Risk-Assessment Process

Creating an Internal Control Framework

On the basis of its definition of business risk, the Library of Congress worked with its independent auditors to document substantial risks to the collections and to identify appropriate safeguarding controls. This process followed generally accepted standards for internal control developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).³ The COSO report on internal control, Internal Control-Integrated Framework, was written to establish a common language that business people, regulators, legislators, and others could use when communicating about internal control. It provides a framework by which both public agencies and private sector businesses can understand their control systems. While this framework is widely accepted in the business and accounting communities, its terminology was new to the Library staff. By contrast, its concepts, which mapped closely to practices of responsible custody and service, were quite familiar to the professional staff.

The COSO defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations" (1991). The business risk model presented in this report was developed to satisfy the second of the five elements of the COSO framework, namely risk assessment. This element and the other four framework elements are as follows:

1. Control Environment. The control environment is an organization's culture, beliefs, and values. It includes the integrity, ethical beliefs, and competencies of its people, which are visible in management's operating style, how management assigns authority and responsibility, and how management organizes and develops its employees. Another indication of the control environment is the degree of involvement from its board or directors.

2. Risk Assessment. Risk assessment is the identification and analysis of internal and external risks relevant to the achievement of objectives. A risk assessment forms a basis for determining how risks should be managed. Assessments are a continuous part of the internal control process because emerging economic, regulatory, political, and operating conditions will change the type and degree of risks faced by an organization.

3. Control Activities. Control activities are the policies and procedures an organization develops to ensure that management's directives are carried out and objectives are met. Control activities occur at all levels and in all functions within the organization.

4. Information and Communication. To conduct control activities and identify risks, mechanisms must exist within the organization to capture and communicate relevant information at all levels. Information systems produce reports with internal and external financial, operational, and compliance information that allows the organization to function. This information must flow up, down, and across the organization for the control environment to remain strong. External communication with customers, suppliers, regulators, and stakeholders must also be effective.

5. Monitoring. The internal control system must be monitored for effective performance over time and be evaluated periodically. Management and supervisors must constantly assess actions taken by staff in performing their duties. The frequency and depth of the monitoring activities depend on the amount and degree of risk faced by the organization. A successful monitoring activity is one that allows all serious matters to be reported to management in a timely manner.

The Library's auditors used this framework in fiscal years 1995 and 1996 to assess the status of the Library's safeguarding controls over its collections and to serve as a basis for the development of recommendations for improving those controls. The focus of the auditors' assessment was control activities, which in the Library range from cataloging standards and practices to protocols for the physical handling of acetate disks or eight-track tapes. Despite the absence of a baseline risk assessment for the collections, the auditors could draw significant conclusions about the control environment and note what information was gathered, how well it was communicated, and how various monitoring systems operated. How were managers held accountable for the collections in their custody? How was performance evaluated, how often was it done, and what authority did managers have to enforce policies that served to protect the collections? What orientation and training did the staff receive about workplace policies and procedures? What instructions were patrons given about proper handling procedures for rare or fragile materials? The control activities of an institution provide the answers to these questions.

Based on the results of the audits, the Library decided to conduct formal risk assessments of the environments and control activities within selected divisions. The assessments would be done in the divisions where collections of differing formats were either permanently stored or temporarily handled as they arrived, or where they were serviced in some manner within the Library. That way, staff could assess the risk to items over the course of their life cycle—from acquisition to cataloging and from service to storage. Staff could also distinguish between the risks to different types of material. For example, the risks to a recent monograph on the Japanese economy, printed on acid-free paper and of little artifactual value, would be different from the risks to a Hollywood feature film from 1956 or to the 1991 Sports Illustrated swimsuit issue. Each item has its own risks, based on physical features of the recording medium and perceived value, and in each case, the risks are dynamic and change over time. A judicious choice of formats and genres produces a risk assessment that allows extrapolation from these data to similar types of collection items.

Library management realized that risks would need to be calibrated on the basis of the likelihood of their occurrence and on the magnitude of impact, should they occur. The Library's safeguarding risk, i.e., the risk of not controlling what happens to the overall condition of the collections, was defined as follows:

The risk associated with an internal control weakness over the safeguarding of the collection assets is assessed ashigh, moderate, or low, depending upon the degree to which present policies and procedures make it highly probable that:

1. The Library will incur a loss of collection items (by theft, damage or misplacement), and the loss will not be detected in a timely manner by personnel in the ordinary course of business;

2. The Library will not be able to serve the needs of Congress, the U.S. government, or the public through service or accessibility to the collection assets;

3. The Library will not be able to acquire materials critical to the continued development of the research collections; and/or

4. Management will not receive enough information to determine whether its objectives, with respect to collection assets, are being achieved.

Whether risk was acceptable would be determined by the degree to which one or more of the above situations could occur (likelihood of occurrence) and the degree to which the situation would adversely affect the integrity of the collections (magnitude of impact). These situations may occur because of the absence of an effective policy or procedure, or failure to adhere to the policy or procedure. For example, moving materials from a custodial division to the preservation department without creating any paperwork to document the transfer would be one such unacceptable practice. This could occur either because there was no policy regarding paper documentation in place or because the staff ignored the policy. Creating and enforcing such a policy would greatly reduce the risk of theft, loss, or misplacement of Library materials.

Identifying Relevant Controls

Before the Library could begin its risk assessment, management had to determine which internal controls were relevant. Just as the clues to uncovering business risk are found in the mission statement, relevant controls are derived from an examination of business risks. For example, from the four salient types of risk the Library identified, it derived four corresponding types of "safeguarding controls" that mitigate those risks to its collections. They include bibliographic, inventory, preservation, and physical security controls.

Given the many formats that the Library holds and the complexities of controlling them both physically and intellectually, controls vary among formats and media. The degree and type of control placed on an item depend upon its relative value and risk of loss or deterioration relative to other items in the collection. The demand for and condition of an item may vary. Nonetheless, whether the item is a videotape, a Thomas Jefferson holograph letter, or an illustrated elephant folio from 1750, it must have bibliographical control, be retrievable through some inventory or tracking system, be protected from physical degradation or loss of information content, and be secured from theft and mutilation.

Table 1, on pp. 10–11, defines the Library's four relevant controls, provides examples of each type, and describes risks that may be present if these controls are weak. While not all libraries will face the same risks in equal measure and degree, the risks they face will fall into these four categories, as will the controls designed to mitigate them.

Determining How to Assess Risk

The Library separated its collections by format before attempting to assess risk. This was done for several reasons. First, only about one-quarter of the Library's collections are books and serials. Most are special collections. Whereas the book collections are housed in centrally controlled storage areas and from there served in several reading rooms, the special collections are separately housed and controlled and served in separate reading rooms to researchers.⁴ For instance, music scores are housed and served in the Music Division, whereas maps and globes are housed and served in the Geography & Map Division. Within each special collection division, items also have different formats. For example, recorded sound may be kept on LPs, CDs, cassettes, or other media.

Second, the degree of risk will vary, depending upon the format of the item. A single-page manuscript has a higher risk of physical loss than does a large monograph. Therefore, the risk-assessment process would be more efficient if collections were first segregated by major format types that tend to share similar risk.

To establish a common language for this segregation by risk, the Library uses names of five precious metals—platinum, gold, silver, bronze, and copper—that describe groups of items in the collections by degree of tolerance for risk. The Library defined each group as follows:

Platinum includes the Library's most priceless items. The Treasures, a small group of the Library's most precious items, such as the Gutenberg Bible, are the quintessential components of this category.

Gold includes rare items that have prohibitive replacement cost, high market value, and significant cultural, historical, or artifactual importance. This includes first editions and rare books, daguerreotypes, manuscript maps, and wax cylinder recordings.

Silver includes items that require special handling and items at particularly high risk of theft, such as computer software, popular titles in print, videos, and compact discs.

Bronze includes items served without special restrictions in the Library's reading rooms and materials that may be loaned without stringent restrictions.

Copper includes items the Library does not intend to retain but holds while deciding; for example, items that may be used for its exchange and gift programs.

2. Inventory Control "Where are the items located?"
Examples of Activities	Potential Risks from Weak Control Activities
• Automated circulation control systems	The existence of collection items may not be recorded (inventoried) by the institution when the items are received. Without a record of existence, even the library staff will not know about them. The staff will also not know if items are lost or stolen. If items must travel among many departments of the institution for cataloging, treatment, and storage, or to an off-site location for service or storage, and the movement of the items is not tracked, the institution may have no way of knowing where to locate the items.
• Shelf lists	A shelf list may be in manual form only, preventing it from being easily updated.

