An information review is a key component of an effective information governance program. It:
- identifies your agency's most valuable information assets. The Building trust in the public record policy recommends that agencies register their information assets where there is business value in doing so (action 5).
- evaluates the ability of your agency’s information assets to meet its business needs and outcomes, consistent with your agency’s information governance framework
- supports enterprise-wide governance for records, information and data as recommended by the Building trust in the public record policy (action 2).
Why conduct an information review?
An information review can be done for a number of reasons to support your agency’s information management practices.
Understanding how information assets help meet business needs
An information review should focus on the quality of your information assets. It may consider:
- what information is created, captured or used
- who needs to use it, including internal or external stakeholders
- how effectively information assets meet the needs of the business and users
- how long they need to be kept
- who is accountable for ensuring specific information assets remain fit for purpose.
Assessing the strategic opportunities and operational risks of information assets
An information review may consider:
- potential benefits and efficiencies in the use of information assets
- sensitivities such as privacy and security
- information assets that are being underused or misused
- areas where insufficient or untrustworthy information assets hinder business practices or accountability.
An information review may:
- build on the outcomes from existing interoperability projects
- work alongside active projects to benefit from their outputs
- inform next steps for building interoperability across specific business areas.
Create a shared understanding and program to manage information assets
An information review supports your agency’s information governance framework and mitigation strategies for information management related risks.
Benefits of an information review for your agency include:
- enabling business continuity planning for information assets
- having necessary information discoverable, indexed and described, ready to respond to enquiries, business audits and emergency response situations
- identifying silos of information that have wider use across your agency. Breaking down silos and sharing information appropriately will build interoperability and maximise business benefits
- supporting the development of an information architecture. This helps your agency understand its information structure and to plan for the future
- documenting datasets created or held by your agency and the business systems that generate or retain them. These can then be strategically managed
- identifying information assets that can be made available to the community and key stakeholders
- developing or maintaining other information-based resources such as controlled document registers, data catalogues or data inventories
- maintaining corporate knowledge and lessons learnt after a major transition such as an administrative change or at the end of a major project
- aligning with the principles of the Information Management Standard for Australian Government
- informing the development of a records authority
- meeting obligations for an Information Publication Scheme, as required by the Freedom of Information Act 1982.
Steps of an information review
Below are suggested steps for conducting an information review. You can customise these steps to address your agency’s own work environment and business needs.
Step 1: Determine the purpose and scope
The scope of your information review will depend on its purpose, the size and complexity of your agency and its business, and its information assets.
A complete enterprise-wide review can be done to help address common concerns for all information assets. In comparison, a review focusing on specific business systems might use a staged approach with multiple smaller reviews. These can target priority business areas, processes or activities.
Your review should focus on your agency’s most important business activities and identified areas of risk.
The project’s purpose and scope should:
- target areas where poorly managed information assets are hindering effective business or undermining accountability
- consider ways to realise the full value of information assets
- apply the work and findings of other supporting projects
- prioritise issues according to your agency’s strategic and risk management frameworks.
Below are some example scenarios to help scope your information review.
Scenario 1: Enterprise-wide system overview
In this scenario the value of information assets throughout the agency is unknown. The agency has not clearly identified business-critical assets or legacy assets that are no longer required.
In this case, the purpose of the information review is to:
- identify high-value information assets and the business areas that create, manage and use them
- identify legacy information assets that are no longer in regular use
- investigate the cause of identified issues.
In this scenario the review should have a broad scope across your agency and include less-detailed review of individual information assets or supporting systems. This type of review may be used to help identify trends or prioritise follow-up actions.
Scenario 2: Compliance audit
In this scenario the agency is concerned whether sensitive information assets (such as those with privacy or security related risks) are being managed appropriately in business systems.
In this case, the purpose of the information review is to:
- identify systems that contain sensitive information assets
- understand whether these systems’ security measures are appropriate for the information assets stored in them
- identify whether permissions and user rights for accessing information assets are configured and managed appropriately.
In this scenario the review should have a narrow scope. It focuses on individual information assets and the business systems that contain them.
This type of review may be used to address a particular risk across many systems or business functions.
Scenario 3: Reviewing silos
In this scenario the agency has pockets of information assets that many business areas could benefit from using, but do not know about.
Discovering and accessing the information assets is a time-consuming process. The siloed nature of information assets also compromises interoperability.
In this case, the purpose of the information review is to:
- identify information assets that are difficult to find and access but that have a broader application in the agency
- identify systems or business processes that create silos of inaccessible information assets
- investigate the causes of identified issues. Findings from a recent data quality assessment can be used for data analysis.
In this scenario the review should have a narrow scope. It focuses on similar business activities and supporting information assets to understand how information is used in each business context.
