Conference Outline Delivery Draft


Recordkeeping risk, regulation and the positioning of the Public Records Act 2005 Audits
Future Perfect
Digital Continuity Conference
May 4th 2010
Richard Hipgrave, Manager, PRA Audit Programme
Presentation Overview
• Business risk associated with poor recordkeeping
• Challenges in setting up a regulatory programme
• Overview of the Public Records Act 2005 (PRA)
• How PRA audits fit into a broader regulatory framework
• Challenges as the PRA audit programme matures
Business risk associated with poor recordkeeping
Compliance
1. Failure to meet legislative and regulatory requirements
2. Unlawful disposal of records
3. Inability to provide assurance of legislative compliance
4. Inability to produce records or provide evidence
Operational
5. Inability to transfer data across organisational systems
6. Inability to deliver services due to the loss of information
7. Inability to retrieve and interpret records in obsolete formats or systems
8. Information is inaccessible or unsuitable for the conduct of business
9. Inability to provide a record of specific transactions
10. Inconsistent, ineffective and inefficient conduct of business
Reporting
11. Inability to provide reliable evidence summarising activities or undertakings
12. Reduced capability to demonstrate good performance
13. Misleading the minister or other key stakeholders
Reputation
14. Embarrassment to the chief executive, minister, the government and individuals
15. Damage to reputation, loss of credibility, lowered public confidence
Strategic
16. Loss of records which support New Zealand’s cultural and national identity
17. Poor strategic planning and poor decisions made on inaccurate information
18. Inability to use organisational information and knowledge to full potential
19. Constrained business and information management strategies
20. Inability to automate processes and to secure efficiency benefits
Regulatory failure is common!
• Leaky homes….
• Failure of finance companies….
• Behaviour of NZ drivers….
• Provision of telecommunication services….
• Provision of electricity services….
….So what makes for good regulation and monitoring???
Regulatory programme business systems are wide-ranging and take time to build
• Regulatory Policy
– Approx 15 core processes
• Regulatory Services
– Approx 20 core processes
• Regulatory Instruments – Legislation, Standards, Codes of Practice, Guidelines, etc.
– Approx 5 core processes
Key regulatory policy activities
• Define the domain
• Capture quantitative information about its business systems
• Capture qualitative information
– Beliefs, values, attitudes and behaviours
• Define the business risk associated with the domain
• Identify tactical activities to contain or reduce risk
• Research barriers to achieving compliance with regulations
• Develop regulatory programme monitoring framework
Regulation must be based on a good understanding of the milestones to better practice….
[Diagram: milestones plotted on a Risk axis (High Risk to Low Risk) against Business Outcomes (Inconsistent, Effective, Efficient); listed here as on the slide, from the Low Risk end down to the High Risk end]
• The organisation systematically reviews its recordkeeping performance, and actions improvements where justified by business benefits or further reductions in business risk
• The organisation follows rules for the disposal of records
• The organisation stores its records securely so that they cannot be stolen, damaged or altered
• The organisation’s systems can consistently locate and retrieve records
• There is reporting to the governance board on business risk
• The organisation systematically reviews its recordkeeping requirements
• Recordkeeping procedures are documented, operative and complied with
• Recordkeeping staff are properly trained
• Senior Managers have accountabilities, provide budgets for staff and equipment and investigate policy breaches
• The organisation has a policy, endorsed by the CE, distributed across all business units, describing responsibility and identifying penalties for non-compliance
Regulatory strategy needs to be phased….
[Diagram: Risk axis (High Risk, Acceptable Risk, Low Risk) against Business Performance Outcomes (Inconsistent, Effective, Efficient)]
• Phase 1: Actions to eliminate unacceptable risk and achieve compliance with good practice requirements
• Phase 2: Actions to secure benefits in the form of improvements to customer services and reduction in costs
• Comply with good practice requirements, but yet to optimise service levels and costs
….and tactics need to be smart
• Good Practice: Reward, Accredit
• Acceptable Practice: Incent, Enable, Inform, Influence
• Poor Practice: Deter, Prosecute, Punish, Remove
Key regulatory services
• Accredit
• Advise
• Audit for compliance with regulations and standards
• Audit performance
• Audit for quality management
• Certify
• Enforce
• Evaluate
• Inform and influence
• Inspect
• Investigate
• Liaise with Crown and international agencies
• License and Permit
• Prosecute
• Register
• Respond to queries
• Review
• Support Communities of Interest and Networks
Key regulatory instrument management activities
• Define programme of work
• Consult
• Draft standards, codes of practice, guidelines, etc.
