T
HE
F
INANCIAL
C
APABILITY
M
ODEL AND THE
R
ECORDS
M
ANAGEMENT
F
UNCTION
:
A
N
A
SSESSMENT
A R
ESEARCH
P
APER IN
S
UPPORT OF
T
HE
P
UBLIC
P
OLICY
F
ORUM
D
ISCUSSION
P
APER
ON
I
NFORMATION
M
ANAGEMENT TO
S
UPPORT
E
VIDENCE
-B
ASED
G
OVERNANCE IN THE
E
LECTRONIC
A
GE
February 2002
About the Author
John McDonald is an independent consultant based in Ottawa.
This research paper was prepared in the context of a project sponsored by the Public Policy Forum as part of its work on public sector management reform and on governance. The project team was led by David Brown, Director, Special Projects, at the Public Policy Forum and also included Andrew Lipchak. The team was assisted by Geneviève Lépine, Research Associate at the Public Policy Forum.
The Public Policy Forum (PPF) is a non-profit organization aimed at improving the
quality of government in Canada through better dialogue between government, the private and third sectors. The Forum’s members, drawn from businesses, federal and provincial governments, the voluntary sector and the labour movement, share a common belief that an efficient and effective public service is a key element in ensuring our quality of life and global competitive position. Established in 1987, the Public Policy Forum has gained a reputation as a trusted, neutral facilitator, capable of bringing together a wide range of stakeholders in productive dialogue. Its research program provides a neutral base to inform collective decision- making.
Table of Contents
Preface ... 1
Executive Summary ...2
1. Introduction...4
2. Background...5
3. The Financial Capability Model (FCM) ...7
THE MODEL... 8
THE DEVELOPMENT OF THE MODEL... 12
THE APPLICATION OF THE MODEL... 13
4. The Records Management Function ... 13
5. Assessment of the Financial Capability Model ...20
THE MODEL... 20
THE MATURITY LEVELS... 22
THE KEY PROCESS AREAS (KPAS) ... 23
ESTABLISHING A FRAMEWORK FOR RECORDS MANAGEMENT KPAS... 23
6. Towards a Maturity Model for Records Management...28
7. Conclusions...38
Appendix A - Financial Management Capability Model: Outline
...40
Appendix B - Financial Management Capability Model:
Example of a Level and Key Process Area (KPA)...43
Appendix C - E-Capacity Checklist and the Software Capability
Model: Methodology and Lessons Learned ...47
Preface
The electronic environment is dominating the agenda of modern governments including those in the developing world where the application of information and communications technologies (ICT’s) are seen as a major catalyst to economic and social advancement. The potential is rising for greater citizen participation in governmental processes through the innovative use of ICT’s and the adoption of e-government strategies. The growing intimacy between the citizen and the government is accelerating the need for effective strategies, tools and techniques to help citizens and governments transact business in trustworthy environments based on records that are authentic, reliable, accessible, understandable, and usable.
Based on discussions with the International Records Management Trust and subsequent funding from the National Archives of Canada, Public Works and Government Services, and the Treasury Board Secretariat, the Public Policy Forum is undertaking a study of the relationship between governance and recordkeeping. The findings of this study are described in the discussion paper, “Information Management to Support Evidence-Based Governance in the Electronic Age”.
This report describes the results of an investigation into the feasibility of using a maturity model developed for the financial management community as the basis for a similar model for use as a roadmap by the records management community.
It is also designed to contribute to the further development of strategies and tools that will permit public sector organizations to manage information as an asset similar to any other valued asset.
The Public Policy Forum (PPF) is grateful for the support provided by the National Archives of Canada, Public Works and Government Services, and the Treasury Board Secretariat. The Forum is also grateful to Andrew Lipchak and John McDonald who wrote the two reports while under contract with the PPF.
Executive Summary
This research paper was prepared in support of a study on the relationship between information management and good governance. The purpose of the study, entitled “Information Management to Support Evidence-based Governance in the Electronic Age”, is to identify key issues which governments in both developed and developing countries should consider in assessing and improving their recordkeeping (or records management) programs.
Although governments are increasingly recognizing the relationship between governance and recordkeeping, they are struggling to ensure that the related infrastructure of policies, standards and practices, systems and technologies, and people is complete, effective, and relevant, especially in an electronic environment. The struggle is exacerbated by the absence of tools to help them assess the adequacy of their existing recordkeeping infrastructures and to provide them with a road map to help guide them in enhancing their infrastructures. Such a road map would help them understand the direction they should be taking to move systematically toward higher levels of records management maturity. At the same time, it would respect their need to take steps that fit their resources, capabilities and conditions. Other resource management functions such as human resources, information technology, and finance have developed such maturity models to serve this purpose. One such model is the Financial Capability Model (FCM), developed by the Office of the Auditor General of Canada. Based on a preliminary review of the attributes of the model, the conclusion was reached that it might offer a framework within which a recordkeeping maturity model might be developed. At the very least it would help to inform the nature and structure of an effective recordkeeping maturity model, whether or not fully based on the FCM.
Significant components of the FCM could be adapted for use in the development of a similar model for recordkeeping. The model is based on five levels of maturity supported by Key Performance Areas (KPAs) that guide how an organization can move from one level of maturity to another. “Institutionalization Common Features” provide indicators of what the organization must be capable of supporting as an infrastructure if the goals of the KPAs are to be met and if the level of maturity is to be sustained through time.
Based on the approach taken by the FCM, a proposed set of cumulative maturity levels is presented for the records management function, as follows:
• Level 1: An infrastructure for managing records is not in place. Records are
created, used and retained based on protocols established by individuals or work groups.
• Level 2: An infrastructure is in place for controlling the retention, protection, and
disposition of records. The relationship between records management and business needs is weak.
• Level 3: An infrastructure is in place to ensure that records are created to document
business activities, that records are accessed and retrieved effectively and that they are retained and disposed of according to corporately approved standards and in
compliance with laws and policies. The relationship between records management and business needs is strong.
• Level 4: An infrastructure is in place to ensure that the right information in
authentic and reliable records is provided to the right person at the right time in the right format at a reasonable cost.
• Level 5: An infrastructure is in place to exploit information in records to meet the
needs of a knowledge-based organization functioning in a continuous learning environment.
A methodology for developing the KPAs required to link together the maturity levels is proposed and examples are provided.
Although much can be learned from the experience gained through the assessment of the FCM, there are a number of implications. These range from the issue of deciding whether or not an organization must achieve all of the “requirements” for a given maturity level before it can claim that it has reached that level, to the challenges of relating the maturity levels for records management to the yet-undefined maturity levels for “governance”. Regardless, the FCM provides an excellent basis for the development of a much-needed maturity model for recordkeeping.
Aside from helping governments advance their records management programs in a consistent and systematic manner, such a model would also support the consistent and systematic implementation of the new International Records Management Standard. The outcome would be a global approach to the establishment of records management programs using the same road map in terms of their future evolution. At a time when countries around the world are promoting common values and objectives for governance, the need for records management programs (which underpin good governance) to reflect common objectives and attributes has never been greater. An international records management standard coupled with an internationally endorsed records management maturity model would go a long way to satisfying this requirement.
1. Introduction
1.1 Records, when well managed, are both instruments of accountability and authoritative sources of information that can be used to support decision-making and the delivery of government programs and services. The effective creation, use, and preservation of records are integral components of a government’s ability to reflect the values and ethics associated with good governance.
1.2 Although governments are increasingly recognizing the significance of this relationship, they are struggling to ensure that the infrastructure of policies, standards and practices, systems and technologies, and people is complete, effective, and relevant, especially in an electronic environment. The struggle is exacerbated by the absence of tools to help them assess the adequacy of their existing recordkeeping infrastructures and to provide them with a road map to help guide them in enhancing their infrastructures if and as required.
1.3 What is the nature of that road map from a recordkeeping perspective? Are tools available or can they be developed / modified to help analyse where a given records management program is located in terms of its level of maturity, capability, and relevance? Can these same tools offer a process for defining what steps need to be taken to proceed from one level of maturity and capability to the next? Given that records are valuable resources that need to be managed, can lessons be learned from other resource management functions to help answer these questions?
1.4 This report explores these questions and offers a perspective on the extent to which one such capability model developed for the financial management function might be applicable to the assessment of the records management function in a public sector setting. 1.5 The report begins with a brief review of the capability and maturity models that have emerged to support functions such as information management (e.g. Information Management Capacity Check under development by the National Archives of Canada) and information technology (e.g. the Capability Maturity Model for Software produced by Carnegie Mellon University) and the rationale behind the selection of the Financial Capability Model developed within the Financial Management function as a focus of attention for this study. It continues by exploring the attributes of the records management function (within the context of information management) and the extent to which it can be defined in terms of levels of maturity. A commentary is provided on the relationship between levels of maturity for records management and levels of maturity for governance. The report continues with an assessment of the applicability of the Financial Capability Model (developed by the Office of the Auditor General of Canada) as the basis for the development of a similar maturity model for the records management function. The implications of the assessment for the development of maturity models for the records management function are also described. 1.6 Terms and expressions such as capacity, capability and maturity are often used interchangeably to explain what many would perceive to be the same concept. This report
will use the expression maturity model. While capacity focuses on the conditions necessary to achieve a set of objectives within the context of a given stage along a continuum, the term maturity tends to address the entire continuum and although the focus is on the conditions at each stage along the continuum, the emphasis is as much on the relationships among stages and the processes by which one can move from one stage to the next as they are about the individual stages themselves. The key is that no one stage is right or wrong. It is simply a state of being, much like the stages of maturity experienced by human beings.
1.7 The term records management function refers to the infrastructure of policies, standards and practices, systems, and people that are brought together within a management framework (i.e. planning, organizing, and controlling) to enable recordkeeping to be undertaken in support of decision-making, program/service delivery, and the ability to meet accountability requirements prescribed by laws and policies.
1.8 The term model is favoured over tool because the objective of this exercise is as much to establish a reference model from which tools can be produced as it is to develop the tools themselves. In fact, given the nearly complete absence of diagnostic tools for the records management function, the establishment of a reference model upon which the tools could be developed is seen as an important pre-requisite.
2. Background
2.1 Records management can play a significant role in the achievement of the goals of good governance (e.g. transparency, accountability, public trust, protection of rights and entitlements, citizen engagement, service, etc.). Although governments are beginning to recognize this role, they are struggling to determine how their existing records management functions should be positioned and enhanced to ensure that they are effective and relevant. In doing so, they are raising questions concerning how the adequacy of their existing programs can be assessed and how strategies leading to improvements (as required) can be established. In short, they are seeking a road map to help them determine where they are, where they need to be and through what stages they need to through in order to get ‘there’. 2.2 The tools and techniques that would appear to come closest to satisfying this requirement are associated with the audit and evaluation function. However, these are often in the form of checklists that provide an in-time measurement of whether or not a program is meeting a certain set of requirements. For instance, the Treasury Board of Canada’s Guide to the Review of the Management of Government Information Holdings1 provides a highly useful checklist of conditions that need to be met if a given government institution is to demonstrate that it is in compliance with the requirements of the Management of Government Information Holdings2 policy (soon to be replaced with the new Management of Government Information policy). While presented as a self-assessment tool for use by program managers, the Guide presents conditions of compliance that either are or are not being met.
2.3 Similarly, the IM-Ready Survey3, also produced by the Treasury Board Secretariat, measured the state of information management across the Canadian government at one
point in time but did not position the scales that it used (e.g. 1 to 5) as levels of maturity. Rather, they were seen as levels of inadequacy documenting the fact that they have not achieved a certain standard.
2.4 Tools such as the Guide and the Survey are based on ‘right-wrong’ paradigms that focus on narrow judgements about adequacy rather than maturity. Rarely do they leave room for those being audited to diagnose their current state, establish goals that are incremental and progressive, and establish a map to guide them from where they are to where they need to be with respect to the next higher levels of maturity and capability. 2.5
2.6 The FCM derives it’s experience from the Capability Maturity Model for Software (CMMS) 4 developed in 1996 by the Software Engineering Institute at Carnegie Mellon
University to help software organizations improve the maturity of their software processes. The model described various stages of maturity ranging along an evolutionary path from ad hoc, chaotic processes to mature, disciplined software processes. The CMMS is organized into five maturity levels:
1) Initial. The software process is characterized as ad hoc, and occasionally even chaotic. Few processes are defined, and success depends on individual effort and heroics.
2) Repeatable. Basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.
3) Defined. The software process for both management and engineering activities is documented, standardized, and integrated into a standard software process for the organization. All projects use an approved, tailored version of the organization's standard software process for developing and maintaining software.
4) Managed. Detailed measures of the software process and product quality are collected. Both the software process and products are quantitatively understood and controlled.
5) Optimizing. Continuous process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies. 2.7 According to the model, predictability, effectiveness, and control of an organization's software processes are expected to improve as the organization moves through each of these five levels.
2.8 Except for Level 1 (i.e. the only unacceptable level of the five levels), each maturity level is decomposed into several key process areas that indicate the areas an organization should focus on to improve its software processes and to transition to the next level of maturity. 2.9 The CMMS inspired a number of related initiatives that have resulted in the development of capability measurement tools for other resource management functions5. In
the Government of Canada, the CMMS was one of the components of the Enhanced Management Framework6 and the ICMM served to inform the development of the
Government’s E-Capacity checklist7, which is being used by government institutions to
assess their level of capacity and e- readiness for carrying out the objectives of the Government On-line initiative. The CMM was also used as the foundation for the development of the Financial Capability Model (FCM)8 developed by the Office of the
Auditor General.
3. The Financial Capability Model (FCM)
3.1 The FCM was developed by the Office of the Auditor General as a self-assessment tool for use in assessing the level of financial management in government institutions and to provide institutions with a road map for improvement. In effect, it provides a framework that describes the key elements of effective financial management. It sets out a path that an organization can follow to develop progressively more sophisticated financial management practices, as needed. It shows the steps in progressing from a level of financial management typical of a start-up organization to the strong, effective, financial management capabilities associated with a more mature and complex organization.
3.2 Figure 3.1 illustrates the scope and depth of the financial management function upon which the FCM is mapped.
Figure 3.1 Elements of Financial Management
3.3 In addition to its use in auditing, the Financial Management Capability Model also provides a tool that a government organization can use to:
• Determine its financial management requirements according to the nature, complexity and associated risks of its operations;
• Assess its existing financial management capabilities against the requirements it has determined; and
• Identify any gaps between those requirements and its existing financial management capabilities.
Having identified these gaps, an organization can then address any significant ones and work toward developing the appropriate level of financial management capability.
The Model
3.4.1 The model illustrates the stages through which an organization can evolve as it defines, implements, measures, controls, and improves its financial management processes. These steps have been organized into five progressive "capability levels" (see figure 3.2).
Figure 3.2 Financial Capability Model: Maturity Levels
3.4.2 Each level represents a well-defined stage toward developing a mature financial management regime.
Level 1 (Start-up): Describes the financial management characteristics of an
organization that has not yet established its key policies and practices or its control framework.
Level 2 (Control): The focus is on ensuring that adequate resources are available,
assets are safeguarded, data are reliable, and operations are monitored and controlled and conducted with prudence and probity. It describes current expectations for financial management based on established Treasury Board guidelines, Receiver-General directives and the Financial Administration Act.
Level 3 (Information): The focus is on integrating the organization's financial and
non-financial systems, practices and procedures to provide information that can be used to manage resources with prudence and probity and in an efficient and economical manner.
Level 4 (Managed): The organization uses the information developed at Level 3 to
balance two competing objectives: using its resources economically and efficiently, and producing cost-effective results - for example, goods or services of acceptable
quality. The organization understands the financial implications of the choices and trade-offs it makes between these objectives.
Level 5 (Optimizing): The organization uses information from inside and outside
the organization to set and achieve strategic targets or objectives for improvement. Achieving these targets enables the organization to increase the value of its services or products to clients or consumers.
3.4.3 Each level is described according to the following attributes: • An overview of the capabilities at the level;
• An overview of the key process areas (KPAs) at each level - their purpose, goals, and outcomes;
• A graphic representation of how each KPA interacts with the others at that level; and
• An indication, in general terms, of the risks associated with remaining at that level and what an organization must do to achieve the capabilities at the next level.
3.4.4 KPAs are the main building blocks that determine the financial management capability of an organization (see figure 3.3). They identify what must be in place at that capability level before the organization can advance to the next capability level.
Figure 3.3 Key Process Areas
3.4.5 An example of a maturity stage and a KPA are described in Appendix A. According to the model, only when an organization has instituted all of the KPAs associated with a
given level of financial management capability may it be considered to have achieved that level.
3.4.6 In order to achieve the goals in one or more key process areas, an organization must carry out certain activities:
• Identifying requirements - such as the need for a certain control system - and developing plans and procedures to meet them;
• Carrying out those plans and procedures;
• Tracking and monitoring the work being done; and
• Correcting any problems that may arise.
3.4.7 In turn, these activities produce immediate outputs (for example, a control system) or longer-term outcomes (such as careful management of the cost of products or services). According to the model, once an organization undertakes the necessary work and achieves the outputs or outcomes associated with a KPA, it is considered to have mastered that KPA and therefore established a basic building block that contributes to the achievement of a particular capability level. A fundamental principle is that all of the KPAs for a given level must be mastered before the organization can proceed to the next level.
Figure 3.4: Key Process Areas and their Relationship to the Financial Management Function
Figure 3.5: Model of a Key Process Area (Level 4 of the FCM Maturity Model)
The Development of the Model
3.5.1 The process involved in developing the model is as important to understand as the model itself. It was developed over a two-year period by a small group of 3-5 people within the Office of the Auditor General (OAG) supported by 3-5 functional specialists from other departments.
3.5.2 The trigger for the development of the model was the recognition that the OAG and, by extension, government departments lacked a tool to help them understand where given financial management functions were located on a scale of maturity. In too many cases audits performed by the OAG were measuring capacity and producing report cards that measured capacity at a given point in time without due regard to where the given financial management function resided on a scale of maturity. The OAG and departments alike recognized the need for a diagnostic tool that would provide the road map required to help guide the evolution of the function through various levels of maturity but at a pace that respected the needs and state of maturity of the organization itself.
3.5.3 The OAG team used the Capability Maturity Model for Software (CMMS) and the expertise resident at Carnegie Mellon as the basis for the development of the FCM. The bond between the OAG and Carnegie Mellon was so close that the OAG contracted the services of a specialist who had been involved in the development of the CMMS to help in the design of the equivalent for the financial management function.
3.5.4 Various drafts of the model were developed and shared with financial officers across the government and, more formally, with the Chief Financial Officers in government institutions. An Advisory Committee comprising senior officials from within the OAG
together with selected Chief Financial Officers from government departments, reviewed progress and provided direction and advice.
3.5.5 In 1999, the draft FCM was approved and made available to the financial community across the government.
3.5.6 As the model was being approved, the TBS Comptrollership Branch launched an initiative to develop a similar model for the Comptrollership function. While offering greater flexibility than the FCM (i.e. not all KPAs needed to be achieved before attaining a specific level) the initiative generated some confusion as financial officers began to raise questions about the relationship between the two models. In 2001, a project was established to harmonize the two models.
The Application of the Model
3.6.1 Although the model has been applied in a number of financial management audits9,
efforts have been made to encourage its use as a self-assessment guide for program managers. Rather than be viewed solely as an instrument of audit employed only by auditors, the OAG is advising departments that it can be used as a diagnostic tool that can help to increase the confidence level that a given financial management function is adequate or, if it is not adequate, the steps involved in advancing the function to the appropriate level of maturity.
4. The Records Management Function
4.1 A record is something that has a purpose (i.e. it is not merely the residue or by-product of organizational activities). In fact it has two purposes:
• To serve as an authoritative source of information (in context) to support
decision-making and the delivery of programs and services.
• To serve as an instrument of accountability by providing the essential evidence
governments and citizens require to account for their decisions and activities and to respond to the requirements of laws and policies.
4.2 In order to serve these purposes, records must have certain attributes and they must be managed in an environment that ensures their authenticity and integrity for the length of time they are required. The attributes of a record are its structure (discernable organization), content (it conveys identifiable information or evidence) and context (reference to the circumstances in which it was created or acquired). The environment in which it is managed must be supported by an infrastructure of policies, standards and practices, systems and technologies, and people that are dedicated to ensuring the authenticity, availability, accessibility, and understandability of records for as long as they are required for business and accountability purposes. Such an infrastructure must be managed which is why records
management is (or should be) a corporate function similar in status and organization to Human Resources and Financial Management.
4.3 Records management is a subset of information management10. It has a dedicated
purpose to serve the ability of organizations to document their activities. As such, however, they also support the fundamental functions of information management which are to capture information, to provide access and retrieval capabilities, and to ensure that the information protected and retained in a trustworthy environment.
4.4 An understanding of the records management function begins with an understanding of the business of government (i.e. if records are an integral part of the business of government then an understanding of how that business is viewed must first be acquired)11. In a service environment, this business view (see figure 4.1) begins with an individual interacting with a given government process (i.e. a public servant applying for retirement benefits; a citizen applying for a license; a policy officer developing a briefing note for the Assistant Deputy Minister, etc.).
Figure 4.1: Business View
4.5 The service is supported by a business process comprising of a set of related tasks which generate an information product (e.g. license, cheque, report, etc.) which could be recorded on paper, electronically, etc. The business process supports the requirements of a given government function or activity which is managed by accountable individuals located inside an organization. The organizational structure is nothing more than a management and accountability framework for the function / activity and the business process. All of this (i.e. the organization, the functions, and the processes) are situated within an accountability framework which itself is derived from a mandate(s) and an enabling law(s).
Organization
Function/activity Business process
B u s i n e s s V i e w
task task task
task
Law
Accountability
4.6 The basic relationship among the business process (or workflow), the information product, the function / activity, the organizational structure (accountability framework), and the enabling law and mandate is a constant regardless of the type of program or service being delivered.
4.7 The business view model described in figure 4.1 illustrates the means by which government institutions carry out their program responsibilities (i.e. their business).
4.8 The Records Management Infrastructure view (see figures 4.2 and 4.3) is aligned with the business view. It focuses on the delivery of an information product generated by the tasks in the business process or workflow (see figure 4.2). The individual tasks themselves generate information objects (i.e. records) of their own (e.g. the various types of personnel records generated to support the processing of an application for retirement benefits or for a license; to support the development of a briefing note for the Assistant Deputy Minister, etc.).
4.9 In executing these tasks, three kinds of activities are carried out, namely:
• Activities done to bring records into existence to support decision making,
program delivery, and to meet accountability requirements. These activities include: create, generate, collect, capture, receive, etc. The label given to this set of activities is create.
• Activities done with records to support decision making, program delivery, and
to meet accountability requirements. These activities include: transmit, exchange, access, retrieve, disseminate, share, etc.). The label given to this set of activities is use.
• Activities done to records to ensure that they are authentic, reliable, available,
usable, and understandable for as long as required to support decision making, program delivery, and to meet accountability requirements. These activities include: organize, describe, classify, retain, protect, store, migrate, dispose, etc. The label given to this set of activities is preserve.
create use preserve
Figure 4.2: Records View - Part 1 Figure 4.3: Records View - Part 2
4.10 These activities may be viewed at different levels:
• At the level of the individual record (i.e. a draft of the briefing note);
• At the level of the business process (i.e. all of the records associated with the preparation and dissemination of the briefing note);
• At the level of the organizational unit (i.e. all of the records for which a unit within the policy sector of the department is responsible);
• At the level of the function (i.e. all of the records associated with the policy development function the responsibility for which might reside in one organizational area or be shared with multiple organizational entities);
• At the level of the government institution (i.e. all of the records under the control of a given government department); and
• At the level of the involvement of other external organizations as active participants (i.e. all of the records associated with land management as generated by central agencies, individual government departments, other governments, the private sector, etc.).
