PACP Committee Report

INTRODUCTION

            The federal government relies heavily on information technology (IT) systems to manage its business and to deliver essential programs and services to Canadians, with departments and agencies spending about $5 billion a year on IT in 2005. Many of these systems are aging, which refers not just to the age of systems in years but also to the fact that these systems are becoming increasingly expensive to operate and they may pose certain risks, such as being difficult to update in order to respond to new business needs. While aging IT systems may be functioning, many of them are at risk of breaking down, which could have significant consequences for the ability of the government to conduct its business and deliver services to Canadians. For example, the Standard Payment System issues payments for Old Age Security, Canada Pension Plan, and Employment Insurance benefits. The renewal and modernization of aging IT systems will take significant planning and funding, as it can take several years to develop and implement new systems. It is thus important that the government effectively manage its aging IT systems to ensure that risks do not become reality.

            In an audit included in its Spring 2010 Report, the Office of the Auditor General (OAG) examined whether five of the federal departments with the largest IT expenditures – Canada Revenue Agency (CRA), Public Works and Government Services Canada (PWGSC), Human Resources and Skills Development Canada (HRSDC), Royal Canadian Mounted Police (the RCMP), and Citizenship and Immigration Canada (CIC) – had adequately identified and managed the risks related to aging IT systems.^[1] The audit also reviewed three major systems that provide essential services to Canadians – the Employment Insurance Program, the Personal Income Tax and Benefits Return administration system, and the Standard Payment System – to determine whether the organizations using them had identified and managed risks. Lastly, the OAG looked at whether the Treasury Board of Canada Secretariat (the Secretariat), its Chief Information Officer Branch (CIOB) in particular, had determined if aging IT systems are  a priority for the government as a whole and to what extent direction or leadership had been provided for developing government-wide responses.

            Given the risks that aging IT systems pose, the Committee met with representatives from the OAG and the departments audited on 1 June 2010.^[2] From the OAG, the Committee met with Sheila Fraser, Auditor General and Nancy Cheng, Assistant Auditor General. From the Secretariat, the Committee met with Michelle d'Auray, Secretary of the Treasury Board and Corinne Charette, Chief Information Officer. The Committee also met with the chief information officers of the various organizations audited, as follows: Gini Bethell, HRSDC; Maurice Chénier, PWGSC; Borys Koba, CIC;  Peter Poulin, CRA; Joe Buckle, RCMP.

PROGRESS REPORT

            The audit found that aging IT systems were identified as significant risks by the five organizations examined, specifically:

• CRA’s corporate risk profile notes that the ability to keep applications and infrastructure operating and meeting operational demands is a significant risk for the organization.^[3]
• PWGSC’s corporate risk profile identified the ability of information management and IT infrastructure to meet needs as the organization’s fourth most severe risk, and some systems, such as the pay and pension systems, were close to imminent collapse, recognizing that the Department had initiated new projects to modernize both pay and pension systems. PWGSC has noted that outdated systems have led to lower productivity, inability to support business requirements, and increased time and costs to search for information.^[4]
• HRSDC identified the lack of sustainable funding for renewing IT infrastructure as a significant corporate risk, and that there is a high risk that its IT infrastructure will not be able to support the delivery of its core programs, such as Employment Insurance.^[5]
• CIC has determined that the obsolescence, redundancy, and complexity of its legacy systems and infrastructure are a security and business risk.^[6]
• While the RCMP did not include aging IT systems as one of the top five risks in its risk register, the lack of funding to replace aging IT systems was identified as one of the organization’s top five risks.^[7]

            The audit also noted some specific examples of risks to IT systems. In one case, a data centre was located in a building where the heating and ventilation system was no longer supported by the manufacturer. If the air conditioning breaks down, the computers would not be able to function.^[8] A different data centre was located in a      40-year-old complex that was not built to accommodate a data centre and thus would not be able to support the organization’s long-term needs.^[9] In another case, the IT system was written in a programming language that was no longer taught and the staff familiar with it were retiring.^[10]

