Do you keep a near miss register for Records?
A near miss in records should be a time when policy wasn’t followed and the organisation was exposed to a specific risk – without that risk becoming an incident or a loss.
Near miss reporting is a common practice in safety management. It’s there to expose all of those times that the organisation avoids an incident because it is lucky rather than because it did things properly. I think it’s probably a useful tool that will help us deal with our creeping problems by identifying and giving us data on the leading indicators of major failure.
The idea is simple – every time we have a problem because policy wasn’t followed, we record it. This doesn’t mean that we record every file that’s on a file server somewhere – because no one cares about that until there’s an actual problem. It means that we record the times when that kind of practice exposed the organisation to a specific risk. It’s a way of starting to understand the magnitude of the creeping problem of records non-compliance.
I don’t think anyone would disagree that records compliance is a creeping problem for lots of organisations. Every corruption report and every royal commission lists records being falsified, accessed improperly, not kept or otherwise ignored as a part of the problem that led to the investigation.
I think a near miss register provides a tool that could turn these problems into hard data problems that executives can’t ignore (or have to specifically ignore).
I think that ultimately, we have two options – one is to report on the near misses, and hopefully find a solution. The other is to wait until there’s a catastrophic failure – as we’ve often seen. At that point, the records will be needed, and if they aren’t there, and we can’t show the data we provided over and over again to highlight the problem, we will have to accept a level of blame.
The idea of a near miss might be a bit nebulous, so here are a few examples of the kinds of things I mean –
- The time a record required for an FOI (or royal commission) was in a repository where users have uncontrolled delete privileges.
- That time we audited HR and found that they were keeping confidential information on a file server with no access control.
- That time IT had to restore a file share because records were deleted to make way for a new project repository.
In each case, the organisation was exposed to a specific risk by a violation of policy.
I don’t think this is a magic bullet, but I think it’s one more tool that we can use to start turning the tide.
If this is something that you do, or an idea that you like – please email me or leave a comment. I’d like to see how well it works for you.