- RMAT FAQ
- What is the RMAT?
- Who should use the RMAT?
- Does the RMAT cover all obligations from the State Records Act 1998?
- How frequently should I use the RMAT?
- What are the maturity levels in the RMAT?
- Why does the RMAT focus on high risk/high value records and information?
- How long does the assessment take?
- How should I use the assessment results?
- Do I send the results of the assessment to NSW State Archives and Records?
This is a list of Frequently Asked Questions about the Records Management Assessment Tool. We will be adding to this page as questions arise.
The Records Management Assessment Tool (RMAT) is a new self-assessment tool. The RMAT will enable public offices covered by the State Records Act 1998 to assess the maturity of records and information management in their organisation, or a part of the organisation (e.g. business unit or information system), or a group of public offices.
The questions in the self-assessment tool are focused on the management of records, information and data in NSW public offices, and how these practices align with requirements in the State Records Act 1998. They highlight the links between records management and regulations for cyber security, privacy, data sharing, open data and information access (GIPAA).
The results of the assessment can be used for reporting on current status; planning for improvement; justifying investment; and measuring progress.
We recommend the person or team responsible for records and information management should answer the RMAT questions – or complete the questions collaboratively with key staff, such as a system owner, data custodian or business manager.
This is important because:
- The assessment includes some technical terms that may require explanation from a records and information professional. Perhaps you use different or specific terms in your organisation. You can also refer to the SARA Glossary for definitions. [https://www.records.nsw.gov.au/recordkeeping/resources/glossary]
- Some questions may be more applicable at the organisation-level (e.g. if there is a central policy or executive leadership). You could consider pre-filling the answers to these questions before asking a system owner, data custodian or business manager to complete other questions.
- It builds awareness and communication between the business and the person or team responsible for overseeing records and information management. For example: the SRO must have visibility of records and information management in all parts of the business, in order to fulfil their responsibilities; business managers should be aware of corporate-wide policies.
- It enables the person or team responsible for overseeing records and information management to better appreciate the ecosystem of records, information and data; and how well it is supporting business needs.
- It enables the person or team responsible for overseeing records and information management to fully understand the level of maturity in their public office, plan for improvements and justify requests for resourcing.
Yes, the RMAT is based on all obligations and requirements from the State Records Act 1998 and the standards issued under the Act.
When you are using the RMAT, look at the Requirements column in the spreadsheet or the Word document; this section of the RMAT will tell you which regulatory requirements are linked to a question.
When you are looking at the Results of your assessment, have a look at the Baseline Compliance Table. This table links regulatory requirements with the RMAT questions and indicates whether compliance is demonstrated for each requirement. This table has traffic light reporting; green indicates compliance and red indicates non-compliance.
Public offices can use the RMAT frequently throughout the year. The assessment shouldn’t just be a one-time or annual activity.
The RMAT uses a 5-level maturity scale to determine the level of compliance with a requirement. You will need to select the maturity level that reflects your organisation’s current situation.
|Level||Description||Practices and processes are ...|
|1. Ad hoc||The desirable processes are non-existent or ad hoc, with no organisational oversight. The organisation or senior responsible officer is unaware of whether a requirement is met.||ad hoc, unpredictable, poorly controlled, no processes, or unaware|
|2. Developing||Processes are becoming refined and repeatable, but only within the scope of individual teams or projects. There are no organisational standards.||aware, reactive, repeatable, documented processes|
|3.||Processes are standardised within the organisation based on best practices identified internally or from external sources. Knowledge and best practices start to be shared internally. Level 3 is considered Baseline Compliance for meeting SARA requirements for high risk / high value records and information.||controlled, established, standardised, followed processes|
|4. Managed||The organisation has widely adopted the standard processes and begins monitoring them using defined metrics.||capable, proactive, measured and reported|
|5. Optimising||The organisation is optimising, refining and using innovation to increase efficiency within the organisation and, more widely, within its business sector.||efficient, reviewed and audited, data-driven process improvement|
The RMAT seeks confirmation that an organisation has formally identified high risk/high value areas of the business and the records of these business operations. This area of recordkeeping should have the highest priority for investment and management. Identifying and managing records of high risk/high value areas of business means that it is likely that appropriate controls have been implemented for the organisation’s most critical information. This approach to prioritising records of high risk/high value also matches up with the approaches taken by cyber security to protect the most critical information assets of the organisation.
In undertaking the assessment, your organisation will need an agreed list of high risk / high value activities or systems for the organisation or business unit being assessed. For further information see Identifying and managing high value and high risk records and information.
If the records and information management team does not have relevant documentation, check with colleagues in ICT, Security, Governance, Corporate, Risk or Legal to find out if this analysis has been carried out for another purpose. High risk and high value areas of business and systems may be identified during:
- Cyber security attestation or information security planning
- Business continuity and disaster recovery planning
- Corporate risk management (risk registers and plans)
- Responses to audit, inquiries or litigation
- Systems audit or IT asset inventory
- Information lifecycle management planning
- Open data planning and reporting
- Development of a retention and disposal authority.
Once you have an agreed list, it will be possible to identify records and information relating to those activities – and plan to address them.
It will depend on the scope of the assessment (e.g. business unit, business system, whole of organisation) and the process you’ve decided to use (e.g. one person doing the assessment, a small team of information professionals from across the organisation, records and information management team with other key staff). It may take a couple of hours or a day to complete the assessment depending on the scope and process used.
TIP: Take some time before you start the assessment to read through the questions and responses and be familiar with the content.
TIP: Allow an hour to factor in the evidence and additional guidance to make preliminary responses.
TIP: If doing the assessment as a team or in collaboration with others, allocate time for everyone to complete their assessments and then have a workshop to discuss individual responses to each question and settle on an overall score.
The results of an assessment can be used for:
- reporting on the current status of the records and information governance programs
- planning for improvement in a particular business unit or information system
- justifying investment and measuring progress.
The assessment results can also support planning and reporting for cyber security, privacy, data sharing, open data and information access (GIPAA).
Public offices are also encouraged to use the RMAT assessment results for:
- Internal or external audit exercises
- Annual or quarterly management reporting
- Work planning and budgeting
- Workforce capability planning
- Training needs analysis
- Staff development plans
- Organisation restructure or machinery of government (MOG) changes
- Digital initiatives to procure, decommission, or upgrade systems
- Measuring and reporting the impact of an IT or information management project
- Formal request from SARA for information on the organisation’s records and information management practices and conformity with requirements.
During 2021 we encourage you to use the RMAT, get familiar with the assessment questions, and start using the results of your assessments in your organisation to identify the current status of your records and information governance program and to identify improvements.
There will be no formal requirement for public offices to submit their completed results during 2021.
In 2022 there will be a formal monitoring activity when we will request copies of your assessment results.
We will contact each public office with further information in early 2022 about the monitoring activity.
If you have queries about the assessment process or the results, please feel free to contact us on firstname.lastname@example.org
Published July 2021