• Publish
– Distribute printed products
– Disseminate electronic information
• Evaluate
– Effectiveness of dissemination
– Effectiveness of training and support
– Ease-of-understanding
Regulatory business systems take time to mature
Regulatory Policy Management
• Benchmark performance with other countries
• Evaluate policy effectiveness
• Liaise with Crown and international agencies: Policy
• Maintain intellectual property
• Maintain data and evidence bases
• Maintain policy agenda
• Manage innovation
• Manage research programmes and projects
• Manage stakeholders
• Monitor regulatory instrument adoption
• Monitor regulatory instrument compliance
• Monitor regulatory services management effectiveness
• Monitor societal and sector trends
• Monitor technology trends
• Report to stakeholder groups and the Crown
Regulatory Services Management
• Accredit
• Advise
• Audit for compliance with regulations and standards
• Audit performance
• Audit for quality management
• Certify
• Enforce
• Evaluate
• Inform and influence
• Inspect
• Investigate
• Liaise with Crown and international agencies: Operations
• License and Permit
• Manage revenue from licensing, registration and certification
• Prosecute
• Register
• Regulate
• Respond to queries
• Review
• Support Communities of Interest and Networks
Regulatory Instrument Management
• Consult
• Disseminate electronic information
• Distribute printed products
• Publish
• Set Standards, Codes of Practice, Guidelines, etc.
The Public Records Act 2005
PRA promotes:
• Democratic accountability (Crown to the Public)
• Management accountability (Agencies to the Crown)
• Collective memory and historical heritage
• Good management
Key components of the PRA regulatory framework
• Audit: Archives New Zealand must undertake independent audits of recordkeeping in public offices from 2010 (PRA s33)
• Standards: The Chief Archivist may issue standards in relation to public records. It must be stated who they apply to and if they are mandatory or discretionary. Consultation must be undertaken before issue (PRA s27)
• Inspection: Archives New Zealand has the right to inspect the archives and records of public offices and local authorities (PRA s29)
• Direction to report: Public offices can be directed to report on any aspect of recordkeeping or on the records they control (PRA s31)
• Parliamentary Report: The Chief Archivist must report annually to Parliament on the state of recordkeeping in public offices (PRA s32)
The PRA underpins the work done by organisations undertaking audits, inquiries and investigations
[Diagram labels:]
• Public Office Accountability and Information Access
• Public Office Outcomes and Operating Effectiveness
• Public Finance Act
• Public Audit Act
• Risk Management
• Official Information Act
• Privacy Act
• “Provide for the preservation and public access to…”
• “Create and maintain full and accurate records….”
• Records and Information Management
• Public Records Act
Audits target the management of high-value records examined in audits, inquiries and investigations
• POLICY MANAGEMENT: Research, evaluation, consultation, outcomes, impacts, interventions, outputs and activities
• SERVICE DELIVERY: Records of transactions with customers, clients, subjects, citizens
• ASSET MANAGEMENT: Locational records, inventories, specifications, plans, calculations, detailed designs, operating procedures, maintenance schedules
• Service standards, process designs, procedures
OPERATIONS SUPPORT
• Records of transactions with suppliers – orders, contracts, tenders
• COA, budgets, financial models, transactions
• HR
• treaties, statutes, guidelines, codes of practice
• board papers, forecasting models, business plans, management reports
Summary
• Regulation comprises policy, services (e.g. PRA Audits) and instruments
• Regulatory programme business systems take time to build and mature
• In its first phase of development, regulation focuses on eliminating unacceptable risk and achieving compliance with good practice
• Outcomes are achieved through a range of tactical services that reward, incent, enable, deter, punish and remove targeted segments
• Tactics need to be informed by an up-to-date evidence base and a range of analyses producing good intelligence
• Over-dependence on one tactic creates unrealistic expectations and counter-productive behaviours
For further information
• See the Archives website for information on recordkeeping and the Public Records Act: http://archives.govt.nz/advice/public-records-act-2005
• Contact:
Richard Hipgrave
[email protected]