1.1 The Australian Bureau of Statistics (ABS) is an independent statutory body, providing official statistics on a wide range of economic, social, population and environmental matters. The data produced by the ABS is used by governments in the development and implementation of public policy, and by business, non-government organisations and the wider community. Key categories of statistical information provided by the ABS are shown in Table 1.1.

Table 1.1: ABS statistical categories

Source: ABS website, accessed 6 July 2018.

1.2 The primary functions, duties and powers of the ABS are set out in the Australian Bureau of Statistics Act 1975, the Census and Statistics Act 1905 and the Public Governance, Performance and Accountability Act 2013. The ABS’ purpose is to inform Australia’s important decisions by partnering and innovating to deliver relevant, trusted, objective data, statistics and insights. The ABS also works in partnership with other countries and international organisations on statistical matters, including ensuring consistency with internationally accepted frameworks.

The Statistical Business Transformation Program

1.3 In its 2012–13 Annual Report the ABS announced ‘ABS 2017’, an organisational transformation program to address concerns about the impact of ageing and increasingly fragile business processes and supporting infrastructure. This program sought to: address the risks associated with the ageing processes and infrastructure; enable sustainment of statistical programs; support statistical demands of the future; and establish more easily accessible statistical information. The core of ABS 2017 was the introduction of a robust information management framework and supporting infrastructure, for which the ABS would require government funding.

1.4 In 2014 the ABS sought $292 million in government funding for an integrated package of reform measures, which included investment in critical infrastructure to replace the ageing systems and business processes previously identified. In December 2014, the Government approved $257 million to implement the Critical Statistical Infrastructure Program.¹ Funding was included in the 2015–16 Budget and phased over five years from 2015 to 2020 (see Table 1.2). An additional $13 million was provided in the 2018–19 Budget.

1.5 The Critical Statistical Infrastructure Program was described, in the ABS Second Pass Business Case, as a major business re-engineering program to address a significant risk of statistical system failure resulting in an inability to deliver quality, relevant and timely data to ABS customers. It is intended to replace a large number of disparate systems and processes with an integrated, enterprise-wide business architecture solution that would reduce the risk of system failure, increase efficiency and improve access to data.

1.6 The Critical Statistical Infrastructure Program was subsequently re-named the Statistical Business Transformation Program (Program).

Table 1.2: Statistical Business Transformation Program budget, as at 30 June 2018

Note a: Funding of $15.8 million was approved in the 2018–19 budget. The ABS informed the ANAO that $13 million is for additional Program costs. The remainder is for other areas in the ABS.

Source: ANAO analysis of ABS documentation.

1.7 The Program, which commenced in early 2015, consists of 27 independent components that, when complete, are expected to form an integrated system. A diagrammatic representation of the components of the Program is included at Appendix 2.

1.8 The Program applies to all ABS data collections except for the Australian Census of Population and Housing.² The Program’s business case outlined five objectives, now referred to as benefit areas, which are detailed in the ABS’ Benefits Management Plan (see Figure 1.1).

Figure 1.1: Program benefits

Source: ABS, Benefits Management Plan, 9 November 2017, p. 6.

Risk management

1.9 The ABS Risk Management Framework defines risk as the ‘effect of uncertainty on objectives (positive and/or negative).’³ An issue is defined as ‘something that has happened and must be managed. It is a risk that has been realised, which may or may not have been an identified risk.’⁴

1.10 The 2016 Australian Census of Population and Housing (eCensus⁵) highlighted the need for robust risk management practices to ensure that treatments for identified risks are effective. On 9 August 2016, the ABS online lodgement system for eCensus data suffered a series of external system attacks that resulted in public unavailability of the system and later suspension of the eCensus website by the ABS. A review by the Department of the Prime Minister and Cabinet found that the risk of an attack of the kind that occurred on Census night had been specifically identified, but the impact of such an attack was underestimated. Further, there was a lack of focus on the effectiveness of treatments that were implemented to mitigate the risk.⁶ In December 2016 the Australian Statistician stated that ‘on the surface, we had a regime for risk management in place’, including that the risk of an attack was identified and assessed, and mitigations documented and reported. He then stated ‘however, the mitigations were not adequate.’⁷

Rationale for undertaking the audit

1.11 The 2016 eCensus events highlight the need for the ABS to have a strong risk management framework. The Statistical Business Transformation Program represents a significant investment of public resources and there are major risks involved with such a large and complex program of work. The audit will provide assurance regarding the adequacy of risk management arrangements underpinning the delivery of the Program. Any suggestions for improvement or recommendations from the audit could usefully inform the delivery of the remaining elements of the Program and assist the ABS to improve its approach to risk management.

Audit approach

1.12 The objective of the audit was to examine whether the Australian Bureau of Statistics has established effective risk management arrangements to support the implementation of the Statistical Business Transformation Program.

