Systems and administrative processes
Information and communication technologies (ICT) management
During the year, DAFF embarked on an aggressive agenda to implement our ICT Strategic Plan 2010–15. We successfully delivered a number of projects including refreshing regional desktop and laptop computers and rolling out Microsoft Windows 2007 office tools.
We also worked on mitigating the risks of failure in the import and export systems by addressing single points of failure in the systems’ designs. DAFF’s secondary data centre in Fyshwick, ACT was used to locate redundant system components and to strengthen continuity arrangements. Alternate telecommunications paths were also put in place to minimise the risk of system failure. Despite this, hydraulic and electrical system failures in DAFF’s Canberra headquarters affected power and air-conditioning systems in the data centre. Following an engineering assessment of the building, DAFF decided to relocate its primary data centre to an offsite commercially-managed facility. The relocation is expected to be completed by October 2011.
During the year, DAFF was subjected to a number of cyber security attacks, including ‘phishing’ intrusions using bogus emails and ‘denial of service’ attacks that targeted our websites with numerous hits, preventing access by legitimate enquiries. To manage cyber threats while still increasing access and the use of social networking capabilities, we introduced a new internet filtering suite, a network logging and audit tool, and an integrated threat management suite.
We contributed to a number of whole-of-government ICT initiatives and assisted the Department of Finance and Deregulation to prepare and evaluate the request for tenders for telecommunication and data centre services. DAFF was also selected as one of the lead agencies for the internet gateway consolidation program which aims to further mitigate the risks of cyber security attacks by reducing the number of access points to government websites. In this capacity, we will establish contracted internet gateway services for a number of client agencies.
After successfully revitalising our approach to risk management in 2010, we set about integrating our processes into our day-to-day activities. We offered risk training to all staff, developed online risk training and added more tools to our portfolio of risk documentation and systems.
At the Comcover Awards for Excellence in Risk Management, we won the Risk Initiative category for our Sea Container Risk Management Policy, and also received an honourable mention for our Enterprise Wide Risk Framework. The case study below provides additional information.
DAFF was the top performer out of 134 agencies in Comcover’s 2011 Risk Management Benchmarking Program. We achieved our highest-ever score, excelling in accountability and responsibility, business continuity and integration, and in having a positive risk culture.
We held our annual business continuity exercise in October 2010 to test how effectively our business continuity processes respond to a disruptive incident. An independent professional evaluator observed and made recommendations on further improving our business continuity and crisis management processes, as well as on the management of the exercise.
In response to the Brisbane floods and Cyclone Yasi in January 2011, DAFF successfully activated its Business Continuity Plan, and we were able to maintain all critical operations.
Award for DAFF’s approach to risk management
DAFF has been changing the way it manages risk—a move that has won us a national award for our risk initiative involving sea container inspections.
We won a 2011 Comcover Risk Management Award for our Sea Container Risk Management Policy (SCRMP). We also received an honourable mention for our enterprise-wide risk management approach.
The awards of excellence are presented annually by the Australian Government Department of Finance and Deregulation to recognise exceptional and inspiring examples of risk management in government agencies.
DAFF’s risk initiative relates to a change in a decade-long practice of inspecting the outside of all shipping containers for biosecurity hazards. The inspection statistics resulting from this work showed that very few containers required further action.
To help us target the containers that posed a biosecurity risk, the Australian Centre of Excellence for Risk Analysis developed a robust metric for determining when AQIS should intervene and inspect a container, as well as analysing the effectiveness of these interventions.
As a result, our AQIS inspectors now focus their attention on containers coming from high-risk countries and those going through or to rural areas. All of these containers are inspected before they leave the port area. Other containers, such as those coming from low-risk countries and going to metropolitan areas, are now sampled rather than universally inspected.
SCRMP is only one part of the larger change being implemented across the whole department. Since 2009, DAFF has been revitalising risk management processes, comprehensively redeveloping our risk management framework and program to build a more agile, effective and resilient organisation.
With executive commitment and support for managers and staff, we have put in place widespread changes that have made us the top performer out of 134 agencies in the 2011 Comcover Risk Management Benchmarking Program (see Risk management and business continuity in this section).
Risk management is now part of everyday decision making, planning, reporting and corporate governance. Our thinking has evolved so that we can now work positively with known and calculated risks.
Above: DAFF staff at the Comcover Risk Management Awards presentation (Photo: DAFF)
Internal audit is part of our governance framework and is designed to examine, evaluate and monitor the adequacy and effectiveness of internal controls established to regulate DAFF’s operations. Our Audit Committee endorses the internal audit work program and monitors its implementation. The committee also reviews audit findings and recommendations and monitors management actions in response to recommendations.
Audit services for the year were provided through a co-sourced arrangement between DAFF and Deloitte Touche Tohmatsu that started in September 2010, providing assurance about current corporate, enterprise and operational risks to projects; information systems; programs; operations; departmental and administered finances; and administrative and logistic activities.
The overall results demonstrated DAFF’s control processes were operating effectively. Figure 16 compares the numbers and types of audits completed over the past three years.
In addition to the annual audit program, DAFF’s internal auditors:
- provided assurance services for three management-initiated assurance tasks
- provided consulting services on three systems that were under development
- undertook one assignment for the Interim Inspector General of Biosecurity.