Good morning, colleagues.
This is meeting 129 of the Standing Committee on Public Accounts for Tuesday, February 26, 2019.
We're here today in consideration of report 4, “Physical Security at Canada's Missions Abroad—Global Affairs Canada”, of the 2018 fall reports of the Auditor General of Canada.
We're honoured to have with us from the Office of the Auditor General, Jerome Berthelette, assistant auditor general, and Carol McCalla, principal.
We also have, from the Department of Foreign Affairs, Trade and Development, Ian Shugart, deputy minister of foreign affairs; Heather Jeffrey, assistant deputy minister, consular, emergency management and security; and Dan Danagher, assistant deputy minister, international platform.
We welcome you all here. I would also remind members that we are televised today.
We will turn to Mr. Berthelette for his opening statement.
Mr. Chair, thank you for this opportunity to discuss our fall 2018 report on physical security at Canada's missions abroad. This audit examined whether Global Affairs Canada had physical security measures in place at its missions for the effective protection of its staff and assets.
Physical security measures include safeguards such as fences, and vehicle barriers or alarm systems to prevent unauthorized access or attempts to cause harm. As an employer, the department is responsible for the safety and security of its staff. More than half the mission's staff members work in dangerous locations that require protective security measures.
Overall, we found that Global Affairs Canada had not kept pace with evolving security threats at its missions abroad. Over the past decade, the department received $650 million to upgrade the physical security of its higher-threat missions. We found insufficient documentation to demonstrate how its physical security projects were prioritized to ensure that the most critical needs would be met. The department had identified more than 200 security measures that were urgently needed across all its missions, but it did not yet have a plan in place for their implementation.
We found weaknesses in the security assessments conducted by Global Affairs Canada at its missions. For example, more than one-third of threat assessments were out of date and many of the vulnerability assessments were incomplete or failed to recommend safeguards to resolve identified weaknesses. In fact, baseline security standards that specified the safeguards needed to protect missions against direct physical attack were still under development at the time of our audit.
Without these standards, Global Affairs Canada cannot comprehensively assess the measures needed for the effective protection of staff and assets across its missions, yet the department is responsible for the safety of its staff working at missions abroad, and security upgrades to its many missions are urgently needed.
We examined the security measures in place at six high-risk missions and found significant security deficiencies at all six. The department had known about several of these deficiencies for years, yet it had not put in place all the recommended measures to resolve them, such as improved video surveillance, alarms or vehicle barriers.
Security officials at these missions didn't know the status of the approved physical security upgrades or what interim measures were needed to mitigate the identified security risks. Most of the department's capital projects to upgrade security were at least three years behind schedule and were taking almost twice as long to complete as originally planned. We found that these delays were caused by weaknesses in the department's project management and oversight. For example, construction project plans didn't sufficiently assess and build into the schedule the risks unique to the host country, such as the time needed to obtain permits.
Other federal entities, such as Defence Construction Canada, have specialized knowledge and experience in international construction projects that could help Global Affairs Canada ensure that important security upgrades are delivered on time and on budget.
Finally, we found that more than one third of the staff members working in some of the most dangerous locations hadn't taken mandatory security awareness training. As a result, Global Affairs Canada didn't have assurance that its staff members had the appropriate level of security awareness needed for their effective protection. We made five recommendations, and Global Affairs Canada agreed with all of them.
This concludes my opening remarks. We would be pleased to answer any questions the committee may have.
Thank you, Chair, and good morning, ladies and gentlemen.
I would like to say before giving my official remarks this morning that I am accustomed to sitting beside the late Michael Ferguson. Through you, Chair, could I extend our sympathy to Mr. Ferguson's family, but also to his colleagues and to members of this committee who worked so closely with the late Auditor General?
At Global Affairs Canada, serving Canada and Canadians abroad is our mandate. To deliver on this mandate we regard our responsibility for the protection of our staff, visitors and assets at Canada's international mission network as our key priority.
To this end, we continually review our security posture, procedures and systems to ensure they are robust and effective, and that they respond to the latest developments in the security context. This review process involves not only the physical security measures that have been assessed in the OAG audit, but also our operational security procedures and our security intelligence information. Collectively, these three security pillars work together to create layers of protection required for staff, visitors, information and physical assets. We believe that no one pillar can be viewed in isolation, and in many contexts specific elements, for example deploying guards, can be strengthened to compensate and provide mitigation for another area that may not be as strong. This interlinked approach is consistent with that taken by other foreign ministries.
Global Affairs Canada welcomes the Auditor General's report on the physical security pillar, and as Mr. Berthelette has said, we have accepted all of the recommendations. These recommendations are broadly aligned with those made in a recent 2018 internal audit conducted by the department under its current risk-based audit plan. The internal audit made five recommendations, which were tabled before our departmental audit committee in March of last year.
We are particularly pleased that the Office of the Auditor General relied on internal audit results to inform its observations, findings and recommendations. As members of the committee know, that does not always happen. ln particular, the Auditor General relied on the internal audit work conducted at four of our missions abroad and then conducted its own independent work at two more missions. We appreciate the collaboration and welcome the consistency of the findings.
Last year the department began to implement the recommendations made in the internal audit and has since deepened its action in the process of implementing the Auditor General's recommendations. The action plan in response to both audits is largely being addressed through the $1.8 billion in funding—that's over a 10-year period—the department received in the 2017 fall economic statement as a part of the duty of care package to improve security at missions abroad.
To ensure that these investments are effectively prioritized, tracked and implemented, Global Affairs has established a new global security framework. The framework explicitly integrates risk management principles into security policy development and decision-making and enables risk-based priority setting and resource allocation. The framework also provides the flexibility to adapt more quickly to the changing international security environment and to address future security needs as they emerge.
ln addition, security assessments, which include both threat assessments and vulnerability assessments, have transitioned from a one-size-fits-all cyclical approach to a risk-based approach that prioritizes more frequent assessments of our highest risk environments. This change has also been supported by more regular and proactive communications and linkages with mission security teams on the ground. For example, part of the duty-of-care investments has been used to acquire and implement an enhanced security information management system that is being used to document and track security requirements by missions to ensure that they're effectively monitored and efficiently addressed.
As well, in line with the audit observations related to strengthening governance and clarifying roles and responsibilities, we have strengthened and will continue to strengthen our internal governance to better coordinate decision-making and enhance the consistency and effective delivery of physical security projects at our missions abroad.
More specifically, decision-making for the allocation of resources to all major capital projects has been streamlined with senior level oversight by an ADM level committee. The committee meets monthly and includes the departmental security officer as a key member, which is in line with one of the audit recommendations.
The DSO's membership in the committee reflects the fact that many of our real property projects include physical security aspects. The committee is critical to ensuring strengthened project management for real property projects and for improving their timely delivery. As well, project delivery is being supported now by a recently created project management office. The office is responsible for maintaining quality assurance, the timeliness of project delivery, and monitoring and reporting on results.
The AG's report also highlighted the need for the department to initiate discussions with other government departments and to adopt best practices. In this respect, we continue to learn from our federal colleagues as well as with respected project management divisions of our foreign counterparts worldwide. These lessons will also contribute to, and benefit from, the Government of Canada's project management community of practice.
While the new governance structure is strengthening project management oversight, and best practices continue to be adopted, it is also true that physical security projects abroad are often undertaken in complex and, at times, unstable overseas environments where foreign laws, policies and other local conditions are outside our control. Events and changing circumstances can seriously impede project delivery and sometimes call for alternative mitigation. New tracking systems will monitor and flag those areas where such alternative mitigation is required.
Finally, an additional area covered by the Auditor General that wasn't included in the scope of our internal audit relates to security training.
In line with the recommendations, and as part of the duty of care investment package, we have work under way to strengthen our security competencies and capabilities.
The security training program has been revamped and will be broadened to improve the preparedness of departmental staff and locally engaged staff. A new mandatory five-day security training course has been added to the learning curriculum for staff heading to hazardous environments. Other courses have been updated to keep pace with evolving security needs. All training is designed to respond to operational needs and to mitigate risks abroad. A tracking solution has also been implemented to document and monitor training completed.
In closing, I would note that the physical security function examined in this audit comprises only one component within a broad range of measures that are employed in an integrated fashion to enhance the protection of our staff, visitors, information and assets abroad.
Additional security measures, such as security briefings, security equipment, real-time intelligence, personnel movement protocols and guard protection provide critical security enhancements and additional layers of mitigation.
In extreme cases, where risks are elevated, or where physical security measures require enhancements that can't be achieved, restrictive movement protocols and adjustments to mission posture are implemented to compensate, up to and including staff withdrawals and mission closure as required to ensure the safety and security of all our employees. This has recently been the case in our missions in Caracas, Venezuela and Havana, Cuba.
Unquestionably, the safety of our employees is our duty and my foremost preoccupation. The modernization of our approach to all the elements required to operate securely, effectively and safely abroad is well under way and the full implementation of the audit recommendations is being facilitated through the duty of care investments recently announced.
We're already seeing the real impact of these efforts. The Auditor General's support for this direction is both valued and encouraging.
I will be assisted by my colleagues. Dan runs our international platform, and Heather is specifically charged with our consular program, as well as our security operations and emergency management. Heather and I were before the committee recently.
Thank you, Chair.
We're undoubtedly very concerned about many aspects of this case. The case clearly shows the limits that we face, in part because of privacy legislation and the fact that the issue is before the courts.
In addition, we must note that we have limited knowledge of what happened and the nature of the risks faced by our employees.
We are perfectly happy to answer questions in this regard, notwithstanding the limits.
I can tell you that we have learned as we have proceeded. We have worked with the Cuban authorities to the maximum degree possible. We have worked with our American colleagues to learn as much as we can. And we have applied more measures to safeguard our employees in Havana, including restricting the footprint in Havana to respond to continuing concerns and incidents there. We will continue to apply that standard of care.
We don't always know where the threats are going to come from. In this particular case, it is especially troubling that we don't know precisely what the source of the problem is. We have provided the appropriate diagnostic testing and care. We continue to meet with the staff concerned. Those cases represent a wide variety of circumstances and of reactions within those families, our staff and their dependants, so there is no single pattern that points very clearly to a problem and/or the nature of the problem.
As I said, we have learned as we've gone; we know more than we did in the early days. But this is an extremely troubling situation and we are open to whatever technical advice we are receiving from medical personnel and from our colleagues, as well as from other agencies we're working with, such as the RCMP and so on.
It's good to see you again. Thank you all for being here.
Starting with the focus of the audit, it states the following in paragraph 4.6:
This audit focused on whether Global Affairs Canada met its physical security needs at missions abroad to protect its staff and assets.
The overall message in paragraph is:
Overall, Global Affairs Canada had not taken all measures needed to keep pace with evolving security threats at its missions abroad.
Further, in the conclusions in paragraph 4.78, it states:
We concluded that Global Affairs Canada did not fully meet its physical security needs at missions abroad to protect its staff and assets.
I find this really surprising for a whole bunch of reasons, not the least of which is that in terms of governance, like it or not, security is a huge issue. In your department, it's what you do. I was really surprised and disappointed that something so important in a department that deals with security as its major focus would have these problems with obvious stuff. This isn't like deep intelligence and the analysis going wrong. These are basic things. It's really disconcerting when you think about how easily things can turn.
One of the greatest examples—and it's an extreme example, but a real one—was Iran in 1979. Going from no problem at all to all of sudden a crisis that can bog down a government and a nation for years, if not decades, can happen in a blink. These are the first lines of defence. I just find it passing strange.
I'll just leave that there. If you want to comment on that in some way, you can. Otherwise, I'm just going to move on to my questions.
