Article Information

Mpho Ngoepe¹

¹Department of Information Science, University of South Africa, South Africa

Correspondence to:
Mpho Ngoepe

Postal address:
PO Box 392, University of South Africa 0003, South Africa

Received: 03 Mar. 2014
Accepted: 20 May 2014
Published: 19 June 2014

How to cite this article:
Ngoepe, M., 2014, ‘The role of records management as a tool to identify risks in the public sector in South Africa’, SA Journal of Information Management 16(1), Art. #615, 8 pages

Copyright Notice:
© 2014. The Authors. Licensee: AOSIS OpenJournals.

This is an Open Access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
The role of records management as a tool to identify risks in the public sector in South Africa

Background: Records management is a vital element in the identification of risks. However, there is a consensus amongst scholars that the relationship between records management and risk identification has not been clearly articulated. As a result, risks associated with records are often dealt with via internal audits, legal processes and information technology.

Objectives: The study utilised the King III report on corporate governance in South Africa as a framework to investigate the role of records management in identifying risks in the public sector, with a view to entrench the synergy between records management and risk management.

Method: Quantitative data were collected through questionnaires distributed to records managers, risk managers and auditors in governmental bodies in South Africa. Provisions of the King III report guided the research objectives.

Results: Even though the study established that there is a reciprocal relationship between risk identification and records management, most governmental bodies in South Africa lack records management and risk-mitigating frameworks or strategy. Furthermore, records management did not feature in most governmental bodies’ risk registers. It has been established that most governmental bodies have established risk committees that do not include records management practitioners. In most governmental bodies, risk management resides within internal audit functions.

Conclusion: The study concludes by arguing that a strong records management regime can be one of an organisation’s primary tools in identifying risks and implementing proper risk management. Therefore, records management should be integrated with risk management processes for organisations to benefit from the synergy.


Both public and private organisations face different kinds of risks that affect the reliability of records and effectiveness of internal controls daily, such as losses, negative cash flows and, ultimately, bankruptcy, which can lead to liquidation. According to Ebaid (2011:108), it is difficult for organisations to avoid risk. However, what matters most is the identification and management of risks that the organisation is exposed to. Records management is one of the functions that can play a vital role in identifying and assessing risks and leading to effective risk management. Effective risk management plays an integral part in the development of the control environment which, in turn, provides management with the necessary assurances that the organisation will achieve its objectives within an acceptable degree of residual risk.

Despite the role that records management can play in identifying risks within organisations, it is clear from the literature that the role has not been clearly articulated, particularly in the public sector in South Africa as compared to elsewhere in the world (Bhana 2008). Lemieux (2001; 2004:57) contends that risks associated with records are often dealt with on an ad-hoc basis via internal audits, legal processes, information technology and in few instances records management. Akotia (1996:6) has also observed that ‘a major defect in financial administration arises from failure to integrate accounting and records management process, with the result that essential information is lost or becomes subject to inaccuracies’. Palmer (2000:63) points out that the chaotic and collapsed state of records management systems is one of the primary reasons why accounting standards will not easily be implemented in developing countries. Indeed, when accounting systems are weakened due to poor record-keeping, management is unable to access records for decision-making. In this light, it is essential that records are managed properly throughout their entire life cycle to enable identification of risk and management thereof.

Willis (2005:88) is of the view that a robust records management programme should form part of the organisation’s risk management process, as records and the management of risk are considered inseparable. In this regard, proper records management can be used as a tool to identify risks in the organisation. Fraser and Henry (2007:393) identify two contexts in which the inseparability of and nexus between records and risks can be considered: records for identifying business risk and business risks associated with managing records. Furthermore, Lemieux (2010) provides a typology between records management and risk management:

• Using records to explore types of risk.
• Risk to records.
• Records as causes of other types of risk.
• Risks associated with the traditional archival function.
• Records management applying the risk management process (pp. 210–211).

In view of the above, this study utilised the King III report on corporate governance to develop a theoretical argument for the role of records management in identifying risk in the public sector of South Africa, with a view to entrench the synergy between records management and risk management. A study by Ngoepe and Ngulube (2013a) covered other chapters of the King III report, but excluded the governance of risk from the role of records management in corporate governance. Therefore, this study attempts to fill the gap by using chapter 4 and chapter 5 of the King III report as a framework to define the role of record-keeping as a tool to identify risks in governmental bodies. As Isa (2009:3–4) would attest, it is essential to explore the relationship between these two areas in order for organisations to benefit from the synergy of their integration.

The King III report was launched on 01 September 2009 by the Institute of Directors of Southern Africa (IoDSA), and came into effect on 01 March 2010. It heralded a new era in which risk management and recorded information were regarded as important. The King III report has nine chapters. Chapter 4 and chapter 5 are relevant to this study as they deal with risk management and information management respectively. The chapters provide valuable guidance on how the various processes can be integrated. For example, in terms of the King report, people responsible for organisational governance must be able to rely on competent and trustworthy internal resources, capable of accurately assessing the effectiveness of the processes in place to manage and mitigate risks (IoDSA 2009:86). The King III report applies to all private and public entities in South Africa. Records are regarded as important assets of the organisation as they are evidence of business activities. The King III report recommends that management should ensure that there are systems in place for the management of information assets to ensure the availability of information in a timely manner, implement a suitable information security management, ensure that sensitive information is identified, classified and assigned appropriate handling criteria, implement the management of risks associated with information and establish a business continuity programme addressing the organisation’s information and recovery requirements. In this regard, according to the King III report, information management encompasses: protection of information (information security), the management of information and the protection of personal information processed by organisations (information privacy) (IoDSA 2009:86).

Problem statement
Despite the importance of records management to risk identification, as highlighted in the preceding section, it would seem that records management in the public sector in South Africa does not satisfy the threshold specified by the King III report. For example, the general reports on audit outcomes by the Auditor-General of South Africa express concerns on the lack of adequate records that automatically increase audit risks and fees (Bhana 2008; Ngoepe & Ngulube 2013b:52). This implies that records are not properly managed to mitigate information-related risks; hence, the public sector in South Africa is characterised by auditing findings relating to poor records management. Hence, Sarens and De Beelde (2006:64) and Fraser and Henry (2007:393) observe that the relationship between records management and risk identification has not been clearly explored and articulated by scholars, practitioners and organisations. According to the Institute of Internal Auditors (2009), many organisations are fearful that they do not really understand the link between risk management and records management. Erima and Wamukoya (2012:32) are of the view that as a tool for risk management, records management is important in strategic decision-making, helps cut down costs and reduces risks from litigation, amongst others. Isa (2009:4) ponders that the embedding of records management into the risk management function is a long-term exercise to ensure that records consideration is at the heart of all management processes. Organisations create an array of records relating to relevant internal and external activities. These records are needed at all levels of an organisation to identify, assess and respond to risks (Committee of Sponsoring Organizations of the Treadway Commission 2004:67). Failing to manage records throughout their life cycle is a growing risk facing every organisation across the globe. 
According to Isa (2009:75) organisations have neglected proper record-keeping, which results in exposure to risks from various angles. If records management is used as a risk identification tool, many of the risks associated with poor record-keeping, such as litigation, loss of information, reputation risks and others, can be mitigated.

Research purpose and objectives of the study
The general purpose of this study was to investigate the role of records management as a tool to identify risks in the public sector in South Africa, with a view to entrench the synergy between records management and risk management. The specific objectives were to:

• Investigate the availability of enterprise risk management strategies that embrace records management in governmental bodies.
• Identify risks emanating from poor or lack of records management in the public sector in South Africa.
• Investigate how records are managed to mitigate risks in the public sector in South Africa.
• Make recommendations on integrating records management into risk management.

Literature review
Literature for this study is reviewed under two themes: the role of records management in identifying risks and risks emanating from poor or lack of records management in organisations.

The relationship between records management and risk management
Chernobai, Rachev and Fabozzi (2007:xv) contend that there is a historical relationship between risk management and records management, even though the risk management field has its origin in the insurance industry. From time immemorial, human beings have striven to understand risk affected by factors such as storm, fire or flood (Graham & Kaye 2006:1). In the 1980s, risk management in manufacturing industries took hold with the adoption of total quality management. Very few organisations took a wide-angle view of risk and controls beyond finance. Even in these cases, as postulated by Lemieux (2010:210), attention was generally focused on hazard-related or insurable risk. It was only in the 1990s that the field of risk management received greater recognition.

Risk commentators such as Fraser and Henry (2007:393), Hiles (2002), Lemieux (2010:211) and Sarens and De Beelde (2006:64) argue that the incident on 11 September 2001 in the United States of America changed the world with regard to risk management as many companies ceased to exist after the event. However, the roots of modern risk management are much older and were already deeply embedded in the management of many organisations long before that fateful day. Risk was rarely projected and it was only when records were kept that an opportunity presented itself to scrutinise these records to offer prediction of the future. Today, most organisations have, as part of their corporate executive staff, an individual with the title of chief risk officer. As a result, risk management to many is synonymous with good governance. This also manifests itself in governance tendrils such as the King III report on corporate governance in South Africa.

Whilst internal monitoring bodies within organisations such as internal audit functions and audit committees are becoming increasingly involved in risk management, records management is conspicuous by its absence. Fraser and Henry (2007:393) argue that historically no unit within organisations has been charged with risk management. As a result, internal audit departments and audit committees took the opportunity to fill the gap simply because many risks have an obvious financial dimension. According to Isa (2009:4), records management ensures the availability of records for risk assessment and as such should be involved in or incorporated into the risk management process. Isa (2009) proposes some guidelines for how the integration could be done:

Record-keeping practice and risk management elements must be nurtured and embedded in all business activities across the organisation. This can be realised by forming a working committee comprising the audit committee, archivist and records manager and risk management team to implement such an approach across the board. Therefore, records management professionals should embrace the opportunity to contribute to the achievement of corporate governance. (p. 258)

Effective records management ensures the availability of records for future assessment in order to determine whether the recommended risk mitigation has been followed by relevant business process owners. The success of risk management is partly dependent on the accuracy of records in organisations, as every judgement made must be based on reliable information. In an age in which transparency, accountability and compliance are of increasing concern, it is essential that organisations comply with regulations and, if they do not, are able to explain why not (Isa 2009:53; Lomas 2010:191).

Sampson (1992:134; 2002:169) asserts firmly that the main contribution of records management to risk management is through records retention schedules, which allocate a suitable retention period to various records, especially perceived threats of litigation. However, it should be noted that there are instances of public organisations in South Africa destroying records, for accountability purposes, as a way of managing political risks (Harris 2002; 2007). Harris and Merrett (2007:270) are of the view that, even in an era of more open government, it is inconceivable that compliant procedures can be applied uniformly as they simply cost too much. Reed (1997) suggests that not all processes generate records and that it is the role of records management working within a risk management framework to identify how far each process should be recorded. However, as Isa (2009:66) would attest, this role cannot be accomplished in the absence of commitment from managers of various departments across an organisation.

The strength and effectiveness of a record-keeping system mainly depend on the effectiveness of risk management that prioritises and identifies risks across an organisation. Allocating the identified risks into an organisational directory or a file plan structure enables the identification of contextual information, which in turn ensures that the authenticity and integrity of electronic records are controlled (Isa 2009:91). As risk is associated with avoiding or mitigating obstacles to achievement, from a liability standpoint, records are necessary to demonstrate that an organisation has conducted itself reasonably. If nothing is recorded, it is difficult to prove that it happened. Relying on human memory is dangerous due to its elusiveness, frailty and the tendency of people to remember things that never happened (Jimerson 2003:90; Ngoepe 2012:44). This can lead to records and information management risks, which encompass any threat to the business arising from inadequate records management (Lemieux 2004:56).

Risks emanating from poor or lack of records management in organisations
In his keynote address to the South African Records Management Forum conference, Bhana (2008) questions whether it is fair to equate poor records management to high risk. Putting it differently, Sampson (1992:134) questions whether proper records management can help to identify and assess risk. To answer these questions, the Auditor-General of South Africa (2011) is on record noting the importance of keeping records as a key component of any entity’s risk management process. Organisations operate in a world that grows more litigious, risky and highly regulated (KPMG 2011). Failing to manage records throughout their entire life cycle is a growing risk facing every organisation. In the past, records management was purely paper based and the challenge was less onerous. Traditionally, records management processes have been undertaken by records management staff. The digital world brings new complexities to records management. Now the work has been transferred to end-users which has proved to be unsuccessful (Henttonen & Kettunen 2011:87). In an electronic environment, the challenges include managing access, versioning, controlling and surrogates. Therefore, records management can no longer be a tactical solution to a departmental problem, but must be approached as an enterprise-wide strategy (KPMG 2011). The starting point is to identify key areas of records management that pose a risk to the organisation or have a significant cost impact.

