Part 4: Effectiveness of governance of national security risks and resilience-building

Governance of the National Security System.

4.1
In this Part, we discuss:

Summary of our findings

4.2
Governance of national security risks and resilience-building on the strategic side is maturing. Many of the members of ODESC(G) and the two main governance boards (the Security and Intelligence Board and the Hazard Risk Board) said to us that the current governance structures for the strategic side of the System were an improvement on the previous structures and were providing better governance over time.

4.3
The right people are coming together with greater purpose. Strong, trusting, and respectful relationships established over time between members of ODESC(G) and its boards are enabling the governance of national security risks and national resilience to mature quickly.

4.4
The Directorate is providing more strategic support for improving governance over time. Also, the National Exercise Programme helps the System to be prepared. Allowing the main players to practise responding, and to learn lessons, should help ensure that governance of all-of-government responses to national security events and emergencies is effective.

4.5
Some improvements are under way and others can be made for governance of the strategic side of the System to continue to mature quickly and to be fully effective. The work to define national security risks is particularly important for ODESC(G) to be more effective as the overall governance body for overseeing management of national security risks and resilience-building.

4.6
Clearer and stronger accountabilities are needed throughout the strategic side of the System. Identifying risks is also important to achieving this by providing a better framework for delegating accountabilities for risks from ODESC(G) to the boards and subgroups, and reporting against the delegated accountabilities. Work to achieve this is under way.

How governance of national security risks and resilience-building is maturing over time

4.7
In contrast to the governance structures for the response side of the System, which have remained significantly unchanged since they were introduced, the governance structures for the strategic side have changed over time. Governance of national security risks and resilience-building through the most recently introduced structures is maturing.

The current governance structures provide a better platform for effective governance

4.8
In 2013, DPMC carried out an internal review of the arrangements for co-ordinating national security and intelligence priorities. Also in 2013, the State Services Commission completed a Performance Improvement Framework (PIF) review of DPMC. The PIF review's findings about governance of national security risks and resilience-building included that DPMC needed to ensure:

  • that appropriate governance was in place and roles and responsibilities were clear to mitigate and manage risk in new threat areas, including through further refining and rationalising the governance structures so that they were targeted to deal with specific risks and responsibilities; and
  • that appropriate co-ordination and leadership of the roles and responsibilities of all relevant agencies.

4.9
After the reviews, the current structures for governance of national security risks and resilience-building (see Figure 4) were introduced in late 2013. Many of the members of ODESC(G), the Security and Intelligence Board, and the Hazard Risk Board told us that the current governance structures for the strategic side of the System are an improvement on the previous structures and are providing better governance over time.

4.10
Under the current structures, responsibilities are split more clearly between traditional security threats such as terrorism and broader threats to national security such as tsunamis, food safety failures, or pandemics. The current structures provide a basis for co-ordination and leadership of activities to mitigate and manage these different kinds of risk.

The right people are coming together with greater purpose

4.11
ODESC(G), the Security and Intelligence Board, and the Hazard Risk Board generally include the right people from the right organisations. Most of the members of ODESC(G) and its boards who we spoke to thought that their membership was appropriate. The membership of the boards has been refined over time. For example, the Security and Intelligence Board recently agreed to bring in a member from the Ministry of Business, Innovation and Employment, and the Hazard Risk Board brought in a member from the New Zealand Fire Service about 12 months ago.

4.12
A balance needs to be struck between broad representation on the boards and keeping them to a suitable size so they are effective as governance bodies. Some of the people we spoke to thought that there could be some useful additions to the boards, but most agreed that additional people could be brought in as required to prevent the boards from becoming too large. There is flexibility to allow officials who would not normally attend meetings to attend when needed.

4.13
Various documents set out the purpose of ODESC(G) and its boards. These include Cabinet papers, terms of reference, and the National Security System Handbook. It is important that these documents are kept up to date. The purposes of the boards are well documented. However, continued work is needed to ensure that the purposes of these boards are well understood by members.

4.14
The Security and Intelligence Board and the Hazard Risk Board have found better focus during the last 12 months because national security risks have been better defined and they have been better supported by the Directorate. Governance through the boards has gained momentum and is becoming more strategic, forward looking, and focused on defined risks.

4.15
In our view, the Security and Intelligence Board is the most mature as a governance body. It is widely viewed by people involved in the System as providing good co-ordination and leadership for the security and intelligence sector. The Board is operating constructively and is valued as a critical governance body by members.

4.16
The Hazard Risk Board is becoming more effective in its governance role over time. Recently, the Board adopted six focal areas, and dashboards were created to help track the progress of work against them. These improvements are helping the Board to be focused and purposeful.

4.17
ODESC(G) is the least mature as a governance body, partly because it has not had a set of clearly defined risks to focus its governance role on. The Strategic Risk and Resilience Panel is providing valuable independent advice to ODESC(G) on defining national security risks. We discuss the status of work on defining national security risks and the importance of this work for enabling better governance by ODESC(G) in paragraphs 4.31-4.33.

Strong relationships are enabling governance to mature quickly

4.18
The strong, trusting, and respectful relationships between members of ODESC(G) and its boards are enabling governance of national security risks and national resilience to mature quickly. The members of ODESC(G) and its boards are part of the network of people who are also sometimes called on when the response side of the System is activated. Most of the people we spoke to said that the relationships between people involved in the System were one of the System's main strengths.

4.19
We observed a meeting of the Security and Intelligence Board and of the Hazard Risk Board, and interviewed most of the members of the boards individually. We saw and heard that the tone of board meetings was constructive, and there appeared to be a good level of trust and respect between members.

4.20
There was good rapport between members at the meetings we observed, and we heard considered, focused, and collaborative discussion of issues. We also observed active listening and participation by board members. We heard support from members for jointly resourcing initiatives.

4.21
The Security and Intelligence Board, which meets monthly, is a particularly cohesive board. Chief executives give priority to attending board meetings.

4.22
The established and constructive relationships between members of the boards mean that the boards are well positioned to continue to become more effective in their governance roles and to do this quickly.

The Directorate is maturing in providing more strategic support over time

4.23
Members of ODESC(G) and its boards mostly see the Directorate as a small directorate that provides good and improving secretariat support for them. For example, the Directorate:

  • developed dashboards and focal areas to help the Hazard Risk Board to target its efforts better;
  • improved the timeliness of distribution of papers for meetings of the boards by introducing standard operating procedures, which outline time frames for collecting and sending out papers; and
  • sends out weekly updates to members of the boards to keep them informed of activities and developments throughout the System between meetings.

4.24
A recent survey by DPMC showed that a notable minority of members of boards were not satisfied with the support they received from the Directorate. Some of the people we interviewed also told us that they experience variation in the Directorate's overall support for their board. For example, some papers are still late on occasion.

4.25
The Directorate needs to be more proactive in facilitating the boards to be strategic and forward looking. This is increasingly happening. For example, the Directorate has initiated senior officials' groups, which help set future agendas for the Security and Intelligence Board and the Hazard Risk Board. Directorate staff also told us that they have received extra resourcing to increase staff numbers. Additional capacity within the Directorate should help it to provide more strategic support.

The National Exercise Programme helps the System to be prepared

4.26
Cross-agency exercises were held before the National Exercise Programme was set up. Those exercises were in response to emerging issues or in preparation for major events, such as the Rugby World Cup.

4.27
The National Exercise Programme was set up in 2013 and more formally plans exercises between agencies on an all-hazards basis to help ensure that New Zealand has the capability to effectively respond to national security events on- and offshore. The National Exercise Programme is designed to help officials confidently follow best practice crisis-management processes. It complements, but does not replace, agency-readiness programmes.4

4.28
The Hazard Risk Board oversees the National Exercise Programme, which operates on a four-year time frame. The 2015-19 programme uses a philosophy known as "crawl-walk-run". Each year, there is at least one "run" exercise conducted to fully test the System in a realistic national security scenario. The "run" exercise is preceded by two "walk" exercises to help prepare for the "run" exercise.5 Exercise Tangaroa is an example of a "run" exercise that took place in August 2016.

4.29
We observed how governance of co-ordination of the all-of-government response was practised by DPMC and agencies on the first day of Exercise Tangaroa. This involved simulating activation of the response side of the System, calling and running a Watch Group meeting, calling and running an ODESC meeting, and organising a National Security Committee meeting. There will be a formal debrief of the exercise as part of the National Exercise Programme. We have summarised our observations here. They are our views and do not replace the formal debriefing that DPMC will carry out.

Figure 6
About Exercise Tangaroa

Exercise Tangaroa

Exercise Tangaroa was a national inter-agency exercise designed to test New Zealand's arrangements for preparing for, responding to, and recovering from a nationally significant tsunami.

This was an all-of-government exercise led by the Ministry of Civil Defence and Emergency Management (which is the lead agency for geological, meteorological, hazards, and infrastructure failure emergencies).

Sequence of events for governance of the response (as the simulated emergency unfolded)

The Directorate activated the response system after the Ministry of Civil Defence and Emergency Management notified it of a potential tsunami threat just before 10am.

Co-ordinated by the Directorate, relevant elements of DPMC's Security Intelligence Group relocated to the National Crisis Management Centre in the basement of the Beehive to support governance of the response alongside where the operational management of the response by the Ministry of Civil Defence and Emergency Management had already started.

The Directorate convened a "co-ordination" meeting of DPMC staff to plan the sequence and timing of Watch Group, ODESC, and National Security Committee meetings for the day ahead. The Ministry of Civil Defence and Emergency Management's National Controller briefed staff on the situation.

A plan for DPMC's support to the governance of the response was determined at the co-ordination meeting, and tasks were assigned to those who attended.

Directorate staff notified relevant agencies of the Watch Group meeting by email and prepared an agenda for the meeting, based on their understanding of the issues requiring all-of-government support and attention, which became clearer as further information was received.

The Watch Group met at 12.30pm with the primary objective of supporting public safety and preservation of life. The issues discussed included a situation update from the National Controller, provision of support to the Ministry of Civil Defence and Emergency Management, impact on lifeline utilities, and issues to take to ODESC for a decision.

Actions from the Watch Group meeting were agreed and assigned.

Directorate staff sent out an email calling an ODESC meeting, prepared an agenda for the meeting, and recorded minutes from the Watch Group meeting.

ODESC met at 2.30pm and received a situation update from the National Controller before discussing the issues identified by the Watch Group.

The Chairperson of ODESC received advice from agencies and advised the Minister of Civil Defence of decisions needed from the National Security Committee.

The National Security Committee met by teleconference at about 3.15pm to discuss and agree on decisions to support the all-of-government response.

Impressions and observations

The exercise seemed quite real for those participating in it.

There was a sense of bringing as much organisation as possible to a response to an uncertain and unfolding situation.

The governance followed a planned sequence of events, through response structures (Watch Group, ODESC, and National Security Committee) that seemed to be understood by those organising and participating in them. This sequence of events seemed to fundamentally get the job of support and co-ordination of the all-of-government response done.

There were some glitches – for example, email distribution lists seemed inefficient to compile from different sources, and a few of the invited agencies did not send a representative to the Watch Group meeting.

Committing to action on the basis of uncertain, conflicting, and imperfect information is hard and requires judgement, and considered judgements were made.

Communication, including keeping the public informed, was recognised as important.

There was a focus on capturing lessons from the exercise from those participating in governance roles (at all levels) as the day unfolded.

We note that there were two more stages to the exercise: the response after the tsunami, followed by the management of the longer-term recovery two weeks later (desk-based stages that we did not observe).