3. Preservation Control "How can collection items be protected from physical loss or damage due to improper handling or storage?"
Examples of Activities	Potential Risks from Weak Control Activities
• Serving surrogates (digital, microform, reference copies of audiovisual materials)	Original works may become inaccessible because their format cannot be restored and no measures have been taken to reproduce them in a more stable medium.
• Programs for collections care	Monographs produced on acidic paper may deteriorate if they are not deacidfied.
• Preservation treatment of processed items	Items that require preservation treatment may not be identified because the institution does not have a program to identify them in a timely manner.
• Planning for proper storage (adequate space and appropriate environment)	Temperature and humidity controls within the collection storage areas are inadequate to properly preserve the stored items. Storage space is insufficient to meet current or future needs. Stored items may suffer damage because there is insufficient shelf space or a lack of space for protective housing.

4. Physical Security Control "How can collections be protected from physical loss or damage due to improper handling or storage?"
Examples of Activities	Potential Risks from Weak Control Activities
• Engaging building perimeter security, including exit inspections and theft- detection devices	Valuable research or collection items are not equipped with theft-detection targets or other methods for identifying when someone is attempting to remove them from the premises. The institution’s buildings that house valuable research or collection items have no physical deterrents to prevent vehicles with bombs from approaching or other terrorist actions from occurring.
• Closing stack access to the public	An institution has no physical security to ensure valuable research items or collections cannot be removed.
• Registering readers	An institution has no record of its readers’ identities or addresses, making it impossible to locate them in the event an item they were using cannot be located.
• Restricting loans to authorized organizations or individuals and docu-menting the transaction	An institution with no formal loan policy for its materials has no recourse in the event an item is lost or damaged by an organization to which it was loaned.

Other libraries can readily devise similar ranking systems to define degrees of risk specific to their collections.

This risk tolerance category determines the levels of controls placed over the Library's items. Manuscripts usually consist of unbound sheets of paper, such as letters. Because these sheets can be easily lost or misplaced and because it is seldom cost-efficient to institute item-level bibliographic and inventory control over manuscript leaves, physical controls are put in place to compensate for this situation. Such controls must be strong in areas where the items are likely to become lost, stolen, or damaged, such as in the reading room. Additional security personnel may be required to monitor researchers' actions, and researchers' activities may be limited; for example, they may not be allowed to bring personal items into the reading room. These are difficult trade-offs for both library staff and researchers. Libraries that require their readers to modify their behavior to protect the collections must make it clear to their patrons why the measures are deemed necessary.⁵

The Library of Congress, as a library of last resort that serves primarily the research needs of Congress, has a low tolerance of risk for monographs and manuscripts. In the past decade, the Library has greatly enhanced security and restricted access to its general-collections stacks. But not all libraries have closed stacks, even if it places their collections at some risk. In some cases, the measures of protection afforded by physical security are provided in other ways. College libraries, for example, usually have open access to their stacks and so must institute policies and procedures that mitigate the havoc that can result when students pull books from the shelves and incorrectly reshelve them, or take them to the dormitory without checking them out. College library managers may accept the risk to their collections when those controls fail occasionally, because it is worth it to meet student needs.

To provide examples of how control environments differ among different collection formats at the Library, Table 2 on pp. 14–15 compares and contrasts the principal safeguarding controls of three types of collections: monographs, manuscripts, and prints and photographs.

Controls vary with the format of the material, because each format resides in a different environment and is subject to different types of handling. These differences are apparent in the physical control risk category. If lost or stolen, some monographs can be readily replaced, while others cannot. These differences affect the amount of risk to the assets that management is willing to tolerate. Management has less risk tolerance for items of considerable value that cannot be replaced than for those items that can be bought in the marketplace.

2. Inventory Risk Items cannot be located because their location is not recorded.
Monographs	Manuscripts	Prints and Photographs
An accurate and fully functional shelf list is maintained to locate items not on the shelf, checked out, or on loan.	Comprehensive shelf lists may be impractical for institutions that house large numbers of manuscripts. Physical controls must compensate for lower degrees of inventory control.	Comprehensive shelf lists may be impractical for large numbers of individual photographs that may by grouped by subject or photographer. Physical controls must compensate for lower degrees of inventory control.

3. Preservation Risk Items may not be usable because they are too fragile.
Monographs	Manuscripts	Prints and Photographs
Inspections are conducted of valuable items to detect damage or deterioration.	Similar control as monographs.	Similar control as monographs.
Surrogates, such as microfilmed copies, are served to researchers so originals can be handled sparingly.	Fragile items are copied onto acid-free paper during preparation for storage.	Surrogates, such as digital images and copy prints, are served when originals are fragile.
Temperature controls and hydrother-mographs are used to monitor the physical environment of the stacks.	Similar control as monographs.	Similar control as monographs.
Signs are posted in reading rooms instructing patrons on how to handle books.	Similar control as monographs.	Similar control as monographs.

4. Physical Risk Items are subject to loss or misappropriation.
Monographs	Manuscripts	Prints and Photographs
Stack areas are off limits to the general public.	Similar control as monographs.	Some items are available for general use in the reading room. Patrons can select these items on their own. Service of this nature is limited to less valuable items.
Items of special interest or extraordinary value are placed in locked areas, with restricted key access.	Manuscripts are inherently susceptible to loss or misplacement. Additional security in the reading rooms is necessary to discourage theft because segregation of valuable and invaluable items is difficult.	More valuable or fragile items are kept in stacks that are not accessible by the public.
Security cameras are placed in reading rooms and study areas.	Similar control as monographs.	Similar control as monographs.
Access to other areas of the building is limited to employees.	Similar control as monographs.	Similar control as monographs.
Books are tagged with electronic devices that activate an alarm at a library exit gate if an attempt is made to remove them from the premises.	Researchers are restricted from bringing personal belongings into the reading room. Manuscripts cannot be hidden in personal belongings.	Similar control as Manuscripts.

Conducting the Risk Assessment

In 1997, the Library chose to start the risk assessment process by examining its Geography & Map Division. The collections in this division, while all containing geographical information, are recorded on diverse media, from vellum to computer disk. The highly diverse formats of geographical information, including atlases, globes, and single sheet maps, have a variety of bibliographical and preservation needs. In addition, and unlike many other divisions, the primary processes of creating the inventory, bibliographical, preservation, and physical security controls all take place within one physically integrated, purpose-built space. These considerations, together with a highly knowledgeable and experienced staff, made this particular collection an ideal place to begin the process of translating library practice into a business model.

A team of KPMG consultants and Library managers performed the risk assessments. KPMG provided the structure for the risk assessments, employing internal control evaluation techniques similar to those used for financial statement audits. The process was performed separately for each participating division. Figure 1 on page 16 depicts the procedures that made up the risk assessment process.

Step 1: Define Risk. The risk assessment started with defining risk. This definition served as the measure against which business risks were compared. From this comparison, management determined whether business risks were acceptable or whether controls needed to be instituted to mitigate some of them.

Step 2: Conduct Interviews and Walk-Throughs. Together, KPMG and Library managers walked through each division to understand and document the general flow of materials within the division. The walk-through was repeated if different types of formats moved about in different ways.

Step 3: Document the Control Environment. Based on the interviews and walk-throughs, the team prepared a memorandum that documented the flow of materials in the division. The memo began by describing how the materials entered the division. It described the processes used to accession, catalog, and prepare the items for use. The documentation concluded by describing whether the items were stored within the division or sent to other areas of the Library. The documentation included examples of manual or computer-generated forms the division used to track and control the movement of items. A flowchart was prepared to illustrate the movement of materials.

Step 4: Define the Key Controls. Using the documentation describing the control environment, the team identified and documented the important internal controls that were in place and functioning in each process.

Step 5: Define the Control Weaknesses. From the documentation prepared in Step 3, the team identified and documented weaknesses in the control environment. They described what controls should be in place to safeguard assets but were not in place as well as what controls were in place but did not appear to be functioning properly. (Examples of control weaknesses are presented in Table 1.)

Step 6: Assess the Degree of Risk on a Control-by-Control Basis. The team summarized the control weaknesses by process (e.g., accessioning and cataloging), and by control type (i.e., inventory, physical, bibliographic, or preservation). For each weakness, the team assessed the degree of risk and whether management was willing to accept the risk. The degree of risk was measured by both the likelihood of occurrence and the magnitude of impact.

Step 7: Separate Acceptable Risks from Unacceptable Risks. All risks that management was willing to accept were removed from further consideration at this time. The risks that management was not willing to accept were sorted by level of risk (high, medium, or low) and by control type (bibliographic, inventory, preservation, or physical). Management analyzed the types of risks within each level to determine whether there were any pervasive weaknesses of a particular control type. This determination was based on several factors, including the probability that the weakness might significantly hamper the institution's ability to carry out its mission.

Step 8: Report Results to Organization Management. The institution's management team prepared an executive summary for organization management. The summary restated the institution's mission and objectives, summarized the results of the risk assessment, and made conclusions about the effect of the results on the institution's ability to carry out its mission and objectives. This report was used to support the institution's requests for further resources to strengthen controls or to institute additional controls that would facilitate achievement of the organization's mission objectives.

