The broken promises of records management

The promised benefits of doing digital records management are well known – make gains (via better access to better quality information), and prevent losses (manage the risk of non-compliance or unauthorised deletion). But overall, government departments in Australia have not been able to realise these benefits for the past decade. Instead, organisations incur all of the (significant) cost, impact and risk inherent with use of traditional records management systems, without any return on investment.

Castlepoint CIO Rachael Greaves has written this article for IDM magazine about the issue – and about what we can do about it, by taking a new and better approach to information and records management. Does this resonate with you? Have you had a similar experience to the Department of Home Affairs, or the Department of Health? I’d love to hear about it!

Why are organisations still struggling to get the promised benefits from records management?

The International Standard for Information and Documentation – Records Management (also known as ISO 15489) includes a list of the benefits that come from doing records management well. The list is broken up into three broad groups, pretty much the same ones we consider with any activity or enterprise – making gains, preventing losses, and, if that all goes well, taking advantages of other opportunities for ‘wins’.

In the case of records management, the gains we are promised are based around efficiency, productivity, meeting compliance requirements (note that is only one of many benefits, not the end goal) – and equity, or fairness. In essence, RM should help us do our best work. In terms of the losses we can avoid by doing effective RM, they centre around protecting ourselves – by showing our working and keeping the history of decisions made when and by whom. It can keep us from getting into trouble – but sometimes this backfires pretty badly, as we will see below.

Other wins in records and information management are about telling our story – this is the domain of knowledge management, archiving, and business intelligence. These are more qualitative benefits, and not usually considered as critical by businesses. In government, these are usually seen as a stretch target.

What have we already done?

Government and industry came on board with records management a long time ago. When digital records management started becoming important, most agencies and organizations did a few things to try to get those promised benefits.  To make some gains in the new digital frontier, we established some governance, bought an EDRMS, and trained everyone how to use it. This was meant to make us more productive and efficient. To avoid the pitfalls of digital disruption, we set up policies and rules, and told people they had to use the EDRMS or else. When this didn’t really work, we started trying to connect business systems like SharePoint to TRIM or Objective.

Some of us have tried to hit the stretch targets, and overall there has been mixed success with big data, BI and knowledge management across the board.

How much did this cost to do? A recent audit on the Department of Health pegged the EDRMS implementation at about $A5.5M, taking 9 years to get up. The audit also detailed the impacts on staff in having to learn how to use a new system and other impacts on the records management unit.

The cost of integrating systems with the EDRMS is typically about half again of the cost of implementation. About $A2.5M is a conservative estimate for SharePoint/TRIM integration, with a low overall success rate across government. Of course, integration has system impacts as well as cost impacts.

The cost of targeting those more qualitative gains is very open ended, but not usually cheap. Part of the reason is that we can’t get good intelligence out of our data until we are managing it effectively in the first place – and despite all of this investment, most organisations still aren’t.

The digital payoff?

Let’s look closer at what we did and didn’t get for our money and efforts. In 2016 Finance did a feasibility study into whole of government EDRMS, which had a user survey component. The survey found that, across the board, EDRMS implementations were not being used efficiently or effectively. There was a large impact on staff from being forced to work in EDRMS, which were designed for records managers, not users. After more than 10 years, RM in government is not realizing the promised gains.

How about using records management to protect ourselves from losses? There are two main deficiencies here. We know more about the deficiencies in Federal Government

departments because the Australian National Audit Office (ANAO) has undertaken quite a few critical audits over recent years. These have consistently found across that time span, that:

  • Problem one – agencies are still not managing most of their records – which means they have none of the promised protections for all of that information. Government is still exposed to losses from not managing our records in our key business systems.
  • Problem two – even when we are ‘managing records’ in an EDRMS, we can’t reliably find them. Records may be in the EDRMS, or they may be in business systems, or both. And when they are put into the EDRMS there’s no guarantee we can find them again. ANAO found that only 18% of records put into the Health EDRMS were afterwards findable by staff. If we can’t find our records of business, we can’t protect ourselves.

Is this an isolated issue?

A review of ANAO audits, from just 2017 and 2018, shows 11 separate investigations that found deficiencies in records management. And all occurred in agencies that have formal RM governance and EDRMS – from PMC to Defence to Human Services.

Let’s look a little closer at the first big problem, not managing our Business Information Systems (BIS). Under Digital Continuity 2020, all business systems must meet functional requirements for information management.

