- Defining information risks
- Identifying high risk areas of business
- Know what information is needed to support high risk business processes
- Know the technology used to support high risk business areas
- Determine whether necessary business information is being impacted by information risk
- Determine appropriate information risk mitigation strategies
- Case studies of mitigating information risk and supporting high risk business
High risk business areas in each organisation should be priorities for information management activity, in order to identify and mitigate any information-related risks these business areas might face.
This page defines common and specific information risks, articulates strategies for identifying areas of business which face information risk and provides mitigation strategies and case studies for dealing with information risk.
Information risks are related to but distinct from technology risks. Information risks are those risks which relate to the inherent characteristics and value of information. The threat and impact of information risks are significantly increasing and common information risks that could be occurring in high risk business areas include:
- information that cannot be generated in a useable form
- information that cannot be maintained in a useable form
- information that is incomplete
- information that is meaningless
- information that cannot be trusted
- information that cannot be authenticated
- information that is inaccessible
- information that does not survive for as long as it is needed by the business area
- information that is overwhelming and unmanaged and inhibits rather than enables business process.
Information risks can hamper government business and accountability, particularly when these risks occur within high risk areas of business operations.
Information risks are different to the risks that are assessed and mitigated in business continuity planning processes. Business continuity planning builds processes to ensure that organisations are able to re-establish themselves as quickly and comprehensively as possible after a disaster. Separate processes need to be established to identify and mitigate information risks in high risk areas of business.
Areas in your organisation that perform core, strategic, highly accountable or high value business operations are likely to be classed as high risk business. Because these areas are likely to be performing key aspects of government business, it is critical that good information exists to account for and support these operations, in both the short and long term.
Other areas of high risk business that need to be identified and assessed are areas undergoing significant transition. In these areas, it is possible that traditional processes are changing, new technologies and services are being adopted and information itself is changing or disappearing, possibly placing your business at risk. To identify high risk areas of business in your organisation you can:
- identify areas that perform core, strategic, highly accountable or high value business operations
- use your organisation’s corporate risk register to flag existing areas of identified corporate risk
- look at business areas that are adopting a lot of new technologies and services
- focus on business areas under transition
- focus on areas adopting BYOD (bring your own device) approaches
- talk to managers and staff about any information-related concerns they may have in their specific business areas.
After identifying areas of high business risk, you should then identify what information is required to support these business areas.
To know what information is needed to support your business, you can:
- talk to staff – what information do staff working in high risk business areas say that they need to support their business? Is this information readily available to them? Can they readily find, understand, access and use all the information they need to do their job in both the short and medium term?
- look at the authorised retention and disposal authorities that apply to this business area for an indication of the type of information required to support this business
- look at legislation and standards that apply to the high risk business area, as legislation and standards are often very specific in terms of the records you need to keep and the information that these records need to contain
- look at quality controls or procedure statements that say what records need to be created from specific processes. Are these records being created? For example, if the internal business procedures for case management say that ‘a record must be kept of each action in a case in the Case Management System, including the date of the action and who approved it’, does your case management system actually do this?
- understand corporate accountability controls and reporting requirements. Is the information required to support these available, meaningful and useable in these business areas?
- understand business needs for information dissemination and sharing. Are these possible in high risk business areas?
- identify the information needed to support clients, projects and cases in the short and medium term. Is this information accessible, useable and accountable for the periods of time needed to support these business needs?
- examine the data, metrics and analysis that is required to account for the performance and operation of certain business operations. Can this be gathered, sustained and shared by the business in the short to medium term?
These and other consultative mechanisms will help to identify what your business area’s specific information needs are.
Understanding business operating environments is critical to understanding and developing strategies to mitigate information risk. This involves understanding whether your high risk business areas are using:
- cloud-based service offerings
- social media
- collaborative environments such as SharePoint, wikis, Google Docs or Office 365
- complex datasets as the basis for decision making
- systems including legacy applications
- large uncontrolled network environments
- personal storage networks
- diverse applications to perform different aspects of their operations
- backup systems as information storage environments.
Knowing the environments where high risk business is performed will help you to plan and implement strategies to mitigate your specific information risks.
Once you have an understanding of the information that your high risk business areas need and the technological environments where the business is performed, you can then determine whether the information required to support business is:
- still being generated in a useable form
- still being maintained in a useable form
- now incomplete and therefore not meeting business needs
- losing its meaning and can no longer be used to meet business needs
- being impaired and now cannot be trusted
- unable to be authenticated and is therefore unreliable for business or client needs
- inaccessible and cannot be found and used
- not surviving for as long as it is needed by the business area
- lost within overwhelming and unmanaged data volumes and cannot be easily accessed and used in necessary business processes.
There are many potential strategies you can adopt to mitigate information risk. Key points at which you can mitigate information risk are:
- in the implementation of strong information governance frameworks
- at system specification, design and configuration
- at system transition.
If it is not possible to address information risks at these points, you may be able to undertake remedial actions to mitigate information risk.
Examples of risk mitigation through strong information governance frameworks
- Promote a broad corporate understanding of the high risk/high value information generated and needed by your organisation.
- Communicate specific information management requirements applying to high risk areas of business to staff, management, ICT, contractors.
- Deploy change management strategies and training to develop an organisational culture which values information management.
Examples of possible risk mitigation strategies at system specification, design and configuration
- Promote information governance by design as a strategy to ensure your information management requirements for high risk business areas are supported in all system specification, procurement, design and configuration.
- Build awareness of information retention requirements into any new system design or development processes.
- When cloud offerings are being investigated, ensure corporate information needs are included in all appropriate service assessments and decision making processes.
Examples of possible risk mitigation strategies at system transition
- Facilitate effective cloud transitions by ensuring services are selected for high risk areas of business that enable data portability and the application of desired information management processes.
- Identify where high risk business processes and service delivery are moving to social media environments and develop information management strategies to help manage, improve and account for these services.
- When systems supporting high risk business are migrated, ensure all information that is required to support long term business needs is carried successfully through system transitions.
- When systems supporting high risk business are migrated, determine whether any information has been orphaned or made legacy because it was not able to be transitioned to new business environments. If so, determine whether any strategies need to be put in place to ensure the ongoing monitoring and management of this legacy information to ensure its continuing accessibility for as long as business needs to access it.
- When systems supporting high risk business are migrated, ensure all metadata that brings meaning and accountability to business information is migrated and maintained alongside the information it relates to.
- If new systems have completely transformed the nature of the information generated to support business, determine whether these new information formats or structures are continuing to meet business needs and whether they can be maintained for as long as the organisation needs to keep and access the information.
Examples of possible remedial actions to mitigate information risk
- If new systems keep only dynamic data and have no capacity for maintaining information in the medium to longer term but a business need exists for this information, develop alternate mechanisms for making and keeping required business information.
- If information that is required to support long term business needs has been moved to cloud environments, ensure planning processes are initiated so that this information is supported and maintained, and re-transitioned if required, so that it continues to be available for business use.
- Where local or cloud-based collaborative tools have been deployed, investigate where high risk/high value information may be being created in these environments and determine whether strategies are necessary to ensure this information can be securely managed and maintained in these environments for as long as it is required.
- Implement effective record disposal programs to appropriately destroy time-expired business information and to focus corporate attention on the management of high risk/high value business information.
Please note, the following scenarios are fictional and illustrative and should not be relied on as providing comprehensive advice.
Example: Assessing the information management needs of a high risk business area
Some councils have traditionally provided child care services. To assess information requirements for a high risk area like child care you could start by:
- looking at relevant legislation like Childcare Regulations 2018 which contains significant recordkeeping requirements, identifying a wide range of records that must be kept about childcare services and specifying how long many of these need to be kept for
- looking at General Retention and Disposal Authority GA39, Local Government, which in section 3.0.0 identifies a range of records that should be kept about childcare services
- talking to childcare staff and those who manage the administrative areas of childcare – what information do they want and need in order to do their work effectively and accountably?
Using these and any other sources you think appropriate, a list of necessary records will start to emerge:
- childcare licenses
- certificates of registration
- emergency plans
- public liability insurance
- records of all registered children including medical records
- records of child attendance and excursions
- records of complaints
- responses to complaints
- reports of complaints to relevant authorities
- probity checks of staff
- records of staff qualifications
- records of staff first aid training
- records of staff attendance
- signed visitor registers
- records of all programs offered by the service
- records of daily timetables
- a developmental record for each child
- a weekly record of the service etc.
To assess whether your processes and systems are supporting these identified information requirements, you should assess whether all the information you have identified is actually being made and kept, and also kept in accordance with business, legal and any appropriate security requirements you have identified.
This means you need to look at business areas and systems and assess whether all the information you need is there and kept in a way that enables it to be used and maintained. It is important to remember that high risk business operations often have long retention requirements, meaning that the records produced in these areas legally often have to be kept for very long periods of time. For example, the Childcare Regulations 2010 say that some records about children at a childcare service have to be kept until the children reach the age of 25. Part of your assessment would ensure processes, strategies and supports are in place so that your organisation will actually be able to achieve this.
Example: Develop an information risk register
To help ensure information continuity and risk mitigation, you could use a register to identify information risks that need ongoing monitoring or management in specific business environments. For example, you could develop a register to flag:
- certain key information and metadata fields in System X are required to support business process and therefore must be maintained through the system’s migration
- if, because of the way user permissions are defined, sections of a wiki or SharePoint environment used to manage high risk/high value project information are able to be deleted by project staff, flag that ongoing staff education and user support are necessary to ensure this high value information is not inappropriately deleted from these workspaces
- if certain business information needs to be kept for 10+ years, ensure that this is proactively identified and flagged for any system or service offering or process review associated with this information
- if certain long term value business information has not been migrated to new system environments and is being maintained in a legacy environment, flag that this information needs independent ongoing management and monitoring to ensure its ongoing accessibility
- if a core business system is unable to export data on its transactions, identify that manual workarounds are necessary to provide reporting and other information needed for service delivery and continuity
- if information requirements were not built into contracts with service providers or service offerings and data portability is not guaranteed under the contractual arrangements, identify that alternate strategies for maintaining access to information of long term business value need to be investigated.
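As an added illustration of such a register (a constructed example, not from the original page or any authority; the system names, dates and fixed retention periods are hypothetical), the following Python takes the record requirements identified in the child care assessment above, compares them with what the holding systems can actually do, and emits register entries in the page's own risk terms: not generated, not surviving long enough, cannot be authenticated, no data portability.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class Requirement:
    record: str  # record the business area must keep (from the assessment)
    basis: str   # "child_dob": keep until the child reaches an age; "created": keep N years
    years: int

@dataclass
class Holding:
    record: str
    system: str
    created: date
    child_dob: date | None
    has_metadata: bool          # date of action and approver captured?
    retention_limit_years: int  # longest the holding system can retain the record
    exportable: bool            # data portability available from the system?

def retention_end(req: Requirement, h: Holding) -> date:
    # Date until which the record must survive under its retention rule.
    anchor = h.child_dob if req.basis == "child_dob" else h.created
    return anchor.replace(year=anchor.year + req.years)  # Feb 29 anchors would need handling

def build_register(reqs: list[Requirement], holdings: list[Holding]) -> list[tuple[str, str]]:
    # Return (record, risk) entries mirroring the page's list of information risks.
    held = {h.record: h for h in holdings}
    register = []
    for req in reqs:
        h = held.get(req.record)
        if h is None:
            register.append((req.record, "not being generated or kept"))
            continue
        end = retention_end(req, h)
        years_needed = (end - h.created).days / 365.25
        if h.retention_limit_years < years_needed:
            register.append((req.record, f"will not survive until {end} in {h.system}"))
        if not h.has_metadata:
            register.append((req.record, "cannot be authenticated: action date/approver metadata missing"))
        if not h.exportable:
            register.append((req.record, f"no data portability from {h.system}; flag for migration"))
    return register

SAMPLE_REQUIREMENTS = [  # constructed sample data; hypothetical retention periods
    Requirement("developmental record for each child", "child_dob", 25),
    Requirement("records of complaints", "created", 7),
    Requirement("signed visitor registers", "created", 2),
]
SAMPLE_HOLDINGS = [  # constructed sample systems; visitor registers are not held anywhere
    Holding("developmental record for each child", "Childcare System", date(2014, 3, 1), date(2012, 6, 15), True, 7, False),
    Holding("records of complaints", "Complaints Database", date(2013, 1, 10), None, False, 10, True),
]

def sample_register() -> list[tuple[str, str]]:
    return build_register(SAMPLE_REQUIREMENTS, SAMPLE_HOLDINGS)
```

Running `sample_register()` on the constructed data flags the developmental record twice (the holding system keeps data for 7 years but the record must survive until 2037, and it cannot be exported), the complaints record once for missing metadata, and the visitor registers as not being kept at all.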
Example: Information management impacts of BYOD
Organisations are increasingly embracing BYOD (bring your own device) to allow staff flexibility and productivity on their own digital devices. This can present information management challenges if incorrectly implemented: important organisational information may be lost or released with multiple and potentially severe impacts and staff may also be exposed to inconvenience and risk through inadvertent possession of official information on their personal devices.
The following considerations may assist with a well-managed implementation of BYOD:
- examine in BYOD environments what staff and business processes are being transitioned to BYOD and what corporate business information needs will need to be managed through these new distributed environments
- assess third party apps that are used in BYOD or for service provision and determine whether all necessary information export, security and management requirements can be enabled in these environments
- if BYOD policies are deployed without supporting information governance frameworks, staff education, strategic planning and risk mitigation strategies are required to ensure high value business information is maintained within corporate environments for as long as needed to support business operations.
Published April 2014