From Concept to Reference Model and Risk Assessment with CHARM
by Maureen Pennock
Published on Sep 07, 2024
Scaling Up Knowledge of Digital Preservation Risk
Abstract – Risk is a frequently used term in digital preservation, though the literature and solutions of the field often portray and describe risk in different ways. CHARM addresses this with a new, comprehensive reference model and corresponding vocabulary for the digital preservation risk domain. Inspired by risk science, a signature feature of CHARM is its applied distinction between conceptual and characterized digital preservation risk. CHARM establishes a conceptual definition of digital preservation risk built around a purposeful definition of digital preservation as a goal and value-based endeavour, then deconstructs this to develop a cascading and logical series of abstract models for the whole digital preservation risk domain.
This paper introduces the methodology through which CHARM was developed, presents and explains some of the key CHARM models, and discusses some of the methods through which CHARM can support scoped yet holistic risk identification and risk assessment exercises. This holistic, domain-level solution represents a significant 'scaling up' of our disciplinary understanding of digital preservation risk.
This paper was submitted for the iPRES2024 conference on March 17, 2024 and reviewed by Inge Hofsink, Andrea Goethals, Micky Lindlar, Dr. Stephen Abrams and 1 anonymous reviewer. The paper was accepted with reviewer suggestions on May 6, 2024 by co-chairs Heather Moulaison-Sandy (University of Missouri), Jean-Yves Le Meur (CERN) and Julie M. Birkholz (Ghent University & KBR) on behalf of the iPRES2024 Program Committee.
Introduction
Risk is a recurring theme in digital preservation literature, from the early days of the field in the 80’s and 90’s up to the present day. References, problems, and solutions to the problem of digital preservation risk are prolific across the field, exploring everything from risks associated with specific content types, to format-based risks, metadata risks, legal risks, system risks, financial risks, and more… the list is extensive. As an applied and solutions-driven field, several frameworks have been developed to support the exploration, identification, and assessment of these various risks. From format assessment frameworks to collection-level risk assessments and repository audit and assessment tools, the solution space is now remarkably well populated.
There is, however, a significant degree of inconsistency across the field when it comes to the detail of digital preservation risk. Analysis of the literature and solution space reveals that the field has yet to settle on a vocabulary for describing digital preservation risk [1]. Works often make frequent reference to risk but without clearly defining it, either in the context of digital preservation or at all. Associated terms such as threat and vulnerability are often used interchangeably with risk, even within a single document and certainly differently by different authors. Related terms such as risk source and risk factor, and other variations thereof, also appear frequently yet without clear definition, and are applied differently in solutions to describe different aspects of risk. Metrics and measures vary similarly, even across frameworks of the same type (such as format assessments). Whilst these solutions all have clear value as standalone pieces of work, it is not clear how they relate to or build upon each other or why such terminological differences are needed. Moreover, the underlying risk model and risk relationships in – and across – frameworks are often unclear, both conceptually and structurally. In short, our model and vocabulary for understanding the complex relationships in digital preservation risk is uncertain.
This causes many problems: if risk is not well understood then it is very difficult to manage, particularly holistically and at scale. Moreover, if not well understood by those responsible for managing it, it is even more difficult to convincingly communicate to other audiences. This poses a particular challenge in an institutional setting, where those responsible for digital preservation risk must effectively position it alongside other types of institutional risk, often with competing priorities. Lack of clarity also makes it challenging to establish acceptable levels of risk, especially from a holistic perspective. It is impossible to completely eliminate risk, but it should wherever possible be controlled so it remains within institutional tolerance levels. How can this be consistently achieved, when it is so inconsistently understood?
The realization of this situation led to a research project on the nature and complexity of digital preservation risk. This was conducted at the British Library as a practice-based PhD that concluded in mid-October 2023. It was designed to establish a thorough overview and model of digital preservation risk that could be used to support holistic digital preservation risk assessments, for integration into an institutional enterprise risk management framework. This paper distills the salient design aspects of the research into a single paper, providing a short introduction to the work for dissemination and engagement with the wider digital preservation community.
Methodology
The research methodology drew heavily on two lesser-known fields for many digital preservation professionals: design science and risk science.
Design Science Research (DSR) represents a pragmatic approach for real-world problem solving, characterised by a blend of knowledge, creativity, innovation, scientific rigour, and practicality [2], [3], [4]. DSR methodologies are inherently iterative, bouncing between problem and solution space until both are sufficiently well understood that the knowledge generated through this process can be represented in one or more usable artefacts. March and Smith (1995) outline four main types of artefacts in design science research: constructs (i.e. a vocabulary), models, methods, and instantiations (or implementations) [5]. A fifth artefact type has also gained ground in more recent years: theory [6], [7]. Unlike in the natural sciences, where theory answers the question of ‘why’ something is as it is, theory in design science is more akin to a ‘how’ question, i.e. ‘how’ might a problem be solved in a way that delivers a usable solution. The utility of the solution or artefacts is a driving principle in design science research: the goal is not to deliver the ‘best’ or most accurate solution, but one which meets the task at hand.
Risk science is an emergent field of thinking evolved from risk analysis that seeks to provide a systematic and objective understanding of risks through the development and application of models and methods for assessing and predicting risks. It represents development of the epistemically most warranted and contemporary knowledge on risk concepts, assessment, communication, and management [8], [9]. Generic (or basic) risk science develops ‘concepts, principles, approaches, methods, and models for understanding, assessing, characterising, communicating, managing, and governing risk’, whilst applied risk science is focused on more specific scenarios and activities, often from an interdisciplinary perspective [10]. Both generic and applied risk science can exist in a risk research endeavour.
The nascent theory underpinning this research was that risk science could offer new insights into ways to think about digital preservation risk, particularly in terms of conceptualisation, characterisation, and communication. The research was progressed through an implementation of the Design Science Research Methodology (DSRP) [11]. DSRP is an iterative though nominally sequential problem-solving process model that was used to develop three related DSR artefact types: the construct and model – incorporated into the CHARM Reference Model document – and the methods – developed to demonstrate the utility of the model and presented in an accompanying ‘How-To’ Guide [12], [13].1
Initial requirements for the research were developed through a review of the literature and the existing problem/solution space. This identified several issues that the research sought to address, particularly with regards to terminology, flexibility, utility, reusability, and modelling.2 The research itself took an open-ended, investigative and iterative approach to identify, design, test, and refine possible solutions. There were three main developmental phases to this, each demarcated by ‘break points’ when limitations of a given approach were realised or reached.
The first phase aimed to identify the major potential risks that might be associated with the main functional entities in the Open Archival Information System [14]. These highlighted the need for a deeper initial conceptual understanding of digital preservation risk. The second phase used a risk science approach to address this, introducing risk-related concepts such as target values and risk sources, and applying these across what was known of the risk landscape from practitioner-derived experience. Whilst sound in theory, the resulting outputs revealed a deeper conceptual understanding of risk was still required to ensure structural consistency between described risks. The third phase addressed this with a more thorough deconstruction of the risk source concept, leading to the risk source concept model described later in this paper. This was subsequently applied across the domain and populated with suitably consistent values. Iterative testing and refinement of all three artefact types ensured consistency and overall utility. This deep conceptual analysis underpinned the structured development of CHARM to establish a logical, improved and holistic understanding of digital preservation risk.
Conceptual Beginnings: What is ‘Risk’?
The way in which a risk is described invariably influences how it is assessed, understood, and mitigated [15]. The global standard on risk management ISO 2009 defines risk simply as the ‘effect of uncertainty on objectives’, whereby an effect is a deviation from what is otherwise expected, either positive or negative [16]. This definition reflects a generic and broadly accepted description of risk. A vague definition of risk can however pose challenges for informed and targeted decision-making. Hansson [17] observes that precise terminology affords a greater and more granular understanding of risk and any associated nuance. In addition, Ylönen and Aven [18] propose that ‘much of the confusion […] concerning risk can be tracked back to the concept of risk being mixed with its measurement or characterisation’. They argue for a distinction between the conceptualisation of risk – representing one or more abstract principles – and the characterisation of risk – relating to descriptions and measurements against which judgements are made. This precise and two-tiered understanding of risk marks the significant risk science beginnings of CHARM.
