An audit of departments and agencies within the Victorian Government has found many don’t have sufficient business continuity/disaster recovery facilities to keep them operating in the event of a major disaster, with the situation exacerbated by the lack of capability found at IT shared services agency CenITex.
CenITex was set up in July 2008 from the merger of the previous Shared Services Centre and Information & Technology Services divisions under the Department of Treasury and Finance, and has since rolled in a number of major departments and agencies to use its services, such as the Departments of Human Services (health) and Justice.
However, the agency has failed a number of its core functions over the past several years and had also become a haven for unethical procurement practices. It has gone through several major redundancy rounds, and in September the Victorian Government went to market for IT outsourcing partners to replace large chunks of the service delivery functionality currently provided by the agency.
In a report published last week regarding the state’s 11 major portfolio departments and their 197 associated entities, Victorian Government Auditor-General Doyle piled more fuel onto the CenITex fire.
In the report, available online in PDF format, Doyle noted that the portfolio departments in general, which provided services to their constituent agencies, had business continuity plans for individual divisions but “lacked overarching plans that provided whole-of-agency coordination and prioritisation”.
As a result, if Victoria suffered a major disaster, the auditor wrote, “services may not be re-established efficiently, particularly if an event impacts more than one area of a portfolio department’s operations”.
Exacerbating the situation is the fact that a number of the agencies depend on CenITex for such capabilities, but the IT shared services agency itself was not adequately prepared for an emergency situation.
“The effectiveness of the plans of portfolio departments is at risk as CenITex do not have sufficient disaster recovery capability to respond to a significant event. Consequently, portfolio departments’ ability to recover from events affecting their information technology infrastructure and operations is at risk. Unassessed and unmanaged, such a risk should be unacceptable to Parliament and the public,” the report states.
“Portfolio departments, and the shared service providers upon which they rely, need to work together to mitigate the risk of prolonged service failure in the event of business disruption. At the date of this report, this has not occurred in the key area of IT infrastructure. The consequential risk of not knowing if public services and portfolio department operations can be recovered is significant and unacceptable.”
The auditor noted that almost all portfolio departments and the Business Services Technology agency did have disaster recovery plans in place. However, the effectiveness of these plans in the event of a significant disruption was “unknown”, because “CenITex has no disaster recovery capabilities should this occur”.
“To compound this risk, portfolio departments are not informing themselves adequately about the disaster recovery capabilities of CenITex,” the report added. “The service agreement contracts between eight portfolio departments and CenITex do not address disaster recovery, and CenITex does not test its disaster recovery capabilities unless specifically requested to, and paid for by a portfolio department.”
“While it is not necessarily the role of an IT services provider to manage risks impacting on its customer data, CenITex is a not-for-profit entity providing essential infrastructure to enable services to be provided to the public. The public sector focus of CenITex means that by not working with the portfolio departments to develop a DRP, it is leaving the public exposed to an unacceptable risk of being unable to recover services after a significant event.”
Wow. You would think it would be a basic for any major Australian organisation to have a disaster recovery/business continuity plan, let alone a major IT shared services provider like CenITex. But, as I’ve previously written, nothing would surprise me when it comes to the agency. I sometimes wonder what precisely CenITex does do well, because so many reports into the agency have starkly demonstrated a huge list of things it needs to improve.