Part 3: Before Covid-19: Our pandemic preparedness had limitations

Co-ordination of the all-of-government response to the Covid-19 pandemic in 2020.

In this Part, we make observations about the public sector’s general state of readiness for potential and actual emergencies, and pandemics in particular, before Covid-19 emerged. We discuss:

Because of New Zealand’s vulnerability to natural hazards, as well as recent disruptive events (see paragraph 3.17), we expected that:

  • there would be appropriate systems to manage potential and actual emergencies that would generally function well, and focus on reducing risks; and
  • there would be well-embedded processes and practices for routinely identifying and incorporating improvements to ways of operating.

Given New Zealand’s concerns about, and experience of, new influenza and coronavirus threats from the early 2000s[20] and international requirements to plan for disease outbreaks,[21] we also expected that:

  • systems would be in place and agencies would be reasonably ready to respond to a public health emergency, specifically a pandemic;
  • recommended actions from pandemic readiness exercises and evaluations of previous public health emergencies would have been implemented or be in progress; and
  • planning would be reasonably current and familiar to those most likely to use it.

We also expected that there would be active central co-ordination and accountability for ensuring that these readiness activities were carried out.

Summary of findings

Before Covid-19 emerged, there were many systems, structures, frameworks, and plans in place to help prepare for, and respond to, a pandemic. However, some of these were not as current or functioning as well as they should have been.

Some documentation to inform pandemic and other emergency preparedness was outdated and confusing. It also did not provide sufficient information for agencies on how to review and learn lessons from responses to emergencies. The public sector was not generally familiar with, and did not have a good understanding of, pre-existing emergency management arrangements.

The governance of nationally significant risks, including pandemics, had not been working as intended. Recommendations from pandemic readiness exercises had not been systematically implemented.

The public had limited visibility of how the government had responded to previous assessments of the country’s preparedness for a health emergency. No central mechanism ensured that agencies had developed and updated their pandemic plans. There was also no mechanism in use for co-ordinating these plans across government.

Overall, there was limited public assurance that the public sector was adequately prepared for pandemics and other significant threats and hazards.

Before Covid-19 emerged, our national security, emergency management, and health systems had shortcomings that could have affected the effectiveness and efficiency of a pandemic response. In Part 8, we discuss steps that have been taken, or are being taken, to address these issues.

Governance and strategic management of national security risks needed improvements

Before Covid-19 emerged, the Hazard Risk Board had not been meeting regularly and was not performing as intended.[22] Minutes from its June 2020 meeting described struggles to carry out strategic governance properly, and members agreed that the board needed to “lift” its discussions to focus on system-wide risks instead of issues and do so with a national security lens.[23]

Over the years, there have been various attempts to refocus the way agencies manage risks through the national security system. However, these have not always been sustained or delivered as intended.

The Royal Commission of Inquiry into the terrorist attack on Christchurch mosques found that agencies’ delivery against the intelligence priorities had not been monitored. It also found that threat assessments provided to Ministers were not always accompanied by advice on what to do about the risks.

Our 2019/20 annual audit of DPMC recommended that it more clearly demonstrate the desired impact of the National Security Group’s work.

Agencies had limited capacity to contribute to wider risk reduction and readiness

Before the Covid-19 pandemic, a multi-year work programme was under way to improve New Zealand’s emergency management system. This work included initiatives to build the system’s workforce capability and capacity.

The work programme was started in response to a review that an independent advisory group carried out in 2017.[24] The Minister of Civil Defence commissioned the review in 2017 after concerns had been raised about the civil defence sector’s effectiveness in dealing with a series of emergencies.

This reform work continued in 2019. Part of this work involved establishing NEMA.[25] At the same time, the emergency management system and its people came under significant pressure as they responded to another series of major events.[26]

In 2017, a performance improvement review found that 15 of 17 organisational management areas at the Ministry of Health were weak or needed improvement.[27] A 2020 report found that the health and disability system was “under serious stress”.[28]

The 2020 report found:

  • underfunding and financial management problems;
  • a lack of mandatory longer-term integrated planning;
  • that aspects of system leadership and accountability needed strengthening;
  • significant service delivery issues;
  • rising demands on staff; and
  • workforce shortages.

In our view, these challenges are likely to have impacted the Ministry of Health’s and the wider health system’s ability to prepare for and respond to a pandemic.

More generally, we understand that agencies had limited capacity to contribute to system efforts to proactively manage hazards and risks. The Royal Commission of Inquiry into the terrorist attack on Christchurch mosques highlighted that agencies were expected to supply information on National Security Intelligence Priorities. However, those expectations were not enforced.

Accountability for carrying out adequate planning was lacking

Under the National Civil Defence Emergency Management Plan, agencies are expected to develop and maintain risk-based emergency management plans.

The plans should describe how agencies will carry out their responsibilities for the 4Rs (see Figure 1). They should also be comprehensive (for all hazards and all risks) and integrated with other agencies’ planning. It is recommended – but not required – that they follow a generic risk management standard.[29]

These planning activities were supported by accountability arrangements, but monitoring and reporting requirements were not as well developed as they could have been.

The Director of Civil Defence Emergency Management can request to see a department’s plan. However, this request applies only to business continuity plans (see paragraph 2.7) and not wider emergency planning.[30]

The New Zealand Security Intelligence Service requires chief executives to sign and submit an annual self-assessment of how their organisation meets the government’s mandatory protective security requirements.[31] These include requirements to specifically manage business continuity, as well as risks, incidents, and threats (to people, information, and assets) more generally.

Agencies are also required to develop plans and security measures for responding to events, threats, and activities of varying likelihood of causing harm (for example, terrorist attacks and earthquakes).

Guidance advises agencies to monitor and continuously review their preparations for disruptive events and to co-ordinate with other emergency prevention and response planning.[32] However, we do not know whether and how well agencies carry out these activities.

DPMC told us that, to the best of its knowledge, no formal expectation directly links emergency management planning to agencies’ activities under the protective security requirements.

We consider that a cross-agency stocktake of planning for disruptive events would provide valuable insights. During our audit, we saw and heard evidence that the need for centralised responsibility for co-ordinating cross-system business continuity planning on an ongoing basis has been a long-standing issue.

Agencies that have an audit and risk committee may engage that committee to look at their organisation’s arrangements for managing emergencies as part of their wider risk mitigation and assurance practices, but this is at the discretion of a chief executive.

Te Kawa Mataaho is responsible for setting expectations and reviewing chief executives’ overall performance in leading their departments. As part of this, chief executives are expected to ensure that operational matters, including emergency management planning and reporting against the protective security requirements, are carried out in line with their general responsibilities set out in the Public Service Act 2020.

Te Kawa Mataaho told us that it monitors chief executives’ performance through its close connections and ongoing conversations with them. Ministers also provide updates about chief executives’ performance to Te Kawa Mataaho. We understand that chief executives are not required to formally confirm to Te Kawa Mataaho that they have carried out their expected activities and operational responsibilities.[33]

We found stronger statutory requirements for emergency planning elsewhere.[34]

For example, the Civil Defence Emergency Management Act 2002 requires regional councils and territorial authorities to prepare civil defence emergency management plans. These plans must:

  • include the opportunity for public submissions;
  • be consistent with the National Civil Defence Emergency Management Strategy;
  • be sent to the Minister of Civil Defence for comment; and
  • be reviewed after five years if this has not been done sooner.

Before the Covid-19 pandemic, there was no central mechanism in regular use to confirm that central government agencies had developed pandemic plans that were suitably up to date, aligned with planning guidance, and co-ordinated with other plans (see paragraph 2.43).[35]

Accountability for improving readiness was limited

We saw some evidence of how actions to improve New Zealand’s readiness to respond to a pandemic were to be carried out, monitored, and communicated to Parliament and the public.

However, recommendations from previous pandemic exercises had not been systematically implemented. When officials met to discuss the escalating issue of Covid-19 in January 2020, they were advised that recommendations from the 2017/18 pandemic exercise had not been fully implemented.

The Ministry of Health told us that, after the 2017/18 exercise, the Intersectoral Pandemic Group met on a couple of occasions. However, it was decided that the best way to make progress with planning would be for the Ministry to meet with the lead agency for each workstream instead.

We were told that there was some tracking of progress, but we did not see evidence of how action against the exercise’s recommendations had been monitored and communicated to all agencies. When Covid-19 emerged in early 2020, the Pandemic Plan had not been updated to reflect any changes from the 2017/18 exercise.

Before the Covid-19 pandemic, two external assessments had identified areas for improvement in New Zealand’s health emergency preparedness.

In 2019, a joint World Health Organization and Ministry of Health review was published that assessed New Zealand’s capacities against International Health Regulations.[36] Although the review reported many positive findings, it made four overarching recommendations and identified 54 priority actions. These included putting corrective actions and other lessons identified from public health emergency exercises and responses into practice in a timely way.

Included in one of the recommendations was that the Ministry of Health address critical human resource needs and build dedicated capacity to communicate risk for a public health emergency.

The Ministry of Health published a link to this report on its website, but not until April 2021 – almost two years after the report had been finalised.[37]

The 2019 Global Health Security Index scored New Zealand 54 out of 100 for pandemic readiness.[38] This was a desktop assessment of 195 countries against a range of indicators for dealing with the risk of infectious disease outbreaks.

The Index relied on open-source information, based on the principle that people should be able to access information about their country’s existing health emergency capacities and plans.

Views about the Index are mixed. Some have commented on its limitations, particularly since Covid-19 emerged. Conversely, New Zealand public health academics and other researchers have commented on the value of the Index and its methods.[39] The Ministry of Health told us that it did not participate in the preparation of the Index or recognise its findings.

In any case, New Zealand still had areas where improvements were needed. This included the public availability of information about how ready the country was for a health emergency.

In our view, it is important for the public to have an opportunity to access and engage with assessments of pandemic and wider emergency and crisis readiness, including the findings of exercises, evaluations, and independent reviews. We also consider that there needs to be greater public transparency to show how the government responds to findings from such assessments.

Recommendation 1
We recommend that the Department of the Prime Minister and Cabinet, National Emergency Management Agency, Te Kawa Mataaho Public Service Commission, the Ministry of Health, and other relevant organisations continue to work together to ensure that there is central co-ordination and clear roles and responsibilities for:
  • government agencies to keep emergency management plans up to date and consistent with agreed standards, current guidance, and other best practice;
  • implementing improvements from regular emergency management exercises and other evaluations of emergency readiness; and
  • monitoring progress in implementing those improvements.

Some guidance and legislation needed updating

The National Security System handbook (2016) was and remains a critical document about the arrangements for responding to a potential, emerging, or actual national security event. However, when Covid-19 emerged, some content in the handbook was outdated.

In October 2021, DPMC published a separate two-page online fact sheet listing key changes to help address confusion. However, until this date (about 18 months into the Covid-19 response), guidance still included information about structures, agencies, and ODESC arrangements that no longer existed.

When this report was published, DPMC’s webpage stated that the handbook was under review. We encourage DPMC to conclude this work as soon as possible.

Similarly, the Guide to the National Civil Defence Emergency Management Plan (2015) refers to an ODESC National Hazardscape Report from 2007, as well as guidance that the Ministry of Civil Defence and Emergency Management produced in 2006 that reflects best practice from 1998 on how to debrief after events.

In July 2022, NEMA told us that the general guidance in this document is sound but updating it is on its work programme.

Some legislation was also outdated. In July 2020, an inquiry by the Finance and Expenditure Committee found that the Health Act 1956 did not provide suitable and enduring powers for managing a significant long-term health emergency such as the Covid-19 pandemic. We discuss changes to legislation in Part 5.

Emergency management arrangements were not well understood

Evaluations of pandemic exercises had highlighted the need to improve and maintain central government agencies’ familiarity with, and understanding of, pre-existing emergency management arrangements. A review of the emergency management system (see paragraph 3.15) and other reports had identified this as a wider issue.

Before the Covid-19 pandemic, agencies already needed to better understand roles, responsibilities, and accountabilities for given emergencies. DPMC told us that agencies also needed to better understand legal and operating frameworks, the national security system, and the concept of lead agencies.

We found that the various plans, guidance, strategies, and frameworks meant to inform pandemic planning formed a complex picture that was difficult to understand. There was a lack of clear information on, for example, the relationship between the national security system and the emergency management system.

Some people we interviewed told us that it was not always clear how the Pandemic Plan would be implemented during a pandemic. However, we also heard from the Ministry of Health that being involved in the 2017/18 pandemic exercise, the joint review exercise (see paragraph 3.42), and the response to the domestic measles outbreak had given participants a good applied understanding of health emergency responses.

NEMA is carrying out work to improve emergency management capability and clarify roles and responsibilities. This should help agencies and other relevant organisations better understand what arrangements mean in practice.

We expect that guidance will be reviewed and updated as part of this process. It is also important that Parliament and the public can understand how things should work and who to hold to account.

Other countries have also identified improvements to deepen and broaden emergency management competencies. The Victorian Auditor-General’s Office has recommended that all departments include mandatory training for staff with dedicated business continuity responsibilities when they start their role and at least every two years.

In the United Kingdom, a Parliamentary inquiry recommended that Ministers also receive guidance and training on planning and crisis responses and participate in exercises along with the most senior officials.

Recommendation 2
We recommend that the Department of the Prime Minister and Cabinet, National Emergency Management Agency, Te Kawa Mataaho Public Service Commission, the Ministry of Health, and other relevant organisations continue to work together to ensure that:
  • key staff maintain a good understanding of all-of-government strategic crisis management, hazard risk management, and emergency management frameworks, including relevant legislation and guidance on lessons management.

Guidance on reviewing emergency responses and learning lessons was limited

Before the Covid-19 pandemic, there were plans, strategies, and frameworks in place that broadly expected an emergency response would be reviewed.

The National Security System handbook mentions formal post-response debriefs and “lessons identified processes”. The CIMS framework has general requirements for handover briefings and debriefings between operational shifts.

The Pandemic Plan states that, after the peak of the response and during recovery, all agencies are expected to debrief, then collate and review lessons. The Ministry of Health is responsible for producing a final report, guided by an evaluation framework.

However, we found minimal guidance about good practices and processes for how to carry out reviews of emergency responses. The emergency management material we looked at did not always explain the complete cyclical process of lessons management, including implementation and evaluation, or how to go about it.

One key reference document presented post-event debriefs as optional.[40] In 2020, the Hazard Risk Board noted the absence of a system-level, centralised continuous improvement function.

Insufficient advice about how to best capture and embed learning could affect agencies’ efforts to make meaningful improvements during and after emergency responses.

In our view, more work needs to be done to improve agencies’ understanding and application of the term lessons learned. This term is commonly used to describe insights that have been collected (sometimes as raw observations or opinions) but not actually validated and acted on.[41] NEMA told us that it has recently carried out work to support the consistency of practices and systematic management of lessons. We discuss this further in Part 8.

20: Severe Acute Respiratory Syndrome (SARS), Avian Influenza, and Middle East Respiratory Syndrome were added to the schedule of notifiable infectious diseases under the Health Act 1956. The Pandemic Plan states that these various threats and experiences had informed “accelerated” pandemic planning.

21: As a member of the World Health Organization, New Zealand is required to detect, plan for, and respond to disease outbreaks of all kinds. The Ministry of Health is responsible for liaising with the World Health Organization on these matters.

22: The Hazard Risk Board did not meet for the first six months of 2020. This was the second consecutive year where that happened.

23: The State Services Commission (now called Te Kawa Mataaho Public Service Commission) led performance improvement reviews of DPMC in 2013 and 2015. These found that DPMC needed to strengthen its leadership and co-ordination of national security interests to be more focused on the future. To read the reviews, see In 2016, we also found that DPMC needed to improve the governance of risks to be fully effective. See Office of the Auditor-General (2016), Governance of the national security system, at

24: The work programme is based on this report: New Zealand Government (2018), Delivering better responses to natural disasters and emergencies: Government response to the Technical Advisory Group’s recommendations, at

25: NEMA replaced the Ministry of Civil Defence and Emergency Management as a departmental agency with greater autonomy. It is hosted by DPMC.

26: The National Crisis Management Centre was activated four times for a total of 147 days during 2019/20. NEMA’s Chief Executive described this as unprecedented. See the Governance and Administration Committee (2021), 2019/20 Annual review of the National Emergency Management Agency, at

27: State Services Commission (2017), Performance improvement framework: Review for Manatū Hauora, the Ministry of Health, at

28: Simpson, H (2020), Health and disability system review: Final report/Pūrongo whakamutunga, at This review led to a programme of reforms to the health and disability system. Planning started in 2021 for implementation from July 2022. The Covid-19 pandemic was not part of the review’s parameters. However, the pandemic was taken into account as context for the report’s release in June 2020, and at that time the health and disability system was described as being under “extreme” stress.

29: AS/NZS ISO 31000.2009: Risk management – Principles and guidelines.

30: In June 2021, NEMA told us that the Director had not been using this power.

31: This was made compulsory for 36 central government agencies when the protective security requirements were introduced in 2014. Other organisations, including some in the private sector, have since adopted the protective security requirements framework.

32: New Zealand Government (2018), Overview of protective security requirements, at See, in particular, “GOV 3 – Prepare for business continuity” and “GOV 7 – Be able to respond to increased threat levels”.

33: For example, through legal compliance statements or overarching attestations (that they fulfil the requirements of their performance expectations and the Public Service Act 2020).

34: We looked at other countries’ initiatives to strengthen the rigour of their planning. In Queensland, for example, legislation requires publication of disaster management standards (developed by the state’s independent Inspector-General of Emergency Management) that all entities involved in disaster management must follow.

35: In our 2020 report Ministry of Health: Management of personal protective equipment in response to Covid-19, we found that the Ministry of Health was responsible for ensuring a co-ordinated planning approach between district health boards for health-related emergencies. District health boards were meant to publish their health emergency plans on their websites but had not done this consistently. The Ministry had not been checking whether these plans had been published. It also did not have any process for formally reviewing those plans.

36: World Health Organization (2019), Joint external evaluation of International Health Regulations core capacities of New Zealand, at

37: World Health Organization (2019), Joint external evaluation of International Health Regulations core capacities of New Zealand. Accompanying information stated that the Ministry of Health was developing a National Health Security Plan. The Ministry told us that the measles outbreak and Covid-19 had disrupted this. See

38: The Global Health Security Index is co-authored by the Nuclear Threat Initiative and the Johns Hopkins Center for Health Security. See

39: See Boyd, M, Baker, M, and Wilson, N (November 2019), “New Zealand’s poor pandemic preparedness according to the Global Health Security Index”, in Public Health Expert, at See also Boyd, M, Baker, M, Nelson, C, and Wilson, N (June 2020), “The 2019 Global Health Security Index (GHSI) and its implications for New Zealand and Pacific regional health security”, in New Zealand Medical Journal, at

40: Although the CIMS framework does recognise the value of identifying broader lessons to inform future response planning, it presents this as optional. It states: “after demobilisation, lead agency, multi-organisation, and community debriefs may occur”. It also states that these can be formal or informal.

41: The widespread misuse of this term is discussed in Australian Institute for Disaster Resilience (2019), Lessons management handbook, at In New Zealand, the 2014 and 2019 editions of the CIMS framework briefly stated that lessons are not learned until they have actually been applied, but the CIMS framework does not discuss how to do this.