Using recordkeeping to support high risk business and to mitigate information risks

June 28, 2012

30 June 2012 marks the end of the phased implementation timetable of State Records’ Standard on digital recordkeeping. Under the terms of the Standard, records now need to be made and kept of the high risk business operations that are performed in all your relevant digital business systems.

It is important to be aware that you should not be implementing the standard purely because State Records says you should, or because there are mandatory compliance requirements built into the Standard. And it is also important to not see the Standard as a cost burden, or an inhibitor to business process and innovation.

The Standard was designed and implemented because there are genuine risks that are threatening the ongoing useability and accessibility of government’s digital business information. And, for key business information, these threats must be mitigated. So this is what the Standard is designed to do. It is really a risk management standard that requires you to assess and mitigate the risks that may threaten your organisation’s business information, now and over the long term. The Standard seeks to ensure that whatever business applications your organisation is using, you have ensured that these systems can create, maintain or export the information your organisation needs to support its business operations.

Types of risks threatening business information

Unless they are mitigated, in the digital environment there are risks that:

  • information will not be maintained
  • information maintained will be incomplete
  • information will be meaningless and unable to be understood
  • information cannot be trusted
  • information will be corrupted
  • information will be inaccessible
  • information will not survive for as long as your business needs to access it

These genuine threats to digital information are already impacting across many organisations. The Standard exists to proactively flag that significant risks can threaten Government’s ongoing ability to make and keep the digital business information it needs to continue its operations. Therefore organisations must actively identify their key, high risk digital business information and then take steps to ensure that this information will be maintained, complete, meaningful, trustworthy, accessible and kept for as long as you have business needs and requirements for it.

Key points at which information risks need to be mitigated

There are specific points in the lifespan of your digital business information and systems where risks to the sustainability of your digital business information need to be mitigated. Being aware of these risk points can help you to plan for how the requirements of the Standard might most effectively be deployed in your organisation.

System design and configuration

When designing and configuring business systems, you need to:

  • assess your business processes to identify the records that need to be created to support your business operations
  • assess your business systems to determine what records need to be extracted from them – that is, if systems can only retain information for a short time before it is overwritten, what information needs to be exported and when?
  • ensure your system configuration takes account of your information management needs – can your system actually provide you with the information you need now and into the future to access and continue to understand and use your business information?

System integration

The design, implementation and upgrades to system integrations can have significant impacts on recordkeeping capacities and information sustainability. Any business system integrations need to be well designed and then regularly monitored to ensure that accurate and adequate business information is continuing to be exchanged between the systems.

System migration

If migration is not performed well, threats to data integrity and system functionality can lead to business failures and significant information loss. Records staff need to be involved in the migration of high risk business systems to ensure that the key business information is identified, protected and maintained through the migration process.

Record format selection

Complex record formats, or formats that do not operate with standard business environments, or formats that are not stable over a 3-5 year window can all threaten the sustainability of your business information. Record format selection is a key risk point for the ongoing accessibility and useability of your business information. It is important to make format choices that ensure your ability to maintain and use your information over time.

Moving to cloud based business or storage environments

When corporate information is moved to the cloud, it is critical that there are contractual arrangements and controls in place to ensure the safe custody and proper preservation of records in the cloud environment. It is also necessary to consider information governance requirements and how these will be deployed in the cloud environment. For your key, long term information, given it is likely that a significant proportion of this information will be required by your organisation for longer than the service agreement with your cloud provider, you also need to consider how it will be exported and integrated into your business systems at the conclusion of cloud service arrangements.

If service providers performing business on your behalf are using cloud systems for this work, then you need to ensure that they are making and keeping all appropriate records on your behalf in these systems. They also need to be capturing them in appropriate formats and applying all required metadata to ensure the records remain useable, meaningful and accessible.

Orphan records

An emerging threat to accessible, useable business information is the creation of orphan records and systems. Sometimes when legacy business systems are too complex or poorly designed or too costly to map to new technology, a decision is made to set the old system and its contents aside and start processes afresh in a new business application. While this may be justified in many situations, it must not be an opportunity for ‘orphaning’ the legacy information. If business information that still has business and legal retention requirements applying to it is not to be carried forward into active business systems, then arrangements must be made for its ‘adoption’. To mitigate risks, it is important to identify the orphans that may already exist across your organisation and then to plan for their adoption.

So these are some of the risks threatening your business information that assessments under the Standard on digital recordkeeping can help to mitigate.

Implementing the standard

It is fantastic that many government organisations have already undertaken substantial work to implement the Standard and to build good recordkeeping safeguards into their digital business processes and actively manage their information risks.

