The two ways to fail an audit, and how to avoid one of them.

There are really only two reasons to fail an audit:

  1. You’re not doing the right things.
  2. You can’t prove you did the right things.

Doing the right things is obvious.

What is less obvious is proving that the right things were done.

If you work in a regulated organisation, at some point the auditors are going to show up. When they do, they’re going to ask you for your records. Records are your evidence that you did the right things.

If you don’t have a records management program, chances are, you’re failing at capturing the right evidence, or you’re handling the audit process with a massive overcommitment of resources.

A records management program starts with a great records manager. A great records manager will review your regulations, work out what needs to be captured to provide evidence, and then execute a program to ensure that it is.

Then all you need to do is make sure your organisation does the right things.

New research paper examining some considerations for switching official communication from paper to digital.

A new paper has been published in the Government Information Quarterly titled “Paper beats ping: On the effect of an increasing separation of notification and content due to digitization of government communication”.

The paper examines a number of factors that influence how likely a recipient is to immediately access a message on receipt of a notification. This is important for anyone considering taking a process digital, because there are assumptions about how people consume paper messages that we don’t notice until we change them.

Simply, when we get a letter, we generally open it, and read it.

This behavioural assumption is built into every piece of legislative communication that goes in the mail.

Email also fulfils the same basic function.

When government agencies digitise, however, the need to ensure secure and confidential communications makes email unusable as a messaging method. The general trend in government agencies has been to notify using an unsecured channel, and then direct the user to an official portal to collect their message.

Under this architecture, the act of consuming the notification and the act of consuming the message are separate. There’s also friction in the form of the need to switch applications and remember logins and passwords. So we can’t assume that the notification and the consumption of the message will happen simultaneously as they do with mail.

This becomes a problem when official communication requires time-based actions that are built on paper-world assumptions.

This paper examines a number of factors to understand what happens when we make this shift, and how message delivery method impacts the likelihood that a recipient will consume a message quickly on receipt of notification.

The paper considers:

  • Message delivery channel
  • Operational skill level – skills to operate technology.
  • Informational skill level – skills used to search and find with accuracy.
  • Expectation that the message content is negative or positive.

The paper reaches a number of findings:

  • Paper messages have the shortest gap between notification and consumption, and people receiving digital notifications consume messages significantly more slowly.
  • People with poorer operational skills are more likely to access a message immediately.
  • People with better informational skills are more likely to access a message quickly.
  • Expectation has no impact on the speed with which messages were accessed.

It is important to note that this research used a vignette survey methodology, which is to say that it asked people what they WOULD do in certain scenarios; it didn’t measure what they actually did. That said, the Dutch government did provide that more than 1/3 of messages on their myGovernment service remain unread three weeks after notification. While this is anecdotally satisfying, it is not possible to say whether the same is true for paper.

The general conclusion that we need to think differently about communication that happens digitally vs on paper is well made.

My takeaway from the paper is that agencies that are considering moving to digital should consider that the economics of attention, and of notification and delivery change substantially. A letter costs $1 or more to send, and the best we can do is assume consumption of the message. This means that a certain percentage of enforcement actions will always fail because of routine administrative errors, or missed communications that are unknown until enforcement actions have escalated.

With digital channels, we can notify many times, and gain certainty that consumption of the message has occurred for a fraction of the direct cost. When messages have not been consumed, agencies could put escalation paths in place to higher cost methods of communication that provide similar levels of certainty. Ultimately, this could lead to faster and more certain outcomes.

You can find the paper at the link below:

Paper beats ping: On the effect of an increasing separation of notification and content due to digitization of government communication

https://doi.org/10.1016/j.giq.2019.101396

The relationship between records and compliance, and the risks of doing records badly.

Records are evidence of compliance.

To destroy information which is evidence of compliance is to destroy a record.

The risks of doing Records Management poorly are that information proving compliance – 

  • Won’t be available when you need it because it has been deleted or lost.
  • Will be difficult (i.e. expensive and time consuming) to find.
  • Will be incomplete, and will require significant time and effort to assemble into a comprehensive record.

The consequences of failing at Records start with failing audit. Depending on your industry, there can also be other consequences that range from inconvenience and fines, to quite literally killing people.

I’ve simplified greatly here because I’ve discovered that Records have different meanings in different contexts. I think that’s part of the reason why record keeping isn’t held in much higher regard as a discipline, and why certain industries are doing it so badly (and failing audits left, right and centre).

What I’ve found by industry – 

  • Government agencies know what records are, but generally under-fund it.
  • Health organisations think that they’re about patients (all patients have records, but not all records are about patients).
  • The greater private sector thinks they’re in accounting, but have people in risk actually performing records management duties.

Records are evidence of compliance. If you have legislation, regulation or standards to comply with, records are the evidence that you can give an auditor that’s going to get them out of the building quickly. The longer the auditors are with you, the higher your risk is.

If you’ve got an audit problem, you’ve got a records problem

“Regulatory audits are enjoyable experiences.”

That’s what organisations say when they have good records. 

The audit process is smooth, efficient, and low stress, because they’re permanently ready.

Mostly though, regulatory audits aren’t enjoyable experiences. They are high stress, and there’s a huge rush of last minute work to try and be ready.

The last minute rush is record assembly.

It’s trying to create complete records out of all the pieces of information collected and created by your process. 

When you have a complete record, you can hand it to the auditor knowing that it’s everything you have.

And the audit is, for lack of a better word – enjoyable.