A full report on the exercise, including lessons learned, is due in early 2017.

Improvements under way and others that could be made

4.30
Some improvements are under way and others could be made for governance of the strategic side of the System to continue to mature quickly and be fully effective.

More focused and proactive risk management

4.31
During the last 12 to 18 months, DPMC has been working with agencies across government and beyond to better identify and define national security risks and mitigations for these risks. This work is important because it will provide focus for the governance of the strategic side of the System and provide a forward-looking, proactive perspective for governance of national security risks and resilience-building on an ongoing basis. DPMC has identified risks and needs to clarify how that identification will be used to strengthen governance and management of risks through the strategic side of the System.

More focused purpose for ODESC(G)

4.32
The purpose of ODESC(G), as set out in its terms of reference, is "to identify major risks facing New Zealand and ensure that appropriate arrangements are made throughout Government to efficiently and effectively mitigate and manage them". Most members of ODESC(G) told us that ODESC(G) was not yet fulfilling this purpose or providing effective governance over the Security and Intelligence Board and the Hazards Risk Board.

4.33
This is partly because ODESC(G) does not yet have a clear set of risks to govern. The work to define national security risks should help members of ODESC(G) to be clearer about its purpose and enable ODESC(G) to be more effective as the overall governance body for overseeing management of national security risks and resilience-building.

Clearer accountabilities and better reporting against them

4.34
It is unclear how the Security and Intelligence Board and the Hazard Risk Board are accountable to ODESC(G). Some members of these boards did not have a good understanding of what they are accountable for or of how the boards report against their accountabilities.

4.35
What each of the boards is accountable for and who it is accountable to is set out in the board's terms of reference. However, there has not been a strong focus on monitoring and reporting against accountabilities using appropriate metrics. Reporting and accountability is primarily done informally by the chairpersons of the boards. The recent DPMC survey of board members showed that most believed that there could be better transparency and greater focus in reporting outcomes against accountabilities for the System as a whole. DPMC is working on strengthening its approach to monitoring and reporting through forward work programmes and dashboard performance reports.

4.36
A large number of subgroups sit beneath the Security and Intelligence Board and the Hazard Risk Board. In August 2016, the Directorate completed a stocktake to find out how many subgroups there are, what their terms of reference are, and who they report to.

4.37
Lines of accountability between the subgroups and the boards are not clear. There was some confusion among board members we interviewed about their roles and responsibilities for these subgroups, and about the roles and responsibilities of the subgroups.

4.38
Not being clear on accountabilities means that the boards cannot effectively govern the subgroups. DPMC has identified that the number of subgroups needs to be rationalised and that accountabilities and reporting against them need to be clearer. It has begun work to address this.

4.39
Recent work by DPMC has helped to strengthen some aspects of accountability on the strategic side of the System, such as identifying priorities and focal areas for the Security and Intelligence Board and the Hazard Risk Board and introducing dashboard reporting against them.

4.40
Clearer and stronger accountabilities are needed throughout the strategic side of the System. Identifying risks will help to clarify and strengthen accountabilities further by providing a better framework for delegating accountabilities for risks from ODESC(G) to the boards and subgroups, and reporting against the delegated accountabilities. When the identified risks are used in this way, the accountabilities of the boards and subgroups will need to be updated.

Recommendation 1
We recommend that the Department of the Prime Minister and Cabinet sharpen the focus of governance of the management of national security risks and of national resilience-building by:
  • using the work it is doing to define national security risks to establish clear accountabilities for governance of the management risks, and reporting regularly against the accountabilities; and
  • rationalising the number of subgroups beneath the main governance boards and clarifying lines of accountability between the subgroups and the boards.

4: For more information on the National Exercise Programme, see www.dpmc.govt.nz/sig/nep.

5: "Walk" exercises generally do not involve the same scenario as the "run" exercise. At the national level, exercises are designed to test and strengthen officials' capability to operate in the System when responding to national security events, almost regardless of the type of scenario.