Did business continuity arrangements enable the continuation of essential public services during the coronavirus (COVID-19) pandemic?
Why this audit is important
The Victorian Government delivers a wide range of services that are vital to Victorians’ economic, financial and social wellbeing. It is important that the government can keep these services running during a disruption.
To minimise the impact of disruptions, agencies need effective business continuity frameworks and actions. The COVID-19 pandemic has tested these arrangements.
Who we examined
We examined all eight Victorian Government departments, including the former Department of Health and Human Services.
We also included Cenitex, which provides ICT services to most departments.
What we examined
We examined each department’s business continuity arrangements to check if:
- they prepared departments for a major disruption prior to COVID-19
- departments effectively implemented them during COVID-19 to maintain prioritised services.
We did not look at the state’s emergency response to COVID-19.
What we concluded
Before the pandemic, most departments’ business continuity arrangements were inadequate. This meant that their response to restoring and maintaining their prioritised services was reactive and less efficient and effective than it could have been.
Nonetheless, departments' incident management structures allowed them to quickly set up teams, provide clear communication and make decisions. This helped them make changes and prioritise services.
The failure to adequately plan and prepare for a long-term disruption to services from a major event—and specifically, a pandemic—is compounded because for many years, a pandemic has been recorded as a state-significant risk.
Further, tests of business continuity planning arrangements in 2018 and 2019 found significant weaknesses in them, but many of these were not addressed.
Departments can be better prepared for foreseeable major disruptions by regularly testing their business continuity plans and treating them as living documents.
What we recommended
We made two recommendations to the Department of Premier and Cabinet and the Department of Treasury and Finance about whole-of-government business continuity arrangements.
We made one recommendation to the Department of Justice and Community Safety, the Department of Health and the Department of Families, Fairness and Housing about developing standalone pandemic plans.
We also made six recommendations to all departments, including four about improving business continuity preparation and two about reporting following a disruption.
Note: The number of prioritised services can vary as departments review their services and undergo structural changes.
Source: VAGO, based on information from departments.
What we found and recommend
We consulted with the audited agencies and considered their views when reaching our conclusions. Their full responses are in Appendix A.
BCM is a management process that includes frameworks, planning and actions to ensure that departments can deliver prioritised services following a disruption.
Preparedness versus response
The ability of government departments to continue providing services during a disruption depends on how well prepared they are and how they respond. Good business continuity management (BCM) is key to this.
We examined whole-of-government business continuity arrangements. We also looked at departments’ preparedness for a major disruption and their response to the coronavirus (COVID-19) pandemic.
The ‘Risk IDC’, which is led by the Department of Treasury and Finance (DTF), helps the government identify and manage key shared and state-significant risks.
GSRN was established in 2015 to improve the resilience of Victorian Government departments and essential state systems. It is made up of all departments and Victoria Police.
Exercising is the process of training for, testing, assessing, practising, and improving an organisation’s business continuity performance.
A BCP is a document that outlines how a business will continue operating during an unplanned disruption and resume any services that have been disrupted.
COVID-19 has caused a disruption of a scale that most people have not experienced before. Responding to a pandemic is complex. It involves private industry and the public sector, emergency management, crisis management, and a health response.
However, a pandemic was foreseeable. For many years, statewide risk plans have listed a pandemic as a risk. In 2019, the State Significant Risk Interdepartmental Committee (Risk IDC) rated this risk as ‘likely’ to occur with ‘severe’ consequences.
Prior to COVID-19, the Victorian Public Service (VPS) had mitigation strategies for managing a statewide disruption. However, its focus was on the emergency response (protecting life, assets and the environment), not business continuity.
Business continuity planning
In October 2018, the Government Sector Resilience Network (GSRN) ran Exercise Petunia to examine what would happen if a significant percentage of the population could not work due to a pandemic. This exercise used a multi-agency pandemic scenario.
|Exercise Petunia highlighted opportunities to improve …|| ||However, three years later …|
|departments' business continuity plans (BCPs)||only covered short-term disruptions lasting one to two months.||departments’ BCPs do not address large-scale and complex disruptions.|
|whole-of-government ICT systems and inter-agency staff redeployment||prepare the VPS for technological and staff resourcing surges.||there is no policy on whole-of-government staff redeployment. In April 2020, the government introduced the Industrial Relations Framework for managing the coronavirus (COVID-19) pandemic to help facilitate staff movements.|
|communication and coordination between all sectors||should allow a coordinated whole-of-government response to a large-scale disruption.||there is no whole-of-government oversight of business continuity.|
Prioritised services are the products, services, processes, activities and resources that a department must prioritise to avoid unacceptable impacts to its business. They are also sometimes referred to as ‘critical’, ‘essential’ or ‘key’ services.
No single agency is responsible for coordinating prioritised services from a whole-of-government perspective. This means that each department largely acts on its own.
During the initial stages of COVID-19, the Department of Premier and Cabinet (DPC) took on a lead business continuity role for whole-of-government matters.
While this arrangement was beneficial, it was temporary and reactive, which led to some delays in communication and setting up processes.
The Victorian Government set up the Crisis Council of Cabinet and VPS missions in April 2020. However, these groups have understandably focused on the emergency response.
The Victorian Government set up the Crisis Council of Cabinet to oversee its COVID-19 response. It also established core VPS missions, which were led by the relevant secretary. These missions were designed to focus on specific elements of the COVID-19 crisis, such as health, economic development and public services.
Recommendations about whole-of-government arrangements
|We recommend that:||Response|
|Department of Premier and Cabinet and the Department of Treasury and Finance||1. develop communication protocols and a list of prioritised services that will inform business continuity responses at a whole-of-government level (see sections 2.1 and 3.1)||Partially accepted by: DPC and DTF|
|2. review business continuity exercises across the state to ensure that whole-of-government business continuity scenarios are tested at least every three years. This includes engaging with participants to either broaden the scope of any planned exercises or introduce new exercises (see Section 2.1).||Accepted in principle by: DPC and DTF|
Preparedness: departments’ individual arrangements
The ISO standard is an internationally recognised standard that sets out the core requirements for BCM.
BCM policies and procedures
All departments had BCM policies, procedures and response structures in place prior to COVID-19. While these had some minor gaps, they were mostly aligned with the requirements of the AS ISO 22301:2020 Security and resilience—Business continuity management systems—Requirements standard (ISO standard).
However, preparedness involves more than just having policies. It requires departments and the sector to understand the services they provide, the impact a disruption would have on these services and how they should respond.
A BIA is the process of analysing the impact that a disruption would have on an organisation over time.
The first step in doing this is a business impact analysis (BIA).
Business impact analysis
A BIA is one of the most important elements of business continuity planning. However, there are significant gaps in this practice across the departments.
A BIA should help an organisation:
- understand how a disruption might impact its services
- understand what services it should prioritise in a disruption
- identify the processes and resources that support its services.
However, many departments' BIAs did not fully assess the impact that a disruption might have on their services. They also did not all consider minimum resource requirements and the internal and external suppliers that their services need to run.
These gaps can impact how effectively departments respond and maintain their prioritised services during a disruption.
Despite the importance of BIAs:
- only the Department of Education and Training (DET), the Department of Environment, Land, Water and Planning (DELWP) and the Department of Justice and Community Safety (DJCS) have organisation-wide BIAs
- DPC had not undertaken a BIA since 2016
- the Department of Transport (DoT) and the Department of Jobs, Precincts and Regions (DJPR) did not undertake a BIA in 2019 after significant machinery-of-government changes. DoT stated that this is because it did not finalise its structure until December 2019.
- DET was the only department that had BIAs that included all elements of the ISO standard prior to COVID-19.
Business continuity plans
Organisations should use the information they gather through their BIAs to develop strategies to ensure they can maintain their prioritised services during a disruption. Departments document these strategies in their BCPs. However, we found several issues with departments’ BCPs prior to COVID-19, which Figure A shows.
Figure A: Gaps in BCPs
|Key findings||Gaps and limitations||Impact|
|Except for DET, departments do not have BCPs that both align with the ISO standard and include all prioritised services.||For example, BCPs that:
||Departments have reduced confidence that:
|Except for DJCS and DJPR, all departments have overly complex or inconsistent BCPs.||BCPs duplicate or include unnecessary information from BCM procedures, frameworks, other plans and/or policies.||This makes the plans more difficult to understand and maintain.|
|Only DELWP, DET and DTF have organisation-wide BCPs.||Other departments do not have BCPs that clearly highlight their organisation-wide priorities and strategies.||Departments needed to undertake more work to collate their services and assess relative organisational priorities during COVID-19.|
|No department has BCPs that are designed for a long-term disruption, but DELWP has a separate framework to manage large or complex events.||Departments’ BCPs largely focus on localised short-term disruptions of less than two weeks.||This limits their usefulness in a long-term disruption.|
Note: *Activation criteria are a list of factors that departments use to decide if an event is likely to disrupt services and if they need to use their BCPs.
