What is high value, high risk?

High value, high risk is an approach you can take to manage your agency’s records.

By identifying records that are of high value or which are at high risk, Victorian Government agencies can ensure that these records are well managed and are allocated appropriate resources and strategies.

High value high risk matrix
High value high risk matrix

 

Understanding value and risk

Value is a very subjective term and changes depending for whom value is being determined. The high value of records can be broadly determined from two main perspectives:

  1. permanent value
  2. business value.

 

Permanent value

Records that will be stored permanently as State Archives and have continuing value to Victorian Government and community. These high value records provide evidence of major Victorian Government activities and decisions over time and how these interacted with and impacted people’s lives. 

Our selection of archives is guided by a set of key characteristics that are intrinsic to public records we wish to retain as State Archives:

  • The authority, establishment and structure of government
  • Primary functions and programs of government
  • Enduring rights and entitlements
  • Significant impact on individuals
  • Environmental management and change
  • Significant contribution to community memory.

See Appraisal Statement for Public Records Required as State Archives for further information about the characteristics and examples.

 

Business value

Records that are critical to enabling agencies to:

  • undertake and continue their functions
  • make good decisions
  • service their clients
  • maintain or enhance their reputation
  • respond to commissions, inquiries, audits, investigations and legal issues.

Agency records management specialists should consult with other areas of the business to gain an understanding of their high value records and refer to documentation such as a their vital records register.

 

There are a number of tools that can be used to identify which records are of high value, including:

 

 

  • Retention and Disposal Authorities (RDAs) - these standards issued by PROV provide a functional list of records along with a retention period and disposal sentence. Records outlined in RDAs with a long retention period may be considered high value records as they have ongoing value often beyond the lifespan of the systems they are currently being managed in.

 

  • Agency records registers such as vital records register. Vital records are those that are essential to the continued operations of an agency and therefore are likely to also be of high value. See Vital records protection (Counter Disaster Strategies) for further information (this web page from State Archives and Records NSW provides an overview of vital records including how to identify them).

 

  • Information Security Guide, Chapter 1 Understanding Information Value – this guide provides a common vocabulary and a structured approach to enable Victorian public sector organisations to assess the value of their public sector data (referred to as official information) by identifying the business impacts if official information were compromised.

Identifying, assessing and managing risks will help to ensure that the risk is managed appropriately and therefore that the records have the appropriate level of management. 

Risks for recordkeeping are predominantly due to two main factors:

  1. risks related to the security of the record and the information it contains, or
  2. risks to the record continuing to be available, readable, and usable for the duration of its retention period.
HVHR Types of Risks Pie Chart

 

  • Security - inappropriate security controls can place significant risk to records as well as cause harm to the agency and individuals. Examples include: 
    • unauthorised disclosure, such as staff emailing a confidential document to the media
    • unauthorised destruction, such as someone deleting documents without approval
    • unauthorised modification, such as someone editing final versions of records
    • malicious damage, such as a hacker deleting a database
    • theft, such as an intruder stealing key infrastructure files from an office.

 

  • Storage - environmental - physical records (paper, tapes, disks, photographs, film) can come under risk when stored in areas that are exposed to excessive levels of dust and light, electromagnetic fields, mould, pests (vermin and insects), unsuitable temperatures, fire (faulty equipment, bushfire, combustible film), water (leaks and floods) and building construction. Environmental damage can cause significant damage or complete loss of records.

 

  • Storage - handling and practice - using inappropriate storage shelving and containers can also place records at risk as well as ineffective handling of records to do improper procedures or lack of training.

 

  • Systems and technology - managing information within systems and technology platforms that are not maintained over time or backed up can place the information and records at risk. This could include failure to back up information, storing information in out-of-date applications which are no longer supported or on obsolescent hardware or managing records in systems that have limited extraction and migration capabilities.

 

  • People and processes – risks to records being managed appropriately due to lack of staff knowledge and training or ineffective business processes that do not account for recordkeeping requirements.

Records that are identified as being high risk will require a more stringent management regime than records of low risk. There are a number of tools that can be used to determine and manage risk including:

 

 

  • AS/NZS ISO 31000: Risk Management Principles and Guidelines - this standard provides a widely accepted framework for risk management and is generic enough to be tailored for specific environments. Included are methods for the identification, analysis, evaluation and treatment of risks as part of an ongoing process.

 

  • Victorian Risk Management Framework - this framework is tailored for the Victorian public sector and mandatory for departments and agencies that report in the annual Financial Report for the State of Victoria. It focuses on governance structures for the identification, management and reporting of risk within the public sector.

High value, high risk step-by-step

laptop with graphs on screen title graphics

The process of identifying and managing high value high risk records