Since its emergence in late 2019, coronavirus disease 2019 (COVID-19) has become a global pandemic that is impacting on human health and national economies. From February 2020 the Australian Government introduced of a range of policy measures in response to COVID-19 that included:

• travel restrictions and international border control and quarantine arrangements;
• financial support for affected individuals, businesses and communities; and
• support for essential services and procurement of critical medical supplies.

With the release of the 2021–22 Budget on 11 May 2021, the Australian Government reported that it had committed $20 billion to COVID-19 health support measures and $291 billion to economic response measures. 

The COVID-19 pandemic and the Australian Government’s rapid response to it significantly impacted on the risk environment faced by the Australian public sector. To account for this change in risk environment, the ANAO developed a COVID-19 multi-year audit strategy outlining its approach to auditing COVID-19 related measures and five early response audits of front line entities implementing COVID-19 policy measures. In addition, the ANAO published an audit insights in April 2020 summarising key messages from ANAO performance audits that examined rapid implementation of Australian Government initiatives, including in response to the Global Financial Crisis. 

Between December 2020 and May 2021 the ANAO published five performance audits, conducted under phase one of the COVID-19 multi-year audit strategy, examining key aspects of the Australian Government’s early response to the COVID-19 pandemic:

• Auditor-General Report No. 20 of 2020–21 Management of the Australian Public Service’s Workforce Response to COVID-19;
• Auditor-General Report No. 22 of 2020–21 Planning and Governance of COVID-19 Procurements to Increase the National Medical Stockpile;
• Auditor-General Report No. 23 of 2020–21 Services Australia COVID-19 Measures and Enterprise Risk Management; and
• Auditor-General Report No. 24 of 2020–21 The Australian Taxation Office’s Management of Risks Related to the Rapid Implementation of COVID-19 Economic Response Measures.
• Auditor-General Report No. 39 of 2020–21 COVID-19 Procurements and Deployments of the National Medical Stockpile.

This audit insights edition covers keys messages from phase-one audits, and builds on the messages outlined in the April 2020 edition on rapid implementation. Key learning areas covered in this audit insights relate to:

1. crisis preparedness;
2. governance arrangements in an emergency;
3. identifying and managing implementation risk;
4. mobilising resources and planning for rapid implementation;
5. managing emergency procurements; and
6. reviewing outcomes and lessons learnt.

The Department of the Prime Minister and Cabinet’s 2017 Australian Government Crisis Management Framework (the framework) sets out Australian Government arrangements for managing crises across four phases: prevention, preparedness, response and recovery. It defines crisis preparedness as ‘arrangements to ensure that, should a crisis occur, the required resources, capabilities and services can be efficiently mobilised and deployed’. 

The framework outlines standing governance and coordination arrangements for hazard-specific crisis responses, including domestic public health crises. National crisis response plans and arrangements developed by Australian Government agencies are required to reflect the roles and responsibilities set out in the framework.

In February 2020 the Department of Health (Health) published the Australian Health Sector Emergency Response Plan for Novel Coronavirus (COVID-19) to guide the national COVID-19 health response, which incorporates governance and coordination arrangements from the framework. 

The learnings from Australia’s experience in responding to the COVID-19 pandemic provide an opportunity to review existing crisis management plans and arrangements to address any identified gaps or weaknesses.

Governance involves the systems and processes in place to manage performance (such as strategy development and performance monitoring and reporting) and conformance (such as compliance with legal requirements and relevant standards). 

In an emergency, such as during the COVID-19 pandemic, governments and public service entities need to respond promptly and decisively to emerging threats. The imperative to act quickly does not diminish the importance of good governance. Focus may need to shift from strategic to tactical governance, establishing fit-for-purpose arrangements to ensure delivery of essential services through resource mobilisation, while gaining assurance over compliance with legal requirements and quality expectations – in both rapid response activities and business as usual.

Appropriate governance arrangements need to be established early in any emergency response or rapid implementation process to optimise their value. At the whole-of-government level, this can be achieved by mobilising standing governance and coordination arrangements outlined in crisis preparedness frameworks and plans. At the entity level, accountable authorities need to determine what is fit for purpose in the specific circumstances facing their entities and ensure that governance considers impacts on business as usual activities and changes to risk tolerance levels and risk control measures.

Leveraging existing governance mechanisms can provide an effective means to support the rapid implementation of measures, where these mechanisms provide for fit-for-purpose accountability, oversight and reporting arrangements. Existing resources, such as internal audit, can be used to provide timely assurance that frameworks are being followed and that decision-making processes are appropriately documented.

Keeping sufficient documentation of decision-making processes and outcomes is fundamental to effective governance, accountability and transparency. Accordingly, governance bodies should adopt a disciplined approach to:

• clearly and comprehensively recording decisions and actions, including deliverables and timeframes;
• assigning responsibility for actions and risks;
• determining and documenting an appropriate set of performance indicators;
• maintaining risk registers, ensuring enterprise risks and associated tolerance levels are systematically identified and assessed; and
• following up with responsible parties and recording reasons for the closure of actions, including when not completed.

Section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) provides that accountable authorities of Commonwealth entities must establish and maintain appropriate systems of risk oversight and management. The 2014 Commonwealth Risk Management Policy sets out the government’s expectations for Commonwealth entities in undertaking the business of government. Risk is defined as the ‘effect of uncertainty on objectives’ and risk management as the ‘coordinated activities to direct and control an organisation with regard to risk’. 

Risk tolerance is defined as ‘the levels of risk taking that are acceptable in order to achieve a specific objective or manage a category of risk’.  The concept of risk tolerance assists entities to make informed decisions about whether mitigation strategies in addition to existing controls are required and, if so, the level of resourcing required to achieve desired outcomes.

Risk tolerance may necessarily increase during an emergency, to ensure the response is implemented rapidly. Articulating risk tolerance early in the implementation phase of new measures, and reviewing this throughout the implementation phase, provides a sound basis on which to support effective risk management, including the best use of entity resources. The rationale for setting the risk tolerance for particular risks or categories of risk should be clearly documented, both to evidence entity decision-making and to support subsequent assurance activities.

In a complex emergency multiple entities, including government and non-government entities, may need to work together to coordinate the response and manage shared risks. The identification of risks that extend beyond a single entity, and that require shared oversight and management, is a key aspect of effective risk management at an entity and whole-of-government level. Effective management of shared risks can involve:

• formalising roles and responsibilities for managing different aspects of the identified risks;
• understanding different entities’ risk tolerances;
• establishing arrangements to monitor the effectiveness of agreed risk management controls and treatments; and
• ensuring appropriate oversight of shared risks by relevant entity and interdepartmental governance and coordination bodies.

During an emergency response, the demands of rapid implementation may require entities to adopt a flexible and adaptive management stance, ready to mobilise skills, resources and systems to high priority areas, while maintaining a focus on risks and impacts to existing operations. In such circumstances, planning may be difficult due to the imperative to commence implementation as soon as possible. Planning may need to occur in stages, prioritising critical foundations and building on them later.

Where there is a need to mobilise staff rapidly to work on new and urgent initiatives, clear assessment and decision-making about business priorities can support appropriate reallocation. Reallocating existing staff to rapid response activities can assist in reducing risk, as they require less training and have familiarity with embedded business processes and systems. A taskforce approach can be an effective means to develop governance and delivery arrangements in compressed timeframes.

The ANAO’s phase-one COVID-19 audits highlighted that scalable procurement, resource allocation and ICT systems supported by crisis preparedness planning can assist entities to adapt service delivery to the requirements of an emergency response. Most entities examined through these audits had established taskforces to plan and deliver COVID-19 response measures.

In January 2021, after the initial COVID-19 response, the Australian Public Service Commission (APSC) published a toolkit to help government taskforces achieve good outcomes through structured planning processes. The toolkit provides guidance and templates for key stages of the lifecycle of a taskforce, covering:

• determining scope, key deliverables and timeframes;
• establishing clear and effective governance arrangements;
• achieving the right fit and mix of staffing and leadership;
• planning and managing taskforce work and identifying and mitigating risks;
• actively engaging with stakeholders;
• ensuring corporate and administrative processes and supports are in place;
• managing closure and handover, including documenting lessons learnt; and
• avoiding or resolving common problems experienced by taskforces. 

Emergency responses may require the procurement of resources within compressed timeframes. Paragraph 2.6 of the Commonwealth Procurement Rules (CPRs) allows accountable authorities to decide that the CPRs do not apply to a procurement under certain circumstances, including to safeguard national security and to protect human health.  Under paragraph 10.3b, procurements can also be exempted from the CPR requirement to be conducted through open tender for reasons of extreme urgency.

When deciding that the CPRs do not apply under paragraph 2.6, accountable authorities can assist officers conducting the procurements to meet the PGPA Act requirement to use and manage public resources properly by: determining the extent of departure from specific requirements of the CPRs; and specifying an alternative framework for conducting procurements. The accountable authority should revoke the measures in place under paragraph 2.6 when they are no longer necessary.

Implementing non-competitive or limited tender emergency procurements in a manner consistent with the PGPA Act can be facilitated by:

• establishing probity measures early in the process;
• documenting an evaluation plan that sets out consistent criteria underlying procurement decisions;
• using benchmarking to demonstrate value-for-money; and
• maintaining adequate records to facilitate transparency.

As an emergency response moves to a different phase it is important to allocate time and resources to completing project closure activities, including reviewing outcomes and identifying lessons learnt. Undertaking appropriate closure activities supports accountability, and documenting lessons that were learnt through the project can provide a valuable resource to inform future planning.

The ANAO’s phase-one COVID-19 audits identified the following good practices — which are also highlighted in the APSC’s 2021 Taskforce Toolkit  — for concluding a taskforce project:

• having a dedicated closure plan, and setting aside time at the end of a project to tie up loose ends and provide a comprehensive handover;
• keeping appropriate records throughout the project, especially for decisions made;
• engaging with corporate areas to schedule the closure of administration supports (for example, ICT access and accommodation); and
• engaging with secondees and their home areas early to plan for their return and ensure a positive transition.

In addition to the phase-one COVID-19 audits, the ANAO is conducting the following performance audits under phase two of the ANAO’s COVID-19 multi-year audit strategy:

• Administration of the JobKeeper Scheme (due to table in October 2021);
• International Travel Restrictions during COVID-19 (due to table in November 2021);
• Human Biosecurity Practices for International Air Travel during COVID-19 (due to table in March 2022); and
• Overseas Crisis Management and Response: The Effectiveness of the Department of Foreign Affairs and Trade’s Management of the Return of Overseas Australians in Response to the COVID-19 Pandemic (due to table in March 2022).

Additional COVID-19 response audits are identified as part of the ANAO’s annual audit work program.