Managing recordkeeping risks
Protect your agency by understanding risks related to records
Creating and managing records help your agency do business and manage the risks associated with that business.
Without adequate records, your agency may have difficulty providing evidence of its actions and decisions.
Effective records management should assist your agency to adopt a defendable position in the event of legal actions or public scrutiny of its business.
Records and risks should be considered in two contexts:
- records for mitigating business risk
- business risks associated with managing records.
Records for mitigating business risk
Knowing your risks allows you to plan for their mitigation. A strong records management regime should be one of your primary risk-mitigation strategies.
The level of risk for agency business areas may vary, and you should undertake a risk assessment for each of your agency's core business areas. Check-up 2.0, a National Archives tool for assessing your agency's information and records management, covers questions which focus on the requirements for records of high-risk business.
High-risk businesses are those that:
- receive a high level of public and media scrutiny
- instigate or are subject to litigation
- are mandated in law
- allocate, spend or collect large amounts of money
- assess or mitigate significant public risk
- involve issues that are politically sensitive
- involve issues of national security
- relate to sensitive or contentious activities
- are outsourced to an external service provider.
All of these could expose your agency or the government to serious consequences. Records documenting these actions generally need to be more detailed and of a higher quality than those that document low-risk activities.
Such records will also require more intensive management to ensure their proper accountability and incorporate features such as audit trails.
If resources are limited, your agency should assess levels of risk and allocate resources accordingly.
Business risks associated with managing records
There are risks associated with particular record formats or categories. These include:
- records that are 'retain as national archives' – these are identified in records authorities and general records authorities issued by the National Archives. They cannot be destroyed and should be transferred to the National Archives as soon as they are no longer needed in everyday business
- digital records that have a retention period of over five years – these are likely to require preservation, including migration, to ensure access over time
- email and web pages – it can be problematic identifying which emails need to be kept and by whom and managing web pages as records. Your agency needs to have clear procedures and guidelines in place for dealing with these formats.
- records that contain classified information – these need to be protected from unauthorised access by the public and unauthorised staff
- records with content created in both paper and electronic formats – these need to be managed so they can be accessed as a whole to ensure that users understand their full context, or appropriately destroyed or transferred
- records of advice issued by your agency, particularly by telephone or via social media sites such as Facebook – these need to be managed to ensure that an organisation can establish what was said or published, by whom and when.
For more information about identifying and understanding your business risks, you may also wish to consult the Australian Standard for Risk Management, AS/NZS ISO 31000:2009.