The evidence, when perused objectively, is stark: failures in the management of records and information lead to deaths, financial loss, environmental loss, and loss of reputation every day.
In Melbourne, a worker employed by a utility company died because drawings of an installation were not accurate. In Gosford a family died because maintenance records of a bridge were not up to date. In the US a multinational company lost millions of dollars because a letter was not properly processed. The list of verifiable incidents with a root cause of poor records and information management is as long as it is sad and, at times, repugnant.
So who is accountable for the poor practices that lead to destruction of lives, reputation, assets and the environment?
What is Accountability?
In my time in the oil industry I was once sitting in front of the board as a young manager, explaining how in the unit I managed, we had created a situation where overnight a fountain of petrol erupted in a warehouse. A hundred thousand litres of petrol was spilled on a warehouse floor, exposing the vapours from the spill to a myriad of sources of ignition.
I explained the immediate cause of an employee forgetting to close a valve when ending their shift. One of the directors was clear: we should sack the storeman immediately. The storeman, so the reasoning went, was accountable for the spill.
I demurred. Whilst the storeman and his supervisor and I and Engineering and Maintenance could all be shown to be responsible, the General Manager was accountable and indeed in some context, the chairman was accountable for not ensuring that risks were adequately managed.
The warning signs for this risk event had been visible for many years. The decisions taken in expanding operations over twenty years and not taking preventative maintenance seriously had all contributed as root causes. Many of the root causes were strategic or poor management of risk. The storeman had no part in strategy.
And so it is with records and information management. Whilst individuals may be responsible for acts which serve as an immediate precursor to a risk event with considerable negative consequences, it is the positions of CIO, CEO, and board member that are usually the accountable parties. However, very few CEOs would accept this position. Why is that so?
Not valuing Information as an Asset
I have not met many CEOs who value information as an asset. They see it as useful and see they have a compliance need to keep records, but they do not see information as having intrinsic value. The only time they see value in information is when they are reacting to a risk event with significant negative consequences.
This is beginning to change in organisations with large amounts of data as the big data circus rolls on. I call it a circus because many of the efforts I see do not have sufficient emphasis on the quality of data being evaluated, and a lot of money is being spent for outputs of dubious quality and therefore potentially unintended consequences. Nonetheless, structured data is starting to be seen to have value.
Perhaps this will allow unstructured data to be seen as having value too.
Not understanding the Functionality of an EDRMS
Anecdotally, from my experience, fewer than 20% of senior managers understand the functionality of an EDRMS. The myths about an EDRMS that I have seen range from an overall view that they are only for archiving to more specific views: that an EDRMS is not as secure as shared folders; that revisions can’t be deleted; that workflow can’t be managed in an EDRMS; and that it is difficult to search using them, to name a few.
The essence is they do not see an EDRMS as a business improvement tool, which it is.
Not managing Risks
I am continually surprised at the lack of understanding of risk management concepts at executive level. Often I find the board has not set the context within which they will manage risk and what their risk appetite is. Without these fundamental concepts being in place, no risks can be managed.
When the context and risk appetite have been established, I rarely see information risk events included in the assessment of potential risk events. Even when they are included, I rarely see risk treatments that have any impact on the consequence of poor information management, and the treatments purported to reduce the likelihood are usually overly optimistic in their view of the likely impact of the treatment.
CEOs, CIOs, and board members need to take information management seriously as part of their normal management of risk. They must treat information as an asset and manage it appropriately, lest they see the impact of the lack of accountability on the lives of people when it’s too late.