RMAT FAQ
This is a list of Frequently Asked Questions about the Records Management Assessment Tool. We will be adding to this page as questions arise.
What is the RMAT?
The Records Management Assessment Tool (RMAT) is a new self-assessment tool. The RMAT will enable public offices covered by the State Records Act 1998 to assess the maturity of records and information management in their organisation, or a part of the organisation (e.g. business unit or information system), or a group of public offices.
The questions in the self-assessment tool are focused on the management of records, information and data in NSW public offices, and how these practices align with requirements in the State Records Act 1998. They highlight the links between records management and regulations for cyber security, privacy, data sharing, open data and information access (GIPAA).
The results of the assessment can be used for reporting on current status; planning for improvement; justifying investment; and measuring progress.
Who should use the RMAT?
We recommend that the person or team responsible for records and information management answer the RMAT questions, or complete the questions collaboratively with key staff, such as a system owner, data custodian or business manager.
This is important because:
- The assessment includes some technical terms that may require explanation from a records and information professional. Perhaps you use different or specific terms in your organisation. You can also refer to the Glossary for definitions.
- Some questions may be more applicable at the organisation-level (e.g. if there is a central policy or executive leadership). You could consider pre-filling the answers to these questions before asking a system owner, data custodian or business manager to complete other questions.
- It builds awareness and communication between the business and the person or team responsible for overseeing records and information management. For example: the senior responsible officer (SRO) must have visibility of records and information management in all parts of the business in order to fulfil their responsibilities; business managers should be aware of corporate-wide policies.
- It enables the person or team responsible for overseeing records and information management to better appreciate the ecosystem of records, information and data; and how well it is supporting business needs.
- It enables the person or team responsible for overseeing records and information management to fully understand the level of maturity in their public office, plan for improvements and justify requests for resourcing.
Does the RMAT cover all obligations from the State Records Act 1998?
Yes, the RMAT is based on all obligations and requirements from the State Records Act 1998 and the standards issued under the Act.
When you are using the RMAT, look at the Requirements column in the spreadsheet or the Word document; this section of the RMAT will tell you which regulatory requirements are linked to a question.
When you are looking at the Results of your assessment, have a look at the Baseline Compliance Table. This table links regulatory requirements with the RMAT questions and indicates whether compliance is demonstrated for each requirement. This table has traffic light reporting; green indicates compliance and red indicates non-compliance.
How frequently should I use the RMAT?
Public offices should use the RMAT regularly; the assessment shouldn’t just be a one-time or annual activity. We don't mandate how many times a year you should use the RMAT.
We want to see public offices using the RMAT because it helps your business and assists your organisation to understand how recordkeeping is working or not working.
What are the maturity levels in the RMAT?
The RMAT uses a 5-level maturity scale to determine the level of compliance with a requirement. You will need to select the maturity level that reflects your organisation’s current situation.
Level | Description | Practices and processes are ... |
---|---|---|
1. Ad hoc | The desirable processes are non-existent or ad hoc, with no organisational oversight. The organisation or senior responsible officer is unaware of whether a requirement is met. | ad hoc, unpredictable, poorly controlled, no processes, or unaware |
2. Developing | Processes are becoming refined and repeatable, but only within the scope of individual teams or projects. There are no organisational standards. | aware, reactive, repeatable, documented processes |
3. Defined | Processes are standardised within the organisation based on best practices identified internally or from external sources. Knowledge and best practices start to be shared internally. Level 3 is considered Baseline Compliance for meeting requirements for high risk / high value records and information. | controlled, established, standardised, followed processes |
4. Managed | The organisation has widely adopted the standard processes and begins monitoring them using defined metrics. | capable, proactive, measured and reported |
5. Optimising | The organisation is optimising, refining and using innovation to increase efficiency within the organisation and, more widely, within its business sector. | efficient, reviewed and audited, data-driven process improvement |
Why does the RMAT focus on high risk/high value records and information?
The RMAT seeks confirmation that an organisation has formally identified high risk/high value areas of the business and the records of these business operations. This area of recordkeeping should have the highest priority for investment and management. Identifying and managing records of high risk/high value areas of business means that it is likely that appropriate controls have been implemented for the organisation’s most critical information. This approach to prioritising records of high risk/high value also matches up with the approaches taken by cyber security to protect the most critical information assets of the organisation.
In undertaking the assessment, your organisation will need an agreed list of high risk / high value activities or systems for the organisation or business unit being assessed. For further information see Identifying and managing high value and high risk records and information.
If the records and information management team does not have relevant documentation, check with colleagues in ICT, Security, Governance, Corporate, Risk or Legal to find out if this analysis has been carried out for another purpose. High risk and high value areas of business and systems may be identified during:
- Cyber security attestation or information security planning
- Business continuity and disaster recovery planning
- Corporate risk management (risk registers and plans)
- Responses to audit, inquiries or litigation
- Systems audit or IT asset inventory
- Information lifecycle management planning
- Open data planning and reporting
- Development of a retention and disposal authority.
Once you have an agreed list, it will be possible to identify records and information relating to those activities – and plan to address them.
How long does the assessment take?
It will depend on the scope of the assessment (e.g. business unit, business system, whole of organisation) and the process you’ve decided to use (e.g. one person doing the assessment, a small team of information professionals from across the organisation, records and information management team with other key staff). It may take a couple of hours or a day to complete the assessment depending on the scope and process used.
TIP: Take some time before you start the assessment to read through the questions and responses and be familiar with the content.
TIP: Allow an hour to factor in the evidence and additional guidance to make preliminary responses.
TIP: If doing the assessment as a team or in collaboration with others, allocate time for everyone to complete their assessments and then have a workshop to discuss individual responses to each question and settle on an overall score.
How should I use the assessment results?
The results of an assessment can be used for:
- reporting on the current status of the records and information governance programs
- planning for improvement in a particular business unit or information system
- justifying investment and measuring progress.
The assessment results can also support planning and reporting for cyber security, privacy, data sharing, open data and information access (GIPAA).
Public offices are also encouraged to use the RMAT assessment results for:
- Internal or external audit exercises
- Annual or quarterly management reporting
- Work planning and budgeting
- Workforce capability planning
- Training needs analysis
- Staff development plans
- Organisation restructure or machinery of government (MOG) changes
- Digital initiatives to procure, decommission, or upgrade systems
- Measuring and reporting the impact of an IT or information management project
- Formal request from State Records NSW for information on the organisation’s records and information management practices and conformity with requirements.
Do I send the results of the assessment to State Records NSW?
The formal monitoring activity for 2024 took place from 1 March to 5 April, where we requested copies of your assessment results.
We will contact each public office with further information in early 2025 about future monitoring activities.
When will State Records NSW be undertaking annual reporting using the RMAT?
As noted in the Regulatory Framework, State Records NSW re-commenced annual reporting processes using the RMAT in 2022. Each public office needs to do an assessment of their records and information management at that point in time and to provide a report to us. This reporting will give us an overview of the state of records management in NSW Government. The reports on the 2022 Recordkeeping Monitoring Exercise and the 2023 and 2024 State of Recordkeeping in NSW reports are on the website.
We will contact each public office with further information about future Recordkeeping Monitoring Exercises in early 2025.
When and where will the results of the annual reporting be published?
We publish the results of the annual reporting on our website and in our Annual Report. The reporting is at an aggregate or summarised level (i.e. Sector/Cluster).
The Report on the 2022 Recordkeeping Monitoring Exercise and the State of Recordkeeping in NSW (2023 and 2024) are on the website.
How should large and complex organisations undertake RMAT assessments?
We suggest that large and complex organisations should consider undertaking individual assessments of divisions, lines of business, or groups of business units. These assessments are then brought together, and a consolidated view of the organisation’s records and information management is developed. Importantly, the consolidated view should be negotiated and agreed upon by those who have undertaken the assessments.
The individual assessments of divisions, lines of business, or business units will be useful in understanding the current state of recordkeeping within these areas of the organisation, as it will identify the gaps or issues, and this information can then be incorporated into the plans for corrective actions. This will also enable the organisation to track progress over time and ensure that recordkeeping issues are managed.
One of the organisations that pilot-tested the RMAT took this approach: The RMAT was provided to a number of different officers within their organisation. Those individuals went away and assessed from their perspective or lens on the organisation. Then they came together to discuss the individual responses to each question and settle on an overall score for each question. From the individual assessments, they could see where there’s good practice or areas that needed improvement.
If you have queries about the assessment process or the results, please feel free to contact us on govrec@staterecords.nsw.gov.au
Published July 2021, updated October 2021, updated November 2022, updated January 2023, updated February 2024, updated September 2024