Risk science offers a structure for contextualising the concept of risk specifically in relation to planned objectives or values, through an applied approach developed to clarify the conceptual meaning of ‘supply chain risk’ in a way that can support lower-level quantification and modelling [19]. That example can be abstracted into a structure whereby risk is conceptualised as the potential loss in a given context in terms of its target values, evoked by uncertain developments and triggering events. This approach explicitly associates risk with negative outcomes and identifies three essential components of a risk definition that can move it from representing a wholly abstract concept to a meaningfully contextualised concept: an undesirable outcome (the potential loss in a given context), the target values against which the outcome is measured (contextual stated target values), and the potential causes of that outcome (uncertain developments and triggering events). This structure forms the basis of the approach applied in CHARM to develop a contextualised conceptual definition of digital preservation risk and establish high level reference points for the subsequent model.
Defining Digital Preservation Risk
A contextualised understanding of digital preservation risk first requires clarity on the function and purpose of digital preservation – in other words, a clear definition of digital preservation itself. This functions as a stable foundation and a scoping mechanism with which to subsequently establish meaningful and justifiable digital preservation risk parameters.
Many variations of definitions of digital preservation exist in the literature of the field, featuring a number of recurring concepts and themes. These include the importance of access, acknowledging that preservation is a means to this end rather than an end in and of itself, and authenticity, ensuring that items are reliable and unchanged in any meaningful sense so that they can be confidently and reliably re-used [20], [21], [22], [23], [24]. Others make clear that preservation incorporates many different types of activities and processes [20], [23], [25], [26], addressed through an ongoing activity [27], [28], [29]. This reflects the so-called ‘moving target’ of digital preservation [30] and the unavoidable fact that the environments in which most digital resources are managed and preserved are in a near constant state of change. CHARM incorporates these various objectives, themes and concepts into a single defining statement:
Digital Preservation is the series of coordinated organisational and technological activities undertaken in an organisation throughout the lifecycle to ensure its digital content is retrievable, authentic, has integrity, and is accessible over time for current and future users.
This definition clearly identifies the goals and target values of a digital preservation endeavour, framed within the setting of a managed and organised environment. From a process perspective, it makes clear that digital preservation is an ongoing and coordinated series of activities throughout the lifecycle and over time, both technological and organisational. From a focus perspective, it makes clear that digital content is at the heart of the endeavour – it is the core around which the framework of activities is built. Finally, from an outcome perspective, it makes clear the expectations, purpose, and goals of the endeavour through high-level capabilities and properties: retrievability, authenticity, accessibility, integrity, and an expectation that these are maintained over time. Most importantly however for the purposes of this research, it provides the reference points against which to develop a contextualised understanding of the concept of digital preservation risk. By applying the structure developed by Heckmann et al to this definition of digital preservation, we can establish a meaningful, logical, and useful conceptual definition of digital preservation risk:
Digital Preservation Risk is the potential for complete or partial loss of digital collection content in terms of its target values of retrievability, authenticity, integrity, accessibility, and longevity, arising from sub-optimised risk sources within the managed organisational and technological environment in which the content should otherwise be preserved.
This definition changes the concept of risk in digital preservation from predominantly abstract to meaningfully contextualised, precisely scoping the overall problem area and its most meaningful constructs. It maps to all three components of the risk structure suggested by Heckmann et al [19]: a) the undesirable outcome <complete or partial loss of digital collection content>, b) the target values against which that is assessed <retrievability, authenticity, integrity, accessibility and longevity>, and c) the potential causes of a negative outcome <sub-optimised risk sources in the managed organisational and technological environment, within which the content should otherwise be preserved>. It illustrates well Hansson’s observation [17] that precise terminology can improve the overall understanding of risk, and effectively provides greater clarity and direction on the concept of digital preservation risk to experts and non-experts alike.
CHARM illustrates this definition through a conceptual relationship model, as seen in fig 1, below.
In this model, digital content is managed within organisational and technological infrastructures, which together represent the managed environment. All three of these entities contain risk sources, which threaten an organisation’s ability to achieve its preservation objective. The preservation objective is represented by target values that are associated with the digital content, as held within the managed environment.
