IDENTIFYING AND EVALUATING RISKS
Determining information risks means considering not only what you have, but also what you don’t have—and can be found liable for not having. This has become painfully, publicly clear as lawsuits reveal that defendants cannot produce records demanded as evidence, or have made the mistake of destroying records according to disposition schedules when a lawsuit was imminent. In the case of United States vs. Philip Morris, the court had ordered preservation of relevant documents, and yet the defendant continued to delete e-mail when it became 60 days old. The cost to Philip Morris: $2.75 million in monetary sanctions; preclusion of defense witnesses who did not follow the preservation order; and payment of the plaintiff’s costs relating to spoliation of the e-mails.
In discussing Enterprise Risk Management (ERM), Allan Holmes writes in CIO Magazine that Chief Information Officers are best positioned to champion ERM: to establish a single view of all risks, internal and external, and an executive-level strategy to deal with those risks. Developing an ERM strategy is a complex process that may meet resistance, because many people feel that identifying areas of risk brings criticism to their work.
In such an atmosphere, the message for ERM becomes very important. “You must find a way to describe the risk,” according to David Weymouth, former CIO with Barclays Bank. In his case, he found a way to calculate the savings produced when the bank’s IT department prevented fraud or other negative incidents. Another former CIO, Bill Sharon, said that ERM can succeed when the ERM leader develops personal relationships with operating units throughout the organization. These thoughts will likely have a records and information professional nodding in agreement, thinking “This is what I want to do in my organization.”
As a first step, a RIM practitioner can go to ARMA International’s web site, www.arma.org, and consider the “RIM...