The objective of the audit was to assess the adequacy and effectiveness of the BCM practices and procedures within the Tax Office in preparing for, or responding to, disruptions to ‘business as usual’ operations.
Government agencies deliver a wide range of programs and services which are critical to the economic and social well-being of our society. Single or multiple events may cause a significant disruption or outage to the ‘business as usual’ operations of agencies, compromising their ability to function, which could have significant consequences for citizens, businesses and government.
In order to respond to such disruptions, agencies need to consider business continuity management (BCM) as an integral part of their organisational risk management framework. BCM planning guides agencies in responding to unplanned disruptions or outages, variously described as an emergency, crisis and/or disaster[1], when normal management practices and procedures may be unable to cope. The primary objective of BCM is to ensure the uninterrupted availability of all key resources required to support essential (or critical) business activities and to return the agency to ‘business as usual’ within a predefined acceptable time limit (the maximum acceptable outage—MAO) following a disruption.
Effective BCM planning is particularly important for agencies such as the Australian Taxation Office (Tax Office). As the main administrator of Australia's tax and superannuation systems, it is critical that the Tax Office has in place an appropriate BCM framework to minimise disruptions to its role as the Government's principal revenue collection agency.
As at 30 June 2008 the Tax Office employed 23 303 ongoing and non-ongoing employees and occupied office space in some 70 buildings across Australia. During the year to 30 June 2008, the Tax Office processed more than 32.5 million income tax and Business Activity Statement lodgements, and responded to more than 12 million taxpayer enquiries, in collecting revenues of some $278.0 billion on behalf of the Government.
Audit objective and scope
The objective of the audit was to assess the adequacy and effectiveness of the BCM practices and procedures within the Tax Office in preparing for, or responding to, disruptions to ‘business as usual’ operations.
Particular emphasis was given to examining whether the Tax Office:
- has in place an appropriate framework for the administration of BCM;
- adheres to sound BCM principles for its plans, practices and procedures; and
- has appropriate mechanisms to test, evaluate, report and improve on its administration of BCM.
The scope of the audit did not include an examination of the continuity planning for business processes between the Tax Office and external agencies such as the Reserve Bank of Australia and Centrelink.
As the main administrator of Australia's tax and superannuation systems it is critical that the Tax Office has in place effective BCM practices and procedures to ensure a timely and appropriate response to business disruptions. A significant or long term disruption to ‘business as usual’ within the Tax Office has the potential to disrupt the collection of taxation revenues. It could also have a significant impact on the efficiency and the effectiveness of the Tax Office in administering and regulating the tax and superannuation systems. This in turn could lead to a loss of reputation, and reduced taxpayer confidence in the self assessment taxation system.
The Tax Office has a well developed BCM framework which is integrated into its ‘business as usual’ operations. Its BCM framework consists of the following four elements:
- emergency management;
- crisis management;
- disaster recovery; and
- business resumption planning.
The Tax Office has documented its BCM processes in the Emergency Control Organisation Corporate Management Practice Statement[2] (Emergency Control Organisation CMPS), the Business Continuity Corporate Management Practice Statements[3] (Business Continuity CMPS) and the Risk and Issues Management Corporate Management Practice Statement[4] (Risk and Issues Management CMPS). These documents describe practices and procedures that business and service lines (BSL) should use in relation to the BCM framework.
There is however scope for the Tax Office to better integrate the administration of the component elements of its BCM framework into a single program of work and to enhance the functioning of its emergency management within the framework. The Tax Office's approach to BCM has been developed by drawing on the ANAO Better Practice Guide—Business Continuity Management[5] and by seeking to enhance its BCM capacity through the ongoing consideration and adoption of improved practices. The BCM framework is supported by a wide-ranging set of policies, practices and procedures.
The BCM framework implemented by the Tax Office has evolved over a number of years and reflects the benefits of having key operational processes and people distributed across a number of locations throughout Australia. In most cases work flows affected by an outage or disruption occurring in one of the 70 office locations occupied by the Tax Office can be redirected and dealt with by staff located elsewhere while the cause of the disruption is being addressed.
