Queensland Audit Office

Governments often need to make decisions and implement policies in a rapidly evolving environment, such as when responding to natural disasters or other economic and environmental crises. The urgency of the COVID-19 pandemic is a similar example. It not only demanded fast decision-making by governments, but also meant public sector entities and local governments needed to rapidly implement and operationalise decisions.

During the pandemic, entities were forced to operate in an incredibly agile and iterative manner. This was integral to effective decision-making on the design, implementation and delivery of the economic stimulus, as well as other response and recovery activities. Our recent report on Managing Queensland’s COVID-19 economic response and recovery (Report 3: 2022–23) provides some key learnings and recommendations that all organisations can consider when undertaking rapid response initiatives.

Build on existing emergency response frameworks

In these situations, entities typically build on existing emergency response frameworks, which are updated to address new and emerging business impacts and risks. Additionally, entities need to set up a fit-for-purpose governance framework and multi-disciplinary teams to design and deliver the new response.

It is important that the framework the entity will use for decision-making is clear, for example, decision makers should be clear on what decisions they are empowered to make, who they need to consult for advice, and how outcomes will be measured.

Ensure a regular supply of current data and information

This need for decision makers to focus on the ‘here and now’ means they must iteratively review the metrics for the outcomes of the rapid response initiatives they are implementing. They then can use this data to drive decisions about matters such as whether to continue, change the course of action or change pace.

Urgent situations also require more judgment, and often a change in management controls. This can unintentionally create situations that increase the risk of errors and fraud. To manage these risks, entities need to document their risk assessments and mitigation strategies. Entities also need to review their internal control framework to ensure it remains robust but responsive to making quick decisions. There is also an opportunity for entities to explore collaborating and sharing data with each other regarding new and emerging risks.

Some normal requirements can be relaxed temporarily

Based on the risk assessments, processes can be redesigned to improve the speed of decisions and assessments, while still ensuring preventative (before a decision is made) and detective (after a decision is made) controls can operate effectively. An example is what information can be assessed before and after is the processing of claims or payments. Risk management plans must include a mechanism for a timely review of program outcomes after the event that includes identifying errors or fraud and remedial actions. The entity can also incorporate this review into its existing compliance program if it has one for addressing similar risks.

Related article