Public Accounts Committee on Feb. 26th, 2019

Mr. Chair, thank you for this opportunity to discuss our fall 2018 report on physical security at Canada's missions abroad. This audit examined whether Global Affairs Canada had physical security measures in place at its missions for the effective protection of its staff and assets.

Physical security measures include safeguards such as fences, and vehicle barriers or alarm systems to prevent unauthorized access or attempts to cause harm. As an employer, the department is responsible for the safety and security of its staff. More than half the mission's staff members work in dangerous locations that require protective security measures.

Overall, we found that Global Affairs Canada had not kept pace with evolving security threats at its missions abroad. Over the past decade, the department received $650 million to upgrade the physical security of its higher-threat missions. We found insufficient documentation to demonstrate how its physical security projects were prioritized to ensure that the most critical needs would be met. The department had identified more than 200 security measures that were urgently needed across all its missions, but it did not yet have a plan in place for their implementation.

We found weaknesses in the security assessments conducted by Global Affairs Canada at its missions. For example, more than one-third of threat assessments were out of date and many of the vulnerability assessments were incomplete or failed to recommend safeguards to resolve identified weaknesses. In fact, baseline security standards that specified the safeguards needed to protect missions against direct physical attack were still under development at the time of our audit.

Without these standards, Global Affairs Canada cannot comprehensively assess the measures needed for the effective protection of staff and assets across its missions, yet the department is responsible for the safety of its staff working at missions abroad, and security upgrades to its many missions are urgently needed.

We examined the security measures in place at six high-risk missions and found significant security deficiencies at all six. The department had known about several of these deficiencies for years, yet it had not put in place all the recommended measures to resolve them, such as improved video surveillance, alarms or vehicle barriers.

Security officials at these missions didn't know the status of the approved physical security upgrades or what interim measures were needed to mitigate the identified security risks. Most of the department's capital projects to upgrade security were at least three years behind schedule and were taking almost twice as long to complete as originally planned. We found that these delays were caused by weaknesses in the department's project management and oversight. For example, construction project plans didn't sufficiently assess and build into the schedule the risks unique to the host country, such as the time needed to obtain permits.

Other federal entities, such as Defence Construction Canada, have specialized knowledge and experience in international construction projects that could help Global Affairs Canada ensure that important security upgrades are delivered on time and on budget.

Finally, we found that more than one third of the staff members working in some of the most dangerous locations hadn't taken mandatory security awareness training. As a result, Global Affairs Canada didn't have assurance that its staff members had the appropriate level of security awareness needed for their effective protection. We made five recommendations, and Global Affairs Canada agreed with all of them.

This concludes my opening remarks. We would be pleased to answer any questions the committee may have.

Thank you.

Thank you, Chair, and good morning, ladies and gentlemen.

I would like to say before giving my official remarks this morning that I am accustomed to sitting beside the late Michael Ferguson. Through you, Chair, could I extend our sympathy to Mr. Ferguson's family, but also to his colleagues and to members of this committee who worked so closely with the late Auditor General?

At Global Affairs Canada, serving Canada and Canadians abroad is our mandate. To deliver on this mandate we regard our responsibility for the protection of our staff, visitors and assets at Canada's international mission network as our key priority.

To this end, we continually review our security posture, procedures and systems to ensure they are robust and effective, and that they respond to the latest developments in the security context. This review process involves not only the physical security measures that have been assessed in the OAG audit, but also our operational security procedures and our security intelligence information. Collectively, these three security pillars work together to create layers of protection required for staff, visitors, information and physical assets. We believe that no one pillar can be viewed in isolation, and in many contexts specific elements, for example deploying guards, can be strengthened to compensate and provide mitigation for another area that may not be as strong. This interlinked approach is consistent with that taken by other foreign ministries.

Global Affairs Canada welcomes the Auditor General's report on the physical security pillar, and as Mr. Berthelette has said, we have accepted all of the recommendations. These recommendations are broadly aligned with those made in a recent 2018 internal audit conducted by the department under its current risk-based audit plan. The internal audit made five recommendations, which were tabled before our departmental audit committee in March of last year.

We are particularly pleased that the Office of the Auditor General relied on internal audit results to inform its observations, findings and recommendations. As members of the committee know, that does not always happen. ln particular, the Auditor General relied on the internal audit work conducted at four of our missions abroad and then conducted its own independent work at two more missions. We appreciate the collaboration and welcome the consistency of the findings.

Last year the department began to implement the recommendations made in the internal audit and has since deepened its action in the process of implementing the Auditor General's recommendations. The action plan in response to both audits is largely being addressed through the $1.8 billion in funding—that's over a 10-year period—the department received in the 2017 fall economic statement as a part of the duty of care package to improve security at missions abroad.

