Governance, Risk and Compliance
By Joe Crampton Modified February 7, 2021
If you asked businesses to name their most valuable assets, they might note items such as money, intellectual properties and patents, physical property and offices, and even upper-level management. However, information is just as important to business operations, and companies should always look to protect these assets.
Modern Risk Management has grown increasingly complex due to more scrutiny from regulators and shareholders. In many instances, companies will suffer losses because information was not transparent to relevant decision makers and risk managers. In short, information adds yet another potential threat that businesses need to account for.
“Because business information is vital to conducting transactions, the link between business risk and record keeping risk is very close,” explains Barbara Reed, director at Recordkeeping Innovation. “But treating record keeping risk as an identifiably separate component of risk enables organizations to become more sophisticated, focused and successful in managing risk.”
Records are vital to risk management – records can be used to prove compliance, avoid potential penalties and fees, and inform business decisions. For example, lack of financial records can lead to SOX penalties and fines. Records are more than just financial accounts – they can be related to production, operational and weather activities as well.
Risk Management revolves around the need to plan for the likelihood of a specific event occurring and having a strategy for dealing with the outcome. However, record Risk Management can be difficult. Physical records can be lost, and digital records could be accidentally deleted, edited or accessed by unauthorized individuals. Moreover, as companies transfer physical records to digital formats, there could be errors in the transition process, making recovery more challenging.
Record keeping risks are also closely associated with management-related issues. For example, the failure to share or publish information can lead to poor decision-making. Additionally, poor management could lead to accidental breaching of information security policies.
Record management and risk management are almost synonymous. Businesses need strong record management to maximize the potential of their risk management programs. As Risk Management magazine notes, retaining vital records is no longer just a good business practice – it’s a necessity. Companies that are unable to produce relevant records and information may be found liable for damages suffered by not having those documents available.
Ultimately, proper record management starts at the bottom. All employees need to be aware of the importance of safely and reliably storing essential materials. These individuals often feel as if they have the least responsibility – the worst that can happen to them is being reprimanded or fired. However, if a crucial piece of information is lost, businesses could be sued and executives could even be imprisoned in severe SOX-related cases. It’s up to management to stress the importance of recordkeeping practices to ensure employees know how crucial the task is.
“Unfortunately, compliance with all of the laws and regulations pertaining to records management is not always simple,” Risk Management magazine adds. “Although most of the compliance risk comes from documents that have been destroyed prematurely, there is equal risk in keeping documents for too long. Files can and should be destroyed after a certain number of years, depending on the type of information. If a file is retained beyond a certain date when it legally could have been destroyed, it can still be used against an organization in legal proceedings.”
Another problem many businesses are facing with their efforts to improve record Risk Management is the transition to digitized formats. Although computers have been common in offices for the better part of three decades, many businesses are still finding new ways to convert physical files into digital ones.
There are some types of information that can obviously be digitized – for instance, financial accounts and transactions. On the other end, there are some record types that are only now eschewing their paper roots. For example, construction companies are known for having dozens of floor plans that guide the building process. Only recently did digital blueprints gain popularity, as contractors and architects can now share files via the cloud and access them through mobile tablets on the job site.
The digitization process itself can lead to many issues. Data can be entered incorrectly if businesses are manually converting files. Physical records can be lost before digitization is completed. Files can be corrupted if the digital solution hasn’t been thoroughly tested. If companies are trying to set up new systems to automate digital record saving, there are opportunities for failure there as well. There are a number of intricacies that need to be accounted for.
Once records have been digitized, businesses still have the matter of security to deal with. Cybercriminals and fraudsters are relentless when it comes to gaining access to sensitive data. Businesses need to have the appropriate safety measures set up to safeguard their data, particularly as they begin to rely more on these digitized formats.
“To be effective, an organization’s risk management plan requires the development and maintenance of an ongoing process that enables the identification, analysis, evaluation, and treatment of risks that may impact the organization,” Robert Higgins, a chief risk executive at Gallagher, adds. “This knowledge further enables the prioritization of actions to reduce these risks to an acceptable level.”
As companies move forward, they need to realize that record management plays a big role in Risk Management. Just as Risk Management looks to protect assets and minimize damage to them, so too should programs be devoted to record management.