ISO/NP 18617 Information and documentation — Records risks — Risk assessment for records management

Scope

This International Standard intends to assist organizations in assessing records risks so they can ensure records continue to meet identified business needs as long as required. The International Standard

a) provides methods for identifying and documenting risks related to records, records processes, controls and systems;

b) provides techniques for analysing records risks;

c) provides guidelines for conducting an evaluation of records risks.

This International Standard can be used by all organizations regardless of size, nature of their activities, or complexity of their functions and structure. These factors, and the regulatory regime in which the organization operates, which prescribes the creation and control of its records, are taken into account when identifying and assessing records risk.

Defining an organization or identifying its boundaries should take into account the complex structures and partnerships and contractual arrangements for outsourcing services and supply chains which are a common feature of contemporary government and corporate entities. Identifying the boundaries of the organization is the initial step in defining the scope of the project of records risk assessment.

This International Standard does not address directly the mitigation of risks, as methods for these will vary from organization to organization.

It can be used by records professionals or people who have responsibility for records in their organizations, and by auditors or managers who have responsibility for risk management programs in their organizations.

Purpose

Successful organizations identify and manage all their business risks. Identifying and managing the risks to records processes, controls and systems (records risks) is the responsibility of the organization’s records professionals.

This International Standard is intended to help records professionals and people who have responsibility for records in their organization to assess records risks.

This is distinct from the task of identifying and assessing the organization’s business risks to which creating and keeping adequate records is one strategic response. The decisions to create or not create records in response to general business risk are business decisions, which should be informed by the analysis of the organization’s records requirements undertaken by records professionals together with business managers. The premise of this International Standard is that the organization has created records of its business activities to meet operational and other purposes and has established at least minimal mechanisms for the systematic management of the records.

The consequence of records risk events could be the loss of, or damage to, records, which are therefore no longer useable, reliable, authentic, complete, or unaltered, and therefore can fail to meet the organization’s purposes. 

The results of the assessment of records risk should be incorporated into the organization’s general risk management framework. Consequently, the organization will have better control of its records and their quality for business purposes.

Comment on proposal

Please email further comments to: debbie.stead@bsigroup.com
