Future Proof – Protecting our digital future

photo credit: verlaciudad

Last week State Records ran a half day workshop, Managing recordkeeping risk in business systems. We had a fantastic group of participants who really engaged with the topic and brought a whole range of valuable experience to the discussion.

The workshop was developed to support implementation of State Records’s Standard on digital recordkeeping. It’s intended to help organisations manage the risks associated with the move to the digital business environment.

The move to digital business operations makes strategic, operational and business sense and therefore must be supported. But real business risks arise when the need for recordkeeping is not considered as part of the business system design and implementation process. Unfortunately, it often happens that recordkeeping is not adequately considered and is also not native functionality in these systems, and real risks do arise as a result.

Business systems and recordkeeping systems are often completely different beasts

A key issue discussed at the workshop was how diametrically opposed business and recordkeeping systems can be in terms of their intent and structure.

Business systems are designed to maintain dynamic business data, that is updated and current. Recordkeeping systems are designed around the concept of fixed, read-only, point-in-time data. Records are designed to show you what happened when. This can be a challenge for dynamic business systems.

Business systems are also designed to be lean and efficient. Non redundancy is important to speed, efficiency and the ability to perform large-scale transactions and so the same data is not captured in multiple locations. Data objects are often captured just once with pointers or links to the different points in the system where they have meaning. Often too inputs to processes are captured but not the outcomes or outputs of these processes, with the assumption being that you can recreate a process if required, rather than store each specific output.

Recordkeeping systems on the other hand, are all about redundancy. It comes from the evidential and though-time perspectives of these systems. You make and keep a record so that you can know what happened when. You want specifics and you want detail and you want fixity. With the through-time perspective, you also don’t want to be managing multiple links to related objects. If one of these objects changes in the system – for example if a person leaves an organisation or if a classification tool is updated – then all the links between this data object and related record objects are likely to all be lost. Suddenly evidential and through time requirements are lost.

Business systems are also designed to serve immediate business needs. They are implemented to do things now. Recordkeeping systems are built with the potential to also do things in the future. Business systems are very good for point of capture metadata requirements that document the immediate here and now. But they often fall down in their capacity to document subsequent process, on their ability to capture information about what might go on from a management perspective in the future. So, again from an evidential perspective, recordkeeping systems are designed to maintain evidence of how business information was both created and managed. Who set the security rules, who decided how long it should be kept, what was their authority for this decision, who transferred it to another organisation and what was their rationale for doing so? All of this longer-term, management metadata is necessary for accountability but assessment is showing that it’s not likely to be present in a system designed to serve immediate business purposes.

It needs to be all about the risk

The Standard on digital recordkeeping takes a risk-based approach to improving recordkeeping in business systems. It says in areas that are identified as high risk areas, or aspects of your business that really need to be supported by good and accountable records, you need to make sure your business systems can also operate as recordkeeping systems. So this is what the workshop talked through. How do you do this, how do you explain this and what does it mean for organisations?

It’s a big, big problem

Issues we discussed related to the scale of the problem. Business systems are proliferating, being incorporated daily into so many aspects of business. Cloud and web 2.0 based technologies such as Google docs, wikis and other collaborative tools are often great for work process but have minimal native recordkeeping capacity. Really prioritising assessments based on level of risk and business need is possibly one way to deal with this issue.

It’s hard to communicate what the problem is and what needs to be done

A number of participants reported on problems communicating their concerns to system owners and IT staff. It was only when there was a significant failure that people began to pay attention.

Others however reported that senior management buy-in was really helping them to conduct whole-of-organisation assessments and to start work on remedying the issues faced. The group felt that this level of endorsement and support was often critical to success. Others however reported that the slow and steady approach, of one-to-one contact with system owners, sitting down and talking about how processes could be improved and what might work better for the business was very time consuming but also very successful.

The flip side of this level of engagement also however had the potential for problems. A number of participants had been successful in becoming involved in the business system procurement process which was fantastic for building recordkeeping into systems at the outset, but this level of engagement takes a lot of time.

Administrative change

It was reported that large levels of administrative change in government recently are having significant impacts on business systems. Business systems are having to be split or have their components amalgamated with other business systems and a number of participants really want more guidance on improving and managing records through this process.

Practical technical guidance

Participants also reported on wanting more practical technical guidance. Some more examples on how to determine what a record actually is in a database environment were requested. People also wanted short, simple statements of recordkeeping requirements that could be added to procurement documents or requirements statements. And people also wanted clear, simple ideas about how business systems can meet recordkeeping requirements.

Don’t necessarily believe vendors

One participant reported on a new business system process she had been involved with where the vendor argued very convincingly that the system could meet all identified recordkeeping requirements. She wasn’t convinced and was finally able to persuade the system owners that they should build an integration pathway between the business system and the corporate records system just in case. It was lucky she did because within hours of its implementation it became very apparent that the business system could not make records of its operations.

You don’t just want records, you want good quality records

When assessing what records you need from your business systems, we also discussed that you need to consider the quality aspects of these records too – what’s needed to make them good records, accountable and useful records, records that will serve all business needs and make them useful in the organisation. What metadata is necessary, what records management processes need to be supported, what other business needs can be met by improving how records are described, managed and shared.

It is hard work…

The group also discussed that unfortunately there are no quick fixes to any of these problems. Most systems require a tailored, individually developed solution which takes significant time, effort and engagement.

It does need to be about the business

While records do need to be made and kept, recordkeeping needs shouldn’t overrule business needs. Recordkeeping supports business, not the other way around. Participants discussed the fear that some system owners have that records staff are going to make all their dynamic data read-only and interfere with system functionality. The group discussed that if you have a business need for fixed representations of this dynamic data at a particular point in time, then yes, you need to work out a way to create a fixed record, but if the business needs dynamic data, don’t mess with this.

It doesn’t have to be pretty

We also talked about how quick fixes might be appropriate in many situations. Solutions don’t necessarily have to be elegant and expensive. They can be expedient and elementary if this meets business needs. For example, investigate whether you can you take a screen shot and tag it with relevant metadata in order to meet your business needs. Can decisions based on business system data be reported in an email and then this email captured as the official record? Can a file note of a business decision that includes reference to the information that was ‘derived from system X which said this on this date’ be enough? Can you run a regular report and export this to your records system and use this as your official record? What are all your options and what will be appropriate?

Any solution developed will need to be based on an assessment of business risk and business need, but sometimes these simple, expedient options can be appropriate.

Whatever solution is developed, it’s important that it’s supported by a documented procedure that outlines what the recordkeeping process is for your business process.

In summary

From our perspective, this was an incredibly valuable workshop that provided so much food for thought. It demonstrated the fantastic recordkeeping work that is going on in NSW government and enabled us to talk to some of the brilliant people working at the coal-face each day.

It also highlighted the significant risks facing all forms of government business and showed that these risks are increasing each day. State Records will continue to work on helping to mitigate these risks and we’ll post regular updates on this blog. In the meantime though, if you have comments, suggestions or particular business system examples you want to discuss, please make a comment or send us an email. We love to hear from you!