FaHCSIA nomination 2010


Criterion One
Risk management framework – creating a foundation to effectively manage
This criterion asks you to consider your agency’s approach to adopting risk management.
Agencies need to demonstrate how the following five elements underpin their framework and
contribute to the strategic planning, management and decision making processes of the agency:
   • Risk management policy and objectives;
   • Accountability and responsibility;
   • Integration;
   • Review and evaluations; and
   • Risk culture.
Evidence to demonstrate excellence against this criterion will include a description of your
agency’s risk management framework. There would also be evidence that the agency’s culture is
one where understanding, accepting and managing appropriate risk is part of the everyday
decision making process.
Over the past few years, FaHCSIA has undertaken a systematic, coordinated and Executive-led
approach in the development and implementation of Departmental risk management practices and
procedures. The Department has sought to learn from the experience of other government
agencies and to address areas of weakness identified through staff surveys and audit evaluations.
The result has been the development of a risk management system that is fully integrated into
FaHCSIA’s corporate governance arrangements, is effectively promoted across the Department
and, importantly, is now increasingly embedded in the daily work practices of staff.
FaHCSIA has developed and implemented an enterprise Risk Management Framework, based on
the Australian/New Zealand Risk Management Standard (AS/NZS 4360:2004). This is currently
being redeveloped to reflect the strategic intent of the new International Risk Management
Standard, AS/NZS/ISO 31000:2009. The Risk Management Framework includes the following
main elements:
   • Governance - provided at the highest level by the Department’s most senior executive
    committee, the Executive Management Group (EMG) supported by the Risk Assessment and
    Audit Committee (RAAC);
   • Risk Management Policy - this articulates the Secretary’s commitment to effective risk
    management with an overarching policy statement about the aims of risk management in
    FaHCSIA and the associated responsibilities of management and staff. The Policy integrates
    with the Chief Executive Instructions (CEIs) and Financial Rules, requiring staff to take a
    conscious and systematic approach to risk management as an everyday part of our work;
   • Strategic Risks - are the high-level risks to the organisation identified by EMG. The current
    Strategic Risks and their risk ratings are as follows:
     o   Programs - ineffective management of third parties to implement and deliver initiatives
         and programs in accordance with government priorities (High);
     o   Workforce - inability to properly support the health and well-being of staff or to attract
         and retain staff with the required skills, experience and capacity (High);
     o   Compliance - Non-compliance with the Public Service Act and the Financial
         Management and Accountability Act (High);
                           FaHCSIA Nomination for Enterprise-wide Risk Management
                          Comcover’s Awards for Excellence in Risk Management 2010
     o    Policy - Failure to establish the evidence base to support timely and responsive policy
          advice (High); and
     o    Whole-of-Government - Failure to engage effectively with other agencies and
          jurisdictions in the development and delivery of whole-of-government initiatives (High);
   • Guidelines and tools - practical guidance and resources for risk management are provided
    to staff on the FaHCSIA intranet (STAFFnet) and are also available from the Risk
    Management Helpdesk. Briefly, these resources are as follows:
     o    Risk Management Guidelines - a step-by-step guide to identifying, assessing and
          treating risks;
     o    Risk Management Worksheets - a collection of worksheets, each relating to one of the
          six steps in FaHCSIA’s risk management process;
     o    Risk Management Quick Guide - a summary of the key steps in the risk management
          process for staff who are familiar with the risk management process;
     o    Risk Matrix - a five-by-five risk matrix that produces four possible risk ratings (low,
          moderate, high and extreme) from the combination of ratings stemming from likelihood
          and consequence tables that are ordinal scales each with five descriptors. The
          consequence table gives the choice of four different categories (people; financial;
          reputation; and business process and systems); and
     o    Risktracker - an Excel-based tool structured to document the main elements of a risk
          assessment: contextual information; risk source; identified risks; existing controls;
          likelihood and consequence ratings; risk rating; risk ownership; treatment action;
          monitoring and review methods; and target risk levels.
EMG oversees the Department's financial well-being by allocating resources, monitoring
performance and risk, and ensuring the department meets its regulatory requirements. It also
provides a forum for cross-group issues to be managed, and guides, coordinates and champions
key organisational reform processes. EMG’s charter expressly identifies the management of risk as
one of its responsibilities and also includes overseeing FaHCSIA’s business continuity plan.
In April 2010, the EMG agreed that the Department’s risk management approach would be further
strengthened by implementing a ‘subset’ to the Strategic Risks to be known as ‘Specific
Implementation Risks’ (SIRs). This new layer in our Risk Management Framework focuses on risks
to the implementation of critical policies, programs or projects, and any consequential risks these
create for the Department’s business operations, reputation and budget.
SIRs are the top ‘handful’ of FaHCSIA initiatives in terms of complexity and sensitivity. The
initiatives that are included as SIRs are determined by EMG and will be subject to review on a