The BCM framework demonstrates a mature application of key elements of sound BCM practices including:
- management support for BCM activities through the appointment of dedicated BCM executives and staff to develop, maintain and test the BCM plan;
- identifying key business processes and critical IT applications;
- incorporating risk management and business analysis activities into the BCM strategy;
- the tailored design of business continuity treatments to address specific Tax Office challenges resulting from its decentralised operations;
- creating a detailed business continuity planning (BCP) database; and,
- the ongoing testing, evaluation, updating and reporting of the BCM plans and the overall framework.
The Tax Office has appropriate mechanisms to test and evaluate its administration of business continuity enabling it to continuously reassess the effectiveness of its policies and procedures. This assisted the Tax Office to demonstrate that the challenges arising from the actual crisis events, as well as the testing exercises, that occurred during the course of the audit were met effectively through the implementation of the current BCM plans. Where appropriate, lessons learnt from responding to these specific disruptions were used to reassess the ongoing effectiveness of the Tax Office BCM plans, practices and procedures.
The ANAO has made six recommendations aimed at improving the Tax Office's BCM planning and procedures.
Key findings by chapter
Background and Context (Chapter 1)
The Tax Office has allocated significant resources to achieve its outcome of effectively managing and shaping Australia's self assessment taxation systems. A key contribution to the achievement of this outcome is the work that the Tax Office has undertaken to build taxpayer confidence in the system. A significant or long term interruption to ‘business as usual’ within the Tax Office has the potential to disrupt or undermine revenue collections or affect its ability to respond to taxpayer enquiries on a timely basis. BCM is critical if the Tax Office is to meet Government expectations that revenue collection will continue to be managed despite disruptions to ‘business as usual’ which will inevitably occur.
A comprehensive approach to developing a business continuity strategy requires consideration of risk management and business analysis processes in identifying the potential sources of, and impacts from, disruptions to ‘business as usual’. The Tax Office has identified key risk assessment information and business processes to form part of the data used to produce its business impact analysis. This in turn has also assisted the Tax Office in building its BCP database.
The Tax Office has a BCM strategy which is articulated in its CMPS. This strategy is communicated through a framework consisting of emergency management, crisis management, disaster recovery and business resumption.
The Tax Office has distributed its key operational processes and people across a number of locations throughout Australia. This matrix structure adopted by the Tax Office gives it a high degree of business resilience that has allowed it to effectively withstand business disruptions or outages. Most documented disruptions in the 12 months to August 2008 arose from the total or partial loss of the use of buildings occupied by the Tax Office, rather than other disruptions, for example loss of IT systems capacity.
The Tax Office has an overarching framework that it uses to implement BCM. However this framework does not address the program management aspects of implementing BCM across an organisation as large and geographically dispersed as the Tax Office. The British BCM standard proposes that BCM is best run as an integrated program of work at a whole of organisation level.[6] At present the Tax Office separately completes a number of related BCM projects without having an integrated program management structure that clearly articulates how the individual project components of BCM are organised, directed and implemented in a coordinated way. An integrated program structure would allow for stronger coordination of the management of the individual BCM projects and activities within the Tax Office; and their success could be better monitored and reported to inform Tax Office management of the status of overall BCM preparedness.
Business Continuity: Better Practices and Benchmarks (Chapter 2)
A number of Australian and international standards and publications are available to assist organisations in setting up their BCM frameworks, which can also be used to benchmark their implementation strategies. Currently the Tax Office uses the ANAO Better Practice Guide—Business Continuity Management[7] as its principal source of reference in guiding its approach to BCM. However the Tax Office recognises that BCM is a dynamic field and so also reviews overseas standards to identify evolving elements of better practice that may be appropriate for its circumstances and enhance its BCM approach.
The Tax Office has implemented a BCM framework incorporating key elements of sound BCM practices which have been articulated in a series of CMPS and other documents.
