Risk can come in many forms to our organizations and it is not going away. Management needs to accept that risk is now part of doing business and put measures in place to mitigate it. Being proactive versus reactive is the first step, but also understanding that risk mitigation isn’t about avoiding the risk, but rather about reducing the impact. Risk mitigation is about softening the blow if, or rather when, something happens. Mitigating risk around an organization’s information is arguably one of the most critical things to address. Here are five steps an organization can take to mitigate risk in their Information Governance program. 

Penetration Testing

Information security is a hot topic, and rightfully so. Organizations should look to a third party partner to conduct penetration testing on their network to find the potential vulnerability. The testing should pay special attention to areas where personally identifiable information (PII) may be stored and vital records that are critical for the organization to stay in business. The penetration report will show vulnerabilities and give advice on how to mitigate those vulnerabilities. Protecting your information from outside threats is critical.

Employee Training

Studies repeatedly show that employees are one of the biggest risks to organizations. Whether clicking on malicious links or falling for social engineering, hackers can exploit human nature to get to your information. Ongoing extensive training for all employees can help mitigate this risk. Training should include how to handle and protect information from outside and inside threats.

Privacy Impact Assessment

You can’t know what you need to protect until you know what you have and where you have it.  A Privacy Impact Assessment (PIA) can identify where PII is stored, enabling an organization to protect that information.  PIAs can determine if the information is at risk and help guide an organization in understanding if that information should be securely deleted, encrypted, or moved. PIAs can also help an organization understand what information their vendors have and work with them to mitigate risks on their systems.  An experienced partner in information governance should be able to provide a fully-scoped PIA, compliance, maturity, and other assessments.

Asset Control

Organizations tend to be very good at tracking physical assets such as computers and phones. They need to be equally diligent in tracking information assets. Tracking information gives insights into who has access to what.  Organizations need to have a strong onboarding process for physical assets being added to a network and ensure they don’t give more access than needed to each asset.  While an employee losing an encrypted laptop may be a pain, an employee losing an unencrypted USB drive with sensitive data is a nightmare.

Intrusion Prevention

As much as some would like to hope, there is no way to make a network or system 100% secure.  Having alarms and notifications in place help mitigate risk by letting management know there is an issue immediately.  It takes companies on average 191 days to realize there’s been a data breach. Learning of a breach on day one allows a company to immediately take action to avoid a disaster.

Having a risk mitigation strategy and plan in place are critical to an organization and their IG program. Don’t wait until a disaster happens, take action today to set your company up for success.


Courtney Stone has been in records and information management for 7 years. She received her Bachelor of Arts (BA) in Communications – Public Relations/Advertising from the University of Houston. She is a Certified Records Manager (CRM) and an Information Governance Professional (IGP). Courtney will be graduating from Bay Path University in October with her Masters of Science in Information Management.

Courtney was on the Exam Development Committee for the Institute of Certified Records Management (ICRM) for 2 years. She was on the Advisory Board for DSF from 2017-2018 and has served on the board of ARMA Houston for 3 years. Courtney was the Records and Retention Manager at AMOCO Federal Credit Union from 2014-2019. Courtney is now an Information Lifecycle Management Senior Advisor at USAA.