Public Accounts Committee on May 27th, 2015

Mr. Chair, thank you for this opportunity to discuss our spring 2015 report on information technology investments managed by the Canada Border Services Agency.

Joining me at the table is Martin Dompierre, principal, who was responsible for the audit.

This audit focused on assessing whether the Canada Border Services Agency has the corporate and management practices in place to enable the delivery of information technology investments that align with and support its strategic corporate objectives.

As part of the audit, we consulted six federal government departments and agencies to get their views on their collaboration with the agency.

The Canada Border Services Agency plays a key role in Canada's security and prosperity by managing the access of people and goods to and from Canada. In the 2013-14 fiscal year, the agency admitted close to 100 million travellers and cleared more than 14 million commercial shipments. These and other agency activities resulted in the collection of $26.9 billion in revenues.

Information technology plays an important part in the agency's ability to achieve its strategic objectives and its mandate to ensure border security. The agency's current portfolio is made up of 30 information technology projects, with a budget of more than $1 billion.

Overall, we found that the agency has had significant challenges in managing its information technology portfolio in a way that ensured it could deliver IT projects that meet requirements and deliver expected benefits.

In December 2013, the agency put in place a new project portfolio management framework to strengthen its management of IT investments. We found that the framework was comprehensive, but our review of five projects against the framework revealed that the agency had not fully applied it, which resulted in several issues.

For example, we found that the information provided to senior committees tasked with overseeing the information technology portfolio did not contain accurate financial information, project status information, or timelines. This information is important to ensure that projects are being managed to meet all stages of approval, meet delivery requirements, and align with the agency's strategic objectives.

In addition, projects often lacked clear requirements, had no defined and measurable benefits, or had poorly stated benefits. This resulted in project delays, duplication of effort, and business requirements that were not finalized. For example, over 75% of projects had minimal or no information on whether benefits would be realized or aligned with strategic objectives.

Information technology plays a key role in the agency's ability to achieve its strategic objectives and mandate. Without access to complete, reliable project information with clear business requirements, the agency is restricted in how efficiently and effectively it can manage its portfolio of projects.

Our report makes three recommendations to the Canada Border Services Agency. The agency has agreed with our recommendations and has shared its action plan with us.

Mr. Chair, this concludes my opening remarks. We would be pleased to answer any questions the committee members may have. Thank you.

Thank you very much.

My name is Caroline Weber. I am the vice-president of corporate affairs at the Canada Border Services Agency, or CBSA. I have with me today my colleagues, the associate vice-president of information, science and technology, Mr. Louis-Paul Normand, and Mr. Chris Bucar, who is acting director general of resource management.

I'd like to thank the committee for affording us the opportunity to appear today in order to discuss chapter 5 of the spring report from the Auditor General of Canada.

As the committee is aware, the audit of CBSA's information technology investments examined whether the agency's corporate and management practices are enabling the delivery of IT investments.

As the Auditor General noted, the CBSA is a law enforcement agency, charged with a dual mandate to secure the border, while contributing to Canada's prosperity by managing the access of people and goods to and from the country.

Our responsibilities are diverse and complex. In a global age, modern border management means focusing our efforts on six core areas: pushing out the border; facilitating the entry of low-risk people and goods; delivering integrated and effective enforcement; improving efficiencies; increasing harmonization with our international partners; and focusing on client service excellence.

Managing the border in today's environment involves broadening our understanding of what is traditionally thought of as “the border”.

Rather than thinking of the border as a line across the 49th parallel, our approach increasingly is to manage the border as a corridor where decisions are sequenced and made, as much as possible, before people and goods arrive. Addressing threats at the earliest possible point is essential to strengthen security and improve the free flow of goods and people through our border, and investment in our information technology is critical to our ability to do that.

Since 2013 the CBSA has invested considerable time and energy to improve project management, while developing and delivering one of the most complex suites of IT projects in the Government of Canada, including significant responsibilities under the beyond the border action plan.

The investments being made in information technology are not solely about back office efficiencies. These projects are necessary to realize operational benefits such as improving the CBSA's lookout system, scrutinizing passenger name record information before inbound flights depart, and analyzing electronic manifest information before commercial import shipments arrive at crossings.

Consequently, the agency has an IT project portfolio totalling more than $1 billion. As noted by the Auditor General, the agency implemented a strong project portfolio management framework in 2013 to better manage these investments to 2020.

The CBSA is pleased that the Auditor General's spring report reinforces that the direction and actions taken by the agency are on the right path to further improve the management of major IT projects.

We also agree that the recognized strong project management framework will continue to evolve, providing more and more predictability for project delivery.

Overall, the audit reached three main conclusions: that while the CBSA has established a robust project portfolio management framework, it requires full implementation and a strengthened governance process for IT investments; that more clarity was needed for IT systems requirements to ensure project requirements could be met, and defined measures were needed to assess project benefits; and that clear requirements for how project dashboard information is collected, validated, and reported were required for consistent and complete project status reporting on IT projects.

Mr. Chair, as the agency has responded in the report and in the management action plan provided to this committee, the CBSA agrees with the Auditor General's conclusions. We are committed to continuing to strengthen the controls and oversight necessary to fulfill our commitments on IT projects and ensuring that they deliver expected benefits.

We have a detailed work plan in place to address the key issues. That has been reviewed by the Auditor General's office. We are tracking on time to meet those commitments. A few examples of this work include the following: updating important IT planning documents, such as the annual IT plan and an investment plan, which includes all significant capital projects over the next five years; establishing directives to ensure that enterprise architecture is adhered to by all IT projects through formal gate reviews and approvals; formalizing the coordination and oversight function across all project stakeholders, developing a baseline set of performance benefits indicators and quarterly reporting to the executive cadre on benefits realization status of IT projects; and initiating a formal review process of the procedures and practices of how project dashboard information is collected, reported, and enforced.

The agency has also delivered its IT investment plan, which includes all major activities.

Mr. Chair, we have duly noted the need to continue to implement our strong project portfolio management framework and will take steps to improve project portfolio management, project planning, and project reporting.

We are pleased, however, that the chapter presented by the Auditor General credits the work and our work plan already underway, and that we are well-positioned to meet our commitments on time.

Mr. Chair, I would like to note the Auditor General's own comments on the audit. When he appeared before this committee on April 29, 2015, he stated: We were very happy with the framework that had been put in place in the agency and the fact that it was comprehensive. Our concern, again, was that it wasn't at this point in time always being applied in the management and the oversight of the projects.

This concludes my opening statement. I would be pleased to answer any questions the committee may have.

I'd like to ask my colleague to respond to the question. He's responsible for managing our IT projects and I think he can give you more detail on a couple of particular projects.

Thank you for the question.

I don't know whether you had any particular projects in mind. The audit report focuses on five of them.

I think I'll start with entry-exit, because it goes to explain the complexity of IT, which you alluded to. In our world, it's the complexity of the ecosystem we work in. It's a global system out there and our partners are strewn around the world.

In the case of entry-exit, this is the ability to capture exit information as people leave Canada and to share this, in some cases in land mode with the U.S. and in other cases in air mode with other government agencies. We are at the pointy end of 90 acts of Parliament, so our partners who are using some of the information we collect are not within our direct control.

Entry-exit is a good example of this. There are nine partners within the government that wanted the information there. The first major hurdle we ran into involved a horizontal privacy impact assessment not of the collection of the data but of how that data was going to be used. I'm looking at my colleague here who is at the heart of the privacy impact assessment work. That caused some delays. More recently on this is the fact that the regulations to be able to do this are in the border bill and we're still waiting for confirmation of the border bill.

This goes to tell you that there are a lot of dependencies external to the projects. We have to manage those. We know the business we're in, but by and large we have to account for those constraints and that was for entry-exit.

That's right.

If I may add one more thing, there's the airline industry as well.

I think the challenge for IT in this context is that all of those things aren't always specified up front and sometimes there are policy decisions that change and that are made along the way that really had nothing to do with whether or not we had good project management or project planning. People change their minds; something happens that creates a different need, and so that ends up creating a pressure on the IT systems.

I don't know if there's time for another project description.

I would say that we have sufficient resources for the projects, but we often use a combination of approaches.

I will ask my colleague to provide you with more details.

Of course, with such a large project portfolio, resources are always a challenge. So far, we have managed to address the shortcomings using the resource increase model.

When it comes to the larger projects currently being launched, we are looking at various service delivery models to give industry more and more responsibilities with regard to delivering our projects.

