Study of Risk Assessment and Business Continuity Management of Analog to Digital Archiving Process in order to Guarantee Reliable System

The process of converting analog files into digital files in the archiving process is a routine activity that needs to have appropriate procedures and is accompanied by a study of the profits and risks that accompany the process. The method of the research to solve this problem was by risk management approach refer to ISO/TR 18128 about risk assessment of recording data and ISO 22301 about Business Continuity Management (BCM). Through risk management, risk analysis review is conducted which determines the risk identification, risk assessment, risk evaluation, and strategies to enhance the ability to handle the digitization process. In other hands, business continuity management provides the potential benefit from the digitization process and guarantee of maintaining a reliable system. The companies to be observed are University, Government, and Financial Company (FC). The discussions are about the risk treatment with the strategy to reduce it and the comparison of maturity BCM from every companies. The result explains the readiest company in implementing analog to digital archiving process and the most company who has more mature in developing Business Continuity Management.


Introduction
The problem in making digital achieve are (1) the size of digital document, for graphic data, it is more accurate and precision if the digital data saved in high resolution, and (2) the format of digital data should be appropriate to be used in next long years [1]. People can read one hundred-year analog document, but it is not the same common treatment for digital data which made by Word Perfect in 1990s to be read now. In appropriate transformation from analog document to be digital document without notice to these problems can create some risk. Digital data theoretically can survive more time than analog document, however some threat can damage digital data such as not well-prepared data migration, redundant data, copy paste accident, false deleting process etc [2]. The research of this paper tries to propose some avoidance procedure so the unnecessary accident in transformation from analog document to digital data not happened. Both analog document and digital data can be damaged in a different way so it needs good planning to preserve data [3] in the meaning of the business continuity process. When natural disaster happened like flood, burning [4], the data should be saved by making protection or back up procedure. Reliable system is defined as when process need to get data or save data so the system will provide the best and appropriate data in a reasonable time [5].

Method
The goals of this research are first, to observe the risk management that should be taken with precaution when transforming data from analog to digital. The second goal is to make sure the digital data obtained in this transformation process can be suitable to be used later. To solve the first goal, it can be done by finding some suggestion and risk analysis from ISO/TR 18128:2014 about assessment of analog to digital archiving process. To solve the second goals is by finding appropriate digital data preservation [3] proposed by ISO 22301:2012 for Business Continuity Management using only two clauses i.e. clause 9 about performance evaluation and clause 10 about improvement. Both goals can be the key to guarantee the reliable system. The method of this research is descriptive qualitative method. The data were obtained from three different organisations, i.e. University, Government and Financial Company (FC) in the local area in the year of 2018.

Reliable System
According to BS ISO 31000, risk is "the effect of uncertainty on objectives… [and] is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood…of occurrence" [6]. The latter can be influenced by the level of reliability. Reliability itself is defined, based on BS 4778 [7], as "the ability of a component or a system to perform its required functions without failure during a specified time interval" [8], but "can also be denoted as a probability or as a success ratio" [5], p. xxvi. Several different techniques for obtaining qualitative or quantitative measures of reliability exist; however, not every method is suitable to be applied to the assessment of offshore energy systems. Some may be more useful than others, and some have to be adjusted or combined to obtain valuable results.
The system for handle the digitizing process has input some archive of analog document which will be scanned to be adobe reader format (pdf) or be rewritten in Microsoft Document (doc). The process can have some failure by some technical factor. The goal of this paper is to make sure the system is reliable or less likely to failure. Some failure can be replay but some processes cannot. By applying risk management, the reliability of system can be guarantee, and some procedures can be made to avoid failure. Beside failure, the availability of digital data and the availability of device [9].

Risk Assessment
Based on ISO/TR 18128:2014 and ISO 3100:2012, the risk assessment according to record process is consist of Risk Identification, Risk Analysis and Risk Evaluation [10]. In Risk Identification, the criteria of risks are well defined, and in Risk Analysis, analytic process to provide information regarding undesirable event which should be taken precautions. The risk is identified by estimating the probability and expected consequences. Based on risk assessment, risk manager can make policy or strategy to deal with the risk and other factor [11]. Company spends a lot of many or contrary does not make budgeting for doing the transformation of analog document to digital data, they improve their operation and more time needed in compliance to law and regulation. However, what happened if recorded data is misfiled, damaged, deleted. The anxiety can be reduced by implementing ISO/TR 18128:2014 about Information and Documentation -Risk Assessment for Record Process and system. The implementation of risk assessment can be on nonbank-Financial Company [12], University, and Government [13].

