Taking a risk-based approach to recordkeeping decisions
This guidance explains how to take a risk-based approach to making decisions about recordkeeping. By working through case studies, this guidance demonstrates a structured approach to meeting obligations under the State Records Act 1998 and the Standard on Records Management.
Why a risk-based approach?
Very often, the answer to a public office’s question about how to achieve a certain recordkeeping outcome is ‘it depends’ or ‘take a risk-based approach’. This is because the way in which a public office will implement a requirement or meet its recordkeeping obligations is not prescriptive - instead, it depends on its resourcing, the nature of its business, systems and processes, and its records management maturity.
Due to these dependencies, decisions about how to meet recordkeeping requirements can be made following a risk management process:
- Assess the inherent risk levels associated with the recordkeeping matter in question
- Check the agency’s tolerance for recordkeeping risk
- Treat the risk
- Assess the residual risk levels once the risk has been treated
- Monitor and manage the risk over time.
Remember at all times that minimum retention periods for records must be met.
Assess the inherent risk level
"How serious is this risk?"
Understanding how severe the inherent risk associated with a given recordkeeping activity is starts with weighing up two things: the potential impact if something goes wrong as a result of that activity, and how likely that is to happen.
The risk that is being assessed in this case study is:
As a result of not reviewing the contents of all former employee and contractor OneDrive accounts before they are deleted, we lose records that should have been retained.
| Impacts: | Potential impacts include a loss of unique business information that the public office may need to perform its functions properly, or an inability to produce records when required, e.g. by an auditor or in response to a GIPA request. These impacts are assessed as ‘Moderate’. |
| Likelihood: | The public office has a good level of awareness about keeping records in approved systems and using OneDrive only for duplicate reference copies and working documents. However, the large number of team members, and the public office’s use of contractors who may not have been trained, means some information may not have been saved to the proper systems. Using the public office’s risk matrix (see below), the likelihood is assessed as ‘Possible’. |
Using the risk matrix below, a ‘Moderate’ impact combined with a ‘Possible’ likelihood produces an inherent risk rating of ‘High’.

Check risk appetite
"Do we need to do anything?"
Decisions about accepting or remediating risk should be informed by risk appetite. Risk appetite is the amount and type of risk an organisation is willing to accept in pursuit of its objectives; it sets the boundary between risks that can be tolerated and those that require further action.
For recordkeeping and other information management risks, the public office in this case study has established a risk appetite that accepts ‘Low’ and ‘Moderate’ risks but requires anything rated ‘High’ or ‘Extreme’ to be treated with appropriate controls.
Treat the risk
"How should we manage this risk?"
Common treatment strategies include:
- Avoid: stop or change the activity that creates the risk
- Reduce: add or improve controls to lower likelihood or impact
- Accept: decide to tolerate the risk, typically where the cost of treatment outweighs the benefit. Each public office will have a process for accepting, reporting and monitoring risks that are outside its risk appetite.
Decisions on how to treat a risk must be recorded and approved by the risk owner (the senior role with the ability to apply controls to the risk – in this case, it could be the Chief Technology Officer).
In relation to the potential loss of records from OneDrive accounts, the public office decides it needs to reduce the risk to ‘Moderate’ or lower so that it is within its risk appetite.
The public office decides to reduce the risk by establishing a procedure to scan OneDrive accounts belonging to senior staff, staff involved in decision-making and members of the legal team, to identify anything that may need to be saved into a recordkeeping system.
This procedure is a control for mitigating the risk. It is recorded in the public office’s risk register as a control – and linked to the record of the risk.
Assess the residual risk
"Are we now within appetite?"
The inherent risk was assessed before any treatment was applied. Once the control described above is in place, the residual risk must be assessed and recorded in the risk register.
To assess residual risk, re-apply the same risk matrix used to assess the inherent risk, this time taking into account the effect of the controls that have been put in place. Ask the same two questions – how likely is it that things will still go wrong, and how serious would the impact be – but now consider how the treatment changes those answers.
In the OneDrive example, the new procedure requires a targeted review of accounts belonging to senior staff, staff involved in decision-making and legal team members before deletion. This control does not eliminate the risk entirely – accounts belonging to other staff are still deleted without review – but it meaningfully reduces the likelihood that records of significant business value will be lost. The potential impact remains ‘Moderate’, since gaps in the review coverage could still result in the loss of important information. However, focusing the review on the roles most likely to hold unique or high-value records means the likelihood can now be reassessed as ‘Unlikely’. Applying these revised ratings to the risk matrix produces a residual risk rating of ‘Moderate’, which is within the public office’s risk appetite.
The residual risk rating, together with the reasoning behind it and the controls on which it relies, should be recorded in your organisation’s risk register. It is important that the rating reflects an honest assessment of how well the controls actually work in practice, not simply their existence on paper. A control that is poorly implemented, inconsistently applied, or not understood by the people responsible for it will provide less risk reduction than one that is well-embedded and regularly tested.
