Jump to content
  • Documentation and Records

    Nadine Cranenburgh


    Documents and records are fundamental for managing risk, safety, and quality.  Even with digital advancement and the migration of records to an online environment, managers, risk practitioners and engineers still need to decide the extent of the documentation and records required to manage risk and collect enough information to support the organisation's level of risk appetite.  Should things go wrong, conflict is almost always resolved through documentation.

    The documentation suite in most workplaces can be likened to a swamp. It contains a lot of good information, but it can be murky, making it hard to find what you need. Instead, risk managers should aim for a crystal-clear lake, where you can see right to the bottom, and everything is in its place.


    The risk management basics page outlines a framework for building a risk management solution. The framework includes six components:

    1. Governance structure
    2. Defined risk appetite
    3. Risk based management planning
    4. Risk control systems
    5. Risk based assurance
    6. Risk culture

    Each of these components has enabling tools attached to it, such as:

    • leadership structure (i.e. organisation chart)
    • risk appetite statement (i.e. policy or vision)
    • risk matrices / heat maps
    • documented risk tolerances, thresholds & limits (i.e. plans or procedures)
    • strategic, business, project management, and risk management plans
    • assurance frameworks, standards, and plans.

    Other tools used in risk management include: 

    • risk registers, 
    • bow-tie analyses,
    • layer-of-protection analyses
    • control effectiveness studies.

    These enabling tools are, by their nature, documents and records.  


    Documents and records are differentiated by their purpose. Documents (which can be hardcopy or electronic) are typically plans, procedures, or contracts, which in effect tell a person what to do. Documents provide guidance if there is a misunderstanding about what is supposed to be done.

    Records (which can also be paper-based or electronic), are typically reports, checklists, certificates, registers, or spreadsheets which tell a person what has been done.  Records are often the evidentiary output that is relied upon if there is a dispute or misunderstanding about what happened.

    Effective risk management solutions require both documents and records.


    Access to computers and electronic devices has made document and record creation a simple task. However, this can mean that there is little preamble or thought about whether the document or record should be created in the first place.

    For each document and record, the aspects listed below should be considered and written down, so that there is a common understanding of why the effort needs to be expended in writing and maintaining the document or record:

    • purpose
    • audience
    • level of detail and/or accuracy required
    • length and structure
    • history and source of input information
    • lifecycle (inputs, outputs, usage and storage
    • approval requirements

    Where the aspects above are unknown, unclear, or disputed, the value of the document or record should be reconsidered, as should the need to create it in the first place.

    Design process

    Designing a suite of documents and records for risk management includes the following steps:

    1. Define the entire suite of documents and records, before writing any of them
    2. List the plans, procedures, reports, registers and tools that will be used
    3. Design with the reader or user in mind
    4. Layout the content of each document or record in a logical flow for the reader. The design determines if it is worth reading or using
    5. Declutter the content
    6. Be very sure about the audience of the document or record, and what they will use it for. Be sure of what it needs to do, and stick to that; nothing more, nothing less.
    7. Deliver for approval, or address the question: “done, then what?” 
    8. Understand what approvals are needed and how long they will take
    9. Determine the review process, and advise the reviewer or approver of any relevant guidelines that need to be consulted
    10. Decide what happens to the document or record after approval.


    The content on this page was based primarily on the following sources:

    • Material provided by Susan Jaques, Sage Consulting Solutions

    Edited by Nadine Cranenburgh

    User Feedback

    Recommended Comments

    There are no comments to display.

    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...