Managing high-value and high-risk information at Commerce Commission of New Zealand
Read about how the Commerce Commission achieved the ‘Maturing’ rating level for management of high-value/high-risk information in an information management maturity assessment.
Moving up the maturity curve
When it comes to high-value and high-risk information, the Commerce Commission of New Zealand (the Commission) sets a good example.
The 2021 audit, conducted remotely because of the COVID-19 restrictions in place at the time, rated the Commission at the ‘Maturing’ level (one step below ‘Optimising’, the top level) for management of its high-value/high-risk information.
Read the full Public Records Act 2005 Audit Report for the Commerce Commission of New Zealand
Over recent years, the Commission has been successful in moving the organisation up the maturity rating for several professional disciplines, including information management (IM). For the executive sponsor, certain key factors that the Commission has introduced also apply across all the IM topics. These include putting the right IM foundations in place, having a targeted focus, and using a phased approach.
Commerce Commission of New Zealand
The Commission is an independent Crown entity promoting market efficiency by enforcing and fostering healthy competition.
Its wide-ranging responsibilities include managing various regulatory systems under a wide range of legislation covering everything from commerce and fair trading to credit contracts and consumer finance, infrastructure industries (from telecommunications to fuel, gas and electricity), and aspects of the dairy industry.
The Commission creates and holds many high-value, high-risk public records — including research and analysis monitoring information, information gathered during market studies, and compulsorily acquired information about the ongoing operation of New Zealand markets. Along with commercially sensitive and legally privileged information, the Commission also receives thousands of complaints and enquiries that contain personally identifiable information.
The role of the executive sponsor
In a public sector organisation, the executive sponsor has strategic and executive responsibility for overseeing information and records management. The organisation’s administrative head retains the ultimate responsibility for ensuring that information and records management is implemented, and that the organisation complies with the Public Records Act 2005 (the Act).
The Act requires public sector organisations to create and maintain full, accurate and accessible records of central and local government affairs. Information and records must be correct and trustworthy, and accessible until their authorised disposal by the Chief Archivist.
The Commission has about 440 full-time equivalent staff members. The executive sponsor at the Commerce Commission is responsible for the recently merged data and information teams, and is also a member of the Information Service and Security Governance Group (ISSG).
Developing maturity
The Act provides tools and empowers the Poumanaaki Chief Archivist and Te Rua Mahara to support public sector organisations in their creation, management, disposal and preservation of information and records, including data. This includes scheduled third-party, point-in-time audits aimed at assessing IM maturity.
An IM maturity assessment can identify areas for improvement, track organisational trends if used over time, and provide data to support IM strategies, plans and business cases.
Maturity journeys
Nine key factors have been identified as influencing the Commission’s successful progress with its IM maturity over recent years. These factors can be applied across the IM maturity topics and other professional disciplines.
Follow or use an external reference model, such as consulting with other government organisations.
Have honest conversations about where your organisation is at.
Set a clear target for where you want to get to.
Build foundational capabilities first.
Progress, step-by-step, through the maturity phases, to develop and build maturity over time, recognising that it may be a 3-year journey to get there.
Manage the process like a change programme, taking the whole organisation on a journey to change behaviours and practices.
Resource the effort.
Set realistic timeframes.
Organisational buy-in is a must, starting at governance level.
Building up to an audit
Audit reports from other organisations on our website are a good source of information about what auditors are looking for.
Assess your organisation first and organise the supporting evidence in advance.
If you have a gap to close, make an action plan.
Recognise that some things will be more important to auditors than they are to you, so don’t be afraid to challenge draft findings.
Managing an asset register
An information asset register is fundamental to achieving the ‘Maturing’ rating for high-value, high-risk information. A functioning asset register is dependent on having strong foundational disciplines for information and asset management.
To demonstrate that it is committed to treating information as an asset and managing it accordingly, with full support across the business, an organisation must ensure the following.
Current and legacy information assets (digital and physical) are documented in an information asset register (or similar), such as the resources available on the Te Rua Mahara website. This includes good systems documentation (closely linked with IT information and architecture) and clear ownership.
A process is in place to ensure the information asset register is current and maintained to meet any technical or regulatory changes. The updating process needs to have a business owner who must understand that it’s their responsibility to maintain the register.
Risks to high-value/high-risk information assets are identified. These should link to an organisation’s risk management and cyber security frameworks, and ideally should be assessed by the business unit responsible.
Watch the webinar linked below for a more in-depth explanation of how these can be achieved.
Managing high-value, high-risk information
The Commission has an information asset register that includes current and legacy information assets. The register is in Microsoft Excel, and high-value and high-risk information and records are formally recorded in the register.
The register is regularly updated and new information assets added. The Knowledge and Information team reviews the information asset register every six months to identify any missed assets.
Risks to high-value and high-risk information assets are identified. For example, natural disasters and loss of devices containing information are both risks that have been identified as part of business continuity planning.
The Commission holds most of its digital information in a cloud-based Enterprise Content Management system (ECM). However, some digital information (such as recordings and video files) cannot be stored in the ECM and is therefore stored on shared drives.
A systematic approach
Taking a systematic approach to the management of government information is all-important. This starts with understanding what information must be created and captured. Public sector organisations are required to create complete and accurate records of their business which, for good management, involves knowing what high-value, high-risk information assets are held.
A high level of support and a commitment to building strong foundational disciplines is essential for the development and effective management of information assets.
Sharing good practice beyond audit webinar
This case study was originally presented as part of a joint webinar we organised on sharing good practice beyond audit. This was an opportunity for both Executive Sponsors and government IM practitioners to listen and share IM practice across the sector.
Watch the full Sharing good practice beyond audit webinar
The speakers shared their practice approach on specific topics from the Information Management Maturity Assessment:
Kate Kolich: Topic 3 Governance and the Executive Sponsor (presentation begins at 13 minutes into the webinar video)
Ralph Chivers: Topic 11 High-value/High-risk information (presentation begins at 34 minutes into the webinar video)
Helen Quaggin-Molloy: Topic 1 IM Strategy (presentation begins at 55 minutes into the webinar video).
Kate Kolich is the Assistant Governor/General Manager Information, Data, and Analytics and Executive Sponsor at the Reserve Bank of New Zealand.
Ralph Chivers is the Acting General Manager of Organisation Performance and Executive Sponsor at the Commerce Commission New Zealand.
Helen Quaggin-Molloy is the Manager, Information and Knowledge Management at the Office of the Ombudsman New Zealand.