Prepared by PAC Australia

Download the PDF

Q: What is risk management?

Risk management is the term used to describe the activities people and organisations undertake to identify, assess and treat the risks that could potentially affect their businesses or organisations.

Risk management is widely used by organisations around the world as part of their standard management practice. This is reflected in the fact that there is an overarching international standard for risk management ISO 31000:2018, Risk management – Guidelines ( This is supported by other international standards for risk management vocabulary and risk assessment techniques. A number of countries have other risk management standards for specific applications, e.g. in Australia there are a wide range of risk management standards for areas as diverse as legal practice, weed control, medical devices and information security to name just a few. It is a tried and tested system and has been adopted by libraries and other cultural organisations around the world.

Q: Why is risk management useful in preservation?

There are a number of reasons risk management is helpful, including:

  • It is systematic and is carried out based on an agreed framework that is established when you first start on risk management. This groundwork is very important to the effectiveness of your subsequent risk management processes. Because it is systematic everyone in your organisation can use the same criteria to assess risks and to determine their priority for treatment.
  • Risk management can be applied to any organisation, event, project, type of work etc – so it can operate on many levels covering different circumstances – you just have to define the context in which you are operating and design the system to suit your organisation. So you can apply risk management to an exhibition, an event involving your collections or to the day to day operations of your library.
  • It provides you with an agreed language to discuss and compare diverse risks that can impact your organisation such as risks to the health and safety of workers and the public, to collections, to organisational finances and organisational reputation.
  • Including risks to collections in the broader organisational risk management framework brings the collections into consideration with all other organisational risks – this is where they should be because risks across an organisation can rarely be looked at in isolation. For example, risks to the building infrastructure or to finances are very likely to result in risks to collections, while risks to the collection have potential reputational and business continuity risks for collecting organisations.
  • Because it is systematic and uses an agreed risk language within an organisation, risk management can help to calm discussions and lead to less emotionally charged descriptions of risk. This is a positive for clear forward planning. People get very emotional about collections given their immense importance to our sense of identity within our different cultures, but managing risks to such important items is usually most efficient and effective when approached with a cool head.

Q: What is risk?

Risk is defined in ISO 31000:2018, Risk management – Guidelines as the effect of uncertainty on objectives. This is a very broad definition and so can cover a huge range of things that could happen and which could have only a minor impact through to things that could be devastating. This is why organisations decide what categories of risk they will focus on, what risks and what level of risk they are willing to live with and which risks they need to actively manage.

The same system that is used for risks, can be used to assess opportunities, which can be seen as positive risks.

Q: But isn’t risk defined as consequences x likelihood?

Well not really. This definition is used sometimes but it is a bit misleading and does not help you to understand the risk. When identifying risks it is important to have a really good understanding of their source and what they might result in, for example “risk of fading and colour change due to exposure to UV radiation and high lighting levels”. This can help you determine the severity of the impact (consequences) and the likelihood of it occurring in the specific instance you are looking at, and then how you might treat that risk in a cost-effective way.

Determining the severity of the impact (consequences) and the likelihood of the risk being realised is the most common form of risk analysis. Consequences x likelihood can give you a risk rating which helps you to determine the priority of treating a risk as compared to others you have identified and analysed. This is vital for planning.

Q: What are the main risks that can affect collections?

The Agents of Deterioration framework is a very useful way of looking at the source of risks to collections, so useful in fact that this system of categorising risks to collections can be found on websites from all over the world. It was developed at the Canadian Conservation Institute (CCI) in the 1990s and has been expanded on and developed since then. The Canadian government website provides in-depth information on the agents of deterioration when you follow the individual links ( You may not need or want to go into this depth but there are other websites, such as the AIC wiki ( and the Smithsonian National Postal Museum ( that provide really useful summaries of the “agents”.

