Audit of Governance of Information Management

2 Summary of Findings

2.1 IM Governance

  • The Information Management Directorate (IMD) is a relatively small group that is accountable for IM governance activities across the organization.
  • An IM strategic plan was created in 2007. The plan was approved by the EMC, but there is little evidence that its recommendations were implemented. A new IM strategic plan is currently under development.
  • The Information Management Steering Committee (IMSC), chaired by the Director General of IMD and with DG-level members from all branches, was set up to provide strategic direction to the IMD on the impact of information management practices on business. Despite the strategic nature of the committee, specific responses to IM issues have yet to be developed into actionable plans that can be implemented across the organization.
  • Senior management across various regions/directorates have indicated they are unaware of the key contacts for concerns or issues on IM. In the absence of relationships between these managers and IMD key contacts the various areas within EC conduct IM practices as they see fit, seeking only limited guidance from the IM Directorate.
  • IM training is not delivered consistently across the department. There is no training plan for IM in the Department; training is provided only when requested; it is not actively promoted; and the IMD has hired no staff specifically assigned to deliver it.

2.2 Recordkeeping and Disposition

  • Some progress has been made towards meeting the Directive on Recordkeeping requirements to be enforced by 2014, but opportunities for improvement remain.
  • Recordkeeping requirements and standards, such as the need to identify information resources of business value, to protect that data and the need to carry out activities that support good recordkeeping, are not consistently understood by managers across the Department. Each directorate’s recordkeeping practices are different, and are influenced by the tools they have at hand, such as SharePoint, shared drives, Microsoft Exchange,Server, etc.
  • An inconsistent understanding of disposition authorities was observed. Guidance is available to employees through best practices on how to dispose of administrative, operational and transitory records, but such guidance is not actively promoted.

2.3 Information Classification

  • Guidance on security classification of information is available; however, interviews indicated varying levels of employee awareness.
  • For the most part, the treatment of hard-copy information is well understood; however, there is no central inventory of these information holdings.

2.4 Tools and Processes

  • Tools are used to foster collaboration, to improve document management practices, and to increase efficiency within the organization. Each EC area employs whatever tools are available in a manner considered to be suitable for operational needs. Although these tools function within an operational unit, a common departmental approach to ensure the consistent use of tools and technologies does not currently exist. Quite often, the tools were chosen or developed when each program was managing its own IM/IT function. With the integration of the IM/IT function into the CIOB, this diversity of tools and technologies has made IM in the Department complex and costly to maintain and this has reduced the reusability of the information being maintained.
  • The lack of a consistent EC approach to IM limits the ability to share, leverage and find information. The IMD has indicated that they have limited capacity to provide guidance, standards and support to programs. This means that a number of high-priority projects each year must be carried out with little or no guidance or support from the IMD. This, in turn, increases the complexity and the cost of maintenance of resulting information, applications and systems.

2.5    Recommendations from prior audit work

  • Two of the three original recommendations arising from prior audit work (development of tools and processes for IM and on-going efforts to communicate IM responsibilities and increasing overall IM awareness) are still valid and will be addressed by the action plans for recommendations from this audit. One of the recommendations (requirement to build a business case before acquiring a records management system) is no longer applicable in the current environment and will be closed. 
  • We note that opportunities exist for improvement in the preparation of management action plans so that they respect the risk tolerance of the Department and are realistically actionable, given the levels of resources available.

Date modified: