The risk/records management nexus. How to approach it in practice?
Written by Carlota Bustelo
Monday, 12 March 2012 00:42

Balloting and commenting on the first draft of ISO technical report PDTR 18126, Information and documentation - Risk assessment for identification and records systems, is the reason to rethink the subject.

The practices of risk management and records management have been completely separate domains, both in research and academia and in business practice, although there is a very strong nexus between them:

  • The main justification for records creation and control in organizations is to avoid all kinds of risks arising from the loss of evidence of business activities.
  • Many of the actions proposed to mitigate the risks of all types found in organizations are based on the creation of records and the control of information, which make it possible to put in place warning systems and to document the actions that have taken place.

However, when establishing the practice of risk management in relation to records management, there is no clear methodology for including risk management in records processes and controls. The various well-known practices focus mainly on electronic records and the risks of the information systems that manage them. An example is the DRAMBORA methodology for assessing the risks of digital repositories.

The ISO technical report aims to focus not only on the information technologies that manage digital records, although these are inevitably a very important point. Leaving the general risks of not creating the appropriate records for another text, the scope of the technical report is the identification of risks that have the potential to undermine the authenticity and reliability of records, or their remaining complete and usable for as long as needed.

The idea is to apply the processes of risk management, recognized and established in the management field for a long time, to identify and assess the risks associated with managing records and information. The draft of the technical report proposes that records risk identification and assessment is a task for records professionals. The findings of this task are provided to those responsible for risk management, who would be responsible for including this kind of risk in the overall risk management programme.

In this approach, which may be valid for many organizations, at least two important points could be discussed:

  • At what point risk identification and assessment has to be performed, and how to include it in records processes and controls. Is it a task prior to the implementation of a records programme or system? Is it a task to be performed when auditing a programme or system already in place? Is it a routine task that should be part of records processes?
  • How to make the identification and assessment of risks related to records useful and practical when the organization doesn't have a recognized risk management programme. If the organization does not have a risk management programme, is it not worthwhile to identify and assess the risks associated with records? Can the identification and assessment of risks help us in the design of records processes?

We will try to answer some of them during the commenting and final drafting of the report.