Public Accounts Committee on May 27th, 2015

Mr. Chair, thank you for this opportunity to discuss our spring 2015 report on information technology investments managed by the Canada Border Services Agency.

Joining me at the table is Martin Dompierre, principal, who was responsible for the audit.

This audit focused on assessing whether the Canada Border Services Agency has the corporate and management practices in place to enable the delivery of information technology investments that align with and support its strategic corporate objectives.

As part of the audit, we consulted six federal government departments and agencies to get their views on their collaboration with the agency.

The Canada Border Services Agency plays a key role in Canada's security and prosperity by managing the access of people and goods to and from Canada. In the 2013-14 fiscal year, the agency admitted close to 100 million travellers and cleared more than 14 million commercial shipments. These and other agency activities resulted in the collection of $26.9 billion in revenues.

Information technology plays an important part in the agency's ability to achieve its strategic objectives and its mandate to ensure border security. The agency's current portfolio is made up of 30 information technology projects, with a budget of more than $1 billion.

Overall, we found that the agency has had significant challenges in managing its information technology portfolio in a way that ensured it could deliver IT projects that meet requirements and deliver expected benefits.

In December 2013, the agency put in place a new project portfolio management framework to strengthen its management of IT investments. We found that the framework was comprehensive, but our review of five projects against the framework revealed that the agency had not fully applied it, which resulted in several issues.

For example, we found that the information provided to senior committees tasked with overseeing the information technology portfolio did not contain accurate financial information, project status information, or timelines. This information is important to ensure that projects are being managed to meet all stages of approval, meet delivery requirements, and align with the agency's strategic objectives.

In addition, projects often lacked clear requirements, had no defined and measurable benefits, or had poorly stated benefits. This resulted in project delays, duplication of effort, and business requirements that were not finalized. For example, over 75% of projects had minimal or no information on whether benefits would be realized or aligned with strategic objectives.

Information technology plays a key role in the agency's ability to achieve its strategic objectives and mandate. Without access to complete, reliable project information with clear business requirements, the agency is restricted in how efficiently and effectively it can manage its portfolio of projects.

Our report makes three recommendations to the Canada Border Services Agency. The agency has agreed with our recommendations and has shared its action plan with us.

Mr. Chair, this concludes my opening remarks. We would be pleased to answer any questions the committee members may have. Thank you.

Thank you very much.

My name is Caroline Weber. I am the vice-president of corporate affairs at the Canada Border Services Agency, or CBSA. I have with me today my colleagues, the associate vice-president of information, science and technology, Mr. Louis-Paul Normand, and Mr. Chris Bucar, who is acting director general of resource management.

I'd like to thank the committee for affording us the opportunity to appear today in order to discuss chapter 5 of the spring report from the Auditor General of Canada.

As the committee is aware, the audit of CBSA's information technology investments examined whether the agency's corporate and management practices are enabling the delivery of IT investments.

As the Auditor General noted, the CBSA is a law enforcement agency, charged with a dual mandate to secure the border, while contributing to Canada's prosperity by managing the access of people and goods to and from the country.

Our responsibilities are diverse and complex. In a global age, modern border management means focusing our efforts on six core areas: pushing out the border; facilitating the entry of low-risk people and goods; delivering integrated and effective enforcement; improving efficiencies; increasing harmonization with our international partners; and focusing on client service excellence.

Managing the border in today's environment involves broadening our understanding of what is traditionally thought of as “the border”.

Rather than thinking of the border as a line across the 49th parallel, our approach increasingly is to manage the border as a corridor where decisions are sequenced and made, as much as possible, before people and goods arrive. Addressing threats at the earliest possible point is essential to strengthen security and improve the free flow of goods and people through our border, and investment in our information technology is critical to our ability to do that.

Since 2013 the CBSA has invested considerable time and energy to improve project management, while developing and delivering one of the most complex suites of IT projects in the Government of Canada, including significant responsibilities under the beyond the border action plan.

The investments being made in information technology are not solely about back office efficiencies. These projects are necessary to realize operational benefits such as improving the CBSA's lookout system, scrutinizing passenger name record information before inbound flights depart, and analyzing electronic manifest information before commercial import shipments arrive at crossings.

Consequently, the agency has an IT project portfolio totalling more than $1 billion. As noted by the Auditor General, the agency implemented a strong project portfolio management framework in 2013 to better manage these investments to 2020.

The CBSA is pleased that the Auditor General's spring report reinforces that the direction and actions taken by the agency are on the right path to further improve the management of major IT projects.

We also agree that the recognized strong project management framework will continue to evolve, providing more and more predictability for project delivery.

Overall, the audit reached three main conclusions: that while the CBSA has established a robust project portfolio management framework, it requires full implementation and a strengthened governance process for IT investments; that more clarity was needed for IT systems requirements to ensure project requirements could be met, and defined measures were needed to assess project benefits; and that clear requirements for how project dashboard information is collected, validated, and reported were required for consistent and complete project status reporting on IT projects.

Mr. Chair, as the agency has responded in the report and in the management action plan provided to this committee, the CBSA agrees with the Auditor General's conclusions. We are committed to continuing to strengthen the controls and oversight necessary to fulfill our commitments on IT projects and ensuring that they deliver expected benefits.

We have a detailed work plan in place to address the key issues. That has been reviewed by the Auditor General's office. We are tracking on time to meet those commitments. A few examples of this work include the following: updating important IT planning documents, such as the annual IT plan and an investment plan, which includes all significant capital projects over the next five years; establishing directives to ensure that enterprise architecture is adhered to by all IT projects through formal gate reviews and approvals; formalizing the coordination and oversight function across all project stakeholders, developing a baseline set of performance benefits indicators and quarterly reporting to the executive cadre on benefits realization status of IT projects; and initiating a formal review process of the procedures and practices of how project dashboard information is collected, reported, and enforced.

The agency has also delivered its IT investment plan, which includes all major activities.

Mr. Chair, we have duly noted the need to continue to implement our strong project portfolio management framework and will take steps to improve project portfolio management, project planning, and project reporting.

We are pleased, however, that the chapter presented by the Auditor General credits the work and our work plan already underway, and that we are well-positioned to meet our commitments on time.

Mr. Chair, I would like to note the Auditor General's own comments on the audit. When he appeared before this committee on April 29, 2015, he stated: We were very happy with the framework that had been put in place in the agency and the fact that it was comprehensive. Our concern, again, was that it wasn't at this point in time always being applied in the management and the oversight of the projects.

This concludes my opening statement. I would be pleased to answer any questions the committee may have.

I'd like to ask my colleague to respond to the question. He's responsible for managing our IT projects and I think he can give you more detail on a couple of particular projects.

Thank you for the question.

I don't know whether you had any particular projects in mind. The audit report focuses on five of them.

I think I'll start with entry-exit, because it goes to explain the complexity of IT, which you alluded to. In our world, it's the complexity of the ecosystem we work in. It's a global system out there and our partners are strewn around the world.

In the case of entry-exit, this is the ability to capture exit information as people leave Canada and to share this, in some cases in land mode with the U.S. and in other cases in air mode with other government agencies. We are at the pointy end of 90 acts of Parliament, so our partners who are using some of the information we collect are not within our direct control.

Entry-exit is a good example of this. There are nine partners within the government that wanted the information there. The first major hurdle we ran into involved a horizontal privacy impact assessment not of the collection of the data but of how that data was going to be used. I'm looking at my colleague here who is at the heart of the privacy impact assessment work. That caused some delays. More recently on this is the fact that the regulations to be able to do this are in the border bill and we're still waiting for confirmation of the border bill.

This goes to tell you that there are a lot of dependencies external to the projects. We have to manage those. We know the business we're in, but by and large we have to account for those constraints and that was for entry-exit.

That's right.

If I may add one more thing, there's the airline industry as well.

I think the challenge for IT in this context is that all of those things aren't always specified up front and sometimes there are policy decisions that change and that are made along the way that really had nothing to do with whether or not we had good project management or project planning. People change their minds; something happens that creates a different need, and so that ends up creating a pressure on the IT systems.

I don't know if there's time for another project description.

I would say that we have sufficient resources for the projects, but we often use a combination of approaches.

I will ask my colleague to provide you with more details.

Of course, with such a large project portfolio, resources are always a challenge. So far, we have managed to address the shortcomings using the resource increase model.

When it comes to the larger projects currently being launched, we are looking at various service delivery models to give industry more and more responsibilities with regard to delivering our projects.

There is no single response. We have to consider each case, as well as the challenges and necessary skills. So far, it has not affected us directly.

Thank you.

I believe this refers to the issue that has been in the media in the last couple of days.

Our officers have access to a variety of tools at the primary inspection booth. If we talk particularly about CPIC, officers in secondary have full live access to CPIC. Officers in the primary booth have access to a variety of information, including lookout information from our law enforcement partners, including information they're pulling from CPIC and therefore asking us to look out for a particular individual.

I think there was a bit of a misrepresentation in the media. Officers do have access to a lot of information at primary inspection.

Can I ask my colleague to answer?

Yes. As we mentioned in the entry/exit initiative example, the observed backlogs rarely stem from a lack of funds or resources. In general, they have to do with the fact that we depend on other organizations. In the case of the entry/exit initiative, there are regulations surrounding the interactive advance passenger information initiative. Backlogs are caused much more by this dependence than by a lack of money or resources. You will note that none of the projects analyzed exceed their budgets. So the source of the problem is not that, but rather the need to effectively manage interdependence and, in this context, to find solutions to help us meet our deadlines.