CHARM then uses these concepts as reference points against which to explore different aspects of digital preservation risk in more detail, represented through a series of further models. Two of these, the Risk Source Model, and the Digital Preservation Risk Source Model, are briefly presented in the following section to illustrate the logical structure and key conceptual relationships that underpin CHARM.3
The CHARM Risk Source Concept Model
Risk Source is a foundational yet complex concept in digital preservation risk and central to the CHARM Reference Model. References to sources of risk frequently occur in digital preservation literature, though the term ‘risk source’ itself is neither widely used nor often defined. The literature of the risk science and risk analysis field is more forthcoming. The term ‘risk source’ is defined for example by the Society for Risk Analysis (SRA) as an ‘element (action, sub-activity, component, system, event, etc.) which alone or in combination with other elements has the potential to give rise to some specified consequences (typically undesirable consequences)’ [31], whilst the ISO family of risk management standards uses a similar phrasing, defining a risk source as an ‘element which alone or in combination has the intrinsic potential to give rise to risk’ [16]. CHARM draws on these to define a Risk Source as a changeable element in the digital preservation environment that alone or in combination with others has the intrinsic potential to give rise to a negative outcome. This ‘potential’ for a negative outcome from a risk source suggests however that a risk source alone does not necessarily result in a risk: it must be affected in some way so as to produce a negative outcome.
As change over time is inevitable, most elements of the environment (including digital content) can be considered to be risk sources. In attempting to analyse the overall risk source space of the domain, this research found that the risk source concept could be usefully deconstructed into a series of related constructs that collectively function as a mapping structure for the domain. They are represented in the Risk Source Concept Model as Risk Originating Entities, Risk Source Classes, Risk Source Instances and Instance Types, and Risk Factors. The relationship between each of these entities is expressed in a simple, abstract risk source concept model (fig 2).
In this abstract state, the Risk Source Concept Model represents a potential reference structure and generic risk science approach to modelling domain-level risk, regardless of context. From a more practical perspective - and specifically for the purposes of this research - it establishes the main conceptual and logical entities subsequently used in the CHARM Digital Preservation Risk Source Model and their relationships.
Risk Originating Entities are the top-level entity in the model. These represent distinct areas of risk sources within a domain that may lead to a negative outcome if not suitably managed. Each Risk Originating Entity is associated with a family of Risk Source Classes, Instance Types, Instances and Risk Factors.
A Risk Source Class is a conceptual grouping of similar risk source Instances, whilst a Risk Source Instance is a specific manifestation of a risk source. Instances are highly contextual and there may be many hundreds of potential instances in a given setting. The model therefore represents these as abstract Risk Source Instance Types.
All instance types and instances in a given class share the same set of Risk Factors. The term ‘risk factor’ is used in several digital preservation risk frameworks to describe different aspects of risk though often without definition [32], [33], [34], [35], [36]. CHARM uses the term Risk Factor to specify a more precise indicator of the changeable uncertainty associated with an instance of a risk source than the instance alone. A Risk Factor is thus understood as a variable property of a risk source that can be optimised to reduce uncertainty and the likelihood or impact of a negative outcome.
Table 1: Risk Family Concept Definitions
Risk Originating Entity: An aspect of the operational digital preservation environment that contains risk sources.
Risk Source: A changeable element in the digital preservation environment that alone or in combination with others has the intrinsic potential to give rise to a negative outcome.
Risk Factor: A variable property of a risk source that can be optimised to reduce uncertainty and the likelihood or impact of a negative outcome.
Risk Source Class: A conceptual grouping of similar risk sources.
Risk Source Instance: An individual instance of a risk source.
Risk Source Instance Type: Different types of risk sources within a given class.
The relationships between each of these entities as subsequently applied in an abstract domain model are illustrated in figure 3, below.
This structure was applied to the domain and populated with meaningful values, with the resulting models tested for consistency and utility in an iterative review process. The output from this activity is the CHARM Digital Preservation Risk Source Model.
The CHARM Digital Preservation Risk Source Model
CHARM blends the key entities from its definition of digital preservation risk with those in the risk source concept model to develop the underlying structure of the CHARM Digital Preservation Risk Source Model. Populated, this represents a domain-level abstract mapping of digital preservation risk sources. In the model, Risk Originating Entities are individuated and each associated with a family of logical entities including Risk Source Classes, Instance Types, and Risk Factors.
There are three Risk Originating Entities, in line with the definition of digital preservation risk above:
‘Digital Content’ is at the heart of the preservation endeavour. It is intangible: as such, it does not exist until meaningfully accessed by an end user. In practice, the Digital Content entity always has an explicit and direct dependency on both other risk originating entities, as these represent the context in which preservation is implemented.
