A different perspective on the information challenge

Brian Bailey looks at Information and Records Management (IRM) challenges in terms of the fundamentals – people, process and technology – and how they serve to highlight the disproportionate effort organisations expend on IT over other risk factors.

This is not news of course, but it does raise some questions. Why the focus on IT risk? Will it always be so? Can organisations change and take on better practices? Or are organisations doomed to a high level of financial and reputational risk?

There is a cultural lacuna, or gap, in organisational activity that has, in many cases, seen information and records management limited to a series of fragmented ‘bottom up’ efforts, rather than an enterprise approach. The primary driver for this gap is ownership, or rather a lack of ownership: responsibility for IRM practices and outcomes most often dissipates into the cracks between management reporting lines and departmental responsibilities.

The idea of ‘the business’ and ‘IT’ as more or less separate entities even within the same organisation has been a feature of the past two decades. A Records Management department is often a third entity in the mix (perhaps with a paper focus and a reporting line to Facilities Management).

Other quasi-IT stakeholder groups have also emerged, such as Management Information Systems to manage reporting and an Information Management team to manage office-centric tools such as intranets. Even within this grossly simplified picture, it is clear that it is easier to focus on localised IT risks than to address the complexities of human behaviours at an enterprise level.

The risks are real. There are sufficient recent examples of records management gone wrong to give government officials, executives, and directors sleepless nights.

Take “Climategate” as a prime example. The findings of critical research into climate change were called into question after the University of East Anglia's Climatic Research Unit was unable to produce raw data for independent analysis. Amid accusations of fraud, or selective data use, it was claimed that models could not be reliably verified or reproduced. The failure to retain this data caused inestimable reputational damage to the whole climate change movement prior to the Copenhagen climate change conference of 2009.

There are many other instances. The failure by the Japanese Social Insurance Agency to manage electronic records for the full length of time that they were needed caused a government crisis in 2007. The introduction of a new pension scheme meant that multiple pension numbers from previous systems were integrated into a single pension number for each person. Records were not properly transferred, so 50 million pension records couldn’t be linked to the individuals who had made the payments.

Time to get real

Record-keeping strategies have to be applied in a real world amid competing, even conflicting pressures. In many cases, information and records management efforts have been restricted to office software and its outputs, paper and electronic documents.

The difficulty with proposing new approaches to ensure the authenticity, integrity, usability and availability of records in business transaction processing systems is that many regard those systems as ‘off limits’. While some governance progress has been made in the office documentation space, business systems have been comparatively neglected.

Recently there has been increased interest in Enterprise Content Management (ECM) and Enterprise Records Management (ERM), two overlapping approaches that have brought change and renewed opportunity for holistic enterprise information and records strategies. A key link between Recordkeeping, Data and Information Management is an understanding of business information risks and a willingness to address and mitigate those risks. ECM is powered by several important business drivers: improved compliance; reduced costs; enhanced internal and external collaboration; and greater levels of business sustainability. Importantly, ECM forces the focus on the content, not the container. Information workers don’t care if the content they need comes from a database or a document management system.

This brings an opportunity. Business systems – databases – have been largely in the domain of IT departments. While record-keeping hasn’t been a priority, much work has been done on technology-centric support initiatives such as Management Information Systems (MIS), Business Intelligence (BI), Data Warehousing (DW), and data integrity initiatives such as Master Data Management (MDM).

Strategically addressing data management and information management functions provides a foundation for Enterprise Information Management and an opportunity to insert smart recordkeeping approaches into all systems, databases or documents.

We are now seeing a widespread interest in organising data and information across business and technology silos, an activity that engages the business and IT. With the help of a risk-based focus, this can link business transformation to real business needs.

Steps to success

When developing a strong recordkeeping governance framework, there are many risk-based decisions to be taken, and these need to be assessed, documented, prioritised and framed as actions to address recordkeeping risks, based on international standards.

The aim should be to use a simple self-assessment checklist to assess your organisation’s preparedness, and to ensure that record-keeping governance can be monitored, reviewed and audited, empowering executives to act.

Assess the importance of the organisation’s record holdings;
Assess all the recordkeeping risks, sensitivity and points of vulnerability;
Develop a plan for managing risks, including proactive mitigation steps and what to do if things go wrong;
Inform staff of their roles and responsibilities to manage recordkeeping risks, and make it a performance measure;
Acquire the right skills and capability to manage records through a program of systematic control;
Ensure that recordkeeping standards are embedded in business processes, that there are sufficient points of review and that auditing standards are met;
Ensure processes are monitored, checked and reviewed. New risks can emerge from different sources and in countless ways. Risk management requires a continuous improvement approach;
Keep management informed of the record-keeping risks, in the same way they receive regular updates on personnel and finance; and
Take on an incident management approach and ensure a prompt response to mitigate the impacts of risks. Security breaches will occur. Organisations need to detect and respond promptly to minimise the harm.