Manual for the Design and Implementation of Recordkeeping Systems (dirks)

Вид материалаДокументы

Содержание


When to analyze risk
Example: Requirement not in the organization's interests to meet
How to analyze risk
Consequences of not meeting requirements
Consequences of meeting requirements
Results of risk analysis
Подобный материал:
1   ...   21   22   23   24   25   26   27   28   ...   71
^

When to analyze risk


You do not need to perform a risk analysis for all of your records. Rather, you should look at your list of recordkeeping requirements and determine if:
  • it may not be in the UN's best interests to meet a requirement fully or in part, or
  • there is a conflict between requirements. 

In these cases, a risk assessment of the likely consequences of not meeting the risk is necessary.

 

^ Example: Requirement not in the organization's interests to meet

You may have identified that there is no legislative or business need, but there is a community expectation that a certain series of records is available for research. Yet, it is extremely costly to store these records, and expensive and difficult to continually migrate them so that they remain accessible. 

You need to assess the risk to the organization if it destroys the records in a shorter period of time. If the result of the risk analysis is that the risk is 'low' the organization may choose not to meet the community expectation.   

  

In the majority of cases, regulatory requirements are essential for organizational accountability and you should meet them. However, implied requirements or the level of quality to which the requirements are met might be questioned.

The level of risk associated with maintaining records may influence the length of time they are retained, particularly if the risk of disposing of them is moderate to low. Risks associated with maintaining records include: 
  • costs of preservation, storage and security
  • costs of setting up programs, policies, procedures and systems to manage the records effectively, and
  • risks of improper access leading to breaches of privacy or confidentiality. 

Tip: Risks of discovery or access do not justify non-creation or disposal

The risks of discovery action or legitimate access to records should not be used to justify the non-creation or premature disposal of records that it would otherwise be desirable to have.
^

How to analyze risk


If there are requirements your department/section is considering not meeting, or if there is a conflict between requirements, you can determine through risk assessment an appropriate course of action. 

You need to establish clear definitions of what constitutes different levels of risk to your department/section (including ‘unacceptable risk’ as a benchmark), and then prioritize the identified recordkeeping requirements according to this scale. You may already have in place its own risk management policy that defines such benchmarks.  

Consequences of risk
^

Consequences of not meeting requirements


Decisions not to meet requirements may:
  • compromise current or future business activity
  • compromise the organization's capacity to defend or prosecute claims
  • result in loss of amenity for the organization
  • attract adverse publicity or community reaction
  • compromise rights and entitlements of other parties affected by UN decisions and actions
  • compromise wider UN interests, and
  • diminish archival resources.

 


Example: Consequences of not keeping adequate records - out of court settlements

The Audit Office of New South Wales (NSW), Australia, did an investigation into out of court settlements made by government agencies in 1999-2000. They sampled 85 agencies of all types and sizes. 163 out of court settlements were made in this period, costing $19.2 million in awards and costs. 

The Audit Office reported that "in some instances, settlement was recommended because agency records were deficient and defending the action in court would therefore be much harder. Agencies should be reminded of the need to maintain full and complete records in accordance with the (NSW) State Records Act 1998." [1]
^

Consequences of meeting requirements


Decisions to meet recordkeeping requirements will also have consequences such as:
  • costs of preservation, storage and security
  • costs of setting up programs, policies, procedures and systems to manage the records effectively, and
  • risks of improper access leading to breaches of privacy or confidentiality. 
^

Results of risk analysis


The results of this risk assessment, and risks linked to particular functions (Step B: Analysis of business activity) can help determine what recordkeeping requirements should be met. The various tables, matrices and other techniques used in risk and feasibility analysis will help you to:
  • identify specific areas of recordkeeping risk in your department/section
  • quantify and prioritise those risks in terms of the cost to, or impact on, your department/section (ie operational, financial and technical feasibility factors), and
  • make, justify and document recommendations for meeting recordkeeping requirements.