Centrelink’s Business Continuity Planning efforts have been largely endorsed by the Australian National Audit Office (ANAO), just weeks after being one of four agencies criticised for poor record-keeping practices.
A September report, Recordkeeping in Large Commonwealth Organisations, highlighted poor record-keeping practices by Centrelink, the Department of Agriculture, Fisheries and Forestry, the Department of Family and Community Services, and the Department of Health and Ageing. It concluded failures in record-keeping left these agencies exposed to the risk that important data would not be captured and that records might be released or disposed of without authorisation.
And even though Centrelink was one of three of the agencies which had developed Business Continuity Plans (BCP), it found the plans of all three failed to identify vital records. It was also concerned that those plans concentrated on the regular performance of Information Technology (IT) back-ups and gave little attention to the protection or retrieval of paper records or electronic records saved/archived on portable physical media such as floppy and compact disks.
But if Centrelink needs to lift its game on record keeping, ANAO apparently does recognise its overall strength in BCP. In its latest Performance Audit Report, Business Continuity Management and Emergency Management in Centrelink, the ANAO found Centrelink is proving relatively effective in BCP. It found Centrelink’s BCM framework effectively addressed the main elements of business continuity outlined in the better practice literature, namely crisis response, crisis management, interim processing and business process recovery.
“For example, Centrelink’s crisis management organisational structure is logical, as it is based on a Crisis Command Centre structure, includes appropriate managers from Centrelink’s network, specifies appropriate Business Resumption Teams, and clearly defines the roles and responsibilities of the key business continuity participants. The Crisis Command Centre structure and Business Resumption Teams also generally work well in practice,” the report found.
As in most organisations, BCP in Centrelink is an evolutionary process. A 2001 ANAO report gave the organisation a “satisfactory” rating for I&T continuity planning training, distribution, back-up and administration, but reported Centrelink’s Internal Audit had recognised that Centrelink had yet to completely test its Business Continuity Management Plan for the Mainframe Operations centre.
Centrelink delivers the Government’s social policy agenda and other programs, paying around $55 billion to more than 6.3 million customers in 2001-02 alone. And it is also being increasingly required to play a role in responding to major emergencies affecting Australians, with the 2002 Bali terrorist bombings being a prime example. ANAO notes Business Continuity Management (BCM) strategies and plans are essential to its mission.
And it seems it is making a fair fist of those plans, with some caveats.
The latest report notes Centrelink has recently established a Business Continuity and Emergency Management team, and an IT Service Continuity Management team. It says the new structure should improve the alignment of BCM and EM in Centrelink, while warning Centrelink should clearly distinguish the objectives and operating requirements of BCM and EM.
On the whole, the report found most of Centrelink’s BCM related plans and processes incorporated a risk management process consistent with that used for broader risk management in Centrelink. And it said ANAO’s risk management and BCM were well aligned at the operational level, while finding scope for further improvement to make business continuity plans and underlying risk management methodologies more consistent.
It also found Centrelink’s business continuity capability to be strongly bolstered by the nature of its business, especially the delivery of services to customers throughout its network. And it found Centrelink’s I&T infrastructure and applications (especially its mainframe processing of customer entitlements) and telecommunications constitute its most critical processes.
“At the time of audit fieldwork, the ANAO found that Centrelink’s I&T framework had a number of shortcomings but was generally consistent with established BCM practices. The ANAO notes that Centrelink has recently embraced an Information Technology Infrastructure Library (ITIL) framework. IT Service Continuity Management (ITSCM) is a component of ITIL. Fully implementing this ITSCM component should substantially assist Centrelink to improve I&T business continuity management,” it said.