three to four monthly basis (the most appropriate frequency is currently being determined). Each
SIR is required to complete an assessment of the risks to implementation and to FaHCSIA.
EMG is supported in its risk management governance by RAAC which is a mandatory committee,
established by the Secretary pursuant to the Financial Management and Accountability Act 1997.
RAAC provides independent assurance and assistance to the Secretary and EMG on the design
and operation of FaHCSIA’s risk, control and compliance framework, and on its external
accountability responsibilities.
Under its charter, RAAC has the following responsibilities in respect of risk management:
   • to satisfy itself that FaHCSIA’s risk management strategy is effective and that all key
    business risks are identified and the assessment of risks is appropriate;
   • to monitor the implementation of the FaHCSIA Risk Management Framework;
   • to satisfy itself that the internal audit plan addresses FaHCSIA’s risks and that any changes
    in risk are reflected in the internal audit work plan;
   • to review whether a sound and effective approach has been followed in establishing
    FaHCSIA’s business continuity planning arrangements, including whether disaster recovery
    plans have been tested periodically; and
   • to review and monitor FaHCSIA’s fraud control plan and satisfy itself that FaHCSIA has
    appropriate processes and systems in place to capture and effectively investigate fraud
    related information.
FaHCSIA’s CEIs and Financial Rules provide for sound risk management processes to underpin
the effective and efficient use of Commonwealth resources, which are obligations under section 44
of the Financial Management and Accountability Act 1997 (the FMA Act). These require that the
Chief Operating Officer must maintain a Risk Management Framework and that officials must
comply with FaHCSIA’s Risk Management Policy.
In addition, officials undertaking tasks or activities in relation to procurement must pay due regard
to FaHCSIA’s Strategic Risks and the Risk Management Framework.
These arrangements are further embedded by the inclusion of standard accountability
requirements in managers’ performance agreements.
All Groups in FaHCSIA are required to develop and implement financial year business plans
setting out, among other things, business objectives and the risks to achieving these. These risk
plans also document how business areas contribute to the management of FaHCSIA’s Strategic
Some Strategic Risks are more relevant than others to particular business areas and this varied
emphasis is reflected in the risk plans. For example, the Strategic Risk most relevant to the work of
the Social Policy Group is the Policy Risk ‘Failure to establish the evidence base to support timely
and responsive policy advice’.
Risk management and sharing in FaHCSIA also occurs as part of the internal audit program and
informs the development of FaHCSIA’s Fraud Control Plan. The Risk Management and internal
Audit Teams work closely together, exchanging risk assessment and audit information to help
focus the work of both areas. For example, the Business Planning and Risk Management Section
keeps the Audit Team informed of FaHCSIA’s changing risk profile as reflected in the risk data
gathered from across the department, and the Audit Team uses that information to help structure
its audit work program and focus on areas of exposure.
Business Planning and Risk Management Section and the Audit Branch are currently working
collaboratively in developing a strategy to further strengthen the Department’s Risk Management
Maturity. This will encompass strategies for strengthening our risk management application,
experience, processes and culture.
To set the foundations for developing this strategy these teams will conduct a workshop to gather
stakeholders’ views on FaHCSIA’s Risk Management Maturity, the desired state and key
deliverables that should be produced as part of this program of work.
The Risk Management Framework integrates with a series of other risk-specific frameworks,
   • a Program Risk Management Framework;
   • a Business Continuity Management Framework;
   • governance, information and support for managing insurable risks through Comcover;
   • guidance on managing risks in the procurement life-cycle;
   • guidance for hazard identification and risk management;
   • a risk-based approach to developing and implementing the audit work program;
   • guidance for limiting liability in ICT contracts and managing risk; and
   • work on the development of a Security Risk Framework, which has recently commenced.
These tailored models apply the standard FaHCSIA risk process and language, so that data from
the resulting risk assessments can be integrated into the department-wide risk analysis and
reporting done by the Business Planning and Risk Management Section.
FaHCSIA conducts structured reviews on the application and effectiveness of its enterprise-wide
approach to risk management. These are in the form of staff surveys and internal audits. In
November 2007, an audit on ‘the Application of Risk Management in Business Plans’
recommended promotion of a Risk Management culture in FaHCSIA, including developing
practical ways to better integrate Risk Management into Business Planning processes.
In early 2010 a subsequent audit was conducted, focusing on FaHCSIA’s Risk Management
Maturity. The audit assessed the effectiveness of current risk management processes and the
integration of risk activities across FaHCSIA. It also examined controls specific to the risk
management framework. The audit compared existing practices with better practice guides and
standards used by FaHCSIA.
In addition to ‘AS/NZS ISO Standard 31000 4360:2004’, the audit was guided by the Standards
Australia Handbook (HB) 158 (2006) ‘Delivering Assurance Based on AS/NZ 4360-2004’. The HB
was developed in partnership with the Institute of Internal Auditors (Australia). The audit used the
five attributes of an enhanced Risk Management Framework from the Standard as part of the
guidance on suggestions for improvement.

