Public Accounts Committee on June 1st, 2010

Thank you, Mr. Chair.

We thank you for this opportunity to discuss the results of our audit of aging information technology systems. As you mentioned, I am joined today by Nancy Cheng, Assistant Auditor General, who is responsible for this audit.

The federal government relies on information technology systems to deliver programs and services to Canadians. Many of these systems are aging and several are at risk of breaking down. While systems are currently working, a breakdown could have severe consequences. At worst, some government programs and services could no longer be delivered to Canadians. The renewal and modernization of IT systems can take many years as well as significant investments that must be planned and budgeted for over the long term.

As part of this audit we looked at five government entities with the largest information technology expenditures to determine whether they have adequately identified and managed the risks related to aging IT systems. The audit also examined whether the Chief Information Officer Branch of the Treasury Board of Canada Secretariat has determined if aging information technology systems is an area of importance to the government as a whole and the extent to which it has provided direction or leadership in developing government-wide responses to address the related risks.

We looked at three major systems that deliver essential services to Canadians—the employment insurance program, the personal income tax and benefits return administration system, and the standard payment system. We also surveyed 40 chief information officers of departments and agencies in the federal government that accounted for more than 95% of spending on information technology. The survey of CIOs indicated that aging information technology was a significant risk.

The five organizations we audited have all identified aging IT systems as a major risk. They have taken some steps but most of them have not gone far enough to manage that risk. Organizations need to manage their IT systems as a portfolio and prioritize investment projects according to risk and impact on program delivery. They also need to prepare a multi-year investment plan and a funding strategy to meet the investment requirements.

The funding requirements to address aging IT risks can be significant. Three of the five organizations that have developed multi-year investments plans, that being the Canada Revenue Agency, HRSDC, and the RCMP, have identified significant shortfalls in the funding available to modernize their critical information systems and technology infrastructure. These organizations alone have estimated the funding shortfall at $2 billion.

We found that the chief information officer branch of the Treasury Board of Canada Secretariat has been aware that aging IT poses significant government-wide risks for over a decade; however, it has not formally identified the issue as an area of importance for the government. Furthermore, it has not established or implemented government-wide strategic directions to address the issue. We recommended that the chief information officer prepare a report on the state of aging IT systems across government and develop a plan to address it.

Mr. Chair, PWGSC and HRSDC have shared with us a copy of their management action plan. If fully implemented, these plans should address the concerns that we raised in our report. As well, the committee may wish to ask the chief information officer what she intends to do about this issue.

Mr. Chair, this concludes my opening remarks. We would be pleased to answer any questions that committee members may have.

Thank you.

Thank you, Mr. Chairman. I would like to thank you for having invited us to appear before the committee with regard to chapter 1 of the Auditor General's spring report, which deals with the aging information technology systems of the Government of Canada.

As you pointed out, I am here with my colleague Ms. Corinne Charette, the Chief Information Officer of the Government of Canada. Ms. Charette is responsible for the Chief Information Officer Branch in the Treasury Board Secretariat, which provides strategic direction and leadership in the areas of information management and information technology for the Government of Canada.

I would like to start by thanking the Auditor General for her work on the issue related to the risks and aging of IT systems.

When Ms. Fraser appeared before your committee in April to speak about her report, she remarked that this was the first time her office had looked at how the government as a whole was managing the risk of aging IT systems. Her report made us recognize that we haven't taken a government-wide perspective on the risks posed by aging IT systems.

I would submit that this is not surprising, in part given our accountability structure. This is a structure where deputy heads are responsible for managing all aspects of their operations, including their enabling IT systems and infrastructure to deliver on their legislative mandates. When it comes to IT systems, each deputy head has the responsibility to identify their IT plans, development, maintenance, and investment needs. They also develop and implement IT spending decisions and ensure appropriate ongoing measurement of their IT performance.

As a central agency, the Treasury Board of Canada Secretariat isn't there to tell departments how to manage their organizations. Rather, we are responsible for establishing overall government-wide strategic direction for information technology through policies and policy instruments. We also support capacity development and the coordination of efforts and initiatives as required. We do this in consultation with departments. We also monitor compliance of the policy instruments and we play a challenge function in relation to new IT investments.

The secretariat also plays an important enabling role. We support all departments and agencies in implementing the government's information management and information technology strategies. We do this through collaboration, tools and guidance. However, I do not want to give you the impression that we have not taken into account risks related to information technology systems.

That is why, until now, we have looked at the risk of departmental IT systems on a case-by-case basis, and we have worked with departments on renewing critical systems, such as those regarding pensions, pay, employment insurance, case management, and others.

Ms. Fraser, the Auditor General, has encouraged us, in her report, to adopt a more Canada-wide perspective. In response to Ms. Fraser's report, we have committed to assess the state of IT systems across government. Our action plan sets out how we will do this. The first step is to collect and analyze relevant information. Our assessment will be completed by April 2011. Based on this information, the secretariat will provide guidance and direction to all departments in setting their technology investment priorities. All departments will be strongly encouraged to have a plan in place by April 2012.

Our objective is to work with departments so as to not simply replace existing systems with new ones. We want to work with departments to identify mission-critical systems and to identify common systems and platforms where consolidation could reduce overlap and duplication, where possible. Through this process the goal is to enhance effectiveness and find efficiencies, ensure that departmental legislative and business requirements are met, and improve service delivery to Canadians. To do this well, it will take some time.

The timing of this assessment aligns also with the administrative services review announced in budget 2010. Through this review we will be looking to streamline and standardize business processes, which are important steps, before we look at replacing aging systems.

IT systems are not an end in themselves. They support departmental mandates and government priorities. Movement towards streamlined and standardized business processes and platforms should mean we'll have fewer systems to replace and to maintain.

All of this work is vital to ensuring that IT systems in the government are effective and that they have the capacity to meet current and future business needs. We look forward to working with departments and agencies on this important field.

Corinne and I would be pleased to take your questions.

Thank you, Mr. Chairman.

I am pleased to be here today to represent Human Resources and Skills Development Canada and to discuss and provide additional insights with respect to the recommendations laid out in chapter 1 of the Spring 2010 Report of the Auditor General of Canada.

First, let me say that HRSDC agrees with the recommendations put forth in the Auditor General's report concerning aging IT. I want to assure you that meeting the Government of Canada's commitments to Canadians is the department's first priority. Ensuring timely and accurate payments to Canadians, as well as the protection and security of the information entrusted to us by Canadians, is a priority for HRSDC.

We take our responsibilities very seriously. The EI, CPP, and OAS programs represent $80 billion annually in social benefits to Canadians, representing 85% of all Government of Canada payments to citizens. These payments all rely on technology. So a modern IT infrastructure is critical to the sustainability of the delivery of programs and services to Canadians.

While there are definitely areas that require some attention, let me reassure the committee that Canadians are not at risk. There have been no IT failures as a result of aging IT infrastructure that have impacted payments to Canadians.

When we speak about our IT infrastructure, it is important to understand that this is an ongoing process, similar to regular maintenance on a vehicle. Have we ensured the right level of maintenance on our IT infrastructure over the years? Perhaps not. However, I want to assure you that our IT systems are not in danger of collapsing. Our applications are stable. The department is proud to cite a 98% availability for its systems. No systems, government or otherwise, have an uptime of 100%.

I should also point out that the volume increases experienced over the last two years have been unprecedented. During this period, the EI system consistently delivered benefits to Canadians in need.

It is important to mention that over the last few years, we have been working towards refreshing our IT assets, and we continue to do so. For example, over the past three fiscal years the department has invested some $120 million to modernize its technology.

In the fall of 2007, existing mainframe computers were replaced with the next generation of mainframes. This replacement provided a newer technological platform and business continuity for ensuring continued delivery of essential services and benefits to Canadians.

Last year a multi-year project resulted in a fully modernized system to support Canada Pension Plan benefit delivery, eliminating two legacy applications. Implemented in May 2009, the new system has processed over 600,000 new CPP benefits and issued over 45 million CPP benefit payments for seniors, the disabled, and survivors.

In 2009-10, in response to the economic action plan, components that posed imminent risk to the continuity of business operations were replaced.

However, there is still much work to be done. As I said earlier, HRSDC agrees with all the recommendations in the Auditor General's report. HRSDC knows that it needs to make a concerted effort to address issues that are looming on the horizon with respect to our aging IT. We are developing a comprehensive plan to address the recommendations in the Auditor General's report. We need to position these efforts in the broader context of the department, and we need to plan for better ongoing maintenance going forward.

We are adopting a portfolio-wide approach for the management of IT, integrated into our five-year IM/IT strategic plan. Fully integrated into our strategic plan will be risk identification, mitigation strategies, and controls to ensure that we effectively manage any risks.

Linked to that, we are working on a multi-year investment plan. Specific attention will be paid to the full economic life cycle of IT assets and to establishing indicators that will support us in assessing the risks associated with our technology assets. This investment plan will also include a prioritization of what elements need to be addressed first in modernizing the department's IT infrastructure.

The level of financial investment required will be determined as part of our strategic plan, linked to the broader business plan for the department. In developing the funding strategy to support our investment plan, we need to be particularly cognizant of the fiscal realities facing the country and HRSDC.

In conclusion, it is important that I express HRSDC's commitment to Canadians and the programs and services that we deliver. Because of that, the issues identified in the audit are taken very seriously. What we have done to date, coupled with our future plans, are important steps in addressing what was identified by the Auditor General.

I'm happy to answer any questions you may have.

Thank you.

Thank you, Mr. Chairman.

I am very pleased to have this opportunity to appear before this committee with Mr. John Rath-Wilson, Chief Operating Officer, to discuss the Auditor General's report on aging information technology systems and her recommendations.

Let me begin by saying that after thorough analysis, PWGSC accepts all of the Auditor General's recommendations related to the management of risk associated with aging information technology systems.

PWGSC's Information Technology Services Branch—or ITSB—has a dual function: to both manage our own department's information management and information technology, IM\IT, services and to deliver the Government of Canada's common IT infrastructure services, while acting on Treasury Board Secretariat Government of Canada-wide IM\IT strategic direction and policy.

Conscious of its critical role, ITSB has developed and continues to implement risk mitigation strategies related to its mission-critical systems.

As you know, the department's goal is to excel in government operations by providing high-quality programs and services that meet the needs of federal organizations and ensure sound stewardship on behalf of Canadians. I am proud to state that during the 2009-10 fiscal year, we achieved a record of infrastructure availability for our mission-critical systems of 99.7%. This is beyond our expectations.

These services are supported by IT systems, and it is important to note that none of our critical systems have ever experienced or caused a business failure.

We are pleased that the AG acknowledged that PWGSC has many of the required planning and monitoring elements already in place. She identified three recommendations that are specific to our department. The first recommendation calls for the implementation of a department-wide portfolio management approach. PWGSC has enhanced its IT governance to ensure it provides effective oversight of its IT portfolio, including maintaining an organized and prioritized inventory of all assets. Specifically, the new framework, which will be implemented over the next twelve months, will enable the department to use a consistent value and risk assessment process when deciding on investment for IT systems within program priorities.

The second recommendation calls for the development of a multi-year IT investment plan. In fact, by the time the Auditor General's report was released in April, PWGSC had already developed the first iteration of its five-year plan for information management and information technology.

In bringing together several existing components of our planning process, we examine mandatory and discretionary investment to improve overall service delivery and ensure that existing systems can be sustained.

Public Works has successfully managed a number of IT-enabled business projects under our current management approach. I know that in previous audits, Public Works has received positive marks for its project management capacity and capability.

Each year we have invested in maintaining our infrastructure. Over the past three years, we've increased our capacity and developed a multi-year rust-out plan. For example, we've invested $9 million in 2009-10 against our department's five-year plan. We have invested $29 million through Treasury Board funding for program integrity. This fully addressed critical IT infrastructure rust-out issues that were identified in 2007 and 2008.

