Introduction

Audit Objective

In the fall of 2018, the Office of the Auditor General (OAG) released a performance audit whose purpose was to determine whether Global Affairs Canada (the Department or GAC) met its physical security needs “for the protection of staff and assets at Canadian missions.”[1] There are three types of security measures:

• 1) physical security—e.g., placement of fences or gates around a mission;
• 2) information security—e.g., collecting information about threats that could affect local staff, and the assets and the activities of foreign missions;
• 3) operational security—e.g., assignment of guards.[2]

For the purposes of this audit, the OAG did not examine information or operational security.[3]

General Information

According to the OAG, GAC “operates 175 diplomatic and consular missions in 110 countries. Staff members abroad, as well as buildings and other assets, are exposed to a range of security threats, including politically motivated violence, general crime, civil disorder and espionage.”[4]

Of the more than 7,800 people who work at Canadian missions, almost one-third are Canadian. In November 2017, “more than half of the Department’s staff members worked in locations where unpredictable political situations or civil unrest put their safety and security at risk, and where protective risk-reduction measures were therefore required.”[5] 

Physical Security

Figure 1 presents the main security measures defined by GAC to ensure the safety of staff members and visitors at Canada’s missions abroad. These measures are based on a layered approach around and within the missions, from the public zone to the high-security zone.[6]

Figure 1 – Layered Security Zones at Canadian Missions Abroad as Defined by Global Affairs Canada

Source: OAG, Physical Security at Canada’s Missions Abroad—Global Affairs Canada, Report 4 of the 2018 Fall Reports of the Auditor General of Canada, Exhibit 4.2.

The Department “uses threat and vulnerability assessments to determine whether the security at its missions is adequate:

A threat assessment evaluates the potential risks to a mission according to its location and operating environment. For example, a threat assessment would consider the security threats posed by criminality or political instability.

A vulnerability assessment evaluates a mission’s physical and operational security in relation to the overall risk and recommends measures to reduce the impact of such risk.”[7]

In terms of responsibilities, each Head of Mission “has a duty of care for all staff members at a mission,” and the Departmental Security Officer (DSO) is “responsible for developing and implementing security policies, procedures, and standards, and for ensuring that measures are in place to reduce vulnerabilities to acceptable levels.”[8] 

Improving the Physical Security at Missions

Over the course of 10 years, the Department “received $652 million for initiatives to improve the safety and security of staff and assets at missions abroad. In October 2017, the federal government committed a further $1.8 billion in new funding over 10 years to bolster the security of Canada’s missions abroad.”[9]

GAC “currently manages 78 major capital projects at its missions abroad. About half of these projects are in the planning phase while the other half are being implemented. Most projects are security-focused or have a security element to them.”[10]

Security Awareness Training

According to the OAG, GAC “has developed two mandatory security awareness training courses for the Canadian staff working at its missions abroad:

Personal Security Seminar is a two-day training seminar for Canadian staff members and their families posted to high-threat missions. The seminar provides an overview of threats to safety and security in high-risk situations, along with various management strategies.

Hazardous Environment Training is a five-day course held … for the Canadian staff posted to its highest-risk missions. The training covers topics such as first aid and explosive threat awareness.”[11]

Hearing

On 26 February 2019, the House of Commons Standing Committee on Public Accounts (the Committee) held a hearing on this audit. In attendance, from the OAG were Jerome Berthelette, Assistant Auditor General of Canada, and Carol McCalla, Principal. From GAC were Ian Shugart, Deputy Minister; Heather Jeffrey, Assistant Deputy Minister, Consular, Security and Emergency Management; and, Dan Danagher, Assistant Deputy Minister, International Platform.[12]

Findings and recommendations

Adequacy of Physical Security at Missions

Physical Security Vulnerabilities at Missions

The OAG “reviewed the physical security measures in place at six missions in medium- and high-threat environments to determine if they were functioning as intended.” As such, they visited two sites and relied on observations from GAC internal auditors for the other four. [13]

Addressing Physical Security Vulnerabilities

After examining these six missions, the OAG “observed several security deficiencies, ranging from minor to serious.” Specifically, it found “that a number of upgrades to physical security were made at each mission over the past decade,” but that there were “significant vulnerabilities in perimeter security at all sites, and not all of the security measures the Department had recommended to address these vulnerabilities had been implemented.”[14] Additionally, “physical security measures at each mission did not always match its threat level.” Finally, none “of the six missions had a preventive maintenance schedule to ensure that security equipment continued to work properly.”[15]

