Using the Business Systems Assessment Framework
Assessing information management functionality in business systems
The Business Systems Assessment Framework provides a streamlined, risk-based approach to the assessment of information management functionality in business systems. It is based on Part 3 of ISO 16175 Principles and Functional Requirements for Records in Electronic Office Environments.
The framework provides a consistent approach for Australian Government agencies in assessing business systems for information management functionality.
The framework will enable your agency to better manage its business information through:
- assessing information risks and values
- identifying the systems functionality required to manage information appropriately
- providing solutions to address gaps in a system's ability to manage information
- ensuring greater accountability and transparency
It recognises that not all information is of equal value. It has been developed so that business systems managing high-risk and high-value information undergo a more extensive assessment than systems managing low-risk information.
The framework can be applied to both new and existing systems. It can be used by information and records management practitioners, ICT staff and business owners. The framework does not apply to Electronic Document and Records Management Systems (EDRMS).
The Business Systems Assessment Framework is a key product supporting the Digital Continuity 2020 policy. It supports:
- Principle 3 (information and systems are interoperable) by providing a consistent approach to business systems
- Principle 2 (information is managed digitally) by helping to identify and treat weaknesses in business processes such as paper-reliant workflows and approvals
- Principle 1 (information is valued) by providing a key tool for building sound information governance in your agency
What’s in the framework?
The framework has three phases:
- Phase 1: Risk assessment
- Phase 2: Assessment of information management functionality
- Phase 3: Implementing solutions.
Phase 1: Risk assessment
This phase will help you to prioritise which systems need to be assessed for information management functionality. You should perform this top-level risk assessment on each of your business systems to help you determine which need to progress to the next phase and which do not need to advance further.
The risk assessment consists of six decision points or questions that test your risk tolerance:
- Three decision points determine the importance of the system and information. If the system and the information have sufficient risk or value, the risk assessment guides you to the Information is trusted module in Phase 2.
- One decision point relates to disposal and asks whether there is sufficient business benefit for managing disposal within the system. In instances where you intend to dispose at the whole-of-system level, there is no need to assess its disposal capability.
- Finally, there are two decision points that relate to longer-term access. In this case, longer-term means longer than you expect to keep the system. It is not a reflection of longer-term preservation needs. These questions will help you determine whether export or import functionality is a requirement for your system.
Depending on the outcomes of the risk assessment, you may then be required to complete up to four of the Phase 2 assessment modules.
Phase 2: Assessment of information management functionality
The Phase 2 checklist, which includes additional guidance, will assist you. Only assess against the modules identified in your Phase 1 assessment. You may also find this diagram of Phase 2 (pdf, 1250kB) useful.
For each system, you are asked a series of questions depending on the modules suggested in the Phase 1 risk assessment. The four modules are:
- Information is trusted
- Disposal is accountable
- Export/import
- Reporting
Module 1: Information is trusted
This module helps determine if you can trust the information in the system. It is based on the records characteristics described in ISO 15489: Australian and International Standard for Records Management. The mechanisms for meeting the requirements in this module rely wholly on the system's metadata.
Module 2: Disposal is accountable
This module is for those cases with a business need to manage disposal within the business system. The key functions are to:
- manage disposal at the appropriate item or aggregated level
- destroy information in the way you need to
- manage multiple disposal classes if you need to.
Module 3: Export/import
Export/import functionality may be a business or information management requirement depending on what you need to do with the data over time. There may be a requirement to import long-term temporary or permanent information into a new system when the existing system is no longer supported or the cost of maintaining the system over time is significant. Export/import functionality is vital for information management through machinery of government change, or restructure or reorganisation within agencies.
Module 4: Reporting
This module asks if the system is capable of reporting on information management processes such as the number of records due for destruction on a particular date. Accurate and efficient reporting is essential for accountable information management. Most systems are capable of generating reports. Often it is a case of configuring the systems to produce the types of reports required for a particular business need.
Phase 3: Implementing solutions
Phase 3 provides suggestions on how to manage any shortfalls, gaps or risks identified in Phase 2. The decision to actively address an identified gap or risk will be based on your agency's risk tolerance. Where you have identified a risk or gap in Phase 2 (where you have answered 'No' to any of the assessment questions), you will need to consider if it is acceptable to your agency.
If the risk is acceptable, make a record of the decisions and reasons in the system information management plan.
- build in
- integration
- external (export)
- external (governance).
Solution 1: Build in ‒ configuring, modifying or upgrading the business system to manage the risk or gap. For example, if you have identified that you cannot prove the information is authentic, you might build in this functionality by configuring metadata fields to capture additional information to support authenticity.
Solution 2: Integration ‒ integrating the business system with another system to manage the risk or gap. For example, if disposal is not controlled, systematic and recorded in a particular system, you could manage the gap by integrating the business system with your agency's EDRMS and managing the disposal process there.
Solution 3: External (export) ‒ managing the risk or gap by exporting the relevant data so it can be managed in a separate system. For example, if the system cannot generate reports of its information management processes, consider exporting the data periodically into a format that allows you to interrogate the data (for example, spreadsheets).
Solution 4: External (governance) ‒ managing any risk or gap by implementing procedures and business rules. For example, if the system cannot prevent unauthorised changes, consider controlling access to the system by using business rules and security protocols.
You may find this diagram of Phase 3 (pdf, 877kB) useful.
You may also find that it is useful to read the standard ISO 16175-3:2012 Guidelines and functional requirements for records in business systems. This publication provides background information on the importance of records management and describes key terms and concepts. It also specifies mandatory and optional records management functional requirements for records in business systems.
Before you begin
The framework is part of a larger suite of information governance tools. To assist with assessing your business systems, you should have:
You need to identify the systems in your agency. One way of doing this is to create a systems register listing all the business systems in use in your agency including any legacy systems. The register should list key details about the system including name, version, business owner and a summary of the type of information held. It should also indicate where systems are linked to, and relied on by, other systems. The details in the systems register will help you to prioritise which systems to assess. High-risk and/or high-value systems should have priority.
Identifying all the systems in use will help you keep track of where you are up to with your assessments. If you do not have a systems register, a good place to start to identify systems would be your ICT area. You may also be able to draw on information from your business continuity plan, Check-up Digital assessments or information review findings.
Systems information management plan
The assessment of each system should be documented in a systems information management plan template. This plan:
- will link to your systems register and other information governance documents
- should cover all relevant information about the system including software, business owners, how it will be managed over its life and details about its assessment against the framework
- may extend to systems and technology hosted in the cloud, or via social media and mobile devices.
You need to know what metadata is needed to meet your accountability needs.
The Archives base-level requirements can be found in our minimum metadata standard. This is based on the Australian Government Recordkeeping Metadata Standard 2.2 (AGRkMS).
- Phase 1 – Risk assessment checklist (docx, 105kB), (pdf, 396kB)
- Phase 1 – Risk assessment diagram
- Phase 2 – Assessment of information management functionality checklist (docx, 103kB), (pdf, 328kB)
- Phase 2 – Assessment functionality diagram
- Phase 3 – Implementing solutions diagram
- System information management plan template (docx, 100kB), (pdf, 308kB)