There is no single response. We have to consider each case, as well as the challenges and necessary skills. So far, it has not affected us directly.

Thank you.

I believe this refers to the issue that has been in the media in the last couple of days.

Our officers have access to a variety of tools at the primary inspection booth. If we talk particularly about CPIC, officers in secondary have full live access to CPIC. Officers in the primary booth have access to a variety of information, including lookout information from our law enforcement partners, including information they're pulling from CPIC and therefore asking us to look out for a particular individual.

I think there was a bit of a misrepresentation in the media. Officers do have access to a lot of information at primary inspection.

Can I ask my colleague to answer?

Yes. As we mentioned in the entry/exit initiative example, the observed backlogs rarely stem from a lack of funds or resources. In general, they have to do with the fact that we depend on other organizations. In the case of the entry/exit initiative, there are regulations surrounding the interactive advance passenger information initiative. Backlogs are caused much more by this dependence than by a lack of money or resources. You will note that none of the projects analyzed exceed their budgets. So the source of the problem is not that, but rather the need to effectively manage interdependence and, in this context, to find solutions to help us meet our deadlines.

Under our project management framework, we assess privacy factors for each of our projects. As I said in the example I provided, that assessment covers everyone involved. In this particular case, every department that needed the information had to present their own case to the Privacy Commissioner to be able to use the information for the purpose sought.

The two reports have been delivered on time. In fact, the annual investment plan—and I'm looking at my colleague, here—was delivered on April 23, 2015. The annual IT plan.... By the way, both of them went to Treasury Board. They were done on time, and they do map all our investment to our PAAs and our priorities. In fact, in the case of the investment plan, it was the second one in a row that has been delivered. It was also the case for the annual IT plan.

We have taken the recommendation seriously. In fact, we had started on updating those documents prior to the audit.

That's right.

Yes.

We look at this information every couple of weeks, and then every month at our senior executive committee, as well.

In my organization we're responsible for looking over the shoulder of my colleagues in making sure the information is accurate. We are putting in place more robust and clearer instructions on how to populate some of those things.

We did have some discrepancies, as the Auditor General referred to. We knew about those discrepancies, but we were living with them because there were time gaps or time lags between some of the information. We were not including some standard information that would have been easy to add because we knew it was there and it's not the way we usually reflect things internally. However, we are changing that as a result of this audit.

We will continue to look at this and conduct our own internal audits. I imagine the Auditor General will revisit this audit in a few years, as they usually do, and provide an external check on us, as well.

It's a good news story. It's completed.

The business case was tabled and approved by TB ministers in—I forget the date—I think it was April, as well. It was presented and approved.

I'll do it in 15 seconds.

I mentioned that we enact 90 acts of Parliament. We collect information on behalf of a number of departments. Think of Health, Agriculture, CRA, and so on. Every department that wanted information collected at the border used to have their own forms and their own ways of collecting it. We would enact or enable that. Now it's all been concentrated into a single window for coming into Canada, if you want to call it that. That has streamlined the process at the border a lot.

The sources can come from a variety of places. Sometimes there's a change in policy direction, as well.

Yes, it can be our partner departments. We are sort of at the end of many policy processes for other departments. We enforce the law for Agriculture, the Public Health Agency, Health, DFATD, etc. We are often kind of at the operational end of what they're doing.

Can you give me the paragraph number?

Master data management?

No. If I may clarify, first of all, the master data management decision is still before us. We had a comment on the enterprise architecture framework in the report. This is part of our town planning that we're doing right now.

Master data management has the ability to create a single entry record for either the traveller or commercial...so that we always make sure the name we scan at the border is matched against the right record. So this is the ability—

We'll have the business case on master data management and we'll take into consideration the impact on Citizenship and Immigration Canada, and if that impact prevents the successful business case from being realized, it will be factored in there. The decision for master data management has not been made. We have not impacted anyone at this point, not Citizenship and Immigration Canada, nobody.

I guess when you look at that whole paragraph in terms of project deliverables, it goes through, as you said, what was happening in terms of.... I think the issue is really around the project deliverables, identifying what the project was intended to do, and the milestones, and I think probably in the process of identifying what some of those project deliverables and milestones would be, that would have had an impact on the other organizations that were involved.

