Employment and Social Development Canada: 2018 to 2020 corporate risk profile
From: Employment and Social Development Canada
Introduction
The Corporate Risk Profile (CRP) describes an organization’s key risks which include both threats and opportunities. Risks are the expression of the likelihood and impact of an event with the potential to affect the achievement of an organization’s objectives. A corporate risk profile is intended to be used to enhance senior management’s analysis and decision making related to priority setting and resource allocation as well as a tool to communicate risk information to employees throughout the organization so that employees may consider risk at all levels in the organization when planning and prioritizing their work.
In the development of the 2018 to 2020 CRP, the Enterprise Risk Management (ERM) Team in Strategic and Service Policy Branch (SSPB) undertook extensive consultations during 2018 to derive a comprehensive perspective of ESDC’s risk landscape. Consultations to identify risks were done from the top-down and the bottom-up; they involved generalists and functional specialists; and they took into account drivers within the Department as well as external threats outside of its doors.
To assess and treat each top risk, detailed risk profiles, including strategies to mitigate the risks, were developed and approved by responsible Tier 2 governance committees. The CRP was also approved by the Department’s Portfolio Management Board. Ongoing monitoring and reporting of the top risks will be carried out through the quarterly risk update process.
During 2018, ESDC also undertook an Internal Audit and an independent assessment of its risk management processes and practices. The Audit and the assessment generated a number of recommendations for strengthening risk management practices in ESDC. Many of these recommended improvements were introduced in the development of the 2018 to 2020 CRP, including:
- the integration of risk management into the Departmental planning cycle with the linking of risks to strategic priorities
- the implementation of oversight for risk identification, assessment, and mitigation actions with the introduction of Tier 2 committee reviews of risk profiles and the identification of the accountable executives responsible for implementing controls and mitigations; and
- monitoring the implementation of risk mitigation actions with the addition of key risk indicators to track trends for each top risk
Further efforts are required to respond to other recommendations such as:
- draft and publish an integrated Enterprise Risk Management (ERM) Framework to clearly establish the Department’s risk management processes, including accountabilities and governance; and
- review Departmental risk management training to ensure it is tailored to the levels and types of risk work performed throughout the Department
In 2019 to 2020, ESDC intends to further strengthen risk management practices in the Department by increasing dedicated resources and transferring the responsibility for coordinating the Department’s risk management from SSPB to Internal Audit Services Branch. Through a strengthened risk framework and challenge function, and enhanced training and advisory services, ESDC will be able to further mature risk culture across the organization.
While it is not possible to eliminate all risk (there will always be events outside of the Department’s control and a finite level of resources that can reasonably be dedicated to risk management), the CRP represents the Department’s best efforts to reduce risks to an acceptable level.
Operating context
In 2019 to 2020, the Canadian economy is expected to grow at a modest and sustainable pace, with Canada projected to have the second-highest rate of Gross Domestic Product (GDP) growth among G7 countries [Footnote 1]. While this growth will create opportunities for Canadians across the country, it is anticipated that there will be a continued shortage of skills and labour in certain regions and occupations. In addition, over the medium-term, Canada will need to be ready to address other challenges and pressures to continued economic growth and improved well-being of Canadians that may arise.
Such challenges may include labour market adjustments resulting from an aging population and the changing nature of work, and the continued underrepresentation of certain groups in the labour market (for example, Indigenous people, recent immigrants, and persons with disabilities). These challenges, coupled with a desire for inclusive and sustainable economic growth, are informing the Department’s priorities and planned results for 2019 to 2020.
The Department will invest in training and skills development to support an efficient and resilient labour market and support a culture of continuous learning. This will help all Canadians, including those from groups that are less represented in the labour market, to find and keep jobs and lead rewarding lives. The Department will also continue to assist Canadians in vulnerable situations by ensuring that the financial and social supports they need are available when they need them. It will support increased inclusion and opportunities for Canadians through efforts to reduce poverty and homelessness, and improve access to early learning and childcare. It will also make efforts to ensure workplaces are safe, healthy and accessible, as well as take steps to narrow the persistent gap in wages between men and women.
Embedding innovative approaches across the Department will ensure that Canadians remain at the centre of program and policy design and delivery. Design thinking, behavioural insights, and experimentation will allow the Department to better respond to Canadians’ complex life challenges as well as enable the modernization of our services.
The Department recognizes that Canadians expect high-quality, easy-to-access, simple and secure services that are responsive to their needs, whether they are offered online, through call centres, or in person. Innovative service development is fundamental to achieving the Department’s mandate and contributing to such priorities as poverty reduction, supporting the middle class and improving accessibility for Canadians. The Department will continue to optimize recent investments that seek to modernize benefits delivery, reduce time to process Old Age Security, Canada Pension Plan, and Employment Insurance applications, and improve the responsiveness of call centres. As it looks to the future, the Department will continue to leverage client and stakeholder feedback, along with advancements in other jurisdictions and sectors, to further improve service delivery.
