Information generated by an organization in the course of business -- especially hard-copy records -- should be...
protected. Records and information management (RIM) programs, as defined by ARMA International (www.arma.org), are essential activities to protect business information and can be established in compliance with laws, regulations, or corporate governance. Such a program ensures that critical information is protected and available to an organization during, or after, a crisis.
From a disaster recovery perspective, output from a business impact analysis (BIA) can help identify critical information in either physical or electronic forms. By identifying critical business functions, a BIA can help identify what information (e.g., vital records) is needed to restore organizational functions and to assist in business resumption. Once the vital hard-copy records are identified, they can be protected using a vital records plan (which can be made a part of a business continuity and/or disaster recovery plan).
Protecting hard-copy records
Loss of or damage to paper records can occur from fires, floods, hurricanes and tornadoes, explosions, smoke, mold and microbial contamination, water pipes bursting, accidental sprinkler discharges and freezing temperatures.
Strategies for protecting vital hard-copy documents include storing them in secure, clean and environmentally stable containers; making backup copies and storing the backups in secure off-site areas with stabilized temperature and humidity; making microfiche copies; and scanning documents into PDF or other data formats. Specialized document storage companies like Iron Mountain (www.ironmountain.com), BMS CAT (www.bmscat.com) and GRM Document Management (www.grmdocumentmanagement.com) can provide a range of document protection services. Document scanning service companies like IPS (www.ipsservices.com), Royal Imaging Services, LLC (www.royalimaging.com) and Docufree Corporation (www.docufree.com) can scan thousands of documents for less than five cents apiece. That service includes scanning, conversion to a specific format, and storing the scanned documents electronically. If the original documents can be shredded or destroyed once they have been scanned, there may also be a charge for that option.
Fire-resistant storage containers may be advisable for storing particularly important documents such as historical documents, such as company organization papers, deeds, court records, and early stock certificates.
Accessing hard-copy records after a disaster
Assuming your backup copies of your vital records are stored off-site, and in easily accessible formats, such as PDFs, getting to the documents after a disaster should be no more difficult than traveling to the storage site and retrieving the documents you need. Alternatively, you may be able to access the documents electronically simply by going on the Internet and connecting to your storage service company.
Recovering damaged hard-copy records
On the chance that some of your vital records may have been damaged in a disaster, companies like BMSCAT offer document recovery and restoration services. For example, in situations where documents are wet from flooding, freeze-drying processes are available to stabilize them and prevent further deterioration. Specialized water vacuum systems may also be used to extract water from water-logged documents. It may be necessary to fumigate a records storage area to destroy insects, mold, mildew, and other destructive biological infestations.
With any BC/DR plan, ensure that vital hard-copy records are part of the plan, because without access to critical company records and information, the organization could be compromised. Your organization could also be in violation of government regulations, such as HIPAA and Sarbanes-Oxley, if vital records are not protected.
Assuming a records management function exists in your organization, work with the staff to add RIM activities into BC/DR plans. Establish RIM policies; ensure that document scanning, storage and retrieval, and recovery and restoration procedures are documented; define controls to ensure that RIM activities are properly performed and can be periodically audited; and include document recovery in BC/DR tests when possible.
About the author: Paul Kirvan, CISA, FBCVI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter. He can be reached at firstname.lastname@example.org.
For additional reading:
ANSI/ARMA 5-2010, Vital Records Programs: Identifying, Managing, and Recovering Business-Critical Records sets the requirements for establishing a vital records program; ISBN: 978-1-931786-87-4
ARMA Guideline for Evaluating Offsite Records Storage Facilities (PDF); ISBN: 978-1-931786-31-7
ARMA Vital Records: Identifying, Managing, and Recovering Business-Critical Records https://www.arma.org/bookstore/productdetail.cfm?ProductID=1276