Imagine your company is about to enter legal proceedings over alleged failure to honour a contract when your lawyers inform you that your copy of said contract differs from that held by the other party. Can you prove your copy is the correct version?
Or imagine the taxation authority has asked for documents to substantiate claims going back six years, but your organization can only retrieve the relevant transaction records for the past two years. The earlier ones have been deleted in a migration exercise.
Finally imagine there is a fire in the Property Management Office of your organization and the property acquisition files have been irreparably damaged by the fire and the sprinkler system? Are there any backup copies of the title deeds or other acquisition records?
These are all real-life examples of what can happen when an organization’s records risk management is deficient. Most people see records as boring at best and an expensive nuisance at worst. Yet the uncomfortable truth is that when you need them, you really need them.
The risk-record nexus
Records are crucial to any organization. Companies that operate under a risk management programme identify the high-risk areas within their activity and take steps to maintain adequate records to mitigate those risks. If, on the other hand, their records processes and systems are not supported by sound risk management practices, then the very means of addressing their business risks are undermined.
Over the past decade, a number of International Standards have been published to help organizations get to grips with their records management. Now, a new technical report is showing them how to address the inherent risks associated with managing these records. Treading new ground, ISO/TR 18128:2014, Risk assessment for records processes and systems, provides organizations with a systematic and comprehensive method for assessing the risks related to records processes and systems.
Stalking risk
Mapped to the framework of ISO 31000:2009, which sets out the ground principles for managing risk, the new technical report includes a checklist to help records management professionals find their way around the document. It helps them identify, analyse and evaluate risks that need to be included in an organization’s risk management programme. And to faciliate its integration in an existing management system, the technical report has adopted the records process analysis outlined in the ISO 30300:2011 suite of standards, Information and documentation – Management systems for records (MSRs).
ISO/TR 18128 does not address records creation and control as a means of dealing with “business risk”. Prioritizing an organization’s business risks is a matter for senior management and involves a specific records process to identify its recordkeeping requirements. Once the decision to create records has been taken, it becomes the responsibility of the records professional to ensure this is accomplished in an environment of appropriately managed risk.
The bottom line
This technical report is not only aimed at large organizations with a formal records programme and risk management department. It can be scaled to the needs of smaller companies or for analysing the records of a single function or a single business unit.
In contemporary organizations where records – and other strategic information – are stored in a variety of business systems, through a diffuse architecture of multiple databases, localized Web applications, social media sites and mobile computing devices, managing the risks to records is a daunting prospect. In this hybrid environment, having a systematic, process-oriented risk assessment methodology in place will go a long way to identifying and managing those risks, bringing significant benefits to the whole organization – as well as peace of mind.
Risk assessment for records systems
Deputy University Archivist
NSW, Australia
