Managing risk
If you hold bibliographic records that have been supplied by other parties, there may be risk involved in using and transferring these records. This does not need to be a bad thing, just something to be aware of. Identifying risks does not mean that you are creating the risk, but that you can analyse the risks and decide what to do about them.
Conducting regular compliance audits is essentially a form of risk management - a systematic process of identifying, analysing and responding to project risk.
Risk management may be broken down into a number of sub-processes:
This page is based on information from JISC infoNet's Risk Management infoKit which provides excellent guidance if you would like to find out more about this topic.
This is the first stage of risk management - becoming aware of risks to your institution. Undertaking Steps 1, 2 and 3 of the compliance audit will help you identify risks, which may include:
- undertaking activities which you are not sure are permissible within your supplier licences;
- using and transferring bibliographic records where you are unsure of their provenance;
- not understanding what you are doing with your bibliographic records, and not knowing what contractual relationships they have been supplied under.
It is good practice to log these risks in a Risk Register.
This involves assigning relative priority and absolute significance of risks by assessing their likelihood and severity (eg H, M or L impact on cost, time or money). This can be done at Step 3.
Having prioritised your risks, you can decide how you will respond to them - this is addressed at Step 4 of this website. The way you manage these risks will depend on your institution's attitude to risk, ranging from risk averse to risk seeking, although most institutions are likely to lie towards the risk averse end of the scale.
You may choose to mitigate, avoid, defer, accept or transfer the risks.
For example, possible responses to an example risk (some of your activities do not comply with one of your suppliers' licence terms) may include:
- Do nothing - accept the risk, add it to the risk register and put procedures in place to deal with situations that may arise.
- Negotiate with suppliers to clarify contractual terms, or to add in new terms and mitigate the risk.
- Cease activities which are not permitted and avoid the risk.
You need to keep track of the identified risks, monitor the effectiveness of your risk responses and identify new or changed risks (eg when you negotiate new contracts with suppliers) by regularly auditing your compliance (Step 5).