Embrace contestability: Offer clear avenues for users to submit complaints, including security data and cyber concerns, contest decisions or report issues.
Wherever possible, make avenues anonymous by default and identifying by choice to grow the likelihood of useful feedback. Provide users with timely and transparent responses, tailored to their feedback, to demonstrate it has been addressed or will inform future action.
Undertake periodic audits: Audit your service, data-handling practices, security incidents and compliance with whole-of-government policies. Use an independent review to test assumptions and identify issues that may be taken for granted. Use these results to improve and keep your service fit for purpose (Criterion 10 ‘Keep it relevant’).
This guide is not intended to be used in a prescriptive or formulaic way. Rather, it provides support to an independent assurer by providing the evidence on what has been found to contribute to digital project success and failure.
Similarly, there is no prescribed template. Rather, agencies are encouraged to incorporate these assessments into their own governance processes in managing assurance activities and their outcomes.
It is also anticipated that delivery confidence will change throughout the project. For example, when working with any but very familiar technologies, it could be difficult to justify high confidence against schedule and cost until the later stages of a project, especially given the frequency of over-time and over-budget projects.
The relevance of some elements will also vary based on whether the delivery team are using an agile, hybrid or waterfall approach to delivery. For example, while agile approaches may tend to de-emphasise up-front planning, this can be problematic in large projects with many interdependencies. Digital projects are both highly context dependent and vary significantly based on the degree of digital transformation they entail.
Finally, it is possible that the project status reporting indicates a DCA rating that is different to the DCA delivered by the assurance activity. This could happen when the assurance report reveals a mismatch between project documentation informing assurance and the active risks and issues that are manifesting in the project.
Consequently, while this document may provide a guide, any DCA rating must rest on the expertise and discretionary judgment of the independent assurance provider.
Assurance research series: 01