Millions of Canadians depend on government services each year—to access benefits, obtain social insurance numbers or records of employment, submit their taxes, obtain passports and cross borders. These services help Canadians through some big transitions. So it is no surprise that they want quality services that are convenient, easy to use and focused on their needs. … What does this look like for Canadians? It means more accessible, connected and bundled services. And more than ever before, this means access to digital tools.
ESDC is responsible for delivering more than $120 billion in benefits annually (or more than 5 percent of Canada’s GDP) and for meeting over sixty major priorities of the Government of Canada. ESDC’s ability to effectively deliver programs and benefits to improve the lives of Canadians depends on its capacity to be mindful of the changing environment in which it operates and the potential risks that may delay or prevent it from achieving its objectives.
ESDC’s 2018 to 2020 corporate risks focus on the internal capacity that is needed by the Department to build a stronger and more inclusive Canada and support Canadians to live productive and rewarding lives.
Methodology
The 2018 to 2020 Corporate Risk Profile highlights the results of this year’s enterprise-wide risk management process. The Profile is intended to provide an overview of key risks including an understanding of the organization’s operating context and objectives with respect to managing risk. ESDC’s process is based on international best practices such as ISO 31000 Risk Management Standard, as well as the Treasury Board Secretariat’s Framework for the Management of Risk. ESDC follows five phases of risk management annually, which include: establish the context, identify and assess risks, address risks, monitor and report quarterly and ongoing communication (Figure A).
1. Risk identification
In June 2018, Portfolio Management Board members identified risks in relation to the ESDC Risk Taxonomy (Appendix A) linked to ESDC’s 2018 to 2019 strategic priorities (Appendix B). Based on this risk identification exercise, Assistant Deputy Ministers provided input on their top three risk categories to flag the biggest threats to meeting departmental objectives.
2. Risk ranking and assessment
The assessment phase that followed included an expanded consultation process with individuals and through key committees. The Directors General (DG) used a survey to rank the top risks according to likelihood and impact. Results were calculated by multiplying likelihood and impact (Figure B) to arrive at a severity score for each risk category. Risks that were assessed as being in the red zone (high likelihood/significant impact) as well as risks that were consistently flagged in follow-up DG consultations have been proposed as the corporate risks in the 2018 to 2020 CRP. These top risks were then validated through various committees, and finally presented and approved by Portfolio Management Board members in November 2018. The section, ESDC’s Top Risks (Figure D), outlines the results.
3. Address risks
Subject matter specialists in lead branches developed risk profiles that include:
- concise statements of the risk
- existing activities to control risks (“controls” are processes or activities already in place that serve to reduce exposure to risk)
- additional mitigations (new options to enhance opportunities and reduce threats)
- residual risk severity (assessment of the severity of the risk with all controls in place)
- target risk severity (the level to which a risk is expected to be lowered with the controls and all mitigation activities completed or in place); and
- indicators by which to measure the progress made toward the targets
The responsible Tier 2 Governance Committees endorsed individual risk profiles prior to final approval by Portfolio Management Board.
Risk severity
Severity = Likelihood x Impact
Likelihood - The measure of the probability of a risk event becoming a reality within the next year.
- Low - 1 (unlikely to happen in the next year)
- Medium - 2 (might happen in the next year)
- High - 3 (very likely to happen in the next year)
Impact - The qualitative measure of the consequences on the Department of a risk event becoming a reality.
- Minor - 1 (harm to the Department’s reputation and operations is minor)
- Moderate - 2 (harm to the Department’s reputation and operations is moderate)
- Significant - 3 (harm to the Department’s reputation and operations is significant)
4. Monitor and report
Monitoring of the Corporate Risk Profile occurs throughout the year on a quarterly basis. All branches and regions are required to engage their senior management in regular risk discussions and to provide risk updates and environmental scan highlights in each quarter. The Portfolio Management Board receives the quarterly risk results reports.
Interconnectivity of top risks
It is important to consider the relationships between the corporate risks to understand their impact on other risks. If risks become reality, they can influence one another, potentially introduce other risks and ultimately impact the Department’s ability to realize strategic priorities. At the same time, some corporate risks’ mitigation activities could also assist in the mitigation of other corporate risks.
Analysis of these relationships among risks will ensure that there are no unintended consequences of one risk on another as well as create opportunities to economize the Department’s approach to resourcing its risk treatment strategies across the portfolio. Understanding the links between risks and strategic objectives also supports senior management’s decision-making relating to priority setting, and resource allocation.
Figure C illustrates which risk categories have the potential to impact other corporate risks (in red) and which risk categories assist in the mitigation of other corporate risks (in green). Full details are described throughout the document.
Innovation and experimentation
ESDC recognizes that one of the biggest risks it faces is a failure to take risks: that it may not take the bold risks necessary to innovate and to keep pace with the expectations of Canadians.
As a result, it will continue to pursue innovation and experimentation to learn from the successes and failures that come from testing new and different approaches to policy development, program design, and service delivery.
Innovation at ESDC refers to the development of new ideas, services, and models to better address departmental priorities. Without informed risk-taking, the Department may not be able to innovate in order to deliver programs and services in a way that Canadians want and need.
Experimentation provides an opportunity to exercise modern risk management, where a certain small amount of failure is anticipated, accounted for, and managed in order for an organization to achieve its goals. Organizational innovation can be enhanced by experimentation, that is, by evaluating what works and what does not, by analyzing client expectations, and by testing the validity and efficacy of these ideas through experimentation.
Public servants are inviting more voices to the table to talk about priorities and policies, and we are bringing new tools, approaches, and perspectives to tough problems. We are taking bolder risks, being more creative, and experimenting with fresh ideas.
ESDC has existing controls through its history of experimentation that includes efforts by the Department’s Innovation Lab and Acceleration Hub. The Innovation Lab, through its Strategic Plan, integrates experimentation in the development of services and brings stakeholders together at the beginning of a project to discuss the relationship between policy development, design, and delivery, which ultimately facilitates better results for Canadians. As well, ESDC’s Acceleration Hub collects leading practices from other governments and the private sector, analyzes client feedback, creates journey maps, designs and prototypes service solutions and conducts qualitative and quantitative testing to help ESDC employees design services by considering the context and relevant life events that clients typically face.
Currently, the Department is innovating and experimenting in areas such as artificial intelligence-based modelling of internal processes; the assessment of the impact of Labour Market Agreements on the use of Employment Insurance; initiatives in the Service Transformation Plan; and in developing generic terms and conditions to deliver transfer payment programs. ESDC has also supported a number of experiments with organizations such as the Social Research and Demonstration Corporation and in ESDC functions such as Evaluation that have been using experimental approaches in their products.
As well, ESDC has introduced an expanded Enterprise Risk Management (ERM) function, including the establishment of a Chief Risk Officer. This new ERM team will support the culture shift to intelligent risk taking through advancing awareness of risk management practices and conducting risk tolerance and risk appetite discussions.
Going forward, the Department is proposing several mitigation strategies that will encourage intelligent risk-taking, including further projects in the Innovation Lab to engage ESDC partners in human-centric approaches that address departmental priorities; support for departmental efforts to build competency and capacity for innovation and experimentation; and collaboration across the Government of Canada and with other external organizations. The Acceleration Hub will continue to modernize ESDC’s services through innovations such as the auto-enrolment for Old Age Security benefits and the Guaranteed Income Supplement.
ESDC will explore developing an experimentation strategy to act as a framework to encourage intelligent risk-taking. ESDC will also use the Innovation Lab to increase the Department’s capacity to connect with Canadians for solutions, and will leverage the Chief Data Office to enable data access through greater governance and literacy. As well, ESDC will look for opportunities to publish and disseminate ESDC experiments in journals and online. Finally, consideration is being given to identifying dedicated funding to support innovation within the Department.
ESDC’s top risks
The results of the Department’s risk identification and ranking phases (outlined in the Methodology section) yielded top risks to be treated in the 2018 to 2020 Corporate Risk Profile.
Results were calculated by multiplying likelihood and impact (Figure B) to arrive at a severity score for each risk category. Risks that were assessed as being in the red zone (high likelihood/significant impact) as well as risks that were identified consistently through follow-up DG consultations were proposed as the corporate risks to be further treated in 2018 to 2020.
The top risks were then validated through various committees, and presented and approved by Portfolio Management Board members in November 2018.
ESDC’s eleven top risks in order of initial severity score are outlined below (Figure D).
Detailed descriptions for each of the corporate risks follow.
1. Information technology
Given that ESDC carries significant technical debt both in systems and infrastructure, there is a risk that ESDC does not have the ability to continuously operate, transform, and innovate to adequately deliver on the digital government priorities that support ESDC programs and services and ensure IT Service Continuity.
ESDC carries significant technical debt in both systems and infrastructure, and this indirect cost of owning and managing old IT assets and applications affecting IT infrastructure, employee tools, and program and administrative applications, can potentially delay or compromise benefits and service delivery to Canadians. To this end, the Department is moving forward with modernization initiatives to strengthen and sustain IT infrastructure and replace and enhance existing IT systems and services that support benefits to Canadians most in need.
Should an IT risk event occur, it has the potential to affect the Department’s ability to maintain the infrastructure required to effectively access and mine data, to protect personal information from potential breaches, and to support the provision of ESDC programs and services, thereby impacting the Information/Knowledge Management (Data), Privacy/Safeguarding Personal Information, Fraud and Service Delivery risks.
The Department’s IT controls include overarching strategies (such as the 2018 to 2021 ESDC IT Plan and the People Management Strategy), as well as governance structures (such as the Enterprise Architecture Review Board and Application Portfolio Management). These controls and planned mitigations will maintain the likelihood and moderately reduce the likelihood and impact by March 31, 2024.
ESDC will continue pursuing mitigation activities to further reduce the likelihood of a risk event occurring. Key to ensuring IT Service Continuity, ESDC will undertake a complete renewal of business processes and technology for Employment Insurance, Old Age Security and Canada Pension Plan. Other more moderate enhancements to various systems and services will support the portfolio and its delivery of programs. Other mitigations will focus on strengthening and sustaining infrastructure delivery to ensure there are no gaps in continuity between partners’ responsibilities, and implementing effective workforce strategies to attract, recruit, and retain skilled IM/IT employees and increase training for existing employees on new application solutions and tools.
As well, ESDC will develop a departmental framework for managing technological change via programs, major projects, and regular projects, in conjunction with minor modifications and maintenance to applications, so as to increase infrastructure reliability and ensure that systems meet business and IT requirements.
Considering the risk controls in place and the planned mitigations, it is anticipated that the risk severity will be reduced to a medium likelihood by March 31, 2029.
2. Investment planning and investment portfolio management
There is a risk that Departmental capacity, in terms of people, money, and infrastructure is not sufficiently aligned to support the successful realization of the portfolio benefits. In addition, there is a risk of misalignment between strategic planning and portfolio management.
Understandably, in a department the size of ESDC, with its vast and varied programs and benefits, there is a risk of misalignment in the number, type, interdependencies, and sequencing of portfolio benefits (departmental programmes and projects); or that the investment portfolio could exceed human resource or funding capacity; or that there could be a significant change in organizational priorities. Changing priorities without re-evaluating and downgrading other priorities is a key driver for this risk, augmented during times of uncertainty. Ongoing insufficient or ineffective use of existing capacity and ineffective portfolio management practices are also contributing factors.
The misalignment of planning and portfolio management and the unsuccessful realization of portfolio benefits could have a direct impact on other risks: Information Technology and Service Delivery.
ESDC relies heavily on governance and oversight to mitigate this risk, including the financial management forecasting and reporting and its tri-annual investment plan submission and annual updates process. In 2019 to 2020, the Chief Financial Officer Branch will establish additional mitigations such as a mechanism to integrate the portfolio schedule (the integrated alignment and sequencing of the schedules for programs and projects in the investment portfolio) and establish a risk review board to augment its existing controls and better coordinate and sequence priorities. These mitigations will allow for better resource management, as well as a more robust understanding of the interdependencies between programmes and projects.
Considering the risk controls in place and the planned mitigations, it is anticipated that the risk severity will be reduced to a target of medium likelihood/moderate impact by April 30, 2020.
3. HR management
There is a risk that ESDC may not have the workforce skills, competencies, and distribution to meet current and future needs due to changing skills requirements, as well as demographic trends. In addition, challenges with the current HR-to-Pay environment may continue to affect the Department’s ability to recruit and retain talent and skills across all business lines. This could have an impact on Departmental service standards and objectives.
Changing skills requirements, shifting demographics (including a significant proportion of projected retirements over the next several years) and compensation issues stemming from the HR-to-Pay environment have important implications for HR management across the Department. With the Department’s policy and service transformation agenda and other government-wide priorities, it is increasingly important that ESDC has the right mix of skills and competencies within its workforce. If this risk is not mitigated, Departmental objectives and service standards may not be met, and the ability to maintain the desired quality of analysis and advice, and respond to Canadians’ expectations of services that are easy-to-access, timely, accurate and efficient, could be compromised.
An inability to have a sufficient and suitable workforce at ESDC would heighten all other corporate risks. For example, the Information Technology risk set its risk severity target based on the successful implementation of its workforce strategy to attract, recruit, and retain skilled IM/IT employees. Similarly, without sufficient project management capabilities, programmes and projects will not fully realize benefits on time, budget and scope.
To address this risk, the Department will continue implementing the ESDC Workforce Strategy and annual Workforce Action Plans containing numerous initiatives to attract, develop and retain a skilled and diverse workforce. Additionally, established governance structures will continue to ensure strategic management of human resources.
