Article Information

Authors:
Cleophas Ambira1,2
Henry Kemoni2

Affiliations:
1Kenya Commercial Bank Ltd, Kenya

2School of Information Sciences, Moi University, Kenya

Correspondence to:
Cleophas Ambira

Email:
cleophasambira@gmail.com

Postal address:
PO Box 1406-00502, Karen, Nairobi, Kenya

Dates:
Received: 20 Feb. 2011
Accepted: 08 Aug. 2011
Published: 28 Nov. 2011

How to cite this article:
Ambira, C.M. & Kemoni, H., 2011, ‘Records management and risk management at Kenya Commercial Bank Limited, Nairobi’, SA Journal of Information Management 13(1), Art.#475, 11 pages. doi:10.4102/sajim.v13i1.475

Copyright Notice:
© 2011. The Authors. Licensee: AOSIS OpenJournals. This work is licensed under the Creative Commons Attribution License.

ISSN: 2078-1865 (print)
ISSN: 1560-683X (online)
Records management and risk management at Kenya Commercial Bank Limited, Nairobi
In This Original Research...
Open Access
Abstract
Records and records management
Risk management
   • Statement of the problem
   • Aim of the study
   • Specific objectives of the study
   • Research questions
   • Significance of the study
Methodology
Theoretical framework
Key findings at Kenya Commercial Bank
   • Business process analysis and records created
   • Nature and types of risks
   • Records management status
   • Records management as an integral part of risk management
   • Management of vital records
   • Respondents’ recommendations
      • Recommendations from clerical staff and section heads
      • Recommendations from branch and operations managers
      • Recommendations from human resource managers
      • Recommendations by central processing centre archiving staff
      • Recommendations from risk managers
      • Recommendations from central archives
      • Recommendations by Information Technology manager
Conclusion
Recommendations
Proposed records management model to support risk management
   • Step 1: Definition of associated risk profile for records management
   • Step 2: Identification of human capital
   • Step 3: Development of records management programme, policy and procedures
   • Step 4: Prepare physical resource requirements
   • Step 5: Staff sensitisation and training
   • Step 6: Management of records in the continuum
   • Step 7: Continuous development
   • Step 8: Monitoring and evaluation
Suggestions for further research
   • Records management and banking service delivery
   • Research in Kenya Commercial Bank branches outside the Nairobi area
   • Research in other banks
   • Electronic records management for banking
Acknowledgements
   • Author contributions
References
Abstract

Background: This paper reported empirical research findings of an MPhil in Information Sciences (Records and Archives Management) study conducted at Moi University in Eldoret, Kenya between September 2007 and July 2009.

Objectives: The aim of the study was to investigate records management and risk management at Kenya Commercial Bank (KCB) Ltd, in the Nairobi area and propose recommendations to enhance the functions of records and risk management at KCB. The specific objectives of the study were to, (1) establish the nature andtype of risks to which KCB is exposed, (2) conduct business process analysis and identify the records generated by KCB, (3) establish the extent to which records management is emphasised within KCB as a tool to managing risk, (4) identify which vital records of KCB need protection because of their nature and value to the bank and (5) make recommendations to enhance current records management practices to support the function of risk management in KCB.

Method: The study was qualitative. Data were collected through face-to-face interviews. The theoretical framework of the study involved triangulation of the records continuum model by Frank Upward (1980) and the integrated risk management model by the Government of Canada (2000).

Results: The key findings of the study were, (1) KCB is exposed to a wide range of risks by virtue of its business, (2) KCB generates a lot of records in the course of its business activities and (3) there are inadequate records management practices and systems, the lack of which undermines the risk management function.

Conclusion: The findings of this study have revealed the need to strengthen records management as a critical success factor in risk mitigation within KCB and, by extension, the Kenyan banking industry. A records management model was proposed to guide the management of records within an enterprise-wide riskmanagement framework in the bank.

Records and records management

A record is defined by the International Standards Office (ISO) 15489–1:2001 standard as information created, received and maintained as evidence and information by an organisation or person in pursuance of legal obligations or in the transaction of business. This definition is shared by a number of authors, who contend that a record can be in any media, paper, electronic or microfilm (Ngulube 2001:155–173; Shepherd & Yeo 2003; Shepherd & Yeo 2006:9–12).

Records management is the activity responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including processes for capturing and maintaining evidence of, and information about, business activities and transactions in the form of records (ISO 15489–1:2001).According to Ngulube (2001), records management is concerned with the creation, organisation, storage, retrieval, distribution, retirement and final disposal of records, irrespective of their form and media. From these definitions, we can therefore deduce that records management entails the application of professional approaches, including systems, standards, procedures and practices, in the care of records. Records management involves the systematic handling of every stage ofrecords care from the time of creation to the records’ disposal. The objectives of records management are (ISO 15489–1:2001):

• setting policies and procedures
• assigning responsibilities for records management at various level within the organisation
• setting best practice standards
• processing and maintaining records in safe and secure storage
• implementing access policies
• implementing a records retention and disposal policy
• integrating records management into business systems and processes
• assigning, implementing and administering specialised systems for managing records
• providing a range of services relating to the management and use of records.

Some of the benefits of setting up a good records management programme and practice in an organisation include (International Records Management Trust 2009:7– 20; Roper & Millar 1999:5–20; Stephens 1995):

• Control of records creation and growth. An effective records management programme addresses both creation control (i.e. it limits the generation of records or copies not required to operate the business) and records retention (a system for destroying useless records or retiring inactive records), thus stabilising the growth of records in all formats.

• Improvement of efficiency and productivity. Time spent searching for missing or misfiled records is non-productive. A good records management programme can help any organisation upgrade its recordkeeping systems so that information retrieval is enhanced, with corresponding improvements in office efficiency and productivity.

• Ensuring regulatory compliance. The only way an organisation can be sure reasonably that it is in full compliance with laws and regulations is by operating a good records management programme which takes responsibility for regulatory compliance.

• Cost reduction. Professional records management helps organisations save on the costs of space and equipment, which are engaged to manage recordsthat would otherwise have been disposed.

• Risk mitigation. Adequate records management protects organisations from risks resulting from insufficient or inadequate information such as weak management decision-making, a negative corporate image and the loss of client confidence.

• Assimilation of new records management technologies. A good records management programme provides an organisation with the capability to assimilate new technologies and take advantage of their many benefits.

• Knowledge sharing. A key perspective of organisational performance management is knowledge sharing. Proper records management ensures that critical knowledge is captured and preserved for sharing across the organisation to sustain competitive advantage and ensure continuity in service and product delivery.

Risk management

The Government of Canada’s (2000) integrated risk management model (IRMM) defines risk as the uncertainty that surrounds future events and outcomes. It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organisation’s objectives. Risks exist as operational, strategic, compliance or reputational risk (Central Bank of Kenya 2000; CBK 2005; Mwisho 2001:16–49). Operational risk, also called transaction risk, is the riskarising from fraud, error and the inability to deliver products or services, maintain a competitive position and manage information. Strategic risk is the risk arising from adverse business decisions or improper implementation of those decisions. Compliance risk is the risk arising from violations or non-conformance with laws, rules, regulations, prescribed practices, or ethical standards. Reputational risk is the risk to earnings or capital arising from negative public opinion (Buttle 1999;Chance 2004; Comptroller’s Handbook 2008; Lore & Borodovsky 2002).

In the banking industry, risk management has become even more essential due to the nature of the business, which is essentially to safeguard people’s money(Ioannis 2008:56–75). Banks deal with sensitive financial services that are equally marred by various risk issues that impact on their services to their clientele (Gup & Kolari 2005; Nyaoma 2005). With regard to risk management in the banking industry, records management is critical in minimising risk exposure within banks. Poor records management poses challenges to banks in their effort to manage risk. A number of scholars (Makhura 2008; Sampson 2003; University of Technology Sydney2008; Williams 2007) contend that weak records management programmes, systems and practices have remained a problem and a major hindrance in developing watertight risk management strategies in the banking industry, as well as other financial institutions; hence, the challenge of managing risk in banks remains a complex matrix.

According to Gorrod (2004), commercial banks are exposed to risks such as frauds, system failures and failures to enforce compliance with existing regulatory framework. These risks are usually exacerbated by weak information and record management systems and practices. Gorrod’s opinion is also shared by Borodzicz(2005) and Richard (2006), all of whom contend that effective records management is the foundation upon which institutions can demonstrate legal compliance, regulatory compliance, high standards of corporate governance and sustain operational efficiency. Records management may also deliver additional benefits to an institution through the reduction of overheads, the protection of assets and the streamlining of business processes.

Statement of the problem
In Kenya, it is a requirement by the Central Bank of Kenya (CBK) that all commercial banks must establish a risk management unit dedicated to risk managementwithin the banks (CBK 2005). The CBK notes that risk-taking is an inherent element of banking and, indeed, profits are, in part, the reward for successful risk taking in business. Poorly managed risk can lead to losses and thus endanger the safety of a bank’s deposits (CBK 2005; CBK 2006; Njuguna 2007).

This study was necessitated by the increasing neglect of records management at KCB, despite wide exposure to risks by the bank. The main research question was to establish the role of records management in risk mitigation at KCB. The nature of KCB’s banking activities expose it to a variety of risks, including credit risk, liquidity risk, market risk, operational risks and interest rate risks. KCB has consequently, and pursuant to the CBK’s requirements, established a risk managementdivision, entirely dedicated to the function of risk management. This division has instituted a number of measures to mitigate risks in the bank. However, no decisive action has been taken by the division to improve records management in the bank as a risk management strategy. Consequently, records management in KCB remains low key, poorly administered and not a priority of the division in its risk management activities. Lack of enforcement of strong records managementsystems and practices continue to expose the bank to enormous risks accruing from weak records keeping regimes, ultimately undermining the entire function of risk management. There is no comprehensive records management policy and/or programme to guide the function of records management in KCB. In addition, KCB’s strategic objectives do not mention anything to do with records or even information management. The management of records is decentralised, with everydepartment or branch entirely responsible for its own records. There is no central control or supervision to ensure standardisation of records management practices across the bank. This is despite the fact that risk management at KCB enjoys central control from the risk management division located at its head office, which enforces uniformity across the KCB network. Consequently, existing records management systems and practices continue to undermine risk management efforts atKCB, especially for those risks accruing from inadequate records management.