Again, the particular part of what was identified as being an important part of this project was having the master data management. But when they were through the process of identifying what the deliverables were going to be and what those milestones were going to be, I think some of the changes in that process caused an impact, in this particular case, on Citizenship and Immigration Canada.

What we've identified, essentially, is that, again, they have designed a strong project portfolio management framework, so, as I've said before, we were happy with the fact that the framework existed.

Over the course of the next number of paragraphs, we talk about many of the aspects of that framework, such as governance structure in paragraph 5.17 and their investment planning in paragraph 5.21. Then we talk a bit about enterprise architecture and the risk profile. Again, they have a number of different components to that framework which we found were good.

However, I think that in order to have the level of confidence you were talking about—and it is a billion-dollar portfolio of projects—what's important is to make sure that the framework is fully implemented and is used. The first step is there, and it's an important step to have the framework, but then what's really important is to make sure that framework is being followed. Some of the things, such as making sure that all of the information going to committee is rigorous and agrees with all of the supporting documentation so that the committee has the information, I think are a good example of that.

Absolutely, and thank you very much for the question.

We did recognize a number of years ago that we needed to improve with regard to IT project management, so we put in place this framework and started implementing it. I can tell you that our IT projects are being delivered on time now and on budget, so the framework that we put in place has achieved that.

In addition to some of the issues that the AG has identified, benefits realization was part of our framework as well, but we hadn't implemented it yet, so we are following through on that plan. We've had the benefits realization discussions at our technology and innovation project committee—I don't think I have the title of that committee right, because we use acronyms all the time—and we are moving forward. There are people mobilized to look at benefits management and benefits realization.

I think that we're not alone in the Government of Canada. There is no excuse for that, given the size and the importance of what we're doing, but I think it's something that we've been struggling with across the government in terms of making sure that even if we have an idea of what the IT system is going to do—and many of ours are replacements of legacy systems to improve security, not always to generate savings—we haven't always quantified that. Our task before us is to operationalize the savings that have been previously identified or the benefits that have been previously identified.

Oh, oh!

I will turn to my colleague.

Thank you for the question.

The replacement of that system is actually twofold. One is within the CBSA's control, and it's the lookout database that we talked about earlier. The other aspect is for our officers in the ports of entry to use GCMS, the global case management system, deployed and managed by CIC. In this case, we are using what's called FOSS right now. When you scan your passport it goes to the database called FOSS, and that's what we're decommissioning. FOSS is currently doing the two systems.

We had to agree as to what would be done in GCMS, so in the CIC system, and what had to be done and developed by CBSA. It's not an incremental cost, in that if we hadn't done it—in this case we decided to do it—then CIC would have had to do it.

The disagreement had to do with who was to do it, not the cause of an overrun. The $2.3 million was the licence for the FOSS vendor, the legacy vendor. The decision would have been to carry it on anyway because of the rollout plan that we deployed. In other words, there was no way that we would have been able to turn off FOSS as a back-up system in December 2013 as originally planned.

It was not really an incremental cost.

It's difficult to explain what the delays were. I was not around at the time.

There are a lot of moving parts in FOSS. It's a complex project. There are over 19 systems that FOSS interacts with to get the information we should be looking for at the border. In addition to the other transformation projects at the agency, and the fact that this one is internally funded—not funded through Treasury Board—it became a matter of can we live a little longer with the old one.

I may turn to Chris to answer this. I believe we did generate our next plan in 2013-14, 2014-15.

Anyway, I'll let Chris speak to this.

Mr. Chairman, thank you for the question.

CBSA agrees with the audit findings and acknowledges that material changes should have been reflected in the update of the investment plan to Treasury Board. Going forward, the agency will review and update future investment plans if similar circumstances arise, as required by Treasury Board.

I would like to reiterate that the agency's investment plan and annual IT plan have been approved. They were submitted to Treasury Board and approved on April 23, 2015.

It wasn't something that we looked at. This was just looking at CBSA. We didn't extend the audit to look at other organizations because of the scope of this audit.

Thank you for the question. The idea of beyond the border is that collecting information earlier gives us more of an opportunity to assess threats and risks and to ensure that those threats and risks don't actually come to the border. We call it pushing the border out. The concept really is to collect information earlier and to then facilitate the easier flow of legitimate goods and travellers that are low risk or that there is no reason to stop.