To ensure that these investments are effectively prioritized, tracked and implemented, Global Affairs has established a new global security framework. The framework explicitly integrates risk management principles into security policy development and decision-making and enables risk-based priority setting and resource allocation. The framework also provides the flexibility to adapt more quickly to the changing international security environment and to address future security needs as they emerge.

ln addition, security assessments, which include both threat assessments and vulnerability assessments, have transitioned from a one-size-fits-all cyclical approach to a risk-based approach that prioritizes more frequent assessments of our highest risk environments. This change has also been supported by more regular and proactive communications and linkages with mission security teams on the ground. For example, part of the duty-of-care investments has been used to acquire and implement an enhanced security information management system that is being used to document and track security requirements by missions to ensure that they're effectively monitored and efficiently addressed.

As well, in line with the audit observations related to strengthening governance and clarifying roles and responsibilities, we have strengthened and will continue to strengthen our internal governance to better coordinate decision-making and enhance the consistency and effective delivery of physical security projects at our missions abroad.

More specifically, decision-making for the allocation of resources to all major capital projects has been streamlined with senior level oversight by an ADM level committee. The committee meets monthly and includes the departmental security officer as a key member, which is in line with one of the audit recommendations.

The DSO's membership in the committee reflects the fact that many of our real property projects include physical security aspects. The committee is critical to ensuring strengthened project management for real property projects and for improving their timely delivery. As well, project delivery is being supported now by a recently created project management office. The office is responsible for maintaining quality assurance, the timeliness of project delivery, and monitoring and reporting on results.

The AG's report also highlighted the need for the department to initiate discussions with other government departments and to adopt best practices. In this respect, we continue to learn from our federal colleagues as well as with respected project management divisions of our foreign counterparts worldwide. These lessons will also contribute to, and benefit from, the Government of Canada's project management community of practice.

While the new governance structure is strengthening project management oversight, and best practices continue to be adopted, it is also true that physical security projects abroad are often undertaken in complex and, at times, unstable overseas environments where foreign laws, policies and other local conditions are outside our control. Events and changing circumstances can seriously impede project delivery and sometimes call for alternative mitigation. New tracking systems will monitor and flag those areas where such alternative mitigation is required.

Finally, an additional area covered by the Auditor General that wasn't included in the scope of our internal audit relates to security training.

In line with the recommendations, and as part of the duty of care investment package, we have work under way to strengthen our security competencies and capabilities.

The security training program has been revamped and will be broadened to improve the preparedness of departmental staff and locally engaged staff. A new mandatory five-day security training course has been added to the learning curriculum for staff heading to hazardous environments. Other courses have been updated to keep pace with evolving security needs. All training is designed to respond to operational needs and to mitigate risks abroad. A tracking solution has also been implemented to document and monitor training completed.

In closing, I would note that the physical security function examined in this audit comprises only one component within a broad range of measures that are employed in an integrated fashion to enhance the protection of our staff, visitors, information and assets abroad.

Additional security measures, such as security briefings, security equipment, real-time intelligence, personnel movement protocols and guard protection provide critical security enhancements and additional layers of mitigation.

In extreme cases, where risks are elevated, or where physical security measures require enhancements that can't be achieved, restrictive movement protocols and adjustments to mission posture are implemented to compensate, up to and including staff withdrawals and mission closure as required to ensure the safety and security of all our employees. This has recently been the case in our missions in Caracas, Venezuela and Havana, Cuba.

Unquestionably, the safety of our employees is our duty and my foremost preoccupation. The modernization of our approach to all the elements required to operate securely, effectively and safely abroad is well under way and the full implementation of the audit recommendations is being facilitated through the duty of care investments recently announced.

We're already seeing the real impact of these efforts. The Auditor General's support for this direction is both valued and encouraging.

I will be assisted by my colleagues. Dan runs our international platform, and Heather is specifically charged with our consular program, as well as our security operations and emergency management. Heather and I were before the committee recently.

Thank you, Chair.

We're undoubtedly very concerned about many aspects of this case. The case clearly shows the limits that we face, in part because of privacy legislation and the fact that the issue is before the courts.

In addition, we must note that we have limited knowledge of what happened and the nature of the risks faced by our employees.

We are perfectly happy to answer questions in this regard, notwithstanding the limits.

I can tell you that we have learned as we have proceeded. We have worked with the Cuban authorities to the maximum degree possible. We have worked with our American colleagues to learn as much as we can. And we have applied more measures to safeguard our employees in Havana, including restricting the footprint in Havana to respond to continuing concerns and incidents there. We will continue to apply that standard of care.

