Part 1: Introduction

Governance of the National Security System.

1.1
In this Part, we discuss:

Why we did our audit

1.2
The Department of the Prime Minister and Cabinet (DPMC) has a strategic objective to ensure that national security priorities, the civil defence emergency management system, and the intelligence system are well led, well co-ordinated, and well managed.

1.3
The National Security System (the System) provides the platform for governance of national security. The System needs to be governed effectively so it can prepare for, and respond to, national security events and emergencies well.

1.4
New Zealand takes a holistic and integrated approach to managing national security risks. Known as "the 4Rs", this approach includes:

  • Reduction — identifying and analysing long-term risks and taking steps to eliminate these risks if practicable, or if not, to reduce their likelihood and the magnitude of their impact;
  • Readiness — developing operational systems and capabilities before an emergency happens;
  • Response — taking action immediately before, during, or directly after a significant event;
  • Recovery — using coordinated efforts and processes to bring about immediate, medium-term, and long-term regeneration.2

1.5
Given the importance of national security to all of us, we considered it important to provide assurance to Parliament and the public about the effectiveness of the governance arrangements for the System.

Who and what we audited

1.6
We carried out a performance audit to assess how well the System is governed. People working in the System refer to a "response" side and a "governance" side. We looked at the governance arrangements for both. Referring to governance arrangements for the governance side of the System could be confusing. For ease of reading, we refer to a response side and a strategic side (see Figure 1).

1.7
We wanted to know whether governance structures on the response side enable responses to national security events and emergencies to be managed effectively. We also wanted to know whether governance structures on the strategic side contribute to national resilience-building and risk management.

Figure 1
The National Security System, response side and strategic side

Figure 1 The National Security System, response side and strategic side.

1.8
DPMC is responsible for co-ordinating and supporting the System, as well as providing risk management advice to the Government. Support for the System is largely delivered by DPMC's Security and Intelligence Group. Within this group, the National Security Systems Directorate (the Directorate) has specific responsibility for:

  • co-ordinating all-of-government responses to national security events; and
  • providing support to the strategic side.

1.9
In its 2014/15 annual report, DPMC said that it will work to ensure that New Zealand has world-class processes for identifying and dealing with national security events and emergencies, and for building national resilience.

1.10
We considered DPMC's desire to have a world-class system as we carried out our audit and measured DPMC against that high standard.

How we carried out our audit

1.11
To assess how well the System is governed, we used the eight elements of good governance published in our recent report, Reflections from our audits: Governance and accountability.

1.12
The eight elements of good governance are:

  • set a clear purpose and stay focused on it;
  • have clear roles and responsibilities that separate governance and management;
  • lead by setting a constructive tone;
  • involve the right people;
  • invest in effective relationships built on trust and respect;
  • be clear about accountabilities and transparent about performance against them;
  • manage risks effectively; and
  • ensure that you have good information, systems, and controls.

1.13
We looked at whether these elements were in place for the System, and whether they were providing effective governance of the System. Governance of the System needs to enable agencies to work together in a co-ordinated way. Information also needs to flow through the System effectively and efficiently.

1.14
We interviewed staff involved in the governance of the response side and the strategic side of the System. We also reviewed and analysed relevant documents, mostly from DPMC.

1.15
We looked at two examples of recent responses to assess the response side of the System. Figure 2 sets out background information about each response, the main agencies involved, and the duration of the response.

Figure 2
The National Security System responses that we selected as examples for our audit

ExampleReason for system activationKey agencies involvedDuration of response
Operation Concord Fonterra and Federated Farmers received anonymous letters threatening to contaminate infant formula and other formula products with 1080 poison. Ministry for Primary Industries

New Zealand Police

Ministry of Foreign Affairs and Trade

Ministry of Health
November 2014 to March 2015
Paris attacks A series of terrorist attacks, including several suicide bombings and mass shootings, took place in Paris in November 2015. It was initially uncertain whether the attacks posed a threat to New Zealand or whether they would have other implications that might affect the country, so the System was activated to consider possibilities. Ministry of Foreign Affairs and Trade

New Zealand Police

New Zealand Defence Force
November 2015

1.16
We also observed governance meetings that DPMC convened to co-ordinate responses to two national security events that took place during our audit. We did not fully assess how the responses to these events were governed because the responses were not completed when we wrote this report. However, our observations about the responses have contributed to our overall audit findings.

1.17
As part of our assessment of governance of the strategic side of the System, we observed the first day of Exercise Tangaroa. Exercise Tangaroa was a national exercise to test New Zealand's preparations for, response to, and recovery from a nationally significant tsunami.

1.18
In late 2013, the strategic side of the System was reorganised. Our performance audit was the first external review of that relatively new structure.

1.19
We looked at the boards involved in the strategic side of the System. We looked at how the boards have been operating since the new structure was established. These boards are described in Part 2, and they are:

  • the Officials' Committee for Domestic and External Security Coordination (Governance);
  • the Security and Intelligence Board;
  • the Hazard Risk Board; and
  • the Strategic Risk and Resilience Panel.

1.20
For each of the boards, we:

  • interviewed members of the board;
  • reviewed the terms of reference and charter;
  • analysed meeting agendas, minutes, and action points; and
  • reviewed documents produced for and by the boards to enable them to fulfil their governance function.

1.21
We assessed how the Directorate supports both sides of the System. We looked at how the Directorate co-ordinates responses to national security events, and how it supports the boards on the strategic side of the System to fulfil their governance functions.

1.22
Our work included reviewing policy and accountability documents and internal review documents. We also interviewed Directorate staff and members of the various groups and boards that they support on the response and strategic sides of the System.

What we did not audit

1.23
For the two examples we examined – Operation Concord and the Paris attacks – we did not form a view on whether the right response was decided on. Our focus was on the effectiveness of the governance arrangements behind each response.

1.24
Similarly, we did not form a view on whether the strategic side of the System focuses on the right risks.

1.25
We did not audit the work of subcommittees and working groups reporting to the boards on the strategic side of the System. Our focus was on how clear the lines of governance and accountability were between the boards and these subcommittees and working groups.

1.26
Some agencies have specific roles in responding to national security events. For example, the Ministry of Civil Defence and Emergency Management has a specific role in the event of a civil emergency and the Ministry of Health has a specific role in the event of a pandemic. We did not audit these agencies.

Structure of this report

1.27
In Part 2, we describe the structure of the System. We explain the governance arrangements for the response side and the strategic side in more detail.

1.28
In Part 3, we examine the effectiveness of governance of responses to national security events and describe the aspects of effective governance we observed. We also discuss our observations about the two examples we looked at – Operation Concord and the Paris attacks.

1.29
In Part 4, we examine the effectiveness of the arrangements that govern national security risks and resilience-building (the strategic side of the System). We describe some of the improvements already under way and those that could still be made.

1.30
In Part 5, we discuss how governance needs to continue to improve throughout the System as a whole for it to be a world-class national security system.


2: From the National Security System Handbook. See dpmc.govt.nz/national-security.