As for which projects might be most interesting or helpful, I think of things like the single window initiative, which makes it easier for traders to provide information to federal government entities by putting the information in once and other government departments that need access to it get it. Everything we do that makes it easier for them to interact with us I think makes it easier for legitimate goods to flow across the border. I don't know if you want more on that.

When do we finish everything? There are a couple of dates that haven't quite been identified for 2015 and 2016.

We're even talking about beyond the border 2.0 at some point as well.

To add to what my colleague was saying, it also has a lot to do with trusted travellers and trusted traders in border communities, so that as these people approach the port of entry, we already see them coming before they are there. RFID, radio frequency identification, enables them to access the right booth and the right information. The idea is that for people in those communities that straddle the borders, who cross all the time, the NEXUS program comes to mind and the trusted traders program comes to mind. The FAST program, free and secure trade, allows commercial goods to go through unstopped. It's more about that. It's knowing about who is coming prior to doing all the business at the border which slows the border down.

I think from a NEXUS perspective perhaps that's true. We have more capacity in general to handle our trusted travellers, NEXUS card holders, at the larger ports of entry than we do at the smaller ports of entry.

Before I turn it over, the short answer is yes. I don't know if you want to enlarge on that.

One thing I would say is that we're also caught in midstream on some of these projects. For projects that had already started, we implemented these frameworks, and then the question was how far back in time to go. Some of the issues we confront here, such as benefits realization for a project that was almost done, we had to look at and ask whether it was worth going back to try to figure out how to measure what the benefit would have been if it was already past gate six and was about to be closed anyway.

The service life cycle management framework is not the same framework that changed names along the way. The project management framework was created to manage the projects once we knew we had a project. The portfolio management framework broadened that to include the investment management, what we're talking about, investment and benefits, and realization of that investment.

The key elements of those two frameworks are gates and governance. In other words, we gate all the investments through the seven gates in our framework and then we present information to the governance committees to seek their approvals. The service life cycle management framework takes that further and describes what information should be presented for approval. We had a bit of a gap there in the sense that we said you need to have your requirements presented but we didn't specify from a methodology perspective what the document looked like. Now with the service life cycle management framework we do.

Thank you for the question.

That is actually what I was talking about a little earlier when we were discussing enterprise architecture. It enables us to do our town planning, if I may call it that, to ensure not only that the CBSA systems are interconnected—and there are some challenges with that—but that they are also linked with external partners' systems. Citizenship and Immigration Canada is one of those partners. When we deal with the global air industry, we have to make sure those standards are in place. We are doing that now. It was central to our enterprise architecture. We call it service-oriented architecture, and it's what will enable us—or is already enabling us—to interact with external partners in an effective and secure manner.

I would just add that what we're dealing with here in many cases are legacy systems that don't talk to each other, and a lot of what we're trying to do is overcome those silos. Much of the IT that we have is at least 20 years old and it came from the old Immigration, the old CCRA, Agriculture.... They were all separate systems, so the task before us is to take 40 databases and systems and start to move them together.

They just laid the groundwork for doing what you are talking about.

I would like to specify something about CIC. The relationship is so close that we have an independent governance system with the associate deputy minister. We meet every two weeks to discuss those issues and ways to make the projects operational. We talk about significant impacts at the border. We have to train our staff and the CIC staff. All those issues are discussed at that governance level.

That is our objective, of course.

To make the border more secure, we have to interact with our partners. That means we need another system. However, when we say that, we are not just talking about a system. We are talking about 288 applications and 42 databases. The main challenge is the integration and interaction of those systems.

The system must do everything in an exemplary manner. That is why the architecture is becoming absolutely critical. We have to make sure that it is open, but that we also increase security. That is of the utmost importance.

It is actually the main challenge. The CBSA often decides not to go ahead with a system because it cannot really put the right bolts into the right places to ensure that the system will be secure.

I think that again the agency has put in place an appropriate framework, but in order to ensure that the systems are going to deliver what they're supposed to deliver, that framework has to be operating as intended. There's more than just making sure systems are delivered on time and on budget. There's also making sure that the systems are delivering what they were intended to deliver. That's why we talk in the report about the need to assess the benefits and assess whether the systems are aligned with the objective of the agency.