Source: VAGO assessment of departments’ BCPs prior to COVID-19.
Practising for a disruption
Departments need to exercise their BCPs to ensure they will be effective in a disruption. They also need to ensure that staff know how to respond.
Only DET and DJCS had a clear program of exercising and tracking recommendations for their entire BCM program.
Types of BCM exercises range from simple discussion-based desktop exercises that familiarise staff with a BCP to complex full-scale exercises that require an organisation to activate its BCP.
Departments often limited their BCM exercises to small-scale or desktop exercises, such as testing SMS functionality or testing the impact of a disruption on one or two business units.
Limited exercising of complex disruptions means that departments have missed opportunities to train staff and identify and implement lessons learnt, such as workforce planning or large-scale communication issues.
Staff training and resourcing
DELWP, DET and DJCS were the only departments that had dedicated training for business continuity staff. This means that business continuity personnel may not have the necessary skills and competencies to fulfill their roles during a disruption.
The Department of Health (DH) and DPC also do not have dedicated BCM resources. This further reduces their ability to take preventative action and respond to a disruption.
Recommendations about departments’ preparedness for a major disruption
|We recommend that:||Response|
|All departments||3. undertake business impact analyses every two years or more often when there are significant changes to their organisation (see Section 2.3)||Accepted by: DELWP, DET, DFFH, DJCS, DJPR, DoT, DPC and DTF
Accepted in principle by: DH
|4. review their business continuity plans at least every two years to assess if they:
||Accepted by: DELWP, DET, DFFH, DJCS, DoT, DPC and DTF
Partially accepted by: DJPR
Accepted in principle by: DH
|5. review their business continuity management exercising program every two years to:
||Accepted by: DELWP, DET, DFFH, DJCS, DJPR, DoT, DPC and DTF
Accepted in principle by: DH
|6. include mandatory training for staff who have dedicated business continuity responsibilities when they commence in the role and at least every two years. This should include their:
||Accepted by: DELWP, DET, DFFH, DJCS, DJPR, DoT, DPC and DTF
Accepted in principle by: DH
Response: individual departments
Departments’ pandemic planning
A pandemic is a unique disruption. Pandemics can affect multiple areas, such as staffing, suppliers, site availability and occupational health and safety, and therefore require specific response strategies. Only DELWP, DET and DPC had a pandemic plan prior to COVID-19. This means that departments spent valuable time developing plans during the pandemic.
During the initial stages of COVID-19, DJPR, DoT and DTF finalised their pandemic plans and DELWP, DET and DPC updated theirs. We found that departments’ pandemic plans contained varying levels of detail. For example, DJPR and DoT did not list all of their prioritised services in their plan.
The Victorian action plan for influenza pandemic (2015) sets out Victoria’s strategic approach to reduce the social and economic impacts and consequences of a pandemic. It also recommends that departments develop their own pandemic plans that include plans to resume interrupted services.
We also found that:
- DJCS does not have a pandemic plan. Instead, it incorporates pandemic strategies in its BCPs
- while the Department of Health and Human Services (DHHS) (now DH) has a pandemic plan for the health sector and coordinated the development of the Victorian action plan for influenza pandemic, DH and the Department of Families, Fairness and Housing (DFFH) do not have pandemic plans for their departments.
As a result, there is a risk that departments have not planned for or mitigated the threats to their business continuity due to a pandemic.
Incident management plans and teams form part of broader BCM. They focus on the immediate response. Key features include:
- a response group to manage the crisis
- senior-level involvement and accountability
- internal and external communication plans
- activation protocols.
Departments use incident management plans to coordinate their strategic response to a crisis. They are also known as crisis management plans.
All departments used BCM incident response teams to respond to COVID-19, except DoT, which developed a specific COVID-19 task force, and DELWP, which used its critical incident management team. These structures were essential because they helped departments:
- quickly make and communicate key decisions
- address gaps in understanding of their prioritised services (particularly at a whole-of-department level)
- transition to remote working.
A department’s decision to activate a BCP is discretionary and based on its assessment of risks and impact.
Only DHHS, DJCS, DPC and DTF activated all of their BCPs. Other departments activated some on a group basis or none at all.
DELWP activated its critical incident management plan to manage the effects of COVID-19 on its department. Both DELWP and DET introduced specific activation criteria during COVID-19 to help staff understand when they should use their BCPs.
During a disruption, departments may need to temporarily stop some services to focus on their prioritised services.
Most departments must deliver their prioritised services to ensure public safety or to meet their legislative obligations.
Data on prioritised services
Organisations use MTPDs to describe the timeframes that their key products and services can be unavailable for before they deem the impact unacceptable.
Departments told us that they were able to provide their prioritised services during the pandemic. However, only DET, DELWP, DJCS and DTF have a comprehensive list of prioritised services in an organisation-wide BIA or BCP. Further, no department comprehensively tracks disruptions at an organisational level against its listed maximum tolerable periods of disruption (MTPDs).
Departments relied on staff knowledge to identify instances where a disruption to their services was likely. They then used their crisis management processes to track and report on selected services. However, all departments did not do this for all of their prioritised services.
Following a disruption, departments assess their response through their post-incident review (PIR) process. Although COVID-19 is ongoing, DELWP, DJCS, DPC and DTF have conducted PIRs or wider reviews of their BCM.
An RTO is how quickly minimum levels of service and/or supporting functions and resources, such as systems and applications, must be recovered following a disruption. RTOs need to be shorter than MTPDs.
However, the incident reporting processes and PIRs we reviewed did not clearly list departments’ prioritised services, their recovery time objectives (RTOs), MTPDs, and if they met them.
Without detailed data on prioritised services, we looked at departments’ other performance measures. While all departments have key performance metrics for their Budget Paper No. 3: Service Delivery (BP3) measures, they do not have BP3 measures for all of their prioritised services. As a result, we could not determine if departments:
- had service disruptions that exceeded their MTPDs
- had reduced service levels (as indicated in some BP3 measures), or
- maintained services as normal.
We also surveyed business continuity staff at each department. The results of our survey indicate that despite departments’ assertions, there were respondents who reported that they were not able to restore all services within their MTPDs.
Transition to remote working
To reduce the impact of a disruption, BCPs need to cover a range of impacts, including when staff are not available or cannot work from their physical office location.
Departments did not foresee that a pandemic would result in such a widespread, immediate and long-term need to work remotely. Many departments had to onboard additional staff to support the emergency response or backfill roles. Departments also had to change the way they delivered many services.
DELWP, DHHS, DJCS, DJPR and DoT could not immediately transition their entire workforce to remote working due to inadequate planning in their BCPs, a lack of equipment (such as laptops or remote access), issues with technology, their size and their complexity.
All departments, except for DET, rely on Cenitex to access ICT services. Transitioning public servants to a largely work-from-home model put significant strain on Cenitex and the network. Cenitex service requests increased from 22 104 in February 2020 to 33 389 in March 2020. Departments also reported significant connectivity issues.
Cenitex's capacity to deliver at this scale was not tested prior to COVID-19.
Surge workforce issues
Key areas, such as health and law enforcement, needed additional staff to respond to the pandemic. This had a flow-on effect in other departments as staff were seconded to assist with the emergency response.
Only DELWP, DJCS and DHHS considered surge workforce issues in some of their BCPs. This meant that most departments had not adequately considered surge workforce issues for their business-as-usual services.
Further, there is no whole-of-government surge workforce policy that addresses workforce movements to fill internal vacancies during an extended disruption.
Recommendations about responding to a disruption
|We recommend that:||Response|
|Department of Justice and Community Safety, Department of Health and the Department of Families, Fairness and Housing||7. develop standalone pandemic plans (see sections 2.4 and 3.1)||Accepted by: DFFH and DJCS
Accepted in principle by: DH
|All departments||8. develop guidelines to ensure that when a significant business continuity event occurs, at a minimum, they report to their executive on:
||Accepted by: DELWP, DET, DFFH, DJCS, DJPR, DoT, DPC and DTF
Accepted in principle by: DH
|9. review their post-incident report templates to include a section that outlines their prioritised services, recovery time objectives, if their services were disrupted and if so, for how long (see Section 3.4).||Accepted by: DELWP, DET, DFFH, DJCS, DJPR, DoT, DPC and DTF
Accepted in principle by: DH
The Victorian Government delivers a wide range of services that are important to Victorians’ economic, financial and social wellbeing—from managing state finances to child protection, transport and criminal justice.
Disruptions to these services can have a significant negative impact on communities, businesses and industries. Effective business continuity strategies ensure that departments can respond quickly to disruptions and continue to deliver prioritised services to the community.
This chapter provides essential background information about:
All businesses, whether government or non-government, need to ensure that they can anticipate, prepare for, respond and adapt to change and sudden disruptions to continue their operations. This is known as organisational resilience. Business continuity is a key element of organisational resilience.
BCM is a management process that includes frameworks, planning and actions to ensure that departments can deliver prioritised services following a disruption. It is a continuous process that requires commitment from senior management and ongoing monitoring and reviews. Figure 1A outlines the BCM process.