Indeed, how well an organisation manages its records will impact on certain business and legal risks. Often, the cost of poor record-keeping is hidden; hence, few organisations especially in the public sector bother to establish a records management programme. There are several risks that come to mind, but four risks stemming from poor or lack of proper record-keeping identified by Bhana (2008) and Ngoepe (2011:75–76) that need to be considered are reputation, legal, financial and information loss. Bhana and Ngoepe posit that a governmental institution with lack of proper record-keeping is at risk of information loss when individuals resign or leave office. This is a common phenomenon and has almost become a cliché since organisations often refer to individuals that they hold in high regard because of their ‘institutional memory’. The institutional memory should in fact be vested in the organisation’s records management systems, which are further supported by appropriate knowledge management frameworks. Furthermore, governmental bodies need to comply with legislation regarding retention of records.

Several other scholars also identify risks associated with poor or lack of records management. For example, Fraser and Henry (2007:393) identify two types of process-level risk assessments for record-keeping. The first is a strategic approach to managing business information by undertaking a systematic, risk-based assessment of record-keeping needs and designing appropriate record-keeping strategies. The second is an assessment, by individual work units, of the risks they face in achieving their objectives, including record-keeping. Furthermore, Egbuji (1999:94) classifies risks into reputation, litigation and environmental risks. The Institute of Chartered Accountants in England and Wales classifies risks into five main categories: financial, business, compliance, operational and knowledge management (Fraser & Henry 2007:392–393). McKemmish and Acland (1999) suggest that failure of the record-keeping system may lead to organisational risks and societal risks. These risks include the following:

• Lack of evidence that an organisation did something under contract or according to regulation.
• Inability to find mission-critical information.
• Loss of proof of ownership, rights and obligations.
• Lack of documentation of who knew what and when.
• Inability to locate proper context information for records that may be incriminating in one context and innocent in another.
• Inability to demonstrate that policies and procedures were in place and consistently followed.
• Impairment of functioning of society and its institutions.
• Loss of evidence of the rights of people as citizens and clients.
• Inability of societal watchdogs to call to account governments, corporations and individuals.
• Loss of collective, corporate and personal identity.

From the discussions, it is no exaggeration to suggest that a solid records management programme can be an effective insurance policy for an organisation to identify risks. Ngoepe (2011:33) contends that organisations without proper records management run the risk of destroying records too soon and consequently of not being able to produce the records when legally required. Alternatively, organisations adopt the costly practice of keeping everything forever, a practice that can also backfire in legal proceedings. The organisation is then required to produce everything it has relating to the proceedings, not just what it is legally required to provide. At the very least, producing all related records is time-consuming and expensive (Ngoepe 2012:84). Therefore, it is appropriate to manage records to enable identification and assessment of risks within organisations.

Research methodology
This study relied on quantitative data collected via questionnaires distributed to governmental bodies in South Africa, which were listed on a government website as follows: 283 municipalities, 37 national government departments, 108 provincial government departments in all nine provinces and 30 public entities (South Africa Government Online n.d.). Data collected via questionnaires were supplemented through content analysis of documents such as risk strategies and registers of eight of the participating organisations who were willing to provide such documents. Since the population being studied was large and heterogeneous, a stratified random sampling technique was used. The assumption was that if other types of probability sampling were applied, chances are that national government departments and statutory bodies could have been under-represented as they were few, whilst municipalities and provincial government departments could be over-represented as they were many. The population was divided into strata of municipalities, national departments, provincial departments and public entities to ensure representativeness. Municipalities and provincial departments were further grouped into sub-strata according to their respective provinces. Participants from the chosen sample were selected purposively and were either a records management staff member, risk manager or internal audit staff member. In some instances, especially in municipalities, municipal managers were selected, as there were no records managers or auditors. A proportional sample size of 37% (171) was taken from the population based on a scientific calculator available online. Therefore, the sample consisted of 105 municipalities, 14 national departments, 40 provincial departments and 12 public entities.

