Hi. I'm trying to decide whether Risk Assessments and Risk Treatment Plans would be considered documents or records. In other words, should they be version controlled? Or should they have specific record retention periods?
Please note that documents describe rules to be followed and/or actions to be performed, whereas records evidence actions performed and/or results achieved. Additionally, documents can be updated, while records cannot (at most they can be complemented, i.e., new information can be added, but the original information cannot be changed).
Considering that, Risk Assessments are records (they evidence that risk assessment was performed and the assessed risks), as well as Risk Treatment Plans (they evidence which actions were performed to treat risks and achieved results). Since records cannot be updated, it only makes sense to apply version control on them if they can be complemented (in this case the information for version control can be the date of the last included complement). However, they need to have ways to be uniquely identified.
As records, they indeed need to have specific retention time, based on business and legal requirements.
This article will provide you a further explanation about record management: