Defining risk in recordkeeping

February 13, 2012

The compliance timetable supporting the Standard on digital recordkeeping says that, in order to manage your digital records effectively, you should focus your time and resources on identifying and improving the systems that support the high risk business processes in your organisation. In this post we will look at some of the issues associated with identifying and assessing the systems that support high risk business processes in your organisation.

‘High risk’ in relation to recordkeeping assessments is similar to, but not the same as, business continuity definitions

The first point to note is that ‘high risk’ in the context of the Standard is related to but is not the same as disaster management or business continuity planning or vital records identification.

Business continuity planning and vital records management are critical components of disaster recovery. They are necessary processes to ensure that organisations are able to re-establish themselves as quickly and comprehensively as possible after a disaster. ‘High risk’ in terms of the Standard on digital recordkeeping does encompass aspects of this, but is different to business continuity and disaster management because it is focussed specifically on recordkeeping. The Standard’s definitions of risk relate to corporate accountability, corporate knowledge culture and corporate memory. It is asking you to assess risk in the form of the threats to your corporate business information that could impair your organisation’s ability to function and to account for its actions, both immediately and in the longer term.

The Standard is designed to mitigate threats and risks posed by poor or inadequate digital recordkeeping practices

The Standard is really asking you to identify the risks that could impact your organisation if specific collections of corporate information were lost or compromised.

The Standard was developed because State Records became aware that many of the new business systems being implemented across Government were either not designed or were not being configured to capture and manage records. For the short term (which can increasingly be a window as small as 12-18 months), most business systems are able to manage the business information they contain so that it can be referenced and used when required in business operations.

However, if systems are changed or upgraded or integrated with other applications, threats to the integrity and useability of their information immediately begin to creep in. And if you are performing high risk business processes in a system that cannot adequately capture and manage records, then this is a very high risk for your organisation because the likely outcome is that you will have no valid and useable information to account for your actions or to use as a reliable basis for subsequent actions.

These, then, are the threats that the Standard seeks to mitigate, and it is asking you to nominate ‘high risk’ from this perspective. It is asking you to identify which business processes are high risk in your organisation. Then, it is effectively saying that you need to determine to what extent your organisation’s high risk processes would be affected if information about these processes was lost or incomplete or corrupted. It is very important to realise that this means not just affected tomorrow or the day after tomorrow, but in 5 years’ time, 10 years’ time, 100 years from now.

Once you know what information is needed to support your high risk business processes, you then need to determine whether the business systems that perform these processes can actually make and keep records and maintain accessibility to them for as long as your business needs dictate.

Importantly too, the Standard is not just requiring you to manage what you have, it is also saying that you need to make sure you are actually creating what you need. Many contemporary business applications do not natively make records. So you need to assess the systems that support your high risk business processes and make sure they actually can make records of your business, and then work out strategies for the ongoing management of these records.

A lot of business systems can’t natively make and keep records and this is a big risk

Configuring business systems to make records of their operations can actually be very complex and challenging. This kind of approach, which requires a stable collection of ‘redundant’ data, is antithetical to many database design principles. Many business systems are designed around the principle of ‘non-redundancy’. To ensure systems operate at maximum efficiency, they are designed not to keep collections of time-expired, non-current, ‘redundant’ data.

These principles may have been appropriate in the early days of database design and do still have validity in many applications, but they are not appropriate in business environments where organisations are required for various reasons to keep records of their operations. But even where significant legal obligations exist, in many business areas systems that are based on non-redundancy principles are being rolled out to perform operations that have legal and business requirements for ‘redundant’ data (also known as records).

This process is likely to be happening because, in most situations, people have never really had to stop and consciously make records. Records, in very long-standing and traditional definitions, are ‘the by-products of business operations’. They are usually not consciously or deliberately created but are created automatically in the course of performing a business transaction. Records, then, tend to just happen, to just accumulate. People have never had to think terribly much about it; a record has just been created when they do the work that they do. And because most records have traditionally been either paper or ‘fast paper’ (like a word processed document), they have had a degree of in-built longevity and fixity which has meant that they have just naturally tended to survive for as long as business has needed them.

But digital business systems have changed all that. Suddenly many business records are bearing absolutely no resemblance to traditional paper records at all. Because they have never really had to be considered before, record creation and management principles are not being built into business applications.

Businesses still have all the exact same reasons and obligations to make and keep records – lawsuits are never going to go away, people will always need to know their rights and entitlements, the business will always need to account to the Minister, the client, the Board or the stakeholders, and staff will always need to know what decisions were made last month. It’s just that now the business applications we rely on can’t do it. Or can’t do it beyond a 1 – 5 year window. And this is such a concern to each and every organisation.

So the Standard on digital recordkeeping says that you need to identify what information you need to make and keep in all your high risk areas of business. You need to look at the systems that do this business and then you need to make sure that these systems can actually make and manage records.