I'm going to pick up where you were just recently. You talked about managing projects. There's been a vulnerability for governments for years, as we know. However, the Auditor General makes reference in paragraph 4.63 to the following:
Other federal entities that deliver security projects internationally have knowledge and expertise that, in our view, could benefit Global Affairs Canada. For example, Defence Construction Canada runs construction and engineering projects internationally, many with unique security requirements. It delivers most of its projects for National Defence, but it also provides services to other government entities, such as Communications Security Establishment Canada. In our 2017 special examination, we found that Defence Construction Canada did a good job
—shout out to them—
of managing construction projects and contracts. For example, it carried out contracts according to the client's requirements, and it met deadlines and budgets.
How about that? You said there are vulnerabilities, but the Auditor General was able to point to a major player in the development of projects that does a really good job. From what I know about security, when you're starting to talk of Communications Security Establishment Canada, we're getting into some really serious stuff. These have to be trusted folks.
Why didn't you go down this road? Why did you let yourself...?
The last thing I'll say concerns the chart on page 13. Holy smokes. Where were the grown-ups in the room?
I would be delighted to. Indeed, I was wondering about asking the chair if I could make a comment on this.
My experience as deputy minister in three departments now points to a tendency across government that I think would be of broad interest to the public accounts committee. It is that frequently these faults that are exposed—rightly—in audits point to an inclination to do things rather than to plan, track and document things. As well, when you're dealing with finite resources, often putting in place the information systems and documentary systems is seen, or has been seen, as less inherently valuable than actually spending the money on the core purpose.
However, when you don't do that, what we have found over and over again is that you actually pay for it, sometimes through really bad AG reports, but also in an ability to know exactly what you're dealing with.
The proper planning and documentation actually does help manage the risk. Also, I think, as a general proposition, that is something we have been learning across government—painfully—and you can see how that lesson is driving our way forward in this particular case.
Thank you, Mr. Kelly, and thank you, Mr. Chair.
Thank you all for being here this morning. It's very nice to see you.
I was very fortunate to have a career at Global Affairs Canada for 15 years and to have served as security officer at mission twice. So this is something that is very dear to my heart.
I am encouraged by the recommendations within the report and the explanation we've had here today, but my former colleague Madame Jeffrey certainly knows that a lot of the time, when the rubber hits the road, it comes down to these nuts and bolts types of things.
When I reflect back upon my time at mission, there were generally three obstacles. I want to address each of them briefly, because they are a little bit more in the weeds, and of course give my colleagues from Foreign Affairs a chance to address each of those.
The first one is personnel. Certainly as MCOs, we were often in charge of three or four programs at a time—human resources, property, finance—and finally, often we were the security officers as well. While the training certainly encourages me, of course our colleague Madame Cameron, who served as head of mission in Lebanon, comes from my.... I consider her a contemporary. Have we addressed the capacity situation? Have we put the numbers in place for people to effectively address these problems? That's the first thing.
The second challenge I always encountered—out of fairness to the Government of Canada, the people of Canada—was procurement. Of course, this is something that is always incredibly complex and incredibly time-consuming. Procurement processes in the Government of Canada do not happen overnight; they take a lot of time. I was there during the time of MERX, which I want to say had a $75,000 threshold, so you could certainly achieve things like installing minor alarm systems, but anything that was larger required an extensive, month-long process, especially when we're looking at major missions.
The third, which Monsieur Shugart addressed briefly, was money, of course. Historically, this went the other way, where it was difficult to move from capital to operations, rather than the other way.
It sounds as though these things have been addressed, but I wanted to put forward these three obstacles that I continuously faced as a security officer at mission. That's the capacity of the personnel, the procurement processes and then finally the financing, although I am encouraged by this process you outlined.
Mr. Shugart, could you please comment on those three things, because when the rubber hits the road, those were the three obstacles I found in terms of implementing the necessities required to keep my people safe?
This is just an observation. One of the challenges of dealing with security issues in a democracy is that accountability and transparency don't necessarily go hand in hand with security and preparation. I just want to say that I think we've done a pretty good job, all of us concerned: you, representing the department; the Auditor General's office; the committee itself; and the governance by the chair. I think we've done about as good a job as we can on transparency without doing damage to the very entities we're trying to help. I would just make that observation.
The second thing I want to say, and this is really important, is that I really, really liked what you said, Mr. Shugart, at the beginning of your answer to a previous question. As you know, I am likely the least academic member who has ever sat, and who likely ever will sit, on the public accounts committee, but one thing I've learned from my years on this committee is that there's the planning ahead of time, the processes, the checks and balances, the evaluations, and then, when you're done, there's the starting all over again, the re-evaluating, and the going back and examining. You know the old tradesperson's proverb, “measure twice, cut once”. That is so important.
Given your broad experience in recognizing that this is not an area where the government has been as effective.... The Auditor General's office has been pounding it and pounding it and pounding it, certainly to the point where I get it, and as I said, my knowledge based on that is the least. So I'm so glad to hear you say that, because my experience tells me that that's where it is—that and the other part of what we do, which is the follow-up to make sure you honour the commitments you make. Those two things really make a huge difference. I just wanted to emphasize that.
I have one more question. As Ms. Yip already brought forward, 41% of the staff had not completed the mandatory personal security seminar, and 35% of staff had not completed the mandatory hazardous environment training course. Now, when we're dealing with security and with mandatory, that seems pretty important to most people. When did Global Affairs decide that they can create their own definition of mandatory? Where else in your organization is mandatory not being treated as mandatory? Do we need a new word?
My understanding is that “mandatory” means “must do”. You didn't do it. Even in your response you said that you're going to start doing it, playing with your tenses. You say here: “Mandatory training for staff being posted abroad, especially to designated high and critical threat missions, is a key element of Global Affairs pre-posting practices.” But you didn't seem to believe that before you were held to account by the Auditor General's report.
So what's the deal with “mandatory”? When did mandatory in Global Affairs, as it relates to security, become not mandatory?
As the chair of our ethics committee, one thing we've studied exhaustively is how groups can organize quickly around the world now on platforms like Facebook, etc.
I respect you, sir, as a servant of the public, but I'll read paragraph 4.18. This is what all of this comes down to:
This finding matters because physical security vulnerabilities must be resolved in a timely manner for the effective protection of staff and assets at missions abroad.
You sit here and survive this committee meeting and you go away to your normal life. You don't come back here maybe for another four years—I don't know—but we have a fence that hasn't been fixed for eight years. Who do you answer to?
I've been in bosses' offices before, answering for something that I haven't done properly. It's been rare, but it has happened.
What's your commitment to seeing this fixed? Are you going to be here maybe next year, and maybe the next year again, and it's not fixed for the next 20 years?
At what point do you actually get it done and answer what this audit report is challenging you to do? What's your response to, “Okay, I've just been taken to the cleaners here; I'm going to make sure this problem is resolved”?
When is that going to happen?
That can be a question that a lot of members are concerned about, because we see departments commit to something time and time again and then don't do it.
Let me say that in this public accounts committee we've now taken on a follow-up approach so that deputy ministers—and Mr. Shugart is not one of them—will not come in and have a “one and done”, that is, doing one meeting and thinking they're done for another year.
We will follow up on these with our analysts. I have already been told by our analyst at this meeting that he is confident that the timelines in the action plan can be met and are reasonable. But if they are not done, then we will invite departments back. I know Mr. Shugart knows that the second time on one issue is not a good meeting typically.
Thank you for that question. It gives us the opportunity to explain it a little bit.
I want to thank our guests for their testimony today, the Auditor General for his good work on this, and the department for being here and being accountable.
We're going to suspend this meeting. I'm going to ask those who don't have to stay to leave fairly quickly so we can have this in camera committee meeting where we have two items we want to quickly discuss.
[Proceedings continue in camera]