The problem of weak records management at KCB therefore presented a potential research area that needed intensive and extensive investigations. This wasnecessary to establish the place and role of records management in mitigating risk in KCB and subsequently submit appropriate recommendations to improve the situation in KCB and, by extension, other commercial banks.

Aim of the study
The aim of the study was to investigate records management and risk management at Kenya Commercial Bank (KCB) Ltd, in the Nairobi area and propose recommendations to enhance the functions of records and risk management in KCB.

Specific objectives of the study
The specific objectives of the study were to:

• Establish the nature and type of risks to which KCB is exposed.
• Conduct business process analysis and identify the records generated by KCB and their roles in business activities.
• Establish the extent to which records management is emphasised within KCB as a tool to managing risk and its role in risk mitigation.
• Identify vital records of KCB that need protection because of their nature and value to the bank.
• Make recommendations to enhance current records management practices to support the function of risk management in KCB.

Research questions
The main concern for this study was to identify the role and place of records management in risk mitigation at KCB. This was addressed through the followingresearch sub-questions:

• What are the main business activities of KCB and what records are generated out of these activities?
• What are the types of risks that KCB is exposed to in its activities?
• What is the nature of records management systems and practices at KCB?
• How adequately do existing records management practices support risk management?
• What framework informs the activities of vital records management and disaster management for records at KCB?

Significance of the study
The findings of the study are expected to help KCB strengthen risk management strategies by more specifically emphasising records management as a critical component in scaling up risk mitigation. The study will also enlighten the management and staff of KCB on the importance of records management in risk management. The study has revealed the impact of recordkeeping systems and processes on staff performance and their subsequent influence on risk management.The research contributes to the body of knowledge on records management and risk management and informs the development of policy, practice and theory of records management as an integral part of risk management in the banking industry. The study has also made appropriate recommendations useful for supporting risk management and has provided a records management model within the context of risk management that will foster risk management at KCB.

Methodology

The study population sample size constituted 36 respondents drawn from 5 KCB Nairobi branches (Moi Avenue, Jogoo Road, Kipande House, River Road and SaritCentre) and 5 Head Office units. This population sample size included 19 non-management staff and 17 management staff, as indicated in Table 1.

The data collection instruments were face-to-face interviews complemented with observations. Qualitative approaches were used to analyse, present and interpretdata. Data presentation is descriptive in nature and analysis has been done according to study objectives, primarily to focus on specific issues as defined by the objectives of the study.

This study utilised simple random sampling and purposive sampling. Simple random sampling was used in this study specifically in selecting the clerical and section head staff. The purposive sampling technique was extremely useful in this study for the selection of interviewees within the head office of KCB and its branches. It was also useful in identifying the branches within the Nairobi area from which the clerical and section head staff were selected randomly. Theinterviewees chosen were those with a direct strategic or operational role in both risk management and records management, such as branch managers, branch operations managers and risk management managers. The branches were purposely selected depending on their size and volume of activity, therefore a few large branches and a few small branches were selected.

TABLE 1: Study population sample size (N = 36).

Theoretical framework

The study was informed by Frank Upward’s (1980) records continuum model (RCM) and the Government of Canada’s (2000) IRMM. This was done throughtriangulation of the RCM and IRMM. Triangulation mixes theories, methods and multiple data sources to strengthen the credibility and applicability of findings (Hoque 2006).

The RCM was formulated in the 1990s by Australian archival theorist, Frank Upward (Xiaomi 2001). The Australian Records Management Standard AS4390 defines the RCM as a consistent and coherent regime of management processes from the time of the creation of records (and before creation, in the design of recordkeeping system) to the preservation and use of records as archives (Australian Standards Organisation AS4390 1996, Part 1: clause 4.22). The continuum concept captures themodern definition of records, that is, one which is inclusive of the key elements of content (the facts about the activity), context (information about the circumstances in which the record was created) and structure (relationship between the constituent parts). Flynn (2001:79–93) explains that the RCM is significant because it:

• Broadens the interpretation of records and recordkeeping systems offered by the lifecycle model. Such broadening is helpful, given the variety of contexts in which archivists and records managers operate and in which archives and records are used.

• Reminds us that records (including archives) are created and maintained for use as a result of business and administrative functions and processes, ratherthan as ends in themselves.

• Emphasises cooperation beyond the walls of repositories, especially between the closely related professions of archives administration and records management – a cooperation that is more important than ever in the contemporary climate of outsourcing and cross-sectoral working.

