DISASTER MANAGEMENT, RISK MANAGEMENT AND GOVERNANCE

BY

Prof. Henry N. Kemoni

The Technical University of Kenya

Paper presented during the Eastern and Southern Africa Regional Branch of the International Council on Archives (ESARBICA) Pre-conference Workshop on Disaster Management, Nairobi, Kenya, Kenya School of Monetary Studies, 3rd – 4th June 2013.

OUTLINE

1. Archives and Empowerment of Society
2. Legislative Mandate of Archival Institutions
3. Disaster Management
4. Risk Management
5. Disaster Management and Governance
6. Records/Archives and Good Governance
7. Electronic Records

Archives and Empowerment of Society

Archival information empowers society in various ways:

1. Transparency and accountability
2. Good governance
3. Democratic transformation
4. Social justice and reclaim of human rights
   • Victims of genocide and mass murder in Africa, Cambodia, East Timor, Guatemala, Germany, Kenya, South Africa, etc.
   • Right to liberty
   • Security of personal property
   • Freedom from slavery, torture and cruelty
   • Freedom from discrimination
   (UN, The Universal Declaration of Human Rights – 30 articles)
5. Dispute resolution
6. Historical accounting/reconstructing the past
7. Archives and construction of culture – Archives are the means society uses to construct and re-examine its knowledge base of insights and achievements
8. Crimes/scandals/risks (Wallace 2007; Harris 2007; John Curtin University, Australia)

*Effective disaster management provides a framework for preservation and access of archives to facilitate empowerment.

Legislative Mandate of National Archival Institutions

1. Proper administration and management of public records and archives
2. Make records and archives accessible and promote their use
3. Promote awareness of archives and records management and encourage archival and records management activities
4. Promote preservation and use of national archival heritage
5. Approve institutions to use public archives

(The Public Archives and Documentation Service Act Cap 19, Kenya, 1991; The United Republic of Tanzania, Records and Archives Management Act, 2002; National Archives and Records Service of South Africa Act, Act No. 43 of 1996).

The legislative mandate of archival institutions would be undermined in the absence of an effective risk and disaster management plan.

Concept of Disaster Management [Business Continuity Planning]

Disaster – An unexpected event with serious destructive consequences.
Emergency – Any unexpected occurrence requiring immediate action. (Laura Miller 1999)

Business continuity planning comprises measures to prevent, prepare for and recover from a disaster [National Archives of Australia Digital Recordkeeping Guidelines 2004].

Disaster Management – Integrated approach to managing disasters with the following activities:

1. Risk assessment
2. Prevention and preparation
3. Response
4. Recovery

Potential Threats to Archival Holdings

Natural Hazards
• Earthquakes and landslides
• Fires
• Hurricanes
• Tornado
• Storms
• Tidal surges
• Flooding
• Lightning strike
• Windstorm

Criminal or Terrorist Attack
• Vandalism
• Theft
• Arson
• Bomb hoax/bombing
• Demonstration
• Sabotage
• Terrorist attack

Industrial Accidents
• Nuclear radiation
• Fire
• Explosion
• Chemical or fuel spillage
• Gas leaks
• Falling objects

Environmental
• Dust
• Insects
• Rodents
• Light

Computer Crimes

Computer crimes include cases where a computer is used to aid criminal activity or where the computer is the target. Involves use of the internet to support crimes such as fraud, identity theft, sharing information and embezzlement.

Examples of when a computer can be used to aid criminal activity: storing records of fraud, packaging false identification, reproducing and distributing copyrighted materials, collecting and distributing child pornography [FBI].

Examples
• Fraud achieved by manipulation of computer records
• Spamming
• Deliberate circumvention of computer security systems
• Unauthorized access to or modification of programs (cracking or hacking)
• Intellectual property theft
• Industrial espionage
• Identity theft
• Writing/spreading computer viruses
• Denial of service attack (websites flooded with service requests, leading to overloading and crashing)

Risk Management

• Risk is unavoidable and present in virtually every human situation
• Risk refers to the uncertainty that surrounds future events and outcomes
• Expression of likelihood and impact of an event (Government of Canada Integrated Risk Management Framework)
• Risk Management: “systematic approach to getting the best course of action by identifying, assessing, understanding, acting and communicating risk issues”.
• According to ICA, examples of risks to archival material include those emanating from: outside the building, building structures and its services, unstable material in the buildings, and people or groups targeting the institution
• Globalization

Corporate Risk Profile: Steps

1. Identify types of risk
   • Technological
   • Financial
   • Human resources
   • Health and safety
   • Political
   • Governance and accountability structures
   • Individuals working in the system
2. Identify source of risk – internal/external
3. What is at risk – area of impact/type of exposure
4. Level of ability to control the risk