1.13 To form a conclusion against the audit objective, the Australian National Audit Office (ANAO) adopted the following high level criteria:

• Has the ABS established an effective enterprise-level risk management framework?
• Are identified Program risks being effectively managed?

1.14 The audit team examined the risk frameworks, policies and procedures established at the enterprise-level and the ABS’ processes for identification and management of risks associated with the delivery of the Statistical Business Transformation Program. The audit did not examine the management of risks throughout planning and implementation of eCensus 2016.

1.15 In undertaking this audit, the ANAO analysed departmental records and data, and interviewed key managers and personnel at the ABS.

1.16 The audit was conducted in accordance with the ANAO Auditing Standards at a cost to the ANAO of approximately $389,000.

1.17 The team members for this audit were Jennifer Myles, Veronica Clement-Jones and Deborah Jackson.

Has the ABS established an enterprise-level risk management framework?

The ABS risk management framework

2.1 The ABS Risk Management Framework was endorsed in October 2015 and remains in force as at 26 June 2018. It consists of two parts: the Risk Policy and the Risk Guidelines.

The Risk Policy

2.2 The Risk Policy contains high-level statements about the ABS’ approach to risk management, its risk appetite, culture and responsibilities, as follows:

• approach — an integrated approach to risk management encompassing policy, governance, planning and reporting and assurance activities; risk controls will take into account interdependencies and assess the effectiveness of controls;
• risk appetite — includes risk appetite statements for statistical risk, enabling services risk and the Statistical Business Transformation Program (Program);
• risk culture — develop and maintain a culture with strong leadership, collaborative and cooperative approaches and responsible decision-making;
• responsibilities — assigns a range of specific risk management responsibilities.

The Risk Guidelines

2.3 The Risk Guidelines contain information about the risk management process, risk categories and thresholds, and actions for managing risks. It includes an overview of the risk management process (see Figure 2.1).

Figure 2.1: ABS risk management process

Source: ANAO analysis of ABS documentation.

2.4 The ABS risk management process is further expanded in the document and relevant examples are included. The Risk Guidelines also include a brief section on likelihood and consequence thresholds, risk categories and risk assessment matrices. The guidelines specify a preference for the use of a four by four matrix to analyse risks and assign a risk rating (see Figure 2.2). Risks rated at medium or higher are to have a treatment plan developed and be included in a risk register.

Figure 2.2: ABS Risk Management Framework risk rating matrix

Source: ABS Risk Management Guidelines, 2015, p. 27.

Compliance with the Commonwealth Risk Management Policy

2.5 As a non-corporate Commonwealth entity, the ABS is required to implement the Commonwealth Risk Management Policy, which includes 22 specific requirements organised in nine policy elements. The ANAO assessed the ABS Risk Management Framework’s level of compliance with the Commonwealth Risk Management Policy. The results are summarised in Table 2.1. A more detailed evaluation of compliance against each requirement can be found at Appendix 3.

Table 2.1: ABS’ Risk Management Framework’s compliance with the Commonwealth Risk Management Policy

Source: ANAO analysis of the ABS Risk Management Framework.

Comcover Risk Management Benchmarking Survey — overall maturity rating

2.6 The Comcover annual Risk Management Benchmarking Survey enables an entity to self-assess the maturity of its risk framework against the nine elements of the Commonwealth Risk Management Policy.⁸ A six level maturity model is used to assess the level of alignment an entity has achieved with the Policy and allows entities to analyse their risk management capability and track their performance. Survey results include the entity’s current overall maturity level and its target and current maturity level against the nine elements. In 2018 the ABS assessed its overall maturity rating as ‘Integrated’ (see Figure 2.3).

Figure 2.3: ABS’ self-assessed overall risk management maturity levels 2015–2018

Source: ANAO analysis of Comcover Risk Management Benchmarking Survey data, 2015 to 2018.

2.7 The self-assessed rating of ‘Integrated’ does not align with the status of key activities in the ABS’s Risk Action Plan (see paragraph 2.15 and Table 2.2) and the ANAO’s findings. For example:

• the current risk management framework does not comply with the Commonwealth Risk Management Policy and work on a revised framework is not complete (see Table 2.1 and Table 2.2);
• the ABS has not actively managed its strategic risks (see paragraphs 2.17 to 2.19); and
• there has been limited executive oversight of strategic risk (see paragraphs 2.21 to 2.24).

Reviewing the Risk Management Framework

November 2016 internal audit

2.8 In November 2016, an ABS internal audit reviewed the Risk Management Framework. It reported that risk management related initiatives undertaken since 2015 had identified weaknesses in the application of risk management across the ABS.

2.9 The internal audit found that risk management was conducted inconsistently across each risk and across each business unit. The root causes included a lack of overall strategy or direction for risk management, a perception that the risk appetite statement was unrealistic and the absence of checks in the governance structure. A total of 18 actions under five categories were proposed to enable the ABS to achieve a fit-for-purpose risk management framework. As a minimum, the audit recommended the ABS start the following activities:

• appoint a dedicated, senior, technically competent expert resource;
• understand the cost benefit relationship between risk and control; and
• report on risk performance.

