What Is Risk Management?

 Risk Management is a two-step process:

  1. Assessing what risks exist in an organization.
  2. Handling those risks in a way best-suited to organizational objectives.

All decisions regarding the retention of information are based on the management of risk. Even where records retention periods are clearly defined, those requirements only specify the minimum amount of time for which the information must be retained. Other factors, such as the volume of information covered and the perceived likelihood of it being required may warrant longer or shorter retention periods. 

In an age where storage costs are relatively cheap, especially for electronic information, it can often be tempting to assume that the best route to take is to just keep everything. However, this approach ultimately leads to significant costs such as decreased efficiency, redundancies that may lead to inaccurate information, and higher inventory costs.

In addition, considerable risks are associated with keeping everything. All content maintained by or on behalf of an institution is subject to Freedom of Information (FOI) laws or as part of any other form of the legal discovery process. Many organizations have found themselves in damaging or embarrassing situations due to the required disclosure of information maintained beyond required retention periods.

Consequently, whether externally mandated or internally created, consistent application of records retention requirements not only decreases the chances of information being disposed of too soon, but it will also protect an organization in the event that information is requested cannot be produced because it was disposed of according to records retention requirements.

Drivers Governing Information Retention

In general, the two primary influences upon records retention come from internal and external factors.

Internal factors are determined by operational considerations such as how long the information is likely to be needed both to fulfill the purpose for which it was originally created or for any secondary purposes. It is also important to consider the longer term historical perspective and whether the information in question is likely to be of interest to future generations as part of the documentary record of the development of an institution.

External factors are largely governed by legal and regulatory requirements. In fact, many pieces of legislation will have statutes of limitations* written in that will either specify exact retention requirements or that will help to define the minimum amount of time information covered by that legislation should be kept to ensure that any subsequent legal challenge can be resolved.

             *Statutes of Limitations:  laws setting time limits during which a lawsuit can be brought.
               The typical deadline for bringing a contract action is six years from the time the breach
               occurs. The idea of this policy is that everyone is entitled, at some point, to close the
               book on a transaction. It encourages people to move on and reduces the uncertainty
               that businesses, for example, would face if they could be sued for breaching contracts
               that no one in the organization remembers. (American Bar Association Family Legal Guide)

Assessing The Value of Organizational Information

As explained above, oftentimes, there will be clear and compelling external reasons for retaining information. However, where these reasons do not exist, it may be difficult for an organization to objectively assess the value of its information. And, without a reasonably accurate estimate of its worth, it may prove difficult to render an informed risk-based decision regarding retention and its associated costs. After all, information storage costs money whether in commercial storage fees for paper records or in the considerable overhead for the storage of electronic records. Consequently, it is important to quantify that the organizational value of the information justifies the cost of retaining it.

Defining the Value of Organizational Information

Unfortunately, it is not always easy to quantify the value of information because the true value of internal information is rarely defined in strictly monetary terms. The time required to recreate the information might be one measure, but in itself, this does not determine the likelihood of this scenario which will also depend on the perceived value of the information to the institution.

The following questions provide a basic guide for deciding whether information is worth retaining:

  1. Does it contain useful information that you or your colleagues will need to perform a specific and known task or role?
  2. Have you or a colleague referred to this information in the last 6 months?
  3. Is this the only place where such information is available?
  4. Is it likely that an auditor would wish to see this information?
  5. Are there legal or regulatory reasons for keeping this information?
  6. Is it likely that this information may serve as a historical record that future generations are likely to be interested in?

If the answer to any of the above is 'yes,' it may indicate that the information is worth keeping--at least for the time being. If the answers to all the above is 'no,' it is unlikely that the information is worth keeping. However, these questions only serve as a rough guide that should be applied within the context of a risk management based approach.

For additional information on risk management in the public sector, please see the following link:

JISC InfoNet (www.jiscinfonet.ac.uk): Information Management Toolkit (2007)