Information in a modern organization takes many forms — most of them electronic. Today, even the smallest organizations will find themselves with gigabytes of digital information used to perform business activities, or generated as a result of those activities. Companies large and small run the risk of drowning in their own data.
A number of solutions address this challenge: electronic discovery, which means setting systems up so personnel can find the information they need; archiving and backup, used to protect organizational data and store it responsibly; content management systems, which help keep information current and usable; and electronic forms and workflows, which guide personnel through the creation and use of information.
Technological solutions such as these improve workers’ ability to create, protect, find and use the soup of unstructured data found within many organizations. But for organizations in highly regulated industries, or organizations dealing with exceptional risk, the adoption of a formal management system typically forces the organization to control the information it uses to manage risk and ensure compliance.
The formal control of information includes measures such as approval and authorization of information for use, reviews and verification of information, process-based revisions and deletions of information, unique addressing (numbering) to allow unambiguous referencing and retrieval, and a range of other quality-management features intended to ensure that information is appropriate, accurate, complete, and available.
The formalized control of information is important for the following reasons:
- Prevents inappropriate, inconsistent, incomplete or incorrect inputs to work activities
- Ensures information will be discoverable, retrievable and usable when needed
- Reinforces authority and accountability throughout the organization — through approvals and workflows
- Prescribes how organizational activities will be conducted, implementing quality assurance
- Ensures and demonstrates compliance
- Documents evidence of organizational activities and outcomes
- Demonstrates application of quality control.
These goals are achieved by ensuring that controlled information is created, revised, distributed and destroyed in accordance with prescribed processes, procedures, standards and other controls that protect the integrity of information.
Implementing this level of control typically forces an organization to think about its information in a more structured way. And that structure starts by differentiating between information in documents, and information in records.
Controlled documents versus controlled records
When an organization takes its first steps to manage quality and control its information, a common question is the difference between documents and records.
People may naturally think of Word files as documents, and spreadsheets as places where things are recorded, but the nature of the information contained in an electronic file — and not the file format — should be the key factor when deciding whether a file is a document or a record. In fact, many digital files don’t naturally fall into either category — think about photographs and videos, audio files, configuration files, models, etc.
The definition of documents and records can also depend on the nature of the organization’s activities, its industry, and its regulatory obligations.
But as a general rule, documents prescribe and records describe. That, in a nutshell, is the most important difference between controlled documents and controlled records:
- Documents prescribe how something is to be done. Records capture how something was done.
- Documents prescribe how or what something must be. Records capture how or what something was.
Another key difference is the lifecycle of the information:
- Documents may be revised. In fact, they may be revised and re-issued repeatedly.
- Records, on the other hand, should never be altered once issued (although they can be appended with additional information or corrections, and newer records may make older records irrelevant).
How documents and records are addressed is also different:
- Records have a unique number or address identifying that specific record, assigned on the day the record is registered. That unique number is not used for any future records, and will always “point” to that one record. Other records about the same topic, customer, component, etc. will have different addresses or record numbers. This ensures that a record can be unambiguously referenced and retrieved without being mistaken for other related or unrelated records.
- Documents have a unique number or address identifying the most current, “in force” revision of that document. That unique number will always point to the most current authorized version of the document, no matter how often the document is revised. This ensures that workers retrieving a document will always work from the currently authorized version, and not a historical revision that is no longer valid.
Finally, the authority needed to create information can differentiate documents from records:
- Documents typically require review and approval.
- Records can typically be issued by anyone, without review and approval (although there can be exceptions).
How controlled documents and records work together
While distinct from each other, records and documents combine to make up the information “fabric” of the organization, supporting its activities and quality management:
- Each issued revision of a controlled document is also a record of that document having been issued and being in force. (This is very important when it comes time to audit the organization, demonstrate compliance, participate in legal proceedings, and perform root cause analysis.)
- Records can refer to documents, and vice versa, and personnel may use both controlled documents and controlled records to perform tasks.
- Controlled records are often generated through the use of controlled documents — for example, the creation of records during the execution of a controlled procedure.
Uncontrolled documents and records
In contrast to controlled information, an organization may have a large cache of information that is generated or collected during business activities but is not critical to quality, safety, compliance, etc., and thus is not controlled under its management system. This less important information often sits in working repositories or individual workspaces, and doesn’t need the rigor or structure described above.
In these uncontrolled information spaces, documents and records may be interchangeable.
- Uncontrolled documents may be containers for the creation, management and communication of working information (for example, processes and designs used within a project) that does not have quality implications or controls.
- Uncontrolled records may be containers for the storage of working information (for example, entries in a requirements database or a project spreadsheet).
Workers creating and using uncontrolled information don’t have to differentiate between documents and records, and can create and store information in whatever form most suits the individual worker and task.
Document and records control under ISO 9001
ISO 9001, which is a very widely adopted quality-management standard used in many industries, provides its own detailed requirements regarding documents and records control:
ISO 7.5.2 Creating and Updating
Documents are created as a part of the organization’s planning. Therefore, ISO requires that these planning documents be approved prior to use to ensure they are adequate (appropriate). Documents need to be reviewed and updated to ensure the content is accurate. If changes are made to plans, then it is imperative that the changes are identified and communicated to anyone who uses those planning documents.
Users need legible, up-to-date, and readily available documents to do their job.
Documents need to be reviewed, approved, legible, up-to-date, communicated, and readily available.
ISO 7.5.3 Control of Information
Records are not the plan; records are created by plans. Records are data collected by operating the quality management system, but data is not information. Data must be converted into information through the use of charting or trend analysis. Thus, the requirements for records are different. Records need to be identifiable (labelled), stored, protected (uncorrupted), retrievable (you need to use the data), retained (backed-up), but disposed of when obsolete.
Documents are created by planning what needs to be done and records are created when something is done. Documents can change, and records don’t change. Documents need to be reviewed, approved, legible, up-to-date, communicated, and readily available. Records need to be identifiable, stored, protected, retrievable, retained, but disposed of when obsolete.
This function is now referred to as documented information control rather than documents and records.
How NOCTURNE can help
Planning and implementing appropriate information control for your organization can be daunting. Your information structure and information-management processes must be robust enough to address your risk, compliance and quality requirements, but efficient enough to protect the “bottom line”. Your information-management strategy should be customized to your organization’s unique needs, reflecting your goals, capabilities and constraints. Mapping out a solution that will support the full scope of your organizational activities can be a challenge.
And if you have a wealth of legacy information that must be brought under control, that adds to the challenge. You need to decide what information needs to become controlled, when that control must be achieved, and how to “bless” historical documents and records to bring them under your management system.
You don’t have to do this alone. NOCTURNE can help by:
- Analyzing your objectives and requirements and developing an effective but streamlined information-management strategy
- Designing an information structure that allows adequate control while maximizing usability for your workforce
- Implementing processes and standards for the control of information
- Implementing content management systems or information libraries within your IT infrastructure
- Establishing rules and guidelines for the conversion of legacy information into controlled information
- Change-managing both process changes and changes to legacy information
- Training personnel regarding documentation and records control, the creation of documents and records, information retrieval, etc.
- Providing interim documentation and records support to ensure your organization gets up and running and succeeds in its evolution to a more effective, compliant information solution.
For more information about how we can help you make this transition, or even about whether this is something your organization should be considering at this time, tell us about the opportunity or problem you’re trying to tackle. We’d love to help!