4.11 The three activities are managed by a framework of: (see figure 4.3)
• Laws and policies (that reflect the values and ethics of the organization in
terms of the way in which it creates, uses, and preserves records; that support directly the strategic directions of the organization);
• Standards and Practices (that are authoritative, shared, owned, implemented,
and measured); and
• Systems (that respect the requirements for records creation, use and
preservation and that are directly related to the values and principles of the organization re: transparency, accountability, effective program delivery, etc.);
Business Process A w a r e n e s s/ U n d e r s t a n d i n g Records View Law/policy Systems Standards/ practices People create use preserve O w n e r s h i p/ A c c o u n t a b i l i t y
4.12 This framework cannot exist in a vacuum. It must be supported by people who have an awareness and an understanding of the importance and relevance of records to their programs. But more than this, the framework requires ownership and
accountability through public servants who understand its fundamental importance in
enabling them to carry out their program responsibilities and to reflect the values that guide their behaviour as public servants in a democratic government. Normally this ownership is reflected in an accountability framework extending across a given organization:
4.13 From the people perspective the model may be viewed from three perspectives. The first perspective is that of the manager and his or her staff who carry out their responsibilities in support of a given function or set of functions. These responsibilities are based on a mandate derived from one or several enabling laws and / or policies, supported by strategic and operational goals, and infused with the governance values set out for the public service.
The second perspective is that of the manager and staff who carry out their responsibilities for designing, building and maintaining the records management infrastructure. These responsibilities are based on a mandate derived from one or several enabling laws and / or policies, supported by strategic and operational goals (for the advancement of the infrastructure in line with the needs of the business of the organization), and infused not only with the governance values of the public service but also the values that guide them as professionals. Both the manager and the infrastructure manager and staff view the same model but the laws, mandates, strategic priorities, values, etc. as well as the ownership and accountability may differ because of the role each plays in the model.
The third perspective is that of the citizen (a business or individual) receiving a service or otherwise inter-acting with the government. Citizens expect that a trustworthy environment is in place to support this interaction and that the information associated with the interaction is authentic, reliable, complete, and accurate. They count on both the program managers and the records management ‘infrastructure builders’ to have carried out their responsibilities for establishing such a trustworthy environment and for managing effectively the records that support their interactions.
4.14 Based on this model it follows that the highest level of records management maturity should reflect a set of values and objectives that are consistent with the highest levels of values and objectives guiding the governance structures of public sector organizations. If a government is to support values such as transparency, public trust, accountability, etc. then it follows that government would be expected to support a culture that values information and the role it plays in supporting a citizen-state interaction founded on trust and respect. In this ideal context (i.e. reflecting the highest level of records management and governance maturity), public servants would be expected to12:
• Be fully conscious of the role information plays in establishing a relationship with citizens built on trust, integrity, and quality service;
• Understand the varied needs of citizens including businesses and respond to these needs with information which is complete, relevant, organized, timely and structured to maximize self sufficiency and access;
• Understand the central and critical role information plays in support of government business and accountability;
• Understand the need to document what they are doing with the records created as a result of their activities;
• See these records as valuable sources of information to help them do their job and as instruments of accountability;
• Understand the need to apply common standards and best practices to manage, make accessible and protect information assets; and
• Appreciate the value of sharing and exploiting information and knowledge to support more integrated program delivery within government (i.e. where appropriate and authorized).
4.15 Within this context, those responsible for the records management infrastructure that reflects such a maturity level would be expected to subscribe to the following objectives:
• To provide a trustworthy environment within which government business can be conducted;
• To enable public servants to generate, collect, receive, document and otherwise create the records they require to support decision-making, program and service delivery and accountability;
• To enable public servants to access, retrieve, exchange, transmit, disseminate, exploit and otherwise use the information they require to make decisions, deliver programs and services and to hold themselves accountable;
• To enable public servants to identify, describe, protect, retain, migrate and otherwise preserve the authenticity of records for as long as they are required; and
• To provide expert advice on the management of records.
4.16 This vision of the relationship between records management and governance does not stop with public servants and those involved in developing and maintaining the records management infrastructure. It extends to the citizens (individuals and businesses) who are both the contributors to and beneficiaries of the infrastructure. In ideal circumstances these are citizens who:
• Understand their rights and entitlements in terms of their interaction with government programs and activities;
• Understand the importance of records as evidence of their interaction with government programs and services;
• Expect their government to support a trustworthy environment that enables the protection of the information they provide to obtain government benefits and services;
• Expect their government to be able to hold itself accountable for its decisions and actions; and
• Expect their government to manage the records generated as a result of their engagement with the decision-making and policy development activities of the government (and who recognize the importance of records in providing evidence of such interaction).
4.17 The preceding discussion has tried to illustrate that the convergence of governance values and records management values is reflected in the goals and behaviour of three players: program officials at all levels, records management infrastructure builders, and citizens. If the conditions described above are reflected in the behaviour of these players then one could suggest that an organization has reached the highest level of maturity in terms of the way in which it is governing its business and managing the records that support this business. Moreover, it would appear from the above that it might be feasible to express at least the highest attributes of governance and records management as integrated rather than separate statements (though this remains to be tested).
4.18 Needless to say, not all organizations will reflect these attributes. Some will reflect a complete absence of record-keeping capability or a fragmented approach at best while others will be at various stages along an evolutionary path leading to the kind of records management maturity set out above. Similarly, the extent to which organizations are demonstrating the attributes of good governance will vary from those who are only beginning to establish governance frameworks to those that are reflecting the highest levels possible of a values-based governance framework.
4.19 Regardless of the governance or records management maturity levels displayed by an organization, one of the central features of a maturity model is that it does not pass judgment on whether or not a given organization has passed or failed. It is very much a diagnostic tool that permits an organization to assess where it is on a scale of maturity and if, where, and how it needs to proceed. While the first level may not be a desirable level, the subsequent levels may or may not be adequate depending upon the nature of the organization, its approach to governance and its approach to the establishment of a recordkeeping infrastructure.