FIGURE 1A: The BCM process
Source: VAGO, based on the ISO standard.
The ISO standard outlines what organisations should include in their BCM processes. While Standards Australia adopted the ISO standard in 2020, it is identical to the recognised international standard for BCM: ISO 22301:2019 Security and resilience—Business continuity management systems—Requirements (ISO 22301:2019).
Prior to COVID-19, the Standing Directions 2018 Under the Financial Management Act 1994 (Standing Directions) required agencies to align with the Australian standard on business continuity (AS/NZS 5050:2010 Business continuity—Managing disruption related risk) or an internationally recognised standard. The international standard for BCM prior to COVID-19 was ISO 22301:2019. All departments used this standard or its earlier 2012 version.
The response continuum
Business continuity, crisis management, emergency management and disaster recovery are interrelated and exist along a continuum to return an agency to a normal (or ‘new normal’) operating level after a disruption. Figure 1B shows this response continuum.
FIGURE 1B: The response continuum
Source: VAGO, based on publicly available information and sources, including the Business Continuity Institute.
The incident determines what plans are activated, as Figure 1C shows.
FIGURE 1C: Different types of response plans
Source: VAGO, based on publicly available information, including the ISO standard and the Business Continuity Institute.
This audit looked at business continuity, or departments’ internal responses and ability to continue delivering their prioritised services. We did not assess their emergency response to the pandemic.
The World Health Organization (WHO) officially declared COVID-19 a pandemic on 11 March 2020. COVID-19 has caused a disruption of duration, complexity and impact that most people have not seen in their lives.
Influenza pandemics have historically occurred every 10 to 50 years, caused high rates of illness and death and resulted in severe social and economic disruption.
Various government bodies, such as Emergency Management Victoria, DJCS, DJPR and DHHS, have been (and still are) responsible for managing various aspects of the state’s emergency response to the pandemic, including quarantine, business grants and the health response.
Departments continue to respond to the challenges of COVID-19, which has been the first novel coronavirus pandemic in Australia. This has meant that departments have needed to adapt depending on health advice, changing virus transmission and government policy decisions.
The pandemic has reshaped how many organisations, including the VPS, work. Tens of thousands of VPS employees transitioned to remote working in March 2020.
Figure 1D presents a timeline of relevant events relating to the COVID-19 pandemic in Victoria.
FIGURE 1D: Timeline of relevant events
Source: VAGO, based on publicly available information.
Legislation requires departments to plan for disruptions. The Standing Directions requires each department to:
- have business continuity planning processes that are consistent with the latest Australian standard on business continuity (this is the ISO standard)
- ensure that it reviews and tests its business continuity processes on a regular basis (at least every two years)
- annually assess its compliance with the business continuity requirements in the Instructions supporting the Standing Directions 2018 under the Financial Management Act 1994 (Standing Directions Instructions) and report any compliance deficiencies to DTF.
The business continuity requirements in the Standing Directions Instructions are issued under the Financial Management Act 1994. As a result, DTF’s focus is primarily on business continuity matters in the context of financial risk management.
All departments had incident or crisis management processes and BCPs in place both prior to and during COVID-19.
Machinery-of-government changes
In February 2021, DHHS became two new departments—DH and DFFH. We use ‘DHHS’ in this report except for in the recommendations and when we refer to actions that the new departments have taken since February 2021.
DoT and DJPR also had machinery-of-government changes that affected their business continuity processes. On 1 January 2019, the Victorian Government split the Department of Economic Development, Jobs, Transport and Resources (DEDJTR) into two departments—DoT and DJPR. On 1 July 2019, the government also merged Public Transport Victoria and VicRoads into DoT. DoT announced its final structure on 25 November 2019, which took effect from 9 December 2019.
Cenitex delivers a range of essential ICT services to departments and other agencies, such as network services, security and hosting, professional services, workplace computing, service management and cloud services. Cenitex’s ability to provide key ICT services during a disruption is an important element of business continuity in the VPS.
All departments, except for DET, rely on Cenitex for ICT.
We looked at how Cenitex managed remote service delivery for departments but did not review its business continuity arrangements.
Other decision-making and business continuity groups
In response to the pandemic, the Victorian Government established the Crisis Council of Cabinet in April 2020 as the core decision-making forum for all COVID-19-related matters. New VPS missions supported the Crisis Council of Cabinet to help the state respond to and recover from the pandemic.
There are also several information-sharing groups that relate to business continuity. We outline these groups in Figure 1E.
FIGURE 1E: Relevant information-sharing groups
2015 to date²
BCM—Multi-Agency Forum
2015 to 2019 and November 2020² to date
To share BCM approaches, foster collaboration and build organisational resilience between Victorian Government emergency services and related departments
Public Sector Administration Committee (PSAC)
Deputy secretaries from:
Integrity and Corporate Reform Subcommittee (ICRS)
2016 to April 2020
Note: ¹ Cenitex is not included in any of these groups.
Note: ² Meetings were put on hold in 2020 when the government established several other bodies to coordinate its response to COVID-19.
Source: VAGO, based on committee meeting minutes and departmental documentation.
In addition to these groups, some departments also set up their own interdepartmental working groups. For example, DJCS, DHHS, DJPR and DELWP had business continuity working groups to share ideas and help them work through issues as they occurred.
Each department develops its own list of the prioritised services it needs to deliver. Failure to deliver these services is likely to cause significant damage to the department or its reputation.
In 2017, DPC commissioned a project on behalf of GSRN to consider services from a whole-of-government perspective. The project aimed to:
- strengthen the Victorian Government's resilience
- define and identify 'mission critical' departmental services
- identify services that would be critical to the Victorian community during a major emergency or disaster
- enhance the government’s ability to maintain these services during a sustained disruption.
As a result of this project, DPC identified 28 whole-of-government prioritised services, including 20 community-facing services and eight within-government support services. As Figure 1F shows, these services centre around four key themes.
FIGURE 1F: Key themes for whole-of-government prioritised services
|Theme||Examples of prioritised services|
Managing a major emergency or disruption
Maintaining public safety and security during a major emergency or disruption
Providing critical community services
Critical within-government support services
Source: VAGO, based on GSRN's 'Identification of whole-of-community critical services delivered by Victorian Government departments’ report.
The VPS was not adequately prepared for the COVID-19 pandemic.
The VPS had limited central oversight and leadership on business continuity. This meant that it was not able to harness lessons learnt across all departments, and departments did not have a clear understanding of whole-of-government business continuity priorities in a large-scale disruption.
Departments had various business continuity policies, procedures, plans and structures in place. However, not all BCPs and BIAs aligned with key elements of the ISO standard and were suitable for dealing with a complex and long-term disruption. This reduced their effectiveness during the disruption.
This chapter discusses:
Since at least 2018, the Risk IDC has continued to note in its risk scans that a statewide emergency (such as a natural disaster, pandemic, or health crisis) is a state-significant risk. Further, in 2019, it assessed that this risk would be of ‘severe consequence’ and was ‘likely to occur’.
Various controls and mitigation strategies have been in place to minimise the impact of such a disruption. They focus on the state's emergency response and include:
- initiatives on emergency warnings, responding and monitoring
- developing the National Disaster Risk Reduction Framework and the State Emergency Management Plan
- multi-agency emergency management exercises to test their preparedness, response, and recovery processes.
The mitigation strategies also involve:
- Emergency Management Victoria working with departments to develop surge workforce capacity to respond to an emergency
- planning for the Victorian Preparedness Goal across all departments, which is a long-term project to:
  - identify the key capabilities that departments require in an emergency
  - improve staff training and skills to help departments’ response.
No department or agency is responsible for leading or delivering multi-agency exercises that specifically include business continuity. Each department is responsible for exercising and testing its own individual plans, which limits its understanding of how plans and departments interact in a large-scale disruption.
Victoria has structures for whole-of-government emergency management and coordination but not for business continuity. There is also no lead department to drive best practice for the whole sector or ensure that lessons learnt from earlier disruptions are captured and shared.
However, there is some inter-agency collaboration on business continuity. As Figure 1E shows, this includes GSRN, the BCM—Multi-Agency Forum, ICRS (pre-April 2020) and PSAC (post-April 2020). Agencies use these forums to share lessons learnt and suggest improvements but there is no responsibility for tracking and implementing improvements.
Understanding whole-of-government services
In addition to central coordination, it is also important that the government understands and identifies the most important services that different departments deliver.
This helps the government decide and prioritise its resources and actions during a disruption. It also helps departments prepare for a statewide emergency.
On behalf of GSRN, DPC commissioned a project in 2017 to define and identify whole-of-community critical services across the sector. We outline these services in Section 1.4.
GSRN highlighted the importance of this work and stated that:
‘Whilst all departments have lengthy lists of critical functions identified through 'bottom-up' business continuity processes, these lists do not necessarily reflect a strategic, whole-of-department top-down agreement as to the importance of the continuity of the services that these functions underpin’.
