Environmental Protection Agency has not conducted a comprehensive sector-wide risk assessment or used a risk-informed strategy to guide its actions to improve the water sector’s level of cybersecurity. We previously found that using a risk in formed strategy can improve the effectiveness of agency efforts to develop critical infrastructure cybersecurity programs.
CRITICAL INFRASTRUCTURE PROTECTION: EPA Urgently Needs a Strategy to Address Cybersecurity Risks to Water and Wastewater Systems GAO - USA 2024

50% of aid has been granted primarily for the development of information systems aimed at the state , although the role of the private businesses and the citizens in the development of information society has also been touched upon in the Information Society Development Plan. This means that state agencies have received as much aid as the other two target groups put together. The state is also favoured in the distribution of aid within the scope of implementation schemes: the actual target group of the open application call (local authorities, non-profit associations), for example, only received 15% of the money distributed on the basis of the scheme.
Use of European Union funds in promoting information society RKTR - Estonia 2012

Since there are no identified national cyber security risks, no national cyber security risk management plan has been drawn up and acceptable national cyber security risks and their tolerance limits have not been determined, therefore there is no coordinated risk management process at the national level that would ensure the necessary protection, prevention and response measures and capabilities utilization.
Cyber Security Assurance VK - Lithuania 2022

Australia Post has not met the requirements of its framework (…) has not fully implemented controls in line with either the Top Four or the four non-mandatory strategies in the Essential Eight [mitigation strategies in the Australian Government Information Security Manual].

not fully implemented information_security Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities ANAO AU 2019

A clear example of shortcomings in strategic considerations is Sweden’s approach to the issues within and in relation to the EU. The work in the EU is high paced and if Sweden is not engaged and influences that work early on, there is a great risk that the international regulatory framework will not favour Swedish interests to the same extent as would otherwise have been possible.

work in the EU information_security Government control of national information and cyber security – both urgent and important RiR Sweden 2023

model contract clause information_security Audit of the effectiveness of incident management in protecting federal ICT from cyber-risks SFAO Switzerland 2022

The strategic and legal framework of cybersecurity was not adopted, which affects the implementation of information measures and security standards. (…) Postponing the adoption and harmonization of the strategic and legal framework of cyber security with the EU legislation does not only result in failure to fulfil the assumed obligations, but contributes to the technological backwardness .
Activities of BiH institutions to ensure the basic assumptions for cyber security SAIBIH - Bosnia and Herzegovina 2022

The Federal Procurement Conference has drawn up a model contract clause on cyber-risks. The contractual provisions on information security are a step in the right direction. However, deadlines for reporting cyberincidents vary and would have to be defined in accordance with usual practice. Moreover, the clause would have to be renegotiated for longterm contracts.
Audit of the effectiveness of incident management in protecting federal ICT from cyber-risks SFAO - Switzerland 2022

Detection and response strategy not yet completed. (…) the objective set for the end of 2017 of instantly detecting any cyber attacks directed against critical water structures had not been achieved by the autumn of 2018. As a result, Security Operations Centre (SOC) does not have an up-to-date picture of the cyber security status of all critical water structures, which means that there is a risk of hackers being able to break into critical structures unnoticed. This also means that there is a risk of the Directorate-General failing to detect a cyber attack directed at a critical water structure, or of detecting such an attack too late.
Strengthening the digital defences: the cyber security and critical water structures NCA - Netherlands 2019

National strategies emphasizes the importance of developing outcome-oriented performance measures to assess the effectiveness of actions taken to help address long-standing challenges. Establishing such measures can help organizations demonstrate the degree to which desired results were achieved. Although the implementation plan tasks ONCD with assessing the effectiveness of the strategy, the plan does not identify any outcomeoriented performance measures to assess the effectiveness of the steps taken under the eight information sharing initiatives described in the plan. (…). Until ONCD identifies outcome-oriented performance measures to assess progress made in implementing the eight information sharing initiatives, ONCD will not have a clear definition of what it wants to accomplish.
National Cybersecurity Strategy Needs to Address Information Sharing Performance Measures and Methods GAO - USA 2023

The SRMAs have not fully assessed the effectiveness of their support to sectors in addressing ransomware. Specifically, three of the six selected SRMAs have evaluated aspects of their support and three SRMAs did not demonstrate efforts to evaluate any of their support.
CRITICAL INFRASTRUCTURE PROTECTION: Agencies Need to Enhance Oversight of Ransomware Practices and Assess Federal Support GAO - USA 2024

The feedback given by the Ministry about the impact of the aid changes year on year, and is sometimes the most suitable for the Ministry itself. The expected levels of many indicators that measure the results achieved with the use of the aid have been changed with several of them now more modest than initially determined. This applies mostly to the indicators that were determined in the first years of the programme period and the new indicators added in recent years have generally not been changed. As the Ministry of Economic Affairs and Communications has been one of the quickest to use the EU funds due to its attempts to reduce the impact of recession on the IT sector, then such volatility may have been caused by rushing into things without thinking them through.
Use of European Union funds in promoting information society RKTR - Estonia 2012

One aim of the National AI Strategy is for the public sector to become an exemplar of safe and ethical deployment of AI. The activities to deliver this aim sit across many bodies and have not been underpinned by supporting governance arrangements, clear accountabilities, an implementation plan or performance metrics to track progress. The National AI Strategy – AI Action Plan published in July 2022 summarised activity, but did not set out outcome measures or detailed implementation plans to support the aim for the public sector to become an exemplar. Initially a cross-government AI Strategy Delivery Group was established by the Office for Artificial Intelligence to oversee delivery, but this was disbanded in March 2022.
Use of artificial intelligence in government NAO - UK 2024

No scenario had been constructed specifically for a crisis caused by a cyber attack. Moreover, no information was available at head office on the cascade effects caused by a cyber attack on the critical water structures. We also found that certain important documents relating to the response to a cyber attack (i.e. crisis maps and network reports) were not kept up to date. This means that there is a risk that the response to a cyber crisis may be neither sufficiently rapid nor sufficiently effective.
Strengthening the digital defences: the cyber security and critical water structures NCA - Netherlands 2019

The increased number of checks at the request of individuals has in recent years claimed an increased amount of the Commission's resources at the expense of supervisory activities. The Swedish NAO assesses that the Commission’s self-initiated supervisory activities constitutes an important part of its remit. If these activities have to give way too much there is a risk that the Commission on Security and Integrity Protection will not fulfil its remit.
Oversight of law enforcement agencies - An audit of the Swedish Commission on Security and IntegrityProtection RiR - Sweden 2016

The minister’s water saving strategy is facing a range of problems ; behavioural change cannot be taken for granted, drinking water has low price elasticity, and the compulsory technical measures being studied are making slow progress.
Drinking water under pressure NCA - Netherlands 2025

Mega-projects are often so costly, and carry so much risk and uncertainty, that cost increases can dominate the financial position of a department or even the whole of government and can also create opportunity costs elsewhere. Complexity can also lead to projects and their promised benefits being delayed. In 2023, the government decided to cancel Phase 2 of High Speed Two (HS2) due to the increasing costs of Phase 1, repeated delays to the schedule and changing patterns of travel since the COVID-19 pandemic. The government stated that the HS2 project accounted for over one-third of all government transport investments at that time, and that it prevented the government from spending on other transport priorities.
Lessons learned: Governance and decision‑making on mega‑projects NAO - UK 2025