GERMANY: Success factors for crisis resilience of federal IT during the Covid-19 pandemic

28.05.2022

In 2021, the German SAI examined how the federal administration's IT functioned under the particular challenges of the Covid-19 pandemic. One of the central questions was why some authorities were more affected by limitations in their IT-supported business processes than others.

For this purpose, we surveyed a representative selection of federal authorities and enriched the survey feedback with previous audit findings. Based on the results, we were able to make recommendations to the German administration on how the resilience of federal IT can be increased. Our advice complemented the need for action that the federal administration had identified in its own lessons-learned process.

A fundamental and less surprising insight was that the degree to which a federal authority was equipped with mobile IT had a direct effect on its ability to maintain its business processes. Authorities that experienced fewer issues in the first phase of the Covid-19 pandemic had twice the percentage of mobile IT workplaces of those whose business processes were more heavily affected.

A high percentage of mobile IT workplaces and a sufficiently dimensioned network connection were two important basic prerequisites that stabilised the ability of numerous authorities to act. However, we identified further factors that need to be considered in order to be prepared for crises that affect IT more directly, e.g. cyberattacks, large-scale power outages due to natural disasters or the failure of global supply chains. In order to deal effectively with such crisis events, we identified three core elements. Based on these insights, we made the following recommendations to the German government.

  • Crises are easier to manage when federal authorities have an organisation-wide risk management system in place. Authorities that had a risk management process implemented experienced fewer difficulties maintaining their business processes. Thus, effective risk management is an important precondition for increasing the crisis resilience of individual federal authorities. In addition, the federal administration must consider relevant risks in a cross-authority risk management process, as cascading effects can occur due to increasing interconnectedness and interdependencies. Furthermore, the authorities should commit to a binding standard for risk management.
  • Effective Business Continuity Management strengthens crisis resilience. As a precaution for large-scale (IT) emergencies and crises, it is particularly important for authorities to analyse their critical business processes at regular intervals according to a standardised methodology.
  • Increasing digitisation combined with constantly rising threats makes it necessary to effectively interlink general crisis management and IT crisis management. IT has become a fundamental aspect of the crisis resilience of federal authorities. Crisis management should therefore identify the information and communication technology capabilities and resources that are imperative to remain able to act in a broad spectrum of crises and crisis-like manifestations.

 

Conclusion

Beyond the Covid-19 pandemic, monitoring federal authorities' capabilities to withstand crisis-level events will remain a significant audit focus of the German SAI. The current Russian war of aggression against Ukraine highlights the relevance of this audit field once again.