Data analysis and research findings
This section analyses and presents the results of the data obtained via questionnaires and document review. Out of 171 questionnaires distributed, only 94 were returned, a 55% response rate. Data from questionnaires were analysed using survey software available online. Results are presented through written descriptions and numerical summaries. Of the 94 responses, 42.5% (40) were completed by records managers, 28.7% (27) by registry clerks, 15.9% (15) by other information professionals such as librarians, knowledge managers and information technology specialists, whilst 12.7% (12) were completed by different officials such as municipal managers, risk managers and internal auditors.

The availability of risk management strategies in governmental bodies
Principles 4.1 and 4.4 in chapter 4 of the King III report require organisations to develop risk management policy and plans that are aligned to the purpose of the organisation (IoDSA 2009:29). The policy should be widely distributed throughout the organisation. When asked if their organisations had developed a risk management strategy, 57.4% (54) of the respondents indicated that their organisations have developed an enterprise risk management strategy as compared to 42.6% (40) which did not have. The respondents indicated that the risk management policy and plan formed part of the strategy and were monitored by the risk committee. Of those who indicated that their organisations have developed a risk management strategy, only 36.1% (34) mentioned that the strategy included record-keeping as a risk. Another 21.2% (20) indicated that the strategy was not clear on records as it just mentioned security of information without specifying the type of information.

With regard to responsibility in risk management, 44.6% (42) indicated that the accounting officers have delegated the responsibility and designated the head of internal audit as the chief risk officer. It was only in a few instances, 23.4% (22), that respondents indicated that responsibility lay with compliance and legal service units. Only 31.9% (30) indicated that it was not clear who was responsible for risk management as there was no such unit in their organisation. However, no respondents indicated that the records management unit was involved in risk management in their organisation. Four (4.2%) respondents indicated that records management was represented by information technology managers in risk management meetings. With regard to the availability of risk committees, 77.6% (73) indicated that their organisation had established risk committees as compared to 22.3% (21) that did not. Again, no member of a records management team was part of the risk committees. When asked about the interval of risk assessment, 57.4% (54) indicated that the assessment is conducted once a year, as compared to 42.5% (40) which did not. Only 36.1% (34) of those who conducted risk assessments indicated that records management was included in the assessment.

Risks relating to records management in governmental bodies
Principle 5.7 in Chapter 5 of the King III report indicates that the risk committee should consider information as a crucial element of the effective oversight or risk management of the organisation. When asked about the availability of a risk register, 53.2% (50) indicated that there was a risk register in their organisations as compared to 46.8% (44) who did not have one. The respondents indicated that the risk register was reviewed once a year. The risks that kept recurring as identified by the respondents were loss of information, leakage of information, security of information and litigation due to unavailability of information. However, three respondents indicated that the top risk issues in their organisation were confidential and, therefore, could not divulge information to the researcher. Perusal of risk registers from eight participating organisations revealed that security of information was considered a high risk, especially in an electronic environment. Issues identified in the registers include: sufficient security measures to prevent unauthorised or untracked access to the computers, networks, devices or storage and the inclusion of user permissions, passwords control and firewalls in the systems. However, none of the eight risk registers mentioned the possible risks related to paper records and their storage.

The respondents were further asked to list five records management areas that pose a risk to or have a significant cost impact on their organisation. The top five issues were information security, data integrity, information loss, non-compliance and leaking of information. The internal audit unit was identified by respondents as responsible for providing assurance regarding risk management. However, 53.2% (50) of the respondents indicated that internal audit units and records management did not always work in unison on risk management issues.

How records management mitigates risks in the public sector
The King III report views information contained in records as the most important information assets as they are evidence of business activities. Therefore, it is essential for organisations to manage records for sustainability and to minimise risks associated with poor records management (Ngoepe & Ngulube 2013a). The availability and implementation of key records management documents such as strategy, policy, procedure, file plans, retention schedules, disposal authority, vital records schedules and disaster recovery plans goes a long way in helping organisations to mitigate risks. Respondents were asked to indicate or state the availability of key records management documents, as reflected in Table 1.

