The Auditor General is absolutely right. Risk management is a challenge.
Again, because we have typically managed from the bottom up, assistant deputy minister level, or L1 level by L1 level, we have taken on the aggregation of risks identified by those L1s and tried to manage those at the corporate level. But clearly, with resource allocation should go an obligation to manage the risk as much as possible with the allocations to the L1 level.
Over the last year, first of all, we have established a risk management framework for the organization, which we are now populating. It will be evident in the context of the L0 strategy, which will not be just about our priorities and objectives but about a risk-informed set of priorities and objectives, and then we will make sure that we, as essentially a board of directors at the L0 or the L1 table, manage those on behalf of the organization.
But integrated risk management is as much a science and the development of a framework as it is about culture change. The entire organization needs to go through a process where they understand what risks we are collectively managing, because they're beyond any individual L1. It will take time to adjust the culture of the organization.
This is an organization that understands risk. When soldiers are putting their lives at risk, they understand risk. It doesn't mean, though, that collectively at the corporate level we have a handle on it. So it will take time. The science part of it we're getting our arms around; the culture part of it will take time.