Part of a Bigger Picture

For instance, the IT team’s capacity to provide secure and accessible digital records is contingent upon strong RM practices, while legal and compliance departments depend on RM to uphold data protection, retention, and regulatory requirements. Similarly, human resources’ ability to manage sensitive personnel files and risk management’s efforts to identify and mitigate organisational threats both hinge on the integrity of records management. Finance, too, is dependent upon RM for accurate auditing and transparent financial reporting. 

Therefore, to create a truly coherent governance structure, these functions must collaborate and coordinate with RM at the centre, agreeing on mutually reinforcing policies, procedures, and responsibilities. By placing RM at the heart of the governance framework, records managers ensure that governance objectives are consistently and effectively supported throughout the organisation. 

Moreover, an effective governance framework must establish robust processes for surfacing RM issues and disseminating information at every level. By ensuring records management is a fixed topic within key corporate meetings—such as leadership briefings, departmental reviews, and cross-functional forums—it is recognised as a strategic dependency and remains prominent on the executive agenda. This integration guarantees that leadership is both informed and engaged, thereby supporting timely and strategic decisions that reinforce RM’s central role. 

Finally, clear and structured communication channels should be defined to ensure that information about RM flows both upward to senior leaders and downward to all staff. This may be achieved through team meetings, internal communications, or digital platforms, embedding RM responsibilities and updates into the fabric of organisational life. Such an approach promotes transparency, strengthens compliance, and reinforces the understanding that effective records management is not a peripheral concern but a critical dependency underpinning the entire governance framework. 

Data Controller 

The Data Controller is the entity—often an organisation or sometimes an individual—that determines the purposes and means of processing personal data. This role is central to data protection compliance and includes: 

• Deciding what data is collected and how it is used. 

• Ensuring data processing follows legal and ethical standards, especially under the UK GDPR and Data Protection Act 2018. 

• Implementing policies for security, retention, and lawful sharing of data. 

• Responding to data subject requests and overseeing breaches or incidents. 

This is often the Chief Executive or leadership team.  

Information Asset Owner (IAO) 

Information Asset Owners are typically senior staff responsible for specific information assets (collections of records or data sets). Their key tasks include: 

• Identifying and classifying information assets within their remit. 

• Ensuring the assets are handled securely and in line with organisational requirements. 

• Assessing risks related to their assets, including access controls and retention schedules. 

• Promoting awareness of information governance among their teams. 

• Reporting incidents or concerns to senior managers or relevant officers. 

Data Protection Officer (DPO) 

The Data Protection Officer is a statutory role, required in many public bodies and larger organisations. The DPO’s tasks include: 

• Advising the organisation on its obligations under data protection law. 

• Monitoring compliance and conducting audits. 

• Serving as a contact point for the Information Commissioner’s Office (ICO) and for data subjects. 

• Providing guidance on data protection impact assessments (DPIAs). 

• Raising awareness and training staff in data protection principles. 

Caldicott Guardian 

In health and social care settings, the Caldicott Guardian is a senior figure who ensures personal information about service users is used appropriately and ethically. Their role focuses on: 

• Championing confidentiality and data protection within their organisation. 

• Advising on information sharing decisions and balancing patient rights with operational needs. 

• Ensuring compliance with the Caldicott Principles, which stress the importance of patient consent and minimal use of identifiable information. 

• Overseeing audits and responding to concerns related to patient data handling. 

Senior Information Risk Owner (SIRO) 

The Senior Information Risk Owner is typically a board-level executive responsible for information risk across the organisation. Key activities include: 

• Owning the organisation’s overall information risk management strategy. 

• Promoting a risk-aware culture and ensuring risks are identified, assessed, and mitigated. 

• Reviewing and approving risk assessments and action plans relating to information assets. 

• Overseeing incident management and ensuring lessons are learned from breaches or near misses. 

Implementing Accountability Locally

For records managers, understanding these roles and their tasks is essential. Start by mapping out who undertakes each role locally, what their responsibilities are, and how their activities impact recordkeeping and information governance. Collaborate with IAOs, DPO, Caldicott Guardians, and SIROs to develop tailored procedures, define clear lines of responsibility, and promote best practices throughout your organisation. This proactive approach supports compliance, minimises risk, and upholds the integrity of your records management function. 

An Information Asset Register (IAR) is a comprehensive document that lists and describes all the information assets within an organisation. It serves as a critical tool for managing and protecting valuable data. Here’s what a typical IAR includes: 

Core Fields: 

1. Name: The unique identifier or title of the information asset. 

1. Owner: The individual responsible for the information asset, typically an Information Asset Owner (IAO). 

1. Description: A detailed explanation of what the information asset is and its purpose. 

1. Retention: The period for which the information asset should be kept before it is reviewed for disposal or archiving. 

Information Security Fields: 

• Classification/Sensitivity: The highest classification level of the information asset or the sensitivity associated.  

• Impact of loss: This should link to the same scales used in data incident assessments  

Business Continuity Fields: 

• Criticality: Whether the asset is critical to the organisational outcomes 

Systems, Structured, and Unstructured Collections: 

• Technical asset: what technical asset supports the information asset.  

By including these fields in an IAR, organisations can ensure that they have a clear understanding of their information assets, the risks associated with them, and the measures in place to manage and protect them effectively. This is essential for compliance with data protection regulations and for maintaining the integrity and availability of valuable organisational data. 

Relationship between a ROPA and an Information Asset Register 

The relationship between a Record of Processing Activities (ROPA) and an Information Asset Register (IAR) is fundamental to effective information governance and compliance with data protection regulations. 

ROPA: A ROPA is a detailed document that data controllers and processors are required to maintain under the UK General Data Protection Regulation (UK GDPR). It outlines all processing activities, including the purposes of processing, categories of data subjects and personal data, and the categories of recipients to whom the data may be disclosed. For data controllers, this is mandated by Article 30(1) of the UK GDPR, and for data processors, by Article 30(2). 

IAR: An Information Asset Register, on the other hand, is a comprehensive list of all information assets within an organisation. An information asset is any body of knowledge that is owned or controlled by the organisation and can be in any form or media. The IAR includes details about the information assets, such as the type of data, format, owner, and the location of the asset. 

Relationship: The ROPA and IAR are interconnected in that the ROPA can be seen as a subset of the IAR, specifically focusing on personal data processing activities. The IAR provides a broader view of all information assets, while the ROPA drills down into the details of how personal data is processed, ensuring compliance with data protection laws. 

Both documents are crucial for demonstrating accountability and compliance with data protection regulations. They help organisations to: 

1. Understand and manage the data they hold. 

1. Identify and mitigate risks associated with information assets. 

1. Ensure transparency and accountability in data processing activities. 

1. Respond effectively to data subjects’ requests and regulatory inquiries. 

These two documents—the Information Asset Register (IAR) and the Record of Processing Activities (ROPA)—are particularly important for Records Managers because they provide a structured framework for understanding, controlling, and safeguarding organisational information. The IAR enables Records Managers to keep track of all information assets, ensuring that nothing is overlooked and that assets are managed according to established policies. Meanwhile, the ROPA ensures that personal data processing is documented in line with legal requirements, supporting compliance and facilitating responses to data protection queries. 

By maintaining both documents, Records Managers can demonstrate accountability, streamline data audits, and quickly identify areas where improvements are needed. This not only helps in meeting regulatory obligations but also strengthens the organisation’s overall information governance, reducing risks associated with data loss, misuse, or non-compliance.

Crucially, risk management is escalated all the way up to the senior management level, ensuring that these risks gain visibility at the highest levels of oversight. This heightened visibility empowers records managers to prioritise issues, allocate resources more effectively, and drive continuous improvement across the organisation. 

Moreover, regular risk reviews and escalation processes motivate records managers to continuously assess and refine their methods. This ongoing cycle of evaluation and improvement fosters a culture of accountability and ensures that records management aligns with evolving legislative requirements and organisational objectives. With the involvement of senior managers, the process also guarantees that records management function aligns with and meets the information requirements of corporate and other governance concerns and  are integrated into broader organisational strategies, further amplifying their importance and impact. 

Annual Cycle of Risk Management  

We need to have a cycle of risk management which is often referred to as an information rusk framework.  