The IRMM was proposed by the Government of Canada in 2000, under its then new management framework entitled Results for Canadians. Integrated risk management is a continuous, proactive and systematic process to understand, manage and communicate risk from an organisation-wide perspective. It is aboutmaking strategic decisions that contribute to the achievement of an organisation’s overall corporate objectives. The IRMM has four key elements for management of risk namely, (1) developing the corporate risk profile, (2) establishing an integrated risk management function, (3) practicing integrated risk management and (4) ensuring continuous risk management learning. As such, the IRMM provides a clearer and holistic step by step model for risk management. This model provides aclear pattern within which the function of records management can be evaluated as a tool for risk management. The model’s presentation is such that it advocates for establishment of risk management frameworks across the organisation, right from the first step of developing a corporate risk profile. The IRMM does not focus onlyon the minimisation or mitigation of risks but also supports activities that foster innovation, so that the greatest returns can be achieved with acceptable results, costs and risks (Government of Canada 2000; Graham 2004).

Key findings at Kenya Commercial Bank

Business process analysis and records created
The bulk of business activities in KCB are direct financial activities. These include:

• local currency deposits
• credit facilities (loans, overdrafts, credit cards, short-term and medium-term loans, local bills discounts)
• guarantees (bid bonds, performance bonds, commercial guarantees)
• issuance of cheques
• safe custody
• foreign currency deposits
• international trade finance
• mortgage financing
• asset-based financing
• and community social responsibility.

Figure 1 indicates the distribution of financial and non-financial (control and support) activities at KCB, as reported by respondents.

Five (45.45%) of the eleven clerical staff interviewed were involved in teller activities, two (18.18%) in clearing activity at the central processing centre, two (18.18%) in back office operations at custody services and two (18.18%) in filing at the credit unit. Branch managers are responsible for the day-to-day management of the respective branch. The branch operations managers report to the branch manager and are responsible for daily operational activities. A total of five branch operations managers were interviewed. Most of the core banking activities that relate to funds management, such as deposits, withdrawals, transfers and even loans, fall directly under the operations managers. Examples of records generated from these core financial activities include:

• transaction vouchers
• account statements
• customer files
• cheques
• daily ledger books
• investment reports
• loan performance reports
• fraud reports
• funds transfer reports
• forex statements
• circulars and daily correspondence relating to customers, staff and business issues.

Besides the financial activities, there are also support and control activities which include such activities such as HR management, auditing, clearing, financial management, information technology, and facilities and estate management. Examples of records generated from the non-financial support and control activities include:

• personnel records
• audit reports
• annual accounts and financial statements
• estate and facilities reports
• ICT deployment status reports and periodic financial turnover reports.

Risk management is a critical business activity within the banking industry. The findings indicated that the bulk of business activities in the bank are sensitive activities that relate to the core of the economy of the society – money. This implies that by the very nature of these business activities, the need for adequate riskmanagement is high. Consequently, the need for records management in principle is also high, despite the inadequacies revealed in the study. From the findings of the study, it can be concluded that records management is a critical activity for KCB, given the need for strong risk management which records management underpins.

FIGURE 1: Business activities at Kenya Commercial Bank.

Nature and types of risks
The most prevalent type of risk in the banking industry is operational risk. The other risks include compliance, strategic and reputational risks, as indicated in Figure 2. Operational risks do not only include acts of fraud, management failures, weak systems and human error but also inadequate records management.

Of the 19 non-management respondents (clerks and section heads), 63.15% cited operational risk, whereas 70.00% of branch and operations managers cited operational risks as the most prevalent risks affecting their performance. All 10 (100%) branch managers and branch operations managers acknowledged exposure torisks (Table 2).

One of the two respondents (50.00%) from the risk management division noted that KCB is exposed to ‘people risks, systems risks, process risks and threats fromexternal events’. The other respondent (50.00%) reported that KCB is at the stage where risk culture sensitisation and embedment are taking place, which involves communicating on risk practice and culture, couching risk approaches in terms of value creation and preservation, identifying, analysing and evaluating the risks, and ‘putting in place and implementing frameworks and policies for treating risks and monitoring and reviewing the risks’.

Both respondents from the HR division (100%) indicated that they are exposed to risks. Those risks cited included: ‘risks of losing data through fire, computer crush and viruses’, ‘unauthorized access to records’, ‘frauds committed by staff who did not go through a thorough vetting process’. It can be concluded from thesefindings that there is a high risk exposure in KCB.

FIGURE 2: Risk profile at Kenya Commercial Bank.

TABLE 2: Types of risks cited by branch and operations managers (n = 10).

Records management status
The study revealed inadequacies in records management at KCB. There is no comprehensive professionally drawn records management programme (RMP) other than the operations manual, which is limited.

In relation to the availability of a formal RMP in their respective units or departments, 15 (78.95%) of the 19 clerks and section heads interviewed indicated that their departments do have a formal RMP. Two (10.52%) said they do not have such a programme and two (10.52%) said they did not know. However, when probed further, the respondents revealed that the RMP being referred to was the recordkeeping guidelines provided by KCB’s operations manual and internal departmentalor branch practices and not a formally and professionally drawn RMP for the bank. The scope of these guidelines was limited to retention and disposition of vouchers after an audit. In relation to satisfaction with existing records management practices and systems by the 19 non-management respondents, 1 (5.26%) respondent expressed satisfaction, 8 (42.11%) said they are entirely not satisfied, whilst 10 (52.63%) said they are partially satisfied.

