Audit of the Government Operations Centre
Table of contents
October 2016
This material may be freely reproduced for non-commercial purposes provided that the source is acknowledged.
Executive Summary
Background
The Government Operations Centre (GOC) is part of Public Safety (PS) and an asset of the Government of Canada created in 2004 as part of a restructuring and enhancement of the security and emergency management elements of the federal government.
The Government established the GOC to provide stable, round-the-clock coordination and support across government and to key national players in the event of national emergencies. It provides an all-hazard integrated federal emergency response mechanism to events (potential or actual, natural or human – induced, accidental or intentional) of national interest. Examples include traditional emergency management events such as flooding and industrial accidents as well as national security events such as acts of terrorism and cyber events. The GOC assesses incidents, which it then triages for an appropriate response. In 2015, GOC management indicated that over 5,000 incidents were triaged, of which over 500 met established criteria for the GOC to issue an alert to government and trigger a risk assessment, planning and coordinated response.
Audit Objective and Scope
The objective of the audit was to provide reasonable assurance that the GOC has fundamental controls and practices that work together to help an organization manage its risk and achieve its objectives. This includes:
- Effectiveness and efficiency of operations and programs;
- Safeguarding of assets; and
- Compliance with laws, rules, regulations, standards, policies and procedures.
The scope focused on examining the governance, risk management and control processes related to the management and operations of the GOC that enable the following:
- Clear mission, roles, responsibilities and accountabilities;
- Effective coordination among players within and beyond the department;
- Effective dissemination of information, in support of situational awareness and information for decision-making;
- Robust response and notification protocols; and,
- Appropriate infrastructure for operational effectiveness, resilience and compliance with security requirements.
The scope of the audit included an assessment of the related policies, processes, controls and protocols in place to effectively respond to and manage events that took place between April 1, 2015 and March 31, 2016. The scope was restricted to the internal operations of the GOC and did not extend to an assessment of external stakeholder feedback. This decision was taken owing to the independent review, whose remit included examining the GOC’s mandate with external stakeholders, which was being conducted concurrently.
The Deputy Minister approved the Audit of the GOC as part of the Risk-Based Audit Plan for 2015-16.
Summary of Findings
Mandate and Accountability
To ensure sound management of the GOC, the audit expected to find that the mandate, governance structure, and roles and responsibilities are established, clearly defined, understood, communicated, and documented. Although, the GOC’s mandate and governance structure are clearly understood within PS; the findings from past reviews and the interviews conducted indicated that there is still a differing interpretation between external stakeholders of the GOC’s role pertaining to national security and international events. An independent review of the GOC, which was being conducted concurrently to this audit, examined the GOC’s mandate, governance, resources as well as its relationship with other federal government departments/agencies, other levels of government and non-governmental stakeholders.
GOC Policy and Procedure Framework
The audit expected to find that the GOC has implemented and maintains appropriate policies, procedures, plans, and reporting criteria. The audit found that GOC operations are supported by a robust, comprehensive and documented framework of policies, guidelines, protocols and processes. It was noted that aspects of the GOC policy and procedure framework can be streamlined and that they are not reviewed on a set schedule.
Human Resources
The audit expected to find that the GOC has adequate human resources strategies and protocols related to periods of peak activity and “surge-capacity”. The GOC has deployed staffing techniques to address their hiring challenges. However, it has not conducted data analysis of its historical workload, such as overtime costs and projected number and type of events to guide changes to its workforce and staffing needs.
Infrastructure (physical, technology & communications)
The audit expected to find that the GOC has defined physical, technology, and communications infrastructure requirements. The GOC has formally defined its infrastructure requirements and has successfully presented a business case to move to a new location that meets these requirements; however, the GOC currently remains in facilities that have been deemed to be inadequate.
Performance Measurement
The audit expected to find that the GOC has established a performance measurement strategy. The GOC has developed key performance indicators (KPIs) for corporate reporting processes and it gathers basic data on performance to address corporate requirements. It was noted that GOC management does not consider its current KPIs to be sufficient measures of performance that support day-to-day operations and manage the GOC effectively and efficiently. The GOC has developed new performance measures for corporate reporting, albeit they have not yet been implemented.
Audit Opinion
ImprovementsFootnote1 are required to the GOC’s policies and procedures framework, the analysis of human resource (HR) requirements, and the GOC’s performance measurement in support of day-to-day operations to ensure that adequate management controls are in place to achieve its objectives.
