Last updated:

August 29, 2019

Please note:

Some of our Standards and guidance products have recently changed. 

We are working on updating content on our website to reflect these changes. Refer to the Standards Framework page for more information.

Please contact us if you have any questions or concerns.

 

What is high value, high risk?

High value, high risk (HVHR) is an approach you can take to manage your agency’s records.

By identifying records that are of high value or which are at high risk, Victorian Government agencies can ensure that these records are well managed and are allocated appropriate resources and strategies.

High value high risk matrix
High value high risk matrix

 

Identifying and managing HVHR records

HVHR records should be appropriately managed as a priority in stable, accessible and secure physical and/or digital environments.

Below is some guidance on the criteria for identifying these types of records and tips on conducting a records assessment to be able to plan for their management over time.

Understanding value and risk

Value is a very subjective term and changes depending for whom value is being determined. The high value of records can be broadly determined from two main perspectives:

  1. permanent value
  2. business value.

 

Permanent value

Records that will be stored permanently as State Archives and have continuing value to Victorian Government and community. These high value records provide evidence of major Victorian Government activities and decisions over time and how these interacted with and impacted people’s lives. 

Our selection of archives is guided by a set of key characteristics that are intrinsic to public records we wish to retain as State Archives:

  • The authority, establishment and structure of government
  • Primary functions and programs of government
  • Enduring rights and entitlements
  • Significant impact on individuals
  • Environmental management and change
  • Significant contribution to community memory.

See Appraisal Statement for Public Records Required as State Archives for further information about the characteristics and examples.

 

Business value

Records that are critical to enabling agencies to:

  • undertake and continue their functions
  • make good decisions
  • service their clients
  • maintain or enhance their reputation
  • respond to commissions, inquiries, audits, investigations and legal issues.

Agency records management specialists should consult with other areas of the business to gain an understanding of their high value records and refer to documentation such as a their vital records register.

 

There are a number of tools that can be used to identify which records are of high value, including:

 

 

  • Retention and Disposal Authorities (RDAs) - these standards issued by PROV provide a functional list of records along with a retention period and disposal sentence. Records outlined in RDAs with a long retention period may be considered high value records as they have ongoing value often beyond the lifespan of the systems they are currently being managed in.

 

  • Agency records registers such as vital records register. Vital records are those that are essential to the continued operations of an agency and therefore are likely to also be of high value. See Vital records protection (Counter Disaster Strategies) for further information (this web page from State Archives and Records NSW provides an overview of vital records including how to identify them).

 

  • Information Security Guide, Chapter 1 Understanding Information Value – this guide provides a common vocabulary and a structured approach to enable Victorian public sector organisations to assess the value of their public sector data (referred to as official information) by identifying the business impacts if official information were compromised.

Identifying, assessing and managing risks will help to ensure that the risk is managed appropriately and therefore that the records have the appropriate level of management. 

Risks for recordkeeping are predominantly due to two main factors:

  1. risks related to the security of the record and the information it contains, or
  2. risks to the record continuing to be available, readable, and usable for the duration of its retention period.
HVHR Types of Risks Pie Chart

 

  • Security - inappropriate security controls can place significant risk to records as well as cause harm to the agency and individuals. Examples include: 
    • unauthorised disclosure, such as staff emailing a confidential document to the media
    • unauthorised destruction, such as someone deleting documents without approval
    • unauthorised modification, such as someone editing final versions of records
    • malicious damage, such as a hacker deleting a database
    • theft, such as an intruder stealing key infrastructure files from an office.

 

  • Storage - environmental - physical records (paper, tapes, disks, photographs, film) can come under risk when stored in areas that are exposed to excessive levels of dust and light, electromagnetic fields, mould, pests (vermin and insects), unsuitable temperatures, fire (faulty equipment, bushfire, combustible film), water (leaks and floods) and building construction. Environmental damage can cause significant damage or complete loss of records.

 

  • Storage - handling and practice - using inappropriate storage shelving and containers can also place records at risk as well as ineffective handling of records to do improper procedures or lack of training.

 

  • Systems and technology - managing information within systems and technology platforms that are not maintained over time or backed up can place the information and records at risk. This could include failure to back up information, storing information in out-of-date applications which are no longer supported or on obsolescent hardware or managing records in systems that have limited extraction and migration capabilities.

 

  • People and processes – risks to records being managed appropriately due to lack of staff knowledge and training or ineffective business processes that do not account for recordkeeping requirements.

Records that are identified as being high risk will require a more stringent management regime than records of low risk. There are a number of tools that can be used to determine and manage risk including:

 

 

  • AS/NZS ISO 31000: Risk Management Principles and Guidelines - this standard provides a widely accepted framework for risk management and is generic enough to be tailored for specific environments. Included are methods for the identification, analysis, evaluation and treatment of risks as part of an ongoing process.

 

  • Victorian Risk Management Framework - this framework is tailored for the Victorian public sector and mandatory for departments and agencies that report in the annual Financial Report for the State of Victoria. It focuses on governance structures for the identification, management and reporting of risk within the public sector.

Tips for managing HVHR records

If you do not have a comprehensive list and/or knowledge of the records in your agency, you can conduct an assessment to gain an understanding of the records which are of value and/or risk.

Depending on the scale of your agency and records, it may be practical to take a staged and/or targeted approach to the assessment. For example, focus on the most important business activities and related records first.

By undertaking an assessment, you should be able to rate the value and risk of your agency’s records and gain general knowledge about:

  • the range, volume and types of records your agency creates and manages
  • how the records relate to the business of your agency
  • the physical and digital environments in which the records are managed
  • the people and processes in place to manage records.

The following approaches can be undertaken to source information during the assessment:

  • refer to documentation:
    • Information Asset Register
    • Retention and Disposal Authorities (note records with long retention periods)
    • Records registers and lists, such as vital records register.
  • inspect the storage environment (physical and/or digital)
  • review the business systems and processes that manage records
  • interview staff in the agency and/or conduct workshops or surveys to gain information.

See Conducting an Information Review from National Archives of Australia for further information about the assessment process from an information asset perspective.

Once you have conducted the assessment and determined the value and risk ratings of your agency’s records, the next step is to prioritise the records which require the most attention.

Rate the records which should be prioritised due to their high value and risk and define:

  • the limitations and factors that impact on the management of the records
  • the required approaches to mitigate the risks to the records.

Also refer to the principles and requirements outlined in the PROV Standards and Specifications and flag those which are not being met and which are of primary importance to managing the records.

A plan and strategy will communicate the required actions, timelines and potential resourcing and/or funding requirements to manage the high value, high risk records identified as a priority. This may include projects to:

  • update the agency’s recordkeeping program
  • change or implement new processes, systems or technologies
  • migrate, relocate and/or transfer records
  • train staff on recordkeeping requirements.

Also, some of your proposed projects may require developing a Business Case to gain agency investment in a project that requires funding and resources.