Assess and manage recordkeeping risk
The Records Governance Policy (external) has replaced Information Standard 31: Retention and disposal of public records, and Information Standard 40: Recordkeeping. These information standard have been repealed.
Any references to IS31 and IS40 may be taken as a reference to the current Records Governance Policy if the context permits.
Table of contents
You should include identifying and managing recordkeeping risks as part of your agency’s records management program.
Recordkeeping risks will largely be based on each agency's regulatory requirements and business needs. Give priority to areas that expose, or have the greatest potential to expose, your agency to risk.
The following are examples of recordkeeping risks:
- inability to find records due to poor controls such as inconsistent vocabulary
- loss or reduction in ability to access records due to technological obsolescence, disaster, corruption of information, or MOG/administrative change
- unauthorised disclosure of sensitive information due to outdated or ambiguous policies and procedures
- loss or unlawful destruction of records
- the authenticity and integrity of records being compromised
- business systems coming to their end of life (before replacement or migration)
- inability to provide appropriate public access to records, including in response to Right to information (RTI) or information privacy applications
- inability to comply with legislative requirements
- loss of government information, corporate memory and part of Queensland's documentary heritage.
Carry out a risk assessment to determine the acceptability of risks, strategies to minimise them, and the priority of treatment.
You can conduct a risk assessment by:
- identifying risks–review audit reports, interview agency staff, talk to system users
- analysing risks–consider each risk, and its impact and likelihood
- evaluating risks–prioritise each risk.
Use the Risk Impact Matrix to help you assess the level and likelihood of each risk, and the potential impact.
Level of risk
Severe, extreme or critical risk
- Operational performance would be compromised to the extent your agency is unable to meet obligations and liabilities in core activity areas.
- Your agency would:
- be rendered dysfunctional
- incur huge financial losses
- not be able to meet key reporting requirements
- not be able to recover from such consequences.
- Stakeholders would face life-threatening consequences.
- Major adverse repercussions would affect large sectors of the State Government and its clients, including the general public.
- Must be managed by senior management with a detailed plan.
Major, very high or significant risk
- Operational performance of the function or activity area would be severely affected with your agency unable to meet a major portion of your obligations and liabilities.
- Your agency’s asset and resource base may be significantly depleted.
- Your agency would not be able to comply with the majority of its reporting requirements effectively.
- Recovering from consequences would be highly complicated and time consuming.
- Stakeholders would be unable to pursue their rights and entitlements.
- Public reaction would result in major disruptions.
High risk requires detailed research and management planning at senior levels.
Major risks needs senior management attention.
Significant risk must specify management responsibility.
Moderate or medium risk
- Operational performance of your agency would be compromised to the extent revised planning would be required to overcome difficulties experienced by function or activity area.
- Your agency would experience difficulty in complying with key reporting requirements, which would jeopardise some State interests.
- Recovery would be more gradual and require detailed corporate planning with resources being diverted from core activity areas.
- Stakeholders would experience considerable difficulty in pursuing rights and entitlements.
- Considerable adverse public reaction would result in some damage and disruption to your agency.
- Must be managed by specific monitoring or response procedures.
Low or minor risk
- Slight inconvenience or difficulty in operational performance of function or activity area.
- Some accountability implications for the function or activity area, but would not affect your agency’s ability to meet key reporting requirements.
- Recovery from such consequences would be handled quickly without the need to divert resources from core activity areas.
- Some minor effects on ability of stakeholders to pursue rights and entitlements. For example, other sources or avenues would be available to stakeholders.
- Public perceptions of your agency would alter slightly, but no significant damage or disruption occurs.
- May be managed by routine procedures.
- Operational performance of the function or activity area would not be materially affected.
- Your agency would not encounter any significant accountability implications.
- The interests of stakeholders would not be affected.
- Public perception of the public authority would remain intact.
- May be managed through routine procedures and is unlikely to require dedicated resources.
Assessing the level of risk
The level of risk will depend on:
- the value of the records
- the security classification applied to the records
- the complexity of the records (e.g. format, reliance on technology)
- the functions and activities they document
- if a dedicated recordkeeping system is used
- the recordkeeping functionality of your recordkeeping or business applications
- if past action with the records has occurred (e.g. contested in their original format, required for legal proceedings)
- if records can be sentenced as either temporary or permanent based on significance or other factors.
You may also need to consider any legal proceedings where these records, similar records or records of the same activity have been required in the past (e.g. all compensation records, all records relating to claims involving minors).
You can adapt your agency’s risk management framework to document your assessment or include recordkeeping in your agency’s broader framework.
Look at QGCIO’s advice on ICT risk management for information on risks in regard to ICT and how best to manage and reduce them.
You can implement recordkeeping controls to treat, control and mitigate risks, including:
- establish a separate register for risk management–see an example of a risk assessment register
- ensure agency-wide risk management and records management policies align
- ensure consistent naming conventions and business classification scheme to improve the ability to find records
- conduct regular self-assessments and internal audits to assess and benchmark recordkeeping practices
- incorporate records into your agency risk register as well as establishing a separate register for the recordkeeping unit
- include a recordkeeping section in your agency’s induction program
- consider the level of risk when deciding where and how records should be captured and managed
- establish an active agency disposal program to ensure records are kept for the appropriate period of time and then legally disposed of
- maintain an approved retention and disposal schedule covering unique agency specific functions
- communicate and promote recordkeeping to staff
- provide regular training to staff on good recordkeeping, and the risks of poor recordkeeping.
Identify the high-risk or high-value records and decide how and where these should be captured and managed before looking at your low-risk or low-value records.
If you use a combination of systems and applications, consider which records need to stay where and the associated level of risk.
Find out about the recordkeeping risk factors in preventing corruption.
High-risk or high-value records are usually your agency’s vital records or those with the potential to expose the agency to a high level of risk. Think about what would happen if you couldn't locate records needed to make a critical business decision or respond to a Right to Information request.
High-risk or high-value records are a priority and should be saved into your most compliant, stable application (e.g. eDRMS).
Find out how to identify and manage vital and high-value records.
Where and how you capture and manage low-risk, low-value records depends on your business needs and recordkeeping system.
You may be able to run regular reports in some applications that will take a snapshot of records. Capturing this snapshot may be sufficient for some low-risk or low-value records.
Risks to records will increase during a MOG or administrative change. Potential risks may include:
- inability to transfer records and all associated metadata to the receiving agency
- records and metadata, including the history of the records, being lost or corrupted during transfer
- misuse of records and information by service providers, private entities or other organisation with temporary custody of public records
- reduced or loss of access to records.
Risks can increase due to differences between recordkeeping systems, information management practices, recordkeeping abilities and maturity in the agencies involved.
MOG or administrative change agreement
Include risk mitigation strategies, recordkeeping requirements, compliance and monitoring information, and responsibilities need to be included in your agreement to reduce and manage potential risks.
If you are outsourcing a function and public records are in the custody of a service provider, or records are on loan to a private entity as part of a privatisation, you may need to do a periodic risk assessment. Make sure provisions to carry out regular monitoring of recordkeeping are in your agreement.
Do a risk assessment to determine the risks and your level of acceptance of those risks.
- if there is a risk that a complete and reliable reproduction of the original record cannot be created
- your ability to prove the authenticity of the digitised, converted or migrated record if challenged
- your ability to manage the digitised, converted or migrated record and ensure it will remain accessible for the full retention period
- the level of risk to vital records
- what level of loss and/or change of record characteristics between the source record and the converted, digitised or migrated version is acceptable (e.g. content, context, structure, appearance, connections).
If you are digitising, also consider:
- the likelihood that a temporary value record may become permanent in the future
- whether government, community, and others’ expectations will be met by providing access to a digitised image rather than the original
- whether records or information could be damaged or lost during the process, particularly fragile and older records, or records with intrinsic value.
You may need to develop a strategy to mitigate the identified risks if they are unacceptable.
Risk mitigation may depend on how the migration, digitisation or conversion is done (e.g. through technical specifications and settings).