2.10 The role of Chief Risk Officer was allocated to the existing Chief Financial Officer in March 2017 and the position is supported by the Risk, Planning and Policy Branch. The Chief Finance Officer/Chief Risk Officer is a Senior Executive Service Band 2 and is responsible for the Finance, Risk and Planning Division. The ABS has revised the governance structure and incorporated risk responsibilities in the ABS Executive Board Terms of Reference and some committees. No other actions have been taken in response to the review.

July 2017 review

2.11 In July 2017, Deloitte Risk Advisory Pty Ltd was engaged to review the state of risk management and develop a risk management strategy and roadmap.⁹ The Deloitte review assessed the ABS’ level of maturity against the elements of the Commonwealth Risk Management Policy to be between ‘Fundamental’ and ‘Developed’, and its target level between ‘Integrated’ and ‘Advanced’ (see Figure 2.4). The ABS assessed its overall risk management maturity level as higher: ‘Systematic’ in 2017 and; ‘Integrated’ in 2018 (see Figure 2.3).

Figure 2.4: Assessed overall risk management maturity level

Source: Deloitte Risk Advisory Pty Ltd, ABS Risk Management Review — Risk Roadmap and Strategy 18 July 2017.

2.12 Key findings from this review included:

• understanding of the Risk Management Framework, risk appetite and key risk management concepts varied across the organisation;
• risk assessment processes were inconsistent; and
• resources allocated to risk management were limited and/or shared with other responsibilities.

2.13 A comprehensive risk roadmap and strategy, a risk glossary and risk appetite statement were delivered as part of this contract, but have not been implemented by the ABS.

October 2017 consultancy

2.14 Following the Deloitte review, in October 2017 the ABS engaged Aerosafe Risk Management Pty Ltd (Aerosafe) to assist with work relating to strategic risk. Austender records show the contract value of $82,500 covers consultancy services for the period 1 September 2017 to 31 March 2018.¹⁰ By 28 June 2018, Aerosafe had submitted two invoices totalling $122, 650.¹¹ On 9 July 2018, the ABS signed an agreement with Aerosafe for $122,650. As at 6 August 2018, the contract details recorded on Austender had not been updated to reflect the revised amount. As at 30 June 2018 Aerosafe had delivered:

• one-on-one engagement sessions and a risk management workshop with ABS management¹²;
• an environmental scan and Enterprise Strategic Risk Context; and
• ABS strategic risks for 2018–20.

ABS Risk Action Plan

2.15 In July 2017 the ABS developed a Risk Action Plan to enable it to achieve its target maturity level. The plan includes 24 activities to be completed by the end of 2018. Table 2.2 shows the status of key activities included in the plan (see Appendix 4 for further detail of the ABS Risk Action Plan and progress against the activities).

Table 2.2: Key risk management activity status, as at 31 May 2018

Note: The Risk Action Plan incorporates three phases: Foundational; Implementation; and Optimisation. Key risk management activities were selected from the Foundational phase.

Source: ANAO analysis of ABS Risk Action Plan, May 2018.

2.16 The ABS has expended significant time and effort on reviews of its approach to risk management, but has not finalised its framework. The ABS should ensure that the framework is finalised, the Risk Action Plan is implemented and progress is monitored and reported to its executive.

Strategic risks

2.17 Since 2015, the ABS has defined three sets of strategic risks (see Table 2.3).

Table 2.3: ABS strategic risks 2015, 2016 and 2018

Note: Strategic risk descriptions in this table have been summarised from ABS documentation.

Source: ANAO analysis of ABS documentation.

2.18 The Risk Guidelines, which remain current as at 26 June 2018, refer to five strategically important risks, listed in the first column of Table 2.3 above. In May 2016 the ABS articulated seven strategic risks, listed in the second column of Table 2.3 and developed treatment plans for six of these seven strategic risks.¹³ The treatment plans indicate the risks were to be evaluated in August 2016, February 2017 and August 2017. None of the risks were evaluated in accordance with the schedule. In March 2017 the ABS Audit Committee acknowledged that the 2016 strategic risks ‘are not the right strategic risks for the organisation to be focussing on’ and was advised that work was to commence to develop a new approach to identifying and managing strategic risks. On 1 June 2018, in its response to the ANAO’s audit findings, the ABS acknowledged that the 2016 risks were no longer current and were not being actively managed. In June 2018, a revised list of six strategic risks was endorsed, as listed in the third column of Table 2.3.

2.19 None of the risks referred to in Table 2.3 have been included in a risk register, or been subjected to the systematic application of management policies, procedures and practices referred to in the ABS risk management framework.

Is the enterprise-level risk management framework embedded into business processes and procedures?

