ARMA Houston 2014: Vital Records and Business Continuity

diamond_logo_artwork_-_colorThis is a part of a series of recaps from the 2014 ARMA Houston conference.

Judy Sitton, CRM, of PacoTech, Inc. led a wonderful discussion on vital records at the ARMA Houston 2014 conference. The discussion started with an admission that vital records mean something different to corporations than they do to governments. In fact, at TSLAC, we don’t even call them “vital” for local governments – instead, they’re “essential” records. State agencies, on the other hand, do have vital records. Essential and vital records are those records that are needed for “the resumption or continuation of government operations in an emergency or disaster,” “the re-creation of the legal and financial status of the government,” and “the protection and fulfillment of obligations to the people of the state.”

Ms. Sitton had a much more succinct definition for these records. She called them the heart attack records – the records that, if lost, would put you out of business. This isn’t quite applicable to governments, because when government records are lost, the government will keep functioning. For example, if the Constitution was lost (knock on wood), the United States government would not cease operations.heartattack

Now, when should you decide what records are vital? During an inventory is a good time – and we always like more reasons to do inventories! Another good time for identifying your vital records is when you are creating your retention schedule. Basically, any time that you’re already looking at your records really closely is also a good time to decide whether they are vital or not.

Frequently, records that would seem vital turn out to not be vital at all. For example, most people would say that medical records are vital records. But upon closer examination, they are not actually vital for most hospitals. If one patient dies because their medical record is lost, it is certainly an outrage, and the hospital will probably be sued. However, the hospital probably won’t go out of business, unless the person who died was, say, the President. So, in this case, medical records are certainly important, but they are not vital.

Protecting Your Vital Records

The second half of the discussion focused on methods of protecting those vital records. They are:

  • Natural or Built-in dispersal: This is when different people have copies of a record in the normal course of business. Let’s say that you keep the record copy of something, and somebody else in your office keeps a copy in the normal course of business. You should notify the person that they have your “protection copy,” and let them know how long they need to keep it in order to protect it.
  • Artificial Dispersal/Duplication/System Backup: This is when you have to take some other means aside from your normal course of business in order to protect your records. This includes things like microfilming, imaging, or backing up your electronic records.
  • Onsite Vaulting/Stay in Place Protective Storage: This refers to things like fireproof vaults and salt mines.
  • Offsite backups: This is when you keep copies of your records in a separate location from your normal site of business. The recommended distance is around 30 miles: it’s close enough for you to be able to access the records, but far enough away that they probably won’t be vulnerable to whatever disaster you might have at your primary site.
  • You might think, “Well, what about Hurricane Katrina? That covered a much larger area than 30 miles.” This is true, but storms or other disasters that affect such a large area are relatively rare. So, in addition to considering the kinds of risks that your primary and back up sites could encounter, be sure to consider the likelihood of risks as well.
  • What’s the level of service for your backup site? How will you be retrieving your records? Will you be competing with someone else for records retrieval at the time of your disaster?
  • Rural and low-traffic areas can be easier to guard.
  • Make sure you visit your site! Ms. Sitton told a story about visiting a site that had a keypad for security. Well, that’s good, right? In theory yes, but in practice, not so much: the receiving dock was wide open, and they had the code for the keypad taped right next to the keypad itself! Not so secure after all!

    Keypad security fail! From http://blog.rootshell.be/2009/10/09/security-code-fail/

    Security fail!! From http://blog.rootshell.be/2009/10/09/security-code-fail/

  • On a related note: Keypads are pretty cool for security, but are useless if there is no electricity, as may often be the case after a natural disaster. Make sure that there is a manual override method (such as a key) as well.
  • In addition to ensuring that your back ups are kept safe, make sure that your records are also protected from any hazards that you might create – such as radiation at a hospital or in a nuclear lab.

On a final note, someone mentioned that a lot of continuity plans do not talk about non-electronic records. This is quite ironic, since most organizations still keep a number of records in paper or microfilm. So when you’re creating your continuity or emergency preparedness plans, make sure to outline how to access those non-electronic vital records too!