When to analyze risk - Manual for the Design and Implementation of Recordkeeping Systems (dirks)

^ When to analyze risk
You do not need to perform a risk analysis for all of your records. Rather, you should look at your list of recordkeeping requirements and determine if:

In these cases, a risk assessment of the likely consequences of not meeting the requirement is necessary.


^ Example: Requirement not in the organization's interests to meet

You may have identified that there is no legislative or business need, but there is a community expectation that a certain series of records is available for research. Yet, it is extremely costly to store these records, and expensive and difficult to continually migrate them so that they remain accessible. 

You need to assess the risk to the organization if it destroys the records in a shorter period of time. If the result of the risk analysis is that the risk is 'low', the organization may choose not to meet the community expectation.


In the majority of cases, regulatory requirements are essential for organizational accountability and you should meet them. However, implied requirements or the level of quality to which the requirements are met might be questioned.

The level of risk associated with maintaining records may influence the length of time they are retained, particularly if the risk of disposing of them is moderate to low. Risks associated with maintaining records include: 

Tip: Risks of discovery or access do not justify non-creation or disposal

The risks of discovery action or legitimate access to records should not be used to justify the non-creation or premature disposal of records that it would otherwise be desirable to have.
^ How to analyze risk
If there are requirements your department/section is considering not meeting, or if there is a conflict between requirements, you can use risk assessment to determine an appropriate course of action.

You need to establish clear definitions of what constitutes different levels of risk to your department/section (including ‘unacceptable risk’ as a benchmark), and then prioritize the identified recordkeeping requirements according to this scale. Your organization may already have in place its own risk management policy that defines such benchmarks.

Consequences of risk
^ Consequences of not meeting requirements
Decisions not to meet requirements may:

Example: Consequences of not keeping adequate records - out of court settlements

The Audit Office of New South Wales (NSW), Australia, investigated out of court settlements made by government agencies in 1999-2000. It sampled 85 agencies of all types and sizes. In this period, 163 out of court settlements were made, costing $19.2 million in awards and costs.

The Audit Office reported that "in some instances, settlement was recommended because agency records were deficient and defending the action in court would therefore be much harder. Agencies should be reminded of the need to maintain full and complete records in accordance with the (NSW) State Records Act 1998." [1]
^ Consequences of meeting requirements
Decisions to meet recordkeeping requirements will also have consequences such as:
^ Results of risk analysis
The results of this risk assessment, and risks linked to particular functions (Step B: Analysis of business activity), can help determine what recordkeeping requirements should be met. The various tables, matrices and other techniques used in risk and feasibility analysis will help you to: