Part 5: The Electoral Commission's approach to managing election risks

General Election 2023: Independent review of counting errors.

Our review looked at how the Electoral Commission considered and managed risks related to running the 2023 General Election. The Commission has a low tolerance for certain risks, including the risk of significant reputational damage, loss of trust in the system or the Commission by the public, political parties, or other key stakeholders, and an actual or perceived lack of integrity in its processes, systems, and behaviours.

Risk management is about identifying and treating risks so that the Electoral Commission can achieve its objectives. Assurance is about having confidence that risks are being managed as intended and residual risks are within the organisation's risk tolerance.

Risk treatments can include ways to manage or control risks by reducing their likelihood or impact, mitigating their impact, or avoiding the sources of risk. They can also include taking advantage of opportunities that may make a favourable outcome more likely.

The Electoral Commission has a Risk Management Policy (the Policy) and Risk Management Operational Framework to govern its risk management.

The Electoral Commission recognised weaknesses in risk management and assurance in its 2022 review and has recently invested in risk management and assurance to strengthen these functions.

Risk management before the election mostly focused on external risks

Our overall observation is that the Electoral Commission had a well-structured approach to managing external risks in the lead-up to the 2023 General Election. There was less emphasis on internal risks to the accuracy of the count.

In the lead-up to the election, the Electoral Commission was particularly focused on external risks, such as potential disruptions due to serious weather events, mis/disinformation, threats to health and safety, privacy risks, and external cyber security risks.

The Electoral Commission told us that they focused on some internal risks in the lead-up to the election, including financial controls, health, safety, and well-being, the integrity of enrolment processing in relation to the Māori electoral option, and security preparedness, including insider threats. The Electoral Commission Board did site visits to electorates to understand field activities. However, there wasn't a focus on post-election internal controls.

In our view, the post-election internal risks did not receive enough attention, meaning that they were not well understood, were underestimated, or assurance was not available about whether internal controls could effectively reduce the risk to a tolerable level. It is unclear to us how the executive leadership team or the Board received assurance that risks affecting the accuracy of the count were well understood and would be well managed.

Legislative responsibility for electorate matters sits with electorate managers, and a lot of decisions are delegated to electorates. The Board received information on voting statistics and was informed of risks and statistics affecting electorates.

Getting ready for the election was managed separately from the Electoral Commission's usual operations. It was managed as a programme of work (the GE2023 Programme). We consider this is an appropriate way to manage an election, which is a significant event made up of inter-related activities, held every three years, that is different from day-to-day operations. Good programme management typically includes good risk management discipline.

A separate governance structure (the Programme Board) was established to oversee the successful running of the election and ensure that election integrity was maintained. The GE2023 Programme had five workstreams, each managed by a project manager. The Programme Board reported to the Electoral Commission Board, providing it with assurance about readiness for the election.

In May 2023, an external independent quality assurance (IQA) provider carried out a "health check" of the GE2023 Programme. A health check looks at how a programme is managed and governed to consider whether everything is in place for the programme team and governance to plan, deliver, guide, and control the programme.

The Electoral Commission received an overall delivery confidence of "likely" from the IQA. This meant that attention was required to ensure that risks did not materialise into issues that would threaten key milestones. The report contained 23 summary recommendations, categorised into 11 focus areas. The Board accepted the recommendations, prioritised them, and prepared action plans. Progress reports and evidence that recommendations had been completed were reported to the Programme Board monthly.

One high-priority recommendation was to conduct quarterly risk workshops with key programme/project stakeholders. Ongoing risk workshops involving a range of stakeholders are a useful way to identify risks or changes to identified risks.

This was not completed before the Programme Board was replaced by a General Election Delivery Taskforce (discussed below). Up until the Taskforce took over, risks were being managed, documented, and reported.

Voting Services (a workstream within the GE2023 Programme) was responsible for designing and delivering all voting services for the election, including field readiness and the post-election process design. We did not see evidence that internal (largely manual) controls that affect the accuracy of the official count were identified as a risk to be managed. This would have been challenging to do because, as we describe in Part 4, the Electoral Commission did not, at that stage, have a fully documented end-to-end process for the election. We consider that the effectiveness of controls within these processes was misunderstood or over-estimated.

The approach to managing risks in the lead-up to the election was structured, and included regular monitoring using a risk register and escalating risks to the Electoral Commission's Board when required. There were also recognised constraints to be managed. These were time, cost, resource, and legislative constraints affecting how the election needed to be run.

It is widely recognised that there are three constraints to managing any project that affect whether the project will deliver its full scope – time, cost, and quality. These are often competing constraints, and trading between them is usually possible. However, when trade-off options are limited, there is a heightened risk that the quality of the end product (in this case, the accuracy of the election results) may be adversely affected.

For the 2023 General Election, the scope was well defined (the election and its result) and there was limited ability to adjust time and cost (including the ability to increase resourcing). As a result, quality was more vulnerable and was the option that was, effectively, traded off.

Risk can be defined as the impact of uncertainty on objectives. The shift in voter behaviour to later enrolment, the high volume of enrolments, the compounding pressure on post-election processes, and the instruction to not continue investigating apparent dual votes inevitably brought uncertainty. We consider that this should have been identified as a serious risk with implications for reputational damage (as has happened) and should have been managed appropriately until the election results were announced.

The approach to managing risks changed before the election

From 10 September 2023, about a month before election day, the General Election Delivery Taskforce was set up specifically to manage running the election. This replaced the Programme Board. During the election, the Chief Electoral Officer and the Acting Chairperson of the Board received assurance from the Taskforce on the status of election activities across the country.

In our view, planning for and running the election, including the official count, should be regarded as a single programme made up of multiple projects. Maintaining the same programme management discipline throughout the entire period would have provided a continuous and consistent approach to identifying, assessing, managing, and reporting risks to the Board.

The Taskforce was large, with 16 staff members and five regional managers. The Chairperson of the Taskforce reported daily to the executive leadership team. The Chief Electoral Officer (a member of the executive leadership team) escalated issues to the Electoral Commission's Board, which he was also a member of.

The Taskforce took a less structured approach to reporting and managing risks and issues. It did not formally report on risks (previously monitored through risk registers) or track progress against expected election milestones. Updates at the Taskforce meeting were provided verbally, and the situation report was a record of discussions held and actions taken or to be taken. The situation reports were available to the executive leadership team.

We were told that there was not a good understanding (including by the executive leadership team) of roles and responsibilities in the post-election period and the sequencing of tasks, including the effect of delays.

When the executive leadership team became aware of significant delays in processing enrolments in the post-election period, there was limited time and few options at that stage to address the issue. The executive leadership team and the Board were not receiving sufficient information about the post-election process to be able to make informed and timely decisions to manage the risks before they became issues.

We were also told that there was, at times, reluctance to raise and escalate risks, and a tendency to downplay the likelihood and/or impact of risks.

The Electoral Commission has low tolerance for risk of a "loss of trust in the system by the public, political parties, or other key stakeholders". With that in mind, we consider it needs to improve its risk management approach to ensure that there is an appropriate focus on post-election risks, and improve its processes for preventing and detecting errors.

Although we welcome the Electoral Commission's investment in its risk and assurance functions, we did not see a holistic assessment of all sources of risk to the integrity of the election, or complete documentation of the associated controls it would use to ensure that these risks were well managed. Without that, assurance to the Board will remain limited.

Recommendation 7
We recommend that the Electoral Commission enhance risk identification processes and continue to apply programme and project management disciplines (including managing risks) throughout the election period.