Future Proof – Protecting our digital future

Kate and I spoke at the NSW Records Managers’ Forum yesterday.

We had a lot of interest in our blog post for International Archives Day, Our Our top 5 – Why recordkeeping is awesome!  So, for the Forum, we chose to expand on this theme, and develop a bit of a ‘manifesto’ for good recordkeeping and to give our top 10 tips on what recordkeeping professionals need to do to achieve good recordkeeping.

Some organisations wanted to get a copy of the manifesto for use internally in their organisations. Some wanted all the information we presented. So we promised that we would make the information available on this blog.

The Happiness Manifesto
http://www.flickr.com/photos/
daveharkins/6649723933/

The ‘manifesto’ has now been massaged into a two page flyer called ‘Why is good recordkeeping important?’ (PDF 36kb).

We have also downloaded a version of our original Recordkeeping manifesto Prezi presentation (15.1MB – use the arrow keys on your keyboard to scroll through the document).

The top 10 key recommendations that we believe are necessary for deploying the recordkeeping that will create and sustain good business information are as follows:

1. We need to be strategic

Good recordkeeping is, by its nature, strategic. It looks to the big picture, taking into account our organisation’s risks and business needs and implements solutions that meet needs and mitigates risk.

But recordkeeping gets pigeon-holed as a process. Worse, it is seen as a back-end process, with little relevance to immediate business concerns. Our work is seen as procedural, not strategic. Our ICT colleagues, for example, widely believe that ‘recordkeeping’ is deploying and maintaining an EDRMS, and its purpose is primarily compliance-based.

In the digital world recordkeeping cannot be strategic unless it is at the forefront of business planning and processes. Records managers need to be part of teams planning how the organisation should use, store and manage information. They also need to be involved in system design or purchase, where they can define what recordkeeping requirements need to be built in, to safeguard important records within systems now and over time.

We need to do more to educate our organisations about the strategic power of recordkeeping and the real benefits of the work that we do.

To be strategic, recordkeeping needs to be seen as an enabler, not as a straight-jacket. Good recordkeeping should be viewed as something critical to multiple business applications, not just an EDRMS environment. Recordkeeping is a primary support for powerful, effective and sustainable business information, not a box on a compliance checklist.

We need to make sure that recordkeeping is reflective of business needs and be open to assessment, analysis and continuous improvement. As business needs change, our recordkeeping processes must also be open to change and evolution.

We need to help our organisations be proactive and not reactive. As recordkeepers we already have the big-picture understandings of our organisation’s legal obligations, business requirements, risks and client needs and the implications of new risks and business endeavours. With this knowledge we can proactively contribute sound advice in all relevant contexts and proactively assist in the management of change.

2. We need to collaborate

In the digital business environment, separate ICT, IM and RM domains are converging at such a pace that none of these professions has had time to redefine their boundaries, communicate their ideas or assess their risks. There are no longer neat lines of demarcation between our responsibilities. There are also no longer separate life cycle stages where each of us needs to step in and play our part, traditionally ICT and IM at the start of the lifecycle and RM at the end.

Failing to work together means systems, technology and business information are proliferating in ways that often meet no key business requirements.

These issues are reaching a tipping point. Disturbingly, Gartner predicts that by 2016, 20% of CIOs in regulated industries will lose their jobs for failing to implement the discipline of information governance effectively across their business systems. (SharePoint Survey 2012, Image and Data Manager, Jan-Feb 2012, p18)

Because of the rapid evolution and adoption of digital technologies, consistent and coordinated assessments have not been deployed to ensure these technologies are capable of appropriate information retention, management, control, storage, access and compliance. This is placing all our organisations at risk.

But the good news is that we know all about this stuff. By collaborating with our colleagues and contributing our insights on the strategic management of information, on the business benefits of destroying superseded information, on information integrity, on risk mitigation and accountability, we can demonstrate that we really deserve a seat at the table, and that we have valuable insights that will contribute to the effective governance and management of business information.

3. We need to find champions

To be effective, our recordkeeping strategies need management buy-in and ongoing support.

To get this support, we need business sponsors and champions. We need influential colleagues and decision makers to understand the benefits recordkeeping can bring and to advocate for recordkeeping on our behalf.

We need the changes we advocate to be driven from the top and then incorporated in strategic workplans, system design, business process and business decisions.

4. We need to be pragmatic

We need to realise that in certain circumstances, good recordkeeping may really be ‘good enough’ recordkeeping.

Our organisations need good information today or tomorrow or in 20 or 50 years time and it is our job to provide them with this. But there are no set rules for how we should do this. We might deploy the ultimate system with all the bells and whistles. Or we might simply run a monthly report from our business system to export key data at regular intervals.

With the vast quantities of information available what is imperative is that we act now and be strategic. We need to be selective and our solutions need to be pragmatic and focused on the areas of highest risk. We need to focus on what is achievable and what needs to be done. Pragmatism not perfection is the key!

We believe that being pragmatic also means using and repurposing tools that we already have and using them for strategic advantage.

For example, we need to stop seeing disposal authorities as retrospective tools for sentencing and destruction. Disposal authorities are actually detailed, information rich tools that outline the business your organisation performs and the legal requirements that specify how long the business generated by that business needs to be retained for.

We need to instead see them as proactive tools for assessing business risk. For example, it is quite likely that the business areas generating records with longer retention periods will be performing higher risk operations. You can therefore proactively support these areas with advice on good system design, on good long term record format selection, metadata creation and application, migration support etc.

Disposal authorities also help you to identify business systems with short term value information that can be regularly purged. In this way, the retention of short term value information will not become an asset drain on the organisation.

Disposal authorities can also be used at system design to help define the business rules and retention requirements that should be built into systems to better manage the business information they create.

We also should see the value in corporate-wide tools such as classification schemes. These tools can actually give us insight into all areas of our organisations. As records managers we are among a few key professions that do have a broad-reaching understanding of the business performed across our organisations. We need more confidence in our voice and our viewpoints that come from this broad understanding.

5. We need to educate

Firstly we need to educate our organisations about the value of their corporate information.

In a 2010 survey of New Zealand government CIOs, the number one corporate risk flagged by CIOs was that ‘my organisation is not aware of the value of the information it holds’. (Archives New Zealand, Digital information at risk survey: final report, December 2010, available at: http://archives.govt.nz/digital-information-risk-survey) As recordkeepers, it is critically important that we help our organisations be aware of the value and strategic importance of corporate information. Until our organisations are fully aware of the current and legacy information assets they hold, they will not commit resources to its protection and management.

We also need to better educate our organisations about the extent of our recordkeeping role. All business systems make records. All business environments need to be underpinned by effective recordkeeping. As recordkeepers, our expertise and responsibilities are not limited to documents and to EDRMS.

To educate our organisations, we need to outline the risks and challenges confronting corporate business information, explain why these are real strategic concerns that threaten business performance and outline what we can collaboratively do to help. We need to see advocacy, communication and education as a key part of our role.

As recordkeepers we also need to promote our ability to see the future! It is our job to not just think about what our organisation needs today, but to also think about what it may need tomorrow. In the current technological environment, where the future is anything but certain, that recordkeeping capacity to see the future and know the information that will be required to support the organisation tomorrow, and how this should be protected, is a very valuable commodity.

As recordkeepers, with our responsibility for many legacy record collections and systems, we also often have the benefit of hindsight, of knowing what has and hasn’t worked in the past. We need to better use this knowledge to articulate what our organisations will need in the future and to identify the legacy information that will need ongoing resourcing and support.

6. We need to support information integrity

The ‘value add’ of recordkeeping is accountability and integrity. Recordkeeping processes and systems are designed to invest information with accountability and integrity.

Good recordkeeping involves encouraging the creation of full and accurate records of our organisation’s key business and then protecting the integrity of the records so they can meet privacy, security and confidentiality requirements and stand up as evidence if their integrity is ever questioned.

We need to see information integrity and the key accountabilities that this enables as critical components of our roles and responsibilities and communicate this understanding with others.

7. We need to be aware of new technologies

New technologies are transforming how business is done. Most of these technologies do not natively make and keep records and so, if our organisations use these technologies, we need to be alert to how we might need to support business to ensure it continues to have the evidence and information it needs.

For example, many businesses are recognising the significant business advantages of cloud computing. But they assume these records will always be around when they need them, an assumption entirely dependent on a third party provider. Good recordkeeping involves taking active measures to include recordkeeping requirements in cloud computing contracts, to monitor to ensure these are met and to make arrangements for the safe return of data when contracts expire.

Social media is being embraced as a powerful business tool, opening up new ways of collaboration and consultation. But information you post on social media sites is hosted by external third party providers. Do you know what business your organisation is performing in these environments? Do you know whether can you extract relevant business information from these applications and import it into corporate systems? Does the applications you use actually have export functionality?

Many records managers are slow to take social media seriously. But if business is taking social media seriously, then we need to take social media seriously too . Good recordkeeping involves supporting business wherever it may be occurring and finding solutions to capture social media records where risks indicate that solutions are needed, so that relevant information will continue to be available as an ongoing resource and protection for your organisation.

It is important to be aware too that good recordkeeping can help you to manage particularly vulnerable records. For example, the United States Defense Department is concerned that its 3D engineering documents for weapons and long term assets such as planes and aircraft carriers can no longer be used to service and maintain these assets. These records are created in complex engineering software which is upgraded every 18 months. Defense is finding that in a very short period of time, due to all the software upgrades, these records are potentially no longer accurate. This threatens necessary business processes, such as the repair and maintenance of these critical, long term assets. They are investigating recordkeeping strategies as way to manage and mitigate these business risks. (See http://www.stripes.com/news/as-technology-evolves-military-wrestles-with-preserving-vital-engineering-data-1.166093)

8. We need to destroy information

A critical but overlooked component of good recordkeeping involves destroying selected records when their value has diminished.

Think of all the hoards of paper records in storage that cannot be destroyed because no one knows what is there and what the information is worth. There is a significant cost burden here.

This wastage is being replicated in the digital world. Organisations are incorrectly assuming that, as storage is cheap, they can keep everything.

But information is growing exponentially. Each year, data volumes are increasing by 57%. (David Rosenthal, Let’s Just Keep Everything Forever in the Cloud, 14 May 2012, accessed via http://blog.dshr.org/2012/05/lets-just-keep-everything-forever-in.html)

It will be impossible, and actually prohibitively expensive to keep everything.

It is important to realise that while storage containers might be cheap, the management of these containers is not.

The effort requirement to manage privacy, compliance, protection and confidentiality, let alone access requirements with the massive information volumes confronting us will become completely unsustainable. We will see increased litigation risk and expensive and inefficient e-discovery processes. Without digital destruction, we will be completely lost in the fog of digital data and our organisations will be subject to significant long term migration, preservation and storage costs and risks through over-retention of digital data. Core information will become lost in a sea of meaningless information.

We need to realise that good recordkeeping means chucking things out. It involves reducing quantity in order to manage core information in a strategic and managed way.

9. We need to help build better systems

Many government organisations are suffering from ‘architecture debt’, a legacy of inadequate and inefficient business systems that are not built on sound system architecture that enables information to be created and managed well.

Geoffrey Vintin, a Fellow of the Australian Computer Society says that examples of architecture debt include:

• inconsistent and overlapping information that is held in different repositories
• systems that can’t talk to each other due to inconsistent metadata and classification structures
• the inability to find correct, up to date information that is needed for decision making.

These issues and many others like them create ‘debt’ because they lead to genuine financial impacts. These can be caused by poor decision making, or the ongoing purchase of new technologies to plug gaps, or the costs of recreating business information that no longer there, or the effects of legal challenges. (Geoffrey Vintin, Information Management and Governance for the Public Services, ARK Group Conference, 25 June 2012)

We need to be confident that recordkeeping gives us the tools to positively contribute to system design in ways that can help to avoid architecture debt.

With recordkeeping we can proactively identify the business information that will need to be accessed, used and understood in 5, 10+ years time and can contribute genuine advice on the system design and export functionalities necessary to enable this.

We can flag the business information that will not need to be carried forward and can provide advice on how and when this should be routinely purged. We can advise on metadata and the context that will be necessary to ensure information is accessible, understandable, accountable and useable in the future.

We can therefore provide powerful and business appropriate mechanisms for minimising architecture debt in the future and we need to proudly assert this message.

10: Ultimately we need to realise it’s not about recordkeeping, it’s about business

We need to stop trying to sell recordkeeping and instead we need to start solving business problems with recordkeeping, and let the results speak for themselves.

To better align with business, we need to target business strategies and demonstrate how recordkeeping will better enable these strategies to be achieved or how better long term outcomes can be achieved using recordkeeping.

This alignment with business, ultimately, is what is going to build recordkeeping acceptance, capacity and performance in our organisations, and generate better records as a result.

Questions? Comments? Concerns?

These are our the views of the Digital Recordkeeping team but we would love your feedback. What have we got right, and what have we got wrong? What do you think is necessary to support strategic recordkeeping? What extra advice or support or strategy is needed to bring about strategic recordkeeping? Please let us know!