If there’s one thing that the past couple of years have taught us, it’s to expect the unexpected. Crises are sure to affect us all, whether it’s through extreme weather, natural disasters, or global pandemics. In these unpredictable times, having a strong business continuity plan has never been more important.
A pillar in any business continuity plan is protecting vital records, which are the records that allow your company to complete its most crucial tasks. Vital records are among an organization’s most important assets.[i] For example, without access to vital records, it may become impossible to pay employees, provide services to customers, test medical treatments, or manufacture products.
This blog discusses management’s duty of care when it comes to vital records, as well as a few effective crises planning guidelines from the Federal Emergency Management Agency that have application to business continuity planning for vital records.
Management’s Duty of Care to Protect Vital Records
It is well accepted that management has a duty to protect an organization’s records as it would any other company asset. [ii] For vital records, however, the stakes are raised, as their loss poses significant risk to an organization, as well as its customers and shareholders. [iii] Reasonable caution in the face of disaster may be all that’s necessary to protect non-vital records. For vital records, however, business continuity planning that expressly addresses protecting and preserving access to vital records is a key step for managers to uphold their duty of care.
Planning for Crises like the Pros: FEMA’s approach
Anticipating a crisis and its effects across an organization can be daunting. It may be a relief to know, then, that FEMA has provided businesses with a tool to ease this burden. This tool is FEMA’s “Developing and Maintaining Emergency Operations Plans: Comprehensive Preparedness Guide” (“Comprehensive Preparedness Guide” or the “Guide”). As an exercise in preparation, we’ll analyze steps 1 through 3 in FEMA’s Guide as they relate to vital records. FEMA recommends that private organizations (in addition to government entities) incorporate these steps into their business continuity and disaster planning. [iv] The Guide gives a glimpse of how emergency planning should take place at the highest level, and provides helpful ideas for management to prepare for disaster.
(v) (edit from full chart, Steps 1-6)
Step 1 – Form a Collaborative Planning Team
According to FEMA, proper planning “provides a methodical way to engage the whole community in considering the lifecycle of a potential crisis, determining required capabilities and establishing a framework for roles and responsibilities.”[vi] With respect to protecting vital records, this means getting input from the wide array of people that make up your organizational “community” (perhaps by including them via email surveys, or through company initiatives asking for buy-in on vital records management). To determine who should form your planning team, obvious candidates should be your organization’s records managers. However, including other business units will likely lead to more insight about individual record types, their usage, and the consequences of their potential loss. Members within a collaborative planning team can also carry out the subsequent steps of vital records planning; but ideally, FEMA recommends that management stay involved.
Step 2- Understand the Situation
While it can be hard to make predictions on risk, understanding which hazards might affect each location where your organization exists can reveal soft spots.(vii) FEMA suggests locating already completed analysis from public interest groups, academia, private consulting, and professional associations to determine risk levels across jurisdictions.(viii) While it won’t always be feasible to determine every possible hazard, having a firm understanding of the records you have, knowing how they’re stored, and accounting for the most likely types of hazards that threaten them will improve your organization’s vital records disaster readiness.
Step 3 – Determine Goals and Objectives
FEMA recommends that goals be broadly defined, with set intended outcomes; in contrast, objectives should more specifically target an individual’s actions to achieve goals. [ix] For vital records programs, the goal should be the timely access and usability of records that are essential for completing crucial business tasks. Goals should seek to minimize interruption to the greatest extent possible, and should create specific time periods within which an organization aims to restore operations. A planning committee might consider creating a schedule that assigns a number of days, or even hours that it might take to restore records usability based on the severity of a disaster, and then create objectives for individuals to achieve these goals. The idea is to get critical stakeholders thinking about specific scenarios and their responses. Stating goals and objectives helps create buy-in from an organization by defining what success during a disaster will look like. It also establishes key areas on which to focus. [x]
FEMA’s Comprehensive Preparedness Guide shows how emergency preparedness planning should take place at the highest level. As a manager, integrating these practices into your organization’s business continuity plan can be a good way to help fulfill your duty of care to protect your organization’s vital records.
Zasio provides solutions to help ensure vital records remain accessible during catastrophes. Contact us for further guidance and practical solutions for your vital records program.
[i] William Saffady, Ph. D., Records and Information Management: Fundamentals of Professional Practice (3rd Ed. 2016). Page 172.
[ii] Id. at 176.
[iii] Id. at 178.
[iv] Federal Emergency Management Agency (FEMA), Developing and Maintaining Emergency Operations Plans: Comprehensive Preparedness Guide (CPG) 101. September 2021, Version 3.0. https://www.fema.gov/sites/default/files/documents/fema_cpg-101-v3-developing-maintaining-eops.pdf. pg. ii.
[v] Id. at 43.
[vi] Id. at 1.
[vii] Federal Emergency Management Agency (FEMA), Developing and Maintaining Emergency Operations Plans: Comprehensive Preparedness Guide (CPG) 101. (CPG) November 2010, Version 2.0. https://www.fema.gov/sites/default/files/2020-05/CPG_101_V2_30NOV2010_FINAL_508.pdf. Pg. 4-7
[ix] See FEMA, 2021. Pg. 53.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.