Of the 10 branch managers and operations managers interviewed, 6 (60.00%) respondents said their branches or departments have an RMP in place, whilst 4 (40.00%) said they do not have a programme. Seven (70.00%) managers indicated that they have dedicated staff for records management, whereas three (30.00%) said they didnot. Of the seven respondents with dedicated staff for records management, five (71.43%) indicated that these staff members have no formal training in this process, whereas two (28.57%) said that their staff members have just undergone on-the-job training. Eight (80.00%) of the ten respondents said their staff are well informed on the value of records management, whereas two (20.00%) said their staff lack the required knowledge. All 10 (100%) respondents acknowledged the inadequacy ofexisting systems in fostering efficiency and effectiveness within their branches.

The central archives did not have any form of documented guidelines on archiving records under their custody. The respondent reported to ‘have all the informationin the[ir] head’ and nothing documented for reference. Indeed, even the KCB operations manual’s provisions on records management do not cater for archiving and archiving management.

Both respondents (100%) from the HR division indicated that there is a formal policy for managing personnel records in KCB. On further probing the elements of the policy, the respondents indicated that the policy covers the following aspects: description of file – numerical description using staff numbers, components of personnel files, ‘access controls to personnel information’, ‘access to HR registry’ and retention of personnel files.

Feedback from the respondents of the risk management division was as follows: one respondent (50.00%) reported the absence of such a framework, whilst the other (50.00%) noted that each risk management discipline and each branch provide detailed records management frameworks for their particular area of interest. Both(100%) respondents noted that proper recordkeeping is treated as a cornerstone of risk management by the risk management division. The two respondents cited concerns that the existing records management systems and practices in KCB do not adequately foster efficiency and effectiveness.

From these findings, it can be concluded that records management in KCB is inadequate and that it requires strengthening to sufficiently support risk management.

Records management as an integral part of risk management
The study findings revealed that there are enormous risks that arise as a result of inadequate records management in KCB. The respondents were asked which of thefour categories of risks they thought was most affected by inadequate records management. Their responses are indicated in Figure 3.

Eighteen (94.74%) of the nineteen respondents indicated that they are exposed to risks arising from records management inadequacies, whilst one (5.26%)respondent reported a lack of exposure to any risk due to records management. These risks included:

• loss or misplacement of records
• long retrieval times affecting management decision-making
• inadequate information which affects quality of decisions
• dissatisfied customer due to delayed retrieval of customer records
• exposure to acts of fraud perpetrated through weak recordkeeping systems.

On whether existing records management systems sufficiently serve to mitigate risks, 7 (36.84%) observed that existing records management infrastructure does notmitigate risks at all, 6 (31.58%) said it partially mitigate risks and 6 (31.58%) said it sufficiently mitigate risks. When asked whether records management systems and practices impact their motivation in work, 17 (89.47%) respondents agreed, indicating that poor storage, misfiling and misplacement of files is frustrating to them and negatively impacts their work morale. Two (10.53%) respondents said their motivation is not affected by the existing systems.Of the 10 branch managers and operations managers sampled, 3 (30.00%) said the existing records management practices in their branches sufficiently support risk mitigation, 2 (20.00%) said they offer no risk mitigation support and 5 (50.00%) said that these practices partially support risk mitigation. Regarding the prevalence of risk categories, 6 (60.00%) of the 10 branch managers and operation managers cited operational risks as the most prevalent, 1 (10.00%) cited reputational risks, 2(20.00%) cited compliance risks and 1 (10.00%) cited strategic risks. Regarding the degree to which records management is valued as a risk management strategy, 7 (70.00%) respondents reported a high value, whereas 3 (30.00%) noted a very low value.

The respondent from CPC archiving reported there was a working relationship between the CPC archiving section and the risk management division. It was reported by the respondent that the risk division ‘vets existing procedures at the CPC archiving section and flag risk areas that need mitigation.’

When asked whether the existing records management practices support the department in risk mitigation, one (50.00%) of the two respondents from the HR division said ‘not fully’, whereas the other respondent remarked ‘no’.

It can be concluded from these findings that existing records management systems and practices at KCB do not adequately foster risk management and that they, in fact, contribute to risk exposure within KCB.

FIGURE 3: Risk categories most affected by inadequate records management systems.

Management of vital records
The findings of the study revealed that KCB emphasises the management of vital records, given the investment made in storage equipment and authority controls for the handling of vital records. The bulk of vital records held in the bank are those belonging to clients who have deposited their important documents for safecustody. These include: title deeds, academic documents, wills, partnerships, agreements and investment certificates.

Thirteen (68.42%) of the nineteen clerks and section heads interviewed reported to have vital records in their units, whilst five (26.32%) said they do not hold vitalrecords. One (5.26%) respondent reported to be unsure of whether their department has vital records or not. Those who reported to have vital records cited such records to include client security documents such as title deeds, company registration certificates in safe custody, academic certificates in safe custody and collateral documents such as car log books for clients afforded car loans. However, of the 13 who acknowledged the availability of vital records, only 8 (61.54%) reported tohave a vital records management programme, whilst 4 (30.77%) said they have none. One (7.69%) respondent did not know.