Step 9: Incorporate Action Plans into Management Performance Plans. After the risk-assessment results had been reported, management was expected to institute new controls or strengthen existing controls to reduce unacceptable risks. Management would hold itself responsible for accomplishing these actions by incorporating them into its annual performance plans or goals. It then would measure its own performance regularly to ensure the actions were taken and control effectiveness was improved.

Addressing Unacceptable Risks

The Library has now conducted risk assessments of most of its special collections, its general collections, and areas that perform essential activities to service the collections, such as the Preservation Directorate, the Copyright Office, and the Collections Management Division. It attempted to examine every type of collection item that carried specific risks so that it could extrapolate what had been learned to other similar materials that were not scheduled for assessment. This has allowed the Library to build a baseline assessment of risk and mitigating controls that meet the requirements of the audit process and yield critical information about the ongoing needs of the collections.

The final steps in the risk-assessment process are designed to summarize the results of the assessment and translate them into actions for management. Step 7 of the process separates acceptable from unacceptable risks. No situation or environment can ever be totally risk-free, and reducing risk costs money, whether in the form of additional insurance coverage or of funding to implement tighter controls. At this point in the risk assessment process, management must decide how much risk the institution is willing to accept—a decision that usually comes down to cost versus benefit, because no institution has unlimited resources. The impact of a high-risk behavior is obviously greater if the item at risk is a holograph Emily Dickinson poem rather than the second copy of the fourth edition of Joseph Heller's Catch 22. Similarly, risk may be unacceptable if a monograph is not cataloged or the number of copies the institution holds is not noted in a bibliographical database. In contrast, risk may be acceptable if individual pieces of a collection of manuscript correspondence do not receive item-level description, provided there are compensating controls in place.

For those risks that the institution decides it cannot tolerate, management must introduce mitigating control activities. Some risks can be overcome by changes in policies or procedures; overcoming others requires additional monetary or personnel resources. For instance, if the risk assessment reveals that existing physical security is inadequate, the institution will likely need to acquire security personnel or equipment to reduce the risk to an acceptable level. Securing funding for these improvements may remain a challenge, but with the risk assessment results in hand, managers will have the documentation necessary to support their requests as well as the business understanding necessary to present those needs to financial decision makers.

Monitoring Risk: An Ongoing Process

Assessing risk and identifying controls are just two steps in the business risk model. Controls are effective only if they are implemented, and they must be tested periodically to be sure they are operating effectively. Measuring process performance is one way to identify control failure, but constant monitoring is also essential. Monitoring involves assessing the design and operation of controls regularly and taking necessary actions. It applies to all activities in an organization.

For example, management may measure the performance of adequate preservation controls by recording statistics about how many items were treated during a particular period. However, this measure is meaningful only if management also had surveyed its materials and determined how many items were in need of treatment at the outset. This periodic evaluation is an effective monitoring tool to understand the general performance related to preservation, but it will not necessarily detect a specific item that needs attention.

Monitoring is also conducted by ongoing activities, such as noticing damage or deterioration of items that have been served to a researcher. If an item needs treatment, immediate action should be taken. Monitoring might also require thorough surveys of portions of a collection to see whether any items are particularly vulnerable.

Limitations on Internal Control

Management must be aware of what internal controls cannot do, as well as of what they can do. For example, internal controls, no matter how well designed, cannot provide absolute assurance that an organization's objectives will be achieved. All systems of internal control have inherent limitations. These limitations include faulty decision making, human errors, or collusion by two or more people within an organization. Management itself may also override controls. Therefore, while controls help ensure that management is aware of the organization's progress toward its objectives, they can provide only reasonable assurance that the objectives will be achieved. Above all, management should consider where controls, if instituted, will return benefits to the organization that outweigh their costs.

Footnotes

³ COSO's oversight board consists of representatives from the American Institute of Certified Public Accountants, the American Accounting Association, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute. s

⁴ Some special format collections share off-site storage space, but this is undesirable and has been assessed as a risk to the inventory control and preservation of those items.

⁵ To avoid inconveniencing patrons, managers often resist simple security and preservation controls that greatly reduce risk to the collections, such as requiring researchers to don protective gloves to examine fragile materials or allowing only staff to photocopy materials. Simple explanations of why a certain practice is good stewardship—on the patron's part as well as the library's—obviates complaints in most cases.

Next     Previous

Return to CLIR Home Page >>