Defining high risk records June 18, 2011

Creative Commons License photo credit: nothakus

In a few days time, on 30 June, it will become a mandatory requirement under the Standard on digital recordkeeping (see Resources section above) that each government organisation must ‘define the digital State records that it will make and keep’ for all of its high risk business processes (requirement 1.1).

Our recent government-wide compliance survey asked how organisations were going with meeting this and other requirements from the standard. 80% of agencies from across all sectors of government reported that they had not yet determined what records are needed to support their high risk business processes. This is potentially a very large problem. If organisations don’t know what information they need to make and keep in support of their high risk operations, they are jeopardising their current operations and also impairing their ability to maximise and realise the full benefit of their information.

So how do organisations define which digital records are needed to support high risk processes? Here are a range of options to get you started.

How to identify what ‘high risk’ is in your organisation

Use existing risk assessments

  • For disaster recovery and other risk management purposes, IT or other staff in your organisation will have already assessed and identified the high risk business systems in your organisation. You can use this assessment to identify these systems. You will then be able to identify what parts of your business these systems support. Once you know this you can start to identify what information is actually needed to support this business. Remember, you are not just looking to identify what information is already captured, you are looking to identify what is actually needed. There may or may not be a difference in your organisation.

Use existing disposal tools

  • Use authorised retention and disposal authorities – for classes that have retention periods of 10+ years, what types of records do these authorities say should be created? Do you actually create and maintain these records?

Use existing models of what high risk processes in government are

Across government, high risk business processes are likely to involve one or more of the following:

  • regular, routine or direct contact with individuals (for example, a regulatory, enforcement, health or welfare activity)
  • impact on citizens’ rights, entitlements and wellbeing
  • the creation of policy for offices with impact on individuals and communities
  • the making of legal agreements on behalf of NSW Government
  • the making of laws
  • the determining of policy on government functions and activities
  • a significant investment by Government
  • an investigation by the ICAC (Independent Commission Against Corruption), Ombudsman or other watchdog agency with recordkeeping issues relating to the process being identified
  • processes that are open to corruption or the potential of corrupt behaviour
  • a significant contribution to the economic and social development and management of NSW either directly or indirectly
  • a significant contribution to the economy, the management of natural resources, the protection and security of the state, and/or infrastructure of NSW
  • a major program of international/national/state significance
  • records that are included in the organisation’s vital records register
  • significant records relating to Aboriginal people and heritage
  • profiling in the media for matters that indicate possible recordkeeping failures
  • the production of State archives.

If your organisation operates in one or more of these areas, look at how your organisation performs this business, what specific processes it performs and what records are created as part of these processes. You can then look at whether these records are adequate and meeting business needs.

Use legislation, standards, procedures and best practice requirements

  • legislation and standards are often very specific in terms of the records you need to keep and the information that these records need to contain. Make sure, for your high risk business, that you are meeting these kinds of mandatory requirement
  • look at procedure statements that say what records need to be created from specific processes. Are these records being created?
    • for example, if the procedures for student management say that ‘a record must be kept of each action taken on a student in the Student System (eg offer, grading, disciplinary action) including the date of the action and who approved it’, does your student management actually do this?

Think about your business needs

  • what information do staff working in high risk business areas say that they need to support their business? Is this information readily available to them?
  • can a standard search by someone not directly involved in the business find relevant information?
  • remember that your organisation doesn’t just need information, it needs good quality information. Information that has good metadata that identifies who created it, when it was processed, what it documents and how it has been managed. Do the records you create provide a comprehensive and useable overview of high risk business operations? Can queries to be readily answered? Can information be leveraged and reused?

Focus on areas of your organisation that use business systems, not recordkeeping systems

  • traditional correspondence or forms-based processes and systems tend to be good at managing records
  • your organisation is likely to face higher levels of risk with newer processes and systems that are based around databases and business systems
  • recordkeeping is not native to these applications and so these could be key areas of risk where adequate records are not being created
  • this could be a problem because if records are not made or managed appropriately in business systems, your organisation won’t have essential evidence of what has occurred (a big problem if it is challenged) and it is at risk of failing to meet some of its legal, business and other requirements. You might also find that the lack of records in dynamic business systems can also hinder the actual conduct of business by inhibiting decision-making and forcing data to be recreated rather than simply reused


Strategies for documenting government business: the DIRKS manual provides a sound methodology for identifying legislative and business requirements for records, and community expectations of what records will be created. For example, Step A of the methodology indicates what sources need to be examined and questions to ask of stakeholders. Step C indicates how to interrogate these sources in order to identify recordkeeping requirements. These processes will lead you to a comprehensive understand of the different records your organization needs to support its business and will help you to assess whether your organization actually has the records it needs.