‘Organisational Infrastructure’ represents the organisational environment in which a managed digital preservation service occurs. This includes the ‘3 P’s’ of People, Policies and Processes as well as areas such as governance, finance, strategic planning, mandates, and legal affairs. Digital content has value within an organisational infrastructure, which also provides the mandate and justification for the continuance of preservation activities.
‘Technological Infrastructure’ refers to the technological environment in which digital content is acquired, managed, and preserved, and from which it is made accessible. This includes areas such as hardware and software environments used by business functions (both in-house and outsourced), cyber security, systems support and admin, networks, and managed services. Digital content is managed within the technological infrastructure, which provides and maintains the systems, networks and processes required to support its ongoing preservation and access.
These entities are drawn from the definition of digital preservation risk but are also broadly consistent with those used by other digital preservation assessment frameworks to distinguish between different aspects of an institutional environment [37], [38].
Each Risk Originating Entity contains several Risk Source Classes (i.e. conceptual groupings of similar types of risk sources). As seen in figure 4, CHARM identifies thirteen classes of risk source in total, dispersed across the three risk originating entities:
• The Organisational Infrastructure Entity contains six classes of risk source: Strategy, Legal, Policy, People, Budget, and Processes/Workflows.
• The Technological Infrastructure Entity contains five classes of risk source: Rendering Software, System Software, Physical Hardware, Network, and Processes/Workflows (shared with Organisational Infrastructure).
• The Digital Content Entity contains three classes of risk source: Content File(s), Metadata, and Storage Media.
Each class is also associated with a set of defined Risk Source Instance Types and a set of shared Risk Factors. Instance Types in the model broadly represent all main types of sources associated with a given class. They are intended to be indicative rather than exhaustive, in line with the design principle of utility over absolute truth. Instance types for the Strategy class, for example, include corporate strategy, functional strategy, and departmental strategy. Instance types for the System Software class, on the other hand, include operating systems, management systems, utility programs, virtual machines, firmware, and tools, whilst those for the Metadata class include technical metadata, administrative metadata, and descriptive metadata.
Acknowledging the variable context within which each may sit, and in order to remain universally relevant despite those variations in context, CHARM does not associate each Instance Type with a definitive list of Instances. The textual descriptions in CHARM that accompany each Risk Source Class instead provide insight into what specific instances might look like. The same approach is taken with Risk Factors, which may be either causal or reflective depending on the context and perspective in which a risk source is presented. To illustrate this, figure 5 contains the descriptive CHARM entry for the Network class, associated with the Risk Originating Entity of Technological Infrastructure, whilst figure 6 provides an example of a corresponding graphical entry, based on the System Software class.
CHARM applies this class/factor/instance structure across all three risk originating entities to develop a consistently structured, domain level, abstract model of risk sources for digital preservation.
A degree of duplication or redundancy exists within the model in its representation of similar risks across different entities: cyber security for example is referenced not only in association with networks (factor: security), but also system software (instance type: utility programmes; factor: configuration), and content files (factor: malware). Similarly, storage is associated with digital content (class: storage media), and also physical hardware (instance type: storage devices), with relevant factors for both including Condition, Quality, and Location. This duplication is purposeful, for whilst CHARM does not assume any one perspective or implementation, a single event or outcome can be triggered from multiple different sources. Different paths can therefore lead to similar risks, though not all will be relevant across all different scenarios.
The model also has other limitations. For example, it does not attempt to directly map relationships between different classes of risk sources or between risk factors themselves, as these are typically less abstract in nature and more situational. This would imply a certain implementation, which is inconsistent with the reference model approach. In the same manner, the model does not attempt to map the range of consequences that can be associated with risk entities. These are also situational and variable, depending on the wider context in which a risk manifests and the framing of the factor as either causal or reflective. Consequences are associated instead with a different CHARM model for characterising specific risks.
Using CHARM
A number of methods for using CHARM were devised as part of the research. These supported formative evaluation during the design process to test the utility of CHARM, though also served as re-usable methods for use of CHARM in real world risk identification and assessment scenarios. Methods are a critical component through which to encourage and enable consistent re-use of digital preservation models and frameworks by the wider community [39]. These methods have therefore been released alongside CHARM as an additional design science artefact in the form of the CHARM How-To Guide [13]. As a reference model, CHARM does not prescribe any particular implementation: institutions are free to use it as they see fit. The three methods developed during the course of the research are nonetheless summarised here to encourage wider reflection and as indicative means through which CHARM might be used in practice.
The first two methods focus on risk identification. Method One is a simple process that uses the model as the basis of an exploratory conversation about risk. This method is most suitable for experienced practitioners or assessors, especially those who need to engage with a wide range of stakeholders as part of the risk identification process. Method Two is a question-based framework that is particularly useful to anyone using the model for the first time, as well as assessors who welcome a structured interpretation to guide them through a comprehensive review. Both methods can be used to identify areas of potential risk that require exploration and assessment, without prescribing the form that subsequent assessment may take.
The third method builds on the outputs of methods one or two and develops them into a full qualitative risk assessment process. Compatible with the risk management standard ISO 31000 [40], it supports not just risk identification but also risk analysis and evaluation. A spreadsheet template is provided to support this process. The model helps to ensure that all potential risk sources can be considered in the assessment and no significant stone is left unturned, whilst the spreadsheet helps ensure that assessments are appropriately scoped, that risks are consistently framed and measured, and that potential impacts on preservation objectives and target values are made clear.
Meaningful and comprehensive risk assessments take time to produce, though a thorough review is essential to generate meaningful, useful insight. The assessment process itself typically requires in-depth knowledge of the subject and scope under investigation. Whilst it can be led by a single person, it is recommended that input is sought from a wider team of stakeholders who have broad or particular knowledge relevant to the designated scope and context. Each of the methods presented here is designed for coordination from a knowledgeable digital preservation practitioner, ideally one with some wider knowledge or experience of risk assessments and with input elicited from relevant stakeholders as appropriate to the designated scope. This wider input also provides a degree of assurance and peer review, which is particularly important for qualitative methods such as those presented here.
Method One
This method represents a lightweight, communication-based process, using the CHARM Digital Preservation Risk Source Model as its focal point. It is designed to engage stakeholders in an exploratory discussion of potential sources of risk, supporting the Identification stage of the ISO 31000 Risk Assessment Process. It has four main steps: define scope and context; identify stakeholders; discuss model and context to identify potential risks; collate outputs. It is a loosely defined and flexible method that can be easily tailored to the needs of an individual assessor or scenario.
The goal of this method is to identify broad areas of concern in a given scenario, drawn from the wider potential risk landscape identified in the digital preservation risk source model. The method is well-suited to those with a good understanding of the model, who can independently guide a discussion on risk without requiring an explanation of each risk source and factor. It can also function as a standalone method to explore and identify risks in organisations where a full ISO 31000 risk management and assessment process is not appropriate or required, for example where other structured processes are already in place.
Method Two
The second method translates the Digital Preservation Risk Source Model into a series of structured questions about each class of risk source and risk factor, so that assessors can consider whether any risks are associated with each class and factor for a pre-defined and well-scoped scenario of their choice. In essence, it functions as a translated form and alternative representation of the model. A template is available for this method: the CHARM Risk Identification Framework (RIF) [41].
In the RIF, each class and factor is translated into a question, accompanied by an explanation to help clarify the purpose of the question and its relevance to digital preservation target values. The questions are consistently framed so that ‘yes’ is an indication of a low or negligible risk, whilst ‘no’ or ‘unsure’ indicates a likelihood of higher risk that needs investigation. For example:
Class: Digital Content
Factor: Completeness
Question: Do the files contain all of the intellectual content to which you expect to provide access?
Justification: Rendered objects can sometimes display or use information held externally, linked from the content files. If this additional information is important but not available then the authenticity of the rendered objects can be affected.
Table 2: Extract from the RIF Framework
Each question in the full template has space in which to record notes about relevant instances for which there is a cause for concern.
As with method one, the RIF primarily supports the Identification stage of the risk assessment process. It is well suited to assessors with little prior knowledge or experience of the model, though still requires some domain-level digital preservation knowledge in order to understand and apply the questions to a given scenario. There are forty-four questions in total, though the amount of time taken to complete an assessment will vary according to the scope of the assessment, the knowledge of the assessment team, and the ease with which reliable information is available to answer each question. The output from the process should be a completed document with sufficient information to inform the next steps. Should the likely risks indicate the need for a full assessment process, method three may be initiated.
