches and information security practices, how can agencies take action today to address this issue in a standard and comprehensive fashion?

It’s not enough for federal agencies to assume they know where their information risks reside, especially given the constantly evolving information landscape. Gaining a comprehensive understanding of their records inventory and management practices throughout the organization is a challenging, but necessary, measure for mitigating risks associated with the expanding volume of records and various access points open for attack.

What agencies need is a formal, structured framework to manage information, from creation or collection to destruction that is constructed to specifically address the challenges and risks associated with growing information volumes and varied format types.

Engaging the lines of business

In order to do this, records and information management (RIM) professionals must engage with the agency lines of business managers – the general purveyors and creators of this information for their respective business functions – in documenting compliance with a baseline set of mandatory controls. Doing so provides insight into how information is viewed, accessed and managed on a daily basis, and provides the visibility needed to contextualize associated levels of risk. From there, agencies can implement a set of consistent controls that all managers can leverage to support a comprehensive risk framework applied across the agency.

Establishing a RIM risk and control framework

So what is a risk framework and why do agencies need one? In short, a comprehensive risk framework is an operational self-assessment program that provides records and information managers as well as lines of business managers with tools for diagnosing their own performance against a set of given controls. Although the framework is only one part of an agency’s compliance measures, it allows them to identify and then close gaps in information management shortcomings across the organization, in addition to quantifying and demonstrating compliance through a systematic approach. Moving in this direction will ensure consistency, while forcing agencies to continually re-evaluate and improve their processes as the information landscape changes. In addition to driving process improvements, the results from the assessment can also be used as a powerful change management tool, ensuring quantified results are communicated to employees to help promote, foster and shape compliant behavior.

The three “P’s” of a successful risk framework

  • Process: Governance, inventory, retention and disposition
    The first step in accounting for information management risk is establishing an overall structure for organization, management and accountability. This ties in closely to accounting for where information resides and in what format, how that information is stored while under agency control, and how it is disposed of or preserved when it reaches the end of its lifecycle. If agencies are unable to account for how their information is handled or where it is stored, it should be obvious that they do not have a comprehensive understanding of their current risk positioning. Putting this into perspective, in the previously mentioned survey from 2015, only 28 percent of respondents indicated that their agency had proper governance tools in place and only 25 percent conducted regular audits of their compliance, which represents a clear opportunity for change.
  • Protection: Privacy, security and legal holds
    Once agencies have a full view of the information under their control and how that information is handled, they should begin looking at compliance requirements. This entails protecting agency information in accordance with all applicable government laws, regulations and compliance mandates, including, but not limited to, facility certifications, security standards, electronic conversion requirements and other obligations. Legal holds are also used in select circumstances to suspend retention requirements or cease destruction of certain groups of records, even if they are eligible for destruction. According to the 2015 survey results, an overwhelming 72 percent of respondents believe there is room for improvement in either the tools or procedures used to ensure compliance with records management laws and regulations, making the case for this step in the framework.
  • People: Staffing, training and vendor management
    The first and last line of defense in an agency’s fight against unnecessary risk is the people who work with information on a daily basis – employees and contractors. Even if an agency is well positioned in regards to their processes and protection, it is all for naught if those measures are being ignored or subverted by the end-user either at the creation of a record or as it is managed through its lifecycle. In addition to proper oversight, agencies should ensure that all staff and contractors are fully trained – on a continuous basis – in how to handle information as it pertains to their job function and the importance of conforming to the overall risk framework. However, as it currently stands, only 39 percent of employees report receiving formal training based on agency policies that will help them appropriately manage records under their immediate control, which validates the need to address proper education as part of the larger end-user framework.

Moving forward
As agencies continue to be more data-driven and flexible in how they create records, the burden of monitoring compliance has outgrown the current capabilities of resource-constrained RIM staffs. Agencies can better monitor compliance by promoting the risk framework as a self-rating tool as well as establish agency buy-in to adhere to/enforce the framework. As a result of end-user transformation and the development of a baseline set of mandatory controls, agencies can feel confident in their current RIM state.

Implementing a risk and control framework is an ongoing process that must be constructed and managed accordingly. Agencies should be looking to continuously identify gaps in their framework, assess the effectiveness of established controls and revise or implement new controls as necessary. By following this methodology, agencies can significantly boost their compliance standing and leverage their positive results to formulate strategic action plans, reduce risks and lead by example to encourage larger, governmentwide adoption.

April Chen is the senior product manager for Iron Mountain.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Amelia Brust/Federal News NetworkFederal Acquisition, GSA

    Iron Mountain’s Sue Trombley on updating federal records management

    Read more