Origins of the Risk-Assessment Model
The risk-assessment methodology described in this report has its origins in the efforts of the Library of Congress (the Library) to better manage its finances and strengthen its core business, that is, “to make its resources available and useful to Congress and the American people and to sustain and preserve a universal collection of knowledge and creativity for future generations” (Library of Congress 1997). Developed to be used in a working national library, the methodology is now an integral part of the Library’s annual audit. Because the Library is an agency in the legislative branch of the Federal government, other libraries may not share its specific accounting requirements. Moreover, the scope and size of the Library’s collections exceed those of other research libraries and, indeed, other national libraries. But the fundamental problems that the Library staff addressed with independent financial auditors from KPMG LLP as they developed the first-ever model to “account” for the well-being of heritage assets are the same as those facing any library-public or private, multimedia, or single-format.
The Library undertook its first audit in fiscal year 1995. For the purposes of this audit, the Library’s collections were assessed not for their replacement value but for their cultural value. They were treated as “heritage assets,” a term from the Federal Accounting Standards Advisory Board (FASAB)1 Standard No. 6, Accounting for Property, Plant, and Equipment. The standard uses the term to define assets with historical or natural significance; cultural, educational, or artistic importance; or significant architectural characteristics. These assets are generally expected to be preserved indefinitely. Their monetary value may vary significantly from item to item; some items may even be irreplaceable. In all cases, the monetary value is seldom identical to the cultural value these assets provide for the communities they serve-past, present, and future.
The costs of acquiring, processing, and preserving collection items consume a significant portion of a library’s annual budget. In Federal financial statements, the costs of keeping collections up-to-date, physically stable, and readily accessible are considered operating expenses in the period incurred. The heritage assets are quantified in terms of physical units (for example, number of items in the collections) and recorded in a supplemental schedule to the financial statements.
Although not required to do so by law, the Library of Congress elects to comply with laws to improve financial management in the executive branch agencies.2 Each year the process begins with Library management making a statement about the adequacy of its internal controls over financial reporting and the safeguarding of its collections. (“Safeguarding” refers to the protection of the assets from theft, loss, or misuse.) The Library’s independent auditors are required to express opinions not only on the fair presentation of the financial statements but also on whether management’s assertions are accurate. In its financial statements for fiscal years 1995-1998, the Library was unable to assert that its controls over safeguarding of heritage assets were effective. The Library’s auditors agreed with this assertion.
The Library could not assert that its controls were effective because the risks to its collections had never been assessed. A risk assessment is the foundation for establishing or improving existing controls in order to form an internal control framework that lets managers know the state of an organization’s assets at any time. Absent that assessment, managers have only anecdotal feedback about the effectiveness of controls. While Library managers and staff had a fairly strong grasp of what threats existed to their collections and what actions could be taken to mitigate them, there were no data to support that knowledge or to demonstrate to funding organizations the need to invest in improving controls. To rectify this, the Library began systematically assessing the risks to its collections.
Defining Business Risk
To understand where its risks lie, management must be clear about what risks might threaten the mission of the institution. Missions vary widely among libraries and research institutions, as do their collections. For instance, the Library of Congress’s mission is to “acquire, preserve, and make maximally accessible the intellectual and information heritage of the United States and, to the degree desirable, the world” (1997). The Library has many different types of collections with different levels of value, but the comprehensiveness of its collections is critical. Because the Library keeps items of research value indefinitely, it emphasizes collections care and long-term preservation.
Harvard College Library has a similarly ambitious mandate. Its mission statement says that it “supports the teaching and research activities of the Faculty of Arts and Sciences and the University. Beyond this primary responsibility, the Library serves, to the extent feasible, the larger scholarly community.” In contrast, the mission of the Denver Public Library is “to help the people of [the] community achieve their full potential” by informing, educating, inspiring, and entertaining its patrons (2000). Although it does have special collections that are unique and rare, the Denver Public is not a library of last resort. Consequently, its acquisition policies, preservation and security measures, and circulation system differ dramatically from those of an institution that must serve a larger community over the course of centuries.
Libraries attached to scientific and technical institutes put a premium on currency of information and seldom have the same need for preserving collections indefinitely. The mission statement of the Caltech Library System declares that it “provides library resources and forward-looking information services of the highest quality in a timely, cost-effective manner to support and facilitate the research and educational programs of the Institute” (2000). For libraries such as those at Caltech, licensed access to databases, subscriptions to electronic journals, and heavy reliance on digital information (as opposed to historical literature) mean that robust information technology services may be more vital than the preservation of artifacts.
Just as the mission of a particular library determines the types of collections it builds and maintains, so, too, does mission set the course for creating the framework of controls that is designed to reduce its business risks. The Library’s mission focuses on developing, preserving, and serving its vast collections. The first and fundamental step in identifying the chief risks to any of its collections, therefore, is to understand what threatens its fitness for use. What good would a book be if no one could use it, and what could happen to a book that would render it unusable? It could become embrittled and crumble. It could be misplaced, inadvertently through misshelving or deliberately through theft. It could be incorrectly cataloged and hence be unretrievable. These hazards are well-known to librarians, and much staff work goes toward reducing the chances that any of them will happen. To develop an internal control framework, librarians and their staff must be able to relate their daily activities to the corresponding policies and procedures under which they work. They must understand how the design of those policies and procedures reduces risks to the collections and be able to explain this framework to oversight bodies.
On the basis of its mission, the Library of Congress defined the following as important business risks:
- The risk of not acquiring materials that are critical to the continued development of the research collections that meet the needs of Congress and the research community;
- The risk of failing to make the collections available to users in a timely and appropriate fashion;
- The risk of not preserving the collections from the physical degradation inherent in each of the various media the Library holds, and from deterioration through use; and
- The risk of exposing the items in the collection to theft, mutilation, or accidental loss.
1 The FASAB was developed to standardize financial accounting in the federal government, and has as its coprincipals the secretary of the treasury, the director of the Office of Management and Budget (OMB), and the comptroller general of the United States.
2 These laws include the Chief Financial Officer’s Act of 1990 (CFO Act) and the Government Management Reform Act of 1994 (GMRA). These two acts provide for the preparation and audit of financial statements for executive branch agencies. The OMB prescribes the form and content of the federal financial statements under OMB Bulletin No. 97-01, Form and Content of Agency Financial Statements. The bulletin requires agencies that comply with the CFO Act to follow the accounting standards set forth by the FASAB. As a government entity, the Library adopts all accounting standards set forth by the FASAB and reports its financial statements in accordance with OMB Bulletin No. 97-01.