What Is Risk Management?
Risk Management is a two-step process:
- Assessing what risks exist in an organization
- Handling those risks in a way best-suited to organizational objectives
All decisions regarding the retention of information are based on the management of risk. Even where records retention periods are clearly defined, those requirements only specify the minimum amount of time for which the information must be retained. However, other factors may warrant longer retention periods. Conversely, where the volume of information covered is high and the perceived likelihood of it being required is very low, shorter retention periods may be appropriate.
In an age where storage costs are relatively cheap, especially for electronic information, it can often be tempting to assume that the best route is to keep everything. However, this approach ultimately leads to significant costs such as decreased efficiency, redundancies that may lead to inaccurate information, and higher inventory costs.
In addition, considerable risks are associated with keeping everything. All content maintained by or on behalf of an institution is subject to Freedom of Information (FOI) laws or to any other form of the legal discovery process. Many organizations have found themselves in damaging or embarrassing situations due to the required disclosure of information maintained beyond required retention periods.
Consequently, whether externally mandated or internally created, consistent application of records retention requirements not only decreases the chances of information being disposed of too soon but will also protect an organization in the event that information is requested that cannot be produced because it was disposed of according to records retention requirements.
Drivers Governing Information Retention
In general, the two primary influences upon records retention come from internal and external factors.
Internal factors are determined by operational considerations such as how long the information is likely to be needed, both to fulfill the purpose for which it was originally created and for any secondary purposes. It is also important to consider the longer-term historical perspective and whether the information in question is likely to be of interest to future generations as part of the documentary record of the development of the institution. The Guidance on the appraisal of archival records provides further information on making this decision.
External factors are largely governed by legal and regulatory requirements. In fact, many pieces of legislation will have "statutes of limitation(s)" written in that will either specify exact retention requirements or that will help to define the minimum amount of time information covered by that legislation should be kept to ensure that any subsequent legal challenge can be resolved.
- Statutes of Limitations: laws setting time limits during which a lawsuit can be brought. The typical deadline
for bringing a contract action is six years from the time the breach occurs. The idea
of this policy is that everyone is entitled, at some point, to close the book on a
transaction. It encourages people to move on and reduces the uncertainty that businesses,
for example, would face if they could be sued for breaching contracts that no one
in the organization remembers. (American Bar Association Family Legal Guide)
Assessing The Value of Organizational Information
As explained in the section above, there will often be clear and compelling external reasons for retaining information. However, where these reasons do not exist, it may be difficult for an organization to objectively assess the value of information. And, without a reasonably accurate estimate of its worth, it may prove difficult to render informed risk-based decisions regarding retention and its associated costs. After all, all information storage costs money, whether in commercial storage fees for paper records or in the considerable overhead for storage of electronic records. Consequently, it is important to confirm that the value of the information to the organization justifies the cost of retaining it.
Defining the Value of Organizational Information
Unfortunately, it is not always easy to quantify the value of information because the true value of internal information is rarely defined in strictly monetary terms. The time required to recreate the information might be one measure, but in itself, this does not determine the likelihood of this scenario, which will also depend on the perceived value of the information to the institution.
The following questions provide a basic guide for deciding whether information is worth retaining:
- Does it contain useful information that you or your colleagues will need to perform a specific and known task or role?
- Have you or a colleague referred to this information in the last 6 months?
- Is this the only place where such information is available?
- Is it likely that an auditor would wish to see this information?
- Are there legal or regulatory reasons for keeping this information?
- Is it likely that this information may serve as a historical record that future generations
are likely to be interested in?
If the answer to any of the above is 'yes,' it may indicate that the information is worth keeping--at least for the time being. If the answer to all of the above is 'no,' it is unlikely that the information is worth keeping. However, these questions only serve as a rough guide that should be applied within the context of a risk management-based approach.
For additional information on risk management in the public sector, please see the following link:
JISC InfoNet (www.jiscinfonet.ac.uk): Information Management Toolkit (2007)