Business Continuity Management
Although the data are existing, if the data are not ready when the process needed it would be no meaning. Also, when the data are damaged or cannot be used again because it deleted incidentally by human error or natural disaster, the well-established system do not have meaning at all [14]. The risk assessment which assures the process of transformation data have no meaning when one day the system can no longer get the digital data in proper form or proper time as used to be. The databank should be protected and backed up in order to ensure that the system is reliable. Availability of the system should push to maximum condition. Over resolution in making digital picture data can cost in time saving and time loading. Therefore, this is the reason why sometimes the picture data not always scanned and recorded in bitmap format, but rather in vector format [15]. • Clause 10: Improvement

Results and Discussion
The asset to be considered in digitizing analog document are shown at Table 1. The direct asset is the asset which have first impact from the process. While the indirect assets are assets which have collateral impact from the process. The analog document can be in form of certificate, invoice, transfer permit, legal letter or etc, which will be input for the system and digitizing process.

Reliable System
Several long-term surveys have been performed in three types of company for collecting data on installed direct asset. The need for a database for server and scanner in three companies is also emphasised in respect to recording digital data, there is a Reliability, Availability, Maintainability, and Safety (RAMS) database. However, comprehensive data collections for reliability and safety of recording digital data assets are lacking. Directly linked to the RAMS database is the analysis of the data, which provides outputs that are valuable for recording digital data, self-maintenance machines, operation and maintenance strategies, life cycle cost and profit estimates, as well as the assessment of qualifications for new technologies.
In case of a lack of failure rate data, statistical modelling techniques can be applied. The Weibull distribution is commonly used [18] for estimating the failure rate of a system. By changing the shape IOP Conf. Series: Materials Science and Engineering 879 (2020) 012018 IOP Publishing doi:10.1088/1757-899X/879/1/012018 4 parameter of the Weibull distribution, the entire life cycle can be covered and the bathtub curve of the failure rate represented. The model of Reliable model based on Risk Management can be shown in Figure 1.

Risk Assessment
From observation the causality of risk that would be occurred in three type of companies are shown at Table 2. Most of the cause are initiated by the direct asset which influenced by not incomprehensive in implementing safety procedure. High resolution in digital image Paper document are scanned using too high resolution so the file is high capacity There no limit in maximum resolution for scanning process 2 Location of digital file The location of result in digitizing are not written well or has been remove to another location without notification The address location for digital result are not written well. 3 Low resolution When the digital data retrieve from main server, some text or symbol or picture cannot see clearly The analog document are scanned in too low resolution so the detail of the picture in document are not clear of blur 4 Mis-file extension The digital file cannot be opened properly with some application The data are saved in wrong file extension. 5 Not compatible The digital data cannot be opened with some application The application and the file extension in not compatible. 6 Part of data are missed Some of data or part of image are not scanned to be digital data or some of field are blank The data is too large and part of them are not recorded or some of moderated fields are left null/blank 7 Low quality of analog data Some of analog document has less quality in printed so when the document being The analog document is too old or printed in worse Most of the risk is related to direct asset, but risk number 6 (Part of Data missed) is related to indirect asset as reputation of company (see Table 3). Frequency of risk happened in years are defined in rare, unlikely, moderate, likely, almost, as well as certain. The consequence or impact are defined in insignificant, minor moderate, major and catastrophic (see Table 4).  Table 4, University has greater risk frequency to be happened but the impact is still lower than Government and FC. Some risk can be ignored in University i.e. low resolution because the impact is insignificant. All three companies have most problem in Low quality of analog data and part of data are missed. Using Risk Matrix at Table 5, we can conclude the level of risk which happened in this research in 2018 year. Risk Matrix at Table 5 was made based on nature of office with employee below 500 people (see Table 5).  Technically, from the three companies observed, those factors can be simplifying by measured as cost recovery and recovery time as shown at Table 7. Average cost recovery per accident is calculated by totalling the cost recovery data, maintaining asset, liabilities and human cost. And the recovery time is obtained by calculating Time for True Repair (TTR) for total accident. Capability of Tolerance is obtained by measure the distance from linear line for condition without BCM Procedure and with BCM Procedure. From Table 7, the tolerance of Government is the greater, it means the cost saving is more than two other companies. Maturity of BCM was design as shown in Table 8. The risk appetite is obtained from risk level as mention at Table 6. According to the second goal of this research, to make sure the digital data obtained in this transformation process can be suitable to be used later we used clause 9 and clause 10. The survey for maturity level is obtained from Manager R-Type of RACI model [19] and the result is shown in Table 9. From Table 9 can be shown that government and FC has more mature than university. They all have ready in guarantee for maintaining readable system.

Conclusion
There are two main results according to the research goal. First, from the risk view, it can be concluded that the University has greater frequently risk to be happened but the impact is still low than Government and FC. Some risk can be ignored in University i.e. low resolution because the impact is insignificant. All three companies have the most problem in Low quality of analog data and part of data are missed. Second, from the BCM view, the Government has the most saving cost for implementing BCM and so in guarantee for maintaining a reliable system.