Statement of Conformance and Assurance
Sufficient and appropriate audit procedures were conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management. The opinion is applicable only to the entity examined and within the scope described herein. The gathered evidence complies with the Treasury Board Policy and Directive on Internal Audit. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program. The procedures used meet the professional standards of the Institute of Internal Auditors. The evidence gathered is sufficient to provide Senior Management with proof of the opinion derived from the internal audit.
Recommendations:
- The Assistant Deputy Minister (ADM), Emergency Management and Programs Branch (EMPB), should:
- Establish a process to conduct periodic reviews and updates of the FERP and NERS in consultation with government partners.
- Establish a set schedule to review and update event team guidelines and standard operating procedures as needed to ensure documented processes are current and relevant.
- Streamline risk assessments and contingency plans to increase their usefulness to event teams and other stakeholders and to reduce the level of effort for the required annual updates.
- The ADM EMPB should:
- Undertake an analysis of the HR requirements that estimates the number and type of GOC operations and support positions required over a multi-year period so that staffing needs are informed by historical workload volume and changes to its workforce.
- Develop mechanisms to improve the efficiency of designating and committing temporary resources from within Public Safety and from other government departments and agencies to the GOC in times when "surge capacity" is required.
- The ADM EMPB should:
- Ensure that performance measurement in support of the GOC’s day-to-day operations is developed and that mechanisms such as dashboards be introduced to support managers and inform senior management.
Management Response
Management accepts the recommendations of Internal Audit.
The key actions to be taken by management to address the findings and recommendations and the associated timelines can be found in the ‘Management Response and Action Plan’ section of the report.
CAEE Signature
____________________________
Audit Team Members
Denis Gorman, Chief Audit and Evaluation Executive
Gabrielle Duschner, Director Internal Audit and Evaluation
Sonja Mitrovic, Internal Audit Project Lead
Sophie Carrier, Senior Auditor
Deloitte consultants
Acknowledgements
Internal Audit would like to thank the all those who provided advice and assistance during the audit.
1 Introduction
1.1 Background
Public Safety Canada (PS) provides strategic policy advice and support to the Minister of Public Safety and Emergency Preparedness on a range of issues, including national security, border strategies, policing countering crime and emergency management. On behalf of the Department also coordinates the efforts of PS's Portfolio agencies, and provides guidance on their strategic priorities.
The Government Operations Centre (GOC) is part of PS and an asset of the Government of Canada created in 2004 as part of a restructuring and enhancement of the security and emergency management elements of the federal government.
The Government established the GOC to provide stable, round-the-clock coordination and support across government and to key national players in the event of national emergencies. It provides a mechanism to enable an all-hazards integrated federal emergency response for events (potential or actual, natural or human – induced, accidental or intentional) in the national interest. Examples include traditional emergency management events such as flooding and industrial accidents as well as national security events such as acts of terrorism and cyber events.
Under the Emergency Management Act, the Minister of PS is responsible for exercising leadership relating to emergency management in Canada by coordinating, among government institutions and in cooperation with the provinces and other entities, emergency management activities. Emergency management is defined as “the prevention and mitigation of, preparedness for, response to and recovery from emergencies”Footnote2. In support of this responsibility, PS developed the Federal Emergency Response Plan (FERP) in consultation with other federal departments in 2009, which was updated in 2011. The FERP is designed to harmonize federal emergency response efforts with those of provincial/territorial governments, non-governmental organizations, and the private sector. The EMA charges the Minister with responsibility to coordinate the Government of Canada’s response to an emergency. The FERP identifies PS as the federal coordinating department. PS led the development of the National Emergency Response System (NERS) with provincial and territorial officials in 2011, which provides for the harmonization of joint federal, provincial and territorial response to emergencies.
In 2015, GOC management indicated there were over 500 events that met the criteria to issue an alert to government and trigger a risk assessment, planning and coordinated response. Significant events affecting the national interest are wide-ranging in scope and complexity. The GOC organizes event teams as part of its preparation and response. In addition, there are on average 30 to 40 events that include national security activities each year, for which the GOC carries out risk assessments, interdepartmental coordination and planning.
The GOC indicates that its key functions include:
- 24/7 Monitoring and Reporting - The GOC continuously (24/7) monitors events of national significance and shares information with senior officials, provincial/territorial (P/T) governments and/or the private sector. The GOC is connected to multiple information and intelligence sources—media, law enforcement, intelligence organizations, emergency management organizations, private sector bodies—at international, federal government, P/T and non-governmental organization (NGO) levels.
- National-Level Situational Awareness - As a result of coordinated sharing of information with appropriate partners, the GOC is able to build and share common situational awareness at the national level related to all hazards of national interest, emerging or occurring.
- Warning Products and Integrated Risk Assessments - Based on the developed situational awareness, products related to emerging and occurring events are prepared and distributed to appropriate partners but not the general public. Among others, these products include notifications of events, situation reports that provide updates on the event and efforts to address it, technical reports and Geomatics products to facilitate sharing and understanding of issues. The GOC conducts risk assessments based on information to provide senior and elected officials and the private sector with accurate, timely and comprehensive information to quickly develop proper responses to an imminent or potential occurring event.
- National-Level Planning - The GOC assesses the requirement for development or amendment of plans to prevent, mitigate or manage events. Event-specific contingency plans (e.g. floods, earthquakes, industrial disasters) include the coordination of various departments’ actions as well as the provision of personnel and goods and/or transportation of resources to regions affected by an emergency. Requests for assistance from other federal departments and P/T governments come to the GOC and are part of the planning process. Planning is always done in concert and coordination with partners in order to harmonize existing authorities and responsibilities.
- Whole-of-Government Response Management - Concurrent to all the above activities is the management of the response to the event itself. Response management is principally the coordinated implementation of plans or established processes in concert with all partners to ensure a harmonized response to the event. Additionally, issues are identified for continued planning and decision making.
- Support to Senior Officials - The GOC, working with its partners, keeps senior officials informed of evolving events and identifies issues requiring their engagement. These issues are assessed and courses of action are developed, which are presented for senior-level decision or guidance through the GOC. Decisions are implemented through the GOC.
1.2 Audit Objective
The objective of the audit is to provide reasonable assurance that the Government Operations Centre (GOC) has fundamental controls and practices that work together to help an organization manage its risk and achieve its objectives. This includes:
- Effectiveness and efficiency of operations and programs;
- Safeguarding of assets; and
- Compliance with laws, rules, regulations, standards, policies and procedures.
1.3 Scope and Methodology
The scope of the audit focused on examining the governance, risk management and control processes related to the management and operations of the GOC that enable the following:
- Clear mission, roles, responsibilities and accountabilities;
- Effective coordination among players within and beyond the department;
- Effective dissemination of information in support of situational awareness and information for decision-making;
- Robust response and notification protocols; and,
- Appropriate infrastructure for operational effectiveness, resilience and compliance with security requirements.
The scope of this audit included an assessment of the related policies, processes, controls and protocols in place to effectively respond to and manage emergency events that took place between April 1, 2015 and March 31, 2016.
The Deputy Minister approved the Audit of the GOC as part of the Risk-Based Audit Plan for 2015-16.
Exceptions:
- The scope of the audit was restricted to the internal operations of the GOC and did not extend to an assessment of external stakeholder feedback. This decision was taken owing to the independent review, whose remit included examining the GOC’s mandate with external stakeholders, which was being conducted concurrently.
- The audit did not provide assurance in regard to whether specific incidents and events were managed effectively.
1.4 Risk Assessment
The risk assessment conducted in the planning phase of the audit informed the development of the audit scope and criteria. See Annex A and B for details.
1.5 Audit Opinion
ImprovementsFootnote3 are required to the GOC’s policies and procedures framework, the analysis of human resource (HR) requirements, and the GOC’s performance measurement in support of day-to-day operations to ensure that adequate management controls are in place to achieve its objectives.
1.6 Statement of Conformance and Assurance
Sufficient and appropriate audit procedures were conducted and evidence gathered to support the accuracy of the opinion provided and contained in the report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management. The opinion is applicable only to the entity examined and within the scope described herein. The evidence gathered complies with the Treasury Board Policy and Directive on Internal Audit. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program. The procedures used meet the professional standards of the Institute of Internal Auditors. The evidence gathered is sufficient to provide Senior Management with proof of the opinion derived from the internal audit.
