Business Continuity Management and Emergency Management in Centrelink
The objectives of this audit were to:
- assess the current status of BCM and EM arrangements in Centrelink and identify opportunities for improvement; and
- review Centrelink's response to the recommendations.
In 2007–08, Centrelink distributed $70.5 billion in payments to 6.5 million customers. To deliver these payments, Centrelink employs a workforce of more than 26 000 staff who operate from over 1000 service delivery points across Australia. Supporting its staff and service delivery network, Centrelink also relies on a large and sophisticated information technology (IT) environment that processes approximately 6 billion transactions annually.
To ensure continuity of the vital services it provides to the community, Centrelink must have in place systems and processes that both reduce the risks of business interruptions and also helps restore functions when disruptions occur. These systems and processes should be complemented by appropriately trained staff that can react when interruptions occur or threaten to occur. It is the development, implementation and maintenance of a control framework to manage business disruptions and build entity resilience that constitutes an entity's approach to business continuity management (BCM).
Emergency management (EM) is linked with BCM and involves managing an emergency, such as a flood, that has an impact on the entity's activities. In Centrelink's case this can have an internal and/or external impact:
- An internal impact, such as a flooded building, that must be evacuated. This requires Centrelink to activate its business continuity plan and crisis coordination arrangements, and establish recovery and interim processes that can, over time, lead to a return to business as usual.
- An external impact, such as a town being flooded and residents requiring emergency assistance. In this respect Centrelink plays an important role in community recovery operations following a disaster through facilitating the payment of government financial assistance (the Australian Government Disaster Recovery Payment (AGDRP) and ex gratia payments) and providing other community support, such as social work and family liaison officer services, to people affected by disasters.
In some cases, internal and external impacts occur at the same time such that Centrelink may be required to simultaneously activate its business continuity plan and play a role in a community emergency response.
Accordingly, in addition to having BCM arrangements in place, it is important that Centrelink develops, implements and maintains arrangements to prepare for, respond to, and recover from, emergencies.
In 2003–04, the Australian National Audit Office (ANAO) undertook an audit of BCM and EM in Centrelink.1 The audit (‘previous audit') concluded that Centrelink generally had an appropriate framework for BCM and EM, however, it identified a number of continuity risks and made 11 recommendations to improve the implementation of BCM and EM in the agency. Centrelink agreed to all 11 recommendations.
Audit objectives, scope and criteria
The objectives of this audit were to:
- assess the current status of BCM and EM arrangements in Centrelink and identify opportunities for improvement; and
- review Centrelink's response to the recommendations and suggestions of the previous audit.
Centrelink's EM arrangements include an internal and an external component.2 Community recovery operations form a major part of the external component but are not included within the scope of this audit. They will be addressed in a separate audit report to be published during 2009–10. Centrelink's role in providing services and payments to those people affected by the Queensland floods and Victorian bushfires during January/February 2009 will be examined as part of the separate audit report.
As the community recovery aspect of EM will be considered in a separate report, Recommendation No.11 from the previous audit is not considered in this report.3
The criteria for this audit included an examination of:
- Centrelink's progress in implementing the 10 recommendations and eight suggestions in the previous audit;
- the alignment of recent Centrelink BCM and EM reforms with better practice;
- the extent to which BCM and EM arrangements reflect Centrelink's strategic issues and risks; and
- Centrelink's capacity to respond to business disruptions and community emergencies.
Centrelink is a primary contributor to Australian Government service delivery, administering over $70 billion of payments on an annual basis. It is therefore critical that Centrelink has in place a mature BCM framework that can successfully limit and, where required, respond to business disruptions.
A significant or prolonged disruption to Centrelink's ‘business as usual' activities has the potential to disrupt the delivery of payments to customers, often the more vulnerable members of the community, and more broadly impact on Centrelink's ability to efficiently and effectively achieve its purpose of ‘assisting people to become self-sufficient and supporting those in need'.4
Centrelink has an established BCM and EM framework that it continues to develop and which is supported by operational policies, processes and staff. Given its geographically dispersed network, a strength of Centrelink's BCM is its business resumption arrangements, which include the ability to seamlessly divert calls/processing from one call centre/customer service centre to another in the event of a disruption or failure. Centrelink also has effective crisis coordination arrangements that allow it to respond to a business continuity incident or disaster in an appropriate and timely manner.
Centrelink's implementation of its BCM framework generally follows the six steps outlined in the 2000 ANAO Better Practice Guide.5 Centrelink has in place processes that allow continuity risks and treatments for new projects to be identified and addressed, while continuity risks and recovery priorities are also identified for current services on an annual basis.
In some areas, however, the BCM framework and its implementation lack the maturity (that is the progress from planning, identifying risks and testing treatments to integration into ‘business as usual') that could be reasonably expected of an organisation of Centrelink's size and complexity. Specifically, there is:
- scope to improve the clarity, high-level oversight and coordination of the framework, in particular the coordination of IT business continuity and the implementation of BCM and risk management arrangements;
- inadequate assurance that the continuity risks and recovery priorities identified for individual processes and services reflect an agency-wide perspective, or whether they can be met;
- a need to improve business continuity planning (which currently focuses on the initial crisis response) and tests of continuity plans and risk treatments, which in turn will help clarify the approach to, and management of, the different phases of BCM; and
- a need to identify and report on key performance indicators that measure the success or otherwise of BCM arrangements and identify areas for improvement.
