ATO Business Continuity Management (BCM) Framework

Comcover Insurance and Risk Management Conference

Presented by David Porter, Director, Business Continuity Management, Australian Taxation Office

21 August 2013


ATO BCM Framework 2

About the ATO

An effective tax system underwrites the Australian way of life.

ATO Profile

Locations: 67 sites across Australia

Staffing: 22,000 (24,000 in peak periods)

Cash Collections: over $300 billion

Tax refunds: over $88 billion

Transfers: over $9 billion

New registrations: 1.5 million

Client interactions: 230 million web, 12 million phone

Source: ATO Annual Report 2012


BCM Cost / Benefits

Disruptions impact the Tax Office, other agencies & Government:

moves work to expensive channels (e.g. from call to paper)

reduces revenue collected

generates complaints, work backlogs and results in cyclical spirals

impacts on staff engagement.

Disruptions impact Tax Practitioners, businesses & the wider community:

increases costs of compliance

creates uncertainty

reduces Community Confidence & reduces compliance

impacts on other agencies which depend on the Tax Office.

Less than optimum speed… every 20 seconds added to AHT costs $3m pa


BCM Approach: A Holistic Framework

[Figure: holistic BCM framework diagram with numbered elements 1 to 7. Labels: Integrated Security, Physical Security, ICT Security, Personnel Security, Contingency Planning, Incident Planning, Continuity Planning, Recovery Planning, BIA, Risk Management, Response Management, Security Risk, Continuity Management, Test & Exercise, Incident / Recovery Management, Operational Risk, Strategic Risk.]

BCM Framework supports: People, Buildings, Systems, Services, Suppliers, Communications, Natural Disasters

July 2009: New BCM function created in BUSINESS OPERATIONS to develop enterprise-wide BCM & new framework.


Governance

Governance and Executive sponsorship for BCM occurs through: ATO Executive Audit Committee BCM Steering Committee BCM Sponsor – 2nd Commissioner

Executive sponsorship backed by enterprise policies.


BCM Scope for Assurance and Activation

Emergency Control Organisation (site & national)

IT Incident management

IT Disaster Recovery

Pandemic Planning

Integrated Security Framework

National Emergency Contact Centre (ATO response)

Community Disaster Responses (ATO response)

Other business disruption events

Project & IT Assurance (BCM is embedded)


Links to Enterprise Risk Management

Ability to maintain Business Continuity capability is acknowledged amongst key corporate focus areas.


ATO’s Key BCM Priorities

Maintain Communication With Stakeholders

Ensure People are Safe

Contain the threat effectively

Maintain Reputation/Community Confidence in order to support effective tax administration

Maintain Revenue Streams

Continue Obligations to Partners

Maintain Integrity of Information

Maintain Tax Agent Services

Maintain Transfers


ATO Priorities Underpin RBIA

[Figure: diagram relating Business Impact Assessment and Risk Assessment to the ATO’s key BCM priorities. Recoverable labels follow.]

Whole of Tax Office Key BCM Priority Outcomes: Ensure People are Safe; Contain the threat effectively; Maintain reputation/community confidence in order to support the maintenance of effective tax administration; Maintain Transfers; Maintain Revenue Streams; Continue Obligations to Partners; Maintain Confidentiality, Availability and Integrity of Information; Maintain Tax Agent Services; Maintain Comms. With Stakeholders

BIA Focus: Agreeing the ATO’s priority Offerings; Defining Critical Resources

Threats: Facility Incident, Pandemic, Terrorist Attack, Natural Disaster, ICT Outage

Other labels: Facilities, Partners/Suppliers, Staff, Systems, Data/Documents, On-line, Internal, On-Site, On-Call, Bulk Data, WWW, On-Paper

Questions posed in the diagram:

What are the most important resources to deliver key outcomes?

What are the priority offerings that have the greatest impact on delivering key outcomes?

How do the critical resources impact delivery of priority offerings?

What are the critical resources required to provide these priority offerings?


RBIA outputs

RBIA provides an enterprise view of critical functions.


ATO BCM Response Framework

Single, centralised BCM response framework

Ensures clarity of roles and is scalable based on impact

Utilises supporting frameworks

Framework supported by endorsed strategies:

[Figure: BCM RESPONSE FRAMEWORK flowchart. Recoverable labels follow.]

Phases: Triage, Activation, Escalation/De-escalation, Deactivation, Debrief

Swimlanes: ATO BCM; ATO E/BCM SC; Other Activations; BSLs

Entry point: Incident, then BCM Triage (includes Media Monitoring Team) by 1800 800 800

Decision points: Is it a level 0 incident? Is it a level 1 incident? Is it a level 2 incident? Is it a level 3 incident? Does ECO need to be activated? Do other response frameworks need to be activated? Does issue require escalation / de-escalation? Do other frameworks need to be activated/de-activated?

Actions: Activate Level 0 Business Continuity Management Team; Activate Level 1 Crisis Management Team; Activate Level 2 Crisis Management Team; Activate Level 3 Crisis Management Team; Monitor and manage crisis; Communicate with Stakeholders; BCM Triage to reassess; Crisis is over; Deactivate CMT Team, Frameworks

BAU: Resume BAU; Notify all stakeholders; Update database; Review and implement learnings as required.

Other response frameworks shown: Pandemic Response Framework; Integrated Security Framework; IT Disaster Recovery Framework; IT Incident Management Team Framework; National Emergency Call Centre Framework; Community Disaster Response Framework; Emergency Control Organisation Framework


Government and Industry collaboration

To achieve best practice, ATO BCM has proactively shared methods, processes and documentation with other agencies including:

Department of Human Services

Australian Electoral Commission

Department of Defence

Department of Agriculture, Forests & Fisheries

Emergency Management Australia

Department of Prime Minister & Cabinet

Department of Foreign Affairs & Trade

Australian Bureau of Statistics

Department of Immigration & Citizenship

Attorney General’s Department

Department of Families, Housing, Community Services and Indigenous Affairs


Government and Industry collaboration

ATO BCM regularly participates and contributes to industry forums including:

BCM industry conferences and presentations

Cross agency BCM Practitioner’s Network

NSW Banking & Finance Sector BCM Round Table

Annual Australasian Business Continuity Institute Summit.


Feedback and Recognition

“I have to say that the ATO response has been excellent, sensitive, prompt and accommodating to my circumstances,” E-mail to Acting Prime Minister Wayne Swan from a Taxpayer whose QLD property was devastated by flooding.

“This was the best response to an incident I have ever been involved with across private and public sectors.” EAP Consultant, 2011 Natural Disasters

“I would like to pass on my gratitude and thanks to those involved in the decision making and to just say how much prouder I am that I work for such a well organised and caring organisation.” ATO Staff Member


Feedback and Recognition

ATO BCM has received local and international recognition including:

Winning 2012 BCI Australasian Business Continuity Team of the Year

Being short listed internationally for 3 years at BCI Annual Global Awards

Feedback received from APSC Capability Review Team

Positive simulation feedback from external observers


Learnings

Executive mandate

Top down approach to planning and response

Clear view on cost/benefits

Understand the business

Leverage from other business drivers (efficiencies, service deliveries)

Strong team

Rotate & shadow


Thank you!

© COMMONWEALTH OF AUSTRALIA 2013

This presentation was current in August 2013