I have been reading ISO/TR 18128:2014 «Information and documentation – Risk assessment for records processes and systems», as well as ISO’s general standard on risk management (ISO 31000:2009, principles and guidelines).
The ISO 18128 was very recently published, and for those of us who love standards, guidelines and rules in general, this is truly exciting – finally we have an explicit framework that helps us incorporate risk awareness and management in our approaches to records management.
Risk management is, in my opinion, part of the core responsibilities of records management professionals. This is not to say that other areas, such as retrieval and use, are unimportant; they are simply not as important (again, my opinion). In any case – should one wish to approach risk in records management, the ISO 18128 can be a good start, at the very least as a scalable framework.
The ISO 18128’s introduction states that ISO 18128 «[…] is intended to help records professionals and people who have responsibility for records in their organization to assess the risks related to records processes and systems. […] This is not the same as identifying and assessing the organization’s business risk to which creating and keeping adequate records is one strategic response.» Risk management in records management is thus separate from general business risk management, and more specific – placing it firmly within the records management professional’s area of expertise.
The introduction goes on to state that «[t]he consequence of risk events to records processes and systems is the loss of, or damage to, records which are therefore no longer usable, reliable, authentic, complete, or unaltered, and therefore can fail to meet the organization’s purposes.» I believe that risk awareness is an inevitable part of any records management effort, but that this awareness, and the following step – the risk management – is in many (most?) cases too implicit to have a real impact.
The ISO 18128 helps records management professionals express why records management is important in general, and why risk should be at the centre of the records management endeavour. The first step in the risk management process is to identify areas of uncertainty (risk areas). Annex B in the ISO 18128 lists a comprehensive checklist with a wide range of questions / bullet points that one can use to identify possible areas of uncertainty. Some examples:
- Is records management supported by top management?
- Are records responsibilities included in job descriptions where relevant?
- Is the technology selected an appropriate fit for the size, complexity, and activities of the organization?
- Has the organization identified all systems that create, hold, or manage records?
- Does the business continuity planning specifically include the records systems?
The ISO 18128 does not deal with risk treatment (which is probably partly why it is titled risk assessment and not risk management). It states that «[o]nce the assessment of risks related to records processes and systems has been completed, the assessed risks are documented and communicated to the organization’s overall risk management section. Response to the assessed risk is undertaken as part of the organization’s overall risk management program.» This is clearly not a good fit for everyone, as an organization may not have an overall risk management program, or the records management professional may be expected to provide the solutions as well as point out the problems and/or problem areas. And the latter is not necessarily a bad thing!