Focus on areas where you think there might be problems

The Standard on digital recordkeeping is not designed to simply give you work for work’s sake. If you have good recordkeeping in place across your organization and have already assessed your recordkeeping requirements, there is no need to trawl back through and compile research again just in order to be compliant with the standard.

Rather, the standard is intended to provide a prompt in this era where business systems are proliferating and government business is changing rapidly, to step back and reassess whether, in amidst all this change, good recordkeeping is still being achieved in the high risk areas of your organisation. There have been many instances across government where rapid changes in staff and technology have lead to poor recordkeeping which consequently lead to significant operational and accountability failures. Identifying the records that should be kept of your high risk business operations and then determining whether your processes and systems can actually make and keep this information, is a really important risk management process in your organisation.

Don’t forget!

  • you are not just looking to identify what information is already captured, you are looking to identify what your organisation actually needs to support its processes
  • this assessment is meant to be guided by your business needs and not seen primarily as an external compliance exercise. Your investigations should be very grounded and focussed specifically on your own operations – what is needed in your organisation to manage risks and to give you the highest value and most effective information
  • excessive levels of detail are not required – it should be focussed on your own needs, not some external high level benchmark of best practice
  • the Standard on digital recordkeeping indicates that the level of detail required for defining digital records should be risk based and adequate for implementation purposes. There needs to be enough detail to implement the requirement: for example, so that the organisation knows what pieces of data must be captured with which other data, and at what point in the business process.

Case study: A sample risk assessment from local government

In early 2011 State Records consulted with a small reference group consisting of records management and archives staff from a range of metropolitan and regional Councils, to develop an indicative set of high risk business activities and associated systems for Councils.

The areas of Council business activity that they identified as potentially of high risk are:

  • financial management
  • property management (Council property)
  • the building and maintenance of infrastructure such as roads or sewerage/drainage services
  • development and building controls
  • legal services
  • community services (childcare)
  • grants and subsidies
  • personnel (payroll)
  • tendering
  • complaints

To manage the high risks associated with these areas of business, councils should identify what records they need of these high risk operations in order to:

  • perform these operations appropriately, and
  • account for Council’s work in these areas, both immediately and in the long term.

So, for a high risk area like ‘community services (childcare)’ you would:

  • look at relevant legislation like Children’s Services Regulations 2004 which contains significant recordkeeping requirements, identifying a wide range of records that must be kept about childcare services and specifying how long many of these need to be kept for
  • look at (General Retention and Disposal Authority) GA39, Local Government which in section 3.0.0 identifies a range of records that should be kept about childcare services
  • talk to childcare staff and those who manage the administrative areas of childcare – what information do they want and need in order to do their work effectively and accountably?

Using these and any other sources you think appropriate, a list of necessary records will start to emerge:

  • licences
  • certificates of registration
  • emergency plans
  • public liability insurance
  • records of all registered children including medical records
  • records of child attendance and excursions
  • records of complaints
  • responses to complaints
  • reports of complaints to relevant authorities
  • probity checks of staff
  • records of staff qualifications
  • records of staff first aid training
  • records of staff attendance
  • signed visitor registers
  • records of all programs offered by the service
  • records of daily timetables
  • a developmental record for each child
  • a weekly record of the service etc, etc

This is the key component of the mandatory compliance requirement that will become effective on 30 June.

Requirement 1.2, ‘The digital State records that the public office has defined must be captured into an official digital recordkeeping system’ and the remaining requirements in the Standard on digital recordkeeping, will become mandatory under the State Records Act on 30 June 2012.

To comply with these next requirements, you need to use your set of defined records and determine whether all identified records are actually being made and kept appropriately. This means you need to look at business areas and business systems and assess whether all the information you need is actually there and kept in a way that enables it to be used and maintained. Remember, your high risk business operations often have very long retention requirements, meaning that the records produced in these areas often have to be kept for very long period of time. For example, the Children’s Services Regulations 2004 say that records about children at a childcare service have to be kept until the children reach the age of 24. Can the systems you have in place actually achieve this?

At the moment however, the key mandatory requirement relates to knowing what records of your high risk processes need to be kept. Advice on determining the adequacy of how you make and keep your defined high risk records will be forthcoming, but before then, any ideas, discussions or queries about compliance issues with the Standard on digital recordkeeping would be most welcome via the Future Proof blog.

Leave a Reply

You must be logged in to post a comment.