2. Findings, Recommendations and management responses
Throughout the audit fieldwork, we observed several examples of how controls are properly designed and applied effectively. Examples of these observed strengths include:
- GOC operations are supported by a robust, comprehensive and documented framework of policies, guidelines, protocols and processes.
- The governance structure and roles and responsibilities within Public Safety for the GOC and its supporting functions (i.e. Communications, IT) are established, clearly defined, understood, communicated and documented.
- To manage its human resources effectively, the GOC has deployed staffing techniques to address hiring challenges.
- The GOC has formally defined its infrastructure requirements and has successfully presented a business case to move to a new location that meets these requirements.
- The GOC is the lead in the development of an interdepartmental program called Continuous Improvement of Federal Event Response (CIFER) to identify continuous improvement and ensure that lessons learned are incorporated into operations.
The audit team also noted some areas for improvement within the existing management control framework of the GOC, and where management practices and processes can be improved. The improvement opportunities are further described in the remainder of this report.
2.1 Mandate and Accountability
The audit expected to find that the mandate, governance structure, roles and responsibilities, and accountabilities are established, clearly defined, understood, communicated, and documented.
There are differing interpretations of the GOC’s mandate.
Under the Emergency Management Act, the Minister of PS is responsible for exercising leadership relating to emergency management in Canada by coordinating, among government institutions and in cooperation with the provinces and other entities, emergency management activities. The Government Operations Centre supports the Minister in discharging this responsibility.
PS, in consultation with other federal departments, developed the Federal Emergency Response Plan (FERP). The FERP outlines the governance structure when the GOC is preparing for or responding to an event in the national interest. In support of the FERP, the GOC developed a Concept of Operations, which outlines its mandate to support response coordination of events affecting the national interest, on behalf of the Government of Canada. This mandate is achieved through five main functions, including the responsibility to ensure a "whole-of-government" response capability. In light of these documents, we found that within PS, the GOC’s mandate, governance structure, roles and responsibilities are well defined and understood.
In 2010, a review of the GOC's role and understanding of its mandate by other government departments and agencies was conducted (referred to as the Purdy Report). The review found that despite the support for the GOC, there was "a widespread confusion and uncertainty" about the GOC's mandate and its ability to fulfill a whole-of-government coordination role. During the conduct of this internal audit, we noted the GOC has shared material to raise stakeholder awareness of its mandate. Since the Purdy Report, interviewees indicated that stakeholders have shown better understanding of the GOC’s mandate for events that occur frequently, or on a recurring basis. However, they also indicted that there still seems to be a differing interpretation of the GOC’s mandate related to national security and international events. The audit’s scope did not extend to an assessment of external stakeholder feedback on the GOC.
Stemming from our review, we found that the current governance structure does not include an advisory or governance body that provides advice or that assists in the communication and clarification of the GOC's mandate to other government departments and agencies. In addition, the absence of a formal authority for the GOC defined in legislation allows for varying interpretation by stakeholders of its role and mandate as a horizontal, whole-of-government entity. Therefore, owing to the differing interpretation of the GOC’s mandate among other federal government institutions, there is a risk that the GOC's ability to initiate and coordinate a timely and effective response to events may be compromised.
At the time of this audit report (September 2016) PS was in the process of conducting an independent review to examine the GOC’s mandate, governance, resources, as well as its relationship with other federal government departments/agencies, other levels of government and non-government stakeholders. This review continues the work of the 2010 Purdy Report to assess progress made in communicating the GOC's mandate and its role throughout the Government.
2.2 GOC Policy and Procedure Framework
The audit expected to find that the GOC has implemented and maintains appropriate policies, procedures, plans, and reporting criteria to guide its response to incidents and events.
Aspects of the GOC policy and procedure framework require streamlining and a set review schedule.
The audit found that GOC operations are supported by a comprehensive framework of policies, guidelines, protocols and processes that is rooted in the Federal Emergency Response Plan (FERP) and the National Emergency Response System (NERS); however, no periodic review and update of these documents was evident.
