Australian records managers not ready for terrorism: RMAA

By Paul Montgomery

An expert from the Record Management Association of Australia (RMAA) has warned that Australian records managers are not ready for terrorist attacks, in the wake of the Bali bomb blasts on the weekend.

With attacks on economic infrastructure becoming a very real risk since the events of September 11, many Australian organisations, particularly those in sensitive areas like government, defence and finance, have given more attention to counter-disaster projects.

However, Geoff Smith, president of the NSW branch of the RMAA and chair of its technology and industry standards committee, said that disaster recovery planning in Australian companies had not considered terrorism as a major threat.

When asked if Australian records managers were ready in the event of terrorist attacks, Mr Smith said, "No we're not. I don't think there has been any consideration given to it. Some organisations have been giving consideration to what would happen if things did go down, and the ability to get information back speedily is something that has been of interest, but with things like the latest computer viruses like Bugbear, people weren't even prepared for those things."

Mr Smith said that in the finance sector, there was a question as to which regulatory body should be responsible for setting standards for data storage and disaster recovery policies for companies like the Australian Stock Exchange (ASX). "I don't think ASIC [Australian Securities and Investments Commission] would be doing it, because there has been a turf war as to who is responsible. The current situation is that we are still arguing as to whether ASIC has control over the ASX or not," he said.

Despite this, Mr Smith did say that the ASX's records management and storage procedures "would be under control", as would those of the major banks, although he questioned whether the Reserve Bank and insurance companies would be as ready. "The big insurance houses have tended for a number of years to scrimp and save on those sort of things. They haven't put much money towards it," he said. Mr Smith said that HIH was a "one-off" in terms of over-spending by insurance companies.

Another sector identified as a possible terrorist target is utility companies. "Most of those are going to have problems," said Mr Smith. "They wouldn't have records to know how their systems operate."

Australian utilities have had significant experience with disasters already, although most have been the more regular fires and floods. For instance, in 1994 there was an explosion at a substation owned by the State Electricity Commission of Victoria, which caused a major fire. Unfortunately, the Melbourne City Archives were stored in the same building. While the fire did not spread to the 25,000 paper-based city planning documents, they were damaged by soot and smoke and had to be cleaned afterwards by an external company, at significant cost.

The storage of records near sensitive infrastructure that could come under terrorist attack is another issue which records managers have not dealt with, according to Mr Smith.

"The big problems they have is the need to find low-cost places to store records," he said. "These tend to be places they already own, rather than going to [outsourcers like] the Ausdocs of this world. That means they are under threat not just from terrorists, but from acts of God."

Risk assessments which include the possibility of terrorist attacks must also consider the human element, and Mr Smith advised that companies in particularly sensitive industries look at plans to ensure continuity of leadership in the event of a disaster, by implementing policies like making sure the top two executives don't travel in the same plane.

Mr Smith said that the RMAA itself would not be at the forefront of efforts to tighten up terrorist-related disaster recovery planning, with public sector agencies like the Defence Signals Directorate more likely to play a guiding role.

"Government would have to get involved. I think it would need to provide the direction, because people need to know what issues they actually have. If you're in a government agency, like Defence, you need to know what are the areas in your organisation which are at risk, what you can do to reduce risk, and what are the standards for offsite facilities."

Many DRP projects have previously used the AS4390 records management standard as a starting point for making sure their records are properly stored. AS4390 has now been superseded somewhat by the ISO15489 standard, which was adapted from AS4390, but the ISO standard does not include the mandates on correct storage procedures which AS4390 does, according to Mr Smith.
