A risk assessment is the practice of evaluating the inherent threats to and weaknesses in a government entity’s records and information. It is a recommended practice to evaluate the protection of your entity’s records in order to mitigate the potential destruction, harm, or loss of the information. While it may seem daunting to conduct a risk assessment to protect your records, let’s go over the considerations and what to look for when conducting such an analysis.
What is a Risk Assessment?
By definition, a risk assessment (otherwise known as a risk analysis) is the “evaluation of the possibility of incurring loss, damage, or injury and a determination of the amount of risk that is acceptable for a given situation or event” (Society of American Archivists). With that definition in mind, what would the potential risks be? The following are several potential risks to your entity’s records:
- Water: caused by inclement weather, leaking pipes, or burst pipes.
- Fire: caused by accident from a spark, or arson.
- Insects: such as silverfish bugs that eat paper.
- Rodents: such as rats or mice that will eat or tear up paper.
- Theft: such as unauthorized access through unlocked doors and filing cabinets.
- Computer viruses: such as data breaches or malware.
- Ransomware: a type of virus that locks you and your staff out of your network system, unless you pay a literal ransom to regain access.
Conducting the Assessment
How do you prioritize and estimate your risk in order to mitigate it? You will need to assess your strengths, weaknesses, opportunities, and threats. This is otherwise known as a S.W.O.T. analysis.
- First: Identify what the apparent or potential risk is to your records and information. This could be a computer virus, a hurricane, or infrequent records management training.
- Second: Decide whether the risk is a threat or a weakness. A threat would be a negative external factor over which you have little to no control, and a weakness may be an internal weakness.
- Third: Determine the likelihood that the risk will occur. This would be on a scale from 1 through 10, with 1 as never and 10 as most certainly will happen.
- Fourth: Rank the estimated severity of the damage that would happen if the risk were to occur. This is also on a scale from 1 through 10, with 1 as very low and 10 as catastrophic.
- And finally: Calculate the risk factor by multiplying the likelihood by the severity to see how high a priority the risk is in terms of addressing it.
Once you have the risk calculations, you will be able to prioritize, starting from the most likely hazards, and address which methods and practices to use to mitigate the risks and protect the entity’s records and information. Below is an example of how the analysis would work:
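| Risk | Threat or weakness | Potential impact | Likelihood (1-10) | Severity (1-10) | Risk factor |
|---|---|---|---|---|---|
| Hurricane | Threat | Floods and destroys the filing cabinets and physical hard drives. | 5 | 7 | 35 |
| Infrequent training on records management | Weakness | Lack of awareness of the entity’s policies and procedures on the management of records and information. | 8 | 6 | 48 |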
The potential harm to your records could range from natural disasters that are out of your control to intentional acts you can prevent. While not every entity will face the same drawbacks, it is important to identify what the probable risks are and their impact. What measures and strategies would be used to mitigate disasters?
First, research whether there are any standards for the protection and storage of records, whether they be legal statutes or industry standards. In Texas, we have laws and rules on the storage of records in 13 TAC 7 Local Records Storage Standards, which covers minimum required storage conditions such as protection against environmental hazards, exposure to sunlight, and protection of the location of the storage facility. There are also optional enhanced storage practices such as installing temperature controls and a fire suppressant system, and installing metal shelving instead of wooden shelving.
Look into what type of natural disasters are common to the region where your government office is located or where your records are stored.
The storage standards are primarily applicable to local governments to guide their storage of paper records and records of permanent or historical value. There are not any mandatory storage standards for state agencies as there are for local governments, but the storage standards in 13 TAC 7 are an excellent benchmark to use.
For more information about disaster preparedness check out the following blog articles: