The RKDIR (or more appropriately, I suppose, the DIR-RK, but that sounds too pointy) points at it, but from an awful long distance out. MAF purports to study and measure it, but with no real strength or teeth.
What is information risk? There’s a fancy definition, but in layperson’s terms, it’s the risk associated with decisions made without access to appropriate information. Poor information, risk of poor decisions. That’s information risk. That, and nothing else.
Do we approve this drug? Do we trade with this country? Do we purchase this weapons system? Do we contribute towards this organization?
These, and tens of thousands of other decisions, huge and tiny, are made by the public servants that make up our federal government, as a part of governing, every day of the week. And from having interviewed extensively with these people – doctors, scientists, policy-makers, first responders, bureaucrats – what I have learned is that they really don’t care about MAF (at least about Section 12), or about the RKDIR…they care about doing their job. The job they were hired to do. The job they are passionate about.
To the extent they can access appropriate information, they can de-risk the decisions they make. To the extent that they cannot access appropriate information (internal documents unmanaged or stored in unstructured manners; published information unavailable because they no longer have access to a departmental library, or because their library has insufficient staff or funding; large datasets unavailable due to lack of sharing, lack of technology or simply not asking)…to the extent any of those things are unavailable, the REAL information risk increases. The risk that we will allow someone into or out of the country inappropriately. The risk that the government loses a case that, for the welfare of its citizenry, it should have won. The risk that we approve a medical treatment – or deny one – inappropriately, and that Canadians are worse off – even die. These are the real information risks. Everything else – GCDOCS, RDIMS, MAF, RKDIR – it’s all just good management.
Below is a table of some major and minor government departments and agencies. They are arranged on a risk continuum from EXTREME to LOW. The table speaks to the risk, on balance, to a given department, of having poor information access.
– Programs or individuals within departments may not follow the norm, and programs or individuals, indeed departments, MAY move from one category to another due to a given situation/context. My standard illustrative story to demonstrate this point is that of the Parks Canada ranger who is staring at a bear. If it’s rabid or has attacked humans, she may need to make the decision almost immediately to destroy the bear. Her Information Risk Profile is extreme in that moment, despite the fact that, overall and on a day to day basis, the average risk level for a Parks Canada decision is low.
– Although it is a valid (and useful) argument to determine which department/agency might fall where, what is more important is to understand that not all clients are equal: Information Risk Profiles vary. In practice, standardized solutions that meet the needs of a given type of client will create Information Gaps and Risks in ALL departments/programs where the Information Risk Profile is greater than the norm. These risks and gaps must be identified and managed down. My standard illustrative story to demonstrate this point is that of the Pan-Canadian Governmental Library Service – if it ever comes into being. My discussions with those involved describe a one-tier common service, developed to meet the needs of a middle manager at HRSDC who is looking for a book on team-building. HRSDC is a Medium risk department, and this is a common middle manager whose needs are being described, so it is a service being built for a Medium risk environment. Which is wonderful – unless you live in a department to the LEFT of HRSDC. If your information risk is High or Extreme, this Pan-Canadian Governmental Library Service might be creating profound information risks for you.
So…what does this mean? It means several things. One, the further you are LEFT on the grid, the more you should be pressuring your CIO to ensure that your information risks are being managed. Two, if you work in a central agency and are creating whole-of-government services, you simply cannot adopt a one-size-fits-all approach. Three, wherever you work…when you witness public servants who are “breaking the rules” – using memory sticks to transfer files, forwarding protected emails to their Gmail account so that they can address issues in a timely manner, purchasing subscriptions to periodicals through petty cash or accessing them through student university accounts – understand that most of the fault lies within the Information Services organization, NOT with the individual who has been caught red-handed.
Public servants are hired to serve the public – to be lawyers or scientists, to protect and enable the rights of at-risk communities, to develop Canadian commerce at home and abroad. They do not choose a career in public service primarily because they really want to safeguard information as per the RK Directive. When they have to go around, over or through rules, that’s probably because it’s the only way they can get their “real” job done.