21 January 2019

Biometrics Project Management

The ANAO has damned the Australian Criminal Intelligence Commission (ACIC) for comprehensive mismanagement of the Biometric Identification Services Project, concerned with the national fingerprint database and the Commonwealth's ever-expanding facial biometric vision. That administration is characterised as "deficient in almost every significant respect".

The Australian Criminal Intelligence Commission’s Administration of the Biometric Identification Services Project report states
ACIC did not effectively manage the BIS project with its approach characterised by:
  • poor risk management; 
  • not following at any point the mandated process in the contract for assessing progress against milestones and linking their achievement to payments; 
  • reporting arrangements not driving action; 
  • non adherence to a detailed implementation plan; and 
  • inadequate financial management, including being unable to definitively advise how much they had spent on the project.
ANAO comments that
The objective of this audit was to assess the effectiveness of the Australian Criminal Intelligence Commission’s administration of the Biometric Identification Service project. ... 
On 1 July 2016, the Australian Criminal Intelligence Commission (ACIC) was created through the merger of the CrimTrac agency (CrimTrac), the Australian Crime Commission (ACC) and the Australian Institute of Criminology (AIC). 
Prior to the merger, CrimTrac had commenced planning and initial administration of the Biometric Identification Services project (the BIS project or BIS). 
BIS was a $52 million project with two key goals: replacement of the existing National Automated Fingerprint Identification System (NAFIS); and addition of a facial recognition capability to enhance law enforcement’s biometric capabilities. 
A Biometric Identification Solution Contract was signed on 20 April 2016 between NEC Australia (NEC) and CrimTrac, just prior to ACIC’s creation. 
The BIS project encountered difficulties at an early stage. Despite intervention by the executive of ACIC and ultimately unsuccessful negotiations between ACIC and NEC, the ACIC CEO announced on 15 June 2018 that the project had been terminated. 
When it became apparent that BIS would not be completed prior to the expiry in May 2017 of ACIC’s contract with Morpho, the company that operated NAFIS, ACIC extended its contract with Morpho (for a substantially higher price). The NAFIS contract is now due to expire in May 2020. ACIC has yet to decide the future of NAFIS.
Rationale for undertaking the audit 
The audit was requested by ACIC’s Acting Chief Operating Officer on behalf of ACIC on 14 February 2018; and the BIS (and the system it was to replace, NAFIS) are critical enabling systems for Commonwealth and state law enforcement. A threat to the availability of this capability would be of significant concern to the Australian Government. 
Audit objective and criteria 
The objective of this audit was to assess the effectiveness of ACIC’s administration of the BIS project. 
The audit criteria were: Was the procurement process for the BIS project conducted in accordance with the Commonwealth Procurement Rules?; and Has ACIC effectively managed the BIS project to achieve agreed outcomes? 
Conclusion 
While CrimTrac’s management of the BIS procurement process was largely effective, the subsequent administration of the BIS project by CrimTrac and ACIC was deficient in almost every significant respect. The total expenditure on the project was $34 million. None of the project’s milestones or deliverables were met. 
The procurement was designed and planned consistent with the Commonwealth Procurement Rules and ICT Investment Approval requirements and the tender assessment process supported value for money. However, two critical requirements were overlooked in the requirements gathering phase and the approach to negotiating and entering the contract did not effectively support achievement of outcomes. This was a result of the contract not explaining the milestones and performance requirements in a manner that was readily understood and applied. 
ACIC did not effectively manage the BIS project with its approach characterised by: poor risk management; not following at any point the mandated process in the contract for assessing progress against milestones and linking their achievement to payments; reporting arrangements not driving action; non adherence to a detailed implementation plan; and inadequate financial management, including being unable to definitively advise how much they had spent on the project.
Further
The approach to negotiating and entering the contract did not effectively support achievement of outcomes because the contract did not explain the milestones and performance requirements in a manner that was readily understood and applied. 
Management of the project 
The governance framework for BIS was not effective. Risk registers established for the project were not used effectively. External reviews in June and November 2017 identified the absence of a robust governance structure. ACIC’s Audit Committee was not informed of the status of the project. 
Contract management was not effective. The stipulated contract process by which progress against milestones and deliverables was to be assessed was not followed at any stage and ACIC thus had no way of assuring itself that it got what it paid for. ACIC agreed to more than $12 million in additional work. Documentation showed that some of this work may have been unnecessary and other work may have already been covered under the contract. ACIC ‘inherited’ the former CrimTrac and ACC Electronic Document and Records Management Systems (EDRMS), leading to duplication and ineffective record keeping. Further, many staff did not use any EDRMS, instead keeping records on their own computers, in uncurated network drives or in email inboxes. While a Benefits Management Framework was developed and evidence showed that a benefits realisation and documentation process was intended, it was not implemented. An internal audit report had found that ACIC did not have an effective contractor management framework. 
ACIC established appropriate arrangements for reporting to stakeholders. However these were not fully effective because they did not result in sufficient action being taken and the external stakeholders felt that reporting dropped off over time. 
The contract provided an implementation plan including Solution Delivery and Solution Design, with more detail for Solution Delivery. The agreed schedule was not adhered to and was repeatedly extended before BIS was terminated in June 2018. In order to maintain the uninterrupted availability of a national fingerprint capability for law enforcement, ACIC was obliged to renegotiate the existing NAFIS contract at a significantly increased cost. 
Financial management of the BIS project was poor. ACIC’s corporate finance area had no responsibility for management of the financial aspects of the BIS project; neither did the project team have a dedicated financial or contract manager. ACIC was unable to advise definitively how much they had spent on the project. 
ACIC made a ‘goodwill’ payment of $2.9 million to NEC which was not linked to the achievement of any contract milestone. ACIC was not able to provide details of how the quantum of this payment was calculated.