Policy and Procedure Framework
In addition to the FERP and the NERS, the GOC has a comprehensive list of guidelines and standard operating procedures to support their operations. However, the timely review and update of these documents by the GOC is a challenge due to resource availability. In addition, operational responsibilities of GOC personnel take precedence over administrative tasks, including the updating of standard operating procedures and guidelines. While the intent of the FERP and the NERS is to be evergreen documents that outline the processes and mechanisms to facilitate an integrated government response to an emergency, PS has not initiated a review or update since 2011. More specifically, the FERP is expected to be “formally reviewed based on lessons learned through exercises and actual events, and will be republished annually”; whereas the NERS is expected to be reviewed and updated every five years, in collaboration with provincial and territorial governments. Without periodic reviews and updates of these overarching documents, in consultation with government partners, there is a risk that the roles and responsibilities of the GOC and its partners in emergencies will not be communicated or understood, which could negatively affect the GOC's ability to coordinate a whole-of-government response.
Plans and Processes for Event Response
GOC management identified a need to review and update standard operating procedures and event team guidelines, and has included responsibility for updating these documents in tasks assigned to specific individuals within the GOC. However, there is no set schedule to review and update these procedures and guidelines. Since operational responsibilities and priorities take precedence, this has resulted in the deferral of such work that the GOC intended to undertake in the past year. We noted that GOC operational personnel have a clear understanding of the procedures and guidelines that they are to follow during the management of an event, so the GOC considers the update of these documents to be a lower priority than other activities. Without a set schedule to review and update these documents, there is a risk that the procedures and guidelines followed by GOC staff during a response to an event are outdated, and therefore considered to be of limited use, or discarded by event teams when an emergency occurs.
In our review of a sample of events managed by the GOC, we found that GOC staff followed procedures and guidelines, but event teams did not consider all of these useful:
- While risk assessments and contingency plans are intended as communications tools and guidance for incident and event management response, there are differing perspectives related to the purpose and audience of incident and event management plans among GOC personnel interviewed during the audit.
- Based on interviews with planning personnel, plans are intended for use by the emergency management community as a whole, suggesting that the additional context and description that is provided in the plans is appropriate. Interviews with event teams, however, indicated that detailed plans have limited use for operational purposes. The audit noted that efforts are underway to simplify plans as a result of feedback from event teams.
- Performing annual updates to risk assessments and contingency plans that are not viewed as useful in event management operations increases the risk of an ineffective use of the GOC's limited resources.
- While processes for event response, including event team guidelines and standard operating procedures, are documented and recognized as operational guidance, these documents are not typically consulted by operations staff during an event, since personal experience and the judgement of the GOC Operations staff are the primary inputs to the conduct of events.
- Since event management processes are well understood by GOC staff and given most events are managed using a similar overall approach and follow similar steps, some operational staff noted that there may not be a need for documenting detailed processes for event response. However, if event teams do not refer to or find documented processes useful for event response, there is a risk that they may not follow appropriate protocols and processes for event management.
Lessons Learned and Continuous Improvement
The GOC has established a ‘lessons learned’ process that is intended to be applied following all major events. During our review, we found examples of after-action reports and the Incident Review and Evaluation forms that were completed and reflected in contingency plans, standard operating procedures and event team guidelines. Although lessons learned trigger revisions and updates, where required, there is no set schedule to review all standard operating procedures and other documentation maintained to support operations.
A program called Continuous Improvement of Federal Event Response, or "CIFER", was soft-launched in 2015 to implement continuous improvement in how the GOC responds to events. CIFER is intended to formalize after-event reporting so that lessons learned can inform standard operating procedures and other documentation to support operations. Interviewees indicated that there were insufficient resources to implement new programs, such as CIFER given the number of events managed during the year. GOC management noted that they had identified this program as a resource/funding pressure.
Recommendation:
- The ADM Emergency Management and Programs Branch should:
- Establish a process to conduct periodic reviews and updates of the FERP and NERS in consultation with government partners.
- Establish a set schedule to review and update event team guidelines and standard operating procedures as needed to ensure documented processes are current and relevant.
- Streamline risk assessments and contingency plans to increase their usefulness to event teams and other stakeholders and to reduce the level of effort required for annual updates.
2.3 Human Resource Capacity and Capability
The audit expected to find that the GOC has appropriate human resources and capabilities to deliver on its mandate.
There is an opportunity for the GOC to analyze its overarching human resources/staffing needs and develop strategies and protocols related to periods of peak activity and “surge capacity”.