            At the hearing, some of the CIOs stressed that their systems were operational. The CIO for HRSDC stated, “[L]et me reassure the committee that Canadians are not at risk. There have been no IT failures as a result of aging IT infrastructure that have impacted payments to Canadians.”^[11] The CIO for PWGSC said, “[I]t is important to note that none of our critical systems have ever experienced or caused a business failure.”^[12] The CIO for CIC noted, “[The legacy systems] continue to operate at a very high level of availability and continue to be updated to respond to changing business requirements.”^[13] On the other hand, in her opening statement the Auditor General said, “Many of these systems are aging and several are at risk of breaking down. While systems are currently working, a breakdown could have severe consequences. At worst, some government programs and services could no longer be delivered to Canadians.”^[14]

            The Committee wants to see further action taken to deal with aging IT systems. The organizations have all identified aging IT systems as a significant corporate risk. Some of these systems perform very important functions and the consequences of a failure of one these systems could be quite dramatic. Identifying something as a risk does not mean that the systems are not functioning, but there is a possibility that they may fail or not meet operational needs in the future. The departments themselves determined that these systems pose a significant risk, and they need to take appropriate actions to manage those risks in a timely and effective manner in order to ensure that the problems posed by aging IT systems do not increase.

            The audit found that while the organizations audited had taken some steps to address the risks, there were a number of improvements that needed to be made. CIC, HRSDC, and PWGSC had not developed department-wide portfolio investment plans to manage their aging IT risks.^[15] These plans are important because they provide a basis for prioritizing projects. The monitoring of risk mitigation and control activities by CIC, HRSDC, PWGSC, and the RCMP was incomplete.^[16] As well, CIC and PWGSC did not have multi-year investment plans. While CRA, HRSDC, and the RCMP did have investment plans, these plans did not identify sufficient sources of funding to complete the initiatives deemed necessary.^[17]

            All of the organizations audited accepted the OAG’s recommendations and had developed action plans to address them (with the exception of CRA, as the OAG did not include CRA in any of its recommendations). The Auditor General told the Committee that her office had reviewed the action plans of PWGSC and HRSDC and, “if fully implemented, these plans should address the concerns that we raised in our report.”^[18] In order to monitor whether departments stay on track in implementing their action plans, the Committee recommends:

RECOMMENDATION 1

That Public Works and Government Services Canada, Human Resources and Skills Development Canada, Citizenship and Immigration Canada, and the Royal Canadian Mounted Police provide the Public Accounts Committee with a report by 31 April 2011 on progress in addressing the recommendations made by the Office of the Auditor General in Chapter 1 of the Spring 2010 Report.

FUNDING AND BUSINESS CASES

            The majority of CIOs surveyed by the OAG indicated that the major obstacle in modernizing aging IT is insufficient funding.^[19] Three of the organizations audited—CRA, HRSDC, and the RCMP—had developed multi-year investment plans. These plans outline the organizations’ priorities and planned investments in IT for the coming years. However, each of these organizations had a significant shortfall between investments needed to maintain operations, as well as meet future priorities, and funding available. CRA estimates its shortfall to be $830 million, HRSDC’s shortfall is $523.4 million, and the RCMP’s shortfall is $620 million, for a total estimated shortfall for these three departments of approximately $2 billion. This figure does not include CIC or PWGSC, as they did not have multi-year investment plans in place, or the numerous other government organizations that were not audited.

            CRA is the only organization audited that has made a comprehensive proposal to obtain long-term capital funding, without which 19 major investment projects would be on hold beyond 2018.^[20] The OAG recommended that the RCMP and HRSDC should identify an appropriate funding strategy,^[21] and both of these organizations indicated in their action plans that they will be doing so.

            Clearly, the potential costs of modernizing aging IT systems are considerable, and it will be difficult to obtain funding in an era of fiscal restraint. Nonetheless, departments must set priorities and plan their investments, which is why the OAG recommended that departments should have a funding strategy.

            The Committee believes that departments must also conduct appropriate analyses to ensure that funds are spent wisely. When deciding what systems to maintain or upgrade, it is essential that departments develop sound business cases that include a thorough consideration of available options. As the Auditor General said, “Maybe there are more effective and efficient ways to do the same work or to get the same results. This is a lot more than simply replacing one system by an equivalent system. The processes must be examined. Since we are talking of an expense of several [b]illion dollars, I think this is a good opportunity to take the time to do things well.”^[22] However, in its 2006 audit of large IT projects, the OAG found that five of the seven projects examined were allowed to proceed with a business case that was incomplete, out of date, or contained information that could not be supported.^[23]

            During the hearing, a request was made for a chart of planned investment projects for each department, including an indication of whether a business case was completed for these projects. After the hearing, CIC sent the Committee such a chart, but the Committee has not received similar information from the other departments. Given the significant sums to be invested in modernizing aging IT systems and the importance of business cases to sound decision-making, the Committee recommends:

RECOMMENDATION 2

That Public Works and Government Services Canada, Human Resources and Skills Development Canada, Canada Revenue Agency, and the Royal Canadian Mounted Police provide the Public Accounts Committee, by 30 April 2011, with a chart outlining their planned information technology investment projects and whether business cases have been completed for these projects.

GOVERNMENT-WIDE DIRECTION

            The federal government’s overall strategic direction for IT is the responsibility of the Secretariat, through its CIOB, in consultation with the deputy heads of departments. According to the Treasury Board’s Policy on Management of Information Technology, the Secretariat is responsible for:

establishing the overall government-wide strategic directions for IT in consultation with deputy heads; identifying areas that offer significant government-wide benefits or are of importance to the government; and leading initiatives to achieve government-wide solutions and the implementation of government-wide directions with the appropriate common service or shared service organizations that are of importance to the government.^[24]

Therefore, the OAG expected that CIOB would have assessed whether the aging of critical IT systems poses significant government-wide risks.

            The audit found that CIOB had initiated some work that relates indirectly to the aging of IT systems and had made a number of presentations on IT trends.^[25] However, it had not formally established any strategic directions since 1999. It had also not systematically gathered and analyzed the nature, extent, and impact of aging IT risks across the government. This means that there is no government-wide plan outlining the government’s strategic direction, priorities, and resource requirements to address the risks posed by aging IT systems.

            The OAG recommended that CIOB prepare a report on the state of aging IT systems across the government, including cost estimates, and develop a plan that will set IT strategic directions for the government to mitigate the risks associated with aging IT systems.^[26] At the hearing, the Secretary of the Treasury Board noted that the audit report made the Secretariat recognize that they had not taken a government-wide perspective on the risks posed by aging IT systems, and that they will collect and analyze relevant information by April 2011 in order to develop a government-wide picture of departments’ mission-critical IT systems and their investment needs to address risks. ^[27] By April 2012, the Secretariat will then provide guidance and direction to departments in setting investment priorities. 

            Under the Policy on Management of Information Technology, it is important for the Secretariat to: establish an overall government-wide direction for IT, identify areas that offer government-wide benefits, and lead initiatives for government-wide solutions. Given the significant costs involved in maintaining or replacing aging IT systems, as noted earlier, it would be an opportune time to develop a government-wide strategy for IT in order to seek potential efficiencies or savings through a coordinated approach to IT.

            Secretariat officials did describe some activities they are undertaking in this direction. According to the Secretary, they are working with departments to identify common systems and platforms where consolidation could reduce overlap and duplication.^[28] While there will continue to be program-specific applications, the Secretariat hopes to reduce the burden of renewing and investing in infrastructure that is very similar.^[29] For example, they are working with PWGSC to develop a data centre strategy in order to address the risks facing this fundamental infrastructure across the government.^[30] However, these activities do not appear to be part of an overall government-wide plan with specific goals, targets and timelines.

            In January 2010, the UK government released its IT strategy, which outlines a plan for making the country’s IT systems “smarter, cheaper, greener,” by focusing on a common infrastructure, common standards, and common capabilities.^[31] The Committee believes that the Secretariat could do more to identify how and where the CIOB is working with departments to develop IT solutions. The Committee recommends:

RECOMMENDATION 3

That the Treasury Board of Canada Secretariat incorporate a strategy into its April 2012 directions to departments on aging information technology systems. This strategy should include specific goals and priorities of how and where the Chief Information Officer Branch will work with departments to develop a coordinated approach to information technology.

CONCLUSION

            The departments audited told the Committee that to date, there have been no failures of their aging IT systems. However, their own analyses identified the risks of aging IT systems to be high, and more importantly, the consequences of a failure could be significant. It will not be easy to modernize these systems because, as one witness put it, it is like “trying to fuel an airplane in flight.”^[32] Additionally, the cost to modernize these systems is high. The shortfall in planned funding for just the RCMP, CRA, and HRSDC is approximately $2 billion.