Of the 10 branch managers and operations managers, 6 (60.00%) reported to have vital records and vital records management programmes in place, whilst 4 (40.00%)said they are not clear on the status of vital records in their units. Eight (80.00%) of the ten respondents expressed deep concern that the state of disaster management for records was only better for vital records in safe custody and very inadequate for the bulk of other records (i.e. those not in safe custody). Four (40.00%) respondents noted that some of the records storage areas had no access controls, meaning that anyone could access the rooms.

All (100%) the branch managers revealed that every KCB branch has a security safe – which is fireproof – to protect the vital documents. Registers to control access to the safes have also been prepared and are audited periodically. The emphasis on the vital records could be as a result of the direct financial implications of theserecords, given they are a source of business to the bank and therefore a core area on which to focus, as opposed to ordinary records, which are viewed to be of secondary concern.

It can be concluded from these findings that the bank has given priority to vital records management but not to the management of ordinary daily transactional records, which apparently tends to be the channel for most cases of fraud and the cause of most operational risks.

Respondents’ recommendations

Recommendations from clerical staff and section heads
Amongst the recommendations made by the respondents were the following:

• ‘computerisation of the records management processes’
• ‘standardisation of arrangement and description of records and files’
• ‘staff training in records management’
• ‘establishment of a formal records management programme for KCB’
• ‘centralisation of records management’
• ‘improvement of records security and disaster management’
• ‘appraisal of records to prevent accumulation of unnecessary records’
• ‘designate specific staff to records management activities in all branches and departments’
• ‘improve security of electronic records’
• ‘establish methods to establish records authenticity’.

Recommendations from branch and operations managers
Recommendations by respondents under this category included:

• ‘computerisation’
• ‘training of staff on records management’
• ‘centralisation of management of records’
• ‘microfilming’
• ‘improvement of disaster management for records’.

Recommendations from human resource managers
Recommendations by the HR managers were:

• ‘more investment in electronic records which are easily stored, retrievable and accessed’
• ‘increased training on records management’
• ‘use of technology in records management’.

Recommendations by central processing centre archiving staff The respondent from central processing centre (CPC) archiving suggested that, ‘as a way forward, I feel we may need software that manages the system of the records archived’.

Recommendations from risk managers
The respondents from the risk management division made the following recommendations:

• ‘digitising records and planning for comprehensive document management software’
• ‘KCB should adapt modern records management practices, especially digitising critical records and instituting comprehensive records managementsystems with successive levels of offsite and secure electronic backup systems’.

Recommendations from central archives
The recommendations made by the respondent from central archives were:

• ‘automation of the records management systems’
• ‘invest in training of staff on importance and technical skills for records management’
• ‘enforce internal controls and professional records management standards’.

Recommendations by Information Technology manager
The Information Technology (IT) manager made the following recommendations:

• ‘There is need to control access to the e-records based on authorities within the various business units and branches that create and own the records.’
• ‘A more comprehensive programme for managing e-records should be developed to match technology changes and business changes, instead of relyingon the operations manual which may have aspects which are already obsolete’.
• ‘Given increasing risk exposure, there is probably need to rethink the entire process of managing records and create better working relationship regarding records management between the IT, risk division and business units.’

Conclusion

This research endeavoured to study the role of records management in risk mitigation at KCB. A broader result of the study has been the recognition of the fact thatrecords management has a strong impact on risk management. The study revealed that inadequate records management undermines risk management and it can be a breeding ground for more risks. The study also revealed that the nature of business at KCB exposes it to enormous risks that require comprehensive and integrated approaches to risk mitigation. Specifically, it revealed that KCB is faced with various risks associated with records management. The overall conclusion of the studyis that existing records management systems and practices are inadequate and undermine the risk management function and that immediate attention by KCB management is required to review existing records management systems to ensure they sufficiently support risk management.

Recommendations

The study made the following recommendations that could be useful in strengthening records management as a critical success factor and integral part of risk management at the KCB head office and Nairobi area branches:

• Policy and procedures. There is need for the KCB operations division, which is responsible for developing all KCB operational procedures and standards, to develop a comprehensive enterprise-wide records management programme for KCB to control and standardise records management practices across the bank.

• Central control of records management. There should be a central office established within the operations division and a professionally trained records manager should be recruited to that office to control records management activities in the bank. An alternative to this, at minimum, should be a department to cater for records management under the risk management division.

• Training and sensitisation. The KCB training and development department should invest in staff training in records management, preferably for all the staff of the bank.

• Professional personnel for records management. The KCB retail, risk management and HR divisions should facilitate the establishment of positionsof records officers in the departments and/or branches, or review the duties of filing clerks with a view to expanding them to cater for all day-to-day records management functions.

• Automation. There is need for the IT division, in conjunction with the operations division, to automate file tracking activities by the introduction ofcomputerised file tracking systems. This will address concerns raised by the respondents of long retrieval periods due to misplacement and misfiling of records.

• Electronic records management. The KCB IT division, together with the operations division should also develop and implement a comprehensive electronic RMP.