To ensure delivery of its mandate, the GOC has used various staffing techniques to address hiring challenges, and has been successful in obtaining short-term help from other Directorates within Public Safety, and from other government departments when additional "surge" capacity was required during the management of events. However, the GOC has not developed and implemented overarching HR strategies to guide changes to its workforce and staffing needs based on historical workload volume. More specifically, GOC management has not developed an analysis of ongoing staffing needs based on HR data such as overtime costs, workload, and the projected number and type of events. It has not used such analysis to support the development of an overall HR strategy that includes skills requirements and staffing level projections. The GOC, however, has established a comprehensive training schedule for its staff.
Given its focus on managing events, the analysis of staffing requirements and the subsequent development of a staffing strategy and plans are de-prioritized. In a more ad hoc or single time fashion, the GOC has indicated its needs to the Department. For instance, it leveraged a recent Department-wide "pressures" exercise to request additional human resources to assist with CIFER (an interdepartmental continuous improvement initiative) and national exercises.
Based on interviews, we noted that Operations positions are subject to high turnover. Typical public service alternatives to hiring full-time staff (e.g. term and casual employees) are often not well suited to the GOC and, in particular, to Operations staff since qualifications and skills sets required for Watch Officers are comparatively scarce. Management has implemented proactive mitigation strategies to help deal with HR staffing challenges associated with the nature of the GOC's work. The GOC has secured the assistance of an HR consultant who has assembled a pool of candidates for Operations positions (i.e. Watch Officers, who require specialized skills sets and experience) so that it can complete hiring cycles as quickly as possible. The GOC is developing training plans specific to individual positions. Once implemented, focused training will increase the alignment of skills sets to requirements defined by management.
We noted challenges related to the GOC's need to staff up quickly to support event teams (i.e., "surge capacity"). GOC management indicated that although many temporary staff recruited from other government departments were dedicated and useful to the GOC teams, most resources are not trained in emergency management and require the support of trained officials. This approach is also constrained by the need to request resources outside of PS, getting departments to identify appropriate individuals and having them then released to work at the GOC – all of which takes time. Management issues such as the payment of overtime and the loss of the “call-up” resource to the Department to respond to GOC requests impede the ability to supply temporary staff to meet "surge capacity". The GOC has maintained informal lists of people who have assisted with past events, but GOC management noted in interviews that these lists are of limited benefit, since it must make a new request each time a requirement is identified. Furthermore, designated individuals may not be available or on leave, or may have moved on to a different position or to a different Department.
In the absence of a documented HR/staffing strategy based on the number and type of events managed over a given period and tied to the mandate of the GOC, there is a risk that GOC management will continue to face ongoing staffing pressures to meet operational needs. Similarly, the GOC's access to outside help from other sources during times when management must demonstrate "surge capacity" will remain ad-hoc. When “surge capacity” is required for a designated event the GOC staff is reallocated to support that event. As a result, the reallocated staff stop performing their regular duties that would otherwise support the operations of the GOC. This affects the GOC's ability to deliver on its key functions for the duration of the event such as; planning, exercises and CIFER. If more support is required for a designated event, staff from PS and other government departments are requested, however as previously mentioned, the need to request and obtain permission can be a drawn-out process.
Recommendation:
- The ADM Emergency Management and Programs Branch should:
- Undertake an analysis of the HR requirements that estimates the number and type of GOC operations and support positions required over a multi-year period so that staffing needs are informed by historical workload volume and changes to its workforce.
- Develop mechanisms to improve the efficiency of designating and committing temporary resources from within Public Safety and from other government departments and agencies to the GOC in times when "surge capacity" is required.
2.4 Infrastructure (physical, technology, communications)
The audit expected to find that the GOC has defined physical, technology, and communications infrastructure requirements to support the operations and sustainability of the GOC.
The GOC has defined its infrastructure requirements and has successfully presented a business case to move to a new location that meets these requirements. However, the GOC currently remains in facilities deemed inadequate.
Throughout the audit, interviewees frequently identified the current physical infrastructure – the building itself as well as its fixtures, equipment and utilities systems – as the greatest risk faced by the GOC. The Department identified this risk in its corporate-level risk register. From an operational perspective, the principal risk to the GOC's ability to fulfill its mandate is that current infrastructure would likely be unable to support the concurrent management of two or more events. Investment priorities in recent years have not included replacement of GOC infrastructure.