Tracking the Implementation of Security Measures

The OAG found that “the security measures recommended for implementation at each of the six missions had not been tracked or prioritized for action.”[16] It also found “insufficient tracking of the security measures needed to resolve identified weaknesses. Security officials at some missions and headquarters were unclear about the status of many physical security projects, and about what measures were needed in the interim to mitigate identified security risks.”[17]

Consequently, the OAG recommended that GAC “should formally document the physical security measures needed at each of its missions abroad, including those needed in the short term, to ensure that security risks are mitigated appropriately and resolved quickly. Senior officials’ responsibility and accountability for ensuring that the mission’s physical security measures are appropriate to its threat environment should be clearly established.”[18]

According to its Management Response and Action Plan, GAC reported that in 2017, it “secured $1.8 billion to invest over ten years to improve the security of its missions to ensure the government is fulfilling its duty-of-care obligation. The department has recently used some of this funding to acquire and implement an enhanced Security Information Management System (SIMS) that is being used to document and track security requirements by mission to ensure they are effectively and efficiently addressed.”[19] Furthermore, as accountability for “physical security measures is shared between the [DSO] and Assistant Deputy Minister, International Platform Branch,” these shared roles and responsibilities were to be further clarified and formally documented by December 2018.[20]

When asked if this new funding will help ensure such problems (i.e., tracking of required security measures, status of physical security projects) will be less frequent in the future, Ian Shugart, Deputy Minister, strongly affirmed it would, and explained that these resources cover physical capacity, training—documented and tracked with information systems—as well as the operational measures that have been implemented.[21] In response to questions about properly documenting important considerations, he provided the following:

First of all, this typically—and in this case—doesn't arise through conscious decision. I think it happens because of a practical focus sometimes on moving resources out. When the proper planning and documentation systems aren't in place, they're not used. It does take a conscious investment to put those systems in place, and that is what we are now doing.

As I said earlier, I think this is a broad problem. But during the period of those funding programs, one of the missions that had enormous security requirements was Kabul in Afghanistan. The needs there were obvious; they were patent. In the absence of a documentary system that will hold you to a plan, sometimes the urgent needs act as a big magnet. The resources are put where the practical, day-to-day assessment is needed.

We're not being blind to the circumstances as they evolve. We have in place the systems that will track what we're doing, whether we are on schedule, how the needs have changed, and we're evergreening those risk assessments so that we will not have this kind of finding in the future.[22]

Therefore, the Committee recommends:

Recommendation 1 – On physical security vulnerabilities at missions

That, by 31 July 2019, Global Affairs Canada present the House of Commons Standing Committee on Public Accounts with a report outlining its progress regarding A) formally documenting physical security measures needed at each of its missions abroad, including those needed in the short term, to ensure that security risks are mitigated appropriately and resolved quickly; and B) clearly establishing senior officials’ responsibility and accountability for ensuring that a mission’s physical security measures are appropriate to its threat environment.

Additionally, considering the importance this Committee places on the proper collection and use of quality data, it recommends:

Recommendation 2 – Regarding the Security Information Management System

That, by 31 July 2019, Global Affairs Canada present the House of Commons Standing Committee on Public Accounts with a report outlining what measures are being implemented to ensure the proper training and use of the enhanced Security Information Management System.

Status of Security Assessments

The OAG’s analysis of physical security standards, threat assessments and vulnerability assessments was based on a sample of “20 missions operating in low-, medium-, and high-threat environments.”[23]

Physical Security Standards

In 2016, the Department “updated its security standards to specify the safeguards it needed to protect missions against direct physical attacks.” At the time of the audit, “these standards were again under revision to clarify how they would be applied and rolled out.”[24]

Threat Assessments

GAC “conducts a threat assessment for its 175 missions every one to four years, with more frequent assessments in higher-threat locations.” The OAG found that “more than one-third of missions had an out-of-date threat assessment.”[25] Furthermore, in 2017-2018, “only 22 of the 57 scheduled threat assessments were completed.”[26]

Vulnerability Assessments

The Department “conducts a vulnerability assessment for each mission. [The OAG] reviewed a selection of vulnerability assessments for 20 missions abroad and found that none consistently assessed the mission’s vulnerability against the set of physical security standards in effect at the time.”[27] Moreover, “the quality and format of vulnerability assessments varied”[28] either because information was missing or out of date, or because of the level of training of those conducting the assessments.[29]

