Why your audit budget actually needs to go up when you automate compliance processes.

Automation provides two possibilities – 

  1. Get things right at scale.
  2. Get things wrong at scale.

When things go wrong, they’re going to go wrong at scale.

This means that audit needs to happen more often.

This is how an ATM software bug ended with the Commonwealth Bank being fined $784 Million by AUSTRAC.

Things went wrong at scale for CBA. 

The only organisation that noticed was the regulator.

The maintenance organisations forget

Is information architecture maintenance.

We do – 

Systems maintenance.

Software maintenance.

Hardware maintenance.

We do that all.

We budget for it.

Specifically.

Like it’s important.

When was the last time someone saw a budget for information architecture maintenance?

How long does it take to make change in records?

I have a client that I learn a lot from.

She runs successful project after successful project after successful project.

Not surprisingly, her organisation has an amazing records culture and she rarely struggles for budget.

One thing I’ve learnt from her is that every records change takes two to three years.

She’s never said this directly, but…

Every time we talk about a major project – two to three years.

Time it took to get everyone off paper – two to three years.

Her latest automation project, timeline – two to three years.

Two to three year intervals seem to work.

What’s your two to three year plan?

Will privacy law remove our ability to roll up retention periods and force classification and sentencing of every individual record?

In preparation for the introduction of the consumer data right in Australia, I’m reading a lot of overseas privacy news.

I’ve seen many fines associated with the failure to have a destruction plan in place.

I’m wondering if it might bring any of the practices that we have adopted for convenience and simplicity under scrutiny.

Specifically, the practice of sentencing records as a group to the longest period that applies to the grouping.

The practice has been a godsend for many organisations. 

It has made greatly simplified classification schemes achievable.

This has made accurate classification achievable for users with far less skill and training.

In general, this seems to have made records programs more likely to deliver good outcomes.

We’re more likely to get records in a records system, more likely to have them accurately classified, and then more likely to be able to destroy them with confidence.

One outcome of privacy law, though, is to essentially flip the requirement from mandatory retention to mandatory destruction.

Which makes me wonder if the practice will still be acceptable.

One way to avoid failing on records compliance enforcement.

Is to use the compliance system that already exists.

If records policy is defined and agreed to at the organisational level, all we are asking people to do is to perform to organisational policy.

There’s a process for ensuring they do it already in place.

It’s performance management.

Why try and invent our own?

Why not use what’s already there?

Do we really think that staff are more likely to listen to us than their own managers?

The missing link in most records programs that makes enforcement virtually impossible.

Is a timeframe.

“Records must be filed within x of creation. Violations of this policy will lead to x.”

Most records programs are unenforceable because records is always something that can be done later.

The structured data records blindspot is biting us all through privacy legislation.

One area that has been liberally ignored by most of the records profession is structured data.

Largely, that’s been OK. 

We’ve been exchanging data in static representations of what appeared in a structured data system – and keeping records of that.

It does mean that we’ve endlessly migrated structured data from system to system, without ever destroying it.

And that’s the problem now.

It’s left us all incredibly light on capability in structured data, and now privacy law is exposing it.

I think there are four basic capabilities for most privacy legislation:

  1. Comprehensive and searchable identification of all records associated with a client – structured and unstructured.
  2. The ability to package all client records for export.
  3. The ability to sentence data.
  4. The ability to defensibly destroy.

While the first and second capabilities can be taken care of with good enterprise search, the last two have been mostly ignored for many years outside the records profession, and ignored by the records profession itself in structured data systems.

And now we have to do them at scale, under time pressure.

How customer service portals fundamentally change the nature of record keeping.

When we engage with clients now, it’s easy to record the information we provide them.

Because we always exchange a document.

A significant trend, though, is the move to portal-based engagements.

In many cases, the portal content is static documents held elsewhere – so record keeping is relatively easy.

Dynamic content, though, is generally composed in real time from many sources.

With the state of APIs and integration services, these sources could be outside the control of the organisation.

So an accurate recording of the interaction requires one of two things:

  1. Keeping a point in time representation of the information provided every time a view of it is presented to a client.
  2. A way to re-compose the information as it was provided to the client at a point in time, in a verifiable, evidence grade manner.

One of which is easy, storage intensive and doesn’t scale.

And the other, which is amazingly difficult and the only way to scale effectively.
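A sketch of the second option, added here as an illustration and not taken from any system described in this post: each view stores only a small hash-chained manifest that points at content-addressed source fragments, so the page can be re-composed and checked later. All names (`FragmentStore`, `record_view`, `recompose`, `render`) are hypothetical, and it assumes the sources arrive as text fragments and that composition is deterministic.

```python
import hashlib, json

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class FragmentStore:
    """Content-addressed store: each distinct fragment version is kept once."""
    def __init__(self):
        self.blobs = {}
    def put(self, content: str) -> str:
        key = digest(content.encode())
        self.blobs[key] = content
        return key

def render(fragments):
    # Hypothetical deterministic composition standing in for the portal template.
    return "\n".join(f"{name}: {text}" for name, text in fragments)

def record_view(store, log, client_id, shown_at, fragments):
    """Append a small manifest for one presentation instead of storing the page."""
    entry = {
        "client": client_id, "shown_at": shown_at,
        "parts": [[name, store.put(text)] for name, text in fragments],
        "page_hash": digest(render(fragments).encode()),
        "prev": log[-1]["entry_hash"] if log else "",  # chain to previous entry
    }
    entry["entry_hash"] = digest(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry

def recompose(store, log, index):
    """Rebuild the page as shown; raise ValueError if the evidence is broken."""
    prev = ""
    for e in log[: index + 1]:  # verify the hash chain up to the requested view
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        sealed = digest(json.dumps(body, sort_keys=True).encode())
        if e["prev"] != prev or sealed != e["entry_hash"]:
            raise ValueError("manifest log altered")
        prev = e["entry_hash"]
    fragments = []
    for name, key in log[index]["parts"]:
        content = store.blobs.get(key)
        if content is None or digest(content.encode()) != key:
            raise ValueError(f"source fragment {name!r} missing or altered")
        fragments.append((name, content))
    page = render(fragments)
    if digest(page.encode()) != log[index]["page_hash"]:
        raise ValueError("recomposed page differs from what was shown")
    return page
```

Storage grows with the number of distinct fragment versions rather than the number of views, which is where this approach scales and the snapshot-per-view approach does not.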

Why we fail at information management when we don’t get policy enforcement right.

Organisational policy is about making clear what the organisation expects.

It’s about giving ordinary workers clear rules about the value of information.

We do this, because information that people will handle often has “no value to me”.

It does have value to the organisation though.

It has value to the officer who spends six months looking for it after a subpoena.

It has value to the big data project that will rely on its quality.

It has value to the compliance officer who will need to show it to an auditor.

But in the moment, the value to the user might be nil. And they won’t care, unless we help them care like the organisation does – with policy.

Which is why we fail if we don’t get policy enforcement right.

How to design a classification scheme that doesn’t fail.

Classification schemes that work present information organised the way people organise their work.

And they get used.

Because they help.

The hardest part is reminding ourselves that we are as likely to deeply understand how people organise their work, as they are to deeply understand records.

And asking them for help.