"Risk in Trustworthy Digital Repository Audit and Certification."
Abstract
Risk is a foundational concept in digital preservation. While it has been examined from technical, economic, and organizational perspectives, I argue that it is also a social phenomenon. In this study I report on the results from 42 interviews with stakeholders in the Trustworthy Repositories Audit & Certification (TRAC) system, and analysis of documents relating to the ISO 16363 standard in order to examine how standard developers, auditors, and repository staff members understand the concept of risk for digital repositories. The results of this research demonstrate that members of these three stakeholder groups identified risk in the TRAC audit and certification process in terms of specific potential threats or sources of risk, which I have organized into five main categories: finance, legal, organizational governance, repository processes, and technical infrastructure. While standard developers, auditors, and repository staff generally shared an understanding of the major sources of potential risk that face digital repositories, they disagreed about whether and how these risks can be mitigated and how mitigation can be proven. Individuals who were more removed from the day-to-day work of the repositories undergoing an audit were more likely to accept well-documented risk identification and mitigation strategies as sufficient evidence of trustworthiness, while repository staff were skeptical that documentation was sufficient evidence of risk assessment and mitigation and thus questioned whether this would translate to actual trustworthiness for long-term digital preservation.