To further reduce the risk relating to HR, and improve pay outcomes for employees, ESDC is implementing the Compensation POD Plus Model to add its own compensation resources to the standard Pay Centre POD service delivery model. It will leverage the capacity of trained, ESDC Compensation Advisors with access to the Phoenix pay system, to increase the compensation capacity for processing ESDC pay cases.
The Department is also implementing the 2019 to 2020 Workforce Action Plan, which includes the following initiatives:
- implement the Executive Integrated Workforce Management Approach
- implement new ESDC talent approaches and continue to evolve succession planning efforts
- implement the ESDC 2017 to 2020 Recruitment Strategy
- develop and implement a renewed Action Plan on Official Languages training
- advance and implement the Competency Based Management (CBM) project; and
- implement the Compensation POD Plus Model
Considering the risk controls in place and the planned mitigations, it is anticipated that the risk severity will be reduced to a target of low likelihood/significant impact by March 31, 2022.
4. Project management
Due to a combination of high volumes of programmes and projects and insufficient project management capabilities and capacity, there is a risk that programmes and projects will not fully realize benefits on time, budget and scope. This may result in exposure to key risks including the inability to meet client expectations, reputational damage, financial loss, operational ineffectiveness, and political and regulatory challenges.
Project Management is central to the accomplishment of any goal within federal departments as it ensures the successful delivery of programmes and projects. However, high volumes of programmes and projects, insufficient capability and capacity for project management, along with competing priorities and ineffective portfolio management practices put the Department at risk of not being able to meet its commitments. Without effective project management, the Department may not be able to meet clients’ expectations, which could damage the Department’s reputation and lead to a loss of public trust. An inability to deliver on commitments could also result in financial loss if the desired results are not delivered or not delivered on budget.
Failure to adequately mitigate this risk could result in not fully realizing benefits on time, budget and scope, which would have a direct impact on the Department’s finances and the potential inability to meet client expectations and operational effectiveness which are encapsulated in the Investment Planning and Investment Portfolio Management and Service Delivery risks.
Various controls have been established to minimize project management risks, including the establishment of the Enterprise Project Management Office (EPMO) that offers various advisory services such as risk management and benefits management. Governance and oversight further mitigate the risks through committees such as the Major Project Investment Board and Internal Audit Reviews of project management. Best practices are communicated through the EPMO to inform project management delivery.
To further reduce the likelihood of the project management risk, ESDC will pursue other mitigation activities in 2019 to 2020, including project management development and maturation services for branches and enhanced oversight for risks at the project, programme, and portfolio levels. ESDC is also developing a Service Transformation Portfolio Risk Review process to enhance risk oversight and promote better resource management.
Considering the risk controls in place and the planned mitigations, it is anticipated that the risk severity will be reduced to a target of low likelihood/significant impact by March 31, 2020.
5. Information/Knowledge management (Data)
Given the high volume and complexity of information to manage and the lack of mature data management and information management programs, there is a risk that ESDC is unable to adequately protect, access, or analyze data and information of business value. This may result in potential privacy and security breaches, and reduced productivity in support of ESDC programs and services.
ESDC must manage a high volume and complexity of information while protecting the information from increasingly sophisticated cybersecurity attacks that can ultimately result in breaches of privacy and security. With the continued need to mature information management skills, tools and overall strategy, there is a risk that the Department’s policies, programs and services may not respond to the needs of Canadians.
Since this risk event could result in potential privacy and security breaches from inadequate protection of information, this risk has the potential to compound the Fraud and Privacy/Safeguarding of Personal Information risks. Additionally, the possible impact on ESDC’s ability to access and analyze data to inform policy development and delivery of programs and services could exacerbate the Policy Design risk and Service Delivery risk.
To address this risk, ESDC has implemented an ESDC Data Strategy (including Analytics and Data Governance & Stewardship programs) as well as an Enterprise Information Management (IM) Policy Suite Strategy and Roadmap to reduce the volume of information and the risk of unresponsive policies, programs, and services. The Department has also implemented the Policy on Government Security, which provides direction on the secure delivery of government programs and services, the protection of information, individuals and assets, and provides assurance to Canadians, partners, oversight bodies and other stakeholders regarding security management.
In addition to these controls, ESDC is taking steps to further reduce the risks relating to information and knowledge management. The Department is working to further mature its IM practices, increase IM awareness and training, and address IM tools and technology challenges, all of which are expected to be completed by June 2022. Policy and process updates such as Data Policy 1.0 and the Data Stewardship and Analytics Program are also on track to be completed in June 2021. Additionally, to further reduce the Department’s vulnerabilities to cyberattacks, ESDC continues to increase cybersecurity protection measures, in collaboration with government partners and service providers. ESDC is also continuing to implement its enterprise data strategy.
Considering the risk controls in place and the planned mitigations, it is anticipated that the risk severity will be reduced to a target of high likelihood/moderate impact by June 2022.
6. Fraud
Due to emerging and sophisticated fraud threats and the potential for wrongdoing, there is a risk that ESDC may be unable to effectively prevent, detect, and/or manage internal and/or external fraudulent activity and wrongdoing in relation to the delivery of its programs, services, and operations.
The Department has identified fraud and wrongdoing as risk areas that could result in loss of money, assets, information or public trust in the Canadian government. Additionally, risks posed by fraudulent activities and wrongdoing may impact the delivery of accurate and timely services to clients and the credibility of the Department as an effective steward of public funds and personal information.
Should this risk event occur, then it could impact the Privacy/Safeguarding of Personal Information risk by increasing the likelihood of inappropriate access/disclosure of personal information. This risk could also exacerbate the Service Delivery risk by potentially reducing the funds available within programs that support legitimate and eligible beneficiaries, impacting the Department’s ability to deliver financial support and services to those in need. Finally, this risk event could also increase the Policy Design risk. For example, if fraudulent activity and wrongdoing in relation to the delivery of programs, services, and operations were to occur, then it could distort evidence related to the social or economic well-being of Canadians. This could challenge ESDC’s ability to provide informed advice and policy recommendations.
The Department has taken steps to minimize the likelihood and impacts of fraud and wrongdoing. It has refreshed its Fraud Framework, which provides a cohesive, integrated and enterprise-wide approach to prevent, detect, and address fraud and wrongdoing against the Department. These measures incorporate controls rooted in a privacy-aware culture, accountability and governance, risk assessment, disclosure, investigation, monitoring, and reporting. They increase the Department’s capacity to prevent and respond to cases of fraud and wrongdoing sooner and more effectively, reducing the impact on the Department.
Although the Department has already taken steps to reduce the risk of fraud, it continues to improve its understanding of potential fraud and wrongdoing against and within its programs, services, and operations through regular analysis of the frequency and amount of fraud as well as the drivers behind it (malicious intent or accidental). The Department is seeking to align its systems and reporting mechanisms to improve its ability to identify, limit, and respond to incidents of inappropriate access to, or manipulation of, information in its electronic systems. ESDC will be introducing a secure website in 2019 to 2020 through which citizens can report suspected program abuse. The Department will also test software to centralize and manage data for more efficient monitoring to ensure ESDC can keep pace and act on wrongdoing and fraud within a changing technological environment.
Given that the risk of fraud and wrongdoing is a variable threat, and considering existing controls and additional mitigations expected to be completed by March 31, 2021, ESDC accepts maintaining a residual and target risk severity level of medium likelihood/moderate impact.
7. Privacy/Safeguarding personal information
Given the large volume of personal information obtained or prepared by ESDC, its inadvertent or inappropriate access, use, disclosure or disposal by ESDC, or its appropriation by constantly evolving threats, could result in a significant unauthorized loss or disclosure.
ESDC manages large volumes of personal information, much of which is sensitive. Not only can a loss or unauthorized disclosure of information lead to identity theft, fraud, or physical threats to individuals, but in a significant privacy breach situation, ESDC could also risk losing public confidence and trust. The large quantity of personal information and the technical sophistication of current and future threats mean that ESDC must actively keep pace by continuously focussing on privacy controls and the implementation of safeguards.
Should this risk event occur, it could increase the risk of fraud by potentially reducing the Department’s ability to effectively prevent, detect, and manage internal or external fraudulent activity and wrongdoing in relation to the delivery of its programs, services and operations. The Physical Security risk could also increase this risk to ESDC clients since an information breach could result in the divulgence of personal client information.
To protect personal information, the Department has established a robust privacy regime, including the Departmental Policy on Privacy Management (DPPM) and the Privacy Management Framework (PMF) for the management, safeguarding and judicious use of personal information. Together, the DPPM and PMF, aligned with the Treasury Board security policy and standards, consist of a risk-based and proactive approach for the management of personal information which includes:
- structured and coordinated risk management processes
- technical, physical and administrative safeguards to protect personal information throughout its life-cycle
- awareness campaigns and mandatory training to foster a privacy-respectful organizational culture
- a governance structure that provides senior-level privacy risk oversight
Considering the risk controls in place and the planned mitigations, it is anticipated that the target risk severity will be reduced from medium likelihood/significant impact to low likelihood/significant impact.