4.20 An organization just establishing itself cannot be expected to reach the highest level of governance or records management maturity right away. It will require time and a systematic approach to the development of both its records management function (including the establishment of recordkeeping culture) and its governance framework before it can achieve the level of maturity enjoyed by other more values-based and records-sensitive organizations.
4.21 The exploration of the attributes of a maturity model for governance is beyond the scope of this paper. However, the foregoing discussion has attempted to illustrate how important it is to assess any proposed records management maturity model against a similar
maturity model for governance. While the remainder of this paper will focus on the attributes of a records management maturity model, subsequent work emerging from this current initiative should focus on the development of a relevant governance maturity model against which any proposed records management maturity model can be mapped.
4.22 The purpose of the next section of this report is to assess the applicability of the FCM model in terms of the extent to which it can help in the design of the structure and contents of a maturity model for records management and, most importantly, the processes by which such a model should be applied. The objective is to set the stage for the development of a working model that would not only provide an analytical tool to more precisely identify where given records management functions lie along an evolutionary path, but also how these functions can evolve in a systematic manner from where they are now to subsequent and more enhanced levels of records management maturity.
5. Assessment of the Financial Capability Model
5.1 In the absence of maturity models for records management and yet recognizing that such models could be extremely useful, the key question to be answered in this section is, “Can the Financial Capability Model (FCM) be used as the basis for the development of a similar capability model for records management?”
5.2 The short answer is yes. While the model is directed to the financial management function, its structure and, most importantly, the process by which it was developed, applied, and maintained can help to inform the development of a similar model for the records management function.
5.3 The potential role of the FCM is addressed in three parts:
• The model itself;
• The process by which the model was developed; and
• How the model should be applied.
The Model
5.4.1 One of the key features of the FCM is that it does not presume that an organization is either right or wrong in terms of its location along the maturity level (though it does explain that level one is not acceptable). This is extremely important. In the past, records management programs have been assessed on the extent to which they have either passed or failed. The audits of records management performed by the National Archives throughout the 1980s and the self-assessment guide that was produced by the Treasury Board Secretariat to measure compliance with the its Management of Government Information Holdings13 policy are examples of the black and white, either-or approach taken to assessing records management capacity.
5.4.2 The questions these instruments asked were along the lines of the following: Does the institution have the capacity or not to respond to the government’s recordkeeping requirements? If the records management program is inadequate in what way is it inadequate? This pass / fail approach to measuring records management capacity is a negative way of arriving at conclusions concerning the status and effectiveness of a records management program. They also fail to provide the road map most institutions are looking for to determine what needs to be done to mature beyond where they are and how quickly it needs to be done.
5.4.3 The application of a maturity model, however, provides a map of where the records management program is located along an evolutionary curve or scale of records management maturity. This understanding can then be used to make decisions concerning the strategies required (if any) to move from one maturity level to the next. In some cases, it may be concluded that remaining at Level 3, for instance, is entirely appropriate given the nature of the organization and where the organization is located in terms of its own evolution, especially in its reflection of the goals and objectives of good governance.
5.4.4 An example from the Department of Public Works and Government Services (PWGSC) using the structure of the FCM might help to illustrate the way in which a maturity model can become a road map rather than a yes / no compliance tool.
In 1998, the Superannuation program of PWGSC moved to Shédiac, New Brunswick. In the very initial stages, as the move was proceeding, it was safe to say that parts of the superannuation function were experiencing the attributes of a Level 1 stage of maturity.
As the disruptions caused by the move began to dissipate, however, the function evolved to Level 2 as it established basic processes and procedures for ensuring data integrity.
Once Level 2 was achieved, the function evolved to Level 3 as it implemented service level standards and other tools to help manage the organization responsible for the function.
The attributes of Level 3 formed the foundation for migration to Level 4 where the organization recognized the value of its financial information holdings in supporting sophisticated analysis and decision-making.
This set the stage for the evolution of the function to Level 5 where initiatives are underway to establish a continuous learning organization focusing on harnessing and exploiting financial information to achieve strategic objectives and the establishment of a knowledge-based organization.
5.4.5 This example illustrates the importance of ensuring that the state of a given records management function is assessed within the context of the state of the organization itself at any given point in time. Examples of this relationship from a governance perspective are provided in the main report. Another example, often experienced in the government, is
A given organization, having come through a major re-organization, may experience a Level 1 state of maturity as it seeks to establish or re-establish basic records management controls. As the impact of the reorganization subsides but before the new organization has evolved, a records management program reflecting Level 2 capabilities may be perfectly acceptable given the state of the organization at that point in time. As the new organization matures and becomes more established, however, its records management function will also need to evolve and mature.
The Maturity Levels
5.5.1 With respect to the levels themselves and based on the perspectives offered in section 2 it would appear that the maturity levels described for the FCM could be adapted for use in a records management model. The challenge, however, is to define the attributes of each records management maturity level and to have these accepted across a given jurisdiction.
5.5.2 Given that the definition of the maturity levels should be based on commonly-held values and beliefs, an added challenge will be the identification of the principles and values that would be expected to govern the records management function at any given maturity level. An effort to set the stage for this identification process was offered in the previous chapter.
5.5.3 While the levels described in the FCM could help to inform the description of similar levels for a proposed records management maturity model, other maturity models should also be examined. This would lead to a better understanding of what is involved in articulating the attributes of individual maturity levels. For instance, the E-Capacity checklist sets out a layered approach to the expression of maturity levels to guide federal government departments in identifying where they are located along the evolutionary curve of e-business maturity. The levels are expressed as follows:
“Level 1: Senior management is aware of the need for funding and limited funding
exists to support the e-government program. Resource requirements have not been identified.
Level 2: Senior management has made the initial funding and resource
commitments, but they are inadequate to achieve the objectives stated in the e-vision. Resource requirements have been identified.
Level 3: Senior management has made adequate funding and resource commitments
for the initial investment in e-government
Level 4: Future year resource requirements are being identified and addressed in
Level 5: Resource commitments for the e-government program are dynamically
adjusted based on benefits realization and client satisfaction.14”
5.5.4 The E-Capacity checklist and the FCM, similar to other maturity models, not only provide context concerning where a given organization is located along a maturity scale, they also provide guidance concerning how the organization can move from one level to the next. In the FCM, this is accomplished through the Key Process Areas (KPAs).