Criterion Two
Risk management program – operationalising your risk management

This criterion requires your agency to demonstrate how each of the five elements below contributes
to its risk management program and ensures that resources and processes are in place to
manage risk at an operational and strategic level:

   • Resourcing
   • Communication and training
   • Risk Assessment
   • Risk Profiling and reporting; and
   • Business Continuity.
Excellence against this criterion would include evidence to demonstrate how your agency has
allocated resources effectively and efficiently across the agency to develop a culture of sharing
information as well as an understanding of the cost of risk management.

FaHCSIA understands that effective risk management requires an investment in people, process
and tools and that there is a correlation between organisational risk management maturity and the
level of investment made to developing and embedding enterprise-wide risk management.
FaHCSIA has established two dedicated teams to focus on building consistent, integrated risk
management practices, processes and tools. The first, the Risk Management Team within the
Business Planning and Risk Management Section, focuses on the enterprise-wide risk
environment and the development of the organisational risk management culture. The key
responsibilities of this team are:
   • building FaHCSIA’s risk management maturity;
   • development and implementation of FaHCSIA’s risk management policy and processes;
   • coordinating the development and implementation of FaHCSIA’s Strategic Framework,
    Strategic Risks and Specific Implementation Risks;
   • developing and implementing FaHCSIA’s business planning and risk management
    processes and integrating these with budget allocation processes;
   • reporting to EMG and RAAC on the Department’s performance in identifying and managing
   • integrating risk management principles and processes with other Departmental policies,
    planning and decision making processes;
   • identifying and delivering new initiatives that will strengthen organisational awareness,
    capability and competency in identifying and managing risks; and
   • providing education, guidance and support on risk management practices, processes and
    tools. The team also provides guidance and support for identifying, analysing, evaluating,
    treating and reviewing risks.
The second team, the Program Risk Management Team, focuses on supporting the quality of
business processes in program management. This includes analysis of program management and
service delivery risks, design and implementation of risk management and quality assurance tools
and processes, and providing assistance to program areas and the network with program, provider
capacity and service delivery risk assessments. This Section also provides ongoing monitoring and
reporting on the effectiveness of program risk management to RAAC and the Program
Management Committee.
FaHCSIA uses several methods and vehicles to communicate risk internally and to educate staff to
identify and manage risk. One of the primary means is the use of the FaHCSIA intranet, STAFFnet.
The risk management site on STAFFnet provides links to all documents and tools included in the
Risk Management Framework. The site also includes links to the specialist risk areas, such as the
sites for Workplace Safety and Rehabilitation and Service Delivery/Program Risk Management,
Project Management, Audit, Business Planning and Comcover Insurance.
The Risk Management Team also uses the weekly electronic FaHCSIA newsletter, distributed to
all staff by email, to publish risk articles and publicise risk management-related news,
developments and issues. The weekly newsletter is also used as a vehicle for senior executives to
promote risk management in FaHCSIA.
On a more formal level, risk is also communicated internally through the Department’s risk
escalation process which requires that ‘extreme’-rated risks be brought to the Executive’s notice
and ‘high’-rated risks be referred for senior management attention.
The Risk Management Team plays an active role in building risk management capability by
providing personalised guidance and support on risk management practices and processes and
acting as a facilitator in risk assessments and risk review exercises.
To support FaHCSIA’s risk management capability, the team also provides short training sessions