2.20 The internal audit of ABS risk management in November 2016 and the review of July 2017 made a number of findings that indicate that some areas within the ABS manage risk effectively, but the ABS Risk Management Framework is not embedded in processes and procedures. For example, the reviews found:

• the ABS Risk Management Guidelines did not include the ABS’ approach to embedding risk management into existing business processes¹⁴;
• inconsistent levels of understanding of the ABS Risk Management Policy and its objectives;
• no clear linkage between planning, budgeting and reporting processes and risk assessments;
• inconsistent or ad hoc risk management processes; and
• limited ability to monitor enterprise risk management performance.

Executive oversight of strategic risk

2.21 ABS records indicate limited oversight of strategic risk. Prior to April 2017 the terms of reference for the senior executive board responsible for oversight of the ABS (the Executive Leadership Group) did not include any risk related responsibilities and the Group’s meeting agenda did not include consideration of risk. In April 2017 the ABS Executive Board replaced the Executive Leadership Group and was allocated the following risk related responsibilities:

• monitoring of enterprise-wide risks;
• risk planning and mitigation strategies; and
• risk management skills, culture and capability development.

2.22 The ABS Executive Board’s fortnightly meeting records from April 2017 to April 2018 indicate:

• there is no standing agenda item relating to risk;
• there was no record of discussion or decisions relating to monitoring of enterprise-wide or strategic risks¹⁵;
• there was no record of discussion or decisions relating to risk management skills, culture or capability development;
• risk planning and mitigation strategies were reported once;
• risk management processes were discussed twice; and
• risks relating to the Program, which is classified as a strategic risk, appeared five times.¹⁶

2.23 The ABS informed the ANAO that: its strategic risks are driven by the specific risks identified in its programs and projects; that strategic risk management frames discussion in relation to the operations of those programs and projects; and that this approach vests the risk management process in the core business of program and project management.

2.24 The ANAO found evidence that Divisions report to the ABS Executive regularly and include information relating to risks identified within those Divisions, supporting the ABS’ statement that programs and projects address risk. However, the ABS could not demonstrate how it determined whether this information had any impact on the ABS strategic risks shown in Table 2.3.

2.25 In order to ensure that the risk framework is embedded across the entity and risks are effectively managed, the ABS should ensure that oversight of strategic risk occurs in accordance with its governance arrangements.

Has the ABS identified and maintained an appropriate level of risk management capability?

Comcover Risk Management Benchmarking Survey — capability maturity rating

2.28 The Comcover Risk Management Benchmarking Survey includes element 8 of the Commonwealth Risk Management Policy — maintaining risk management capability. The ABS’ results for element 8 are shown at Figure 2.5. The survey shows the ABS’ target maturity rating fluctuated between 2015 and 2018, while its self-assessed maturity rating has increased overall and now meets its target rating of between ‘Systematic’ and ‘Integrated’.

Figure 2.5: ABS maturity levels for maintaining risk management capability 2015―2018

Source: Comcover Risk Management Benchmarking Survey, 2015 to 2018.

2.29 Recent reviews of risk management in the ABS (discussed in paragraphs 2.8 to 2.14) found the level of risk management capability needed improvement. The reviews found varying degrees of understanding of key risk management concepts, inconsistent practices, limited ability to monitor enterprise risk management and ad hoc reporting.

2.30 The ABS Risk Action Plan identifies a number of key enterprise-level risk management functions that had not been completed as at 31 May 2018 (see Table 2.2 and Appendix 4). The ABS’ self-assessed increase in risk management capability in 2018 does not align with the incomplete status of these activities.

3.1 Overall responsibility for the Statistical Business Transformation Program (Program) rests with the Senior Responsible Officer, who is the Deputy Australian Statistician (Corporate Services and Transformation Group). The Program’s structure is shown in Figure 3.1. Approximately 350 Australian Public Service staff and over 90 contracted personnel were employed in the Program as at April 2018.

Figure 3.1: Program organisational structure

Source: ANAO analysis of ABS Organisational Chart.

3.2 Responsibilities of the Program Office are depicted in Figure 3.2.

Figure 3.2: Program Office functional breakdown

Source: ANAO analysis of ABS documentation.

3.3 The Program Office provides risk management support to the Program and projects through:

• authoring the Risk and Issue Management Strategy and Process;
• participating in the identification, assessment and control of risks and issues;
• ensuring all Program risks and issues are logged, all fields complete and information updated on a regular basis;
• co-ordinating monthly review and reporting of Program risks and issues;
• providing risk and issue management support systems, tools and documents;
• conducting regular reviews of project risks and issues to ensure consistency, active management and accurate reporting;
• identifying best practice and opportunities for improvement; and
• identifying cross project and sub-program related risks for consolidation and/or escalation.

3.4 The Program consists of 27 separate components (depicted in Appendix 2). Each component is managed as an individual project. Project managers are responsible for delivery of products specified in the relevant project management plan. They are also responsible for managing risk within their respective projects and for recording and reporting risks to the relevant Branch Managers.