Once a clearer and maintainable BCM framework has been implemented, Centrelink will need to shift its emphasis towards the testing, training and identification of opportunities for performance improvement. It is testing, training and continuous improvement which will assist Centrelink in building its capability and instilling a culture of readiness. This will inturn improve the maturity of its business continuity preparedness.
The BCM framework and its implementation require further development and this is reflected in the fact that, of the 11 recommendations in the previous audit of BCM and EM, Centrelink has fully implemented five recommendations and partially implemented five recommendations.6
The ANAO has made five recommendations in this audit aimed at assisting Centrelink to further improve its BCM framework and its application, and address the areas not covered in the partial implementation of five recommendations from the previous audit.
Current status of business continuity management arrangements in Centrelink (Chapters 2 and 3)
Centrelink's business continuity management framework
Centrelink's BCM framework includes a Business Continuity (BC) Policy,7 governance arrangements for the operation and high-level oversight of BCM, crisis escalation and coordination arrangements, identification of high-level BC priorities and other supporting processes and documents.
High-level oversight of BCM is provided by the Business Continuity, Crisis Management and Security (BCCM&S) Sub-committee, with day-to-day operational responsibility residing with the Business Continuity and Crisis Management Section. Until it was reconstituted in February 2009, the BCCM&S Sub-committee received reports on BCM and EM activities but not on IT continuity issues. This meant that the Sub-committee was not in a position to fully exercise agency-wide oversight of BCM issues. While the reconstitution of the Sub-committee occurred after the audit fieldwork was completed, Centrelink advised the ANAO that the Sub-Committee is now better positioned to provide agency-wide oversight of BCM and will receive regular reports on IT business continuity.8
Centrelink's BC Policy recognises that BCM is part of risk management. There are limited processes in place, however, to coordinate the planning and implementation of BCM and risk management policies and to exploit synergies between the two. For example, the risk assessments undertaken for risk management and BCM planning are completed separately, meaning they are not necessarily used to inform the other. High-level oversight of each process is also the responsibility of a different strategic committee. Centrelink has advised the ANAO that it plans to integrate BCM planning with its business and risk management planning from 2009–10.9
Centrelink published its BC Policy and supporting processes in a coordinated package of booklets in 2005. While information on Centrelink's BCM framework is now maintained on its Intranet, some of this information, such as planning templates, requires improvement. Within the documentation and processes supporting Centrelink's framework, there is a lack of clarity in the use of terms relating to a disaster. This lack of clarity can limit a common understanding among staff of the steps and strategies involved in responding to a disaster and in turn impact on the organisation's BCM and EM preparedness. The framework could be improved by more clearly distinguishing the approaches to the initial crisis response, and the subsequent BCM and EM phases and treatments.
Centrelink has effective crisis coordination arrangements that include: established escalation arrangements; the ability to convene National and/or Area Crisis Coordination Centres; a number of core ‘business resumption teams' to coordinate the restoration of services and support the National Crisis Coordination Centre (NCCC); and the Centrelink Operations Facility that monitors network performance and acts as the conduit for other internal and external information vital to an event.
Centrelink is planning further development and refinement of its BCM framework and supporting tools. Improvements in BC planning and testing, together with clarification and better agency-wide oversight of the framework, will provide Centrelink with the opportunity to improve its BC readiness and ability to respond quickly and effectively to continuity disruptions.
Implementation of business continuity management framework in Centrelink
In implementing its BCM framework, Centrelink has largely followed the steps outlined in the 2000 ANAO Better Practice Guide.10 There remain, however, some areas where implementation has either not fully covered the steps outlined in the BPG or where improvements can be made.
To ensure sufficient coverage of BC within an organisation, there is a need for all key business services and supporting processes to be identified. The impact of an interruption to these services and processes should then be analysed to establish the maximum length of time they can be interrupted before business objectives are compromised the ‘maximum allowable outage' (MAO). This can be done through a business criticality review, which allows an organisation to establish where its service risks exist, assess their relative importance through comparison (including using agreed MAOs) and identify strategies to address them. Centrelink last conducted a business criticality review in 2002 and has since then relied on annual assessments by National Support Office branches of MAOs for the services or processes they manage. These are complemented by seven high-level service business continuity priorities that were endorsed by Centrelink's Executive in 2008.
There are some limitations in this approach. In particular, there is no assurance that the MAOs determined by individual branches represent an agency-wide view of the relative criticality of those services or processes, or that they can be achieved. Given that it has been seven years since a formal business criticality review has been undertaken for all business processes performed within the agency, and there have been changes in Centrelink's business during this time, it is timely that Centrelink conduct another such review. A centralised annual review and endorsement of MAOs determined by branches would also help address the ability for an ongoing agency-wide assessment of the relative criticality of services and processes.
