Phase 1: Risk assessment

The risk assessment consists of six questions. Provide a simple 'Yes' or 'No' response and follow the appropriate action.

Your response to each of the questions will determine the extent of your assessment.

Phase 1: Risk assessment checklist

Each item below is one row of the checklist, with the columns: No. | Question | Explanation | Response (Y/N) | Action
Q1. Does or will the system hold unique information?

Explanation:

Consider if the information is duplicated in another system.

A decision has to be made to determine if the information contained in this system is unique, that is, the only version and one that cannot be sourced elsewhere.

Examples where the information is not unique:

  • a case management system that receives documents that are then saved to an EDRMS
  • your ICT back-up systems
  • any system where records are routinely exported and managed in another system, for example Outlook emails are saved to your EDRMS.

Response (Y/N):

Action:

If Yes, go to Q3 below.

If No, go to Q2 below.

Q2. Is or will the information be the authoritative source of truth, or relied on to create the authoritative record?

If not, does the system feed into a system that is an authoritative source of information?

Answer No to this question if the information can be destroyed using a normal administrative practice (NAP).

Explanation:

The authoritative source of truth is the agreed source of information to be shared within your agency that is deemed reliable and trustworthy.

An example of a system that manages the authoritative source of truth:

  • the Parliamentary Workflow Solution or other systems that manage information as a record.

An example where the content is generally 'saved into' the authoritative systems:

  • Microsoft Outlook.

Response (Y/N):

Action:

If Yes, go to Q3.

If No, document the outcome in your systems information management plan.

Q3. Is the risk or value of the information high enough to warrant additional controls to ensure that it is trustworthy?

Explanation:

Answering this question will depend on your risk tolerance. If the value of the information in the business system is not sufficient, or if the risks associated with the information are within your stated risk tolerance, then the trustworthiness of the information may not need to be assessed as a priority.

To determine the level of risk, think about how critical the records are to the performance of your agency's functions. For example, situations where you may have to demonstrate that your records are authentic, reliable and have integrity:

  • FOI requests
  • audits
  • inquiries (including Royal Commissions of Inquiry)
  • legal proceedings.

If any of these is reasonably likely, you need to ensure that you can demonstrate these characteristics when asked.

Note: A Yes response should be recorded for any systems that manage records identified as 'Retain as National Archives' (RNA) in an agency's approved record authority, and those systems that manage records that do not yet have disposal coverage.

Response (Y/N):

Action:

If Yes, you will need to assess functionality in the 'Information is trusted' module (see Phase 2).

Move on to Q4.

If No, go to Q5.

Q4. Is there sufficient business benefit for managing disposal within the system before decommissioning?

Explanation:

You should have a compelling business reason to manage disposal at the individual (or aggregated) level within the business system.

Examples:

  • having a legal or policy requirement to destroy records within a certain timeframe
  • the system manages a high volume of records with long retention periods, such as an HR system.

If the records need to be disposed of before the system is expected to be decommissioned, they must be either exported from the system or accountably destroyed within the system. You will need to decide if the cost of implementing disposal capability justifies the benefit, or if it is a mandatory requirement to allow destruction within a specific timeframe.

Note: A Yes response should be recorded for any systems that manage records identified as 'Retain as National Archives' (RNA) in an agency's approved record authority, and those systems that manage records that do not yet have disposal coverage.

Response (Y/N):

Action:

If Yes, you will need to assess functionality in Module 2: Disposal is accountable (see Phase 2).

Move on to Q6 below.

If No, go to Q5.

Q5. Are you likely to access the information beyond the expected life of the system?

Explanation:

Consider:

  • how long you expect the system to be in use
  • whether the records are in regular use
  • whether access to the records is likely to decline over time.

For this decision, you need to weigh the likelihood of needing to access the information against the cost of migrating it to, and managing it in, another format. If you do not need to keep the records for longer than the expected life of the system, you can destroy them when you decommission the system.

Note: A Yes response should be recorded for any systems that manage records identified as 'Retain as National Archives' (RNA) in an agency's approved record authority, and those systems that manage records that do not yet have disposal coverage.

Response (Y/N):

Action:

If Yes, you will need to assess functionality in Module 3: Export/import and Module 4: Reporting.

Document findings in your systems information management plan.

If No, document the outcome in your systems information management plan.

Q6. Do or will you need to keep the information for longer than the expected life of the system?

Explanation:

Consider:

  • minimum retention periods for the records in the system
  • the expected life of the system
  • likely costs for maintaining the system after its active business use ends (for access purposes).

You may be required to maintain a system even after you have stopped actively using it so that you can continue to access legacy information.

For example, for a system managing short-term records that you must keep for at least 2 years, you may choose to maintain the system for 2 years after you stop using it so that the information can continue to be accessed.

If you need to keep the records for longer than the time you expect to maintain the system, and you need to destroy records within a specific timeframe, you will need to export the records to manage the destruction accountably.

Note: A Yes response should be recorded for any systems that manage records identified as 'Retain as National Archives' (RNA) in an agency's approved record authority, and those systems that manage records that do not yet have disposal coverage.

Response (Y/N):

Action:

If Yes, you will need to assess functionality in Module 3: Export/import and Module 4: Reporting.

Document findings in your systems information management plan.

If No, assess functionality in Module 4: Reporting.

Document your findings in the systems information management plan.

Copyright National Archives of Australia 2017