Taking a risk-based approach to recordkeeping June 26, 2017

State Archives and Records NSW advises that high risk business areas in each organisation should be priorities for information management activity. By identifying its high risk business areas, an organisation can identify and mitigate any information-related risks these areas might face.

At last week’s meeting of the Digital Implementers Group, the members talked about how they have been identifying, assessing and mitigating information risks. The discussion revealed the practical ways in which organisations are considering recordkeeping through a risk management prism.

Using a risk assessment to inform whether ‘heroic measures’ are warranted

One member talked about how their organisation is planning to migrate records from existing business and recordkeeping systems to its soon-to-be-rolled-out recordkeeping system. As part of this work, they have identified types of records which, for various reasons, are very difficult to extract successfully.

Their IT experts have advised that they can continue developing and refining solutions for extracting these types of records, and are confident of eventual success. However this will inevitably divert resources from other aspects of the project. The organisation has decided to base its decisions about which records warrant such heroic measures on an assessment of risk and value.

For some records, the organisation has determined that it is not worth taking such heroic measures. Instead, it has committed to maintaining the records in the legacy system until their retention periods expire.

Identifying high risk areas of business to target for recordkeeping interventions

Another member talked about the work their organisation has been doing to identify high risk business areas. The idea is to identify high risk areas of business across the organisation, and then to identify any information risks attached to these areas (e.g. records are unavailable, records are not fit for purpose, records are kept longer than required etc.)

This work can then inform the design of new systems and the remediation of existing systems. For example, they plan to identify SharePoint sites which are being used to conduct high risk business and link these sites to their recordkeeping system – everything created and managed in such sites will be captured as a record.

Taking a risk-based approach to managing legacy email

A number of members talked about their organisations using a risk-based approach to manage legacy email. Many organisations use email vaults, but may not have policies around how long the messages in the vault will be kept. Keeping messages indefinitely creates a number of risks for an organisation (e.g. in terms of meeting privacy requirements to retain information no longer than required, and in terms of being able to find relevant information in response to access to information requests such as GIPA).

One member described the risk-based approach their organisation has taken to manage the messages in its email vault. While the organisation has a policy that business-related messages must be captured in the recordkeeping system, all messages are saved in an email vault. After a certain period of time, the messages from operational staff inboxes are purged, while the messages from managers and certain other high level positions will be kept indefinitely. This decision involved a risk assessment which found that operational staff were better at capturing messages to the recordkeeping system and senior staff were likely to have important business records in their inboxes.

Risks come in different shapes and sizes

There was a lot of discussion about the importance of considering reputational risk. This is not always appreciated, but for certain types of organisations with a high public profile and lots of interaction with the public, it is critical.

Information risk assessment is hard!

The members talked about how it is difficult for recordkeeping professionals to assess the risks associated with a particular business activity when they are not directly involved in undertaking that business. Without practical, hands on knowledge of what a particular business activity involves, it is hard to accurately assess the associated risks.

Some members have found that many workers in their organisations regard every activity as being of high risk. One member commented that their organisation’s risk manager is very adept at refining such claims by challenging assumptions.

What’s next?

State Archives is currently developing a workshop on information risk assessment for NSW public offices. If this is something that would be of use to you and your team, keep an eye out for an announcement of when this workshop will be run in Future Proof and our For the Record newsletter.

The Digital Implementers Group meets several times throughout the year. If this discussion about information risk has piqued your interest and you are interested in joining this group, please contact us at govrec@recordkeeping.nsw.gov.au.

photo by: katerha
Leave a Reply

You must be logged in to post a comment.