Branches' annual assessments of MAOs are prepared using a business impact analysis (BIA) template. The BIA assesses the tangible and intangible impacts of a business process being affected or downgraded for different time periods. A BIA is intended to guide the development of a business continuity plan (BCP), with the BCP including treatments (such as disaster recovery plans or interim processing) to deal with any continuity risks identified in the BIA. Centrelink business units currently only prepare emergency management plans (EMPs). EMPs have a focus on the initial crisis response phase and include checklists of immediate steps to be taken in the event of a crisis. While EMPs are a useful tool they do not identify continuity risks to business processes and proposed treatments for the risks that can then be tested – both of which are important elements of BCPs.
Centrelink is reviewing its continuity planning templates. Given the role of BCPs in the BCM framework, it is important that the BCP template is finalised and that business units are required to identify continuity risks and treatments in their BCPs. This process should align to the existing BIA process and usefully also link to business units' risk management planning.
Once BCPs have been prepared, Centrelink's focus can increasingly move to testing the continuity treatments in them and bedding BCM into its ‘business as usual' operations. In this regard, and in the absence of BCPs, the continuity testing of EMPs has been ad hoc in nature. Centrelink does schedule tests of its IT disaster recovery plans but these are not necessarily being completed in a timely manner because of operational priorities. More regular and rigorous testing of its BCPs (once implemented) and disaster recovery plans will be useful for informing Centrelink of both strengths and weakness in its BCM framework and its application.
The previous audit identified a number of BC risks and/or opportunities for improvement in Centrelink's IT infrastructure and applications. Three of those risks related to Centrelink's data centres, off-site data storage and IT back-up arrangements. Centrelink is taking ongoing action to address these issues.
With the exception of the completion of scheduled tests of IT disaster recovery plans, Centrelink does not have established measures against which BCM performance can be assessed and areas for improvement identified. Accordingly, performance measurement could be improved by establishing key performance indicators and then reporting against those to the BCCM&S Sub-committee so that an agency-wide assessment of BCM preparedness can be provided to the Executive. Further, in line with the BCCM&S Sub-committee fulfilling its role and endeavouring to seek improved performance, post-implementation review reports on continuity incidents, including IT continuity incidents, should also be submitted to the Sub Committee for consideration.
Update on Centrelink's response to the recommendations of the previous audit (Chapter 4)
Centrelink has fully implemented five of the recommendations (Nos. 2, 3, 5, 8 and 10) and partially implemented five of the recommendations (Nos. 1, 4, 6, 7, and 9) of the previous audit that relate to business continuity.
Areas where Centrelink has not fully implemented the recommendations of the previous audit include: under-utilising links between BCM and risk management arrangements, gaps in the BC planning and rehearsal area (reliance on EMPs only, with BCPs still to be implemented, and no minimum standards for plan rehearsals), inadequate maintenance of other key documentation (such as the IT Services Catalogue) that support IT continuity planning, and limited identification of corporate records and treatments for their protection.
Summary of agencies' responses
Summary responses to the proposed audit report and its recommendations were provided by Centrelink and the Department of Human Services. These responses are set out below.
Centrelink welcomes this report and considers that implementation of the recommendations will further enhance Business Continuity Management in Centrelink. In particular, the recommendations will inform the governance and performance management and testing of business continuity arrangements in Centrelink.
Centrelink agrees with the recommendations in the report.
Department of Human Services
The Department of Human Services (DHS) welcomes the follow-up report and notes that Centrelink agrees with the overall recommendations outlined in the Section 19 report. Of the eleven recommendations made in the previous report, five recommendations have been fully implemented. A further five areas have been identified where improvements can be made. DHS notes the ANAO's acknowledgement that the reforms and initiatives already in hand address the outstanding matters raised in the Report.
1 Australian National Audit Office, ANAO Audit Report No.9 2003–04, Business Continuity Management and Emergency Management in Centrelink, Canberra.
2 Refer Chapter 1, Figure 1.1, p. 29.
3 Recommendation No.11 related to Centrelink monitoring and reviewing its emergency stakeholder liaison and response planning at a national level.
4 About Us Index [Internet], Centrelink, available from: <http://www.centrelink.gov.au/internet/internet.nsf/about_us/index.htm> [accessed 19 April 2009].
5 ANAO Better Practice Guide–Business Continuity Management-Keeping the Wheels in Motion: A Guide to Effective Control, January 2000, Canberra, p. 30 64. Given the timing of this audit and the release of the ANAO's updated BPG – ‘Business Continuity Management: Building resilience in public sector entities' – in June 2009, the original BPG has been used as the basis for analysing Centrelink's BCM framework. Where relevant, regard has been given to the updated BPG.
6 As the community recovery aspect of emergency management has been separated from this report (refer paragraphs 7-8), Recommendation No.11 from the previous audit is not considered in this report.
7 Centrelink, Business Continuity Policy, Canberra, 2007.
8 This is supported by early evidence of reporting to the February 2009 meeting of the BCCM&S
9 Sub-committee that included IT business continuity related information.
Centrelink advice 16 April 2009.
10 ANAO Better Practice Guide–Business Continuity Management-Keeping the Wheels in Motion: A Guide to Effective Control, January 2000, Canberra, p. 30-64.