There is no doubt that information is the very lifeblood of an organisation. Through rules and acts around the management of this information, such as the King III report and the Protection of Personal Information (PoPI) Act, it needs to be more carefully managed than ever before.
This is the view of Datacentrix senior enterprise information management (EIM) consultant, Louisa Venter, who believes that records management and analysis specifically is playing an instrumental role in sound corporate governance practice and the sustainability of business service delivery.
Venter is the chairperson of the local SABS committee ISO TC46/SC46D for the design of archives and records management industry standards and has had a 25-year career within knowledge and records management. She emphasises that records management is an essential requirement for all organisations, something that is particularly highlighted by King III.
Records management can be defined as the professional practice or discipline of controlling and governing what are considered to be the most important records of a company throughout their lifecycle. This includes the time from which they are conceived, right through to their disposal; including the identification, classification, prioritisation, storage, securing, archiving, preservation, retrieval, tracking and destroying of records.
“As part of a business’ broader governance, risk and compliance (GRC) endeavours, records management assists in controlling its activities (as well as providing evidence of these activities), enhancing operations and allowing it to remain compliant,” she explains. “What must be considered though is what happens should your records be irreparably damaged or lost.”
“It could become a company’s worst nightmare and underlines the need for a risk management programme that is able to identify high-risk areas within records management and archiving, and mitigate them by ensuring that the correct evidence is always available. This means that a company’s records process and systems must be supported by its risk management practices.”
A subject expert on archiving and records management, Venter, as part of the SC46D committee, was involved in drafting a new standard – ISO 18128 Risk identification and assessment for records systems – with a view to assisting records management practitioners to assess and address the risks associated with records management processes and systems.
“There are a number of standards already in place that look at information security management, risk management principles and guidelines and management systems for records requirements,” states Venter.
“Standards within this grouping tackle issues such as metadata for records, specifications for ensuring digital images created are admissible in court, converting digital records to different forms or moving them from one platform to another. While they all refer to the fact that risk must be identified and mitigated, none of them outline how this can be done.”
Based on the general risk management process established in ISO 31000, on risk management guidelines and principles, ISO 18128 will assist companies to assess and identify risks to records processes and systems, set risk criteria, assign responsibilities and analyse and evaluate identified risks so they can ensure records continue to meet identified business needs for as long as required.
Says Venter: “This standard will help organisations in acknowledging that records management is a strategic tool that supports other management system standards. It is also important to note that as a solutions and services provider, Datacentrix’ EIM business unit recognises the importance of operating within these standards, looking at a business’ needs from an information perspective and then applying the technology to support these needs.”