The basic details of the framework are as follows:  

Risk Identification and recording  

Step 1: Baseline 

The Information asset owner (IAO), or their delegated representatives, must identify any risks associated with their Information Assets (IAs). Risks may be identified by other business processes such as Data processing Impact Assessments (DPIAs) or Information breach action plans.  

The risks should be categorised: 

• Confidentiality 

• Integrity 

• Accessibility  

or  

• Compliance (with regulatory or statutory requirements)  

The information risks must be assessed and scored on the risk register.  

An information risk register is a document that helps an organisation to identify, record and manage the potential risks that may affect its information assets. It is a useful tool for implementing data protection by design and by default, as well as complying with relevant laws and regulations. An information risk register typically includes the following information: 

• The description of the risk, including its source, cause, and consequence. 

• The likelihood and impact of the risk, using a scale or matrix to assess its severity. 

• The current controls or mitigation measures in place to reduce the risk. 

• The residual risk level after applying the controls or measures. 

• The action plan or treatment options to further address the risk, including the responsible person and the target date. 

• The status and review date of the risk and its treatment. 

An information risk register can help an organisation to: 

• Improve its information security and governance by identifying and addressing the threats and vulnerabilities that may compromise its information assets. 

• Enhance its decision-making and prioritisation by evaluating and comparing the risks and their potential consequences. 

• Communicate and consult with relevant stakeholders about the risks and their treatment, as well as reporting any high risks to the appropriate authorities. 

• Monitor and review its information risks and their treatment on a regular basis and update them as needed. 

Step 2 Risk Assessment  

Once we have identified risks we need to assess them against our framework.  

     i. What is the likelihood of the event occurring? 

     ii. What is the Impact if that event does occur?  

It is helpful to create an organisationally relevant impact or consequence scale specifically for information.  

      iii. What is our overall score? 

      iv. What is our risk appetite for this what is our target score?  

At this point we need to consider how we are going to handle the risk there are a number of options:  

• Tolerate: This means accepting the risk. It is often used when the cost or effort of mitigating the risk is greater than the potential damage that could occur from the risk. 

• Treat: This involves taking steps to reduce the impact or likelihood of the risk. This could involve implementing controls, improving processes, or adopting best practices. 

• Transfer: This involves shifting the risk to another party. This is often done through insurance or outsourcing.  

• Terminate: This involves eliminating the activity that is causing the risk. If a particular business activity is causing a high level of risk and it’s not core to your operations, you might decide to stop doing it. 

      v. This decision then informs our next steps  

• Tolerate: the risk score will remain ‘as is’ no mitigations will be implemented  

• Treat: mitigations need to be identified and a target risk score based on our risk appetite  

• Transfer: identify how and when this may occur and this effectively removes the risk form our register.   

• Terminate: identify how and when this may occur and this effectively removes the risk form our register.   

      vi. This all needs to be recorded on the risk register.  

Step 3 Reporting  

Once we have a baseline level of risks, we need to implement a regular review. It is usually best practice to do a quarterly information risk review of all risks within the IAO business area in Quarter 1, 2, 3 then an annual review which is submitted to the SIRO for end of year, Quarter 4.   

The primary purposes of the quarterly risk assessments are to:  

• review progress against the actions taken to mitigate the risks assessed as moderate or higher in previous assessments.  

• identify new assets or new threats to existing assets.  

The opportunity should also be taken to review:  

• breach or ‘near miss’ incidents and the lessons learned.  

• legislative or policy changes with implications for data handling.  

• progress made in encouraging culture change, whether in-house or across the range of suppliers who handle information in some form.  

You can embed the risk register in M365 List and through the use of a simple M365 forms and flow, automate the IAO risk review and capture.  

Step 4: Risk escalation 

You may wish to have a hierarchy of risk registers with some below the IAO level to capture information risks relating to projects and business activities.  

If a risk can not be mitigated at any level or the risk score is so high, there needs to be an escalation process to get that risk recorded on the SIRO, then the organisational risk register. 

This will ensure that the risk is given the due consideration and resources from across the organisation to concentrate efforts to mitigate it.