2. Organisations need a robust and agile approach to digital transformation and strategic procurement
Selective technology advances were made during the COVID-19 crisis on a needs basis, while some less urgent or legacy modernisation projects were deferred. Two guiding comments are provided from the Queensland Audit Office’s most recent review of Queensland technology projects:
- the public continues to become more reliant on working, learning, and doing business remotely, and it will be essential for governments to use technology to transform their services, but
- the current economic climate emphasises the need to ensure public sector technology investment delivers value.
The pandemic accelerated public sector adoption of cloud solutions, providing flexibility to scale and more rapid delivery, as well as the possibility of shifting capex investment into more consistent and predictable opex funding. It has been reported by Gartner that by 2025, 95% of new IT investments made by government agencies will be made in “anything as a service” (XaaS) solutions, and over 75% of governments will have more than half their workloads with hyperscale cloud service providers. As well as the now-traditional categories of software and platform, categories of IT infrastructure and software services provided by subscription include business process as a service, unified communications as a service, and case management as a service. A shift from direct management to brokering ICT products and services will impact required organisational skillsets.
Organisations are facing continuing challenges. These include:
- increased risks of disruption,
- security management risks (cyber, data and operational),
- the imperative and consequences of rapid decision-making,
- maintaining workforce productivity, and
- ensuring the stability of critical business processes underpinned by core technology and systems such as ERP, Network, Infrastructure, Applications and Data.
These challenges call for robust and agile procurement response strategies with implementation horizons ranging from immediate, short to mid-term and long term.
In respect of digital transformation approach and methodology, experience is showing that smaller, incremental development, and agile development methodologies, are more successful. Our technology consulting team has advised 70+ clients across federal, state, and local government.
3. Data protection and management requires its own transformation
Data, its management and protection, is a key consideration for public sector entities. Data-sharing between agencies is becoming commonplace (notwithstanding some regulatory compliance hurdles). Government data is becoming more widely considered for input to decision intelligence systems. It is reported that, by 2024, it's anticipated that 60% of government AI and data analytics investments will aim to directly impact real-time operational decisions and outcomes.
Government data-sharing requires an appropriate balance between managing compliance while also improving transaction speed and reducing friction. Outcomes-focussed perspectives can result in stakeholder confidence to apply data and data-sharing in support of an organisation’s strategic goals.
Data protection and management goes well beyond privacy. In Queensland, public sector entities should be aware that the Queensland Government has released for consultation proposed reforms to Queensland's privacy and right to information framework. This includes introduction of a mandatory data breach notification scheme. If implemented, the changes would no doubt introduce changed administrative and resource burdens.
Many organisations now recognise that while they thought they were embarking on digital transformation, in fact what they need is data transformation. The public sector will need to allow citizens to pay a greater role in controlling and accessing their data to ensure there is trust in the technology, and in the responsible deployment of AI.
4. Integrating digital and strategic goals is critical
The ICT changes due to the COVID-19 shock were largely tactical and responsive in nature, though the role and utility of ICT in government has been elevated by those changes. Recovery provides the opportunity to take stock and consider more strategic issues.
Technology strategy will link an organisation’s technical developments and work programs to the overall strategic goals of the organisation, while remaining agile and responsive to changes in organisational requirements, and identifying, managing and communicating risk. Scenario planning and roadmaps can assist to finesse and communicate strategy. Citizen experience remains a top concern.
In Queensland, the Queensland Audit Office has emphasised its expectation that technology projects need to be strategically set up to maximise success, that an organisation’s need for projects should be actively challenged and validated on an ongoing basis, and that periodic reassessment should be undertaken to confirm that projects have the right approach and skills.
Digital strategy often involves a shift to the cloud. This shift offers organisations compelling benefits, including reduced capital expenditure, increased operational agility and faster innovation. However, the move also comes with contracting risks that – unless deftly negotiated – could leave an organisation facing significant legal and commercial harm.
The cloud services landscape is becoming increasingly complex, particularly in a quickly evolving regulatory environment. Organisations should enter the cloud services procurement process armed with a clear understanding of their regulatory requirements and risk settings.
Overall, the digital strategy needs to build trust in government through use of digital tools and policy that enable transparency, accountability and 'explainability' such that there is ethical use of data and equitable access to services.
5. Regulatory compliance should be a priority as obligations increase
Security of Critical Infrastructure (SOCI) regulation has become a central feature of the regulatory space of technology management. Recent amendments have imposed new obligations on entities operating critical infrastructure assets. These include a positive obligation to report incidents, an expansion to the coverage of the regulation, and obligations in respect of risk management programs. Relevantly, hospitals, energy and other utilities, universities, ports, transport can all be impacted.
Other flagged regulatory changes that may impact technology leadership and strategy include, for example, the Queensland privacy and RTI reforms, as well as proposed changes to the Commonwealth Privacy Act, broadening the definition of personal information and increasing enforcement powers and penalties for a breach.
The previous Commonwealth government also released a Ransomware Action Plan in October 2021, which flagged an intention to introduce ransomware-specific laws including a mandatory reporting regime. The appointment of a dedicated Minister for Cyber Security tends to suggest these issues remain front-of-mind for the current government. The legal and policy constraints on paying of ransoms needs to be well understood.