In This Section
4C Partners
'Trust, certification, sustainability and framework agreements' by Matthew Addis
In my previous post I looked at some of the basic things that service providers and organisations could do to work together when building sustainable products and services. These simple things are not going to change the world, but they are small steps in the right direction.
At the other end of the scale are disruptions to the whole ecosystem that trigger large-scale change, for example government intervention or major collaborations. One example is Images for the Future [1] in the Netherlands, a €170M+ digitisation initiative by a collaboration of Dutch institutions and supported by the Dutch Economic Structure Fund. Another is the 100,000 Genome Project [2] in the UK. This saw an initial injection of £100M from the UK Government with a subsequent commitment of £168M from Illumina and a total now stretching to £300M. The project has the potential to revolutionise the use of whole genome sequencing as part of UK healthcare. On the surface, both projects appear very different, but actually share a lot of common ground - they are both creating a long-lasting large-scale digital legacy at the national level. Investment of this scale disrupts the normal world order in a way that would never happen if the sector was left to its own devices. Wouldn't it be great if there were something along these lines for sustainable curation products and services? Personally, I suspect that's unlikely, both because the business case is non-specific and hence hard to write and fund, and because curation is something that should in general be 'embedded' into other day-to-day activities rather than something requiring its own 'special measures'.
Maybe there is somewhere in-between national intervention and grass-roots sustainability? What would the middle ground look like? I think sector specific framework agreements and large-scale shared-services have a pivotal role to play. I was prompted to think about this was when David Rosenthal reminded the 4C Advisory Board that trust and certification can be a major cost element in curation and digital preservation. What's that got to do with sustainability and the 4C Roadmap? Well, you might need to bear with me for a bit before I get to that.
David knows first had about the costs (and benefits) of certification having recently been through TRAC with CLOCKSS [3]. When we started Arkivum we also went for certification - ISO27001 in our case. The rationale was that it aligned well with our business, it would help us engender trust in our customers, and it would help us to understand how to do the best job we could. This was from the relatively easy position of a small organisation running as a green-field site. We engineered ISO27001 into our business from the outset and from ground-up, yet it still took someone full-time for six months to put everything in place. We get audited every six months and have been passing with flying colours ever since. It's a natural part of our business but auditing and certification is a very real and substantial cost. For example, we recently had a pharmaceutical company in at our offices to do their own audit for due diligence - that took the whole day and involved several staff on our side. ISO27001 certification is one thing, but certification for Trusted Digital Repositories, ups the game further, e.g. ISO16363 and TRAC. David says in his blog post that "We estimate that our audit consumed between two and three person-years of senior staff time."
It is interesting to see how many of our customers impose standards on us that are higher than they achieve internally, as well as the requirement to prove this through certification or audits. Certification has benefits, especially for customers, but it also has costs, and those costs need to be accounted for. There are benefits to service providers too, beyond a nice piece of paper to hang on the wall - if you have good auditors then they work with you to help you do your job better, e.g. suggesting improvements as well as highlighting weaknesses. Thankfully it's not just expensive rubber stamping!
Expecting service providers to be achieve high standards is not in any way unreasonable - especially when they are long-term custodians of valuable content. But it does require an understanding of the consequences for service providers if they are expected to prove this through certification. The main problem is that certification can require substantial initial investment, both in terms of time and money, and this on its own this can be enough to stop a service provider dead in its tracks when considering certification.
There could be other interesting consequences if it becomes common place for organisations to require TRAC or ISO16363 TDR. For example, those suppliers that can afford to go through the audit process have the potential to monopolise the market. If organisations start demanding ISO16363 from suppliers then this could simply kick a lot of smaller service providers into touch. Not because they don't do things well, but because they can't afford to get a certificate to 'prove' it. This is surely a risk to the sustainability of the marketplace because it limits who can play the game. With this comes a responsibility for those who guide organisations in what to expect from suppliers. Inadvertently setting the bar too high could have the consequence of hobbling [4] the market. It may be better to recommend that organisations identify the minimum set of mandatory features they need from a provider and a way to test these. This approach would allow organisations to start with the widest possible supply base, adopt a 'trust but verify' approach [5], and then raise the bar to narrow things down to achieve the right balance of cost and quality.
The 4C Roadmap should perhaps consider the role of certification/audit bodies in more detail - at the same time as considering 4C's own responsibilities in recommending or promoting applicable standards. The Roadmap should perhaps also consider the role of self-certification, peer review, and other community-based lower-cost routes to establishing and verifying trust. This is about establishing other ways to demonstrate that service providers are 'doing the right thing' and are 'doing it right'. The Data Seal of Approval [6] sits in this category and more could be done to promote this model. This peer–review approach to trust has a lot of potential in keeping the playing field not just level but with as many players on it as possible.
Back to framework agreements. Hopefully you've stayed with me this far! Not only can these provide a practical alternative to formal certification, but they can simultaneously address some of the other barriers to sustainability. A framework agreement can be a very good way of combining audit, certification, contracts, service levels, procurement and pricing into one practical bundle. This can be tailored to a given sector, and, most importantly, can be constructed by an organisation that is trusted in that sector. It is the trusted organisation that does the due diligence on behalf of the sector and at an appropriate level. In a sense, the sector trusts the organisation creating the framework agreement, then that organisation determines if the suppliers under the framework are trustworthy. For example, JANET put a framework agreement in place for JANET users to purchase archiving as a service from Arkivum. The framework agreement was a competitive process and JANET did extensive due diligence on Arkivum when selecting us as the provider. This included using independent reviewers for all responses to the Invitation to Tender (ITT), onsite visits and assessments, and then some pretty serious contract negotiation. The ITT contained many questions similar to those you'd see in TRAC or ISO16363 and the responses we made now form part of the contract with our customers. The framework also includes the price of the service. Therefore, when people buy through the framework, not only is the service easy to procure and at known cost, but customers know that they are getting a contract and SLA that JANET have thrashed out with us on the behalf of the sector. JANET could have mandated TRAC or ISO16363, but instead they chose to use a simpler set of criteria that better matched what users in the sector actually need to see from a provider on a practical basis. This greatly widened the base of suppliers that could be selected from, which is good for competition, and hence good for the sector in getting the best mix of value for money and quality of service.
Framework agreements have a lot to offer in helping a sector to establish sustainable curation and preservation services, including lowering lot of the barriers to adoption that go beyond the issues of trust and certification. Likewise, collaboration between organisations to define and establish shared services, either federated or centralised, can achieve similar benefits. DPN in the US is one to watch in this area [7].
It seems to me that framework agreements have a lot of potential in several sectors, including where collaboration between vendors is needed to provide complete solutions. Maybe the framework agreement model is something that 4C could, or should, become more involved in, either through comment about its role in helping promote sustainability, or by providing practical guidelines on how relevant organisations can put framework agreements in place.
[1] http://beeldenvoordetoekomst.nl/
[3] http://blog.dshr.org/2014/08/trac-audit-lessons.html
[4] http://en.wikipedia.org/wiki/Hobble_%28device%29
[5] http://en.wikipedia.org/wiki/Trust,_but_verify
[6] http://www.datasealofapproval.org/en/
Matthew Addis, Arkivum
Matthew is part of the 4C Project Advisory Board and repesents Service Providers and Curation Experts. He has spent 15 years leading a diverse portfolio of industry-led applied research projects including archiving and digital preservation, service-oriented computing, data mining and knowledge management to name but a few.
