Risk assessment: It is worth the work!

Imagine that you are sitting on a tree stump in a quiet forest next to a gently running stream. The birds are chirping, squirrels and chipmunks playing, and all seems right with the world. You are in your refuge; the place you go in your mind when someone mentions peace. Sounds great, doesn’t it?

Unfortunately, the next thing you hear is the voice of one of your co-workers waking you from your daydream, telling you that your company is involved in litigation and there is an immediate need to determine the company’s exposure.

Harsh reality sets in. The next thought you have is that your company’s failure to analyze what data it has and where it is might be its undoing.

You start to sweat. The panic overwhelms you.

You realize that if litigation is imminent, you will have no choice but to uncover all data on your servers, clients, backups, etc. Opposing counsel will demand that all evidence be turned over to them and you have no idea what risk and exposure you have.

This litigation could cost your company $100,000,000+, all because it decided that there was no “cost benefit” to performing the proactive tasks of assessing your data and mitigating the risk.


Now let’s replay the scene with some tweaks.

Over the past year, your company decided to put forth the effort and cost of assessing what data you have, where it is located, why it exists and how long it should be retained. This initiative spanned all departments within your company – security, legal, HR, IT, records management, lines of business, etc. Representatives from each department worked on an assessment of the information needs that they must provide individually, and their employees helped with this process.

Once each department gathered all necessary information, the representatives met collectively to collate all of this information and categorize the types of data, locations, etc. Once all data was catalogued, the next step was to assign retention to each data type and ensure that the policy was strictly enforced, not only on the ‘live’ data, but also on backups, etc. To automate the enforcement of these policies, the company researched, purchased and configured software to perform all of the assigned retentions.

Decisions were also made on where data should not be stored; users should never archive email or business-related files (e.g. Word, Excel, etc.) locally. Knowing it is difficult to enforce policies in an automated fashion, a decision was made to inform all employees that storing any information locally is a violation of company policy and that not adhering to this policy has severe consequences, including possible termination.

For the past three months, the automation of the policy enforcement and adherence to the user policy have been routine. Even the random spot-checks of users’ compliance have shown that all employees are on board. Backup tapes are being scratched based upon the policies as well.

Rewind.

So once again you are reveling in your thoughts about the forest when your co-worker tells you that litigation is occurring. You simply take a deep, cleansing breath and realize that all of the work your company has done over the past year has proved worthwhile. The old adage, “If you fail to plan, you plan to fail,” no longer applies to your company. The risk assessment analysis has been done and is ready to provide you with everything you need.

Which version of the story would you rather experience? Make sure your company is prepared for litigation by taking the appropriate actions now.