The Tax Office Business Continuity CMPS provides policy and procedural instruction to staff in relation to the operation of BCM within the Tax Office.
The development and maintenance of these policies and procedures at an operational level is reflected in detail in the Tax Office's BCP database which was produced by applying the process methodology outlined within the ANAO Better Practice Guide—Business Continuity Management.[7]
The Tax Office has recognised that emergency management, crisis management, disaster recovery and business resumption should be wholly integrated, in accordance with business continuity standards, and has based its training and awareness packages around this concept.
Business Continuity Management Framework (Chapter 3)
The Tax Office's BCM framework, which has evolved over a number of years, in conjunction with its decentralised management operations, and its alternate BCM management structure which is activated in the event of a crisis situation, gives the agency a high degree of resilience.
The Tax Office business continuity framework consists of four elements that deal with continuity issues at different times and with different yet integrated strategies. The framework is supported by the various CMPS. These documents guide Tax Office staff in the management of a business continuity event by stating who and in what circumstances a crisis or disaster may be declared. The business continuity policies then authorise designated Tax Office staff, such as the BCM Director and the Disaster Recovery Manager, to resolve the business disruption and return to normal services.
In dealing with a crisis or disaster, the Tax Office has three designated teams responsible for business continuity, emergency control and disaster recovery respectively, that are staffed from business service lines. The National BCM Director coordinates across all three of these designated teams to manage the transition from one phase of a crisis to another. Information from a crisis or disaster is ultimately captured in the BCP database and this information is subsequently used to improve business continuity planning.
The National BCM Director within the Tax Office plays a crucial role in coordinating some, but not all, aspects of the implementation of the business continuity framework. At present responsibility for the emergency management component of BCM rests with individual staff located within each Tax Office occupied building. These staff are part of the Emergency Control Organisation (ECO) within the Tax Office and are guided specifically by the Emergency Control Organisation CMPS and the separately constituted Emergency Planning Committee (EPC) for each major Tax Office site.
The EPCs independently produce practices and procedures documentation and arrange for testing of the procedures. The ANAO sees benefits in using a systems based approach to managing and recording emergencies. Ideally the ECO could use the BCP database which would also more fully integrate emergency management into the business continuity framework. By more closely aligning emergency management to crisis management, staff safety could be better integrated into the response to business continuity disruptions.
Certificates of Assurance are provided to the Commissioner annually on business continuity, to verify BCM practices and procedures. There would be value in the Tax Office also extending the coverage of these Certificates to the ECO in order to further assist in the integration of staff safety within the business continuity framework.
BCM better practice suggests that most chief executive officers are unlikely to have the time to properly dedicate themselves to BCM during a crisis if they are to continue to manage their organisations. The Tax Office could therefore consider the appointment of a person other than the Commissioner as the national crisis manager. This would allow the Commissioner to ensure appropriate liaison with Government, other senior public sector agency managers, media and other stakeholders as required during the course of a BCM event.
Implementing the Business Continuity Management Framework (Chapter 4)
The Tax Office business continuity framework is based on accredited standards and benchmarks. In addition to these standards and benchmarks, the Tax Office has built a business continuity tool in the form of a BCP database. The creation and ongoing use of this database is a significant achievement in defining and operationalising business process resumption plans. The information on the BCP database provides a level of structure and integration around continuity issues that is not achievable through the use of standard templates and worksheets.
At present the updating of the BCP database is coordinated and undertaken largely by the National BCM Director. In light of potential ‘key-man’ risks and the need for succession planning there may be advantages in extending the maintenance of the BCP database to other staff within the Tax Office BCM workspace to increase their BCM knowledge and skills. During the audit the ANAO witnessed a number of business continuity events. The Tax Office managed these events in an appropriate and effective manner that either avoided business disruption or quickly resumed business as normal. In each case Tax Office staff, especially those with BCM responsibilities, demonstrated that lessons were learnt from the event and the BCP was, where appropriate, updated.