In addition, ITSB is engaged in every major Public Works transformation project and investment, including $220 million for the pension modernization project; $192 million for the pay system modernization project, which will be completed in 2015-16; and $50 million in a new financial system aligned with the Treasury Board policy on the stewardship of financial management systems.

Also in support of our overall plan, we have established a central IT investment modernization fund to address other maintenance and evolution issues associated with legacy systems. As you can see, the department has various activities under way that will contribute to the success of our overall plan.

The third recommendation calls for the development of an action plan for managing risks related to aging IT systems.

We are pleased that the Auditor General has recognized Public Works' effort in identifying the risks associated with aging IT systems, and also recognizes that we have been diligent in submitting IT risks to our departmental risk officers.

Public Works has made significant progress in monitoring risks and is positioning itself to manage ongoing strategic and operational risks more proactively. The department is finalizing its operational risk profile and refreshing its corporate risk profile, both of which cite aging IT systems and their related applications as key risks. These profiles will better position Public Works to develop risk response strategies, to monitor and report on risk, and to identify emerging risks associated with IT infrastructure.

Semi-annual progress reports will be delivered to senior management while this strategy is being implemented.

Mr. Chair, ensuring the integrity of our critical systems is a top priority for PWGSC, and statistics indicate that we have achieved a high level of stability. For example, our standard payment system processed over 270 million payments last fiscal year, without system interruptions; and our print operations are ISO9001-certified, and we issue and distribute more than 100 million cheques and other documents per year. It is equally important to note that none of PWGSC's critical systems have ever caused a business failure, nor resulted in a disruption to business, due to our robust disaster recovery capability.

In fact, we rarely fall below our published performance targets. Meanwhile, we continue to witness that IT is enabling more and more government services and programs, so we will continue to aim for our best in service performance and evolution. I would be pleased to answer your questions. Thank you.

Thank you Mr. Chair.

My name is Borys Koba, and I am the chief information officer at Citizenship and Immigration Canada. I appreciate the opportunity to provide opening remarks to this committee on this subject.

Citizenship and Immigration Canada has accepted the three specific recommendations directed to it in the OAG report, and an action plan has been provided against each of those recommendations. I would like to point out that in paragraph 1.46 of the OAG report, there is an acknowledgement that, and I quote, “CIC has completed a comprehensive review of its IT infrastructure; however, it has not reviewed its applications at the same level.”

CIC agrees with this assessment, and, at a high level, CIC's plan is to do the following: (a) develop a more detailed inventory of CIC's application systems, including information on items such as the current technology environment and options for system rationalization; (b) integrate the information on application systems and IT infrastructure using a portfolio management approach, which will include an integrated risk assessment as well as criteria for the prioritization of investment decision-making; and (c) refine and extend existing departmental planning processes. CIC has completed an integrated corporate plan for 2010-11 that reflects departmental business priorities. One of the components of this document is the IT investment plan, which will be extended into a multi-year IT investment plan over this coming year.

Mr. Chair, for a number of years, the cornerstone of CIC's long-term strategy for its aging IT application systems has been the development and implementation of the global case management system. I am extremely pleased to indicate that exactly one week ago, on May 25, GCMS release two was put into production operation for the citizenship line of business, on plan.

The next major step is the implementation of GCMS release two to the first mission, Port of Spain, on June 30, to support the immigration lines of business. GCMS is planning to complete implementation in all missions by March 31, 2011.

With this success, CIC is now able to start more detailed planning for additional functionality, to support business requirements, and for decommissioning many of the current legacy systems.

CIC has continued to invest annually in IT infrastructure upgrades based on technology evolution and technology aging. In the application system area, in addition to the investments made in GCMS, CIC has been investing in updating specific legacy systems, usually based on risk and the costs associated with technological obsolescence.

Some examples over the past five years include updates to the technology environment in the Montreal call centre, which cost over $4 million; re-platforming of the case processing centre application, at over $1.5 million; and current upgrades to the departmental HR and financial systems, at over $1 million. It is recognized that these investment decisions, while necessary, have been made on an individual basis. Hence, we have the plan to develop an integrated portfolio approach, as recommended by the Office of the Auditor General.

My final remarks deal with the current legacy systems, especially the operational ones. They continue to operate at a very high level of availability and continue to be updated to respond to changing business requirements, such as the recent imposition of visa requirements for Mexico, the special processing in support of the Olympic Games, and the information system requirements in support of the Haiti crisis.

In summary, CIC accepts the OAG recommendations and believes the action plan will allow us to significantly improve the decision-making process related to IT investments and associated risks in the department.

Thank you, Mr. Chair.

Thank you, Mr. Chairman.

As chief information officer, I am responsible for the IT strategies and plans for the Canada Revenue Agency and the maintenance and development of all national infrastructure and applications in support of CRA's program delivery in its various lines of business. This role includes risk management with regard to the sustainability of infrastructure and applications as raised in chapter 1 of the Auditor General's spring 2010 report, in which the CRA's personal tax and benefit systems were reviewed.

The CRA data centres are the largest in the Government of Canada, hosting more than 450 applications, processing 4.5 million transactions per hour, and managing almost 6,000 terabytes of data storage. They also host all Canada Border Services Agency's infrastructure.

The CRA has an excellent track record for executing large re-engineering projects to ensure long-term sustainability: for example, in 2000, the implementation of the corporate tax redesign for $180 million over five years; in 2003, implementation of the other levies system to replace the old excise commercial system, $20 million over two years; and in 2007, implementation of the redesigned GST/HST system, which cost $200 million over five years. These re-engineering projects were undertaken to address the technical sustainability of these solutions as well as to modernize financial controls and improve services through enhanced functionality.

The personal tax and benefit systems reviewed in this audit were developed in the 1980s and 1990s respectively. They form the largest suite of applications in the CRA, comprised of 31 million lines of code that undergo hundreds of system changes every year in response to legislative changes and service improvements.