The agents of deterioration are:

The Agents of Deterioration are a useful launching point for your thinking about the risks you might encounter in your situation. The relative importance of those risks and the way you treat them will be specific to your organisation. Remember that these agents may not be the only risks to your collections – if you don’t have funding or your occupancy of your building is uncertain, the risks to the collection might be ones that are common to the organisation as a whole.

Q: So how does risk management relate to preservation strategies?

Risk Management and Preservation Strategies have much in common. Both seek to identify potential risks, assess their potential impact and likelihood of occurring and aim to have treatment strategies planned in advance to ensure that the response can be quick, efficient and hopefully effective. This is especially evident in disaster preparedness and response planning and other preventive programs. What risk management adds is the formalised assessment of the likelihood of something happening and the potential severity of the impact, which really helps sharpen the focus for short-, mid- and long-term preservation planning.

Other things that risk management and preservation planning have in common are:

  • The need to tailor your systems to your specific circumstances.
  • The importance of ongoing consultation and communication
  • The necessity to monitor and review and revise as required to ensure the ongoing effectiveness of the work.
  • Both benefit greatly from data gathering and building on experience.

If your organisation uses risk management as part of its overall management framework, basing your preservation planning and communications around risk can help to have collection issues considered alongside other corporate issues.

Q: Can risk management help to determine if a preservation strategy is effective and efficient?

Risk management is certainly one tool that can help you to assess the effectiveness of your preservation strategies. Risk management is not something that is done just once – to be truly effective and to have it embedded in your management approaches, risk management is continuous. This repeated work of risk management provides you with the opportunity to observe trends over time. If the trend is toward a lower risk rating for the same risk over time because of the treatments/mitigations put in place, this is an indicator that your strategies are effective. However, it is not necessarily an indicator that they are cost-effective – this is something that you would need to determine taking into account the amount of staff/contractor and other resources required to achieve the change in the risk rating.

Risk management can be used with other mechanisms as well, for example, a trend over time toward a lower risk rating combined an improvement in condition or halting of deterioration of your collection would be a good qualitative indicator that the preservation strategies are effective.

Q: Can I use another organisation’s risk management framework or preservation strategy?

You can use another organisation’s risk management framework or preservation strategy as a reference and as a guide to how you might want to structure your own work, but your risk management framework and your preservation strategy will be most effective if they are designed for your specific needs, your physical environment, your political, social and cultural environment and your collection.

Q: Looking at the preservation literature, there seems to be a whole lot of different approaches. Which is best?

There are quite a few different approaches, and that is because people have developed different approaches to meet different needs. So the best approach will be the one that works for you. You may find that over time you use a number of different approaches for both risk management and preservation planning.

For example, at the National Library of Australia (NLA), risks to the collections are included in the risk categories that are part of the corporate risk framework. The collections are a major asset and so this is appropriate. The NLA’s Enterprise Risk Management framework, policy and practices are based on the international standard, ISO 31000:2018, Risk management – Guidelines. In Preservation Services at the Library, we have also based our risk management on the standard, because we feel it is important that our preservation activities are using the same system and language as the wider Library. This is a strategic choice to ensure preservation strategy issues receive attention throughout the organisation. At the same time, we are using QuiskScan to get a snapshot of the vulnerabilities of the collection to assist in developing our Strategic Preventive Conservation Program. It will be used to help develop a risk profile for the collections as a whole. The QuiskScan ( was developed by conservation scientists at the Cultural Heritage Agency of the Netherlands and the British Museum.

Another method, based around the Agents of Deterioration ( is the Cultural property risk analysis model (CPRAM). This model was developed specifically for preservation/preventive conservation planning. This method is widely used in the cultural heritage sector and Robert Waller, who developed it, has provided training workshops in a number of different countries.

In all the examples listed above risk management and preservation strategic planning are strongly linked. You just need to determine the way you want to work, to either select or design the best approach for your needs.

Additional Resources 

Download the PDF for a full list of additional resources

Back to all F.A.Q. topics.