8. Service delivery
There is a risk that ESDC will not be able to provide and maintain high quality, timely, accurate, and efficient government services, delivered through multiple channels, in both the short and long-term. ESDC must be able to deliver day-to-day services to Canadians and, at the same time, transform service delivery to respond to Canadians' evolving needs and expectations.
Emerging technologies are raising Canadians’ expectations that government services become more accessible, responsive and easier to use. While the Department is expected to continue to deliver services that meet the current high standards, it is also expected to modernize and transform to meet rising expectations. There is a risk that the Department will not have the ability to maintain consistent high-quality day-to-day services while innovating to keep pace with service delivery models enabled by modern technology.
Should this risk event occur with ESDC not being able to effectively deliver ongoing services, it could increase the likelihood of the risks associated with Project Management because programs and projects may not fully realize benefits on time, on budget and within scope.
The Transformation and Integrated Service Management Branch (TISMB) – introduced as a mitigation and now an existing control – is working collaboratively with its partners within the Department, across the federal government, and with provinces and territories to transform how ESDC engages to better understand Canadians and deliver services that meet their needs. The Department will continue to perform regular reviews of its transformation initiatives to adjust the sequencing and prioritization of deliverables and balance its resource needs through vehicles such as the Major Projects and Investment Board and ADM Service Transformation Committee. It will also continue to report on progress through regular service dashboards and scorecards.
Further mitigations have been developed to streamline processes and to address specific issues relating to service delivery, client expectations, technology, and human resource needs.
Mitigations planned to streamline processes include those to boost ESDC’s capacity to secure a sufficient workforce with in-depth and program-specific knowledge for both ongoing operations and transformation initiatives. ESDC will allocate people resources to support the success of both operations and transformation initiatives. It will also fast track and increase the capacity of Branches to hire and onboard a workforce to meet the needs of today and the future.
To address specific service delivery issues, ESDC will review and streamline the Grants and Contributions process to reduce administrative burden, and through conducting internal and external consultations, it will develop a multi-year action plan to identify other key areas for improvement. ESDC will also mature the Integrated Service Management function to support an integrated approach to managing services across programs, branches and channels and will further mitigate against competing service workloads.
To manage client expectations, service standards and real-time performance results will be published on a monthly basis on Canada.ca.
Service delivery is dependent on technology. ESDC plans to conduct a complete business process and technology renewal (Benefits Delivery Modernization) for Employment Insurance, Old Age Security, and the Canada Pension Plan to enhance client service by transforming the way benefits are delivered. It will migrate to the Hosted Contact Centre Solution (HCCS), which will replace existing end-of-life call centre technology with a modern, hosted, centralized, and shared platform.
Considering the risk controls in place and the planned mitigations, it is anticipated that risk severity will be reduced slightly by March 31, 2021, but ultimately it can only reach its target of medium likelihood/significant impact once the IT Risk mitigations are in place in 2024.
9. Policy design
A quickly evolving social and economic context could put at risk ESDC’s ability to provide timely and high quality policy advice.
Employment and Social Development Canada has a mandate to build a stronger and more inclusive Canada, to help Canadians live productive and rewarding lives and to improve Canadians' quality of life. While the Department continues to develop policies in support of its mandate, it is also operating in a quickly evolving social and economic environment. As such, there is a risk that it may not be able to provide timely policy advice that keeps pace with these rapid shifts.
Should this risk event occur, it could result in less than optimal designs of policies and programs. The risk of Policy Design must be addressed in order to maintain targeted and responsive policies that address the public’s needs.
The Department has a number of existing controls in place to reduce the Policy Design risk. For example, ESDC has well established governance structures, both internal and external, such as the Strategic Policy Committee and Federal/Provincial/Territorial Committees (e.g. Forum of Labour Market Ministers), which serve as fora for discussing emerging issues and advancing the Government’s policy agenda. As well, through Government-wide committees such as the Deputy Minister Committee on Inclusive Growth, ESDC is able to apply a forward-looking lens to assess the impacts of public policies and programs in support of growth. ESDC also undertakes stakeholder engagement through Public Opinion Research, social media, and policy co-design, to understand the needs and expectations of Canadians and work to ensure policies and programs are responsive. Priority Trackers, Ministerial Stock Takes, Memoranda to Cabinet and Treasury Board Submissions are also used to monitor and track Government commitments.
