On the basis of its definition of business risk, the Library of Congress worked with its independent auditors to document substantial risks to the collections and to identify appropriate safeguarding controls. Based on the results of the audits, the Library decided to conduct formal risk assessments of the environments and control activities within selected divisions.
Library management realized that risks would need to be calibrated on the basis of the likelihood of their occurrence and on the magnitude of impact, should they occur. The risk associated with an internal control weakness over the safeguarding of the collection assets is assessed as high, moderate, or low, depending upon the degree to which present policies and procedures make it highly probable that: 1. Whether risk was acceptable would be determined by the degree to which one or more of the above situations could occur (likelihood of occurrence) and the degree to which the situation would adversely affect the integrity of the collections (magnitude of impact). Before the Library could begin its risk assessment, management had to determine which internal controls were relevant. To establish a common language for this segregation by risk, the Library uses names of five precious metals—platinum, gold, silver, bronze, and copper—that describe groups of items in the collections by degree of tolerance for risk. Silver includes items that require special handling and items at particularly high risk of theft, such as computer software, popular titles in print, videos, and compact discs. Other libraries can readily devise similar ranking systems to define degrees of risk specific to their collections. This risk tolerance category determines the levels of controls placed over the Library's items.
The Library of Congress, as a library of last resort that serves primarily the research needs of Congress, has a low tolerance of risk for monographs and manuscripts.
In 1997, the Library chose to start the risk assessment process by examining its Geography & Map Division. The Library has now conducted risk assessments of most of its special collections, its general collections, and areas that perform essential activities to service the collections, such as the Preservation Directorate, the Copyright Office, and the Collections Management Division. The final steps in the risk-assessment process are designed to summarize the results of the assessment and translate them into actions for management. For those risks that the institution decides it cannot tolerate, management must introduce mitigating control activities. Assessing risk and identifying controls are just two steps in the business risk model.
Some special format collections share off-site storage space, but this is undesirable and has been assessed as a risk to the inventory control and preservation of those items. To avoid inconveniencing patrons, managers often resist simple security and preservation controls that greatly reduce risk to the collections, such as requiring researchers to don protective gloves to examine fragile materials or allowing only staff to photocopy materials. This process followed generally accepted standards for internal control developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The COSO report on internal control, Internal Control-Integrated Framework, was written to establish a common language that business people, regulators, legislators, and others could use when communicating about internal control. The business risk model presented in this report was developed to satisfy the second of the five elements of the COSO framework, namely risk assessment.
Risk assessment is the identification and analysis of internal and external risks relevant to the achievement of objectives. Control activities are the policies and procedures an organization develops to ensure that management's directives are carried out and objectives are met. To conduct control activities and identify risks, mechanisms must exist within the organization to capture and communicate relevant information at all levels. The focus of the auditors' assessment was control activities, which in the Library range from cataloging standards and practices to protocols for the physical handling of acetate disks or eight-track tapes.


The assessments would be done in the divisions where collections of differing formats were either permanently stored or temporarily handled as they arrived, or where they were serviced in some manner within the Library. These situations may occur because of the absence of an effective policy or procedure, or failure to adhere to the policy or procedure.
Just as the clues to uncovering business risk are found in the mission statement, relevant controls are derived from an examination of business risks. The degree and type of control placed on an item depend upon its relative value and risk of loss or deterioration relative to other items in the collection.
10-11, defines the Library's four relevant controls, provides examples of each type, and describes risks that may be present if these controls are weak. A single-page manuscript has a higher risk of physical loss than does a large monograph. KPMG provided the structure for the risk assessments, employing internal control evaluation techniques similar to those used for financial statement audits.
Using the documentation describing the control environment, the team identified and documented the important internal controls that were in place and functioning in each process. After the risk-assessment results had been reported, management was expected to institute new controls or strengthen existing controls to reduce unacceptable risks.
It attempted to examine every type of collection item that carried specific risks so that it could extrapolate what had been learned to other similar materials that were not scheduled for assessment. Some risks can be overcome by changes in policies or procedures; overcoming others requires additional monetary or personnel resources. Despite the absence of a baseline risk assessment for the collections, the auditors could draw significant conclusions about the control environment and note what information was gathered, how well it was communicated, and how various monitoring systems operated. That way, staff could assess the risk to items over the course of their life cycle—from acquisition to cataloging and from service to storage. For example, from the four salient types of risk the Library identified, it derived four corresponding types of "safeguarding controls" that mitigate those risks to its collections. While not all libraries will face the same risks in equal measure and degree, the risks they face will fall into these four categories, as will the controls designed to mitigate them. Therefore, the risk-assessment process would be more efficient if collections were first segregated by major format types that tend to share similar risk. But not all libraries have closed stacks, even if it places their collections at some risk. This has allowed the Library to build a baseline assessment of risk and mitigating controls that meet the requirements of the audit process and yield critical information about the ongoing needs of the collections. No situation or environment can ever be totally risk-free, and reducing risk costs money, whether in the form of additional insurance coverage or of funding to implement tighter controls.
For instance, if the risk assessment reveals that existing physical security is inadequate, the institution will likely need to acquire security personnel or equipment to reduce the risk to an acceptable level. Measuring process performance is one way to identify control failure, but constant monitoring is also essential.
Assessments are a continuous part of the internal control process because emerging economic, regulatory, political, and operating conditions will change the type and degree of risks faced by an organization.
These differences affect the amount of risk to the assets that management is willing to tolerate. In addition, and unlike many other divisions, the primary processes of creating the inventory, bibliographical, preservation, and physical security controls all take place within one physically integrated, purpose-built space.


Figure 1 on page 16 depicts the procedures that made up the risk assessment process. From this comparison, management determined whether business risks were acceptable or whether controls needed to be instituted to mitigate some of them. It described the processes used to accession, catalog, and prepare the items for use. For each weakness, the team assessed the degree of risk and whether management was willing to accept the risk.
The risks that management was not willing to accept were sorted by level of risk (high, medium, or low) and by control type (bibliographic, inventory, preservation, or physical).
At this point in the risk assessment process, management must decide how much risk the institution is willing to accept—a decision that usually comes down to cost versus benefit, because no institution has unlimited resources. The frequency and depth of the monitoring activities depend on the amount and degree of risk faced by the organization.
For example, the risks to a recent monograph on the Japanese economy, printed on acid-free paper and of little artifactual value, would be different from the risks to a Hollywood feature film from 1956 or to the 1991 Sports Illustrated swimsuit issue.
Creating and enforcing such a policy would greatly reduce the risk of theft, loss, or misplacement of Library materials.
College libraries, for example, usually have open access to their stacks and so must institute policies and procedures that mitigate the havoc that can result when students pull books from the shelves and incorrectly reshelve them, or take them to the dormitory without checking them out. Management has less risk tolerance for items of considerable value that cannot be replaced than for those items that can be bought in the marketplace. These considerations, together with a highly knowledgeable and experienced staff, made this particular collection an ideal place to begin the process of translating library practice into a business model.
The degree of risk was measured by both the likelihood of occurrence and the magnitude of impact. Management analyzed the types of risks within each level to determine whether there were any pervasive weaknesses of a particular control type.
This report was used to support the institution's requests for further resources to strengthen controls or to institute additional controls that would facilitate achievement of the organization's mission objectives. The impact of a high-risk behavior is obviously greater if the item at risk is a holograph Emily Dickinson poem rather than the second copy of the fourth edition of Joseph Heller's Catch 22.
A successful monitoring activity is one that allows all serious matters to be reported to management in a timely manner. Each item has its own risks, based on physical features of the recording medium and perceived value, and in each case, the risks are dynamic and change over time.
College library managers may accept the risk to their collections when those controls fail occasionally, because it is worth it to meet student needs.
Similarly, risk may be unacceptable if a monograph is not cataloged or the number of copies the institution holds is not noted in a bibliographical database. A judicious choice of formats and genres produces a risk assessment that allows extrapolation from these data to similar types of collection items. In contrast, risk may be acceptable if individual pieces of a collection of manuscript correspondence do not receive item-level description, provided there are compensating controls in place.


