- What are high value / high risk records and information?
- Identifying high value and high risk records and information
- Principles for successfully managing high value and high risk records and information
- Further guidance
The Standard on Records Management contains two minimum requirements concerning high risk and high value records and information:
- High risk and high value areas of business and the systems, records and information needed to support these business areas are identified (minimum compliance requirement 2.2)
- Records and information management is a designed component of all systems and service environments where high risk and/or high value business is undertaken (minimum compliance requirement 2.3).
The standard purposely focuses on high risk and high value areas of business. Creating and managing information requires an investment of time, money and people to create appropriate policies and processes and implement suitable systems, security and storage. The business value of information must be commensurate with the cost of maintaining it, and prioritising high value and risk business areas and the records they create provides the clearest opportunity to demonstrate the value of information and records management to the organisation. It also ensures that the most valuable and critical records and information of the organisation are managed appropriately and safeguarded. Successful approaches to managing high value and high risk records and information, once demonstrated, can be implemented more widely across the organisation’s information assets.
The standard requires that high value and high risk records and information should be identified and captured, then managed and made accessible for as long as they are required. As high value and high risk records and information are often required for a considerable time, organisations will usually need to safeguard them for longer than the life of the system in which they are maintained. This means sustaining records and information through system and service transitions with robust migration and export strategies that identify both the critical information and the metadata which makes that information understandable and authoritative.
This guidance discusses high value and high risk records and information together and does not usually draw fine distinctions between the two. However, it is worth noting that while certain high risk records and information must typically be managed with the same care as high value records for the period of time they are required, high risk records and information may not necessarily need to be retained for long periods of time.
This guidance does not cover information risks, that is, records and information which, due to technical or organisational factors, may be considered to be at a high level of risk. Identifying and managing information risk is discussed in the guidance page Identifying information risks that might be impacting on high risk business.
High value and high risk records and information are determined by the business context. Each organisation has areas of business which are high risk and high value, or which are critical because they are the core business of the organisation. Identifying high risk and high value business processes will depend on the nature of your organisation’s business. For example, there may be business areas in your organisation which undertake:
- significant investment by Government or major contributions to the NSW economy
- direct contact with individuals (for example, a regulatory, enforcement, health or welfare activity where there may be dispute)
- development of policy which will impact on individuals and communities or rights and entitlements
- management of natural resources, the protection and security of the state or infrastructure in NSW
- processes that are open to corruption or the potential of corrupt behaviour
- a major program of international/national/state significance.
Useful sources for determining high risk and high value business will include: the organisation’s risk register, internal and external audit reports, discussions with risk managers or governance managers, information asset registers etc. However, any records and information which demonstrate the performance of legislated functions, the interactions with and entitlements of your clients and employees, and the specification and documentation of core assets, are likely to be high value.
Identifying high risk and high value business areas will assist you to identify the systems which are used in these business areas and the high risk/high value records and information which support these business areas. In addition, there are a range of different types of records and information which should also be considered as part of your identification of high risk/high value records and information.
Core or ‘unique’ functions of the organisation
High risk and high value records and information will include the records and information which are required to carry out core functions, to make key decisions and to give evidence of those key decisions at a later date: they demonstrate the performance of legislated functions, the interactions with and entitlements of your clients and employees, and the specification and documentation of core assets.
The core functions of an organisation are likely to be identified in a functional retention and disposal authority (for NSW Government agencies) or a general retention and disposal authority (for councils, universities, health organisations, or where there are common functions or practices across government). Retention and disposal authorities are in place for most government functions. These authorities define the long term and archival value records and information of those functions. Using the retention and disposal authority, you will be able to identify the high value activities undertaken within those functions and determine the key records and information of those activities.
Identifying and managing high value records and information of these functions will involve determining the systems which manage those high value activities, assessing the information they contain, understanding how the system manages that information, and assessing the capabilities of the system to export data in an appropriate form to give evidence to those transactions and activities if it will be required beyond the life of the system.
In particular, systems which are optimised for the collection and processing of information for immediate business needs may have limited capability to manage information over time. It may be most appropriate for that information to be routinely exported to another system for long-term management. In this scenario, information and data recorded by the system needs to be not just sufficient to execute the transaction or business process, but also to retain a reliable record of the transaction or process for as long as it is required. It is also important that the methods of achieving this are as automated as possible and not onerous on end users if they are to be successful.
Common corporate functions
Many high value records are generated by common organisational functions. There is significant secondary value to the information created by some common processes and functions – value beyond the initial business need. Secondary value includes the accountability value of having accurate information about these functions, the significance of these functions for the organisation in the long term, as well as substantial volumes of information with permanent or archival value.
High value records and information of common corporate functions are located in a range of corporate systems common to many government organisations. A key issue will be whether the system capabilities established for managing the initial process will be sufficient for managing the information over a longer time period required by this secondary value. As there are now a number of common corporate systems across Government, there may be common approaches that can be defined for such systems which will cover a significant proportion of the government’s high value information.
Conversely, there are common business processes where records and information are only required for the short term. The value of this information may be adequately described by current business requirements. In those scenarios, business managers may be in the best position to make a risk-based decision as to whether the system has sufficient functionality for managing that information in a way which meets the organisation’s requirements and obligations. Appropriate functionality for management and retention of the information may be best achieved within common, generic business systems purposely designed for managing these lower value functions.
Organisations entering into as-a-service arrangements for many of these common corporate functions are getting the benefit of efficiencies and innovations, at a potential cost of less control over specifying system functionality which might be needed to manage records and information for the long term. It is necessary to identify what the high value information is in these systems, and what record of actions is required from these systems, and to include this specification in service agreements.
State Records has issued general retention and disposal authorities which apply to the corporate functions and services common to many public offices. Functions common across public offices which may generate high value records and information as identified in these retention and disposal authorities include:
Systems and processes for organisational governance are increasingly digital. Systems may be chosen to meet immediate management needs, but long-term requirements must also be considered. Executives will demand a system which efficiently produces accurate, timely information, but given the importance of that information, a long term view of information requirements is also required.
Many organisations are putting in place digital systems to manage the distribution and publication of meeting papers, and need to consider how the high value information of high level committees can be exported once the business needs of the committee have been met. Organisations managing this process through document/content/records management systems also face the challenge of managing a fully digital process for these functions (including digital authorisation/approval processes).
Certain community relations functions and community relations activities produce high value records. For example, the digital systems used to produce and deliver significant or key policy communications need to be able to capture and export finalised, as-published versions.
Financial and human resource management
Financial and human resource information supporting the strategic management of the organisation may be based on structured data assembled and provided directly through a system “dashboard” rather than generated as a fixed report. Executives need to have confidence in the robustness of the systems supporting strategic decisions, and accountability requirements dictate that certain financial information be available long term. Government is continuing to consolidate its investment in these systems and increase the level of automation and digital processing performed by these systems, which presents an opportunity to adopt common approaches but also concentrates the risk into fewer systems.
Significant records which relate to the establishment of new organisational structures, or to the review of existing structures and programs which result in significant changes to core functional areas or the organisation as a whole, are required as State archives. Any systems which contain significant records of this process must export that information before they are decommissioned, or be able to export that information if they continue in business-as-usual use.
Records of authorisations from, agreements with and advice to government have traditionally been paper document-centric, but this is shifting. New processes and systems which are replacing these processes need to meet the requirements for appropriate long-term evidence of what was authorised, agreed and advised.
Corporate services automation and outsourcing
The automation and outsourcing of a wide range of corporate services and business processes means that traditional understanding of what is an authoritative and comprehensive record of these functions is changing rapidly. This change encompasses a very broad range of functions, including Asset Management, Property Management, Personnel Management, Legal Services, and Information and Records Management.
Changing digital operating environments
In defining high value information and records, consideration also needs to be given to the changes in the nature of the information received and created by your organisation through the transition to fully digital business processes and services. While some processes remain document-based and may continue to be managed through EDRMS/ECM systems, many of these functions are moving to fully digital processes managed by specialised applications. High-value records in these contexts are not only digital documents which exist in a fixed representation, but are also the data and information required to represent important transactions, processes and decisions, and the metadata and audit logs to assure that these are unaltered and are what they purport to be.
The relationship between high risk and high value can be clearly understood for many records or information assets. The value delivered by managing those risks is obvious, because poorly managing them may expose the organisation to major loss of reputation, financial or material loss, and breach of statutory obligations. However, there are some high risk records which could be overlooked when identifying your organisation’s highest value records and information. This may be because:
- the organisation assumes that the records and information exist when they may not
- the organisation assumes that the records and information sufficiently document the activity when they may not
- the organisation assumes that the records and information are sufficiently well managed when they may not be.
One example of this is process documentation for important matters, where it is incorrectly presumed that documentation of the outcome is sufficient. This may include information documenting processes such as the assessment of a procurement process, the management of a complaint, the management of a major asset project, or the implementation of a digital system. Improving the management of high risk records in these contexts requires identification of gaps and deficiencies in processes as well as identifying the required records and information. The analysis performed by records and information managers should contribute to the organisation’s overall risk management frameworks such as those based on ISO 31000 Risk Management.
This is a category of high value records and information which should be considered in the analysis and identification of high risk/high value records and information. The release of Government data has increased wider public understanding of high value information held by Government. The quality of data made publicly available also reflects the maturity of the organisation’s internal information management processes.
Aligning with open data initiatives can be useful in identifying records and information that should be included in the high risk/high value category and also help to explain to senior management the importance of managing high value records and information. An important feature of open data initiatives is the register of information assets which is likely to include the identification of critical information assets.
The NSW Data & Information Custodianship Policy “defines a set of principles for the management and maintenance of the State’s core data and information assets” and complements this guidance on high risk/high value. The NSW Government Open Data Policy discusses high value datasets and notes that:
It is likely that personal information collected, stored and used by government organisations will be included in the organisation’s high risk/high value records and information.
Particular attention should be given to the capabilities of systems which manage personal information. Personal information which is unable to be managed appropriately exposes the organisation to significant risk. Organisations should be aware that there are strict rules governing how long an organisation may retain this data, how they may use this data, and to be able to report on this both to the individual concerned and to oversight bodies. It is important to consider that while customer insights may be gained from the aggregation of this information, there can be statutory or policy limitations on how this can be done. See the Information and Privacy Commission’s website for more information.
Organisations face the prospect of managing vast quantities of information, and there is an ongoing proliferation of tools and approaches offered by vendors. Taking a strategic and planned approach to records and information management is essential to the successful management of these assets over time. Minimum compliance requirement 2.3: Records and information management is a designed component of all systems and service environments where high risk and/or high value business is undertaken.
The following principles, adapted from the National Archives of the United Kingdom, are useful to consider when developing or implementing records and information management policies, procedures and tools:
- Policies, processes and supporting technology must be user focused to eliminate barriers to use.
- Records and information assets, the technology that supports them, and the business requirements, policies, and processes that govern them, must have defined and accountable owners.
- The time, resource and effort expended on managing records and information must be proportionate to its value.
- Applications used to store and manage high value and high risk records and information assets should operate in a predictable and consistent way.
- The value of information can only be fully realised if each asset has the attributes of availability, completeness and usability (collectively, digital continuity).
- Applications used to store and manage high value records and information assets must enable the transfer of the content, context and value of the information.
- Records and information assets are evidence of actions, decisions and processes and may be subject to requests for access or to official scrutiny.
High value and high risk digital records and information will be managed in a variety of digital systems. This will include centralised recordkeeping systems, as well as systems which are specifically designed for the business process they support and their specific information characteristics.
Organisations must have a strategy for identifying and managing records and information which are essential to high risk, high value business processes. This strategy needs to be developed in accordance with the organisation’s size and complexity, and designed to assist an agency in making arrangements which support its core business outcomes.
Part of this strategy needs to be appropriate documentation of the specific records and information assets which are identified as high risk and high value. These should be identified with a level of detail appropriate for the business context; however, documentation of the organisation’s high value and high risk information assets might include:
- defining the extent of the record/information asset – information can exist as multiple interconnecting data sources, so what is in and out of scope of this asset
- identifying the business unit responsible for the record/information asset and any specific management accountabilities necessary to support those
- identifying its key content attributes – what is the business function documented by this record/information asset
- identifying the software and hardware critical for the maintenance of this asset – what are the unique technologies this asset depends on (not including easily-sourced commodity ICT technologies)
- identifying its dependency on other records/information assets – what separate internal or external information sources are necessary to understand and contextualise this information asset for its core high value / high risk uses.
High value and high risk records need to be at the centre of public offices' records and information management programmes. Further advice on managing digital records and information is contained in State Records' guidance on Designing, implementing and managing systems. In particular, public offices should refer to the following pages:
These pieces of guidance provide more detail on the framework and methodologies required for managing the records and information of your organisation, and are especially relevant to the management of high value and high risk information.
The National Archives (UK), Business requirements for managing digital information and records, 2013, available at http://nationalarchives.gov.uk/documents/information-management/business-requirements-for-managing-digital-information-and-records.pdf (viewed 29 March 2016)
Published February 2015