Digital preservation risks: Difference between revisions

From wiki.dpconline.org
Jump to navigation Jump to search
Line 31: Line 31:


{| class="wikitable" style="border-width: 1px"
{| class="wikitable" style="border-width: 1px"
|- valign="top"
| '''DRAMBORA describes risks to different areas of an organisation's operations:'''
| '''DRAMBORA describes risks to different areas of an organisation's operations:'''
| '''SPOT describes risks to essential properties of digital objects:'''
| '''SPOT describes risks to essential properties of digital objects:'''

Revision as of 10:19, 1 August 2013

Completing a preliminary digital preservation risk assessment will help you to clarify the recommendations you intend to make in your business case. It will also enable you to justify these recommendations by demonstrating their relevance and urgency. This section provides guidance on how to conduct a risk assessment for your digital collections. It also includes suggestions as to how best to make use of the results of your risk assessment in order to support your digital preservation business case.

Process

This is the process that a practitioner should follow to build this section of the business case. This should be a numbered list!

The exact process followed for your risk assessment will depend on its depth and scope. The following steps are intended to provide a basic framework to help you get started:

  1. Define the focus and scope of your risk assessment.
    • The focus of your risk assessment will depend on the purpose of your business case: are you making a case for new staff, a new system, or a new service? Are there certain risks that are specific to these circumstances?
    • Decide how comprehensive you want your risk assessment to be: will you include general risks to your organisation, or limit your assessment to your digital collections?
  2. Assemble any information that might help you to better understand the collection, e.g. data gathered as part of a digital collections audit.
  3. Use risk assessment methodologies to guide or inform your assessment, and to help identify risk domains and specific risks.
    • DRAMBORA (Digital Repository Audit Method Based on Risk Assessment) is a complete toolkit for a digital repository audit, which includes a list of over 80 examples of potential risks to digital repositories.
    • The SPOT (Simple Property-Oriented Threat) model aims to provide a simple model for risk assessment, focused on safeguarding against threats to six essential properties of digital objects.
  4. Decide how best to describe and conceptualise risks.
    • Describing risks in terms of the consequences for your institution (e.g. resources not discoverable) may enable you to make a more dramatic case for digital preservation; focusing on causes of risks (e.g. inadequate metadata), however, may help you to shape your business case recommendations and make a strong case for them to be implemented.
  5.  Categorise and prioritise the risks you have identified.
    • Group risks according to common categories e.g. staffing, storage arrangements.
    • Prioritise risks by scoring them according to their likelihood and impact.
  6.  Considering your audience, decide how best to present your risks to support your business case.
    • Describe risks using terms that will be accessible to your audience.
    • Consider placing more emphasis on risks that your audience are likely to consider particularly significant.

Content

Risk domains and specific risks

Both DRAMBORA and the SPOT model provide examples of risk domains and specific risks, which may help you to identify risks to include in your business case.

DRAMBORA describes risks to different areas of an organisation's operations: SPOT describes risks to essential properties of digital objects:
  • Physical environment
  • Personnel, Management and Admin procedures
  • Operations & Service Delivery
  • Hardware, Software of Communications Equipment and Facilities
  • availability
  • identity
  • persistence
  • renderability
  • understandability
  • authenticity
Examples of specific risks which DRAMBORA suggests for these domains include: Examples of specific risks which DRAMBORA suggests for these domains include:
  • Loss of key member(s) of staff
  • Legal liability for IPR infringement
  • Hardware failure or incompatibility
  • Sufficient metadata is not captured or maintained
  • Object characteristics important to stakeholders are incorrectly identified and therefore not preserved.
  • Inadvertent damage to medium and/or bit sequences via hardware, software or operator error.

Presenting risks

How you present the risks you have identified will vary depending on the purpose of your business case. The following are some general suggestions for presenting risks in a digital preservation business case:

  • Group risks under sensible headings, and describe them using terms accessible to your audience.
  • Prioritise risks to give more weight to those that most strongly support your case.
  • For each risk, clearly describe the threat, and explain why it is a problem and what the consequences are likely to be.
  • Where possible, phrase risks so that there are clear links with the recommendations you are making in your business case.

Scenarios

Thoughts on how to adapt the content of this section to particular scenarios that the business case is focused on.

(Communications)

Notes relevant to tailoring this section to the appropriate audience and communicating the the business case to that audience

Resources

These are external resources of relevance to this section. Links can be incorporated into the text above if that is more useful.


  • DPC presentation

Notes

How do you describe risk?

Relationship between risks, costs, drivers

Risk areas to think about:

Use the DRAMBORA (http://www.repositoryaudit.eu/about/) classification:

  • Physical environment
  • Personnel, Management and Admin procedures
  • Operations & Service Delivery
  • Hardware, Software of Communications Equipment and Facilities

Cross reference with the SPOT (http://www.dlib.org/dlib/september12/vermaaten/09vermaaten.print.html) model:

  • availability (long-term use...)
  • identity (referencibility...)
  • persistence
  • renderability (use and retain sig. char.)
  • understandability (interpretation of content)
  • authenticity (digital bit or rendered form is what it is supposed to be)
  • security

How do you prioritise risk?

Using a risk assessment to inform the business case

Scoring risks

Scenarios

  • Risks to consider/prioritise in a business case for a repository system
  • Risks to consider/prioritise in a business case for new DP staff
  • Risks to consider/prioritise in a business case for a digital preservation service

The following are all examples that could factor into any of the above sections...

CURATION

  • responsibility (who is actually responsible)
  • rights and licensing, use/re-use
  • IP
  • sensitivity (access control)
  • who adds value

ORGANISATION

  • capability and skills (skills gap)
  • succession planning
  • MANDATE (local, institutional, national, international)
  • usability
  • marketing/surfacing/relevance
  • value of asset, reputation of asset
  • accruing value, impact, re-use, evidence
  • measuring and metrics
  • understand the long-term vision if the data is view over a long/short-term
  • managing expectations of use
  • value of materials against strategy
  • what happens when the organization no longer values the collection?
  • flow of resources to keep activity going (sustainability)
  • respond to external factors
  • institutional sustainability
  • organization maturity (are they ready to care for these assets)
  • risk profiles (are they similar to physical or organization structure) are we making assumptions?

Communications