• Quality assurance and systems audit. The risk management and auditing divisions should ensure enforcement of procedures to allow for consistent appraisal of records. This is paramount to avoid accumulation of records for unnecessarily long periods, compromising physical and intellectual control of the records and exposing KCB to risks.

• Integration. There is urgent need for the risk management division to integrate records management within the KCB’s enterprise-wide risk management strategy.

• Vital records management. A comprehensive vital records management programme should be developed by the KCB operations division.

• Disaster management. A disaster management programme for records should be developed by KCB to establish standards for records protection. This programme should cover all aspects and types of disasters including artificial and natural.

Proposed records management model to support risk management

The study proposes a model that could be used to ensure adequate records management in KCB to support the function of risk management. The suggested model presents eight stages that KCB would have to go through to ensure there is adequate records management support for risk management. These stages andsubordinate action points under each are shown in Figure 4. This model has been adapted from existing models on records management and risk management.

FIGURE 4: The proposed records management model for Kenya Commercial Bank.

Step 1: Definition of associated risk profile for records management
Identify all risks associated with records management and relate records management to enterprise-wide risk management. Indicate how improved records management will assist in downscaling or eliminating these risks. Indicate the overall value of improved records management to the bank, with an emphasis on risk management benefits.

Step 2: Identification of human capital
Identify personnel requirements for the right people needed to drive the records management process. Identify what constitutes records management expertise,including professional qualifications, ICT skills and expected roles in the records management function. Identify other personnel who could be useful in the management of records, such as ICT staff, risk management experts and legal experts.

Step 3: Development of records management programme, policy and procedures
Draw up specific records management policy, programme and procedures manuals authorising and positioning the records management function within the company administrative hierarchy and defining its authorities of responsibilities.

Step 4: Prepare physical resource requirements
Establish storage areas for the records and necessary and appropriate storage equipment for all types of records – ordinary records, vital records and electronicrecords. Consider security, preservation and disaster management issues when allocating and preparing physical resources. Identify and set up locations for records centres and an archival repository. Establish necessary ICT infrastructure for e-records and prepare disaster management and response tools and equipment.

Step 5: Staff sensitisation and training
Train all company staff on the value of records management in ensuring business growth, stability and risk management, clearly identifying the risks accruing from poor records management.

Step 6: Management of records in the continuum
This refers to the full day-to-day management of records in the organisation based on an established programme, policies and procedures, driven by physicalresources and infrastructure and by the identified personnel and staff, from creation to disposition.

Step 7: Continuous development
This involves the continuous improvement of the records management systems to match the organisational changes, industry changes and paradigm shifts in records management and risk management practices.

Step 8: Monitoring and evaluation
The final step is to review the records management systems regularly to ensure they reflect the aspirations of the organisation and contribute to the overall success of the parent organisation.

Suggestions for further research

Records management and banking service delivery
There is need for further studies to reveal the current state of records management at KCB and its impact on service delivery. Research on the nexus between records management and service delivery would have a direct impact on risk mitigation because efficient service delivery systems contribute heavily towards risk mitigation.

Research in Kenya Commercial Bank branches outside the Nairobi area
This study limited itself to KCB branches in the Nairobi area, targeting the head office and five branches in Nairobi. There is need to conduct a similar study in otherKCB Branches in Kenya and other countries where KCB operates to reveal the status of records management in these branches. This will be necessary to understand whether the findings of this study are indeed representative of the entire bank.

Research in other banks
There are approximately 50 commercial banks in Kenya. This study confined itself to KCB but it is suggested that a similar study could be conducted in other banks to reveal the status of records management and risk management across the Kenyan banking industry. This would be necessary to establish any similarities anddifferences amongst banks on records management practices and identify the factors contributing to these similarities or differences.


Electronic records management for banking
This study revealed that there is a significant use of electronic platforms to transact business in KCB. As a result, large numbers of electronic records are generated. Further research and development in the area of electronic records management in the banking industry would be useful to advise this industry on how it can dealcomprehensively with electronic records management.

Acknowledgements

We thank all the respondents who participated in this study and provided us with useful data that formed the backbone of the study. We are deeply indebted to the Director of Human Resources at Kenya Commercial Bank, who approved the use of Kenya Commercial Bank as the case study for the research.

Author contributions
This article was written by Cleophas Ambira, with meaningful and concise contributions throughout the text by his supervisor, Prof. Henry Kemoni.

References

Australian Standards Organisation, 2004, ‘Risk management standard (AS/NZS 4360:2004)’, viewed 13 September 2008, fromhttp://www.riskmanagemeent.com.au

Borodzicz, E., 2005, Risk, crisis and security management, John Wiley & Sons, New York.

Buttle, J., 1999, Risk management in banking, viewed 24 March 2008, from http://www.apra.gov.au/risk_management_banking.pdf

Central Bank of Kenya, 2006, Prudential regulations for banking institutions, CBK, Nairobi.

Central Bank of Kenya, 2005, Risk management guidelines, CBK, Nairobi.

Central Bank of Kenya, 2000, Prudential guidelines for banking institutions, CBK, Nairobi.