The ANAO observed that there was a reluctance in both exercises and in real time events, where appropriate, for Tax Office staff to formally declare a crisis and subsequently to declare a cessation of the crisis. If staff were provided with clear and succinct guidance on crisis declaration and cessation, it would provide a basis for the crisis management structure to be implemented thereby specifically identifying who is in control of the situation and hence responsible for decision making. This is in itself more likely to result in a more timely return to business as usual.
BCM better practice suggests that a schedule of exercising and testing needs to be agreed upon and implemented across an agency if it wants to assure the currency of its BCM practices and procedures. The Tax Office tests its disaster recovery procedures on a regular basis in order to maintain the currency of its recovery procedures as changes are implemented across its information communication and technology (ICT) platforms. Desk top and scenario crisis exercises have been less frequent, however the Tax Office is aware of this and has advised it is addressing this as part of the move to a site based business continuity leadership model.
The majority of business continuity events, as recorded on the BCP database, related to facilities, specifically buildings. In the past few years, a range of natural disasters as well as power failures and flooding due to burst water pipes has rendered all or part of at least one Tax Office building unusable each year. However with some 70 office locations across Australia the Tax Office has been able to transfer the operation of critical processes to other buildings or locations. This has created a multi-dimensional capacity to perform critical functions despite the loss of a site.
Tax Office senior managers and those staff with direct BCM responsibilities who were interviewed during the audit demonstrated a good knowledge of BCM practices and procedures. However, overall staff awareness and specific knowledge gaps could be further improved by implementing a computer based awareness raising campaign to ensure the knowledge is available easily and can be readily accessed by new staff in all locations.
In relation to disaster recovery the Tax Office has adopted a standard that ensures that its most important data is protected to a very high degree and is recoverable in any current realistic scenario. The Tax Office, through testing and in conjunction with its outsourced ICT provider, has developed a technical solution for its mid-range mainframe and data warehouse, which, based on the information and documentation provided, meets the maximum acceptable outage for these services as set by their internal clients within the Tax Office.
Summary of agency response
The Tax Office welcomes this review and considers the report is supportive of our overall direction in improving the continuity of business in the ATO.
As noted in the body of this report the ATO is managing its business continuity responsibilities by taking a systematic approach and forging and maintaining key relationships across the organisation. A number of sections of corporate documents relating to business continuity in the ATO have been reproduced in the report, and their content and relevance is noted in a positive way; in paragraph [3.32 in the Audit Report], it is stated “BCM process detailed within the Tax Office Business Continuity CMPS represents sound BCM practice.”
A number of the recommendations are quite specific to one area requiring some minor changes to procedures or documentation. In all cases these will be implemented as soon as practical and completed well before 30 June 2009.
A few of the recommendations refer to more integration of services within the ATO, and in particular Recommendation No. 1 recommends that the ATO views business continuity management as an ongoing, integrated business ‘program’ to be implemented across the Tax Office.
The ATO will explore a range of options to achieve this goal, and have engaged Booz and Company to work with us on this task to ensure we have a clear strategy for improvement. Particular focus will be given to the critical issues of integration of activities and regular reviews of our disaster recovery capabilities.
The ATO notes the constructive way in which this audit was conducted and looks forward to implementing the recommendations of the report.
[1] A number of other terms are used to describe unplanned disruptions or outages such as: event; incident; business disruption or interruption; and, business interruption event. All terms refer to the same concept.
[2] Tax Office, Corporate Management Practice Statement, Emergency Control Organisation, 2003/21.
[3] Tax Office, Corporate Management Practice Statement, Business Continuity, 2003/20.
[4] Tax Office, Corporate Management Practice Statement, Risk and Issues Management, 2002–03.
[5] ANAO Better Practice Guide—Business Continuity Management, January 2000, Canberra, is currently being updated for release in 2009.
[6] British Standard BS25999-1:2006 Business Continuity Management, Part 1: Code of Practice.
[7] ANAO, Better Practice Guide—Business Continuity Management, January 2000, Canberra.
[8] ANAO, Better Practice Guide—Business Continuity Management, January 2000, Canberra.