CRA is vigilant in keeping these systems running and makes every effort to ensure that quality services are available for Canadians to file their taxes and receive benefits. Re-engineering these systems is in the planning phase and will take a significant investment and several years to complete. We are currently engaged in discussions with central agencies regarding funding to initiate this work.

To monitor and plan for infrastructure sustainability, the CRA creates an annual asset management plan for each technology platform, managing within the custodial budget allocated for infrastructure maintenance. In addition, an annual information technology infrastructure investment plan is tabled to the chief financial officer of the agency, identifying longer-term financial pressures that do not fit within the custodial budget over a 10-year planning window for inclusion in the priority setting of the agency strategic investment plan.

For application sustainability, we conduct an annual review of the sustainability status of each application from the perspective of system architecture, maintainability of operations, and business needs. The priority setting that is the outcome from this process then drives sustainability fund allocation within our application sustainability plan.

The CRA thanks the Auditor General for her report and findings.

And I thank you, Mr. Chair, for providing the opportunity to appear here today and to answer any questions the committee members may have.

Thank you, Mr. Chair, and honourable members.

As the chief information officer of the Royal Canadian Mounted Police, I am pleased to have this opportunity to provide you with more information on the RCMP's information technology systems in response to the 2010 Report of the Auditor General.

I am accompanied today by Brendan Dunne, one of the directors general within the CIO sector and responsible for business solutions.

The RCMP's chief information officer sector supports operational policing by providing members and partners in the Canadian law enforcement community with the technology they need to record, share, and communicate essential police information. The chief information officer sector supports a broad range of applications and systems. These include operational systems, mobile communications tools such as radios, and administrative systems.

The 2010 Report of the Auditor General recognized the RCMP for assessing aging IT risks, for establishing strategies to manage those risks, and for following a portfolio approach. The RCMP accepts the findings and recommendations of this report. I would like to provide an update on the actions taken to address the Auditor General's two key recommendations for the RCMP.

The first recommendation for the RCMP is to develop an action plan for each significant aging IT risk and report regularly on aging IT risks to senior management. The RCMP has made enhancements to its established risk management processes to ensure IT assets are adequately protected and could be recovered or replaced in accordance with organizational priorities. Applying the existing and improved risk management methodology to each aging IT risk will enable the RCMP to develop an action plan for each one.

The RCMP has integrated IM/IT program risk reporting into the corporate governance process. The CIO first reported on this to the RCMP senior management on March 24, 2010. As well, the CIO strategic review council, which is responsible for prioritization and decision-making surrounding IT investment planning within the RCMP, will begin reporting to RCMP's senior executive committee on a regular basis this fiscal year.

The second recommendation for the RCMP is to prioritize IT investments based on the priorities of the organization in order to develop an overall funding strategy. By ensuring that IT risks are incorporated into organizational prioritization and investment processes at the senior management level, the RCMP will be able to develop a corporate funding reallocation strategy. This strategy, to be developed for the 2011-12 fiscal year, will prioritize and baseline all RCMP program activities, including IT.

In recent years, the RCMP has made several investments in critical enhancements and system replacements, including $130 million investment in the Canadian Police Information Centre in 2005, and $111 million investment between 2002 and 2009 in a police records and occurrence system and the police records information management environment to replace the RCMP's legacy system. The RCMP has also invested $22 million in the national integrated interagency information system, which is scheduled for completion this June. This system allows police and federal agencies to access and share appropriate police occurrence information.

Uniquely within the RCMP, radio systems fall under the mandate of the chief information officer. In order to ensure police officer and public safety, the RCMP has taken proactive measures towards national evergreening and modernization of the radio systems. The most significant expenses in radio system evergreening include user equipment, followed by infrastructure updates to enhance the system's capacity.

Some significant investments in radio systems in the past 10 years include $180 million invested in radio modernization projects. These projects include a $55-million project in British Columbia since 2001; $47 million invested in Saskatchewan between 2001 and 2009; $21 million in Newfoundland from 2001 to 2010; $23 million for the creation of a national emergency stock from 2002 to 2010; and $13 million in Ontario, including infrastructure updates to be used for the G8 and G20 summit.

Over the past 20 years, the RCMP has also invested $30 million in the development and modernization of the RCMP's radio dispatch system, which is used in every province and territory.

Within the next five years, the RCMP plans to modernize radio communications in Prince Edward Island, Nova Scotia, and New Brunswick under the maritime radio communications initiative.

As you can see, the RCMP has taken many steps to enhance processes and systems to meet operational requirements. We will continue to monitor, identify, and address IT risks and priorities.

I would like to thank you for allowing me the opportunity to speak with you. I would be pleased to answer any questions you may have.

Thank you, Mr. Chair.

To answer the member's question, yes, the CRA has identified which projects constitute that large sum of investment required to ensure sustainability. It breaks down largely between the information slip reporting system, at $180 million; the individual tax system, at least $215 million, most likely more; the T3 trust system, $120 million to build a system; and the benefits system, a minimum of $60 million.

All these investments are made to assure sustainability. We've never suggested that we would undertake all these projects at one time. Our tendency has been, as evidenced through the previous re-engineering projects we've done, to take on a project and execute over three to five years, starting the next project a year or so before the one we're working on ends.

This isn't a five-year problem for us, it's a 20-year problem for us, especially with regard to the T1 system. Individual taxes represent an enormous system.

Thank you very much. Yes, we do know what to do with those funds, but as my colleague from Revenue Canada said, it is still a long-term process.

I mentioned earlier in my opening remarks that a lot of the work we need to do to refresh our infrastructure is like the maintenance on a vehicle. It's actually more like trying to fuel an airplane in flight. We cannot stop processing payments, ensuring that Canadians receive their benefits, while we upgrade both our infrastructure--the platforms that these systems run on--and the applications.

We do have in place an application modernization project that is working towards clearly identifying every area of the infrastructure, as well as the applications that we need to work on, in order to do a complete refresh, but as my colleague has already indicated, this will take a number of years.

So in answer to your question, if you were to give us that money today, we would not be able to spend it all in one year. We could not affect the operations to that degree. It has to be done in a planned, methodical way over a period of time.