Again, I think where I would be right now is that they have the tools to try to make sure these systems are appropriately delivered, but they need to really make sure, because we are talking about $1 billion, we're talking about a complex business, and we're talking about complex systems. It's really important to make sure that this framework is rigorously applied in order to get the types of outcome that you're talking about.

I'm afraid I haven't come prepared to speak explicitly to that and I don't come from operations. My colleagues in enforcement and intelligence, I think, are better able to respond to that. I did follow the media, though, and I know that the funding is for us to increase our capacity to follow foreign fighters basically and conduct investigations.

Thank you for the question.

I'll turn to my colleague to describe the current state of play on the FOSS-GCMS transition.

As I mentioned earlier, there are two parts to FOSS. There is the use by our border services officers of GCMS for entering immigration data as they process immigrants as they show up at our ports of entry. That's been operational since last summer. We are tweaking that right now because we have some choke points, namely the large airports. We're tweaking the performance of GCMS to handle the volume before we switch FOSS off.

On the side of the CBSA, the information from GCMS will be made available and located in a high-performance database so that, at primary scan, your passport won't hit GCMS, which is not necessarily the right level of performance for our peak periods. It will hit our database on our servers. Those two pieces are actually developed and in operation right now. What we're working with operations on is the ability to terminate the use of FOSS as a crutch. It's been in use since the 1970s and, as we are about to pull it, there are some concerns whether the other systems can hold their own.

I don't know the answer to that.

Do you know the answer to that?

Well, I'm not sure. I had a hard time hearing, so....

Yes, me too.

We worked on a procedure for how to assess benefits and how to identify benefits. That discussion happened in January at the committee which my colleague chairs. We're now in the process of going after that benefits identification for those projects.

My safe guess is that we're actually about the same, but by the end of June we will be in a very significantly different place, because people have been working in teams since the conversation we had in January to figure out how to operationalize benefits for those other projects.

We've mandated that all active projects go back and revisit their business case, their business requirements, and their project plan to make sure that the benefits are clearly identified, measurable, and harvestable.

Sorry, I was not around at the time of the first, but certainly as soon as we were made aware of the need for updating the capital plan, which is a five-year capital plan or investment plan, we did so immediately. This is the second version of the plan we produced after we were made aware of this.

The original plan was supposed to be for five years, but in the middle of it, all those investments came pouring in. As soon as somebody identified that we needed to update our investment plan, we did.

I think it did result in some frequent and intensive conversations with our colleagues in Treasury Board Secretariat.

We've been around since 2013...?

Yes, 2013.

Right. Thank you for the question.

With regard to those five projects, we mentioned that we've had a project measurement framework since 2012. The project measurement framework did not include an investment management component and benefits realization component. All of those projects were gated under the project management framework. The portfolio management framework, which was deployed in February 2014, added that rigour.

It's not a matter of if a project should be exempted; all projects are subjected to this now. At the time of the audit, no new projects had gone through the early gates. All the projects were in the latter gates of the portfolio management framework.

As I mentioned earlier, for all active projects I've pushed people back to meeting the requirements of the earlier gates—having all of the benefits identified, the requirements identified, and all of that. There's no exception. It's just that they had gone through those gates without doing it originally.

Do you want me to read the five projects into the record?

They're the entry-exit initiative, FOSS, or the field operations support system replacement project, the interactive advanced passenger information initiative, the single window initiative, and the temporary resident biometrics project.

Our issue was that as we were implementing our new framework, some of these projects—all of them, really—were in flight already. It was a question of how far back do you go given the project is.... For example, the single window initiative was approaching release to meet the previous gates, when the gates didn't exist when the project started.

I would like to turn to my colleague in IT.

It's a very germane question to my everyday life, so thank you for the question.

It is a complex business. I talked about dependencies. I talked about the size of some.... We're talking about half a trillion dollars crossing the border every year and 14 million shipments. The multipliers are massive, and the legacy world my colleague alluded to with coming out of CRA, Citizenship and Immigration, and other areas of departments has created a challenge from an immigration perspective. We have a lot of point-to-point connections between systems that are legacy and aged, and are on the IT list to be replaced within the next five years.

That's what we have to take into consideration when we start large projects like the ones you have here that have very specific business requirements. We have to look at those as opportunities to achieve our goals toward a town plan and not as a separate investment, which is unfortunately the way some of those investments were managed in the past. It is constant awareness of the need to converge toward a better world that pushes us to intercept as many of those investments as we can.

Thank you for the question.

As we've noted, we have completed our IT plan, our investment plan, and a number of things you see in our management action plan. I've looked at a pilot version of a report on benefits realization, and we have a way to go. We'll have that report ready in September. As I said, we have people working to make sure we have benefits operationalized for all of these projects that are beginning.

We really appreciate the opportunity.

We've worked very hard in the agency to take an attitude toward audits and evaluations that these provide us with management information and help us to do our job better. As I said, benefits realization was part of our work plan anyway, but the audit did highlight some other areas where we decided we had better put something more robust in place to make sure it's institutionalized and continues into the future.

Speaking to the complexity issue, I also think our framework allows us to identify problems earlier so that we can talk about alternatives and solutions, so that we're not marching blindly off a cliff into a project that doesn't work or doesn't contribute to our agency's goals. The gating process lets us monitor if something's starting to go in a bad direction, or out of budget. I think we have a lot of information on a very frequent basis.

Thank you.

That's what this was about. Yes.

In this particular instance, the two agencies funded that work, and the work to be done by CIC was paid for by CIC. The work to be done by CBSA was paid for by CBSA.

If I may, we would need to go back to the transcript, but I think what my colleague was trying to say was that the—

Thank you for the question.

We were all involved in the decisions about which gates would get checked off as we implemented a new framework. The challenge for us has been IT projects that were already in progress, had been started, were a long way down the road to being completed when we bring in a new project management framework. The question then was whether we were going to go back in order to check the boxes on these projects, or whether we were going to continue and deliver, especially when we're near the end of a project, knowing that we would leave it undocumented, but thinking perhaps it wasn't the right way to use our resources at that time.

On a go-forward basis, all of our projects are being put through the entire framework with no exceptions, and we review that all the time. It wasn't that these projects—

The reference you are making is in paragraph 5.56. We're talking about the importance of the health of a project being reported to the people who have oversight of those projects so they understand where the project is.

This is an example in the business-to-business project where it was confusing to understand exactly what stage the project was at because they seemed to have said it was closed, but then they were also continuing to work on it.

Understanding that is important. Going through projects and making sure that each stage is met along the way is critically important to understand that all the requirements as well as the time and the budget are on schedule, to make sure the project is going to deliver what was intended.

We would never ask a department to go back and try to redo gates that have already been passed. But we would expect the department, at the point they were putting in place a new framework, to at least look at those projects that were in place and identify if they seem to be on the right path to deliver what they were intended to deliver, regardless of the fact that you can't go back and re-document certain gates, whether they were passed or not passed.

Thank you, Mr. Chair, for the question. May I turn to my colleague? Thank you.

Thank you for the question.

The earned value management technique has been around for years and years. The first requirement is that you need to have a good plan. Based on that plan, you load up with your resources that you need to deliver on that plan. Then the tracking becomes the planned value. As you go through six months of activities, you should be 50% done on a 12-month project. If your actuals, your financials, are over that or below that, it creates a variance that you track. That's the essence of earned value. It does that for scheduling variance. It does that for cost variance.

Now in our dashboard to Treasury Board, the colour for cost and schedule is no longer subjective. It is based on a percentage of variance on cost or scheduled variance.

We removed a lot of subjectivity from the process using earned value analysis. At the risk of repeating myself, the key element is to produce a quality plan up front. People in a hurry will often produce subpar plans if they feel they can get away with it later.

Earned value catches bad plans early in the process.

Right.

Certainly. I will try to be quick about this.

As we've said, we've updated our investment plan and our annual IT plan as part of our regular cycle, and we've presented it to the Treasury Board for their approval already.

I'll move on.

Enterprise end-state architecture, we'll continue to expand that in both breadth and depth. A functional directive covering every domain of the enterprise architecture will be finalized by September 2015. Also, we've begun to move individual projects toward architecture standards that fully align with Shared Services Canada's directions, and the service life-cycle management framework ensures that enterprise architecture directions are adhered to by all projects.

Finally, we're going to continue to maintain our beyond the border project level risk profile and to provide a full portfolio risk update roll-up at the quarterly beyond the border senior project advisory committee.

Am I running out of time?