But if you are still in the process of assessing your high risk business information-containing systems and identifying information risks and determining strategies to mitigate them, here are some suggestions for ways that you can kick start your implementation of the Standard and your assessment of information risks:

Use existing risks

Use your organisation’s corporate risk register to prioritise the assessment of business areas and systems. Flag the risks on the register that have been created by poor information management practices and try to develop some advice on how these risks could be mitigated by using recordkeeping strategies and advice.

Information Governance requirements can help as a driver

Use information governance as a driver. There are some disturbing statistics around about the state of information governance. Gartner has predicted that by 2016, 20% of CIOs in regulated industries will lose their jobs for failing to implement information governance effectively across their business systems. (Image and Data Manager, Jan-Feb 2012)

The Standard on digital recordkeeping identifies risks to information as key organisational risks, and requires that organisations deploy strategies to mitigate these risks. Use the completion of the Standard’s compliance timetable as a driver to have conversations about information governance with your executive, CIO, ICT staff, business areas, system owners, users and any other parties who have a vested interest in the ongoing maintenance and useability of your core business information.

Book roundtable meetings

Book out half a day and convene a meeting of the owners of business systems that you believe contain high risk business information in your organisation. Have a roundtable discussion where you all discuss business information requirements, information sustainability and longevity, and the threats and opportunities that are impacting on these core sets of business information.

Collaborate

Collaborate with ICT colleagues and work together to fully assess a key business system that you have identified. Sit with your ICT colleagues while they assess its configuration, hardware and software dependencies, business rules, integrations, export capacities etc. You can then flag the retention requirements that apply to the business performed in the system, the different types of business information that reside in the system, the short term data that can be routinely purged from the system, the long term information that will need to be carried forward out of the system and the metadata that is necessary to support information integrity and useability etc. Then together you can all work with relevant business staff to confirm your understandings. This comprehensive and collaborative approach to system assessment will give you a very solid understanding of business requirements, the business system, information requirements and the information threats that may exist in the system.

Develop list of recordkeeping requirements

Develop a list of key recordkeeping requirements that should be built into new high risk business systems that will support high risk business processes. Having a proactive list of requirements that can be built into systems at design or development can help to immediately mitigate information risks in new systems, and help to ensure that these systems have the capacity to manage corporate information according to your particular business needs and requirements.

Consider new business systems

Don’t forget new business systems. When assessing your business systems, don’t forget new and evolving applications like social media, wikis and collaborative platforms. These are spreading rapidly across government and legitimate government business is increasingly being performed in these applications. If your organisation is taking social media seriously, you need to take social media seriously too and assess the ongoing needs that your organisation may have for the information generated by and through these systems.

Document your system configurations

Documenting the system configuration that controls how your business information is managed is critical to the ongoing management, export and useability of your business information. For all systems that make and keep important business records, you need to have records that show how these systems are configured and how they are managing your business information. The Standard on digital recordkeeping says that you must identify and map the key metadata that is used to control your business information, and documenting your system configurations will help you to do this, and help you to identify where any important metadata that may be needed to identify and manage your business information is currently not being captured.

Consider the cloud

Be aware of the movement of any high risk data to the cloud. If you have been told that a certain system or information is being moved to the cloud, provide some proactive advice about the business needs and requirements that apply to this information. Let ICT and business colleagues know how long this information will need to be kept for and what security, use or management rules apply to it. Also flag what metadata will be required to support the ongoing accessibility and use of the information. If there are any format concerns with the records, make sure to flag these, and ensure you identify any audit trails or other accountability requirements that may need to be deployed in the cloud environment.

Workshop on managing recordkeeping risk in business systems

Last week we ran another of our free workshops on managing recordkeeping risk in business systems where we discussed all these issues and more. We had a great range of participants, some who were yet to really embark on digital recordkeeping challenges, some who were transitioning to the digital environment, and some who were well down the track of identifying and managing their digital information risks. One of the great things about the workshops is the group discussion and collaboration. At this workshop lots of great strategies and ideas were exchanged about recordkeeping challenges and solutions. The workshops also attract a diverse range of participants, including people with responsibilities for records, ICT, risk, business systems and more. This creates an excellent range of viewpoints which really contribute to the discussion.

If you are interested in attending a future workshop, please see the course description and registration information. Please note, because this workshop is free and because it relates to specific NSW government requirements, participation is limited to members of the NSW public sector.

We’d love to hear your views!

If you have projects underway to mitigate information risks in your organisation or if you have been working towards compliance with the Standard on digital recordkeeping, please share your experiences! Alternatively, if you have questions about how you deploy the Standard in your organisation or in a specific system, or about a particular information risk you have identified, then please do let us know. We are here to help!
