Risk in trustworthy digital repository audit and certifcation

Abstract

Risk is a foundational concept in digital preservation. While it has been examined from technical, economic, and organizational perspectives, I argue that it is also a social phenomenon. In this study I report on the results from 42 interviews with stakeholders in the Trustworthy Repositories Audit & Certifcation (TRAC) system, and analysis of documents relating to the ISO 16363 standard in order to examine how standard developers, auditors, and repository staf members understand the concept of risk for digital repositories. The results of this research demonstrate that members of these three stakeholder groups identifed risk in the TRAC audit and certifcation process in terms of specifc potential threats or sources of risk, which I have organized into fve main categories: fnance, legal, organizational governance, repository processes, and technical infrastructure. While standard developers, auditors, and repository staf generally shared an understanding of the major sources of potential risk that face digital repositories, they disagreed about whether and how these risks can be mitigated and how mitigation can be proven. Individuals who were more removed from the day-to-day work of the repositories undergoing an audit were more likely to accept well-documented risk identifcation and mitigation strategies as sufcient evidence of trustworthiness, while repository staf were skeptical that documentation was sufcient evidence of risk assessment and mitigation and thus questioned whether this would translate to actual trustworthiness for longterm digital preservation.