GSRN recommended that the government completes further work to address:
- staff redeployment in an emergency
- departments' dependencies and interdependencies, such as their relationships with other departments and third-party suppliers
- emergency management and cyber attacks.
In June 2018, ICRS approved an implementation strategy and paper on GSRN's report. It recommended that each department review its whole-of-community critical services to manage identified vulnerabilities, including:
- loss of specialist staff
- staffing resources for a prolonged emergency
- loss of access to ICT (departments noted dependencies, such as licences or specific ICT systems)
- poor communication between departments.
Departments introduced a number of strategies to address these issues, such as new ICT solutions. However, we found that weaknesses still exist, such as surge resourcing and access to technology. We discuss these issues in Chapter 3.
Following a request from ICRS, DPC sought information on departments’ preparedness and received departments’ completed reviews in 2019 and January 2020. Some examples of vulnerabilities identified in these reviews include:
- departments' heavy reliance on third-party suppliers, such as Cenitex
- the need to redeploy staff to support service delivery during a major emergency.
DPC advised us that there was some whole-of-government COVID-19 coordination through ICRS, and later PSAC. However, it did not provide advice to departments on the vulnerabilities identified. This was a missed opportunity to improve whole-of-government preparedness.
Whole-of-government training and exercising
The ISO standard requires departments to undertake exercising because it is an important part of preparing for disruptions.
In October 2018, the then DEDJTR and DHHS led a multi-agency exercise on behalf of GSRN. This was known as Exercise Petunia and was based on a major influenza pandemic scenario. Its purpose was to understand:
- state arrangements and responses during and after a pandemic
- interdependencies and communications between the government during a complex event.
Exercise Petunia identified that …
which means that departments should have …
reviewed their BCPs to address these issues
these issues still remained in March 2020.
The VPS has since taken steps to address them during COVID-19.
remote working would increase ICT demand
done more planning and testing of ICT dependencies
departments need to assess the impact of potential disruptions to inform their planning
introduced a process to collect and analyse data on their prioritised services
it is important for departments to have established protocols for coordinating and communicating with each other
improved their coordination and communication
Exercise Petunia also identified that departments need to consider surge resourcing during a disruption. It observed that:
‘There will likely be a need for surge capacity during the recovery phase in order to address the backlog of works/activity resulting from the prolonged reduction in business as usual’.
While departments’ surge resourcing considerations focus on emergency response roles, there is also a need for surge capacity to backfill business-as-usual roles. This has been challenging for the VPS during COVID-19. We look at surge capacity issues further in Chapter 3.
Each department is responsible for having BCM systems and processes that align with the ISO standard to prepare them for a disruption. The rest of this chapter discusses departments’ business continuity governance, BIAs and BCPs prior to the COVID-19 pandemic. It also discusses how departments validate and improve their BCM.
Effective BCM requires leadership and commitment from senior management and proper resourcing, reporting and monitoring. Departments detail these governance arrangements in their business continuity policies and procedures.
Policies and procedures
A business continuity policy is a key document that outlines the purpose, context, scope and governance of an organisation’s BCM program.
Prior to COVID-19, all departments had business continuity policies and procedures that outlined BCM roles, responsibilities and governance. While these mostly aligned with the ISO standard, we found gaps in all departments’ policies and procedures except for DET’s.
For example …
DJCS, DHHS, DJPR, DoT, DPC and DTF
policies and procedures that could be improved by including more detailed objectives and scope
would allow for greater understanding of their BCM programs’ expected outcomes.
DELWP, DJPR, DoT and DTF
poor documentation of approvals and version control in key BCM documents
increased the likelihood that they would refer to outdated or incorrect information.
not reviewed its policies and procedures in the two years prior to COVID-19 (but had a project underway to do this)
meant that its policies and procedures were also not consistent with the Standing Directions.
We also found that DJPR, DPC and DTF had policies and procedures that contained duplicated or overlapping information. This meant the documents were less effective and contained outdated, confusing or incorrect information.
Accountability and reporting structures
Prior to COVID-19, all departments outlined BCM accountabilities for senior staff in their policies, procedures and/or plans. We found that DET demonstrated strong commitment to its BCM by providing regular BCM staff-wide communications and endorsing specific training programs and modules to uplift its BCM capability, which is in line with the ISO standard. However, the secretaries of DJCS, DoT and DTF did not articulate a clear commitment to BCM in their policies and procedures.
We also found that:
- as at January 2022, DPC and DH do not have dedicated business continuity resources
- DJPR did not set up its BCM function until late 2019 due to changes within its organisation.
Business continuity and risk management training doesn't occur in most departments. This includes training for executives in managing and responding to incidents as part of an incident response leadership team.
This reduces their ability to focus on business continuity issues.
Regularly reporting business continuity matters ensures that a department understands its readiness for a disruption and has recovery strategies in place that reflect its current operations. Departments report on their BCM program to their audit and risk management committee via their annual attestation under the Standing Directions and more frequently during large-scale disruptions.
The ISO standard requires that all staff who are involved in BCM have the appropriate level of training and experience. However, we found that prior to COVID-19, only DELWP, DET and DJCS had a dedicated BCM training program.
A business continuity qualification includes a professional certification, such as from a bachelor degree or postgraduate degree, that specifically covers BCM.
We surveyed departments’ business continuity staff in August 2021 and asked them about their understanding and experience of BCM both prior to COVID-19 and at the date of the survey. Our survey results showed that prior to COVID-19:
- 13 per cent of respondents did not have any BCP experience
- 55 per cent of respondents experienced informal on-the-job training
- the remaining respondents reported that they received uncertified internal or external training (24 per cent) or had a business continuity qualification (8 per cent).
Most staff (64 per cent) indicated that they did not have any formal training at all or the training they received was after March 2020. Despite this, most staff reported that they understood their role in BCM.
However, 20 per cent of staff did not know where to find their BCPs and 24 per cent did not know where to find their BCM policy prior to COVID-19, as Figure 2A shows.
FIGURE 2A: Survey responses on staff BCM knowledge
Note: We received 194 responses to these questions.
Source: VAGO survey.
Departments need to clearly understand the activities and processes they deliver and how a disruption might affect them. A BIA is a key element of this.
Assessing prioritised services
The ISO standard requires departments to undertake BIAs at planned intervals or when their organisation significantly changes. However, three departments could not demonstrate that they did this prior to COVID-19:
- DPC had not undertaken any BIAs since 2016.
- DoT and DJPR (as DEDJTR) undertook BIAs in 2018. However, they did not undertake BIAs in 2019 after significant machinery of government changes that year. DoT stated that this is because it did not finalise its structure until December 2019.
This increases the risk that these departments did not have all of their services or mitigation strategies in their BCPs.
It is also important that departments conduct and drive BIAs, not individual business units. As GSRN’s guide ‘Key Success Factors in business continuity management (2015)’ says:
‘It is often difficult for managers to objectively determine the criticality of their own business processes in terms of supporting the agreed key services. The tendency is for individuals to consider their process as more critical than it actually is, thus requiring significantly more investment in either interim workarounds or speedy function resumption than is necessary or desirable on a cost-benefit basis’.
Undertaking BIAs at a business unit level can lead to unrealistic RTO and MTPD timeframes. It also makes prioritising services in complex scenarios more difficult.
We found that DET, DELWP and DJCS had assessed their services from a whole-of-organisation view and had organisation-wide BIAs prior to COVID-19. However, only DET had evidence of both executive approval for its organisation-wide BIA and BIAs that met the ISO standard.
We also found common gaps in departments’ BIAs, which we detail in Appendix D.
For example …
DHHS, DJCS, DJPR*, DoT* and DPC
not conducted BIAs for all of the business units/divisions that were within their BCM program’s scope
creates a risk that they had not captured and accounted for all of their prioritised services in their BCPs at an operational level.
not identified their prioritised services’ minimum resource requirements and internal and external interdependencies
could reduce their understanding of the resources, processes and suppliers they need to maintain and restore their prioritised services
reviewed its services and minimum resource requirements, which it documented in its BCP, but had no evidence of any formalised BIAs
means it has not demonstrated that it has assessed the impact a disruption would have on its services over time.
Note: *DJPR and DoT had significant machinery of government changes in January 2019. As a result, both departments had not updated their BIAs prior to COVID-19 (March 2020).
Departments should use the information they gather through BIAs to design solutions to help them respond to disruptions. Departments document these solutions in their BCPs, which can be strategic or operational.
A pandemic plan is a specific type of response plan that helps an organisation to respond to the unique challenges of a pandemic. As departments are large and complex, it is good to have a pandemic plan as well as strategic and operational BCPs. BCP triggers should direct departments to activate their pandemic plan if necessary.
A department’s ability to understand its strategic priorities is particularly important during complex disruptions that affect multiple units or agencies. This helps the department focus its resources on its core objectives. The ISO standard does not specifically require organisations to have an organisation-wide BCP but it states that they must have plans that are appropriate to their scale and size.
While all departments had BCPs at a business group or divisional level prior to COVID-19:
- DHHS, DJCS, DJPR, DoT and DTF did not have a specific influenza pandemic response plan (as recommended by the Victorian action plan for influenza pandemic) to manage pandemic-related risks, such as losing staff, disruptions to service delivery and social distancing requirements due to capacity limits. In particular:
  - DHHS did not have a pandemic plan for its department (despite coordinating the development of the Victorian action plan for influenza pandemic)
  - DJCS incorporated pandemic strategies into its BCPs
  - DJPR and DoT had not approved a new pandemic plan since their machinery of government changes
- only DELWP, DET and DTF had an organisation-wide BCP that included a consolidated view of their overall prioritised services to ensure they had considered them and had appropriate response strategies. This is helpful due to the scale and variety of BCPs and prioritised services within departments.
Complexity and focus
According to the Business Continuity Institute’s Good Practice Guidelines 2018 Edition, BCPs should be focused, concise, specific and easy to use because organisations rely on them in high-pressure, time-limited situations. We found that:
- except for DJCS and DJPR, departments have overly complex and/or inconsistent BCPs. Many BCPs include information that is already in their BCM procedures, frameworks and/or policies
- DTF has a BCP summary in a one-page format, which makes it easy for staff to quickly understand their key actions and responsibilities in a disruption. This is good practice, but only a small number of its group BCPs are in this format.
Further, all departments’ BCPs focused on short-term or localised disruptions, which is a common business continuity practice. While short-term disruptions can be complex in themselves, it is also important to have flexible and living BCPs and strategies to address disruptions that affect the whole department, multiple departments or the sector over a long period of time. This is supported by Exercise Petunia in 2018, which found that departments needed to plan for more sustained disruptions and coordination across all sectors. The Business Continuity Institute's Good Practice Guidelines 2018 Edition also suggests that agencies should devise short-, medium- and long-term strategies depending on the type of crisis.
DELWP acknowledged the importance of planning for a complex, long-term disruption following a significant fire in one of its buildings in 2018. It established its Critical Incident Management Framework in 2015 and updated it in 2019 following the fire. This framework provides integrated guidance on emergency management, business continuity, disaster recovery and crisis management.
Assessing BCPs against the ISO standard
Prior to COVID-19, only DET had BCPs that were all up to date and aligned with the ISO standard. This is still the case. Common gaps, which we provide more detail on in Appendix D, include:
|BCPs that …||As a result …|
|are not reviewed or updated on a regular basis.||departments had limited assurance that their BCPs captured all of their services and current practices.|
|lack or had unclear activation criteria.||staff did not have a good understanding of when they should activate a BCP, which can lead to departments inconsistently activating them.|
|have inadequate recovery strategies.||there could be delays or additional work that departments need to do to restore their normal business operations.|
|have limited detail on their scope, purpose, objectives or dependencies.|||
Despite Exercise Petunia’s observations before the pandemic, departments still do not have BCPs that prioritise all of their essential services and assess the scalability of their services.
Validation involves ensuring that a department has effective BCPs and a BCM program that meets its policy objectives. It includes exercising, maintenance and review activities.
As highlighted by the ISO standard, departments should validate their BCM arrangements on a regular basis to ensure they are suitable and effective to use during a disruption. During this process a department should:
- review its BCM arrangements, including policies, plans and procedures
- conduct exercises to train for, test, assess, practise and improve its business continuity performance
- conduct internal and external audits of its BCM
- complete PIRs.
Departments use many different types of exercises to test and validate their BCM performance. These exercises range from simple discussion-based desktop exercises to familiarise staff with their BCPs to live, complex, full-scale exercises where a department activates a BCP.
Despite its importance, only DET and DJCS had a clear program for exercising, validating and tracking recommendations for their entire BCM program prior to COVID-19. Appendix D contains further details about this.
Further, departments often limit their testing to desktop exercises. While desktop exercises can increase BCP teams’ awareness, they often only evaluate broad principles and may not provide a true indication of how effective a department’s BCP response will be in an actual event.
Internal and external audits and reviews
Internal and external audits and reviews can help departments assess the effectiveness and practicality of their business continuity processes. Audit findings allow departments to identify weaknesses in their BCM programs and develop action plans to uplift their capability.
However, only DET, DHHS, DJPR, DoT and DTF had conducted audits or reviews of their BCM program in the two years prior to COVID-19.
Real-life disruptions give valuable insights on how effective a department’s response to an incident was. A department should complete a PIR following a disruption to harness learning opportunities by both reinforcing strengths in its business continuity processes and identifying any gaps. Departments can also use recent disruptions as an alternative to undertaking an exercise for a similar type of event.
DET, DELWP, DHHS, DJCS and DPC completed PIRs for disruptions that occurred prior to COVID-19. These PIRs related to sustained power ICT outages, water disruptions and electrical faults. We discuss post-COVID-19 PIRs in Section 3.5.
Exercising, internal and external audits and PIRs are valuable because they help departments continuously improve their BCM capabilities. This has helped some departments address issues prior to COVID-19 and uplift their readiness to respond to the pandemic by:
- confirming that business continuity staff contacts are up to date and staff are familiar with their roles and responsibilities
- improving staff awareness and knowledge of business continuity
- identifying and implementing process improvements
- optimising communication during a disruption.
Figure 2B provides an example of how DELWP learnt from a past disruption to improve its BCM capabilities prior to COVID-19.
FIGURE 2B: Case study: Learning from prior disruptions
In 2018, DELWP experienced a fire at its 8 Nicholson Street building. This resulted in a significant extended disruption where approximately 1 500 staff had to relocate, some for up to eight months.
DELWP responded by activating its critical incident management team. The team’s responsibilities included leading and coordinating the department’s response, communications, reporting and business continuity.
This helped DELWP respond by:
- facilitating communications to all staff through multiple channels, for example, twice-daily critical incident briefings and weekly progress reports
- assisting in relocating staff to alternative work sites
- rolling out more than 500 new devices for remote working.
As staff could not work onsite, the disruption also resulted in a significant uptake of digital technologies and helped DELWP show the benefit of flexible working arrangements.
The disruption also highlighted issues with DELWP’s BCM, including:
- communication issues
- limited training for BCM staff
- its list of prioritised business functions was outdated.
DELWP addressed these issues to improve its BCM and critical incident management system prior to COVID-19.
Source: VAGO, based on information from DELWP.
Departments responded quickly and flexibly to COVID-19 and continue to do so. Departments’ BCM processes, structures and strategies have helped them quickly set up teams, make decisions and communicate to staff.
However, departments were not sufficiently prepared for a complex disruption. This meant they had to invest resources into developing documents, streamlining processes, upgrading technology and transitioning to remote working during the early stages of the pandemic.
While departments report that they continued to operate their prioritised services within their business continuity timeframes, a lack of sufficient data means that departments have limited assurance that they were able to do so.
This chapter discusses:
While various bodies were responsible for managing aspects of the state’s emergency response to COVID-19, there was limited whole-of-government focus on business as usual services.
As there was no lead business continuity agency prior to COVID-19, DPC took on this role. However, as it is not one of DPC’s permanent functions, it has been limited to key aspects of the pandemic response, including:
- supporting the VPS missions
- reviewing departments’ BCPs and pandemic plans
- developing and managing whole-of-VPS communications
- helping the VPS transition to remote working.
Supporting the VPS missions
DPC established a specific unit to oversee the VPS missions’ work programs. It also chaired PSAC, which met weekly in the early stages of the pandemic. Meeting minutes suggested that these meetings:
- considered whole-of-government issues, such as staff wellbeing and remote working
- discussed COVID-19 initiatives underway, such as health advice and post-pandemic work reforms.
Reviewing BCPs and pandemic plans
In March 2020, DPC reviewed departments’ BCPs and pandemic plans to ensure they were prepared to manage the risk of service disruptions.
DPC found that departments needed to undertake further work on their plans and it developed a list of issues for them to address. However, DPC advised us that it has not monitored if departments have successfully addressed these issues because this is outside its role. This is a missed opportunity to improve departments’ preparedness for service disruptions.
We reviewed departments’ BCPs and pandemic plans and assessed them against key issues (including those that DPC identified). In March 2020, DJPR, DoT and DTF finalised their pandemic plans and DELWP, DET and DPC updated theirs. However, DJCS, DH and DFFH still do not have a standalone pandemic plan.
We also found that the remaining departments addressed some (but not all) of DPC’s improvement suggestions. For example:
|DPC suggested that departments’ pandemic plans should clearly outline …||We found that …||which means that …|
|the prioritised services they need to deliver during a sustained disruption.||DoT and DJPR’s pandemic plans do not outline their prioritised services||they do not have a clear understanding of which services they need to prioritise and how to do this.|
|the key resources, such as staff, that they require to deliver services at different stages of a pandemic.||DoT, DJPR and DPC’s plans do not outline their minimum resource requirements||their service delivery could be affected due to insufficient staff or ICT access.|
|social distancing measures and how they can practically apply them.||all departments include guidance in their pandemic plans or COVID safe plans on how to implement social distancing measures||they have a clear process to implement social distancing measures, which decreases the risk of delays and staff falling ill.|
|how they will make and communicate decisions.||all departments have outlined communication strategies but the detail of these varies|||
DPC coordinated whole-of-government COVID-19 communications, including information to share across the VPS. However, prior to COVID-19 there was no written guidance on how departments should:
- communicate or escalate whole-of-government issues
- access or share resources within the VPS to deal with surge resourcing issues
- prioritise services at a whole-of-government level.