The Key Process Areas (KPAs)
5.6.1 The structure of the KPAs described in the FCM offer a useful basis for the expression of KPAs covering the records management function. Although the outstanding challenge remains of developing a shared view of the records management function and its maturity levels, the structure of the KPAs described in the FCM offer a useful model for the development of similar KPAs for the records management function. In effect, the adaptation of the structure of the KPA would help to operationalize the records management model thus making it much more effective and real.
5.6.2 The components of a KPA include a purpose statement, a statement of objectives and a statement describing outputs and outcomes. Also included in the KPA is a section describing the institution and its level of capacity to support the infrastructure required to support the KPA. In Level 4, for example, the KPA is described according to “commitment to perform”, “ability to perform”, “measurement” and “verification”. These are important components because they set out expectations concerning what needs to be in place from an organizational perspective to support the attributes of the maturity level. Appendix B contains an example of a KPA (“Enhanced Decision Support”) developed to support the 4th
level of financial management maturity described in the FCM.
Establishing a Framework for Records Management
KPAs
5.7.1 A useful starting point for defining the KPAs that underlie each of the records management maturity levels might be found in the records management infrastructure view described in the main report. Each of the “create”, “use”, and “preserve” activities performed on records comprise a set of actions.
• “create”: actions done to manifest information (i.e. bring it into existence) to support decision making, program delivery, and to meet accountability requirements. The actions include create, generate, collect, receive, etc.
• “use”: actions done with information to support decision making, program delivery, and to meet accountability requirements. The actions include transmit, exchange, access, retrieve, disseminate, share, exploit, etc.
• “preserve”: actions done to information to ensure it is authentic, reliable, available, usable, and understandable for as long as required to support decision making, program delivery, and to meet accountability requirements. The actions include: organize, describe, classify, retain, protect, store, migrate, dispose, etc.
5.7.2 The actions that comprise each of the three activities are managed by an infrastructure of policies, standards and practices, systems, and people. This infrastructure is required to ensure the effective management of the actions described above and to ensure that they support the business and accountability requirements of the program or programs. Each of the actions described above (e.g. create, generate, collect, etc.; transmit, exchange, access, etc.; organize, describe, classify, etc.) must be addressed individually and collectively by the components of the infrastructure (i.e. laws and policies, standards and practices, systems, and people).
5.7.3 According to this approach, each activity and its associated actions are embraced by policies, standards and practices, systems and technologies and people. These inter-relationships may be viewed in the form of a matrix as illustrated below (see figure 5.1).
Component Policy Standards Systems People
Activity Create Generate Create Collect Capture Receive Use Access Retrieve Transmit Disseminate Exchange Share Exploit Preserve Identify Organize Describe Classify Store Protect Migrate Dispose
Figure 5.1: Matrix of the Records Management Infrastructure
5.7.4 The matrix would be like a checklist in which one could identify where policies, standards, etc. are already in place, what level of maturity they are reflecting and if any gaps exist. For instance, the protection of records requires laws and policies, standards and
practices for protecting information, systems and technologies to enable information to be
protected, and people with the required knowledge and skills to build and maintain the infrastructure required to ensure that information is properly protected. While all of these may be in place for “protection” they may not be in place for some other action (e.g. classify).
5.7.5 Moreover, they may reflect different levels of maturity. Under protection the policy may reflect a high level of sophistication but the people required to carry out the policy may reflect a low level of knowledge and skills. As a result the contents of each box in the matrix will vary according to their maturity. Collectively, however, they present an overall level of maturity for the entire records management infrastructure (e.g. conceivably there could be 5 or 6 such matrices, each representing a distinct level of records management maturity). 5.7.6 While the matrix may be useful in defining maturity levels, a road map must also be provided to help organizations migrate from one maturity level to the next. This is where the power of the KPA comes in. The KPA, as presented in the FCM, could be a useful model for the development of similar KPAs for the records management function. A set of records management KPAs as derived from the matrix approach described above could serve as a useful basis for capturing the records management road maps organizations will be looking for.
5.7.7 According to this approach, for each maturity level (e.g. Levels 1 to 5) there would be at least four KPAs -one for laws and policies (including assigned accountability), another for standards and practices, another for systems, and another for people (including awareness). Under each KPA a set of activities would be defined with each activity addressing a specific action (or grouping of actions) but expressed in a manner that reflects the given level of maturity (e.g. Level 4). An example of what such a KPA might look like is provided below for standards and practices based on a sample records management maturity level of 4.
Records Management Maturity Level:
Level 4: An infrastructure is in place to ensure that the right information in authentic and reliable records is provided to the right person at the right time in the right format at a reasonable cost.
KPA:
Standards and Practices
The purpose of the KPA is to ensure that standards and practices are in place to manage the mechanism creation, use, and preservation of records
KPA Objective:
To develop, implement, and review standards an practices for documenting programs and activities, providing direct records management support to knowledge management initiatives, assigning archival status to files before records are created, etc.)
KPA Activities (one for each action or grouping of actions):
AC-1 The organization has established criteria for helping users create the
records required to document their activities
AC-2 Standards and best practices are in place to manage the capture of
records.
… …
AC-6 The transmission and dissemination of information in records to
users in the organization is optimized through the application of standards and practices.
… …
AC-15 Retention standards are in place to control the length of time records
are to be held to support business needs and to comply with law and policies
AC-16 Security standards and practices have been applied to ensure the
protection of records from unauthorized or inadvertent destruction
AC-17 Records disposition is in accordance with approved retention and
disposition authorities.
Institutionalization Common Features (in support of the KPA)
Commitment to Perform:
The organization establishes, communicates and follows organizational and central agency policies and procedures for the development of standards and practices for the management of records. These policies and procedures guide the organization’s efforts to prepare realistic standards development, implementation and review plans that are in line with the recordkeeping requirements and objectives of the organization’s business lines and in compliance with laws and policies.
Ability to Perform:
The organization establishes, communicates and maintains a standards development, implementation and review plan for the records management function.