Chance, D.M., 2004, An introduction to derivatives and risk management, 6th edn., Thomson, Singapore.

Comptroller’s Handbook, 2008, Country risk management, Comptroller of The Currency USA, Washington, DC.

Flynn, S.J.A., 2001, ‘The records continuum model in context and its implications for archival practice’, Journal of the Society of Archivists 22(1), 79–93. http://dx.doi.org/10.1080/00379810120037522

Glyn, H.A., 2004, ‘Defining risk’, Financial Analysts Journal 60(6), 19–25. http://dx.doi.org/10.2469/faj.v60.n6.2669

Gorrod, M., 2004, Risk management system: Technology trends, finance and capital markets, Palgrave Macmillan, Basingstoke.

Government of Canada, 2000, Integrated risk management model, viewed 20 September 2008, from http://www.tbs-sct.gc.ca

Graham, A., 2004, Integrated risk management: Implementation guide, viewed 02 October 2008, from http://post.queensu.ca/~grahama/

Gup, B. & Kolari, J., 2005, Commercial banking: The management of risk, 3rd edn., John Wiley & Sons, New York.

Hansson, S.O., 2007, ‘Risk’ in N.Z. Edward (ed.), The stanford encyclopaedia of philosophy, Stanford University, Stanford, viewed 20 September 2008, from http://plato.stanford.edu/entries/risk/

Hoque, Z., 2006, Triangulation. What is it, when to use it and how to use it?, viewed 25 September 2008, from http://72.14.205.104

International Records Management Trust, 2009, Understanding the context of electronic records management, pp. 7–20, IRMT, London.

International Standards Organisation, 2001, ISO 15489-1:2001 Information and documentation: Records management standard, ISO, Geneva.

Ioannis, V.K., 2008, ‘Trust and risk communication in setting Internet banking security goals’, Risk Management Journal 10(1), 56–75. http://dx.doi.org/10.1057/palgrave.rm.8250035

Kemoni, H., Ngulube, P. & Stilwell, C., 2007, ‘Public records and archives as tools for good governance: Reflections within the recordkeeping scholarly and practitioner communities’, ESARBICA Journal 26, 3–18.

Lore, M. & Borodovsky, L., (eds.), 2002, The professional’s handbook of financial risk management, Butterworth-Heinemann, Oxford.

Makhura, M., 2008, ‘The importance of records management in audit: South African experience’, paper presented at the 16th ICA congress in Kuala Lumpur, 21–27th July.

Mwisho, A.M., 2001, ‘Basic lending conditions and procedures in commercial banks’, The Accountant 13(3), 16–49.

Nangomasha, C.T., 2009, ‘Managing public sector records in Namibia: A proposed model’, Information Development 25(2), 112–126. http://dx.doi.org/10.1177/0266666909104712

Ngulube, P., 2001, ‘Guidelines and standards for records management education and training: A model for Anglophone Africa’, Records Management Journal 11(3), 155–173. http://dx.doi.org/10.1108/EUM0000000007273

Njuguna, N., 2007, ‘Implementation of Basel II risk management framework within banks and the prevention of financial crime’, address by Prof. Njuguna, Governor, Central Bank of Kenya, Nairobi, 20 August.

Nyaoma, G.A., 2005, ‘Risk management in banks’, press statement issued on behalf of Central Bank of Kenya, Nairobi.

Richard, E., 2006, Credit risk management policy & strategies: The case of a commercial bank in Tanzania, BA Publications, Johannesburg.

Roper, M. & Millar, L. (eds.), 1999, Managing public sector record, pp. 5–20, IRMT, London.

Sampson, K.L., 2003, Value added records management: Protecting corporate assets, reducing business risks, 2 edn., Greenwood Publishing Group, Westport.

Shepherd, E. & Yeo, G., 2003, Managing records: A handbook of principles and practices, Facet Publishing, London. http://dx.doi.org/10.1108/09565690610654747

Shepherd, E. & Yeo, G., 2006, ‘Why are records in the public sector organisational assets?’, Records Management Journal 16(1), 9–12.

Stephens, R.B. (1995). ‘Ten business reasons for records management in information and records management: Document based information systems’, United States Environmental Protection Agency, viewed 20 December 2008, from http://www.epa.gov/records/what/quest1.htm

University of Technology Sydney, 2008, Risk management programmes for records, viewed 14 September 2008, from http://www.records.uts.edu.au

Upward, F., 2000, ‘Modeling the continuum as a paradigm shift in recordkeeping and archiving processes and beyond – A personal reflection’, Records Management Journal 10(3), 115–139.http://dx.doi.org/10.1108/EUM0000000007259

Williams, C., 2007, ‘The research imperative and responsible recordkeeping professionals’, Records Management Journal 17(3), 150–156. http://dx.doi.org/10.1108/09565690710833053

Xiaomi, A., 2001, ‘A Chinese view of records continuum methodology and implications for managing electronic records’, presentation at the International Symposium on OA System and Management of Archival Electronic Records: Theory and Practice, Handzhou, South East China, 11–13 November, viewed 20 August 2008, from http://www.caldeson.com/RIMOS/xannum.html