Have sound governance arrangements been established to monitor the effectiveness of risk management arrangements for the Program?

Program governance

3.5 The Program governance arrangements are described in the Statistical Business Transformation Program Governance Plan. An overview of the arrangements in place to oversee the ongoing management of the Program are shown in Figure 3.3. The two main governance bodies for the Program are the Statistical Business Transformation Program Executive Board (Program Executive Board) and the Statistical Business Transformation Program Delivery Board (the Delivery Board).

Figure 3.3: Program governance, as at 30 March 2018

Note: Arrows represent reporting arrangements.

Source: ANAO analysis of ABS documentation.

3.6 The Program Executive Board is the sponsoring body for the Program with investment and strategic responsibilities, and supports the Program’s Senior Responsible Officer. The Program Executive Board meets every two months and is chaired by the Australian Statistician. Membership includes the three Deputy Australian Statisticians and three external members.¹⁷ The Program Executive Board’s terms of reference do not include responsibility for risks and issues. The Program Executive Board receives the Program Performance Report, which includes high level information about Program risks and issues.

3.7 The Delivery Board is the primary governance board and is responsible for: delivery, management, monitoring and review of the Program; defining the acceptable risk profile and risk thresholds for the Program and constituent projects; and supporting risks and issues management.¹⁸ The Delivery Board undertakes its responsibilities through monthly meetings chaired by the Program’s Senior Responsible Officer.

3.8 The Delivery Board receives a range of regular reports that include risk related information. The monthly Update on Program Risk and Issues report provides the most detailed information on current risks and issues and includes the following information for each risk and issue:

• risk or issue owner;
• risks or issues update;
• risk status (stable, improving or worsening); and
• treatments including:
  • treatment description;
  • person responsible for completing the treatment;
  • due date for completion; and
  • status (in progress, ongoing, completed).¹⁹

3.9 Prior to February 2017 risk related matters were raised intermittently at Delivery Board meetings. In February 2017 Program risk owners presented risk status updates to the Delivery Board. The Board agreed that the active discussion of risk at the meeting was a positive step. Between February 2017 and June 2018, the Delivery Board met 14 times²⁰ and risk related topics were included on the agenda for 11 of those meetings. Discussions included:

• general risk related matters;
• risk management processes; and
• specific Program risks, including two occasions when each risk and issue on the register was discussed.

3.10 The Delivery Board reports to the Australian Statistician through the Program Executive Board. Neither the Delivery Board nor the Program Executive Board report to the ABS Executive Board. The ABS has stated that formal reporting to the ABS Executive Board is not necessary as the members are also members of the Program Executive Board and both Boards are chaired by the Australian Statistician. Formalising the arrangements would help to maintain proper record keeping and ensure that decisions made regarding Program risks are also considered in the context of the ABS as a whole.

Program oversight

3.11 Two mechanisms operate externally to the Program to provide assurance to the ABS executive on the progress of the Program: engaging an assurer; and being subject to Gateway reviews.

3.12 In November 2015, the ABS engaged KPMG as an ‘Independent Assurance Partner’ (Assurer).²¹ The contract under which KPMG is engaged states that the role of the assurance partner is to provide: assurance advice to the Program Executive Board and the Senior Responsible Officer; and support and advice to the Senior Responsible Officer on Program delivery. There is a potential for conflict when an organisation is contracted to provide assurance and advice services — that organisation may be required to provide assurance about advice it has provided. The ABS should be aware of any potential conflicts and manage them appropriately.

3.13 The Assurer conducts reviews of specific aspects of the Program’s performance in accordance with a predetermined assurance map.²² Twenty-one reports were delivered between February 2017 and June 2018 covering various aspects of Program delivery.

3.14 The Department of Finance Gateway Review Team undertook Program Reviews in 2015 and 2016, and a Mid Stage Program Review in 2017.²³ The Mid Stage Review found that the Program met the review requirements and assessed five of six focus areas as ‘Green’.²⁴ Risk Management was found to be ‘Amber’²⁵ and the subject of three of six recommendations. A further review has been scheduled for January 2019.

ABS Audit Committee

3.15 The Public Governance, Performance and Accountability Rule 2014 specifies that the function of an entity’s internal audit committee must include reviewing the appropriateness of the entity’s:

• financial reporting;
• performance reporting;
• system of risk oversight and management; and
• system of internal control.

3.16 The ABS Audit Committee Charter includes the requirement to satisfy itself that a sound approach has been followed in managing ABS’ major risks, including those associated with projects, program implementation and activities.

3.17 In October 2016 the Australian Statistician advised the Audit Committee that it did not need to undertake assurance or internal audit for the Program as ‘sufficient independent assurance and advice in relation to the [Program]’ was provided through:

• the Program governance arrangements;
• regular reports provided to the ABS Executive Board (then ABS Executive Leadership Group)²⁶;
• engagement of the Assurer; and
• the Gateway Review process.

