Assess and manage your recordkeeping risk
Risk management is the process of identifying your agency's risks, prioritising those risks in accordance with your needs and risk appetite, and deciding how to mitigate those risks.
The risks you need to consider include:
- recordkeeping risks–risks related to your recordkeeping practices (or their absence)
- business activity risks–risks involved in performing your agency's work.
It is important that you conduct both types of risk analysis to ensure you have a comprehensive understanding of the risks faced by your agency.
Assessing and managing your recordkeeping risks are an important part of building or changing your records governance.
Recordkeeping risks are risks that are a direct result of recordkeeping activities such as the creation, capture, control, access to, storage or disposal of records.
The following are examples of recordkeeping risks:
- inability to find records due to poor controls such as inconsistent titling or being saved haphazardly in multiple locations
- loss or reduction in ability to access records due to technological obsolescence, disaster, corruption of information, or MOG and administrative change
- unauthorised disclosure of sensitive information due to outdated or ambiguous policies and procedures
- loss or unlawful destruction of records
- records being accessed externally (e.g. staff accessing from home or remotely) with inadequate security controls
- the authenticity and integrity of records being compromised
- business systems coming to their end of life (before replacement or migration)
- inability to provide appropriate public access to records, including in response to Right to information (RTI) or information privacy applications
- inability to comply with legislative requirements
- loss of government information, corporate memory and part of Queensland's documentary heritage.
Failure to appropriately manage these risks can lead to:
- loss of time and resources
- breaches of confidentiality
- reputational damage
- legal action
- loss of valuable information
- compromised accountability and transparency
- corruption or fraud
- loss of the irreplaceable heritage of Queensland.
Find out more about the recordkeeping risk factors in preventing corruption.
Business activity risks are risks that result from normal day-to-day business operations. They may not be linked to recordkeeping activities but may be mitigated through improved recordkeeping.
- risks revealed by an audit into financial practices being addressed through implementation of consistent recordkeeping processes for travel arrangements
- risk of not being able to explain why a particular course of action was taken due to critical business knowledge being lost in staff turnover. May be addressed through capturing decision considerations and other relevant information in records.
When considering business activity risks, you should consider any relevant internal or whole-of-government policies or frameworks such as the Queensland Treasury's A Guide to Risk Management.
Carry out a risk assessment to determine the acceptability of risks, strategies to minimise them, and the priority of treatment.
You can conduct a risk assessment by:
- identifying risks–review audit reports, interview agency staff, talk to system users
- analysing risks–consider each risk, and its impact and likelihood
- evaluating risks–prioritise each risk.
Use the Risk Impact Matrix to help you assess the level and likelihood of each risk, and the potential impact.
Recordkeeping risks will largely be based on each agency's regulatory requirements and business needs. Give priority to areas that expose, or have the greatest potential to expose, your agency to risk.
Use your risk assessment to determine what risks you can and will mitigate and how you will monitor these risks.
There are multiple ways to identify risks. You can:
- undertake brainstorming exercises and use focus groups
- interview staff and external stakeholders
- use a SWOT (strengths, weaknesses, opportunities and threats) analysis of current recordkeeping practices
- undertake audit activities or prepare/review audit reports
- review existing risk registers, or
- undertake a combination of the above.
For each risk identified, you should be able to articulate:
- what the risk is–the event or set of circumstances
- what causes the risk–the factors that contribute or increase the likelihood of the risk
- the consequence of the risk–the outcome or impact of the event.
We recommend that you document the risks you identify, their level and likelihood, potential impact, and any mitigation or monitoring activities.
Risks to records will increase during a MOG or administrative change. Potential risks may include:
- inability to transfer records and all associated metadata to the receiving agency
- records and metadata, including the history of the records, being lost or corrupted during transfer
- misuse of records and information by service providers, private entities or other organisation with temporary custody of public records
- reduced or loss of access to records.
Risks can increase due to differences between recordkeeping systems, information management practices, recordkeeping abilities and maturity in the agencies involved.
MOG or administrative change agreement
Risk mitigation strategies, recordkeeping requirements, compliance and monitoring information, and responsibilities need to be included in your agreement to reduce and manage potential risks.
If you are outsourcing a function and public records are in the custody of a service provider, or records are on loan to a private entity as part of a privatisation, you may need to do a periodic risk assessment. Make sure provisions to carry out regular monitoring of recordkeeping are in your agreement.
Do a risk assessment to determine the risks and your level of acceptance of those risks.
- if there is a risk that a complete and reliable reproduction of the original record cannot be created
- your ability to prove the authenticity of the digitised, converted or migrated record if challenged
- your ability to manage the digitised, converted or migrated record and ensure it will remain accessible for the full retention period
- the level of risk to vital records
- what level of loss or change of record characteristics between the source record and the converted, digitised or migrated version is acceptable (e.g. content, context, structure, appearance, connections).
If you are digitising, also consider:
- the likelihood that a temporary value record may become permanent in the future
- whether government, community, and others' expectations will be met by providing access to a digitised image rather than the original
- whether records or information could be damaged or lost during the process, particularly fragile and older records, or records with intrinsic value.
You may need to develop a strategy to mitigate the identified risks if they are unacceptable.
Risk mitigation may depend on how the migration, digitisation or conversion is done (e.g. through technical specifications and settings).
Use the Risk Impact Matrix (PDF, 37 KB) to help you assess the level and likelihood of each risk, and the potential impact.
Permanent, high-risk, high-value records
Policy requirement 4 in the Records governance policy requires all agencies to treat permanent, high-value and high-risk records as a priority.
Permanent records are the records produced or received by your agency that are of enduring value to Queensland. Find out how to identify permanent records.
High-value records are the records that the agency could not or would have great difficulty operating without.
High-risk records are the records that pose a significant risk to the agency if they were misused, lost, damaged or deleted prematurely.
While all high-value records are also high-risk, not all high-risk records are high-value.
Low-risk, low-value records
How you manage low-risk, low-value records depends on your business needs and recordkeeping system.
You should use certain controls, such as metadata, on records stored in a shared drive to ensure they are findable and usable.
You may be able to run regular reports in some applications that will take a snapshot of records. Capturing this snapshot may be sufficient to mitigate risks for some low-risk or low-value records.
Severe, extreme or critical risk
- Operational performance would be compromised to the extent your agency is unable to meet obligations and liabilities in core activity areas.
- Your agency would:
- be rendered dysfunctional
- incur huge financial losses
- not be able to meet key reporting requirements
- not be able to recover from such consequences.
- Stakeholders would face life-threatening consequences.
- Major adverse repercussions would affect large sectors of the State Government and its clients, including the general public.
Must be managed by senior management with a detailed plan.
Major, very high or significant risk
- Operational performance of the function or activity area would be severely affected with your agency unable to meet a major portion of your obligations and liabilities.
- Your agency's asset and resource base may be significantly depleted.
- Your agency would not be able to comply with the majority of its reporting requirements effectively.
- Recovering from consequences would be highly complicated and time consuming.
- Stakeholders would be unable to pursue their rights and entitlements.
- Public reaction would result in major disruptions.
High risk requires detailed research and management planning at senior levels.
Major risk needs senior management attention.
Significant risk must specify management responsibility.
Moderate or medium risk
- Operational performance of your agency would be compromised to the extent revised planning would be required to overcome difficulties experienced by function or activity area.
- Your agency would experience difficulty in complying with key reporting requirements, which would jeopardise some State interests.
- Recovery would be more gradual and require detailed corporate planning with resources being diverted from core activity areas.
- Stakeholders would experience considerable difficulty in pursuing rights and entitlements.
- Considerable adverse public reaction would result in some damage and disruption to your agency.
Must be managed by specific monitoring or response procedures.
Low or minor risk
- Slight inconvenience or difficulty in operational performance of function or activity area.
- Some accountability implications for the function or activity area, but would not affect your agency's ability to meet key reporting requirements.
- Recovery from such consequences would be handled quickly without the need to divert resources from core activity areas.
- Some minor effects on ability of stakeholders to pursue rights and entitlements. For example, other sources or avenues would be available to stakeholders.
- Public perceptions of your agency would alter slightly, but no significant damage or disruption occurs.
May be managed by routine procedures.
- Operational performance of the function or activity area would not be materially affected.
- Your agency would not encounter any significant accountability implications.
- The interests of stakeholders would not be affected.
- Public perception of the public authority would remain intact.
May be managed through routine procedures and is unlikely to require dedicated resources.
The level of risk will depend on:
- the value of the records
- the security classification applied to the records
- the complexity of the records (e.g. format, reliance on technology)
- the functions and activities they document
- your records governance and its functionalities
- if past action with the records has occurred (e.g. contested in their original format, required for legal proceedings)
- if records can be sentenced as either temporary or permanent based on significance or other factors.
You may also need to consider any legal proceedings where these records, similar records, or records of the same activity have been required in the past (e.g. all compensation records, all records relating to claims involving minors).
You can adapt your agency's risk management framework to document your assessment or include recordkeeping in your agency's broader framework.
Look at QGEA's advice on ICT risk management for information on risks in regard to ICT and how best to manage and reduce them.
How you mitigate identified risks will depend on their priority, your functions, your resources, and your appetite for risk.
You should consider your permanent, high-risk and high-value records and their risks before looking at your low-risk or low-value records.
Mitigating risks can include:
- developing and implementing a Business Continuity Plan that accounts for recordkeeping considerations
- ensuring agency-wide risk management and records management policies align
- ensuring consistent naming conventions and business classification scheme to improve the ability to find records
- conducting regular self-assessments and internal audits to monitor and review your recordkeeping
- incorporating records into your agency risk register as well as establishing a separate register for the recordkeeping unit
- including recordkeeping training in your agency's induction program
- considering the level of risk when deciding where and how records should be captured and managed
- establishing an active agency disposal program to ensure records are kept for the appropriate period of time and then legally disposed of
- maintaining an approved retention and disposal schedule covering unique agency specific functions
- communicating and promoting recordkeeping to staff
- providing regular training to staff on good recordkeeping, and the risks of poor recordkeeping.
If you use a combination of systems and applications, consider which records need to stay where and the associated level of risk.
When determining how you will mitigate your identified risks, you will also need to consider:
- your recordkeeping requirements
- what to capture and how
- how the parts of your new records governance framework will work together including:
- framework requirements and functionalities
- technology and applications
- recordkeeping tools
- roles and responsibilities
- policies and procedures
- how any changes will be implemented
- how you will monitor and review your recordkeeping activities over time.
Find out more about Information security.