In a world where poor management of IT assets has taken center stage in the public eye, it is more important than ever to fully understand our risk exposure and develop innovative ways to manage these risks. From the U.S. News article “E-Waste in Developing Countries” to the 60 Minutes special in which reporters traveled to China to follow the e-waste trail from America, the public eye is on companies managing the disposition of used IT assets. What we have learned from these reports is that there are environmental, public safety, and data privacy risks that must be considered and responsibly managed by all organizations managing old IT assets.
An organization’s exposure to risk is determined by the scale of its compliance program. An immature compliance program can expose a business to vulnerabilities that may lead to legal, financial, and publicity problems, while a mature compliance program can enhance a business’ overall performance and risk management.
The OEM Type of Risk
Whether you are a financial organization, healthcare provider, retailer, manufacturer of electronics (OEM), or other organization that has used electronic assets that have reached the end of their useful life, you are exposed to risk. These risks will vary based on several factors. One factor is your ownership of an electronics brand and the assets that bear your company’s logo; as an OEM, you are subject to producer responsibility laws.
OEMs have a legal requirement to manage old IT equipment in a responsible way that ensures waste is minimized, kept out of landfills, and recycled to recover secondhand commodities. Millions of pounds of e-waste have been exported to developed and developing countries where recovery/recycling technologies and regulatory infrastructure are not sufficient, and these wastes have been dumped in rural communities, resulting in negative environmental impacts and exposure of local populations to toxic materials. This damages the brand and public image of the companies whose brands are represented on these assets.
But, it’s not just OEMs that have this exposure; many companies’ IT departments assign asset tag labels to their internal IT assets — tag labels that identify these assets as company property, and oftentimes these labels are not removed.
The Data Nightmare
Another factor is that organizations may also be exposed to data security risks, as most IT equipment will have data-retaining media. Take-back programs collect old IT assets from businesses and consumers that will retain user data. That data must be destroyed in a secure environment to prevent data breach and the potential release of private or privileged information.
Data breach is a real risk to all companies. We’ve seen many examples in the news over the past several years of large organizations having security vulnerabilities that resulted in the loss of customers’ private information, and of government contractor firms that experienced data breaches because old IT assets were not properly managed in their reverse logistics streams. These risks drive us to be more diligent in how we manage these assets and in how we identify and validate the IT asset disposition (ITAD) firms contracted to perform asset management services.
Most businesses will outsource the management of IT assets to ITAD firms that will manage everything from logistics and remarketing to data sanitization and disposition, but how do we manage these firms in a way that minimizes our risks?
This is where a sound and mature compliance program comes into play. Compliance is often assumed to relate only to regulatory requirements, but that is not the case: a strong compliance program is founded on risk management. First, we must identify our risk profile, a complete list of all identified risks categorized by severity. Once we understand these risks, we can define what our drivers are; for example, a data security risk has the potential to negatively impact a company’s reputation, reduce the company’s ability to generate revenue, or result in loss of revenue from key customer accounts subject to a potential data breach. So, the driver here is the prevention of these negative impacts on the business.
Once we understand our risks and drivers, we can design a compliance program around these risks. The foundation of your compliance program is your global standard or company policies that communicate your risk prevention requirements that are built into your ITAD RFPs and contracts. This ensures that any ITAD firm or subcontractor on-boarded is legally bound to comply or conform to your standard.
Ronald Reagan was quoted as saying “Trust, but verify.” So, the next step is to develop a due diligence process and tools to ensure these firms are adhering to your standard and requirements; simply put, you need an audit program. Audits are a snapshot in time, so regular auditing improves your risk management and your visibility of the ITAD firm’s performance against your standard. Audit tools include, but are not limited to, questionnaires, audit protocols and checklists, and performance-tracking metrics. The audit protocol or checklist should be designed around your identified risks; for example, risks associated with adherence to industry best practices throughout the downstream channels of recyclers should be verified through questions in the audit checklist that look at downstream auditing, communication of policies in agreements, and verification of documentation that demonstrates appropriate implementation of these systems.
Audits are structured in a three-stage approach — pre-audit, on-site audit and investigation, and reporting and corrective actions. Pre-audit is the collection of general information that gives you a detailed view of operational processes, environmental and security policies, permits/insurance, etc. This allows you to appropriately scope the next stage. An on-site audit should include a detailed look into evidential documentation of management systems designed to promote process efficiencies and risk management, and should verify how robustly these systems have been implemented. The reporting/corrective actions stage allows you to communicate deficiencies and manage corrective and preventative actions with the ITAD firm to ensure your risks are appropriately managed and continual improvement measures are implemented.
Achieving 100% risk avoidance is impossible. We will always be exposed to some level of risk, but with a thoughtful approach to compliance and risk management, we can significantly reduce our exposure to these risks and the reward will be well worth the investments we make.