Records provide information of actions performed and decisions taken. Creating and managing records helps your agency do business and manage the risks associated with that business. Without adequate records, your agency may have difficulty providing evidence of its actions and decisions.

Records and risks should be considered in two contexts:

• records for mitigating business risk
• business risks associated with managing records

An agency may have a number of core business responsibilities, or may be operating in just one or two specific business areas. The level of risk for these may vary and you should undertake a risk assessment for each of your agency's core business areas.

High-risk functions are those that:

• receive a high level of public and media scrutiny
• instigate or are subject to litigation
• are mandated in law
• allocate, spend or collect large amounts of money
• assess or mitigate significant public risk
• involve issues that are politically sensitive
• involve issues of national security
• relate to sensitive or contentious activities
• are outsourced to an external service provider

All of these could expose your agency, or the government, to serious consequences. Records documenting these actions generally need to be more detailed and of a higher quality than those that document low risk activities.

Where limited resources forces your agency to concentrate on certain records and record types, these decisions should be made on a risk-based approach. 

In addition to the higher risks posed by some agency business activities, there are also risks associated with particular record formats or categories:

• Records that are 'Retain as National Archives' – are identified in Records Authorities and General Disposal Authorities issued by the National Archives. These records cannot be destroyed. They should be transferred to the National Archives as soon as they are no longer needed in everyday business.
• Electronic records that have a retention period of over five years – are likely to require preservation, including migration, to ensure access over time.
• Emails and webpages - are problematic, especially identifying which emails need to be kept and by whom, and managing webpages as records.  For more information about these formats, see IT systems.
• Records that contain classified information – need to be protected from unauthorised access by the public and unauthorised staff. 
• Records with content created in both paper and electronic formats – need to be managed as a whole, particularly for access to ensure that users understand the whole story, and for destruction or transfer.
• Records of advice issued by your agency, particularly through media such as the telephone or via dynamic websites – need to be managed to ensure that an organisation can establish what was said or published, and by whom and when, even though this advice may not be being transmitted in a formal written form.

Knowing your risks allows you to plan for their mitigation. A strong records management regime should be one of your primary risk mitigation strategies. For more information about identifying and understanding your business risks, you may also wish to review the Australian Standard for Risk Management, AS/NZS 4360.