NDIA’s Project Risk Management Policy and Procedure

Currently waiting for a response from National Disability Insurance Agency, they should respond promptly and normally no later than (details).

Dear National Disability Insurance Agency,

Please provide a copy of the NDIA's current Project Risk Management Policy and Procedures and all prior versions. That is, all Project Risk Management Policies and Procedures created by the NDIA since 2013 up to and including Jun 2021.


It appears that the NDIA spends a considerable amount of public money on both procurement and projects each and every year for the past few years. To better understand both the volume and the value of project or procurement expenditure, the NDIA has confirmed that “Senate order 13 for Entity Contracts requires Commonwealth entities to publish (twice a year) on the internet lists of contracts with value of $100,000 (GST inclusive) or more” [7]. However, this information was not published in 2017, citing ‘confidentiality’ provisions [8], inclusive of ILC (Information, Linkages and Capacity Building) grants shared across a significant spread of projects. On the surface of publicly available information, it would seem the NDIA requires a robust, documented, consistent and effective means of managing project risk from inception to delivery.

The NDIA paid $7.1 million to consultants during the 2020 calendar year, as part of the overall 2,026 individual contracts awarded for 2020 (with a total value of $100,000 or more) at the consolidated expenditure value of $310.9 million, decreasing marginally from the three year average [7]. These appear to be a combination of projects and procurements. By comparison, in 2020, SFDC Australia was paid $30,306,496.40 and Soda Strategic was paid $1,125,000 for work on “Software Salesforce Platform” [9]. Whereas, DB Results [10] were paid $614,004.80 for temporary staffing and recruitment [9], along with alleged ongoing payments as part of the nearly $250,000 per month spent on development of the NDIS mobile application [11]. For clarity, according to Dun & Bradstreet, SFDC Australia Pty Ltd is the Australian business name for Salesforce [20]. In contrast, McKinsey, which up to September 2019 reportedly received $25 million for consulting services [12], was paid $1,117,600 for consulting services [9] in 2020, on projects such as the recently leaked NDIS cost-cutting taskforce [13]. Most recently Australian media have reported, rather controversially, that “McKinsey Pacific Rim has provided ongoing strategic advice and support to the department which is not contained in a specific document," a senior Health Department lawyer told 7.30. "This included collaboration and participation in a range of activities. However, McKinsey Pacific Rim did not provide specific advice" [14]. Seemingly not an isolated occurrence, prior government analysis conducted by the US Government’s Office of Audits stated that “improper pricing on McKinsey professional services contract may cost the United States an estimated $69 million” [15]. However, McKinsey appear to remain a provider of choice for the NDIA.
Returning to the NDIA’s project expenditure, the Agency’s total outlay to date positions the NDIA in the top 62 information technology (IT) projects currently underway within the Australian Government [16]. Understandably, project risk management should be a matter of priority and focus for the NDIS. Noting the $30 million (+) Salesforce expenditure cited at the beginning of this paragraph, it would seem there is a requirement for the completion of the Risk Potential Assessment Tool (RPAT), which according to the Department of Finance “you must complete a RPAT for each new policy proposal with an estimated financial implication of $30 million or more” [18].

Most recently, the NDIA Chairman assured “the NDIA will look to develop more robust approaches to risk planning and management” [17]. This follows instruction from the Australian National Audit Office (ANAO) to “improve and strengthen risk management (including projects)” [19]. PWC has stated similar concerns during the Siebel to SAP ICT project transfer, expressing “the complexity of the stakeholder landscape, the amount of change leading up to and after the Full Scheme Launch, the low quality and timeliness of data, and the newness (immaturity) of the process all combined to create critical risk that payments would fail” [21], hastily implementing significant participant change in 2016 that led to considerable disruption, prompting the PWC evaluation at the direction of the Department of Social Services. Paradoxically, the NDIA had previously declared in 2015 that “the Agency has increased the Agency’s strategic, operational and project-level risk management maturity” [22]. Moreover, “operational project risks are monitored and managed by the Agency’s senior executives regularly. Senior executives are supported in this task by an Agency wide framework which facilitates the rigorous identification and reporting of risks for consideration and action” [23,24]. Furthermore, “over the past year, data quality has improved, operational processes have evolved, provider markets have continued to develop, risk management initiatives have matured, and management have commenced several projects aimed at improving the participant experience and supports provided to the participant” [25]. Also, “the Agency is currently finalising a project to enhance the physical and electronic security of 51 service delivery sites” [26]. The NDIA seems to have a lot of projects underway or ongoing with many past shortfalls, disruptions and failings.
According to similar NDIA reporting, the Agency has a department of ICT Strategic Projects (under the Chief Information Officer Division) that “facilitates the delivery of ICT projects across the Agency. This includes technology strategy development, research and analysis of technology options, and development of an advice on delivery of the technical solutions to meet business requirements” [27]. Lastly, the extant annual report asserts “the Agency’s Risk in Change guide has been integrated into the Agency Change Management Framework. This will facilitate a structured approach to identifying and mitigating risks associated with strategic projects and significant operational change” [28]. This presents as notably juxtaposed to the NDIA’s employee survey results that rate the Agency’s risk culture at just 50% over a number of years [29], despite the ‘three lines of defence’ model for risk management and the adoption of the Prudential Standard CPS 220 (APRA) for risk management [30] as part of the Agency’s risk governance and framework. Accordingly, this seems inconsistent with the NDIA’s declared risk appetite as ‘conservative’ [31] and the guarantee of ‘identifying strategic risks during the business planning process’ [32]. A consistent project management and risk framework appears mandatory.

The Department of Finance stipulates:

“relevant entities must establish processes to identify, analyse, allocate and treat risk when conducting a procurement. The effort directed to risk assessment and management should be commensurate with the scale, scope and risk of the procurement. Relevant entities should consider and manage their procurement security risk, including in relation to cyber security risk, in accordance with the Australian Government’s Protective Security Policy Framework (PSPF)…processes of risk assessment, seeking, evaluating alternate solutions, and the awarding of a contract” [33]

Reinforcing these requirements, the ANAO states that “an appropriate system of risk oversight and management allows entities to effectively assess, control and monitor risks in order to achieve their business objectives. The Public Governance, Performance and Accountability Act 2013 (PGPA) prescribes that all Commonwealth entities must establish and maintain an appropriate system of risk oversight and management” [34] while directing entities to the Department of Finance’s 2014 Commonwealth Risk Management Policy [4]. Moreover, specific to ICT transition projects, the ANAO noted, “major ICT replacement projects require a thorough understanding of business requirements, current functionality and current system shortfalls to plan for scope of the system replacement” [35], including “evidenced and risk-based ICT investment decisions for major ICT systems require an understanding of system operating costs, system shortfalls and future system design” [36]. Related to comparable ICT system transition while maintaining government services, the ANAO has previously observed that “Services Australia’s self-assessment of risk control effectiveness was inaccurate in light of the lack of cyber security risk assessment or accreditation for the welfare payment system, and internal audit findings that most systems across the agency did not have accreditation” [37]. These findings were summed up by stating that “risk assessments were conducted by reference to internal policies and ISO 31000 risk frameworks and not ISM (Information Security Manual) controls or controls effectiveness; and Services Australia did not cyber security risk assess or accredit all elements of the welfare payment system as required by the PSPF” [38]. This seems highly relevant if not directly related to the National Disability Insurance Agency.

“The NDIA paid Services Australia $90.5 million for corporate ICT services in 2018-19, making the NDIA the largest financial contributor to Services Australia’s own revenue” [39], rising over 30% since 2016-17. The extensive ANAO audit notes that “management of risk is an intrinsic part of delivering services and overseeing bilateral arrangements” [40]; however, they go on further to state that despite this essential requirement “there is no evidence that risk is proactively discussed at any of the operational or strategic governance committees” [41], largely due to the fact that “the NDIA agreement with Services Australia (formerly the Department of Human Services) does NOT include a section on risk” [42]. Perhaps this has contributed to statements in article 3.117 of the audit report that “on several occasions, Services Australia invoices have been rescinded on the basis that they were unable to be substantiated”. Value for public money and transparency would seem an ongoing issue. It would also appear that Professor Shergold AC’s observations that “the PGPA Act represents a significant and positive step towards developing better risk practice and culture. The risk management policy established under the PGPA Act is designed to assess Accountable Authorities…to engage positively with risk, in order to embed risk practices into business processes” [44] went unheeded by both parties.

The Project Management Institute defines a project as “a temporary endeavour undertaken to create a unique product or service” [1]. Moreover, the Project Management Institute advises that:

“all projects are risky since they are unique undertakings with varying degrees of complexity that aim to deliver benefits. Consequently, the effectiveness of Project Risk Management is directly related to the project success. Each project contains individual risks that can affect the achievement of project objectives. It is also important to consider the riskiness of the overall project, which arises from the combination of individual project risks and other sources of uncertainty.” [2].

Even more so for agile/adaptive environments, because “high variability environments, by definition, incur more uncertainty and risk” [3]. Possibly, due to these observed concerns, the Department of Finance asserts “each entity must ensure that the systematic management of risk is embedded into key business processes” [4], including projects and programs. “Project and program implementation involves constantly identifying and managing risk, such as shared risk in complex projects and risk interdependencies between projects” [5]. Shared risks also require dedicated consideration and analysis [6].

While it has been stated, in a Commonwealth government context, that “every organisation will face different types of risk - internal, external, strategic, and those arising from major projects” [44], project management as a discipline is a well documented and prescriptive process [1, 2, 45, 54] comprehensively outlined in the Project Management Body of Knowledge (PMBoK), broadly considered an industry standard [46]. Moreover, IT project management utilising ‘Scrum’ methodologies attests that “Scrum employs an iterative, incremental approach to optimise predictability and to control risk” [47], also citing the importance of transparent artefacts that increase value and reduce risk. In this context, artefacts relate to information, documentation and assessments, including risk, throughout the scoping, management and delivery of a single or multiple project/s. Seemingly, government outsourced IT projects (especially the identification and management of risk) are of such concern that other jurisdictions have even created and published detailed, comprehensive project and risk management guides [48] in order to protect public money and citizens. The Department of Foreign Affairs and Trade supports this process by offering clear, specific guidance on the management of risk within general projects [49], inclusive of alignment with and referencing of ISO 31000:2018 Risk Management. Therefore, the issue of control presents as a key aspect.

The broad suite of activity, management, automation and governance indicative of controls is summarised as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance” [50], inclusive of risk assessments, risk analysis and risk management [51]. With regard to information technology and the outsourcing of cloud computing services, APRA goes even further by stating there is “a heightened inherent risk, high degree of difficulty in transitioning to alternate arrangements, and jurisdictional, contractual or technical considerations which may inhibit operational oversight or business continuity in the event of a disruption (including impediments to timely access to documentation and data/information); and/or transition to the arrangement involves a complex, resource intensive and/or time constrained program of work” [52], subsequently recommending the requirement for detailed risk and control assessments, concurrently updated risk profiles and alignment to risk appetite/tolerance [53]. Comparable projects involving digital delivery of government services and transference have experienced major disruptions, failures and elevated risk by not heeding such qualified advice. In particular, State government auditors noted recently “the business case also included several risk assumptions as a result of not fully exploring risks leading to an increased risk that [department] had overestimated the benefits of the program, predominantly due to a lack of a rigorous risk management plan” [55], specifically citing complexity and a lack of knowledge needed to deliver a project of this nature [56]. The NDIA’s project risk management policy, procedure and mandatory terms of reference will no doubt address this and all previous issues.

Thank you for your assistance.

Yours faithfully,



1. Elhoush, R. (2017) Investigation into the current project risk management practices within the Libyan oil and gas industry, Masters’ Dissertation, University of Salford. Available at: < http://usir.salford.ac.uk/id/eprint/4459... >. Accessed [4 Jun 21]
2. Project Management Institute (2017) A guide to the project management body of knowledge: includes the standard for project management ANSI/PMI 99-001-2017, 6th ed, Project Management Institute (PMI)
3. Ibid
4. Department of Finance (2014) Commonwealth Risk Management Policy, Australian Government. Available at: <https://www.finance.gov.au/sites/default...>. Accessed [10 Jun 21]
5. Ibid
6. Comcover (2021) Managing share risk: Comcover fact sheet, Australian Government. Available at: < https://www.finance.gov.au/sites/default...> . Accessed [7 Jun 21]
7. NDIS (2021) Senate Order 13 for Entity Contracts. Available at: < https://www.ndis.gov.au/about-us/policie...> . Accessed [10 Jun 21]
8. NDIA (2017) Senate Order 13: 2017 Calendar Year, National Disability Insurance Agency, Australian Government. Available at: < https://web.archive.org/web/201803172157...>. Accessed [10 Jun 21]
9. NDIS (2020) Senate Order 13: 2020 Calendar Year, National Disability Insurance Agency, Australian Government. Available at: < Senate Order for Entity Contracts Listing Relating to the period 1 January 2020 to 30 December 2020 (PDF 1MB)>. Accessed [10 Jun 21]
10. DB Results (2021) https://dbresults.com.au/
11. Barbaschow, A. (2021) Nearly AU$250,000 spent per month on staff costs to develop NDIS app, ZDNET, dated 11 may 21. Available at: <https://www.zdnet.com/article/nearly-au2...>. Accessed [10 Jun 21]
12. Aston, J. (2019) McKinsey’s $25m NDIS haul, Australian Financial Review, dated 19 Sep 2019. Available at: < https://www.afr.com/rear-window/mckinsey...>. Accessed [1 Jun 21]
13. Henriques-Gomes, L. (2021) NDIS cost-cutting taskforce told to reduce growth in participants and spending, The Guardian, dated 13 Apr 21. Available at: < https://www.theguardian.com/australia-ne...>. Accessed [10 Jun 21]
14. Farrell, P. and McDonald, A. (2021) A consultancy firm was paid $660,000 to advise on Australia’s COVID-19 vaccine strategy. But a government official said they provided no ‘specific advice’, ABC News, dated 3 Jun 21. Available at: <https://www.abc.net.au/news/2021-06-03/f...>. Accessed [10 Jun 21]
15. Office of Audits (2019) Improper pricing on McKinsey professional services contract may cost the United States an estimated $69 million, Office of the Inspector General, US General Services Administration, Report Number A170118/Q/?6/P19004, dated 23 Jul 2019. Available at: < https://www.gsaig.gov/sites/default/file...>. Accessed [4 Jun 21]
16. Barbaschow, A. (2020) Australian Government is currently juggling 62 high-cost IT projects, ZDNet. Available at:< https://www.zdnet.com/article/australian...>. Accessed [10 Jun 21]
17. NDIS (2020) Letter to Auditor-General from Dr Helen M. Nugent AO, Chairman, in ANAO (2020) Bilateral Agreement Arrangements between Services Australia and Other Entities, The Auditor General, Auditor General Report No. 30 2019-20 Performance Audit. Available at: < https://www.anao.gov.au/work/performance...>. Accessed [7 Jun 21]
18. Department of Finance (2020) Risk Potential Assessment Tool General Guidance (RMG 107), Australian Government. Available at: < https://www.finance.gov.au/publications/...> . Accessed [10 Jun 21]
19. ANAO (2016) National Disability Insurance Scheme - management of the transition of the disability services market, The Auditor General, ANAO Report No.24 2016-17 Performance Audit, Australian Government. Available at: < https://www.anao.gov.au/sites/default/fi...>. Accessed [7 Jun 21]
20. Dun & Bradstreet (2021) SFDC Australia Pty Ltd (Salesforce). Available at: <https://www.dnb.com/business-directory/c...>. Accessed [10 Jun 21]
21. PWC (2016) National Disability Insurance Scheme MyPlace Portal Implementation Review - Final Report, section 21: Conclusions, dated 31 Aug 2016. Available at: < https://www.dss.gov.au/sites/default/fil...> . Accessed [6 Jun 21]
22. NDIA (2015) Annual Report 2014-15, National Disability Insurance Agency, Australian Government. Available at: < https://www.ndis.gov.au/about-us/publica...>. Accessed [8 Jun 21]
23. NDIA (2016) Annual Report 2015-16, National Disability Insurance Agency, Australian Government. Available at: <https://www.ndis.gov.au/about-us/publica...>. Accessed [7 Jun 21]
24. NDIA (2017) Annual Report 2016-17, National Disability Insurance Agency, Australian Government. Available at: <https://www.ndis.gov.au/about-us/publica...>. Accessed [7 Jun 21]
25. NDIA (2018) Annual Report 2017-18, National Disability Insurance Agency, Australian Government. Available at: <https://www.ndis.gov.au/about-us/publica...>. Accessed [7 Jun 21]
26. NDIA (2020) Annual Report 2019-20, National Disability Insurance Agency, Australian Government. Available at: <https://www.ndis.gov.au/media/2724/downl...>. Accessed [7 Jun 21]
27. Ibid
28. Ibid
29. NDIA (2019) Corporate Plan 2019-2023, Australian Government. Available at: < https://www.ndis.gov.au/media/1645/downl... >. Accessed [6 Jun 21]
30. Ibid
31. NDIA (2018) Corporate Plan 2018-2022, Australian Government. Available at: < https://www.ndis.gov.au/media/406/download >. Accessed [6 Jun 21]
32. NDIA (2015) Corporate Plan 2015-2019, Australian Government. Available at: < https://www.ndis.gov.au/media/410/download>. Accessed [6 Jun 21]
33. Audit Office of New South Wales (2019) Internal Control Framework, New South Wales Government. Available at: < https://www.audit.nsw.gov.au/sites/defau... >. Accessed [6 Jun 21]
34. ANAO (2020) System Redevelopment - Managing Risks While Planning Transition, The Auditor-General, Auditor General Report No.10 2020-21 Performance Audit, paragraph 19 and sections 2.5-2.30. Australian Government. Available at: < https://www.anao.gov.au/work/performance...>. Accessed [5 Jun 21]
35. Ibid
36. Ibid
37. Ibid
38. Ibid
39. ANAO (2020) Bilateral Agreement Arrangements between Services Australia and Other Entities, The Auditor General, Auditor General Report No. 30 2019-20 Performance Audit, Available at: < https://www.anao.gov.au/work/performance...> . Accessed [7 Jun 21]
40. Ibid
41. Ibid
42. Ibid
43. Australian Public Service Commission (2015) Learning from failure: Why large government policy initiatives have gone so badly wrong in the past and how the chances of success in the future can be improved, Australian Government. Page 37. Available at: < https://legacy.apsc.gov.au/sites/default... >. Accessed [4 Jun 21]
44. UK Government (2017) Management of risk in government. Available at: < https://assets.publishing.service.gov.uk...>. Accessed [7 Jun 21]
45. British Standards Institute (2014) BS EN 62198:2014 Managing risk in projects
46. The Treasury (2012) TPP12-01b Risk Management toolkit for NSW Public Sector Agencies: Volume 1 Guidance for Agencies, NSW Government. Available at: < https://www.treasury.nsw.gov.au/sites/de...>. Accessed [10 Jun 21]
47. Schwaber, K. and Sutherland, J. (2020) The Scrum Guide: The Definitive Guide to Scrum: The Rules of the Game. Available at: < https://www.scrumguides.org/docs/scrumgu...>. Accessed [8 Jun 21]
48. Office of the Government Chief Information Officer (2011) Practice Guide to Project Management for IT Projects under an outsourced environment, Government of Hong Kong Special Administrative Region of the People’s Republic of China. Available at: < https://www.ogcio.gov.hk/en/our_work/inf... > . Accessed [5 Jun 21]
49. Department of Foreign Affairs and Trade (2019) Risk Management for Aid Investments, Australian Government. Available at: < https://www.dfat.gov.au/sites/default/fi... >. Accessed [5 Jun 21]
50. Department of Finance (2020) Commonwealth Procurement Rules, dated 14 Dec 20, Australian Government. Available at: < https://www.finance.gov.au/sites/default...>. Accessed [5 Jun 21]
51. Ibid
52. APRA (2018) Outsourcing involving cloud computing services: information paper, dated 24 Sep 2018. Available at: < https://www.apra.gov.au/sites/default/fi...> . Accessed [8 Jun 21]
53. Ibid
54. Olson, D. and Dash Wu, D. (2015) Enterprise Risk Management, 2nd ed, World Scientific
55. VAGO (2021) Service Victoria - Digital Delivery of Government Services, Victorian Auditor-General’s Office (VAGO), Victorian Government, dated Mar 2021. Available at: < https://www.audit.vic.gov.au/sites/defau...>. Accessed [8 Jun 21]
56. Ibid

foi, National Disability Insurance Agency

Thank you for contacting the National Disability Insurance Agency (NDIA).


Freedom of Information


If your message is a request for access to documents under the
Freedom of Information Act 1982 (FOI Act), we will acknowledge it within
14 days of receipt.  We may be in touch with you sooner if your request is
too large or vague.


We are committed to processing all requests as quickly as possible.  We
will keep in regular contact with you, especially if there's any delay in
making a decision.


Further information about FOI is available on our website:


Please contact us at [2][NDIA request email] if you have any questions or
require help.


Participant Information Access


If you are an NDIS participant and you are seeking access to your own
personal information, you can make a request online under our Participant
Information Access (PIA) process.


To make a request, please complete our online request form:


Please contact us at [4][email address] if you have any
questions or require help.


Other enquiries


If your message is for something else, you should direct it to
[5][email address].


If your message is received outside our business hours of 9am to 5pm
(AEST), Monday to Friday or on a public holiday, we will action it on the
next business day.


If your message is urgent, you can call our National Contact Centre on 1800
800 110.


Warm regards


Email: [6][email address]


Visible links
1. https://www.ndis.gov.au/about-us/policie...
2. mailto:[NDIA request email]
3. https://www.ndis.gov.au/about-us/policie...
4. mailto:[email address]
5. mailto:[email address]
6. mailto:[email address]