Current facilities were noted as outdated by interviewees. For example, capacity of the current building’s electrical wiring does not meet GOC’s requirements, and the physical space does not permit establishment of appropriate security zones (i.e., for the review of classified information).
A succession of planning steps have been taken in support of new accommodations for the GOC in past years, including the development of architectural documentation, and the drafting of government funding requests (i.e., Treasury Board submissions, Memoranda to Cabinet). At the time of the audit report (September 2016), the business case for new accommodations has been accepted.
Physical infrastructure requirements for a new, purpose-built structure to house the GOC have been documented and include details related to physical construction, utilities, and use cases, such as the layering of security zones within the building to ensure appropriate separation of information and personnel, according to security classification. GOC management has included provision for additional FTEs in its investment plans given that the new GOC location may not benefit from its close proximity to the downtown location of PS headquarters.
From a technology perspective, the audit found that the GOC has defined requirements and implemented solutions to support its operations and sustainability, although interviewees noted that there are operational risks related to the handling of classified information. The principal software system used by the GOC, the Operations Centres Interconnectivity Portal (OCIP), intended to enable the sharing of incident data and information among federal, provincial and territorial operations centres, is certified only to manage unclassified information. There is a risk to the GOC that information management procedures are more complex due to the absence of an information repository for classified information, to complement the OCIP application's functions with unclassified data.
2.5 Performance measurement
The audit expected to find that the GOC has put in place mechanisms to effectively monitor and report on its operational performance.
The GOC has not developed performance measures in support of its day-to-day operations.
The GOC has key performance indicators (KPIs) for corporate reporting processes. GOC management indicated that they did not consider those KPIs to be sufficient measures of performance. Consequently, the GOC developed new KPIs to provide greater assessment of its performance. While these KPIs meet corporate requirements, they do not address performance measures for day-to-day operations. Furthermore, there are no mechanisms to report to senior executives at PS on how the GOC is delivering on its mandate and objectives. In the absence of quantifiable measures and targets to assess effectiveness and performance throughout the year, there is a risk that the GOC cannot demonstrate whether it is successfully delivering on its objectives. In addition, it limits the ability of the GOC to demonstrate how its workload is increasing over time and thus support requests for resources and demonstrate value.
Recommendation:
- The ADM Emergency Management and Programs Branch should:
- Ensure that performance measurement in support of the GOC’s day-to-day operations is developed and that mechanisms such as dashboards be introduced to support managers and inform senior management.
2.6 Overall Conclusion
The audit has established that the GOC has a number of management controls and practices required to ensure the achievement of its objectives. Through the evidence gathered, we found five areas that require improvement. Two of these areas, the GOC mandate and physical infrastructure, were already being addressed during the time of the audit. We have developed recommendations for the remaining three areas requiring management attention (i.e. the GOC policy and procedures framework, the analysis of the HR requirements, and the GOC’s performance measurement to support its day-to-day operations).
2.7 Management Response and Action Plan
# |
Actions Planned |
Target Completion Date |
---|---|---|
1 |
Recommendation:
|
|
Following completion of the GOC Review, the GOC will consult with federal, provincial and territorial stakeholders to develop a process and action plan for reviews and updates of the FERP and NERS.* |
March 31, 2017 |
|
Establish a schedule for the review of event team guidelines and standard operating procedures. A review section outlining timelines will be included in each document. |
March 31, 2017 |
|
Review the risk assessment and planning approach to ensure it is efficient and useful to event teams and other stakeholders. |
September 30, 2017 |
|
2 |
Recommendation:
|
|
Seek advice from Corporate Management Branch regarding how to establish a process for the analysis of future human resources requirements. Consult with the Policy and Outreach Directorate to obtain trends and predictive analytics from an all-hazards perspective. Conduct analysis of past GOC resource requirements for events and day-to-day operations.* |
April 1, 2018 |
|
Establish a process (internal and external) for surge capacity and develop related tools.* |
December 31, 2017 |
|
3 |
Recommendation:
|
|
Develop measures to assess the GOC’s ongoing operational performance.* |
August 31, 2017 |
* Subject to the timeline and outcome of the GOC Review
Annex A: Preliminary Risks
The following is a summary of the key risks identified in relation to the Government Operations Centre during the Planning phase of this audit, and which were assessed during the conduct of this audit.
