DC 101 Exercise: Identifying and mitigating risk



As part of the taster session on the Digital Curation 101 course, this presentation introduced participants to the concept of risk and the Digital Repository Audit Method Based on Risk Assessment (DRAMBORA). This presentation preceded a group exercise and was given at the Digital Curation and Preservation Outreach and Capacity Building Workshop in Belfast on September 14-15 2009.


Published in: Education
  • Hard to define, but we must define it if we want to automate its handling. Multi-faceted: there is not one simple score that covers all data quality; many such scores are needed, which is expensive. Highly app-specific: again, more than one score is needed, and the details of the scores are hard to reuse. Highly subjective: difficult to completely automate.
  • Recall that the last two are actually just proxies for accuracy.
  • DC 101 Exercise: Identifying and mitigating risk

    1. Exercise: Identifying and Mitigating Risk
       Joy Davidson, Digital Curation Centre (DCC)
    2. The Challenge of Building Trust
       There is work going on now to define certification methodologies and processes for trusted digital repositories, but formal certification is still a long way off. The DCC feels that the most effective way to build trust amongst your stakeholder communities is not necessarily through formal certification but rather to be able to:
         • illustrate that you know what risks threaten your ability to achieve your mandate
         • provide evidence that you have considered these risks, understand them, and have appropriate measures in place to manage and mitigate these risks over time
    3. DRAMBORA
       The Digital Repository Audit Method Based on Risk Assessment (DRAMBORA) was developed by the Digital Curation Centre (DCC) and DigitalPreservationEurope (DPE) to assist repository staff to identify, assess, manage, and mitigate risks.
         • Definition: risks describe challenges or threats that impede the achievement of repository objectives, obstruct activities, and prejudice the continued availability of essential assets.
         • In DRAMBORA, risks have several attributes: probability, impact, severity, owner(s), and management strategies. Risks may also link to other risks.
    4. DRAMBORA assesses:
         • information assets (analogue materials, databases, data files, contracts, agreements, documentation, policies and procedures)
         • software assets
         • physical assets
         • services and utilities
         • business processes
         • people (staffing and skills)
         • intangibles, such as reputation
    5. DRAMBORA stages
         • Establish organisational profile
         • Develop contextual understanding
         • Identify and classify repository activities and assets
         • Derive registry of pertinent risks
         • Undertake assessment of risks (and existing management means)
         • Commit to management strategies
    6. Anatomy of a risk
         • Risk Identifier: A text string provided by the repository to uniquely identify this risk and facilitate references to it within risk relationship expressions
         • Risk Name: A short text string describing the risk
         • Risk Description: A longer text string offering a fuller description of this risk
         • Example Risk Manifestation(s): Example circumstances within which risk will or may execute
         • Date of Risk Identification: Date that risk was first identified
         • Nature of Risk: Hardware, software or communications equipment and facilities; Operations and service delivery; Personnel, management and administration procedures; Physical environment
         • Owner: Name of risk owner, usually the same as owner of corresponding activity
         • Escalation Owner: The name of the individual who assumes ultimate responsibility for the risk in the event of the stated risk owner relinquishing control
    7. Anatomy of a risk
         • Stakeholders: Parties with an investment or assets threatened by the risk's execution, or with responsibility for its management
         • Risk Relationships: A description of each of the risks with which this risk has relationships
         • Risk Probability: This indicates the perceived likelihood of the execution of this particular risk
         • Risk Potential Impact: This indicates the perceived impact of the execution of this risk in terms of loss of digital objects' understandability and authenticity
         • Risk Severity: A derived value, representing the product of probability and potential impact scores
         • Risk Management Strategy(ies): Description of policies and procedures to be pursued in order to manage (avoid and/or treat) risk
         • Risk Management Activity(ies): Practical activities deriving from defined policies and procedures
         • Risk Management Activity Owner: Individual(s) responsible for performance of risk management activities
         • Risk Management Activity Target: A targeted risk-severity rating plus risk reassessment date
    8. Risk Relationships
       Risk Relationship: Definition of Risk Relationship
         • Explosive: where the simultaneous execution of n risks has an impact in excess of the sum of each risk occurring in isolation
         • Contagious: where a single risk's execution will increase the likelihood of another's
         • Complementary: where avoidance or treatment mechanisms associated with one risk also benefit the management of another
         • Domino: where avoidance or treatment associated with a single risk renders the avoidance or treatment of another less effective
         • Atomic: where risks exist in isolation, with no relationships with other risks
    9. Scenario for the Exercise
         • You work in an archive that has recently expanded its mandate to include the stewardship of digital materials.
         • How do you determine your ability to safeguard the data you accept?
         • How can you prove your trustworthiness to those depositing data and reusing the resources over time?
    10. Exercise: Part I – Identify a risk (30 minutes)
       Each group should identify one risk (based on your own experiences wherever possible) and complete the DRAMBORA worksheet.
       Groups should complete:
         • name and description of the risk
         • example manifestations of the risk
         • nature of the risk
         • risk owner
         • stakeholders who would be affected
         • if possible, relationships with other risks
    11. Exercise: Part II – Mitigate the risk (30 minutes)
       Each group should now identify what they might undertake to manage and mitigate the identified risk over time.
       Each group should complete:
         • Risk management strategy(ies)
         • Risk management activities
         • Risk management activity owner
    12. Benefits of Risk Assessment Exercise
         • Firmly established organisational mandate
         • Understanding of legal and regulatory framework within which you are working
         • Development and maintenance of a realistic risk register
         • Identification and collation of relevant policies and strategies
         • Identification of staff skills and gaps
         • Identification of strengths and weaknesses in operations
         • Precursor to self-audit or external audit
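
The risk attributes and relationship types from the "Anatomy of a risk" and "Risk Relationships" slides can be held as a small register and checked mechanically. The sketch below is an added example, not part of the presentation or of DRAMBORA's own tooling: it derives severity as the product of probability and impact, flags relationships that point at unregistered risks and risks with no management strategy or activity owner, and follows contagious links through a chain, which goes one step beyond the pairwise definition on the slide. The field names, the scoring values, the direction of a relationship (from the risk that holds it to the risk it names) and the sample register are assumptions.

```python
from dataclasses import dataclass, field
# Relationship types from the "Risk Relationships" slide; an atomic risk has none.
RELATIONSHIP_TYPES = {"explosive", "contagious", "complementary", "domino"}

@dataclass
class Risk:
    identifier: str
    name: str
    probability: int  # scoring scale is an assumption; the slides give none
    impact: int
    relationships: dict = field(default_factory=dict)  # related identifier -> type
    strategies: list = field(default_factory=list)
    activity_owner: str = ""
    @property
    def severity(self) -> int:
        return self.probability * self.impact  # product of probability and impact

def audit_register(risks):
    """Rank identifiers by severity and list gaps in the register."""
    known, findings = {r.identifier for r in risks}, []
    for r in risks:
        for other, kind in r.relationships.items():
            if kind not in RELATIONSHIP_TYPES:
                findings.append(f"{r.identifier}: unknown relationship type {kind!r}")
            if other not in known:
                findings.append(f"{r.identifier}: related risk {other} is not registered")
        if not r.strategies:
            findings.append(f"{r.identifier}: no management strategy")
        elif not r.activity_owner:
            findings.append(f"{r.identifier}: management activity has no owner")
    ranked = sorted(risks, key=lambda r: r.severity, reverse=True)
    return [r.identifier for r in ranked], findings

def contagion_targets(risks, start):
    """Risks made more likely, directly or through a chain, if `start` executes."""
    links = {r.identifier: r.relationships for r in risks}
    seen, stack = set(), [start]
    while stack:
        for other, kind in links.get(stack.pop(), {}).items():
            if kind == "contagious" and other != start and other not in seen:
                seen.add(other)
                stack.append(other)
    return sorted(seen)

REGISTER = [  # constructed sample register, not from the presentation
    Risk("R01", "Loss of key staff", 3, 4, {"R02": "contagious"}, ["Succession plan"], "HR"),
    Risk("R02", "Undocumented ingest procedure", 4, 5, {"R03": "contagious"}),
    Risk("R03", "Storage media failure", 2, 6, {"R09": "domino"}, ["Second-site copy"]),
]
```

Calling `audit_register(REGISTER)` returns the identifiers ordered by severity together with the list of gaps, and `contagion_targets(REGISTER, "R01")` lists the risks to reassess if R01 executes.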