Table 1: Identification of risks and Likelihood of Happening and Impact

Risk (rows): Earthquake; Fire; Flood; Building Collapse; Radiation; Fire; Floods; Rodents; Insects; Riots; Arson; Bomb Threat; Computer Crimes; Viruses; Hacking; Others

Likelihood (columns): Almost Certain; Likely; Moderate; Unlikely; Rare

Risk Management Model

• Identifying organization goals and environmental expenses
• Identify risks
• Controls that deal with identified risks and their effectiveness
• Likelihood/consequences
• Treat risk
• Monitor and review, identifying new risks and treating them

Adapted: Standards Australia AS/NZS: 2004 Risk Management.

Records and Archives: High Risk Functions

1. Those that receive a high level of public and media scrutiny
2. Instigate or are subject to litigation
3. Allocate, spend or collect huge sums of money
4. Involve issues that are politically sensitive
5. Involve issues of national security
6. Relate to sensitive or contentious activities
7. Contain classified information

Governance

“The process of decision-making, and the process by which decisions are implemented or not implemented”. (United Nations Economic and Social Commission for Asia and the Pacific)

“Way power is exercised through a country’s economic, political and social institutions” (World Bank).

Actors of Governance include:
• Government
• NGOs
• Financial Institutions
• Political Parties
• Military
• Society
• Media
• International donors
• Multi-national Corporations

Good Governance

“Transparent, participatory and accountable”

“Epitomized by predictable, open and enlightened policy making, a bureaucracy imbued with professional ethics and strong civil society”

Good Governance Model
• Accountable
• Participatory
• Transparent
• Rule of law
• Effective and efficient
• Responsive
• Equitable and inclusive

Source: UNESCAP 2013

Records, Archives and Governance

Efficient and effective records management is the basis for:
• Poverty reduction
• Accountability
• Effective management of state resources
• Protection of rights and entitlements
• Services for citizens
• Anti-corruption strategies
• Rule of law

*Disaster and risk management facilitate availability of records for governance

The Four Pillars of Comprehensive Development Framework:
• Good governance
• Equitable judicial system
• Accountable financial system
• Enforceable civil rights

(World Bank 2012)

“The loss of control of records has consequences for citizens. Relevant and accurate records must exist if governments are to preserve the rule of law and to demonstrate fair, equal and consistent treatment of citizens. Without access to records, the public does not have the evidence needed to hold officials accountable or to insist on the prosecution of corruption and fraud” (World Bank)

Electronic Records

Common types of electronic records include:
• Documents created using office applications – word processed documents, spreadsheets
• Online and web-based – intranets, extranets, public websites
• Records generated by business information systems – databases, human resources systems, financial systems, workflow systems, content management systems
• Digital communication systems – email, SMS, MMS, voice mail, videoconferencing

Electronic Records concerns
• Technological obsolescence
• Hardware and data security
• Preservation and transformation of data concerns

Electronic records may be affected by disasters such as:
• Natural events
• Building structural failures
• Industrial accidents
• Technological disasters such as viruses
• Criminal behaviour such as theft, arson, espionage, malicious computer hacking
• Accidental loss through human error
• Unstable storage conditions – storage of magnetic media near electronic equipment

[National Archives of Australia Digital Recordkeeping Guidelines 2004]

Preservation methods
• Refresh – copying from one medium to another [floppy disk to CD-ROM]
• Replication – similar to refreshing but location different
• Migration – translating data from one computer format to another to ensure data is accessed using new or changed computer technologies
• Emulation – process of using one computer device or software to imitate behaviour of another device, thereby obtaining the same results when accessing digital objects

[National Archives of Australia 2012]

Counter Disaster Strategies for Electronic Records
• Duplication and dispersal
• Regular and comprehensive system back-up
• Passwords
• Secure storage facilities for digital devices, including fire resistant housings
• Environmental controls

Other measures include:
• Risk analysis – software packages which are available to help quantify potential exposure to security breaches
• Access levels and privileges – read only, remote access, specific file or directory, ability to upload or download data from mainframe to network database
• Audit trail – audit computer use by providing a comprehensive record of network activity, including who is accessing what data, when and how often
• Distinguishing security level of records (confidential, restricted and open)
• Encryption for restricted and confidential data – process that scrambles data when stored or transmitted so that it becomes unintelligible without a data key. Required software on the other end decodes the information
• Environmental considerations for magnetic media and optical disk storage environment

(Texas State Library and Archives Commission 2013)

End Thank you. Comments/questions Welcome!