Information Governance, Records Principles and Risk Management
I presented yesterday at an information governance/records management event and took the opportunity to raise my view that records management/content governance/information governance needs to include risk concepts (or at least an understanding of business risk) as part of its practitioners’ skill set. What surprised me was that very few (less than 20% by my reckoning) of the audience seemed to have any idea that such thinking would/could or should play a part in what they do. Perhaps I’m showing a little naivety with that statement and maybe I’m not giving the audience enough credit because when one talks about risk and risk management it tends to invoke images of corporate registers and assessments that seem far from records management.
I think, however, that a big contributor to the response I got was actually called out in an earlier presentation slot. That slot involved a case study given by another attendee that I would describe as an Information Professional. Her view from the inside was that ‘records managers expect perfection’ and that a big part of her work involved helping her colleagues lower their expectations in exchange for meaningful progress. That really is, or was, my point.
Setting aside any specific views one might hold on how things like Generally Accepted Records Principles or model records plans might apply in information governance, the point I was making was that such approaches are all too often presented or applied far too rigidly and can become a straitjacket unless balanced with risk management concepts. I have worked with skilled and experienced information professionals who feel unable to act because their retention schedule provides them with too many things to comply with whilst they entirely miss the fact that doing nothing actually makes them less compliant as time passes. In other words, they are missing the balance that an appreciation of risk concepts provides – they are looking only at one side of the equation whilst, on the other side, their existing approach to electronic content is simply leaving their records to decay.
In the resulting discussions with the event attendees I concluded that, crudely, such risk-based thinking has two important levels of application, especially when it comes to compliance with legislation like the UK’s Public Records Act and updates from Freedom of Information Act 2000.
From the top down, those responsible for directing and leading information governance in the organization need to make an assessment of the risk of doing nothing, informed by the state of their existing practices and – importantly – the volatility of their information environment (think file shares, e-mail and SharePoint!). They need to recognize that in many cases their digital records are being held in fundamentally unstable environments and, as a result, are in a state of decay. This means that concerns about the challenges of getting their electronic content in order are usually far outweighed by the fact that the content – from a records point of view – is already broken.
At a practitioner level, the challenge is exactly one of understanding that – at digital scale – perfection is actually the enemy. Practitioners, empowered by a suitable top-down conclusion that the risk of doing nothing is unacceptable, need to take responsible decisions about how best to protect what quality is left in their content. They need to develop repeatable practices that reasonably fix or replace the broken bits of content – for example, where thousands (nay millions) of potential records have no reliable metadata, some ‘best judgement’ replacement is all that can be reasonably expected.
Too often it seems that information governance implementations are stymied by what should be reasonable management-backed judgement calls. For me this ability to manage risk plays a big part in the challenge faced by many information professionals as they transition from the way things were to the practicalities of the scale. Those that can adapt stand to be valuable players in their organization’s information future.