3.18 The Assurer and Program representatives regularly attend Audit Committee meetings, and provide:

• Gateway Review reports;
• progress updates on implementation of Gateway Review recommendations;
• Program Performance Management Reports;
• risk and issue reports; and
• the Executive Summary of reports completed by the Assurer.

3.19 The Mid Stage Program Review completed by the Gateway Review team in November 2017 stated that the ABS Audit Committee’s engagement with the Program ‘represent[ed] better practice.’²⁷ This statement refers only to the Program; it does not consider the Audit Committee’s role in oversighting enterprise-wide risks.

3.20 In order to fulfil its responsibilities under the Public Governance, Performance and Accountability Rule 2014, audit committees should take an active role in reviewing risk, assurance and operational frameworks to ensure that they support the achievement of the entity’s objectives.²⁸

Is the ABS appropriately managing Program risks?

Risk appetite for the Program

3.21 A risk appetite statement for the Program was articulated in the Risk Management Framework Part A - The Risk Policy:

We have a relatively high risk appetite early in a project’s life to allow maximum creativity and innovation. The high risk appetite extends to the early phase of a project’s life, to ensure that any potential shortcomings are identified rapidly, before there is a significant impact on cost, time or dependencies. As such, we will test early and learn quickly to help ensure the overall success of the Program.

We will use appropriate program and project methodologies to deliver agreed scope on time and budget and we will choose systems and services that are reliable, fit for purpose, and financially sustainable.

We will actively manage the impact of change through effective engagement and communication across all relevant areas of the ABS and with key external stakeholders to ensure ownership and support for the business solutions implemented as part of the Transformation.²⁹

3.22 Following the events of the 2016 Australian Census of Population and Housing (eCensus), in December 2016 the Program Executive Board reported it needed to ‘review its risk appetite given the changed environment.’³⁰ The ABS informed the ANAO that the Program’s risk appetite did not require updating and remains current and accurate.

3.23 Although the Australian Census of Population and Housing was not intended to be included as part of the Program (see paragraph 1.8), it was recommended as part of the options for a changed delivery approach presented to the Program Executive Board on 27 June 2018 (see paragraph 3.38). This option was reported to the Minister as being endorsed by the Board and is currently being progressed. The risks associated with including Census in the Program have not yet been assessed, are not included in the Program risk register and are not currently reflected in the risk appetite.

Program risk and issue management framework

3.24 The ABS has developed a Program risk and issues management framework that broadly aligns with the ABS Risk Management Framework. The Program’s framework consists of two documents:

• the Risk and Issue Management Strategy, which includes the Program’s approach to risk management, tools and techniques, an overview of the process, review and reporting arrangements and accountabilities; and
• the Risk and Issue Management Process, which contains information about the risk and issue registers and includes a four step process, which is shown in Figure 3.4.³¹

Figure 3.4: Overview of the Program Risk and Issue Management Process

Source: ANAO analysis of ABS documentation.

Managing Program risks

3.25 Program risks and issues fall into two categories:

• those relating to the delivery of Program benefits; and
• those relating to delivery of defined project outputs.

3.26 As at 8 June 2018, the ABS was managing 13 Program risks and seven issues (see Appendix 5). Of the 13 risks, nine are rated high, three are medium and one is low. All issues are rated as high except for one rated as medium.

3.27 The ABS uses a range of project management methodologies including Prince2³², Managing Successful Programmes³³ and Agile.³⁴ Program risks are managed using Managing Successful Programmes. In August 2016, a commercial software tool (Jira) was introduced to record and report project and Program risks and issues.

Implementing the Risk and Issue Management Process

3.28 The following activities are to be undertaken in the Program Risk and Issue Management Process:

• Identify risk — risks and issues can be raised by anyone at any time, and are often identified through regular project and Program level meetings and workshops. This step involves the description of the risk and communicating with relevant stakeholders.
• Assess risk — risk assessment is conducted using a four by four risk matrix to determine the risk rating.
• Plan risk response — the risk or issue is registered, a risk owner is assigned and treatment strategies are developed to mitigate the risk or manage the issue.
• Implement response — ensure that treatment strategies are actioned, their effectiveness monitored and corrective action taken where responses do not meet expectations.

3.29 The ANAO observed that the ABS conducts the first three steps of the risk management process in accordance with the Program Risk and Issue Management Process. In practice the ABS does not always evaluate the effectiveness of Program risk treatments once they have been applied.³⁵

3.30 On 2 February 2017 the Delivery Board stated that risk descriptions and treatments needed to be improved. Risk descriptions were revised following this directive and are now more concise, but treatments remained the same. On 15 September 2017 the Delivery Board agreed that the measure of ‘ongoing’ was insufficient to measure the progress of treatments for the Program’s cyber security and integration risks (see Appendix 5) and that metrics should be included to track progress. The status for these two risks has not been revised and remained ‘ongoing’ in the 8 June 2018 Update on Program Risk and Issues report.