Priorities for Recommended Security Measures

In 2017, GAC “began to catalogue and prioritize the physical security improvements recommended for its missions.” At the time of the OAG’s audit, 875 measures were listed. GAC found that “because of weaknesses in its threat and vulnerability assessments, the Department did not have the information needed to prioritize the physical security measures to implement across its missions.”[30]

Hence, the OAG recommended that GAC “should further develop and implement physical security standards for its missions abroad. It should ensure that threat and vulnerability assessments are current for the local risk environment and conducted with reference to its security standards in order to prioritize the implementation of security measures across its missions. It should also ensure that staff members who conduct the vulnerability assessments have the required knowledge and skills.”[31]

In its action plan, the Department stated that it is “updating and enhancing its physical security standards, taking into consideration security risks, to further strengthen real property infrastructure abroad,” which will “enhance overall physical security across the network of missions. Approval of the standards is by section to ensure there is no delay in the implementation of the latest approved standards.”[32]

Regarding the second part of the recommendation, GAC stated that it will “continue its renewal of threat and vulnerability assessments using a risk-based approach” and apply new resources to increase its “capacity to deliver timely, risk-prioritized Baseline Threat Assessments.”[33]

At the hearing, Ian Shugart explained the following:

[Security] assessments, which include both threat assessments and vulnerability assessments, have transitioned from a one-size-fits-all cyclical approach to a risk-based approach that prioritizes more frequent assessments of [GAC’s] highest risk environments. This change has also been supported by more regular and proactive communications and linkages with mission security teams on the ground. For example, part of the duty-of-care investments has been used to acquire and implement an enhanced security information management system that is being used to document and track security requirements by missions to ensure that they're effectively monitored and efficiently addressed.[34]

Thus, the Committee recommends:

Recommendation 3 – On the status of security assessments

That, by 31 July 2019, Global Affairs Canada present the House of Commons Standing Committee on Public Accounts with a report outlining its progress regarding A) further developing and implementing physical security standards for its missions abroad; B) ensuring that threat and vulnerability assessments are current for the local risk environment and conducted with reference to its security standards in order to prioritize the implementation of security measures across its missions; and C) ensuring that staff members who conduct the vulnerability assessments have the required knowledge and skills. Additionally, that the Department present the Committee with a final report by 31 January 2021.

Physical Security Upgrades at Missions

The OAG examined whether GAC funded “physical security projects based on those it identified as having the greatest need.”[35]

Project Selection

The OAG found that, over the past decade, GAC “prioritized specialized funding to bolster security to its high- and critical-threat missions” and that “three missions accounted for approximately half of the funding allocated to the 25 physical security projects under way in 2017.”[36] Also, there was “limited documentation to demonstrate how physical security projects were prioritized.”[37] Moreover, in 2017, GAC “developed the Global Security Framework, which calls for the security branch to prioritize security measures needed on an ongoing basis across its missions.”[38] Although the physical security needs “are to be identified and prioritized across missions by the security branch, the major capital projects necessary to implement these measures are undertaken by a different branch.”[39] Finally, “the list of major capital projects to be funded was not approved by senior Department officials.”[40]

Consequently, the OAG recommended that GAC “should formalize its process for identifying, prioritizing, and approving physical security projects at its missions to ensure that funds are appropriately allocated across missions. It should ensure that senior officials, including the Departmental Security Officer, approve the list of security projects to be implemented.”[41]

According to its action plan, the Department stated that it has “developed and formalized a risk-based approach to security investment planning, including for physical security projects, through its Global Security Framework. The purpose of the Global Security Framework is to establish a departmental structure for effective and integrated security risk management that enables strategic priority setting and resource allocation.”[42] Furthermore, GAC had planned to update the terms of reference of the Platform Project Oversight Committee (to formally include the DSO as a member) and review security planning and processes specific to real property projects by December 2018.[43]

In response to questions about the security project management concerns identified in this audit, Ian Shugart responded as follows:

Our goal, Chair, is that you won't read that in future reports of the Auditor General because of improvements in our planning capacity. For those, we would have—as for all of our projects—worked with our contractors in the implementation, but they would have been planned internally, often in consultation with other departments, depending on the particular project. That planning would typically be internal with expert-based capacity within the department, and that is what we are seeking to improve.[44]

Therefore, the Committee recommends:

Recommendation 4 – On the project selection process

That, by 31 July 2019, Global Affairs Canada present the House of Commons Standing Committee on Public Accounts with a report outlining how it has A) formalized its process for identifying, prioritizing, and approving physical security projects at its missions to ensure that funds are appropriately allocated across missions; and B) ensured that senior officials, including the Departmental Security Officer, approve the list of security projects to be implemented.