for individuals, teams, sections or branches. Staff attending the training gain an increased
awareness of the importance of risk management in FaHCSIA, knowledge of the support and
resources available to staff when conducting a risk assessment, and an understanding of
FaHCSIA's six step approach to managing risks. Recently FaHCSIA introduced an e-learning
program to provide an Introduction to Risk Management. This program guides participants through
the steps to managing risks with advice for obtaining further information, training or support.
Advanced risk management training is accessed externally through providers such as the Risk
Management Institute of Australia and Comcover.
Other courses, which are provided in a classroom or workshop setting, include Financial
Management in FaHCSIA, Working with Commercial Contracts, and Managing Stakeholder
Engagement. These courses are particularly relevant to the management of FaHCSIA’s Strategic
Risks, such as the ‘Ineffective management of third parties delivering our programs’ and ‘Non-
compliance with the Public Service Act and the Financial Management and Accountability Act’.
One of the ways that the Strategic Risks are integrated into broader Departmental risk
management practices is through the requirement for risk assessments and risk reports to the
Executive to identify the Strategic Risks being managed, or to which the assessed or reported risks
relate. This requirement is designed into FaHCSIA’s risk assessment tool (Risktracker) and the
format of Group Performance and Risk reports to EMG as well as being a mandatory element of all
Business Plans. The integrity of these reports is supported by consistent processes for assessing
and rating risks.
Groups and States are required to report regularly on progress against their business and risk
plans, at least six monthly. The Risk Management Team uses the information gathered through
Risktracker for reporting to EMG and RAAC on risks that have been identified through business
planning processes, the alignment of these against the Department’s Strategic Risks and the
status of risk treatments. The Team will soon commence reporting to EMG on Specific
Implementation Risks and the implementation and effectiveness of treatments for these.
FaHCSIA managers are required to provide ‘Certificate of Compliance’ reports tri-annually to the
Chief Finance Officer (CFO) for subsequent reporting to RAAC providing assurance that they are
meeting their obligations under the CEIs and Financial Rules. These include assurances of
adequate risk management on various issues.
In turn, the CFO and RAAC are required to provide annual assurance to the Secretary before he
signs FaHCSIA’s Certificate of Compliance.
Monitoring and review of risk plans occurs as part of FaHCSIA’s risk management governance
arrangements, in particular reporting to EMG and RAAC. RAAC reports to the Secretary through
the RAAC Chair after each of its five meetings during the year.
Effective business continuity management (BCM) allows FaHCSIA to manage disruptions to its
business operations caused by the unavailability of key resources in the event of a crisis or
significant business disruption. It is an integral part of the Department's comprehensive and
systematic approach to managing risk. The key elements of BCM governance in FaHCSIA are:
   • EMG’s responsibility for overseeing business continuity management and regularly reviewing
    BCM priorities and the status of the program;
   • RAAC’s provision of independent assurance and advice to the Secretary, including on
    ‘whether a sound and effective approach has been followed in establishing FaHCSIA’s
    business continuity planning arrangements (and) whether disaster recovery plans have been
    tested periodically’ (as stated in RAAC’s charter); and
   • the Information and Communication Technology Disaster Recovery (ICT DR) Committee’s
    monitoring of FaHCSIA’s ICT disaster recovery arrangements.
FaHCSIA’s Business Continuity Management Framework outlines the governance structures and
activities to be undertaken by FaHCSIA in managing business continuity risks. Our BCM program
   • a BCM policy that is readily accessible to all FaHCSIA staff on STAFFnet;
   • a governance structure that includes regular review of the program by the Department’s
    senior executive;
   • a dedicated BCM team that supports, promotes and coordinates business continuity