Yes, absolutely. Since we have already identified the risks, because we have already invested $120 million over the last three years, we already know which infrastructure components present a priority risk and we would invest in that environment, yes.

Thank you for the questions.

I'll look at it in a couple of sectors. The first one is the systems that we need to replace or modernize immediately in order to ensure that police officers have the ability to communicate and share information. As I indicated in my opening remarks, in the last number of years, we've invested quite heavily in the Canadian Police Information Centre renewal and the systems that allow police officers to share information, and the building of a system--the N-III project--that allows agencies and police officers to look into each other's areas.

We're looking forward to the modernization of our radio systems. We have in place a multi-year program plan to work with the provinces to improve their radio systems, many of which we've worked on in the last number of years, and many that we have cued up to work on in the upcoming years.

To help us prioritize those over the next number of years, between the next three to five years, we look to the policing community and the provinces and territories. As well, we are using a strategic review council within the RCMP to ensure that the CIO sector is actually responding to the operational needs of the RCMP and its law enforcement partners.

Thank you, Mr. Chair.

I just wanted to clarify that the figures come from the plans prepared by the departments and agencies. During our audit, we checked whether those organizations had prepared a long-term plan, by identifying the priorities and the critical systems and infrastructures. We noted that three out of five had done it. Those are the cost estimates that they prepared themselves.

Our concern is that the funds that come from the current budget aren't sufficient to meet the future needs. It is therefore important that there be a plan to fund those projects that the departments themselves identify as critical.

It's the Canadian firearms information system.

An evaluation of the IT systems for the program? I'm not aware of an evaluation. If there is one, I can certainly get it to you.

I'm not aware if there was an evaluation of the--

Absolutely.

Yes, absolutely. Mr. Chair, business cases must be done. Also, different options must be analyzed. The secretary mentioned it. This is not just about replacing existing systems. Several of them are a few decades old. Maybe there are more effective and efficient ways to do the same work or to get the same results. This is a lot more than simply replacing one system by an equivalent system. The processes must be examined. Since we are talking of an expense of several million dollars, I think this is a good opportunity to take the time to do things well.

Mr. Chair, we have two major policies on the management of IT investments. One concerns investment management and planning, and the other project management. I think the work we have done—and I will ask Ms. Charette to give more detail—with the departments to make sure they have project management capacity follows from an audit made by the Office of the Auditor General in 2006. You mentioned that audit.

I will ask Ms. Charette to give you a more specific answer.

The purpose of our policies, be they on project management or on other issues, is to provide the best practices and the necessary direction to departments. It is up to the departments to capture, apply and implement them. I must say that these policies are not difficult to follow and that my colleagues are very rigorous and methodical in applying them.

We are not here to conduct an exhaustive review, but under our annual accountability and evaluation process, we review the indicators we asked the departments to provide to ensure that they did indeed follow the various policies.

Certainly.

You'll note there were no recommendations for the Canada Revenue Agency in the AG's report. This is because we did follow up rather rigorously. We have a very rigorous, strict program on assuring that the sustainability of all infrastructure, hardware and software, is within its expected life cycle and that we do the annual refresh on our inventory of applications to track which ones are in need of sustainability investment. As well, we have plans for each line of business as to what applications need that investment, and we work with the CFO internally to try to fund these largely from within the agency.

In the case of the individual benefits systems, we work with central agencies to try to find funding to take on those larger challenges.

Thank you, Mr. Chair.

Certainly, at CIOB we have in fact been aware of this issue and working on it over the last ten years in a variety of ways, and certainly, over the last year that I've been in my role, with a more sustained focus on a number of different facets.

What we have not done, and I do agree with the OAG's report, is that we have not yet come up with an aggregated view of this issue from a pan-government or pan-Canadian--

We work with the different CIOs and different departments constantly and continuously on many different issues. We do have a view of many different pressures, in both infrastructure and applications across the community...and a number of strategies to implement that. In fact, over the last three years we've been working through the MAF process to reinforce the necessity for the CIO in each department to have IT investment plans in accordance with the government policy on investment planning. In fact, in the last round of MAF, we specifically asked them to identify aging IT as a pressure.

What we have not yet done is we have not yet aggregated specifically the inventory of mission-critical systems across the government; prioritized them in some format; and/or aggregated the total investment that might be required once we really normalize what people mean by mission-critical, whether they are in fact key priorities of every department. That will take some time. It will take the time that we need to consult with the community, agree on what is a priority individually by department within their portfolios, and bring that back.

Well, Chair, we certainly would have expected, given the risks involved with aging IT across government, that there would have been a central location--the CIO branch is clearly the one that was indicated to have a government-wide strategy--and that they would have assessed what the priorities would be, what the coming funding pressures would be.

If we talk as well about changing systems to become more efficient, we can get into perhaps a long debate about this, but I really think there has to be some central direction given on that to departments, not leaving all the departments to do as they wish.

We clearly, based upon the responsibilities that have been set out for the chief information officer branch, would have expected that overall strategy and that information to be available.

It's $5 billion.

Thank you, Mr. Chair.

The $120 million expended over three years was to actually address some of the more critical infrastructure areas of the EI system. I think the $2 billion--you're right--is an aggregate of what's required for three departments to actually upgrade and refresh the infrastructure across the board. We have approximately $524 million of that identified for our department.

So I didn't think it was...I was not trying to brag; I was just trying to say that we have been demonstrating that we have an awareness that this needs to be done and that we have segregated funds to actually work on the improvement of our infrastructure environment. It was more to demonstrate that this was a known requirement within our department, that we were taking it very seriously, and that we have taken methodical steps to address the infrastructure issue.

Thank you, Chair.

Each department...and I'll perhaps mention CRA, because I think we noted in the report that they do this in quite a rigorous fashion. They go through and identify all of the improvements or changes that they think will be required over the next while; I think it's a five-year plan that CRA has, five- or ten-year plan. Then they go through a prioritization to see which ones are critical to the continued sustainability of their systems.

It's really a way to prioritize and to accord importance to the various changes that they see in their investment plan.

Thank you, Mr. Chair.

I will start, and then I will ask my colleague Ms. Charette to pick up.

One of the key elements that has been mentioned, and that Ms. Fraser has also mentioned, is that we have been working with departments to ensure that they do have investment plans. We may not have a list right now of all the mission-critical systems across the government, because there are currently very varying definitions of what is a mission-critical system. Each organization does really have the responsibility to do its own investment plan, and I think the Auditor General has just recognized that by saying that CRA has a very good planning process and priorities. HRSDC--each one of these organizations has to have their own plan, because they have a responsibility to deliver on their mandates and their priorities.

What we have not done is come up with a common set of definitions as to what is mission-critical. Can we start looking at them across the Government of Canada? That is what we are endeavouring to do and have committed to do. We have looked, obviously, at what are some of the key priorities per department, per mandate, and have been working very actively with those organizations when those mission-critical systems are identified.

So I do not want to leave the committee with the impression that we have not done anything, that we don't have a sense of what the risks are. But what we have been asked to do and what we have agreed to do is to come forward with a more systematized, coordinated approach, where the definitions are shared and where in fact we can look at what the overall picture is.

It is, and will still remain, the responsibility of each organization to do their investment planning and to do their portfolio management, because they are ultimately responsible for the delivery of their services.

I'll ask Ms. Charette to just pick up on the process we will then be following to make sure that we respond to the Auditor General's report.

Thank you, Secretary.

In fact, we will be launching very soon our work in order to develop the report, and the action plan, and the strategy that the OAG has asked us to move forward with and that we do agree is necessary. Between the period of June and December, we will be in fact conducting our own comprehensive survey of the departments across the federal government to make sure that we do get a complete inventory of mission-critical systems that is consistent to common definitions and that identifies the risks and the priorities that these departments believe these mission-critical systems are to them.

That will take us over the next six months. In December, we will then start to basically standardize and aggregate those findings so that by April we can come up with a really thorough and easy-to-understand government-wide assessment of what is mission-critical, how many are out there, what would be the overall investment required to address these, and how might we attack priorities given a situation where investment may well exceed the funds of any one department. We will be looking at that very carefully.

Then, for the next year, we will work with our CIOs across departments, who will be working with their own business stakeholders, to work out really what are the government-wide priorities that we can agree on and to focus in on what really has to be renewed, what can be consolidated or replaced, what can be sunsetted--because programs do evolve--so that by December 2011 we should have fundamentally finished our analysis, and we intend to wrap that up with a report on our recommended direction and our guidance to departments by April 2012.

I would also add that even though we have not come up with an aggregate view of certain, if you will, high-risk infrastructure, we have been working very closely with Public Works over the last eight months on a data centre strategy that involves really addressing the risk of this fundamental infrastructure across the government. We've in fact a mid-term strategy for data centres that looks at some of the more pressing data centre risks across the government, and we have a more long-term study under way, which will in fact be completed by the end of the calendar year, that will identify just what we can do moving forward on this fundamental infrastructure. We're also working with a number of other departments on different efforts on other, if you will, back-office systems and pressures, and we continue to work with departments in helping them adopt our policies so that they may assess the risk of their operational systems.

Thank you for that question.

We've looked at it from a portfolio perspective to ensure that we understand where the priorities lie and how we may address them. Although we've identified a $620-million spend, we know that we can prioritize that to the more pressing needs. We've been recognized for the portfolio approach, and we've taken measures to ensure that supporting technology is understood by the senior management of the RCMP and is factored into their planning and prioritization process.

If I may, Mr. Chair, we did not want the intent of putting forward the funding request to be the responsibility of the Treasury Board Secretariat, because the funding requests and the accountabilities for the expenditure of those funds do rest with each organization and the minister responsible for that. That's what we meant by that.

We can give direction, we are giving direction, and we are working with organizations. But on the specific requests for funding, for example, we worked very closely with the renewal of the pension systems that are with Public Works and Government Services, National Defence, and the RCMP. We as a secretariat worked very closely with those organizations to ensure that there was a coordinated approach, a common platform, and we did not end up with three disparate systems that could not communicate with each other.

We did that, but their specific requests for funding were each put forward by the respective ministers, because the delivery of those initiatives rests with those respective organizations. That's all we meant by that. We did not carry the funding requests, nor do we intend to carry those funding requests. We help shape, coordinate, and support. We play our challenge function and make sure that the funding requests are reasonable and the priorities are clear, but we do not carry the responsibility for taking those requests and for receiving the funds.

So that's all we meant by that. There is a divided responsibility, for obvious reasons, for the accountability for the expenditure of funds.

I am of the view that deputy heads, Mr. Chair, are in fact well aware of the management of their responsibilities. They have, as you've seen, investment plans--

If I may finish--

Well, the deputy heads do inform their ministers. When those requests for funding are made, they are made to cabinet after the due process of examination and establishing the priorities.

So the short answer to your question would be “yes”.

Oh, oh!

Chair, I don't think our report says “spend, spend, spend”. What our report does say is that aging IT—I'll come back to what we mean by aging IT—is a significant risk for the government. There needs to be a good assessment of what that risk is, and then there has to be a plan to deal with it.

We have seen, in the five departments we looked at, that there were three who had prepared longer-term plans and who had indicated that they had done the assessment of the funds they required. And the shortfall from their current funding levels is $2 billion. So to me, this is a significant issue. There are significant investments.

Now let me come back to what we mean by aging IT. It doesn't simply mean that a system is 30 years old. A system could in fact be that age and still be working efficiently and still continue on. But we note in the report that there are systems in the government in a language that is no longer taught in schools. And people are retiring, so there is a question of human resources and who is actually going to be able to modify these programs if modifications are needed.

There are issues with the infrastructure. We have a case of a data centre where the HVAC heating and ventilation system is no longer supported by the manufacturer. So if the air conditioning breaks down, those computers can't work.

At CRA, one of the major data centres is 40 years old and was never designed to be a data centre.

So there are major issues throughout government. What we are calling for is to have a good profile, good information about what these expenditures are going to be, recognizing that changing some of these systems is not a question of a few months or even a year. It can take many years, and if they all come in at once and they all need money, there will never be enough money to do it. So it's a matter of planning out how this is going to happen, making sure there is some coordinated approach to this, making sure as well—and the secretary talked about the administrative services review—that there is a thought given to how these services can be delivered in a different way. Some of the systems we have here are no longer....

I mean, we often talk about getting more efficiencies from government, and there probably are ways to make these programs more efficient, but it will require an investment in technology and a different way of doing things. Many of the programs have a lot of steps and a lot of complexity to them. To make it simpler to manage, you are going to have to change the way the systems work, and that is going to involve a lot of money.

Thank you, Mr. Chairman. I will answer the many aspects of this question.

First, I do not have any information with me concerning the business volume on the federal government's request for proposals system. I therefore cannot answer the question, unfortunately. However, I can make a clarification.

It often happens that at the start of the year, when we get our information technology budgets, the money is spent on the first stages of a project. Therefore, it is not abnormal that some departments, like Public Works and Government Services Canada, have a small surplus at the beginning of the fiscal year. I think it is a sign of good management to begin a project early on, so that it can be finished on time and as authorized by the management team.

Another aspect deals with the smart management of information technology investment. Yes, it is true that, given the current financial constraints faced by every department, it is not business as usual. Because of the way governance operates at Public Works and Government Services Canada, we agree with the Auditor General that we need to review our priorities and spend money on priority projects, and to keep in mind the issue of whole-of-government governance. We have already done this. As a result, we want to keep on investing in our priority systems. We do not want government employees to miss a single paycheque, which is important for a motivated and functioning public service. Further, it is important for future pensioners to receive their benefits. As you know, we are investing in these systems to modernize them, since we do not want to reach a point of crisis.

We are constantly talking with Ms. Corinne Charette. The chief information officers meet every month. These discussions happen more and more frequently. Has the situation been explained in detail? I believe things will become clearer as we gather information, as Ms. Corinne Charette and Ms. d'Auray said today, in the interest of gaining a better picture of how these pressures affect government as a whole. Ms. Corinne Charette reviews every request for IT funding. She does so every year. So she is very aware of the pressure we are under right now.

Thank you, Mr. Chairman.

It is a two-year action plan. We have two years to gather the information and to prepare the action plan. As for the operating budget freeze, let me distinguish between two different things. The freeze of operating budgets begins in fiscal 2010-2011, and it will apply over three years, namely 2010-2011, 2011-2012 and 2012-2013. It is a freeze of operating budgets, rather than cutbacks.

Thank you, Mr. Chairman.

Yes, from 2007 on, in fact to this point in time, we have been making investments on an ongoing basis.

The notion that I would hope we have clarity on here is that in the longer term, if my colleagues and I were not making investments and were not planning to renew the infrastructure, then we would be putting Canadians at risk--in the longer term. Where we stand today is that we are taking measured approaches on a year-by-year basis to ensure that whether it's the hardware, the software, or the applications themselves, they continue to be refreshed in such a way to be able to respond not only to the departmental priorities but also to any changes that we may have to make. For example, EI for the self-employed last year was something that our department needed to respond to, and we did so.

I think what we need to be focused on is that we are able to manage and deliver the responsibilities we have today. If we were to not make investments moving forward, for the next foreseeable future, we would be putting Canadians at risk. What we have been trying to demonstrate here today and with the support of the Auditor General is that we are aware, we are making those investments, and we are continuing to ensure that as we proceed forward, the availability of our systems continues to support the requirements.

So that's why, when you hear us talking about 98% or 99% availability, that hopefully gives you confidence that we are able to manage today. But longer term, if we were to wait two or three more years and not continue these investments, we would be in difficulty. Why? It costs more and more money to manage those older systems. Sometimes maintenance and expertise are no longer available. So the costs and the amount of workload that our people have to undertake to keep things running continues to grow. That's why in the longer term it is untenable for us to continue.

I can't give you a percentage. What I can tell you is that we work with the policing agencies in each province as we renew the infrastructure. With the new bandwidth becoming available, that allows us to bridge some of those gaps. If we go from 170 megahertz to 400 megahertz to 800 megahertz, it gives us a little more latitude.

We would assess it on a case-by-case basis. For instance, the new system that we're looking at down in the Maritimes will address some of those low-signal areas in New Brunswick. Right now we're working with the province to determine exactly where we would position our towers to do this.

Yes, it is.

Thank you, Mr. Chair.

Not kicking and screaming: I was actually pleased to be here today to bring some comfort, I think, to the members of the committee.

What I was hoping to demonstrate in the opening remarks was that all of us have been aware of this situation—

No. Actually, I have taken initiatives during the last three years to begin to address this issue. I think with the Auditor General's report, it has given additional support for the reality of the situation we face. It has been quite helpful.

So no, we haven't been waiting. We are aware. It's a confirmation of the reality that we have in our departments.

Thank you for that.

The response to that question comes down to how we look at our risk and how we use the integrated risk management methodology. As I pointed out in my opening remarks, we have spent a great deal of money over the last many years enhancing or replacing those systems that we felt were at highest risk.

The systems that we feel we have to replace most urgently are the radio systems, and we have a strategy in place for that. Where the aging IT systems actually did hit the top five--the risks were assessed, and we included the top five on the RCMP risk register--“aging IT systems” as a title didn't make the top five. What did make the list was “lack of funding”. That's where we can tie in our need to get funding to replace the systems, as we prioritize them.

The risk of cyber attack or the maintenance of cyber security is a top priority of CIOB. We reissued the government security policy last year with a strong focus on this matter. In fact, we're working on the number one initiative to address that, which is a consolidation of Internet access points for the government-wide network. This really is the first line of defence: to permit only authorized access into the government cloud, so to speak, and the use by authorized people of data and systems. For the last six months, we've been working with Public Works on consolidating these access points across government departments. We continue to work on that, and we hope to have quite reduced that risk over the next six to eight months.

Thank you, Mr. Chair.

Yes. As a matter of fact, we do have departmental licences that we have negotiated on behalf of our department, and I believe some would apply at the government level as well.

I would think that would be the responsibility of the Treasury Board, as opposed to my specific responsibility, but we would certainly be prepared to share the information on what we currently have and make that available.

Although the applications that really produce the cheques--or the warrants, as we call them--are written in COBOL, an old code, they work extremely well. We still have the in-house expertise to continue to support those applications. All three--CPP, OAS, and EI--are on that platform.

We've also modernized the mainframe platform that processes the applications and does all the work to make sure that the cheques can be printed. The reality is that we can produce them. We have the people, the knowledge, and the expertise. We have the technology in place at this point in time to continue to produce. That's why, as a result of the economic action plan, we were able to make improvements to the system over the last year and were also able to significantly raise the processing requirements while maintaining the levels of service that we've had historically.

I think I would suggest to Canadian citizens that they're in good hands. We are aware that we have some continued work to do. We have started the process. Today we have the people, the applications, and the technology to continue to deliver; the reason the future is so important to us is that as the systems and the applications get older, it's more and more difficult to make changes to those applications, so as the government sets new requirements for our particular department and as we align with those departmental priorities, it's more complex to actually start to modify that.

Absolutely.

Mr. Chair, I think there are two points I would make. The first is that we would move toward standardization, standard business process and streamlined business process. That would be the first step for us, and we are doing that. Madame Charette could speak to a couple of those areas.

The second is that I think the idea of merging everything into one big system or platform is not ideal for an organization the size of the Government of Canada. You have to build redundancies. You have to build the capacity to manage differently, and you have to look at what the core business lines are.

I'll maybe ask Corinne to add a few elements to that.

I would say that from an administrative systems perspective, and that's the focus of administrative review, there are opportunities to consolidate, standardize, simplify, and then renew back-office platforms. That's not necessarily on one massive...because government is too big and the requirements are still quite diverse, but certainly to renew a smaller number of platforms that currently exist across government.

But if we look at program-specific applications, such as EI or taxation or immigration, those applications are difficult; there's not much of a good argument for centralizing. Those areas are where departments will continue to focus their investment plans, strategies, and renewal efforts. Hopefully over time, and as a result of this review, we can reduce their burden of renewing and investing in common infrastructure that is very similar--for instance, data centres, as I mentioned, or more secure renewed networks, and certain back-office applications that can be streamlined and standardized before being renewed. Hopefully we can reduce the overall burden of investment and renewal.

I am reassured, Mr. Chairman, because the government stated it agreed with me and several departments have investment plans.

However, I think Mr. Dion raises a very good point, which is that we are living in an era of budget cutbacks. Even though budgets will remain the same, salary increases, as well as other expenditures, will have to be paid, so the question is, will the government maintain its level of investment in IT systems?

The report clearly reflects the fact that departments have indicated in their plans that the money available is not enough for them to meet their objectives. So there is a funding shortfall. The RCMP identified this funding shortfall as one of five risks. I believe it is a serious problem, and we absolutely need a strategy to clearly identify where money must be invested, and where that money will come from.

Thank you, Mr. Chair.

That is why I said that we agreed with the Auditor General. I think that if you do not have, as you mentioned, this feeling of urgency, it is because the priorities have been identified in most of the essential systems. The investment plans have been identified by the departments and Ms. Fraser has noted this. All that is missing is really the establishment of priorities for a government-wide plan. The departments have all done this. If you put all of this together, this may look staggering.

What is important for us, and this is where we agree with Ms. Fraser, is that we need to have an overall vision. If we were to invest in everything, we may not be making the best possible or necessary investments. So we have to make choices. We have to set priorities. What Ms. Fraser told us, and this is something that we agree with, is that we need to have this capacity for planning. If we go too quickly, for example, if we declare an emergency and proceed too quickly, we may spend a great deal of money without necessarily having set the right priorities and the best mechanisms for making such investments.

Yes, investments in this sector may be very expensive. So we want to take the time that we need. We want to set the right priorities to ensure that the investments are made in the right places according to a reasonable and doable timeline. Even though you may think that this takes time, in order to do this properly, we need to take the time that it takes because the investments are very significant.

No, Chair, this is not something that we looked at, and this is not something the office has done in the past, so we wouldn't have that information.

Thank you, Mr. Chair.

Basically, what we look at first and foremost is if the investments made in technology are aligned to the priorities of the department. We start with that.

When there is a direction set in the Speech from the Throne or the budget, one of the first things we look at, working in concert with our program branches, is what the specific requirements are going to be compared with what we currently have available. Then as we go through and identify the requirements, we start to cost out what is required, whether it's any kind of upgrade, code development, people skills, etc. At the end of that assessment, we have a budget that we put in place, in terms of being able to deliver on that particular requirement. It goes back through the governance process in the department to ensure that it is, again, aligned, and that it has scrutiny in terms of what the assessment results were.

If we receive the support from what we call our portfolio management committee that the deputy chairs, then we actually go and develop a detailed implementation plan to address those requirements.

Yes.

Thank you.

I would ask Madame Charette to speak to that.

Well, that is going to be in fact a very important exercise, and one we're going to have to address as a community with great care. Once we have conducted our survey and we have responses from every department individually on their mission-critical systems and how they prioritize them and the potential range of investments, when we aggregate that, we're going to have to have a portfolio view of the entire government mission-critical systems and all of these relative priorities. And we will approach it in consultation with our stakeholders in support of their specific missions. We will come up with a few alternatives, which of course will be widely shared and discussed by deputy ministers and so on until we can come up with a collective view of how priorities might be addressed that we would put forward to the government for decision purposes.

But it's going to involve individual analysis by departments, a consolidation exercise by the CIOB and the Treasury Board, consideration of prioritization mechanisms, and a few proposals to finally find a list of priorities.

Mr. Chair, I have a copy with me.

Oh, oh!