Assess and manage recordkeeping risk

1. How risk management applies to recordkeeping

Identifying and managing recordkeeping risks should be included in your agency’s records management program.

Recordkeeping risks will largely be based on regulatory requirements and business needs of each agency. Priority should be given to areas that expose or have the greatest potential to expose your agency to risk.

The following are examples of recordkeeping risks:

  • inability to find records due to poor controls such as inconsistent vocabulary
  • inability to access records due to technological obsolescence
  • unauthorised disclosure of sensitive information due to outdated or ambiguous policies and procedures
  • records wrongly destroyed because no retention and disposal schedule is in place
  • business systems coming to their end of life (before replacement or migration).

Find out about the recordkeeping risk factors in preventing corruption.

2. Assess recordkeeping risk

A risk assessment can be carried out to determine the acceptability of risks, strategies to minimise them, and the priority of treatment.

Identify and assess risks based on regulatory requirements, business needs, and stakeholder/client expectations.

You can adapt your agency’s risk management framework to document your assessment or include recordkeeping in your agency’s broader framework.

You should identify risks and strategies to manage or reduce them in your strategic recordkeeping plan.

You can conduct a risk assessment by:

  • identifying risks – review audit reports, interview agency staff, talk to system users
  • analysing risks – consider each risk, and its impact and likelihood
  • evaluating risks – prioritise each risk.

Use the Risk Impact Matrix (PDF, 170 KB) to help you assess the level and likelihood of each risk, and the potential impact.

Level of risk

  • Severe risk must be managed by senior management with a detailed plan
  • High risk requires detailed research and management planning at senior levels
  • Major risk needs senior management attention
  • Significant risk must specify management responsibility
  • Moderate risk must be managed by specific monitoring or response procedures
  • Low risk may be managed by routine procedures
  • Trivial risk may be managed through routine procedures and is unlikely to require dedicated resources.

3. Mitigate records management risks

You can implement recordkeeping controls to treat, control and mitigate risks, including:

  • establish a separate register for risk management – see an example of a risk assessment register (PDF, 170 KB)
  • ensure agency-wide risk management and records management policies align
  • ensure consistent naming conventions/business classification scheme to improve the ability to find records
  • conduct regular self-assessments and internal audits to assess and benchmark recordkeeping practices
  • incorporate records into your agency risk register as well as establishing a separate register for the recordkeeping unit
  • include a recordkeeping section in your agency’s induction program
  • establish an active agency disposal program to ensure records are kept for the appropriate period of time and then legally disposed of
  • maintain an approved retention and disposal schedule covering unique agency specific functions
  • communicate and promote recordkeeping to staff
  • provide regular training to staff on good recordkeeping, and the risks of poor recordkeeping.