    management in FaHCSIA;
   • an overarching Business Continuity Plan, with 31 sub-plans that outline response and
    recovery strategies;
   • a Crisis Response Team (CRT) headed by one of the Deputy Secretaries, which is activated
    in the event of a business disruption to take control of the restoration and recovery of
    FaHCSIA’s business processes;
   • a dedicated business continuity database; and
   • an established exercise regime to test the effectiveness and provide assurance on the
    currency of all plans.
In the event of an emergency or serious disruption, FaHCSIA’s priorities are to protect human life
(through its emergency management) and to minimise disruptions to services to the department
and its clients. Our business continuity management is designed to deal with any such disruptions
by ensuring the uninterrupted availability of departmental resources or, where this is not possible,
the rapid restoration of those resources. Consequential benefits are the minimisation of financial
loss, protection of the department from adverse legal consequences and the preservation of
stakeholder confidence and goodwill.
The critical business functions that support FaHCSIA are documented in an overarching Business
Continuity Plan. The six Mission Critical Activities (MCAs), identified by EMG, are the activities
whose loss would have the greatest impact and which need to be recovered most rapidly during a
major disruption to FaHCSIA’s business.
Following the 2007 Federal election and subsequent Machinery of Government changes, EMG
reviewed FaHCSIA’s BCM priorities and approved the following prioritised MCAs:
   • urgent Ministerial support (including media, communications and liaison);
   • support of the Australian Government Disaster Recovery Committee;
   • enabling Centrelink to make payments on FaHCSIA’s behalf;
   • making payments to service providers;
   • making payments to FaHCSIA staff; and
   • making payments to suppliers and state and territory governments.
The FaHCSIA BCP is modular in structure, being made up of a crisis response plan, a site
management plan and recovery plans, primarily for the enabling services and functions that
support the MCAs, such as Ministerial support, property services, communications, financial
services and an ICT DR plan. There are also several system-specific recovery plans that are
subsidiary to the ICT DR plan and State Office recovery plans.
In developing plans that will respond to possible threats, FaHCSIA has taken an ‘all hazards, all
threats’ approach and focuses mainly on the impact of the loss or disruption of the processes or
services involved. The risks of loss of service that the recovery plans address are generally rated
high or extreme, with low likelihoods but severe consequences. However, where warranted by the
likelihood of a specific threat, or called for by Government or departmental policy, we have threat-
specific strategies and plans, such as cyclone preparation and response plans for our northern
offices as well as a pandemic influenza plan.
The recovery plans are underpinned by business impact analyses, conducted by the BCM Team
with business owners, that document the maximum allowable outages for business processes (that
is, the time within which those processes must be restored), the assets, resources and
dependencies required to recover and maintain those processes and workarounds that can be
applied as interim measures to maintain services until a return to normal operations.
The business continuity database, titled the Living Disaster Recovery Planning System (LDRPS),
was put into full operation on 30 June 2009. This provides the Department with the ability to quickly
update and amend our business continuity plans in response to organisational restructures, staff
movements or changing business priorities.
The LDRPS database is also fully backed up on two stand-alone laptops and stored in two
separate off-site locations to ensure it is always available to the CRT.
FaHCSIA’s business continuity management includes an established exercise program under
which major components of the BCP, such as the crisis response plan and the ICT DR plan, are
tested regularly. FaHCSIA’s exercise program includes major scenario exercises, audits of plans,
desktop reviews, walkthroughs and component testing of key elements of plans. The CRT has
completed two scenario exercises over the past 12 months.

