Analysing risk
- Types of risk examined in Step C
- When to analyse risk
- How to analyse risk
- Consequences of risk
- Results of risk analysis
Types of risk examined in Step C
The risk assessment in Step C takes a different approach from that used in other steps. In Step A: Preliminary investigation and Step B: Analysis of business activity you examine the risks related to the business activity, that is, the risk involved in performing the work. In this step, you examine recordkeeping risks.
Recordkeeping risks are the risks that result from:
- creating and maintaining records
- not creating records at all, or
- not having appropriate or adequate records of the work to meet your recordkeeping requirements.
There are links between the three types of risks.
Example: Links between types of risk
The high risk related to a particular area of business could be reduced by good recordkeeping. Therefore the risks of not creating records relating to this area may be high.
When to analyse risk
You do not need to perform a risk analysis for all of your records. Rather, you should look at your list of recordkeeping requirements and determine if:
- it may not be in the organisation's best interests to meet a requirement fully or in part, or
- there is a conflict between requirements.
In these cases, a risk assessment of the likely consequences of not meeting the requirement is necessary.
Example: Requirement not in the organisation's interests to meet
You may have identified that there is no legislative or business need, but there is a community expectation that a certain series of records is available for research. Yet, it is extremely costly to store these records, and expensive and difficult to continually migrate them so that they remain accessible.
You need to assess the risk to the organisation if it destroys the records in a shorter period of time. If the result of the risk analysis is that the risk is 'low' the organisation may choose not to meet the community expectation.
Example: Conflicting requirements for census records
The Australian Bureau of Statistics faced an interesting dilemma with the individual census returns they created as part of the course of their business. On one hand there were groups in the community who believed strongly that these records should be destroyed in the interests of privacy after the business need had been met. Another group of stakeholders believed strongly these records should be kept to support future research. In addition, there were recordkeeping requirements under the Commonwealth privacy legislation that needed to be taken into account in the creation, management, use and destruction of these records.
The ABS had to assess the interests of both stakeholder groups and the risks of keeping and not keeping these records.
They decided to offer Australians a choice: if they ticked a box on the census return to indicate they wished the return to be kept, it became a national archive with access restricted for 100 years. If they did not tick the box, the return was destroyed after it had ceased to be of business use. This decision partly met stakeholder interests and was compatible with privacy requirements.
In the majority of cases, regulatory requirements are essential for organisational accountability and you should meet them. However, implied requirements or the level of quality to which the requirements are met might be questioned.
The level of risk associated with maintaining records may influence the length of time they are retained, particularly if the risk of disposing of them is moderate to low. Risks associated with maintaining records include:
- costs of preservation, storage and security
- costs of setting up programs, policies, procedures and systems to manage the records effectively, and
- risks of improper access leading to breaches of privacy or confidentiality.
Tip: Risks of discovery or access do not justify non-creation or disposal
The risks of discovery action or legitimate access to records should not be used to justify the non-creation or premature disposal of records that it would otherwise be desirable to have.
How to analyse risk
If there are requirements your organisation is considering not meeting, or if there is a conflict between requirements, you can determine through risk assessment an appropriate course of action.
You need to establish clear definitions of what constitutes different levels of risk to your organisation (including ‘unacceptable risk’ as a benchmark), and then prioritise the identified recordkeeping requirements according to this scale. Your organisation may already have in place its own risk management policy that defines such benchmarks.
The following table outlines some steps you might like to take in conducting a risk analysis:
| Step | Action |
|---|---|
| 1 | Assess conflicting requirements in terms of: |
| 2 | Identify and describe the consequences of not meeting each requirement, and determine the likelihood of each consequence occurring. |
| 3 | Weigh up the costs and benefits of meeting each requirement and the consequences of not meeting the requirements. |
| 4 | Discuss the issues with operational staff and management to reach an informed decision. Document this analysis and the decisions reached for future reference. This will assist in justifying your recommendations for retention and final disposal actions if you develop a disposal authority for these records. |
Example

| Requirement | Costs and benefits of meeting requirement | Consequences of not meeting requirement | Decision and justification |
|---|---|---|---|
| A business requirement to purge computer data every 6 months to keep online storage available | Available memory keeps the system operating efficiently. Organisation cannot demonstrate the integrity and security of the database over time. | Less memory and a slower system | Output audit trails to printed report and purge system every 12 months. Retain printed reports for 75 years. (This decision covers both requirements.) |
| A regulatory requirement to keep audit trail data for 75 years | Memory is reduced and the entire system slows down. Organisation is able to prove the integrity and security of the database content. | Severe legal penalties and a failure of accountability | As above |
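The four steps above and the purge-versus-audit-trail example can be carried out as a small risk register. The following Python script is an added example and is not part of the original guidance or of any DIRKS tool; the 5x5 likelihood and consequence scales, the 'unacceptable' benchmark of 15, and the likelihood and severity ratings given to the two example requirements are constructed placeholders that an organisation would replace with the benchmarks from its own risk management policy.

```python
"""Recordkeeping risk register: score, prioritise and document requirements.

Added example, not part of the original guidance. The scales, the
benchmark and the ratings of the sample requirements are assumptions.
"""
from dataclasses import dataclass, field

# Assumed 5x5 scales; an organisation substitutes its own definitions.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
UNACCEPTABLE = 15  # assumed benchmark: at or above this, the requirement must be met


@dataclass
class Requirement:
    """One recordkeeping requirement plus the analyst's Step 2 ratings."""
    name: str
    source: str                       # e.g. 'regulatory', 'business', 'community'
    consequence_if_unmet: str         # described consequence of not meeting it
    likelihood: str                   # key into LIKELIHOOD
    severity: str                     # key into CONSEQUENCE
    cost_to_meet: str = ""            # Step 3: cost/benefit of meeting it
    conflicts_with: list = field(default_factory=list)  # Step 1: names it conflicts with


def score(req: Requirement) -> int:
    """Risk of not meeting the requirement = likelihood x consequence."""
    return LIKELIHOOD[req.likelihood] * CONSEQUENCE[req.severity]


def rating(s: int) -> str:
    """Map a score onto the organisation's (assumed) risk levels."""
    if s >= UNACCEPTABLE:
        return "unacceptable"
    if s >= 8:
        return "high"
    if s >= 4:
        return "moderate"
    return "low"


def prioritise(reqs):
    """Steps 2 and 3: rank by risk of not meeting; regulatory sources win ties."""
    return sorted(reqs, key=lambda r: (-score(r), r.source != "regulatory"))


def conflicts(reqs):
    """Step 1: the conflicting pairs the analyst has flagged, each reported once."""
    by_name = {r.name: r for r in reqs}
    seen, pairs = set(), []
    for r in reqs:
        for other in r.conflicts_with:
            key = frozenset((r.name, other))
            if other in by_name and key not in seen:
                seen.add(key)
                pairs.append((r, by_name[other]))
    return pairs


def decision_log(reqs):
    """Step 4: a documented record of the analysis, one line per finding."""
    lines = []
    for r in prioritise(reqs):
        s = score(r)
        verdict = "must meet" if rating(s) == "unacceptable" else "may be negotiated"
        lines.append(f"{r.name}: {r.likelihood}/{r.severity} -> {s} ({rating(s)}); {verdict}")
    for a, b in conflicts(reqs):
        keep = a if score(a) >= score(b) else b
        other = b if keep is a else a
        lines.append(f"conflict: '{a.name}' vs '{b.name}' -> meet '{keep.name}', "
                     f"find an alternative way to satisfy '{other.name}'")
    return lines


# Constructed sample: the two requirements from the worked example above.
EXAMPLE_REQUIREMENTS = [
    Requirement(
        name="Purge computer data every 6 months",
        source="business",
        consequence_if_unmet="Less memory and a slower system",
        likelihood="almost certain", severity="minor",          # assumed ratings
        cost_to_meet="Cannot demonstrate database integrity over time",
        conflicts_with=["Keep audit trail data for 75 years"],
    ),
    Requirement(
        name="Keep audit trail data for 75 years",
        source="regulatory",
        consequence_if_unmet="Severe legal penalties and a failure of accountability",
        likelihood="likely", severity="severe",                 # assumed ratings
        cost_to_meet="Reduced memory and a slower system",
    ),
]

if __name__ == "__main__":
    for line in decision_log(EXAMPLE_REQUIREMENTS):
        print(line)
```

With the assumed ratings, the regulatory requirement scores 20 (unacceptable) and so must be met, while the business requirement scores 10 (high) and can be renegotiated, which is exactly the shape of the decision in the table: keep the audit trail on another medium and relax the purge interval. Swapping in your own scales and benchmark changes the numbers, not the procedure.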
Consequences of risk
Decisions not to meet requirements may:
- compromise current or future business activity
- compromise the organisation's capacity to defend or prosecute claims
- result in loss of amenity for the organisation
- attract adverse publicity or community reaction
- compromise rights and entitlements of other parties affected by government decisions and actions
- compromise wider government interests, and
- diminish archival resources.
Example: Consequences of not keeping adequate records - out of court settlements
The Audit Office did an investigation into out of court settlements made by government agencies in 1999-2000. They sampled 85 agencies of all types and sizes. 163 out of court settlements were made in this period, costing $19.2 million in awards and costs.
The Audit Office reported that 'in some instances, settlement was recommended because agency records were deficient and defending the action in court would therefore be much harder. Agencies should be reminded of the need to maintain full and complete records in accordance with the State Records Act 1998.' [1]
Decisions to meet recordkeeping requirements will also have consequences such as:
- costs of preservation, storage and security
- costs of setting up programs, policies, procedures and systems to manage the records effectively, and
- risks of improper access leading to breaches of privacy or confidentiality.
Results of risk analysis
The results of this risk assessment, and risks linked to particular functions (Step B: Analysis of business activity) can help determine what recordkeeping requirements should be met. The various tables, matrices and other techniques used in risk and feasibility analysis will help you to:
- identify specific areas of recordkeeping risk in your organisation
- quantify and prioritise those risks in terms of the cost to, or impact on, your organisation (ie operational, financial and technical feasibility factors), and
- make, justify and document recommendations for meeting recordkeeping requirements.
Footnotes
[1] 'Across the Board Review on Out of Court Settlements,' Auditor General's Report to Parliament 2000, Volume 6, p.22. Accessed in February 2003 at: http://www.audit.nsw.gov.au/publications/publications.htm