Are you in control of your records?

laptop colourful folders S

Records are crucial to any organisation. Companies that operate under a risk management programme identify the high-risk areas within their activity and take steps to maintain adequate records to mitigate those risks. If, on the other hand, their records processes and systems are not supported by sound risk management practices, then the very means of addressing their business risks are undermined.

Over the past decade, a number of international standards have been published to help organisations get to grips with their records management. Now, a new technical report is showing them how to address the inherent risks associated with managing these records. ISO/TR 18128:2014, Risk assessment for records processes and systems, provides organisations with a systematic and comprehensive method for assessing the risks related to records processes and systems.

Convenor of our International Review Group for the committee that developed the technical report - TC 46 SC 11 Archives/records management - Trish O'Kane says management of information is critical for organisations to ensure they are effective and to manage risk.

'The new ISO technical report ISO/TR 18128:2014 provides needed tools to accurately assess risks to records and how to mitigate those risks.'

Stalking risk

Mapped to the framework of ISO 31000:2009 Risk management - Principles and guidelines, which sets out the ground principles for managing risk, the new technical report includes a checklist to help records management professionals find their way around the document. It helps them identify, analyse, and evaluate risks that need to be included in an organisation’s risk management programme.  And, to faciliate its integration in an existing management system, the technical report has adopted the records process analysis outlined in the ISO 30300:2011 suite of standards, Information and documentation – Management systems for records (MSRs).

ISO/TR 18128 does not address records creation and control as a means of dealing with ‘business risk’. Prioritising an organisation’s business risks is a matter for senior management and involves a specific records process to identify its recordkeeping requirements. Once the decision to create records has been taken, it becomes the responsibility of the records professional to ensure this is accomplished in an environment of appropriately managed risk.

The bottom line

This technical report is not only aimed at large organisations with a formal records programme and risk management department. It can be scaled to the needs of smaller companies or for analysing the records of a single function or a single business unit.

In contemporary organisations where records – and other strategic information – are stored in a variety of business systems, through a diffuse architecture of multiple databases, localised web applications, social media sites, and mobile computing devices, managing the risks to records is a daunting prospect. In this hybrid environment, having a systematic, process-oriented risk assessment methodology in place will go a long way to identifying and managing those risks, bringing significant benefits to the whole organisation – as well as peace of mind.


Buy ISO/TR 18128:2014 Buy AS/NZS ISO 31000:2009 Buy AS/NZS ISO 30300:2012

Published in business and ICT.