Step 2: Get management support
Once you have confirmed the purpose and scope of the information review, you will need the formal support of a senior management sponsor who understands the benefits of the project.
Management support will encourage cooperation from business owners across your agency and help get agreement for required actions during or after the review.
Step 3: Gather sources
Things to consider when planning your review:
- What questions does the review need to answer, or what insights does it need to provide? Will the identified information assets provide these answers? What other questions might need to be asked as part of the review and what additional information could support this?
- Are your sources primary (created for the review project) or secondary (already existing from other projects or business procedures)? How long will they take to gather?
- How will information from these sources be analysed to support the project’s purpose?
- What resources are available for analysing the information? Does your agency have the necessary expertise, time and money?
Your review should also consider other available sources of information about your agency’s information assets:
- Check-up results, which can provide a baseline for your review.
- Staff surveys. These can quickly identify issues for investigation across a range of information assets or lines of business.
- Other projects. Research from data migration, data indexing and discovery and data quality assessments can give your analysis a head-start.
- Checklists or templates. These can retrieve similar, structured criteria across a range of information assets or lines of business. Guiding criteria such as mandatory data fields can help with this method.
- Focus groups. These may discuss problems shared by the business owners of information assets.
- Interviews. Talk to business owners for a better understanding of a specific information asset or business process.
- Reporting. Most information management systems generate custom reports that can be used to address specific questions.
More than one method can be used to gather the necessary information to support the review. For example, interviews or focus groups are often most valuable if basic information is first gathered through surveys or checklists.
Your business intelligence or information technology teams may be able to help you identify available sources to support the review.
Questions to ask when conducting the review
- What are the core information assets created or used in relevant business areas?
- What information assets serve business purposes?
- Who creates and uses these information assets?
- Who is responsible for maintaining the information assets?
- Are there problems or issues that reduce business effectiveness, such as timeliness, accuracy or completeness of the information asset? Can the information be trusted and can you prove it hasn’t been tampered with?
- What is the value of the information asset? Is it critical for business and community? How long will the asset hold its value?
Depending on the purpose of your information review, you may wish to collect additional information about:
- legislation, standards, policies, procedures and commitments that dictate how business activities are carried out
- security or privacy issues relating to the information asset
- systems and technology used to create, manage and access the information asset
- location and security of the information
- possibilities for reusing information
- changes to business practices
- the format or volume of the information
- rules or restrictions for altering the information
- how long the information remains useful for agency business
- duplicated information
- consequences of the information asset being unavailable. Are there adequate backups?
- if the information asset is in paper or other physical format, have you considered transitioning to a digital format?
- suggestions to improve the way the information asset is managed
- opportunities for (and barriers to) making the information available to the community.
Step 4: Analyse the information from your sources
Plan your analysis of the information from your various sources to support the purpose of your review. This step should include:
- assessing and preparing the information at a high level. Can it be analysed as you planned?
- analysing the information and documenting the results
- identifying information assets that can be included in an information asset register or similar inventory
- forming your review recommendations.
About information asset registers
An information asset register is a structured list that helps identify, control and monitor information assets within your agency.
An information review project often results in updating an existing information asset register or creating a new one. Registers can be used for regular monitoring and as templates for future reviews.
The National Archives' advice on designing and maintaining an information asset register and the information asset register template (XLSX, 88kB) can help your agency plan how to use a register to support your information review.
Step 5: Report your findings
The report from your information review should bring together the results of your information analysis to:
- highlight the strengths and weaknesses of each information asset
- present opportunities to better use or apply information assets
- identify the business processes that specific information assets support
- outline the key issues identified and the significance and status of each
- recommend actions for addressing these key issues to your agency’s information governance committee and other stakeholders.
Areas of weakness may include information assets that:
- are not fit-for-purpose
- are unavailable to those with a legitimate need
- do not appear to serve a purpose or are underused
- are duplicated.
Recommended actions as a result of an information review may include:
- undertaking functionality assessments of newly discovered assets or those likely to have critical risks
- raising key issues to your agency’s information governance committee
- establishing registers and reporting mechanisms to monitor information assets
- adapting the management of information assets to align with relevant standards, policies, guidelines or procedures
- targeting resources to address risks or make use of opportunities
- preparing valuable information assets for appropriate public use or sharing.
The research, analysis and findings of your report may also inform other strategic documents, such as your agency’s information governance framework and enterprise-wide information management strategy.
Your business processes and their information assets are always changing. Performing regular information reviews lets your agency:
- monitor the status of core information assets and update information asset registers
- account for a growing range of information assets
- ensure you are making decisions using current and complete information assets
- identify new issues, weaknesses, strengths and opportunities
- adjust its actions to reflect any changes or developments in its business environment
- monitor and improve its overarching information management practices.
Once an information review process has been established, it can be adapted for future review projects.