Implementation of Major Physical Security Projects

Timeliness

The OAG found that of the $425 million allocated over the past decade, $103 million had still not been spent, and that GAC “had to obtain special permission to retain $82 million of the $103 million in order to complete the security projects.”[45] Additionally, “22 of the 25 security projects under way … were started late or were delayed during implementation.”[46]

The OAG “reviewed 13 physical security projects that were started between 2010 and 2015 and were delayed. Nine of these projects were an average of three years behind schedule as of August 2018 and were taking almost twice as long to complete as originally planned.” According to the OAG, “these delays were caused by weaknesses in the Department’s project management and oversight.”[47]

Capacity for Project Management

The OAG found that “the Department’s capacity to deliver its security projects was limited” mainly because of the number of vacant positions in the Department’s Real Property Branch and because the project management software was inadequate to manage large projects or to monitor their progress.[48] The OAG advised the Department to look to the example set by Defence Construction Canada, which the Spring 2017 audit found to be highly competent with regard to managing large capital projects abroad where security is an issue.[49]

Monitoring and Oversight

With respect to monitoring of investments and oversight of project progress, the OAG found that GAC “did not have a senior-level oversight committee” or project sponsors or senior authority sign-off for each project.[50] However, the Department has recently made progress by creating a senior-level advisory committee and a second committee to oversee capital spending.[51]

Nevertheless, the OAG recommended that GAC “should strengthen project management and oversight of its real property projects, including those related to physical security, to improve their timely and effective delivery. In doing so, it should identify the root causes of project delays for correction and consider partnering with other federal entities, such as Defence Construction Canada, to provide infrastructure advice and support for its real property projects.”[52]

In its action plan, GAC reported that it in addition to including the DSO as a full member of the Platform Project Oversight Committee, it had recently implemented other actions to improve project management governance, such as creating a “Project Management Office to strengthen existing project practices, delivery and reporting. Additionally, an external and independent review is being conducted to formally determine the root causes of project timeline delays. Finally, the department is working with other foreign Ministries and other government departments, including Defense Construction Canada, to identify best practices in support of timely, effective project delivery.”[53]

In addition to reiterating these new measures, Ian Shugart testified to the following:

The [OAG’s] report also highlighted the need for the department to initiate discussions with other government departments and to adopt best practices. In this respect, we continue to learn from our federal colleagues as well as with respected project management divisions of our foreign counterparts worldwide. These lessons will also contribute to, and benefit from, the Government of Canada's project management community of practice.[54]

Specifically regarding a Defence Construction Canada collaboration, Dan Danagher, Assistant Deputy Minister, International Platform, explained that this has already started, and that GAC is learning about best practices in project management from them.[55]

Therefore, the Committee recommends:

Recommendation 5 – On management and oversight of physical security projects

That, by 31 January 2020, Global Affairs Canada present the House of Commons Standing Committee on Public Accounts with a report outlining A) how it has strengthened project management and oversight of its real property projects, including those related to physical security, to improve their timely and effective delivery; B) how it has identified the root causes of project delays for correction; and C) any new collaborations with other federal entities, such as Defence Construction Canada, to provide infrastructure advice and support for its real property projects.

Security Awareness Training for Mission Staff

Training for Canadian Staff

The OAG found that GAC “did not ensure that all Canada-based staff members located at its high-threat missions abroad had completed the two mandatory security courses” (Personal Security Seminar and Hazardous Environment Training), and “that training was not tracked to ensure that staff members had the appropriate level of security awareness for their effective protection.”[56] The OAG examined training provided in a selection of missions in high-threat locations and found that “41% of staff members had not completed the mandatory Personal Security Seminar and 35% of staff members had not completed the mandatory Hazardous Environment Training course.”[57]

Training for Locally Engaged Staff Members

The OAG also found that GAC “offered security awareness training for locally engaged staff members but did not normally provide enhanced security awareness training at its higher-threat missions.”[58]

