“All animals are equal, but some animals are more equal than others.” —George Orwell, Animal Farm
With the above quote from George Orwell’s Animal Farm, BlackRock director Jason Stearns set the tone at a 2018 Legaltech panel discussion on the role of records management in disaster recovery (DR) planning. Every organization has records it needs to conduct business, but not all content has the same criticality. And even among the most business-critical records, there are different tiers of importance. Jason’s point was that business continuity and DR planners have to always keep this hierarchy in mind, particularly when they’re evaluating information systems and tools.
Records management refers to the “set of activities required for systematically controlling the creation, distribution, use, maintenance, and disposition of recorded information maintained as evidence of business activities and transactions.” A lot of factors influence how records are managed, driven by things such as regulatory requirements and business needs. These different factors also help define the relative importance of the records themselves, sorting them into different tiers as follows:
All records must be managed, but it’s a record’s classification in the above tiers that determines how carefully: how long it is retained, where and how it’s stored, and how secure and reliable the storage tools are.
According to Stearns, as critical as vital records are from a DR perspective, they are often overlooked during the DR planning process. For example, part of an organization’s DR plan may include preserving the technical documentation required to get systems and services back online — but what about recovering the records that are absolutely critical to an organization’s ability to conduct business?
Aflac business continuity consultant Patsy Pritchett talked about how a vital insurance record might be a list of policy beneficiaries. This kind of data would be easy to miss in DR planning, but if it were lost, there would be huge legal implications and harm to the business. Other vital records might be anything related to in-progress litigation, such as data on legal hold. Although vital records may not be needed during a recovery process, they must be available later in order to keep the business going.
So again, all vital records may be equal, but … some are more equal than others. When records and data management are a real part of DR planning, a company has to categorize the importance of vital records in three tiers:
Once an organization figures out where vital records fall within the three tiers, the risks to those records need to be assessed. It’s too expensive and generally not feasible to protect all records equally. Intelligent risk assessment means balancing the chance of something happening with the potential consequences. According to Stearns, you always live with some level of risk. For example, if a record may never be needed or would not be too hard to replace, then you may be willing to risk losing it. But this can be tricky — a chain is only as strong as its weakest link, and sometimes data that seems less important is, in fact, crucial for a recovery or business process.
There isn’t a one-size-fits-all approach to vital records management, but understanding the records’ risk profile is always the first step. The organization can then figure out the rest, such as how many copies to keep, in what format, the retention period, and how quickly records need to be accessible at any time. Managing data records correctly is as important as the data itself — and doing it incorrectly can open the business up to unsuspected risks. For example, maintaining too many copies of records or keeping records too long can provide opportunities for data exposure.
One of the most important factors in properly managing vital records and DR planning is selecting the right data-management systems and other tools to make sure records are protected and accessible during and after a disaster. This is where the cloud comes in. Because of the cloud’s ubiquity, it’s radically changed how we think about vital record planning.
For example, Pritchett described the following advantages of Aflac’s cloud-first initiative from a DR perspective:
As Pritchett pointed out, leveraging the cloud as part of the DR process can offload a lot of the heavy lifting.
At the same time, organizations must be careful and make sure that any systems or services they put together can meet data privacy (HIPAA) and eDiscovery requirements, allow for quick record identification, and enable timely disposal when records pass their retention dates.
The DR planning process varies drastically by organization and is influenced by geography, industry, the type and size of the business, and other factors. However, for any organization, vital records have to be identified, protected, and governed. Putting a comprehensive vital records management program in place before a disaster occurs will reduce unpleasant surprises and ease the already complicated burden of resuming business as normal.