3.31 The use of terms such as ‘ongoing’ and ‘in progress’ as a risk treatment status is consistently used within Program risk reporting. The term does not provide sufficient information to determine whether the treatment is effective, as required by the Program Risk and Issue Management Process. One key example where the treatments applied to high risks has not been effective in reducing the risk rating is the Program affordability risk.

Program affordability risk

3.32 The risk of insufficient funding to complete the Program was first raised in January 2016, when the Program Delivery Board identified ‘Cannot afford to develop all essential capabilities (cost greater than budget)’ as one of 16 high Program risks.³⁶ The risk, referred to as ‘affordability risk’, was reported as being included on the Program risk register in January 2016. Table 3.1 outlines the treatments that have been in place to address affordability risk up to June 2018.

Table 3.1: Affordability risk treatments, as at 8 June 2018

Note a: Financial contingency of $2.6 million was allocated for 2017–18.

Note b: Disseminate and Process and Analyse are Program components and are depicted in Appendix 2.

Source: ABS, Update on Program Risks and Issues, 8 June 2018.

3.33 The ABS sought additional funding in October 2017, which was received as part of the Budget (see Table 1.2). On 6 April 2018 the ABS noted that affordability risk remained high and that the status of the risk was ‘worsening’.³⁷

3.34 In May 2018 the Program Executive Board reported to the ABS Executive Board that an additional $30.9 million would be required in 2018–19 to progress the Program as planned. A number of savings options were proposed, with the preferred option expected to reduce the additional amount required to $10 million and including the following actions:

• replace contractors with staff — estimated saving of $3.4 million;
• reduce Disseminate work — estimated saving of $2.0 million;
• reduce executive and Program office staff — estimated saving of $0.7 million; and
• reduce the number of statistical collections onboarded³⁸ in 2018–19 from approximately 70 to 11 — estimated saving of $14.2 million.

3.35 No decision was recorded by the ABS Executive Board, but three of the options were included as treatments for affordability risk (see Table 3.1).

3.36 On 13 June 2018, the Program presented a strategy to prioritise delivery of selected ‘pioneer’ statistical programs. The ABS Executive Board noted the following financial implications of actions recommended:

• an additional $16.5 million required in 2018–19;
• an unspecified additional amount required in 2019–20;
• an estimated $7 million required in 2020–21; and
• an estimated $1 million required in 2021–22.

3.37 On 18 June 2018, the ABS Executive Board endorsed an additional $10 million for the Program.

3.38 On 27 June 2018 a paper was presented to the Program Executive Broad highlighting Program delays and the need for a different delivery approach. The Program identified the following four initiatives ‘to improve likelihood of delivery’³⁹:

• prioritise Disseminate work;
• consider changing the underlying Program model;
• prioritise data acquisition capability; and
• increase the number of statistical collections onboarded in 2018–19⁴⁰;

3.39 The ABS advised the ANAO that the first three initiatives would not require further funds above the $10 million endorsed by the ABS Executive Board on 18 June 2018. The fourth initiative was estimated to cost an additional $6.5 million, which had not been endorsed.

3.40 No decision was recorded by the Program Executive Board, but advice to the Minister indicates that the following options were endorsed:

• prioritise delivery of enhanced Disseminate capability;
• review details of the Program technical design; and
• increase investment to support the onboarding of statistical programs.

3.41 There does not appear to be a correlation between the May 2018 and June 2018 papers. It is also not clear which actions are being progressed with additional funding. For example, according to the June Update on Program Risk and Issues report, Disseminate work is being reduced, whereas the Minister was informed that enhanced Disseminate work was being prioritised.

3.42 The actions taken are designed to reduce financial pressure in 2018–19. The impact of the decisions taken on program affordability in future years is not assessed. The ABS has not quantified the estimated total cost to complete the Program. The options developed and treatments applied to the affordability risk do not address longer-term budget challenges, including the cost to complete any deferred capability and the impact on benefits realisation.

3.43 Budget and expenditure data provided to the ANAO indicates that the ABS is forecasting a total Program underspend. However, the forecast underspend assumes the Program will not exceed its budget in 2018–19 and 2019–20 and will be completed on schedule in 2020. It does not take into account the information provided to the ABS Executive Board and the Program Executive Board on cost pressures in 2018–19 or additional costs associated with treatments for other risks identified in the Program such as:

• schedule — elevated to an issue in April 2018;
• capability and capacity — elevated to an issue in October 2016; and
• the cost of system maintenance.

3.44 In April 2016 the ABS Executive Leadership Group (replaced by the ABS Executive Board) was advised that the Program budget excluded maintenance costs. These costs were expected to be offset by savings across the life of the Program.