Thus, the OAG recommended that GAC “should ensure that Canadian staff members working in dangerous locations successfully complete mandatory security awareness training. It should also establish mandatory security training for locally engaged staff members, according to the threat environment.”[59]

According to its action plan, the Department stated it will increase its training capacity and use a tracking solution to document training completed by its employees, as well as staff from other government departments and dependents of Canada-based staff.[60] It will “also re-assess the current mandatory security training for locally engaged staff and will expand the training, as required, to ensure that it continues to be appropriate to the threat environment.”[61]

In response to questions about the deficiencies of delivering crucially important training, Heather Jeffrey, Assistant Deputy Minister, Consular, Security and Emergency Management, explained as follows:

We have a number of specialized course offerings for high-threat missions—the hostile environment training and the personal security seminars—which are multi-day, very specialized, very well-regarded courses.

The issue we had faced in the past was that, while people were being trained going out to mission from headquarters, it was very difficult for operational reasons for us to train people moving between missions abroad, which is frequently the case with our rotational staff. Under our new duty of care investment program, training offerings have been prioritized. We've increased the quantity of those offerings by 40% this year. We've also piloted new ways of offering these courses. For example, they can now be offered abroad in the local environments there. Rather than bringing people back here, we're able to offer the courses on site in the local environment, which also enhances the training. We're well on track to implementing that recommendation.

Another aspect of the recommendation was, of course, the ability to track this. Our new security and information management system and a dedicated training tracker are already in place and functioning to make sure that we have adequate oversight of the completion of that training.[62]

Therefore, the Committee recommends

Recommendation 6 – On security awareness training

That, by 30 November 2019, Global Affairs Canada present the House of Commons Standing Committee on Public Accounts with a report outlining its progress with regard to A) ensuring that Canadian staff members working in dangerous locations successfully complete mandatory security awareness training; and B) establishing and documenting mandatory security training for locally engaged staff members, according to the threat environment. Additionally, that the Department present the Committee with a second progress report by 31 July 2020 and a final report by 31 January 2021.

Conclusion

The Committee concludes that Global Affairs Canada has yet to take all measures needed to keep pace with evolving security threats at its missions abroad. To help rectify this situation, the Committee has made six recommendations for the Department to ensure that it meet its physical security needs for the protection of staff and assets at Canadian missions.

Summary of Recommended Actions and Associated Deadlines

Table 1 – Summary of Recommended Actions and Associated Deadlines

Recommendation	Recommended action	Deadline
Recommendation 1	Global Affairs Canada should present the House of Commons Standing Committee on Public Accounts with a report outlining its progress regarding A) formally documenting physical security measures needed at each of its missions abroad, including those needed in the short term, to ensure that security risks are mitigated appropriately and resolved quickly; and B) clearly establishing senior officials’ responsibility and accountability for ensuring that a mission’s physical security measures are appropriate to its threat environment.	31 July 2019
Recommendation 2	GAC should present the Committee with a report outlining what measures are being implemented to ensure the proper training and use of the enhanced Security Information Management System.	31 July 2019
Recommendation 3	GAC should present the Committee with a report outlining its progress regarding A) further developing and implementing physical security standards for its missions abroad; B) ensuring that threat and vulnerability assessments are current for the local risk environment and conducted with reference to its security standards in order to prioritize the implementation of security measures across its missions; and C) ensuring that staff members who conduct the vulnerability assessments have the required knowledge and skills. The Department should also present a final report.	31 July 2019 and 31 January 2021
Recommendation 4	GAC should present the Committee with a report outlining how it has A) formalized its process for identifying, prioritizing, and approving physical security projects at its missions to ensure that funds are appropriately allocated across missions; and B) ensured that senior officials, including the Departmental Security Officer, approve the list of security projects to be implemented.	31 July 2019
Recommendation 5	GAC should present the Committee with a report outlining A) how it has strengthened project management and oversight of its real property projects, including those related to physical security, to improve their timely and effective delivery; B) how it has identified the root causes of project delays for correction; and C) any new collaborations with other federal entities, such as Defence Construction Canada, to provide infrastructure advice and support for its real property projects.	31 January 2020
Recommendation 6	GAC should present the Committee with a report outlining its progress with regard to A) ensuring that Canadian staff members working in dangerous locations successfully complete mandatory security awareness training; and B) establishing and documenting mandatory security training for locally engaged staff members, according to the threat environment. The Department should also present a second progress report and a final report.	30 November 2019, 31 July 2020, and 31 January 2021