The plan typically covers the strategies and goals, work plans, resources required, roles and responsibilities, for standards development, implementation, and review that supports directly the needs of the business and compliance with central agency and organizational policies and directives.
Adequate resources (e.g. human, physical, technical, and financial) are provided for the standards development, implementation and review activity. Responsibility, accountability and authority for the standards development, implementation and review activity are assigned.
Individuals performing the standards development, implementation and review activity receive appropriate training.
Measurement:
Performance indicators are used to monitor the status of the standards development, implementation and review activity.
Verification:
The activities, outputs and controls associated with the standards development, implementation and review activity are independently reviewed to ensure that they meet the organization’s needs and that the activity is performing as intended.
The responsible manager reviews the standards development, implementation and review activity on a continuous and event-driven basis. The organization has mechanisms for providing senior management with assurance that the standards development, implementation and review activity has been carried out properly and effectively.
5.7.8 This structure could be repeated for each of the KPAs (i.e. laws and policies, standards and practices, systems, people) that collectively comprise a given maturity level. If five levels are established for a records management maturity model then it follows that there would be at least 20 KPAs (5 levels x 4 KPAs).
5.7.9 The challenge, however, is not the application of the structure of the KPA to the records management function. The greater challenge is the definition of the records
these levels. Hopefully, the example provided above, the model approach based on the matrix, and the proposed records management maturity levels set out in the next section will be useful in addressing this challenge.
6. Towards a Maturity Model for Records
Management
6.1 The previous section of this report explained how the FCM could be used as the basis for the development of a similar maturity model covering the records management function. This section addresses the steps involved in moving towards the development of such a model. Three points are important to highlight in this regard:
• If public sector organizations are to understand how well their records management functions are performing in terms of objectives such as transparency, trust, protection of entitlements, the development and application of a records management maturity model similar to those being developed for other resource management functions is crucial;
• The OAG’s Financial Capability Model, as informed by other related models such as those associated with e-government capacity measurement, records management checklists, as well as models under development by the World Bank, provides an excellent basis for the development of a similar maturity model for the records management function.
• A records management maturity model should be mapped against a similar maturity model for governance. While an assessment of the feasibility of establishing such a model is beyond the scope of this project, such an assessment should be conducted to ensure that any emerging records management model is used in context.
6.2 These points are important to confirm. If they are not shared by those reviewing this report, then it will be nearly impossible to move forward on the development of a relevant model for the records management function.
6.3 In order to advance the development of a records management maturity model, this section builds on the previous sections by proposing a framework within which a more comprehensive and detailed maturity model might be developed. In effect, it is designed to jump-start efforts to develop a records management maturity model that is effective and relevant and that can be implemented in any public sector organization.
6.4 The following generic view of a proposed records management maturity is based on the records management infrastructure model described in section 4 as derived from an analysis of the structure used in the FCM. The levels of maturity described below are not intended to pre-empt the much-needed exercise of building a comprehensive and relevant
maturity model for records management. Rather, they are intended to illustrate the kind of framework against which any proposed maturity model would need to be developed.
6.5 The perspective begins with an expression of the five levels of maturity for a records management function:
Level 1: An infrastructure for managing records is not in place. Records are created,
used and retained based on protocols established by individuals or work groups.
Level 2: An infrastructure is in place for controlling the retention, protection, and
disposition of records. The relationship between records management and business needs is weak.
Level 3: An infrastructure is in place to ensure that records are created to document
business activities, that records are accessed and retrieved effectively and that they are retained and disposed of according to corporately approved standards and in compliance with laws and policies. The relationship between records management and business needs is strong.
Level 4: An infrastructure is in place to ensure that the right information in authentic
and reliable records is provided to the right person at the right time in the right format at a reasonable cost.
Level 5: An infrastructure is in place to exploit information in records to meet the
needs of a knowledge-based organization functioning in a continuous learning environment.
6.6 A set of 4 KPAs (laws and policies, standards and practices, system, people) would be associated with each maturity level and a set of “actions” and “Institutionalization Common Features” (not included in this example) would be described for each KPA. 6.7 For instance, under ‘laws and policies’ the progression of KPAs might be reflected as follows:
Level 1 - fragmented or existent laws and policies leading to fragmented or non-existent accountability frameworks for records management;
Level 2 – laws and policies are in place assigning responsibility for basic records management functions such as file classification, retention and disposition, etc.; Level 3 – laws and policies assign responsibility for records management to a senior manager in the organization; policies acknowledge records as important assets in the delivery of programs and activities (though not so much as instruments of accountability);
Level 4 – laws and policies acknowledge the strategic role of records in the achievement of the strategic goals of the government; policies reflect the central accountability of heads of departments and agencies for the management of records as strategic assets; and
Level 5 – laws and policies acknowledge the role of records as instruments of accountability and as direct contributors to transparency and the reinforcement of public trust and citizen engagement.
6.8 Under ‘standards and practices’, the progression might appear as follows:
Level 1 - fragmented or non-existent standards and practices that would have otherwise regulated the management of records;
Level 2 – standards and practices are in place to manage the retention and disposition of records already created by selected programs and activities; archival records have yet to be identified;
Level 3 – standards and practices are in place to manage the use of records across all programs and activities based on their classification, the application of access and retrieval tools and techniques, etc.; the retention and disposition of records across all programs and activities is systematized to the point where archival records can be identified and scheduled for transfer to the National Archives;
Level 4 - standards and practices are in place to manage the creation of records in addition to their use and preservation (i.e. standards for documenting programs and activities; providing direct support to knowledge management initiatives; assigning archival status to files before records are created; etc.); and
Level 5 – standards and practices are in place to help the organization harness the information in its records, combine it with the intellectual capital of its staff and exploit it to support the objectives of a learning organization and a transparent accountable government.
6.9 Under ‘systems’ the following maturity levels might be identified:
Level 1 - fragmented application of or non-existent technologies that would have otherwise enabled effective records management functions
Level 2 – basic desktop applications are used to mange the location of files (largely paper based); users submit requests for files via manual means;
Level 3 – automated tools are in place to support the file classification scheme and some aspects of the records management function (e.g. retention and disposition; charge in and charge out; etc.); a shared directory may h