Most organisations have over a thousand discrete business information systems. Usually around a dozen systems will do the heavy lifting, and contain most of the records to support the work of the organisation. The usual suspects here are document repositories, CRMs, transactional line of business systems and email. These essential administrative and core business systems support the entire enterprise.

This top one percent of systems will usually hold the majority of business records. But the other 99% of systems, while not as ubiquitous, do still hold large amounts of essential evidence of business decisions, transactions, effort expended and outcomes.

The average agency has 142TB of digital records outside of their EDRMS. For context, the EDRMS usually holds less than 1% of the total of all digital records. According to the 2016 NAA Survey of Information and Records Management Practices in Australian Government Agencies:

1. Only a third of agencies are sentencing any digital records (including in EDRMS)

2. Only half of those are doing any disposition of those digital records

3. No agencies are doing any disposition of BIS records

4. Less than 20% of agencies have a plan for their BIS RNA records (around 53TB of them per agency).

Overall, we can expect over 14 million BIS records in an average government agency per the Survey – and they aren’t being managed.

So what is stopping agencies and other organisations from meeting just the basic requirements?

Per the Survey, cost is a big issue, which makes sense when you think of the scale of systems that need to be managed, whichever option is used. Technical barriers are also a problem, which are hard to overcome using the four current Business Systems Assessment Framework options.

Finally, a combination of staff capability and organisational culture are acting as impediments. This will always be a problematic area where negative impacts on users are expected. Let’s look at Problem 2 – we can’t find the records that we actually are theoretically managing. The ANAO report from Health found that after spending the money, and nearly a decade in planning, evaluation and implementation, users still couldn’t find most of their records. A lot of records didn’t make it into TRIM, which goes back to Problem 1, but even the ones that did then effectively disappeared. If over 80% of the records you put into an EDRMS are never to be seen again, and if it takes inordinate effort to find the less than 20% that you can locate, you haven’t had a win here.

Real life consequences

So what’s the real world impact of all of this? Does it matter if we aren’t managing all of our record holding systems? Does it matter if we can’t always find our information?

Perhaps after years of living this reality, the average user inside the organization gives up caring. Life goes on, we all keep working, the wheels keep turning. But what happens when we look outside of our organisation, at who is affected by our actions, or inactions? We can better see outside our own four walls if we reflect on the cases of Vivian Solon and Cornelia Rau.

Vivian Solon was found in a park in Lismore in 2005 with head and possible spinal injuries. She was taken to hospital, where someone suspected her of being an illegal immigrant, for unknown reasons, and reported her to DIMIA. DIMIA officers ran with this assumption, and deported her, even though she told them she was a citizen, and even though there was a missing persons alert out for her.

The Comrie Inquiry looked into the circumstances, and found that information identifying Vivian, that would have prevented her deportation, was in TRIM. The officers didn’t find them by searching, so assumed they weren’t there. DIMIA had the records, and they were managing them – but they couldn’t find them.

After a TV special aired, an officer recognized Vivian and did some more searches, and did find the connection The officer reported it to their supervisor – who did nothing. Another officer found the same thing and reported it to the supervisor – who still did nothing. There was plenty of evidence of these searches, and communications, that implicated the supervisor in this terrible action.  So overall, the records management situation did nothing to help DIMIA to ‘do its best work’, but did do a lot to get it into trouble. You will recognize this as the opposite of the benefits we were told to expect from records management. This wasn’t the only instance of RM issues at DIMIA having catastrophic real life impacts.

Cornelia Rau was picked up by the Queensland Police on the Cape York Peninsula in 2004. She gave conflicting accounts of who she was, and where she was from. She didn’t give Police her real name. She was eventually detained as a suspected illegal immigrant, even though the German consulate had no record of her. Her identity was only discovered after a newspaper article was published, and her family in Victoria, who had been looking for her, saw her picture.

The Palmer report found that searching for information, and in fact the aggregation and linking of information, was ineffective. The staff at DIMIA had assumed that the fact that they couldn’t find anything on ‘Anna Schmidt’ or ‘Anna Brotmeyer’ didn’t mean much. If the search facilities had been more connected, and more reliable, they would have flagged that this woman wasn’t who she said she was, and done more investigation.

The Inquiry Recommends …

The inquiries made two broad sets of records and information management focused recommendations, which were aligned with the two persistent issues presenting at DIMIA, and in fact across all agencies. Firstly, make records more findable. They proposed that this could be achieved by training people better, including training them to spell more carefully.