Criterion Three
Demonstrable Results

This criterion considers the results and benefits the agency has achieved through the
implementation of an enterprise-wide risk management framework.

To demonstrate excellence against this criterion you should provide evidence of the results your
agency has achieved, or what future benefits will emerge from its risk management framework.
Agencies should provide comparative evidence of the costs vs the value of the results or benefits
achieved, as well as evidence of the intangible benefits obtained, such as the overall reduction in

The positive results achieved from FaHCSIA’s enterprise risk management framework can be
demonstrated at both the strategic and operational levels by two examples.

FaHCSIA’s Audit Work Program
The annual Audit Work Program (AWP) provides assurance to the Secretary that strategic and
operational level risks have been adequately addressed. An appropriately targeted and executed
AWP results from the employment of risk management techniques. The 2010-11 AWP was
developed principally from risk based information, obtained from a variety of sources, including
consultation with FaHCSIA’s senior executive, external audit agencies, Group Business Plans,
direct engagement with the corporate risk and fraud function areas and past and recent external
and internal audit reports. This risk information was used to develop a series of audit topics that
were weighted, based on five categories:
    • relevance to FaHCSIA’s goals and outcomes or compliance obligations;
    • public, political or media sensitivity;
    • adequacy and effectiveness of internal controls and risk management;
    • inherent risk; and
    • materiality or level of policy importance.
The weighted list of audit topics forms the basis of the annual AWP, to provide a high level of
coverage of FaHCSIA’s key business risks to the Executive. In addition, the 2010-11 AWP
provides for three program audits that will be informed by the results of the program risk
assessment process to facilitate coverage of the three highest risk program areas in FaHCSIA.
The AWP has contributed to a reduction in FaHCSIA’s risk profile and will further strengthen that
risk profile by continuously identifying operational and strategic level risks. In addition to the AWP
process, risk management is utilised at the operational level at every stage of the audit process
using FaHCSIA’s Risk Management Framework.
FaHCSIA has rigorous processes in place to monitor progress on outstanding audit
recommendations and the treatment of unacceptable risks. Responses to recommendations with a
Low or Moderate level of risk can be cleared by the Chief Internal Auditor. Those with a High or
Extreme level of risk must be cleared by RAAC. The business owners of recommendations must
formally demonstrate that they are either undertaking appropriate action to mitigate risks in their
area, or if no action is taken, the business owner must formally accept the risk. This provides
RAAC with a strong understanding of existing and emerging risks and how these are being
managed by the organisation.

Business Continuity Management
Effective business continuity management allows FaHCSIA to manage disruptions to its business
operations caused by the unavailability of key resources in the event of a crisis or significant
business disruption. It is an integral part of the Department's comprehensive and systematic
approach to managing risk.
The annual Business Continuity testing and review program includes conducting CRT exercises,
where CRT members work through a mock incident to test our BC plans for maintaining our
Mission Critical Activities (MCAs). Experience and training provided to CRT members through
these annual scenario exercises proved to be invaluable when FaHCSIA was confronted with the
loss of power and IT systems in June this year.
At 9:07am on Friday 11 June 2010, Canberra’s Tuggeranong Valley suffered a significant power
outage that resulted in a power failure across several suburbs. This power outage included our
primary IT data centre at TOP which services FaHCSIA and Centrelink. As a consequence, power
to FaHCSIA and Centrelink offices in Tuggeranong was disrupted and FaHCSIA’s IT systems were
shut down abruptly – impacting on all FaHCSIA sites across Australia.
An initial assessment of the incident indicated that there were risks that the IT system may not be
able to be quickly restored, as doing so would have presented an unacceptable risk exposure to
the critical and sensitive FaHCSIA and Centrelink ICT infrastructure housed within the facility.
At 10:15am, the Crisis Response Team (CRT) was activated to coordinate our crisis response /
disaster recovery and to respond to any business continuity issues that were created by the
At its first meeting, the CRT evaluated the situation to address the coordination of our disaster
recovery efforts and to focus on the maintenance of our six key MCAs while the power and IT
issues were being addressed. The two most significant business continuity issues arising from the
outage were ensuring Ministerial support and the on time processing of Centrelink payments.
These MCAs were successfully addressed by implementing processes that had been identified
and practised in our business continuity planning and exercises.
The CRT met on four separate occasions during the course of the outage to review progress;
develop messages for key stakeholders; ensure that we continued to effectively coordinate and
risk manage our response; and reconsider any business continuity issues that may arise should
there be extended delays in restoring our IT systems.
The CRT responded effectively and managed the incident without any critical services being
interrupted or any adverse media comment.
Lessons learned from the power and IT outage are now being implemented and will be tested in
another half-day CRT scenario exercise that is scheduled for late 2010.
