Introduction

Successful organizations identify and manage all their business risks. Identifying and managing the risks to records processes, controls and systems (records risks) is the responsibility of the organization’s records professionals.

This document is intended to help records professionals and people who have responsibility for records in their organization to assess records risks.

This is distinct from the task of identifying and assessing the organization’s business risks to which creating and keeping adequate records is one strategic response. The decisions to create records or not in response to general business risks are business decisions, which should be informed by the analysis of the organization’s records requirements undertaken by records professionals together with business managers. The premise of this document is that the organization has created records of its business activities to meet operational and other purposes and has established at least minimal mechanisms for the systematic management of the records.

The consequence of records risk events can be the loss of, or damage to, records, which are therefore no longer useable, reliable, authentic, complete, or unaltered, and therefore can fail to meet the organization’s purposes.

The document provides guidance and examples based on the general risk management process established in ISO 31000 (see Figure 1) to apply to records risks, including information on relevant risk assessment tools and techniques. It covers the risk assessment components:

a) risk identification,
b) risk analysis, and
c) risk evaluation.

This document introduces and explains selected techniques from IEC 31010 that are applicable in a records management environment (see Table A.2 for the list of techniques).

The results of the assessment of records risk should be incorporated into the organization’s general risk management framework. Consequently, the organization will have better control of its records and their quality for business purposes.

This document does not deal with risk treatment. Once the assessment of records risks has been completed, the assessed risks are documented and communicated to the organization’s risk management section. Response to the assessed risks should be undertaken as part of the organization’s overall risk management program. The priority assigned by the records professional to the assessed risks is provided to inform the organization’s decisions about managing those risks.

Figure 1 — Risk management process

NOTE Source ISO 31000:2018, Figure 4

BS ISO 18128:2024

Information and documentation. Records risks. Risk assessment for records management

Current

Published:

30 Apr 2024