We don't always know where the threats are going to come from. In this particular case, it is especially troubling that we don't know precisely what the source of the problem is. We have provided the appropriate diagnostic testing and care. We continue to meet with the staff concerned. Those cases represent a wide variety of circumstances and of reactions within those families, our staff and their dependants, so there is no single pattern that points very clearly to a problem and/or the nature of the problem.

As I said, we have learned as we've gone; we know more than we did in the early days. But this is an extremely troubling situation and we are open to whatever technical advice we are receiving from medical personnel and from our colleagues, as well as from other agencies we're working with, such as the RCMP and so on.

Yes. I think you'll appreciate that I want to be careful about going into too much detail, but as far as we know, we have full information about where staff have been affected physically—what locations—and we take that into account.

We have reduced the footprint to provide the core support to Canadians who visit Cuba. As you know, that is very substantial, as Canadian companies work in Cuba. We have, in prudence, not exposed more staff. We continue to assess the nature of the exposure, and we do that virtually continuously with the staff in Cuba. We have all—Heather particularly, and the ADM responsible for the geographic region—been in touch with the head of mission and with the staff who have returned.

I think you're referring now more generally—

The head of mission is effectively the CEO for Canada corp. in that location.

However, it is a collaborative effort between headquarters, which has to apply standard protocols and also has some objectivity of distance that can look at the data and the assessment and make final decisions on security posture, and the mission. But on the ground, the head of mission has considerable scope, including authority with respect to other departments located in our missions, to manage the security posture.

I think we would empathize that it's a highly collaborative thing between the mission and headquarters.

The ongoing news on this Cuba episode really brings into focus the very real dangers and threats that exist to our missions.

Your answers to the questions by Madam Mendès about trying to quantify or to understand the threats that exist, I think are going to be cold comfort for the 7,800 employees in Canada's foreign missions. We have an Auditor General's report that is full of examples of failures to address known threats. We're not even dealing with the threats we know about, never mind new threats that are only beginning to be understood.

I bring to your attention, under paragraph 4.24, the following:

security measures recommended for implementation at each of the six missions had not been tracked or prioritized for action. For example, at one mission, the perimeter was identified in 2011 as a critical vulnerability requiring very urgent attention. But during our site visit in 2018, we found that this issue had not yet been resolved....

You identified a critical threat in 2011, and in 2018 it hadn't been addressed.

This is a committee where we demand accountability for how the funds authorized by Parliament have been spent to execute the policy of the government. We have a report full of examples of failures to protect our own employees in foreign missions.

Please explain why there have been these failures to implement known security mitigation measures.

First, I would say that we accept all of these findings and the implications of the findings. As I said, we found them ourselves in our own internal audit.

Second, we make use of the resources that we have available to us at any given time, and we have to allocate those resources on the basis of current need. In some cases, the more urgent security needs would account for the delay in identified projects or the pacing of projects.

Third, as I indicated, and as the Auditor General's office indicated, the documentation of projects both for tracking needs and for tracking implementation was, as is so often the case, not there. We have now put those tracking systems in place.

These cases that are described are accurate, and we have put in place, as I indicated in my comments, the measures to know exactly where we are in our projects and to make decisions on the basis of risks as they emerge over time.

The report identified that some of your funding almost lapsed or had to be retained by special applications. I do understand that you must deal with what is allocated, but you didn't even spend what was allocated. I don't find it an acceptable reason for not having implemented known security improvements when you have lapsing money. It's good that your internal audit appears to at least match the Auditor General's. That's positive, and it contrasts with some other studies that have been before this committee.

Mr. Berthelette, you visited two sites yourself and relied on their audit. I'll have you comment on the congruency of the internal audit and what you found. This is an important point if it's just not practical for you to audit these physical sites in most cases.

Mr. Chair, I'll ask my colleague, Ms. McCalla, to answer that question.

Thank you, Mr. Chair.

We did rely on the the recent internal audit done by Global Affairs on physical security. We had worked with them very closely to ensure we could do that. In our and their view this would provide the most value to Global Affairs. They had done a series of site visits. The objective of their audit was to determine, out of the past tranche of funding Global Affairs had received to upgrade physical security, what upgrades had indeed been done. They developed a test program in their various missions to identify the status of the physical security measures that were on the books to be implemented. We had developed a similar audit approach with Global Affairs to go to additional sites and rely on their sites, and together we would have a much better picture with six sites.

I want to get back to Mr. Shugart about how we got to this point. The Auditor General said the department's capacity to deliver its security projects was limited. Many positions that dealt with capital projects at missions abroad were vacant, and the department had not conducted lessons learned or studies on past failures. Failures of project oversight and project management were identified as problems in the security shortcomings. Again you were here to account for the department and for the funds allocated for that. How do you explain these kinds of failures?