ATO Business Continuity Management (BCM) Framework · ATO BCM Framework 3 BCM Cost / Benefits...
ATO Business Continuity Management (BCM) Framework Comcover Insurance and Risk Management Conference
Presented by David Porter Director, Business Continuity Management Australian Taxation Office 21 August 2013
ATO BCM Framework 2
About the ATO
An effective tax system underwrites the Australian way of life.
ATO Profile
Locations: 67 sites across Australia
Staffing: 22,000 (24,000 in peak periods)
Cash Collections: over $300 billion
Tax refunds: over $88 billion
Transfers: over $9 billion
New registrations: 1.5 million
Client interactions: 230 million web, 12 million phone
Source: ATO Annual Report 2012
ATO BCM Framework 3
BCM Cost / Benefits
Disruptions impact the Tax Office, other agencies & Government:
moves work to expensive channels (e.g. from call to paper)
reduces revenue collected
generates complaints, work backlogs and results in cyclical spirals
impacts on staff engagement.
Disruptions impact Tax Practitioners, businesses & the wider community:
increases costs of compliance
creates uncertainty
reduces Community Confidence & reduces compliance
impacts on other agencies which depend on the Tax Office.
Less than optimum speed… every 20 seconds added to AHT costs $3m pa
ATO BCM Framework 4
BCM Approach: A Holistic Framework
[Diagram: holistic BCM framework, with markers numbered 1 to 7. Labels: Integrated Security; Physical Security; ICT Security; Personnel Security; Contingency Planning; Incident Planning; Continuity Planning; Recovery Planning; BIA; Risk Management; Response Management; Security Risk; Continuity Management; Test & Exercise; Incident / Recovery Management; Operational Risk; Strategic Risk]
BCM Framework supports: People, Buildings, Systems, Services, Suppliers, Communications, Natural Disasters
July 2009: New BCM function created in BUSINESS OPERATIONS to develop enterprise wide BCM & new framework.
ATO BCM Framework 5
Governance
Governance and Executive sponsorship for BCM occurs through: ATO Executive Audit Committee BCM Steering Committee BCM Sponsor – 2nd Commissioner
Executive sponsorship backed by enterprise policies.
ATO BCM Framework 6
BCM Scope for Assurance and Activation
Emergency Control Organisation (site & national)
IT Incident management
IT Disaster Recovery
Pandemic Planning
Integrated Security Framework
National Emergency Contact Centre (ATO response)
Community Disaster Responses (ATO response)
Other business disruption events
Project & IT Assurance (BCM is embedded)
ATO BCM Framework 7
Links to Enterprise Risk Management
Ability to maintain Business Continuity capability is acknowledged amongst key corporate focus areas.
ATO BCM Framework 8
ATO’s Key BCM Priorities
Maintain Communication With Stakeholders
Ensure People are Safe
Contain the threat effectively
Maintain Reputation/Community Confidence in order to support effective tax administration
Maintain Revenue Streams
Continue Obligations to Partners
Maintain Integrity of Information
Maintain Tax Agent Services
Maintain Transfers
ATO BCM Framework 9
ATO Priorities Underpin RBIA
[Diagram: Business Impact Assessment / Risk Assessment]
Whole of Tax Office Key BCM Priority Outcomes: Ensure People are Safe; Contain the threat effectively; Maintain reputation/community confidence in order to support the maintenance of effective tax administration; Maintain Transfers; Maintain Revenue Streams; Continue Obligations to Partners; Maintain Confidentiality, Availability and Integrity of Information; Maintain Tax Agent Services; Maintain Comms. With Stakeholders
BIA Focus: Agreeing the ATO’s priority Offerings; Defining Critical Resources
What are the most important resources to deliver key outcomes?
What are the priority offerings that have the greatest impact on delivering key outcomes?
How do the critical resources impact delivery of priority offerings?
What are the critical resources required to provide these priority offerings?
Threats: Facility Incident; Pandemic; Terrorist Attack; Natural Disaster; ICT Outage
Other diagram labels: Facilities; Partners/Suppliers; On-line; Internal; On-Site; On-Call; Bulk Data; WWW; Staff; Systems; Data/Documents; On-Paper
ATO BCM Framework 11
ATO BCM Response Framework
Single, centralised BCM response framework
Ensures clarity of roles and is scalable based on impact
Utilises supporting frameworks
Framework supported by endorsed strategies:
[Flowchart: BCM RESPONSE FRAMEWORK]
Phases: Triage; Activation; Escalation/De-escalation; Deactivation; Debrief
Side labels: ATO BCM; ATO E/BCM SC; Other Activations; BSLs
Entry: Incident; BCM TRIAGE (Includes Media Monitoring Team) by 1800 800 800 (See p.5)
Decisions (Yes/No): Is it a level 0 incident? (See p.7); Is it a level 1 incident? (See p.7); Is it a level 2 incident? (See p.7); Is it a level 3 incident? (See p.7); Does ECO need to be activated? (See p.8); Do other response frameworks need to be activated?; Does issue require escalation / de-escalation?; Do other frameworks need to be activated/de-activated?
Actions: Activate Level 0 Business Continuity Management Team (Page 6); Activate Level 1 Crisis Management Team (See p.11); Activate Level 2 Crisis Management Team (See p.11); Activate Level 3 Crisis Management Team (See p.11); Monitor and manage crisis (See p.13); Communicate with Stakeholders (See p.13); BCM Triage to reassess; Crisis is over; Deactivate CMT Team, Frameworks (See p.13); Resume BAU; Notify all stakeholders; Update database; Review and implement learnings as required; BAU
Other response frameworks: Pandemic Response Framework (Refer to page 47); Integrated Security Framework (Refer to page 51); IT Disaster Recovery Framework (Refer to page 45); IT Incident Management Team Framework (Refer to page 43); National Emergency Call Centre Framework (Refer to page 32); Community Disaster Response Framework (Refer to page 22); Emergency Control Organisation Framework (Refer to page 7)
ATO BCM Framework 12
Government and Industry collaboration
To achieve best practice, ATO BCM has proactively shared methods, processes and documentation with other agencies including:
Department of Human Services
Australian Electoral Commission
Department of Defence
Department of Agriculture, Forests & Fisheries
Emergency Management Australia
Department of Prime Minister & Cabinet
Department of Foreign Affairs & Trade
Australian Bureau of Statistics
Department of Immigration & Citizenship
Attorney General’s Department
Department of Families, Housing, Community Services and Indigenous Affairs
ATO BCM Framework 13
Government and Industry collaboration
ATO BCM regularly participates and contributes to industry forums including:
BCM industry conferences and presentations
Cross agency BCM Practitioner’s Network
NSW Banking & Finance Sector BCM Round Table
Annual Australasian Business Continuity Institute Summit.
ATO BCM Framework 14
Feedback and Recognition
“I have to say that the ATO response has been excellent, sensitive, prompt and accommodating to my circumstances,”
E-mail to Acting Prime Minister Wayne Swan from a Taxpayer whose QLD property was devastated by flooding.
“This was the best response to an incident I have ever been involved with across private and public sectors.” EAP Consultant, 2011 Natural Disasters
“I would like to pass on my gratitude and thanks to those involved in the decision making and to just say how much prouder I am that I work for such a well organised and caring organisation.” ATO Staff Member
ATO BCM Framework 15
Feedback and Recognition
ATO BCM has received local and international recognition including:
Winning 2012 BCI Australasian Business Continuity Team of the Year
Being short listed internationally for 3 years at BCI Annual Global Awards
Feedback received from APSC Capability Review Team
Positive simulation feedback from external observers
ATO BCM Framework 16
Learnings
Executive mandate
Top down approach to planning and response
Clear view on cost/benefits
Understand the business
Leverage from other business drivers (efficiencies, service deliveries)
Strong team
Rotate & shadow