“SPER conducted at least 20 reviews (gateway reviews, program health checks and various other reviews)… SPER did not address warning signs raised through some of these reviews—including concerns with the lack of an operating model, the vendor’s product, and SPER’s relationship with the vendor” (3).

Audit office inquiry

Everyone has a stake but no one wants to be responsible 

Interviewed governance professional, DTA

Project reporting should be “a single source of truth” to reduce reporting burden and to share with internal and external stakeholders, and contain the following (2)

  • Key project milestones
  • Spend to date and forecast spend to complete
  • Earned value (or equivalent) to enable clear monitoring of work completed compared to plan
  • Key workforce metrics
  • Material risks
  • Governance effectiveness metrics – feedback loops on quality of materials, engagement, debate and decision-making (e.g. short survey at end of each meeting)
  • Change readiness indicators
  • Go-live date
     
From the Review of the Modernising Business Registers Program

Good communication overcomes poor governance 

Interviewed SRO, Australian Government

Governance tips from an experienced SRO

On structure:

  • Use defined decision-making frameworks. Treat governance as a “friend” framed around risks
  • In my programme with >10 projects, each had its own SRO. The formal programme board was a decision-making forum, with feedback mechanism to the agency head through to the organisation’s board and across government
  • Underneath the programme board, I established good delivery governance. I also attended standups with each project and SRO every week to unblock things, clear change protocols and manage dependencies
  • To succeed, we needed a high functioning PMO, tracing original requirements to delivery, governance ensuring that “right people are working on right things at right time”

On decision-making:

  • Ensure clear delegation of decisions and authority between the programme and project levels  
  • Defined project and programme tolerances:
    • Programme level – decision-making sits with SRO. For example, there were 34 milestones. If we shift on those, that is a decision for SRO and minister.
    • Project level - decision making authority to make decisions around their milestones, as long as it doesn’t impact delivery of government milestone and SRO has transparency.
       
Experienced SRO

"Over governance is worse than under governance" 

Interviewed SRO, Australian Government

“There was a dearth of expertise and continuity of membership on these bodies which affected the skills applied over the life of the Project” (1)

Queensland Health Payroll Inquiry

Understand government's directions and decisions for digital

“In Australia, we have over 9,000 partners. Seventy per cent of those are Australian small and medium-sized businesses” 

Microsoft submission, page 5 Economic Reference Committee – Influence of international digital platforms

“I like not having to start from the start.” 

A buyer from a large Government agency

“Half the time agencies miss out on things they are entitled to” 

Agency buyer

"The Plan sets a proactive stance to increase purpose AI technologies. AI adoption. It ensures the Australian Government keeps pace with community expectations as well as international peers."

Senator the Hon Katy Gallagher, Minister for Finance, 12 November 2025

"An AI use case is a specific application of an AI system or systems to achieve certain objectives or perform certain tasks."

"An AI system is a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. Different AI systems vary in their levels of autonomy and adaptiveness after deployment."

"an event, circumstance or series of events where the development, use or malfunction of one or more AI systems by, or under the direction of, an Australian Government agency directly or indirectly leads to any of the following:

  1. injury or harm to the health of a person or groups of people;
  2. disruption of the management and operation of critical infrastructure;
  3. violations of human rights or harms arising from a breach of obligations under applicable laws, including intellectual property, privacy and Indigenous cultural and intellectual property;
  4. harm to property, communities or the environment."

“With clear requirements in place, agencies can make more consistent and confident cloud decisions. This will lift the security, performance and long-term sustainability of the systems that underpin essential services accessed daily by Australians,”

Lucy Poole, Deputy CEO, Digital Transformation Agency

Criterion 3 – Protect users

Your responsibilities

To successfully meet this criterion, agencies need to:

  • establish and maintain a safe digital environment for users
  • counter scams and misinformation  
  • provide transparency and feedback loops.

When to apply

Apply Criterion 3 throughout Live as you build and maintain a safe user environment.

Revisit this criterion across the Service design and delivery process to ensure Safety by design principles are incorporated where appropriate.

Questions for consideration
  • How can we establish confidence and trust among users?
  • Are we clear about potential risks to users and proactive in mitigating these risks?
  • How can we monitor and respond to safety-related incidents quickly?
  • Have we incorporated safeguards that allow services to be used in public spaces, such as libraries and service centres?