They also suggested some type of technical enhancement to support searching across systems. Secondly, to manage records in non-EDRMS systems more rigorously. They recommended linking records across systems, and even implementing a new BIS to manage records better through the lifecycle of a case.

Have these recommendations been effectively addressed? In the most recent ANAO audit, no substantial improvements were identified. The record-keeping across what is now Border Protection is still considered poor, users are still storing records (naturally) in line of business systems, and records in the EDRMS are still hard to discover. ANAO recommends – mandating use of the EDRMS. But there is no evidence that this will really help. Let’s look at why not.

The Department has actually been trying. They take this very seriously, and many concerted efforts have been made over the last 10 years to address the systemic issues. But no ground has been gained, because of repeated failed remediation initiatives, lack of follow through, and the sheer scale of records and record growth. The department has forecast a cost of around $A15M to address its records and information management shortfalls, which has not been able to be easily found in its budget.

So – is this actually fair enough?

• Should we be spending $A15M+ on this type of problem?

• If we do throw good money after bad, is it smart to spend it on training thousands of people, again?

• Can we really roll all of our records of business, 99.5% of all our data, into the EDRMS?

• And if we do put 100% of our records in the EDRMS, will we effectively lose 80% of them?

• How is the business case overall? Does the cost and impact of doing all this actually result in a good payoff for us? Do we get ROI? Do we align with NAA and whole of government expectations?

I think the answer to all these questions is no. We can’t spend that much money, and cause that much hurt, in the name of records management compliance. Our narrow focus on ‘complying’ by shoehorning records into a records management system, and overlooking the management of everything we can’t squeeze into it, has already caused us a lot of hurt. What we are doing isn’t working. Does this mean we just do nothing? We might say yes, if it wasn’t for Vivian and Cornelia.

How can we do this smarter?

Firstly, let’s understand the essential requirements for successful records management:

1. To create records in context: this means that the records about Vivian Solon in TRIM are connected somehow to the emails about her, the database entries about her, the documents in the shared drive about her, and even social media posts about her.

2. To manage and maintain records: the functionality required to ensure records do not lose their evidential value, for the duration of their lifespan. This evidence can hurt us if it shows we did the wrong thing – but it will help us if it shows we did the right thing.

3. To support import, export and interoperability: this means we can keep Cornelia Rau’s records linked even when we MOG or re-platform.

4. To retain and dispose of records as required: this is the ‘compliance’ part. Just one element (but a very important one).

Rachael Greaves is Chief Information Officer (CIO) at Australian RM specialists and solution provider Castlepoint Systems. Rachael has extensive experience consulting on information, records management, security and audit across federal government.

Manage Information Everywhere

Castlepoint is a records and information management solution designed to manage all an organization’s electronic records, in any business information systems (BIS). The way the Castlepoint Manage Information Everywhere (MIE) model works is by leaving the BIS unchanged and unaffected. Users just keep working in their own business systems, as normal.

MIE silently monitors every BIS for new items (documents, emails, tweets, rows, web pages, images or other records). When a new item is identified, MIE uses artificial intelligence to register it, or link it to an already registered record. MIE uses AI to understand the context of the record (who created it, and where in the organisation it arises from) as well as the content. It uses this information to automatically classify the record aggregation against a Records Authority (RA) Class, and any relevant ontologies. MIE applies the sentence from the RA when it is registered, but also continually over time as the content of the aggregation evolves and changes, to ensure the classification remains appropriate. When the retention period is met, MIE alerts the records managers, who can review the aggregation and execute the sentence.

Importantly, MIE adds extra value by providing a single pane of glass to find records from all across the enterprise. The ability to ‘see’ everything, everywhere, and find it based on its similarities with their own records, means users can get maximum value out of all information assets.

It also means quality control, security, audit and compliance teams can have eyes on all the content, all the time, and flag potential breaches such as underclassified records, duplicates, or sensitive records saved in inappropriate systems.  So, organisations can have the full benefits we were promised by 15489. Users can be more productive and efficient, and importantly, more equitable. Castlepoint also mitigates against potential losses incurred by not maintaining evidential integrity. And because you can verify and validate your data you can trust it enough to turn it into knowledge.

Risk is low. There’s no integration required, directly or via connectors, and no impact on supportability or upgrade paths. There’s no data migration or duplication.

The product itself is affordable, with a target of under $A50,000.00 for a mid-size agency. It’s one product for all systems, not one product for each system. The system is invisible to staff in terms of records management. User centric shouldn’t mean centralising users into one system – they can stay in their BIS, no need to work in a new interface. There’s no need to change policy or culture.