Systems and controls
Risk management and business continuity
We continue to apply the risk management principles and guidelines set out in Comcover's Better practice guide on risk management and in the AS/NZS ISO 31000:2009 Risk management—Principles and guidelines to DAFF's enterprise-wide risk framework. Implementation of the revised framework has been successful and continues to be underpinned by regular communication from the secretary and the executive, sending a strong message about the importance of risk management and driving a positive risk culture. The department is committed to continuous improvement, especially in its ability to maintain and grow its risk maturity level and to use ICT tools to support its work.
Risk influences the outcome of all work in DAFF and appropriate risk management enables all staff to understand, accept and manage risks as part of everyday decision making. Through our corporate governance framework we have integrated the management of risk into business functions, processes, systems, programs and projects. Accountability for managing risks is clearly articulated in the specific roles and responsibilities of all staff.
The department performed well in the 2012 Comcover Risk Management Benchmarking Survey. DAFF's greatest strengths in terms of its risk management capabilities were assessed as accountability and responsibility, integration and business continuity. As a result of our performance in the survey, we obtained a discount of 8 per cent on our 2012–13 Comcover insurance premiums.
At the 2011 Comcover Awards for Excellence in Risk Management, held in March 2012, we received two 'Highly Commended' awards and an 'Honourable Mention'. In the Enterprise-Wide Risk Management category, the department was highly commended for its commitment to managing risks as part of our everyday decision making and for moving from a risk-averse culture to one in which we engage with known risks. In the Risk Initiative category, we were highly commended for our work to address the risks posed by Asian gypsy moth. The department also received an honourable mention for its online system AquaticHealth.net, which tracks and forecasts outbreaks of aquatic animal disease.
The DAFF Business Continuity Plan (BCP) identifies actions for delivering critical functions and the provision of services and procedures to activate and implement the emergency, continuity and recovery or restoration strategies. We conduct BCP exercises regularly and the BCP is reviewed and updated annually.
The BCP was successfully implemented during business continuity incidents, including industrial action associated with the enterprise agreement negotiations, which required the department to deliver critical services with limited resources. Following each major business continuity incident, we held a debrief to capture lessons learned and develop actions to enhance the department's capacity to respond to future incidents.
In June 2010, the Attorney-General announced that a new Protective Security Policy Framework (PSPF) was to be implemented within Commonwealth agencies from 1 August 2012, and to be fully implemented by 31 July 2013. The department undertook a significant body of work during 2011–12 to review all protective security policies and procedures, culminating in the launch of our Protective Security Policy and Protective Security Plan in May 2012. The timely completion of this work brought our protective security policies and procedures in line with the PSPF, supported the delivery of staff awareness sessions in central and regional offices and enabled the development of a suite of protective security communication products ahead of the August 2012 commencement date.
We are committed to ensuring that we have effective protective security programs in place and continually review security risks that might adversely impact on our operations. To support this work, the department has commenced a review of its protective security risks in accordance with the PSPF. This work is scheduled to be completed in 2012–13.
To achieve departmental objectives and business requirements, we control acquisition of, and enhancements to, assets under a capital investment framework approved by executive management. Capital budget proposals are submitted to the Investment Committee for consideration. This committee also assesses the business cases for investment in either new or existing assets. Throughout 2011–12, the committee relied on a capital management plan and comprehensive ICT and property investment plans for capital management.
Our asset register is centrally managed to ensure the integrity of the department's asset data and reporting procedures. We have specialist team members to provide guidance on the management and disposal of assets. Our land, buildings and leased assets are managed by third parties under outsourcing contracts.
At 30 June 2012, the department's asset base was valued at just over $126 million. In 2011–12, we continued renewing our ICT infrastructure, including investing significantly in software to ensure sustainability of operations reliant upon ICT.
We carried out urgent upgrade works at our five quarantine stations and the site for the new quarantine station development has now been finalised.
Our major investments are in land, buildings, ICT and intangibles. We manage approximately 1250 building, leasehold improvement, property, plant and equipment assets at 156 locations across Australia, 49 of which are considered to be remote. We have more than 5300 ICT-related assets under a leasing arrangement, also located across Australia.
Information and communication technology management
In November 2011, all ICT functions were consolidated into one division, with the aim of enhancing the department's capability and creating greater efficiencies in ICT functions.
The department submitted an ICT Second Pass Business Case to the Australian Government Information Management Office in January 2012 for the development of ICT systems and infrastructure to support changes in business processes proposed under the Biosecurity Reform Program. Key priorities of the ICT Second Pass Business Case are:
- stabilising and modernising the ICT environment
- enabling a 'risk-return' operating model to facilitate the development of policy, strategy and operations based upon risk assessment and the most effective intervention points
- providing opportunities for whole-of-government collaboration.
The department also completed a tender evaluation for the provision of secure internet gateway services.
DAFF has been appointed as a lead agency under the Australian Government Internet Gateway Consolidation Program and will supply shared internet gateway services to 11 client agencies.
Development commenced on an Enterprise Infrastructure Project to begin in July 2012. This project will provide a scalable, robust and future-proof infrastructure environment that will support ICT reforms within the broader biosecurity reform agenda, as well as support the strategic direction of ICT within DAFF.
Development of the ICT Strategic Plan 2012–2016 is also nearing completion. The strategic plan identifies key business initiatives and programs requiring ICT support over the next four years and will shape future ICT investment and strategy in the department.
Program and project management
The department continued to build its capability to better deliver change management to achieve its objectives. This contributes to whole-of-government requirements to improve agency capability by applying the portfolio, program and project management maturity model (P3M3) and initiatives relating to Ahead of the game: blueprint for the reform of Australian Government administration.
Efforts during the year included enhancements to the project management framework launched in 2010 and improvements to support resources and tools. These activities continue to inform future requirements for our portfolio, project and program management arrangements.
Our annual internal audit program is developed through risk analysis, review of previous and current assurance engagements and discussions with senior management. The secretary endorses the annual internal work program and the Audit Committee monitors the program's implementation. The committee also reviews audit findings and recommendations and monitors management actions in response to recommendations.
Audit services have been provided through a co-sourced arrangement with Deloitte Touche Tohmatsu since September 2010. Audits during the year explored:
- information systems
- departmental and administered finances
- administrative and logistic activities.
As an example of the coverage provided by internal audit, the following areas were reviewed:
- the upgrade of the department's human resource management system to Aurion Version 10.0
- the management of incursions and outbreaks of pests and diseases into Australia
- governance arrangements in place for research and development corporations
- management of personal information
- the department's procurement framework and practices.
The overall results showed that our control processes are operating effectively. Figure 17 compares the numbers and types of audits completed over the past three years. While there has been a reduction in the number of audits, this has not affected the level of assurance the department receives. We have been increasing the number of assurance activities across the department, particularly through the development and undertaking of an annual program of biosecurity audit and verification activities. Assurance is also provided through the Certificate of Compliance process, a strong enterprise risk management culture and independent reviews by the Australian National Audit Office and the Interim Inspector-General of Biosecurity (IIGB).
In addition to the annual audit program, DAFF's internal auditors:
- undertook seven management-initiated assurance tasks
- assisted DAFF with the development of an assurance framework
- undertook two assignments for the IIGB.