Yes, certainly risk assessments were completed. I can confirm that, and my colleague from SSC is also confirming that.
I think we're also learning about the robustness of those risk assessments as we move to the cloud: Should we ask different questions? Should we look for different information? Certainly with respect to some of the findings by the Auditor General around the implementation of the guardrails, the two big lessons we take away have to do with automation and making sure we have put in place a good compliance framework.