Where the residual risk remains above your organisation’s risk appetite after treatment, consider whether further controls can be applied, or whether the residual risk should be formally accepted by the relevant risk owner and escalated as required by your organisation’s risk management framework.
Monitor and manage the risk
"Is the risk remaining at an acceptable level?"
Monitoring and managing information and records risks over time is important because the risk landscape is not static – threats evolve, business processes change, legislative requirements are updated, and new technologies introduce unforeseen vulnerabilities.
A risk that was adequately treated at the time of its identification may increase as controls deteriorate, staff turnover occurs, or the volume and sensitivity of information held by a public office grows.
The frequency with which risks are reviewed will depend on factors like your organisation’s existing risk management program, and the level and nature of the risk, but it should be done periodically or as circumstances change.
Risk-based approach case studies
Is our business system adequate for managing records?
This example centres on a grants management system being considered as the sole recordkeeping system.
- Assess inherent risk: The grants context is high-stakes (public money, appeal rights, audit obligations, reputational risks, high level of scrutiny). Without assessment, a cloud business system is more likely than not to have recordkeeping gaps. The inherent risk is ‘High’.
- Check risk appetite: High falls outside the public office’s appetite; treatment is required.
- Treat the risk: A structured assessment against the business system assessment for recordkeeping functionality reveals gaps in disposal, record protection and metadata export. Two controls are implemented: a procedure to save key records to the EDRMS at defined lifecycle stages, and vendor contract provisions covering data portability and sovereignty.
- Assess residual risk: The controls reduce the rating to ‘Moderate’. The residual risk remains outside the public office’s appetite because it relies on manual action. As there are significant business benefits to moving to the new system, the risk owner formally accepts the risk while an automation project to further reduce the likelihood and impact of the risk is explored.
- Monitor and manage: The risk is registered, assigned, and reviewed six-monthly with defined trigger points (contract renewal, system changes, audit findings, completion of automation).
Can we stop producing bound volumes of Council minutes and rely on digital copies?
This example centres on a NSW Local Council deciding whether to cease the long-standing practice of producing bound paper volumes of its meeting minutes and instead rely solely on digitally signed PDFs in its EDRMS. This example takes a deliberately careful approach, reflecting the particular legal weight and permanence of council minutes.
- Assess inherent risk: Council minutes are permanent records under the Local Government Act 1993 and required as State archives by the General disposal authority for local government records (FA450). They are relied upon in legal proceedings, property transactions, planning appeals and accountability processes, potentially decades into the future. The consequences of an unrecoverable digital failure are rated ‘Major’. Without knowing whether digital arrangements are adequate, likelihood is ‘Possible’, producing an inherent risk of ‘High’.
- Check risk appetite: High falls outside appetite. The team also notes that the option to avoid the risk by continuing paper production remains on the table – the risk assessment should inform a conscious choice, not assume digital is adequate.
- Treat the risk: Four controls are identified:
- a digital signing procedure reviewed for compliance with the Electronic Transactions Act 2000
- tested backup and recovery arrangements with an annual schedule
- a documented migration strategy for permanent records and a regular transfer of the minutes to the State Archives Collection (managed by Museums of History NSW)
- retention of all existing paper volumes from before the transition date.
- Assess residual risk: The controls reduce likelihood to ‘Rare’, but consequence remains ‘Major’ – these particular controls make an unrecoverable failure less likely, but none of them lessens what such a failure would mean. Residual risk is ‘Moderate’. The General Manager formally accepts this, noting that the controls represent protection comparable to the paper volumes against foreseeable risks.
- Monitor and manage: There is an annual review of this risk as a standing item for the Council’s Audit and Risk Improvement Committee (ARIC), with specific trigger points including system changes, backup test failures, cyber incidents and changes to legislation or Office of Local Government or State Records NSW guidance. Ongoing acceptability of the digital-only approach is contingent on controls remaining effective.
Terms and definitions
Using risk language will help ensure that recordkeeping decision-making is dealt with through the same risk lens as other risk-based organisational decision making.
| Inherent risk | The level of risk that exists before any controls or safeguards are applied. It reflects the raw likelihood and potential impact of something going wrong if nothing is done to prevent or mitigate it. |
| Residual risk | The level of risk that remains after controls and safeguards have been put in place. No control is perfect, so some risk will always remain – the goal is to reduce it to an acceptable level. |
| Risk appetite | The amount and type of risk an organisation is willing to accept in pursuit of its objectives. It sets the boundary between risks that are tolerable and those that require further action. In a government context, risk appetite is typically defined by senior leadership and may differ across risk categories (e.g. a low appetite for privacy breaches, a higher appetite for innovation risk). |
| Risk control | Any measure, process, policy, or safeguard put in place to reduce the likelihood of a risk occurring or to limit its impact if it does. |
| Risk register | A documented record of identified risks facing an organisation or project. For each risk, the register typically captures a description, likelihood, potential impact, risk rating, assigned owner, and the controls or treatments in place. Your organisation’s Audit and Risk Committee will review the risk register on a regular basis. |
| Risk treatment | The process of selecting and implementing options to address a risk. |