Several departments told us that there were initial delays and confusion about communicating whole-of-government issues. This included issues around the requirement to work from home, whether staff could take office equipment home and communicating to staff about a positive COVID-19 case.
Our business was maintained through the commitment, knowledge and skills of staff combined with hard work and long hours. The department's business continuity provided very little guidance or support during this time.—Survey respondent
Departments used their BCM arrangements during COVID-19 to varying degrees:
- All used their incident response structures, except for DoT, which developed a specific COVID-19 task force.
- Some activated their BCPs.
- Most developed specific COVID-19 guidance or amended their pandemic plans to assist them early in the pandemic.
As discussed in Chapter 2, departments’ BCPs were not designed for a complex long-term disruption, so departments heavily relied on their incident response structures and staff flexibility during this time.
Incident response structures
Incident response structures help a department to clearly understand who is responsible during a disruption and how it should make decisions.
These structures, which include senior leadership and operational staff, have allowed departments to make decisions quickly during the pandemic. All departments used BCM incident management teams to respond to COVID-19, except DoT, which developed a specific COVID-19 task force, and DELWP, which used its critical incident management team. All departments’ incident management teams:
- meet regularly
- involve key and senior stakeholders
- have enabled whole-of-department coordination and communication.
Minutes from these meetings show that departments have made many complex decisions during COVID-19. Departments have used these meetings to consider their response, reassess their prioritised services and respond to changing health advice.
While incident response structures are an essential part of departments’ COVID-19 response, they have some limitations. For example, they:
- centralise decision-making, which resulted in some delays at a local level. For example, regional DELWP staff waited nearly six hours for its central office to authorise and issue communications about a suspected COVID-19 case
- may rely on advice from other government departments, such as the whole-of-government position on workforce or health issues.
A department’s decision to activate its BCPs is discretionary. While BCPs list factors that staff should consider when making activation decisions, these are broad. For example, BCPs often require a department to assess the impact of a disruption and if it is likely to affect its prioritised services or damage its reputation.
While all departments activated their crisis or incident management teams, they did not all activate their BCPs consistently. For example:
none of its BCPs
none of its BCPs
it managed its response through its incident management team.
its critical incident management plan. It also activated its group BCPs on a case-by-case basis
it uses its critical incident management plan to address complex disruptions and only activated individual plans when localised disruptions occurred.
its group BCPs on a case-by-case basis
most units were able to continue business-as-usual services and it only activated BCPs in individual cases when a disruption to the business unit occurred.
DHHS, DJCS, DPC and DTF
all of their BCPs
they assessed it was necessary after considering the potential impact of the disruption.
DELWP and DET had specific activation criteria to help staff understand when they should use their BCPs during the pandemic. For example, a business unit should activate its BCP if it experiences staff absenteeism of between 25 and 30 per cent.
DHHS and DJCS also considered specific mitigation strategies during staff absences of 10, 25 and 40 per cent. This is good practice because it helps business units clearly understand when they should activate their BCPs. However, most departments have not had significant levels of staff absenteeism from COVID-19.
Everyone was asked to do too much and burn out is a significant issue across the department in 2021 as a result.—Survey respondent
During the pandemic, the VPS workforce had to quickly adapt to non-traditional workplace arrangements and handle surge resourcing requirements. Departments’ ability to effectively respond to these changing conditions helped them to continue delivering services in a new working environment.
While departments had BCPs, they did not have strategies to prepare them for remote working and surge capacity during a long-term disruption. There also was no whole-of-government policy for staff redeployment for continuity of government services. This meant that departments responded reactively to COVID-19 and devoted their resources to developing new remote working processes and addressing surge capacity issues.
Remote working was crucial to departments’ pandemic responses. It helped them to continue delivering services when social distancing measures were introduced.
While some services cannot be delivered remotely, such as prison services or emergency child protection, all departments were able to transition most of their workforce to a remote working environment. This took a significant amount of time and investment.
DELWP, DHHS, DJCS, DJPR and DoT could not immediately transition their entire workforce to a remote working environment due to their lack of preparedness, technology limitations, size and complexity. This meant that these departments had to do extra work to increase their remote working capabilities.
Departments’ technology capabilities varied, with some departments being more prepared to transition staff to a remote working environment than others. Prior to COVID-19, DET, DPC and DTF had equipped most or all of their workforce with laptops and remote access, which assisted their remote working transition.
On the other hand, DELWP, DHHS, DJCS, DJPR and DoT had to source and allocate more equipment for their staff when there were global supply issues for ICT equipment. Figure 3A outlines some of the ICT-related challenges that DHHS experienced at the start of the pandemic.
FIGURE 3A: Case study: ICT challenges during DHHS’s transition to remote working
In response to the government’s work from home direction, DHHS conducted a survey in March 2020 to assess how prepared its staff were to work remotely.
As the table below shows, not all DHHS staff had access to essential equipment to transition to a remote working environment at the start of the pandemic.
|Did staff have access to …||Yes (per cent)||No (per cent)||Other* (per cent)|
|Remote working licences||77||14||9|
As a result, DHHS introduced temporary arrangements that required staff without work laptops and phones to use their personal devices. However, 204 staff (6 per cent) reported that they did not have access to either a work laptop or a home computer with internet.
DHHS’s lack of prior preparation and investment in technology meant that it had to allocate resources to help staff transition to remote working at the start of the pandemic.
To do this, DHHS introduced rapid change during a challenging time. For example, in late April 2020, DHHS introduced new ICT platforms to allow frontline staff and child protection staff to deliver some of their services from home. DHHS reported that it took six weeks to transition 90 per cent of its staff to remote working.
Despite its challenges, DHHS used this major disruption as an opportunity for improvement. It fast-tracked several ICT projects to improve its staff’s remote working experience and allow teams to stay connected and productive.
Note: *Other includes staff who did not respond to the equipment survey at the time.
Source: VAGO, based on information from DHHS.
The Victorian Government’s March 2020 work from home direction required departments to immediately transition their workforce to remote working.
As Figure 3B shows, this urgent directive put stress on Cenitex and the network.
Go Connect licences allow users to work remotely by providing a secure connection from a computer or laptop to the internal corporate network.
FIGURE 3B: Number of Go Connect licences purchased by departments from Cenitex between December 2019 and June 2020.
Source: VAGO, based on Cenitex data.
ICT disaster recovery is the process of recovering systems after a major disruption.
Cenitex service requests also increased from 22 104 in February 2020 to 33 389 in March 2020, with a corresponding increase in average Cenitex handling times from 7 minutes 33 seconds in February 2020 to 13 minutes 37 seconds in April 2020.
Cenitex's capacity to deliver at this scale was not tested prior to COVID-19. Further, while departments can engage with Cenitex for disaster recovery design, only DJCS uses this service.
Any business continuity plan, no matter how rigorous and well thought out, will inevitably fail if you do not properly resource teams. Critical services remained available, not through good policy and process, but through the sheer willpower of staff...—Survey respondent
Prior to March 2020, Cenitex was improving its outdated remote working technology to service departments. At the time, departments’ demand for Go Connect licences was low, which caused scalability issues at the start of the pandemic. Departments that use Cenitex experienced connectivity issues at the start of the pandemic due to the overwhelming demand.
Cenitex brought forward its new technology to address these connectivity issues. Departments and Cenitex also introduced workarounds, such as advising staff to log off when not using the system and to stagger their use.
It took Cenitex at least four weeks after the Victorian Government’s work from home direction to stabilise its services and enable most public servants to work remotely.
There is currently no whole-of-government strategy on how departments can re-prioritise VPS resources in response to a large-scale disruption.
Prior to COVID-19, only DELWP, DJCS and DHHS had strategies in some of their BCPs to manage surge resources. However, this was limited to emergency management. For example, DELWP addresses its need for surge resources in its emergency management activities by training staff in other divisions to deliver emergency management roles.
In July 2019, DPC launched the Jobs and Skills Exchange to make it easier for departments and staff to find internal candidates and opportunities within the VPS. The Jobs and Skills Exchange had been operational for nine months when the pandemic occurred.
Redirecting staff to emergency roles can affect other work within the department. DELWP recognised this during the 2020 bushfires and considered whole of department resourcing and strategies to address and monitor this.