3.45 In October 2017, the cost of maintaining the systems implemented by the Program was discussed by the Program Delivery Board. The Program Office provided a paper proposing system maintenance costs be included as a Program issue. The paper specified that the costs associated with licensing and maintenance for the new capabilities delivered by the Program could potentially be higher than the legacy capabilities being replaced. As these costs had not been incorporated into the overall Program costs, there was a potential funding shortfall in the Program budget.

3.46 The Delivery Board decided that the proposed system maintenance costs issue was not a Program issue and requested it be included as an enterprise level risk on the ABS risk register. This has not occurred. Unfunded system maintenance continues to be referred to as a factor effecting the Program affordability risk in the Update on Program Risk and Issues report.

3.47 In summary, the affordability risk has been identified and registered, and a number of treatments have been applied. However, the ABS has not estimated the total Program cost. In addition:

• different options to address the Program’s budget pressures have been presented to different Boards;
• some of the options presented have been included in the Program risk register as treatments without a formal decision-making process and approval; and
• the options developed and treatments applied to the affordability risk refer to the current financial year but do not address longer-term budget challenges and the impact of short-term solutions on the Program in the longer-term.

3.48 Without quantifying the scale of funding issues, it is not possible to identify and implement initiatives to effectively manage affordability risk and to meet the required Program outcomes.

Has the ABS identified and maintained an appropriate level of risk management capability for the Program?

3.53 Project and program management qualifications include coverage of risk management as an integral part of managing complex projects and programs. In February 2016 the Program’s Assurer reported that 26 per cent of people working within the Program had a project management qualification and 14 per cent had a program management qualification. Based on this finding, the Assurer recommended increasing program management capability to support the Program.

3.54 The ABS developed an action plan to address the Assurer’s suggested actions. These actions included engaging experienced project managers and a program manager to support the Program management team. Actions taken as at June 2018 include:

• project and program management coaching in place;
• sub-program co-ordinators introduced to advise project managers;
• coaches working to improve implementation of the Agile methodology;
• 57 Program staff trained in Managing Successful Programs;
• 89 Program staff trained in Prince2;
• 81 SBTP staff trained in the Agile methodology; and
• non-ongoing staff and contractors with specialist project management expertise recruited.

3.55 The increase in project and program management capability has the potential to increase the level of risk management capability within the Program. An assessment of risk management capability would identify whether the actions taken have been successful in increasing capability.

Are arrangements in place for communicating, consulting and reporting on risks with stakeholders?

3.56 In April 2016 the Assurer found there would be benefit in enhancing the capability of the Program Office to improve predictive analysis and make reporting less reactive and more responsive. Since then, the introduction of the project management system Jira has contributed to improvements in Program reporting. The Program Office currently produces three reports that include risk related data (see Table 3.2).

Table 3.2: Statistical Business Transformation Program internal reports

Note a: Prior to November 2017, this report was produced monthly.

Source: ANAO analysis of ABS documentation.

3.57 The Update on Program Risk and Issues report provides the most detailed information on risks and issues. As noted in paragraph 3.8, the report includes detailed information about the status of current risks and issues. It provides a concise aggregation of the data held in Jira, but does not include a measurement of the effectiveness of treatments on Program risks and issues, or indicate whether the treatment had any impact on the rating or status.

3.58 In a brief to the Minister for Small Business on 1 September 2016, the ABS undertook to provide an update on the progress of the Program following each Program Executive Board meeting (every two months). Since that time, the ABS has provided updates to the relevant Minister⁴¹ on Program status through: a brief section in a fortnightly circular; periodic status reports; and face-to-face briefings by the Australian Statistician.

3.59 The ABS developed an External Engagement Strategy for ABS Transformation in October 2017.⁴² The strategy includes roles and responsibilities, engagement materials and a list of 37 external stakeholders.⁴³ The objectives of the strategy are that stakeholders:

• are aware of how the ABS Transformation will impact them;
• have an opportunity to provide input to the ABS Transformation;
• expectations are managed through delivery of aligned and coherent transformation messages from across all areas of the ABS; and
• are satisfied the changes will produce the desired outcome.

3.60 The ABS has developed plans outlining regular engagement activities to be undertaken with external stakeholders, and the ABS presents at various forums where risk is included as a discussion point. These plans and presentations include an element of Program information.

Appendix 1 Entity response

Appendix 2 Statistical Business Transformation Program components

Source: ABS, Statistical Business Transformation on a Page, 20 November 2017.

Appendix 3 ABS’ Risk Management Framework Compliance with the Commonwealth Risk Management Policy

Source: ANAO analysis of ABS documentation.

Appendix 4 ABS Risk Action Plan at 31 May 2018

Source: ANAO analysis of ABS Risk Action Plan, 31 May 2018.

Appendix 5 Statistical Business Transformation Program risks and issues — at 8 June 2018

Source: ABS, Statistical Business Transformation Program, Update on Program Risks and Issues, 8 June 2018.