Method Three
Method Three integrates the outputs of Methods One or Two into a full risk assessment process with individual risks consistently described, analysed, and evaluated. It is a qualitative method that guides assessors to first define the scope and context of a risk assessment, then produce, characterise, analyse and evaluate individual risk statements relevant to their scenario. This method uses standard risk management concepts and structures familiar to many organisations operating enterprise-level risk management programmes, including risk appetites and risk matrices.
A template has been designed for use with this method: the CHARM Risk Assessment Spreadsheet (RAS) [42]. The spreadsheet has three tabs, each holding different information. Tab One contains scoping information, whilst data about the assessment itself is mainly held in Tab Two, where risks are identified, characterised, analysed, and scored using a consistent structure. Tab Three includes a copy of the risk matrix to support scoring and evaluation of risks. Risk matrices require assessors to identify a) the impact of a risk manifesting and b) the likelihood that it will occur, using descriptions and values from a predetermined scale. There are different methods through which to generate initial scores for likelihood and consequence, both qualitative and quantitative. This method uses a qualitative scoring approach and is straightforward to learn though inevitably subjective. The subjectivity can be countered to a degree by, for example, ensuring assessors are experienced and knowledgeable about their field, integrating a process of peer review, and incorporating evidence-based judgements where available.
CONCLUSION
This paper has demonstrated how CHARM represents a new way to think about digital preservation risk. Through the analysis of key concepts and constructs associated with both risk and digital preservation, CHARM not only establishes a contextualised conceptual definition of digital preservation risk but also reveals and populates a structure for logically mapping digital preservation risk at a domain level that can inform the production of subsequent risk assessments. By mapping the whole domain in this way and justifying all of the entities within it, including a definition of the goals and objectives of digital preservation itself, as well as providing methods with which to understand that map in situ, the research addresses what was otherwise a gap in our disciplinary knowledge about digital preservation risk. This logical yet abstract approach to modelling results in a newly cohesive, consistent and comprehensive understanding of digital preservation risk. The initial analysis of other solutions to inform the direction for CHARM ensures that it learns lessons from other solutions in this space and builds on them to make a clear new contribution to the field. In addition, the abstract risk source model makes a new contribution to generic risk science as a reusable structure for risk source modelling at a domain level.
Risk modelling alone does not, however, mitigate risk, nor does risk assessment: only through effective risk management can risks be mitigated. End-to-end risk management is the next step in a solution model but the complexities and challenges of achieving this should not be under-estimated. The scope of CHARM goes some way to demonstrate the exceptionally broad and numerous range of potential risks in a digital preservation setting. One chink in the armour may be all it takes to introduce vulnerability. Many institutions - particularly those operating at scale - will find a range of actors, stakeholders or other roles have a significant degree of ownership over potentially significant areas of digital preservation risk. Nonetheless, this simply underscores the importance of a holistic and institutionally integrated approach to communicating and managing digital preservation risk. It is unrealistic to expect that everything will always be perfect. Risks are not wholly avoidable and it is inevitable that sometimes they will manifest, with varying impacts. It is therefore not only our understanding of risk, but also our ability to anticipate, minimise and recover from such manifestations that will truly ensure longevity over time.
As a reference model, CHARM offers a landscape and domain-level overview of digital preservation risk. As a construct, it offers a standard vocabulary for describing different aspects of digital preservation risk. As a series of methods, it offers and suggests processes to support identification and assessment of risks. Testing of all three aspects during the course of the research validated the approach taken and confirmed its utility. With the conclusion of the primary research project, the Library is now exploring additional ways to use CHARM in addition to the RIF and RAS processes developed during the research. These include, for example, the potential for targeted assessment exercises to inform prioritisation of technology projects, and a structured and regular risk register that also informs other technology risk assessments similar to those delivered by regular Penetration Testing. Engagement with the wider digital preservation community is also sought for practical feedback that might further improve the artefacts and enable their broader use. Community feedback on the vocabulary might, for example, help identify terms that are understood differently by different user groups or additional terms for inclusion in the glossary. Wider implementation of the methods will test and highlight potential challenges in translating the abstract concepts in the model to situational, characterised risks. Such wider use, engagement, and direct feedback will help shape CHARM as a valuable community resource going forwards.
ACKNOWLEDGMENTS
Thanks go to my research supervisors, in particular to Nancy Y McGovern for her critical insight during the shaping of the model. Thanks also to colleagues across the British Library for their formative feedback during the course of the research.