Jobs and Skills Exchange
In May 2020, the Jobs and Skills Exchange launched a ‘COVID-19 mobilisation’ program. This promoted departmental 'surge opportunities' for staff from sector agencies who were out of work due to the lockdowns. The program provided candidates from impacted agencies, for example Arts Centre Melbourne, with the opportunity to be placed into surge-related roles in departments.
The program attracted approximately 2 000 applicants. However, only 134 applicants (less than 7 per cent) successfully gained job placements in another department or government agency. This is mostly because there was a mismatch in the skills needed to fill vacant surge positions.
COVID restrictions on attending the workplace (ours and suppliers) meant that some work was disrupted for several weeks.—Survey respondent
Departments also used the Jobs and Skills Exchange to advertise secondment opportunities and backfill roles. However, departments do not have to indicate whether advertised positions are vacancies due to COVID-19, surge capacity related or business as usual roles, which limits the ability to assess the program's effectiveness.
During a disruption, an organisation may need to temporarily suspend some of its services to allow it to focus on its prioritised services. This is an important part of the business continuity process.
Critical services were able to be maintained with acceptable service decreases, [but] availability of remote working technology contributed to some delays.—Survey respondent
All departments reported that their prioritised services did not exceed their listed MTPDs. However, departments cannot substantiate this claim because they have limited data on their prioritised services, particularly at a whole-of-department level and against their MTPDs.
Staff views of COVID-19’s impact
Our survey asked departments’ business continuity staff if COVID-19 disrupted their prioritised services between March 2020 and March 2021. Nearly 60 per cent of respondents reported that there was no disruption to services due to COVID-19.
Of those that did experience a disruption, 43 per cent said they were not able to restore some or all of their services within their MTPDs, which Figure 3C shows.
FIGURE 3C: Staff survey responses on restoring services
Note: We received 68 responses to this question. The maximum margin of error for this question is plus or minus 11.8 per cent at the 95 per cent confidence interval.
Source: VAGO survey.
Reporting on disruptions
Most departments rely on ad hoc reporting and PIRs after a disruption to understand the impact it had on their services. They also use incident management processes to report on the ongoing impacts of a disruption.
For example, DHHS provided regular reports to its executive staff on prioritised services during COVID-19, such as child protection. This reporting covered case loads and backlogs to help outline ongoing risks.
However, departments’ reporting through these processes is often qualitative and focused on specific services. No department systematically reports against its business continuity RTOs or MTPDs. As a result, departments are unable to determine how effective their BCM arrangements are in maintaining their prioritised services.
Quality of services during COVID-19
Business continuity focuses on ensuring that services are up and running within minimum timeframes after a disruption. It does not consider if a disruption has impacted the quality of a service.
Departments faced many service delivery challenges during COVID-19. These challenges, which departments have highlighted in their annual reports, caused a drop in VPS-wide performance in the 2019–20 and 2020–21 BP3s, which Figure 3D shows.
FIGURE 3D: BP3 performance over time for all departments
Note: This chart presents an aggregate of all the BP3 measures that departments met in each financial year.
Source: VAGO, based on BP3 data.
Customer-facing services had a higher risk of being impacted by COVID-19 due to social distancing measures. Figure 3E provides an example of how COVID-19 impacted VicRoads’ registration and licensing division.
FIGURE 3E: Case study: COVID-19’s impact on driving tests
While VicRoads had a plan to transition more services to its existing digital platform (myVicRoads), approximately a quarter of its services were still paper-based or required an in-person interaction in March 2020. This included services such as in-vehicle driving tests, online learner permit tests and online hazard perception tests.
In response to the pandemic, VicRoads activated its business continuity arrangements and its incident management plan. It also developed a dedicated COVID-19 registration and licensing task force on 17 March 2020. The task force met weekly and continually assessed which transactions it should cease, move to digital channels or move to other modes of delivery.
VicRoads ceased in-person transactions, such as driving tests and assessments, during stage four COVID-19 restrictions. However, it introduced a hardship/compassionate grounds exemption for driving tests from 6 April 2020 for essential workers, carers and people facing domestic violence. It delivered this service, which had limited eligibility criteria, across four sites in Victoria.
To maintain its business continuity, VicRoads considered alternative ways to deliver its registration and licensing services. It prioritised online learner permit and hazard perception tests because there was a backlog of approximately 395 000 suspended services that included driving tests, hazard perception tests, learner permit tests, medical review driving tests and assessments.
The government also approved an additional $26.8 million of funding in October 2020 to make computer-based tests available online and further boost VicRoads’ testing capacity. VicRoads announced additional temporary customer service sites and licence testing officers to address the backlog.
VicRoads has used COVID-19 as an opportunity to accelerate its digital program and extend the range of services available in its online platform. It cleared its backlog by the original projected date of April 2021 with additional temporary staff and test centres and expanded digital services. However, further lockdowns have created a new backlog, which VicRoads projects to clear by April 2022.
Further digital transformation will benefit VicRoads in the medium as well as long term because it can provide more efficient registration and licensing operations.
Source: VAGO, based on information from DoT (VicRoads’ registration and licensing division).
It is important for departments to review their response to a major disruption. This can help them replicate their successes and avoid repeating failures in similar future events.
Although COVID-19 is ongoing, DELWP, DJCS, DPC and DTF have conducted PIRs or wider reviews of their BCM program. While it did not conduct a PIR, DET discussed its COVID-19 learnings with its executive board and other internal committees.
We acknowledge that many departments are still in the middle of responding to the pandemic. However, by not reviewing their learnings to date, departments limit their ability to identify and take early action to address risks and implement improvements.
Despite this, COVID-19 has created opportunities for departments to make positive changes, such as accelerating their digital transformation or adopting more efficient processes.
Improving BCM policies, plans and procedures
The COVID-19 pandemic has allowed all departments to adapt and improve their business continuity policies, procedures and plans.
We assessed departments' BCM documentation against the ISO standard both prior to COVID-19 and after March 2020.
We found that prior to COVID-19, 14 per cent of the ISO elements assessed were ‘not achieved’, but this dropped to 5 per cent after COVID-19. This shows that departments have improved their BCM.
Sharing information with other departments
There are several cross-department information-sharing groups that relate to business continuity, including the BCM—Multi-Agency Forum.
While the forum postponed its meetings at the peak of the pandemic in 2020, it resumed meeting on 19 November 2020. Departments have used this forum to share better-practice procedures and discuss lessons learnt from COVID-19.
However, there is no central body to ensure that departments implement whole of government learnings from this forum or other groups.
Improving remote working technology
The pandemic has made departments rethink how they work and, in some cases, accelerated their digital transformation plans.
Meeting minutes from departments’ incident management teams suggest that they rolled out new technology-related processes and projects, such as electronic approval processes and Microsoft Teams, within weeks during the early stages of the pandemic. This would usually take months or years.
This presents an opportunity for departments to apply some of their learnings, such as the value of streamlining processes and adopting new technology earlier, to future ICT projects.
Remote working has increased other risks though, such as:
- privacy concerns
- cybersecurity threats
- occupational health and safety risks.
Departments have advised their staff about the importance of privacy and occupational health and safety (for example, ergonomic desk set-ups) as remote working continues. However, departments need to further manage these risks as new challenges arise, such as work-life balance or security risks, that were not as common in an office-based environment.
We have consulted with DET, DELWP, DFFH, DH, DJCS, DJPR, DoT, DPC, DTF and Cenitex, and we considered their views when reaching our audit conclusions. As required by the Audit Act 1994, we gave a draft copy of this report, or relevant extracts, to those agencies and asked for their submissions and comments.
Responsibility for the accuracy, fairness and balance of those comments rests solely with the agency head.
|BCM||business continuity management|
|BCP||business continuity plan|
|BIA||business impact analysis|
|DEDJTR||Department of Economic Development, Jobs, Transport and Resources|
|DELWP||Department of Environment, Land, Water and Planning|
|DET||Department of Education and Training|
|DFFH||Department of Families, Fairness and Housing|
|DH||Department of Health|
|DHHS||Department of Health and Human Services|
|DJCS||Department of Justice and Community Safety|
|DJPR||Department of Jobs, Precincts and Regions|
|DoT||Department of Transport|
|DPC||Department of Premier and Cabinet|
|DTF||Department of Treasury and Finance|
|GSRN||Government Sector Resilience Network|
|ICRS||Integrity and Corporate Reform Subcommittee|
|MTPD||maximum tolerable period of disruption|
|PSAC||Public Sector Administration Committee|
|RTO||recovery time objective|
|VAGO||Victorian Auditor-General’s Office|
|VPS||Victorian Public Service|
|WHO||World Health Organization|
|BP3||Budget Paper No. 3: Service Delivery|
|ISO 22301:2019||ISO 22301:2019 Security and resilience—Business continuity management systems—Requirements|
|ISO standard||AS ISO 22301:2020 Security and resilience—Business continuity management systems—Requirements|
|Risk IDC||State Significant Risk Interdepartmental Committee|
|Standing Directions||Standing Directions 2018 Under the Financial Management Act 1994|
|Standing Directions Instructions||Instructions supporting the Standing Directions 2018 under the Financial Management Act 1994|
|Who we audited||What the audit cost|
|DELWP, DET, DHHS (DFFH and DH), DJCS, DJPR, DoT, DPC, DTF and Cenitex||The cost of this audit was $800 000.|
What we assessed
This audit used the following lines of inquiry and criteria:
|Line of inquiry||Criteria|
|Prior to COVID-19, agencies’ BCM prepared them for a major disruption.||Agencies had: 1. BCM policies, procedures and assurance processes that complied with relevant legislation, standards, and guidelines; 2. current BIAs that identified and prioritised essential services and the impact of disruptions on these services; 3. detailed and up-to-date BCPs for all essential services that were consistent with relevant legislation, standards, and guidelines.|
|During COVID-19, agencies effectively implemented their business continuity arrangements to maintain essential services.||1. Agencies used their BCM arrangements, including BCPs, to guide their response to COVID-19, including their transition to remote working. 2. Agencies have reviewed and updated their BCM arrangements in response to COVID-19, captured and shared lessons and implemented improvements. 3. There was a whole-of-government response to business continuity during COVID-19 that helped departments to continue providing their essential services and share lessons learnt.|
This audit focused on departments’ business continuity preparedness and response. We included Cenitex in the audit due to its role in providing essential ICT services. We did not look at Cenitex’s BCM processes. The audit also did not include emergency management and portfolio entities.
