What is the RMAT?
The Records Management Assessment Tool is a self-assessment tool designed to assist:
- public offices to self-assess and report their alignment with the regulatory framework (the State Records Act 1998.)
- public offices to identify areas for improvement, and support business cases for these
- State Records NSW to have an overview of regulatory alignment across the sector
- State Records NSW to identify trends or key issues for targeted support
The questions in the self-assessment tool are focused on the management of records, information and data in NSW public offices. It shows how these practices align with requirements in the State Records Act. They highlight the links between records management requirements and information access under the Government Information (Public Access) Act 2009 (GIPA Act).
The Records Management Assessment Tool consists of:
- Instructions for using the Records Management Assessment Tool
- RMAT WORD document
- RMAT EXCEL Spreadsheet
You can use either the Word document or the spreadsheet to do your assessment. The spreadsheet format includes support for automated scoring and results graphs. The document format can be more easily printed if required.
How do I use the results of the assessment?
The results of an assessment can be used for:
- reporting on the current status of records and information governance programs
- planning for improvement in a particular business unit or information system
- justifying investment and measuring progress.
The results can also support planning and reporting for cyber security, privacy, data sharing, open data and information access under the GIPA Act.
Public offices are also encouraged to use the RMAT assessment results for:
- internal or external audit exercises
- annual or quarterly management reporting
- work planning and budgeting
- workforce capability planning
- training needs analysis
- staff development plans
- organisational restructure or machinery of government (MOG) changes
- digital initiatives to buy, decommission, or upgrade systems
- measuring and reporting the impact of an IT or information management project
- formal requests from State Records NSW for information on the organisation’s records and information management practices and conformity with requirements.
Do I send the results of my assessment to State Records NSW?
We encourage all public offices to use the RMAT routinely as part of your own internal monitoring.
You are only required to submit your most recent results to State Records NSW when requested, which is usually done annually as part of our Recordkeeping Monitoring Exercise.
RMAT FAQ
This is a list of frequently asked questions about the Records Management Assessment Tool.
We recommend the person or team responsible for records and information management should answer the RMAT questions – or complete the questions collaboratively with key staff, such as a system owner, data custodian or business manager.
This is important because:
- The assessment includes some technical terms that may require explanation from a records and information professional These may not be the same terms that you usen your organisation. You can also refer to the Glossary for definitions.
- Some questions may be more applicable at the organisation-level (e.g. if there is a central policy or executive leadership). You could consider pre-filling the answers to these questions before asking a system owner, data custodian or business manager to complete other questions.
- It builds awareness and communication between the business and the person or team responsible for overseeing records and information management. For example: the senior responsible officer (SRO) must have visibility of records and information management in all parts of the business in order to fulfil their responsibilities, and business managers should be aware of corporate-wide policies.
- It enables the person or team responsible for overseeing records and information management to better appreciate the ecosystem of records, information and data; and how well it is supporting business needs.
- It enables the person or team responsible for overseeing records and information management to fully understand the level of maturity in their public office, plan for improvements and justify requests for resourcing.
Yes, the RMAT is based on all obligations and requirements from the State Records Act and the standards issued under the Act.
When you are using the RMAT, look at the Requirements column in the spreadsheet or the word document; this section of the RMAT will tell you which regulatory requirements are linked to a question.
When you are looking at the Results of your assessment, have a look at the Baseline Compliance Table. This table links regulatory requirements with the RMAT questions and indicates whether compliance is demonstrated for each requirement. This table has traffic light reporting; green indicates compliance and red indicates non-compliance.
Public offices should use the RMAT regularly, the assessment needn’t be a one-time or annual activity. We don't mandate how many times a year you should use the RMAT.
We want to see public offices using the RMAT because it helps your business, assists your organisation to understand how recordkeeping is working or not working in your organisation.
The RMAT uses a 5 level maturity scale to determine the level of compliance with a requirement. You will need to select the maturity level that reflects your organisation’s current situation.
| Level | Description |
|---|---|
| 1. Ad hoc | The desirable processes are non-existent or ad hoc, with no organisational oversight. The organisation or senior responsible officer is unaware of whether a requirement is met. |
| 2. Developing | Processes are becoming refined and repeatable, but only within the scope of individual teams or projects. There are no organisational standards. |
| 3. Defined | Processes are standardised within the organisation based on best practices identified internally or from external sources. Knowledge and best practices start to be shared internally. Level 3 is considered Baseline Compliance for meeting requirements for high risk / high value records and information. |
| 4. Managed | The organisation has widely adopted the standard processes and begins monitoring them using defined metrics. |
| 5. Optimising | The organisation is optimising, refining and using innovation to increase efficiency within the organisation and, more widely, within its business sector. |
The RMAT seeks confirmation that an organisation has formally identified high risk/high value areas of the business and the records of these business operations. This area of recordkeeping should have the highest priority for investment and management. Identifying and managing records of high risk/high value areas of business means that it is likely that appropriate controls have been implemented for the organisation’s most critical information. This approach to prioritising records of high risk/high value also matches up with the approaches taken by cyber security to protect the most critical information assets of the organisation.
In undertaking the assessment, your organisation will need an agreed list of high risk/high value activities or systems for the organisation or business unit being assessed.
If the records and information management team does not have relevant documentation, check with colleagues in ICT, Security, Governance, Corporate, Risk or Legal to find out if this analysis has been carried out for another purpose. High risk/high value areas of business and systems may be identified during:
- cyber security attestation or information security planning
- business continuity and disaster recovery planning
- corporate risk management (risk registers and plans)
- responses to audits, inquiries or litigation
- systems audit or IT asset inventory
- information lifecycle management planning
- open data planning and reporting
- development of a retention and disposal authority.
Once you have an agreed list of criteria, it will be possible to identify records and information relating to those activities – and plan to manage them appropriately.
It will depend on the scope of the assessment (e.g. business unit, business system, whole of organisation) and the process you’ve decided to use (e.g. one person doing the assessment, a small team of information professionals from across the organisation, records and information management team with other key staff). It may take a couple of hours or a day to complete the assessment depending on the scope and process used.
TIP: Take some time before you start the assessment to read through the questions and responses to familiarise yourself with the content.
TIP: Allow an hour to factor in the evidence and additional guidance to make preliminary responses.
TIP: If doing the assessment as a team or in collaboration with others, allocate time for everyone to complete their assessments and then have a workshop to discuss individual responses to each question and settle on an overall score.
We publish the results of the annual reporting on our website and in our Annual Report. The reporting is at an aggregate or summarised level (i.e. Sector/Cluster).
We suggest that large and complex organisations should consider undertaking individual assessments of divisions, lines of business, or groups of business units. These assessments can then be brought together, and a consolidated view of the organisation’s records and information management is developed. Importantly, the consolidated view should be negotiated and agreed upon by those who have undertaken the assessments.
The individual assessments of divisions, lines of business, or business units will be useful in understanding the current state of recordkeeping within these areas of the organisation and will identify gaps or issues. This information can then be incorporated into the plans for corrective actions. This will also enable the organisation to track progress over time and ensure that recordkeeping issues are managed.
One of the organisations that pilot-tested the RMAT took this approach. The RMAT was provided to a number of different officers within their organisation, and these individuals went away and carried out the assessment from their own organisational perspective. Then they came together to discuss the individual responses to each question and settle on an overall score for each question. From the individual assessments, they could identify areas of good practice and areas that needed improvement.
If you have queries about the assessment process or the results, please feel free to contact us.
Email: govrec@staterecords.nsw.gov.au