Key Area |
Risk Statement |
---|---|
Mandate |
Given the number of stakeholders involved, the unique role of the GOC, and its increasing number of responsibilities, there is a risk that the mandate of the GOC, including its overarching purpose and objectives, may not be clearly articulated and understood. |
Roles and Responsibilities |
Given the number of entities and stakeholders involved with the federal government emergency management process, there is a risk that the roles and responsibilities of each of the players and stakeholders, and specifically the GOC, are not consistently understood. For instance, it was indicated that the role of the GOC with respect to national security events is not as well established or understood and some stakeholders do not consider these situations to be within the mandate of the GOC. |
Situational Awareness |
Given the importance of the GOC having the ability to monitor numerous sources of real-time information while retaining the ability to accurately assess the meaningfulness of observed events, there is a risk that key information is not appropriately or accurately obtained and synthesized in a timely fashion to ensure awareness and understanding to enable decision-making. This includes the risk that the GOC does not monitor the necessary number of information sources in an appropriate fashion, the GOC’s Operations Centre Interconnectivity Portal (OCIP) is insufficient to support real-time monitoring, and/or the criteria for identifying incidents and events are not clearly established or understood. |
Communication |
Given the GOC must engage a number of stakeholders to support the whole-of-government response to an event, there is a risk that communications channels are ambiguous and the flow of communications between the GOC and stakeholders is ineffective and/or inefficient. This includes the risk that the GOC does not have a process for rapidly identifying and engaging key stakeholders or succinctly communicating information requirements from subject matter experts and combining inputs into decision-enabling information products for a wide range of consumers. This may lead to decision makers not benefiting from the full value of available actionable knowledge. |
Event Management Planning and Protocols |
Given the mandate of the GOC to coordinate a whole-of-government response effectively and rapidly to emergencies, there is a risk that incident and event response protocols and processes, including contingency plans, are not sufficiently comprehensive, or clearly defined and documented. |
GOC Human Resources |
There is a risk that the current human resources strategy and capacity of the GOC is not sufficient to support the operations of the GOC, including appropriate surge capacity and the ability to effectively respond and manage incidents and events, given the expectation that the GOC can manage at least two events simultaneously. This includes the risk that either through inadequate training or the lack of defined requirements, the capability of GOC staff is not aligned with the expectations to successfully manage and respond to incidents and events. |
Continuous Improvement |
There is a risk that the GOC does not have a comprehensive process to review and conduct lessons learned on previous incident and event response. This includes the potential failure to implement improvements to GOC processes and protocols based on lessons learned that are conducted, which increases the risk that critical improvement opportunities are missed. |
Performance Indicators |
There is a risk that the effectiveness of the GOC may not be appropriately measured because it either does not have clear performance indicators to report on the effectiveness of its operations, or the processes to monitor and manage against performance indicators are inappropriate. |
GOC Infrastructure |
Given the mandate of the GOC to coordinate a whole-of-government response effectively and rapidly to incidents and events, there is a risk that the current physical and IT infrastructure in place for the GOC is not suitable based on the requirements of the GOC, thereby limiting operational effectiveness, resilience and compliance with security requirements. |
Annex B: Audit Criteria
Audit Criteria |
|
---|---|
Criterion 1: |
The mandate, governance structure and roles and responsibilities for the GOC are established, clearly defined, communicated, and documented. |
Criterion 2: |
The GOC has implemented an appropriate policy and procedure framework. |
Criterion 3: |
The GOC has appropriate processes for planning and risk assessment, situational awareness and event management to effectively respond to incidents and events. |
Criterion 4: |
There is appropriate human resource capacity and capability to effectively deliver and manage the activities of the GOC. |
Criterion 5: |
The GOC has defined the physical, technology and communications infrastructure requirements to support the operations and sustainability of the GOC. |
Criterion 6: |
Mechanisms are in place to effectively monitor and report on the performance of the GOC. |
Annex C: Internal Audit and Evaluation Directorate Opinion Scale
The following is the Internal Audit and Evaluation Directorate audit opinion scale by which the significance of the audit collective findings and conclusions are assessed.
Audit Opinion Ranking |
Definition |
---|---|
Well Controlled |
|
Minor Improvement |
|
Improvements Required |
Improvements are required (at least one of the following two criteria are met):
|
Significant Improvements Required |
Significant improvements are required (at least one of the following two criteria are met):
|
Footnotes
- Date modified: