Frequently Asked Questions: DRAMBORA

Q1. What is DRAMBORA?

DRAMBORA (Digital Repository Audit Method Based on Risk Assessment) is a self-audit toolkit developed by the Digital Curation Centre (DCC) and DigitalPreservationEurope (DPE) to help guide repository managers along a similar route of analysis to that which an external auditor would use to examine and analyse the work of the repository. Its design is based on the experiences of the DCC audits of digital repositories conducted in 2006.

Q2. What are the benefits of undertaking a self-audit using DRAMBORA?

Completion of the DRAMBORA self-audit process will yield a number of valuable results, facilitating both retrospective reflection and proactive planning for participating organisations. Firstly, organisations will have established a documented self-awareness of their fundamental objectives, and of associated activities and assets. By defining their operational contexts, organisations are well positioned to determine their own assessment parameters as well as verify that their resources are optimally invested and positioned to ensure success. Secondly, organisations will have developed a documented understanding of the risks they face expressed in terms of their likelihood and potential impact. Mapped to organisational aspirations and efforts this will facilitate subsequent organisational development and resource allocation, and offer a quantifiable insight into the contemporary severity of risks faced. Finally, organisations will have defined their chosen means for risk management, determining the appropriate strategies for avoidance, treatment, transfer and tolerance, as well as the mechanics of their implementation. This process, which should be repeated on a regular basis, will provide opportunities to establish and achieve quantifiable targets, facilitating the ongoing development of every aspect of organisational activity.

As well as being a tremendously valuable process in and of itself, self assessment with DRAMBORA is expected to represent a worthwhile precursor to external audit, accreditation, and certification when these services become broadly available. The six stages of self-audit correspond closely to the preparatory work that organisations will be expected to undertake prior to exposure to full audit, and the aggregated insights and documentation will be highly reusable.

Q3. Who should be involved in the self-audit process?

It is generally anticipated that a single individual will take primary responsibility for conducting the self-audit process, although, as mentioned above, it is essential that the organisation as a whole invests and participates in the process. The success of the audit process benefits from the participation in the process of key players within the organisation. The primary auditor assumes responsibility for ensuring that all appropriate contributions from within the organisation are solicited, obtained and appropriately assessed. In order for the process to be internally reliable, and for its outcomes to be regarded as correct and complete, organisations should ensure that their auditors are both appropriately trained and have suitable personal skills.

Q4. What are the personal attributes of an auditor?

ISO 19011 Guidelines for quality and/or environmental management systems auditing offers a good indication of the ideal characteristics an auditor should have and display:

• high ethical standards
• open-mindedness
• diplomacy
• observational aptitude
• perceptiveness
• versatility
• tenaciousness
• decisiveness
• self-reliance

Q5. Where should an auditor be positioned in my organisation?

An ideal auditor will be centrally positioned within an organisation, with influence or responsibilities associated with as many aspects of the repository's business as possible. Breadth of knowledge should be given higher priority than in-depth understanding of specific business objectives or activities. Auditors should occupy a suitably senior role and level of trust within the organisation to facilitate engagement with organisational colleagues, and have access to a comprehensive range of internal documentation. Auditors should be granted a full range of system access privileges during the period of the audit.

Q6. How much effort is required to undertake a self-audit?

It is anticipated that the self-audit process will take approximately 24-30 hours (or, at six hours per day, four to five days). Each individual task is allocated an estimated effort requirement, although, depending upon the scale and scope of repository operations, and the degree of scrutiny with which the assessment is conducted, this may vary, occasionally substantially. In reality, the core activity, the conception and management of an organisational risk register, is something that is never finalised, and requires reassessment over time to ensure its ongoing relevance and applicability. Nevertheless, the initial 'first-run' breakdown might be expressed as follows:

• Stage 1: Identify organisational context
  (approximately 3 hours of effort required)
  The level of detail and granularity of the answers within this stage determines to a significant extent the quality of risk identification and assessment at subsequent stages of the self-audit. Greater investment at this point is likely to contribute to a reduction of the effort required during subsequent stages. Pre-audit effort should be spent aggregating the documentation necessary to complete this stage of the self-audit process, and engaging with repository staff to determine the extent of organisational objectives, activities and, ultimately, risks.
• Stage 2: Document policy and regulatory framework
  (approximately 2-3 hours of effort required)
  The time required to complete this stage will depend on the auditor's general knowledge of the repository's legal and regulatory context, knowledge of and access to contractual agreements, and knowledge of standards that may apply to the repository. The list of all legal, regulatory and contractual obligations and strategic policy documents should be presented with rich details and appropriate references. The primary time investment is expected to go into finding and analysing the documentation and sources to form the list of relevant regulatory requirements. Once these lists are compiled the organisation should undertake to keep them up-to-date, as they will provide a valuable resource for responding to the frameworks in which the organisation exists and will be required for future audits.
• Stage 3: Identify activities, assets and their owners
  (approximately 2-4 hours of effort required)
  The time allocated to this stage should be used to identify the repository's activities and to consider its activities, assets and staff as an interlinked organism. Unless existing and up-to-date business classification schemes and inventories of assets and technology are available, these will have to be created as part of this stage.
  Before starting Stage 3, auditors should:
  • have a general understanding of the organisation and the contexts within which it operate
  • obtain managerial support to undertake the analysis of business activity
  • acquire a list of repository staff and their responsibilities
  • determine whether the organisation has previously analysed and documented its activities and work processes
  If the repository has been analysed for other purposes it may be possible to draw on the results of such work, rather than starting from scratch. Projects that may involve an analysis of activities include:
  • business process re-engineering
  • imaging and work flow automation
  • activity-based costing or management
  • business classification development
  • quality accreditation
  • system implementation
  If the analysis arising from such projects is available, auditors will need to consider how, why and when the projects were undertaken to determine whether their findings are applicable to the audit exercise. Lists, registers or inventories of assets and technology may have been compiled for various purposes during analyses of business, compliance studies, audits or contingency planning exercises. Most organisations maintain an inventory of IT hardware, software and their licenses and of other tangible assets; these may be attainable from relevant sections within the organisation. Before starting moving to the next stage, auditors should engage with appropriate repository colleagues to seek an endorsement of the completeness and correctness of identified activities and assets.
• Stage 4: Identify risks
  (approximately 4-6 hours of effort required)
  The straightforwardness with which risks can be derived will be strongly influenced by the degree of granularity with which the auditor has already defined activities and assets. Risks might be derived more efficiently from a greater number of finely defined activities than from a handful of broadly stated examples. DRAMBORA provides a list of example 'off the shelf' risks from which auditors can choose those that are relevant to their own repository, facilitating and expediting this initial stage of risk register development. During this stage, auditors should solicit suggestions from appropriate repository colleagues of pertinent risks, classified according to their association with particular activities and assets and refer to the results of any risk-assessment exercises that have already been undertaken within the organisation, or to any continuity plans already conceived.
• Stage 5: Assess risks
  (approximately 4 hours of effort required)
  In order to complete this stage, auditors will need access to policy documentation that describes risk avoidance and treatment mechanisms; internally or externally generated documentation that provides an evidence base or justification for probability or potential impact values; relevant external documents and sources, such as legislation, standards, codes of practice; and additional repository personnel with knowledge of risks associated with particular aspects of the repository.
• Stage 6: Manage risks
  (approximately 4 hours of effort required)
  Although the identified risks will determine the number of times the risk mitigation measures have to be considered, the type, severity and ease of treatment of risks have a significant impact on how much effort has to be invested here. Ultimately, the time required to complete this stage depends on how seriously the repository and its senior management are prepared to undertake the risk management exercise. Time spent considering, planning, and deciding how to address the identified risks can only benefit the repository and protect its business activities in the longer term.

Q7. Who has already used DRAMBORA to facilitate a self-audit?

Here is a list of some of the organisations that have successfully undertaken self-assessment audits using DRAMBORA:

• British Library [external], London
• CERN Document Server [external], Switzerland
• Digital Library of Kungliga Biblioteket [external], National Library of Sweden
• Gallica [external], National Library of France
• GeoWeb [external], Marciana Library, Venice
• E-LIS (E-prints in Library and Information Science) [external]
• International Institute for Social History [external], Amsterdam
• Lithuanian Museum of Ethnocosmology [external]
• Ludwig Boltzmann Institute [external] in Linz, Austria
• Michigan-Google Digitization Project (MBooks) [external], University of Michigan
• National Archives of Scotland [external], Edinburgh
• National Library of the Czech Republic [external]
• National Library [external], Florence, Italy
• Netarkivet (Danish Internet Archive) [external]
• U.S. Geological Survey (USGS) [external]

Q8. Where can I learn more about DRAMBORA and download the toolkit?

To learn more about the subject area as well as more details about the team that the DCC/DPE has assembled, its proposed methodology for conducting audits and the anticipated outputs of the process, see: An Approach to Audit and Certification [external PDF, 67KB]

If you are interested in carrying out a self-audit using DRAMBORA, the toolkit can be downloaded from http://www.repositoryaudit.eu/.