TABLE 1: Availability and implementation of key records management documents (N = 94).

It is distressing to reveal that only a pitiable figure of 9.5% (9) of governmental bodies have implemented disaster recovery plans. With regard to disposal authorities, respondents cited lack of support from the National Archives of South Africa (NASA) as a contributing factor to unavailability of disposal authority and a retention schedule in their organisation. One respondent indicated that their organisation requested a disposal authority from NASA in 2010, but had not yet received a response in 2014. This according to the respondent was despite several follow-ups with NASA. The respondent indicated that NASA cited lack of capacity as a contributing factor.

When asked how records management mitigates risk in governmental bodies, respondents replied that with proper records management in place, the governmental bodies will comply with archival legislation, minimise loss of information and be able to present records as evidence in court and base decisions on records rather than thumb-sucking or mental memory. They also identified that records management allows for the availability of comprehensive documented information about all aspects of risks and risk sources, retention and disposal of records. The following were further identified by respondents as areas of records management that will create risks for organisations if not attended to:

• Absence or poor implementation of records management strategies, policies and procedures.
• Approved file plans not implemented in filing structures.
• Inability to distinguish historical records from those with ephemeral value; as a result, the ‘keep everything syndrome’ is applied.
• Low awareness of the importance of proper records management practices.
• An overwhelming volume of older stored records.
• Staff changes that leave the context of many records unknown.
• Vital records not identified and secured (lack of a disaster preparedness plan).
• Failure to implement an electronic document and records management system (EDRMS).
• Staff not adhering to a central filing strategy (keeping files at their desks), resulting in inability to locate files later.
• Documents not verified as being complete before being returned to the registry, filing room or archives.

Discussion of results

It is clear from the study that internal audit units have assumed the functions, systems and processes of risk management in most governmental bodies in South Africa. As a result, risk management in most governmental bodies resides within internal audit functions. However, in a few instances the risk management function resides within areas such as compliance and legal services. There was no single instance in which the records management unit was responsible for risk management. Therefore, records management practitioners have taken a backseat with regard to risk identification. Even though most governmental bodies have established risk committees, records management practitioners did not form part of such committees. Instead, in most cases, records management was represented by the information technology division. The study has further revealed that there was an absence of a records management risk-mitigating framework or strategy in most governmental bodies. As a result, governmental bodies are vulnerable to information loss and litigations. The study has established that records management was excluded from the risk register of many governmental bodies. In the case in which records management was identified as a risk issue, only security and loss of information were considered the top risks associated with records.

The study has established that key records management documents that have been developed in the majority of governmental bodies include policy, procedures and a file plan. However, these documents were not implemented in most governmental bodies. Documents such as disaster recovery plans, vital records schedules and retention schedules were non-existent in many governmental bodies. This implies that the government is sitting on an ‘information ticking time bomb’ that could have dire consequences, such as loss of vital national memory and legal actions against government. In the absence of rules and guidelines as to what should be kept and for how long, staff should be reluctant to authorise the destruction of records, which is what was happening in most governmental bodies in South Africa. By not implementing records management policies and carrying out disposal authorities, governmental bodies are vulnerable in that they may not be able to meet legislative or other obligations required of them. For example, governmental bodies might find it difficult to respond to requests in terms of freedom of information legislation, as they would struggle to sift through an ever-increasing mountain of records. As a result, the retrieval of a particular record will be akin to searching for the elusive needle in the haystack. Furthermore, in an environment of ever-decreasing budgets, the over-retention of records may force governmental bodies to spend more money in order to preserve records that could have been disposed of a long time ago.

In this study, it has been established that proper records management can mitigate risk through compliance with legislation, minimisation of information loss and provision of evidence of transactions. It is clear from the study that record-keeping is viewed in the context of a key enabler without which risk management becomes unsuccessful. Relevant records are required to support activities performed in the course of business, decision-making and accountability. Therefore, how well organisations manage records will impact on certain business and legal risks, including:

• Loss of revenue (financial risk).
• Loss of legal rights and failure to comply with legislation (legal risk).
• Exposure to penalties in litigations and investigations (legal and financial risk).
• Violation of the law (compliance risk).
• Waste of staff time in searching for lost or mislaid documents (knowledge management risk).
• Inability to prove what has been done or agreed upon (legal risk and reputation risk).
• Fruitless expenditure due to storage of records with no archival or business value (financial risk).
• Lack of continuity in the event of disaster or employees resigning or changing positions (knowledge management risk).
• Accidental access to organisational records by external people due to employees leaving records in their work stations unprotected (security and reputational risk).

Conclusion and recommendations

It is clear from the study that a strong records management regime can be one of an organisation’s primary tools in identifying risks and can therefore lead to proper risk management. Therefore, records management should be integrated with risk management and record-keeping must be viewed by organisations as a risk management function, thereby leveraging its status in the public sector. The integration of risk and records management has a bright future as its synergy enables the identification of not only risk but also business opportunities, maintains competitive advantage and facilitates the achievement of the strategic objectives of the organisation. Therefore, as Isa (2009:257) would attest, a risk-based approach to records management identifies and gives priority to risky records and in the process ensures that records are protected against destruction and damage, retrieved when needed and disposed of at the end of their life cycle.

An effective records management programme covering the full life cycle of a record will ensure that records are not merely kept, but are kept well, as a resource and an asset to increase the organisation’s efficiency. As part of risk management, organisations should develop business continuity plans and contingency measures to ensure that records that are vital to the continued functioning of the organisation are identified as part of risk analysis, protected and recoverable when needed. As Isa (2009:91) would attest, to limit the risks associated with records, records need to be protected. Furthermore, organisations need to ask the following questions:

• What are the risks if the records are available, not available or fall into the wrong hands?
• Will there be sufficient evidence for a defence or to file a claim?

In view of all of the identified risks, record-keeping must be approached by governmental institutions as a risk management function. In this regard, the records management unit should be involved in the management of risks associated with records. Furthermore, records management practitioners should be included in risk committees. Effective risk management is the cornerstone of good governance and can lead to improved performance, resulting in better service delivery, more efficient use of resources, as well as helping to minimise waste and fraud. The risk assessments in governmental bodies should also review record-keeping, so that government entities’ records management priorities do not pose any legislative or business risk to the organisation. Applying the principles and practices well is no guarantee for success, as other factors can influence and determine outcomes. Nevertheless, failure to do so would most likely lead to less than desired results and, probably, even failure.


Competing interests
The author declares that he has no financial or personal relationship(s) that may have inappropriately influenced him in writing this article.


Akotia, P., 1996, ‘The management of public sector financial records: The implications for good government’, University of Ghana, Legon, viewed 10 January 2013, from

Auditor-General of South Africa, 2011, Simplifying audit opinions and findings to enable government leadership to exercise meaningful oversight towards clean administration, AG online column, viewed 16 July 2013, from

Bhana, P., 2008, ‘The contribution of proper record-keeping towards auditing and risk mitigation: Auditor-General of South Africa’s perspective’, paper presented at the 3rd Annual General Meeting of the South African Records Management Forum, Midrand, South Africa, 10–11 November, viewed 15 June 2013, from Contribution of Proper Records Keeping towards auditing and risk mitigation Auditor General Perspective.pdf

Chernobai, A.S., Rachev, S.T. & Fabozzi, F.J., 2007, Operational risk: A guide to Basel II capital requirements, models and analysis, John Wiley & Sons, New Jersey.

Committee of Sponsoring Organizations of the Treadway Commission, 2004, Enterprise risk management – Integrated framework, viewed 16 May 2013, from

Ebaid, I.E., 2011, ‘Internal audit function: An exploratory study from Egyptian listed firms’, International Journal of Law and Management 53(2), 108–128.

Egbuji, A., 1999, ‘Risk management of organisational records’, Records Management Journal 9(2), 93–116.

Erima, J.A. & Wamukoya, J., 2012, ‘Aligning records management and risk management with business processes: A case study of Moi University in Kenya’, Journal of the South African Society of Archivists 45, 24–38.

Fraser, I. & Henry, W., 2007, ‘Embedding risk management: Structures and approaches’, Managerial Auditing Journal 22(4), 392–409.

Graham, J. & Kaye, D., 2006, A risk management approach to business continuity: Aligning business continuity with corporate governance, Rothstein Associates, Brookfield.