As part of the audit we:
- reviewed departments’ policies, procedures, plans and BIAs and assessed if they met relevant standards and requirements (both before and during COVID-19)
- used data from Cenitex and departments to assess if departments were able to effectively transition to remote working
- reviewed departments’ prioritised services using available data, BP3 measures and departments’ documentation
- met with relevant key staff at each department
- conducted a survey of business continuity personnel.
In July and August 2021, we surveyed all nine Victorian Government departments. We did this to understand staff experiences and views about the adequacy of their department’s BCM.
We sent the survey to 493 business continuity staff across nine departments. We received 194 responses (a response rate of 40 per cent). As the survey was optional, there was a risk that respondents did not accurately represent business continuity at the whole-of-government level due to self-selection.
We have included our survey results in this report. All survey result percentages have a margin of error of plus or minus 5.5 per cent at the 95 per cent confidence level unless we state otherwise. This margin of error does not affect the qualitative findings in this report.
We conducted our audit in accordance with the Audit Act 1994 and Assurance Engagements ASAE 3500 Performance Engagements. We complied with the independence and other relevant ethical requirements related to assurance engagements.
Unless otherwise indicated, any persons named in this report are not the subject of adverse comment or opinion.
BIAs prior to COVID-19
Figure D1 outlines our assessment of departments’ BIAs prior to COVID-19.
FIGURE D1: Our assessment of departments’ BIAs prior to COVID-19
|Department||Organisation-wide BIA?||Group BIAs?||Aligned with ISO standard?||VAGO commentary|
|DELWP||✓||✓||✕||DELWP had group BIAs and consolidated them into an organisation-wide BIA. It met the requirements of the ISO standard except evidence of executive approval.|
|DET||✓||✓||✓||DET had group and consolidated BIAs that met the ISO standard.|
|DHHS||P||✕||✕||DHHS had not undertaken an organisation-wide BIA since 2012, but it did highlight prioritised business activities with an RTO of less than one hour in its December 2018 executive board report and individual plans. DHHS does not have completed BIAs that demonstrate its assessment of impacts over time, which organisations use to determine RTOs. It also did not outline resource requirements or interdependencies.|
|DJCS||✓||P||✕||DJCS had an organisation-wide BIA. It embedded its group BIAs in individual BCPs, but had no evidence of individual assessments of impacts over varying timeframes. Six out of 51 BCPs were not complete (and therefore did not include BIA results) in 2019–20. As such, the department could not demonstrate that its BIAs covered all of its services.|
|DJPR||✕||✕||✕||DJPR relied on BIAs conducted by its legacy department DEDJTR in 2018. Given the machinery of government change that occurred in 2019, DJPR should have conducted a new BIA in line with the ISO standard, which recommends a BIA when there are significant changes within an organisation. It also did not include dependencies in all instances.|
|DoT||✕||P||✕||DoT relied on BIAs conducted by its legacy department DEDJTR in 2018. It did not conduct a new BIA despite significant changes to its department. However, it did conduct a BIA for Transport for Victoria. Gaps in this BIA included a lack of minimum resource requirements and instructions around how it established RTO and MTPD timeframes.|
|DPC||✕||✕||✕||DPC has not undertaken any BIAs since 2016.|
|DTF||P||✕||✕||DTF reviewed its services and captured a partial BIA in its departmental BCP. This included the MTPDs for its prioritised services, resource requirements and peak periods of time that may impact prioritised services during the disruption. Its individual group BCPs did not consistently capture this information. DTF does not have a clear risk assessment of what services were excluded or impact over time.|
✓ = Met
P = Partially met (for example, evidence in some BIAs but not all)
✕ = Not met
Source: VAGO assessment of departments’ documents.
BCPs prior to COVID-19
Figure D2 outlines our assessment of departments' BCPs against key elements of the ISO standard.
FIGURE D2: BCP consistency with key elements of the ISO standard and BCP coverage of services prior to COVID-19
|The purpose, scope, and objective||✓||✓||✓||✓||✕||✓||✕||✓|
|The roles and responsibilities of the team that will implement BCM||✓||✓||✓||✓||✓||✓||✓||✓|
|Actions to implement the solution (recovery strategies to respond to a disruption and the steps needed to restore services)||✓||✓||✓||✓||P||✕||✕||✓|
|Supporting information needed to activate (including activation criteria), operate, coordinate and communicate the team’s actions||✓||✓||✓||✓||✓||✓||✓||✓|
|Internal and external interdependencies||✓||✓||✓||✓||✓||✓||✓||✕|
|A process for standing down the BCP||✓||✓||✓||✓||✓||✓||✓||✓|
|Evidence of approval||P||✓||✓||✓||P||✕||✕||P|
|Covers all prioritised services||✓||✓||✕||✕||✕||✕||✕||✕|
|Surge workforce capacity*||✓||✕||P||P||✕||✕||✕||✕|
Note: We have assessed a department as not meeting an element if we have evidence that it did not capture all of its prioritised services in its 2019 BCPs, or if it had BCPs that were not updated in the previous two years, which would increase the risk that it had not captured all of its prioritised services.
✓ = Met
P = Partially met (for example, evidence in some plans but not all)
✕ = Not met
*This is not an ISO requirement but it is a relevant element of BCP coverage in a pandemic.
Source: VAGO assessment of departments’ documents.
Exercising and validating BCM
Figure D3 shows our assessment of departments' exercising and validating process.
FIGURE D3: Departments’ exercising and validation of BCM
|Department||Exercising program||Exercises undertaken||Recommendation tracking||PIRs||VAGO commentary|
|DELWP||✓||P||✓||✓||DELWP has a program of exercising, tracking and updating its BCM program. It conducted exercises (mostly desktop-based) for almost half of its BCPs in 2018–19 due to a fire at its 8 Nicholson Street building in August 2018. It postponed its exercising program in 2019–20 and 2020–21 due to COVID-19 and the summer bushfires. DELWP has evidence that it has done PIRs to assess service disruptions prior to COVID-19.|
|DET||✓||✓||✓||✓||DET has an exercising program that it has implemented. It also has analytics on compliance with its BCM program and a lessons register to track improvements.|
|DHHS||P||P||✕||✓||DHHS had biannual exercises involving its executive board and conducted some exercising of its group BCPs. It had no organisation-wide exercising program or central recommendation tracking.|
|DJCS||✓||✓||✓||✓||DJCS has a scorecard for each business area that outlines its BCM testing and exercising. It has also provided evidence of exercises, recommendation tracking and PIRs.|
|DJPR||✕||✕||✕||✕||DJPR had no exercising program prior to COVID-19, and only conducted testing with a disaster recovery focus. DJPR has since drafted a 2021–22 forward plan to review and exercise its BCM program and has undertaken exercises in November and December 2021.|
|DPC||P||P||✓||✓||While DPC has conducted PIRs, it did limited exercising in the 2018–19 and 2019–20 financial years. In November 2019, DPC approved a testing schedule for the 2020–21 period. However, it has not implemented this yet.|
|DoT||✓||P||✓||P||DoT has exercised its BCP arrangements and developed a register to capture and address key issues. However, its exercises are desktop-based and were limited to VicRoads’ registration and licensing division prior to COVID-19. DoT has a 2020–22 forward program for BCM, which includes training, reviews and exercises.|
|DTF||✓||P||✕||N/A||While DTF’s BCM policy includes an exercising schedule, it does not have a central register to track recommendations. Its testing is also limited to small scale tests. DTF did not experience any BCM incidents between 2018 and February 2020.|
✓ = Met
P = Partially met
✕ = Not met
N/A = Not applicable
Source: VAGO assessment of departments’ documents.