Harris, V., 2002, ‘The archival sliver: Power, memory, and archives in South Africa’, Archival Science 2, 63–82, viewed 10 January 2014, from

Harris, V., 2007, ‘“They should have destroyed more”: The destruction of public records by the South African State in the final years of apartheid, 1990-1994’, in V. Harris (ed.), Archives and justice: A South African perspective, pp. 305–336, The Society of American Archivists, Chicago.

Harris, V. & Merrett, C., 2007, ‘Toward a culture of transparency: Public rights of access to official records in South Africa’, in V. Harris (ed.), Archives and justice: A South African perspective, pp. 269–288, The Society of American Archivists, Chicago.

Henttonen, P. & Kettunen, K., 2011, ‘Functional classification of records and organisational structure’, Records Management Journal 21(2), 86–103.

Hiles, A., 2002, Enterprise risk assessment and business impact analysis: Best practices, The Rothstein, Brookfield.

Institute of Directors in Southern Africa, 2009, King report on corporate governance for South Africa, Sandton, South Africa.

Institute of Internal Auditors, 2009, ‘A new level of audit committee involvement’, Tone at the Top 44, 1–3.

Isa, A.M., 2009, ‘Records management and the accountability of governance’, PhD thesis, Humanities Advanced Technology and Information Institute, University of Glasgow, Glasgow, Scotland, viewed 15 May 2013, from

Jimerson, R.C., 2003, ‘Archives and memory’, Archives and Manuscript 19(3), 89–95.

KPMG, 2011, Records risk management diagnose, viewed 10 December 2013, from

Lemieux, V.L., 2001, ‘Competitive viability, accountability and record keeping: A theoretical and empirical exploration using a case study of Jamaican Commercial Bank failures’, PhD thesis, Dept. of Information Studies, University of London, London, viewed 10 December 2013, from

Lemieux, V.L., 2004, ‘Two approaches to managing risks’, Information Management Journal, Sep/Oct, 56–62, viewed 15 January 2014, from

Lemieux, V.L., 2010, ‘The records-risk nexus: Exploring the relationship between records and risk’, Records Management Journal 20(2), 199–216.

Lomas, E., 2010, ‘Information governance: information security and access within a UK context’, Records Management Journal 20(2), 182–198.

McKemmish, S. & Acland, G., 1999, ‘Archivists at risk: Accountability and the role of the professional society’, paper read at the Annual Conference of the Australian Society of Archivists, Brisbane, Australia, 29–31 July.

Ngoepe, M., 2011, Records management practices in the South African public sector: Challenges, trends and issues, Lambert Academic Publishing, Saarbrücken.

Ngoepe, M., 2012, ‘Fostering a framework to embed the records management function into the auditing process’, PhD thesis, Dept. of Information Science, University of South Africa.

Ngoepe, M. & Ngulube, P., 2013a, ‘An exploration of the role of records management in corporate governance in South Africa’, SA Journal of Information Management 15(2), Art. #575, 8 pages.

Ngoepe, M. & Ngulube, P., 2013b, ‘Contribution of record-keeping to audit opinions: An informetrics analysis of the general reports on audit outcomes of the Auditor-General of South Africa’, ESARBICA Journal 32, 46–54.

Palmer, M., 2000, ‘Records management and accountability versus corruption, fraud and maladministration’, Records Management Journal 10(2), 61–72.

Reed, B., 1997, ‘Electronic records management in Australia’, Records Management Journal 7(3), 191–204.

Sampson, K.L., 1992, Value-added records management: protecting corporate assets and reducing business risks, 1st edn., Quorum Books, New York.

Sampson, K.L., 2002, Value added records management: protecting corporate assets, reducing business risks, 2nd edn., Quorum Books, New York.

Sarens, G. & De Beelde, I., 2006, ‘Internal auditors’ perception about their role in risk management: A comparison between US and Belgian companies’, Managerial Auditing Journal 21(1), 63–80.

South Africa Government Online n.d., Together we move South Africa forward, viewed n.d., from

Willis, A., 2005, ‘Corporate governance and management of information and records’, Records Management Journal 15(2), 86–97.


1. The nine chapters of the King report can be accessed from