Along with the controls in place, the Department is working to further reduce this risk by establishing new mitigation activities that improve policy responsiveness. The development of a coherent research strategy and plan will seek to improve the policy foundation by integrating research and analysis across the Department and making them easily accessible to teams responsible for policy development and implementation. ESDC will also leverage its Medium Term Planning process and further leverage Policy Horizons Foresight to understand the uncertainty surrounding emerging policy issues. Through these processes, ESDC will assess the responsiveness of programs to potential changes in the economic and social landscape, in consultation with internal and external partners (e.g. academics and other experts). The Department will capitalize on the work being done in the ESDC Innovation Lab to create more responsive policy approaches and use its Data Strategy to enhance key data foundations, including a Data Policy and Data Stewardship Program to support greater use, access, and collection of data to inform policy design and evidence-based decision-making.
After taking into consideration the existing controls in place and planned mitigation activities, it is anticipated that the risk severity will be reduced to a target of low likelihood and will vary between low and moderate impact depending on planned completion dates for activities.
10. Business continuity
Due to external threats such as natural disasters, cyber-attacks, workplace violence and terrorism, there is a risk that critical systems go offline or facilities close. This may result in an interruption in the delivery of services to Canadians.
Although the likelihood of external threats such as natural disasters, cyber-attacks, workplace violence, and terrorism is highly variable, the potential impacts to service disruption are high, and it remains a risk.
Should systems go offline or facilities close, it could directly impact the Service Delivery risk by further challenging ESDC’s ability to effectively deliver services to Canadians.
ESDC maintains a schedule for the renewal and communication of its Business Continuity Plans, Recovery Strategies, and Emergency Management Procedures. To date, these processes have benefitted from collaboration with departmental partners as well as external stakeholders, and that will continue.
In 2019 to 2020, the Department proposes to focus on readiness to respond and validate the effectiveness of its approaches through training and simulation. Minimum service levels and recovery time objectives will be measured on an annual basis to assess the Department’s progress towards business continuity.
Considering the risk controls in place and the planned mitigations, it is anticipated that risk severity will be reduced to a target of medium likelihood/moderate impact by March 31, 2023.
11. Physical security
Due to the types of programs administered by the Department and given the public access to service delivery areas, there is a risk that the security of employees or clients may be compromised. This may have an impact on employee mental health and morale or may result in physical harm or injury.
Should this risk event occur, the Business Continuity risk could be exacerbated if a Departmental workplace or Service Canada Centre needs to close. Risks to the physical security of employees and the public have the potential to impact the Service Delivery risk because it would interfere with the Department’s ability to provide quality and timely service to Canadians.
An evidence-based Security Communications Plan is in place and a Security Awareness, Training, Education and Outreach Program is being developed to ensure that security awareness tools and products are in place and aligned with security trends and that they sustain a strong security culture respectively. The Departmental Security Officer’s ongoing monitoring of and regular reporting on the statistics and trends in security incidents will continue to be a critical control to mitigate this risk.
To enhance the aforementioned controls, ESDC will continue to implement recommendations from the Threat and Risk Assessments of client-facing sites, and assess the awareness of and training on the tools available through the Security Awareness, Training, and Education Plan. It will also review and update its Security Policy, directives, guidelines and tools to align with the new Policy on Government Security that came into effect in July 2019, and to respond to the needs of the modern workplace.
Considering the risk controls in place and the planned mitigations, it is anticipated that the risk severity will be reduced to a target of low likelihood/moderate impact by March 31, 2021.
Conclusion
The Corporate Risk Profile provides an enterprise level overview of the risks that ESDC faces. The information found in the CRP is intended to be considered as part of decision-making relating to priority-setting within the organization. It also provides assurance to senior management and key stakeholders that a comprehensive risk management framework is in place, that potential enterprise risks are identified and monitored, and that actions are taken when required. It also empowers employees with the risk information they require to inform and influence their work.
The CRP delivers a structured approach to identify the top risks and the plans to be put into motion to help reduce risk, increase controls where required, and seize opportunities. It highlights the interconnected risks that could have the greatest impact on the achievement of the Department’s strategic objectives. Knowledge of risk information at all levels of the organization will support the Department to meet its objectives and deliver on results.
As the Department strives to ensure that Canadians receive high quality and efficient services, it must remain mindful of the changing environment in which it operates. Risk management will play an important role as the Department navigates the uncertainty. By understanding its risks and managing them effectively, ESDC can explore new opportunities. Intelligent risk-taking allows an organization to identify areas where risk exposure is within its tolerance allowing for opportunities to innovate, experiment and find new ways to adapt to a changing environment.
The CRP is only one part of ESDC’s approach to risk management. It is up to all employees to consider risk at all levels of the organization when planning and prioritizing. The goal is that the information in the report is taken into account when making decisions about priorities and reinforces sound risk management practices in ESDC.
Appendix A – ESDC risk taxonomy
Risk areas
- HR management
- Threats/Opportunities linked with recruitment and retention of staff, succession planning, and staff management and capacity building.
- Information/Knowledge management (data)
- Threats/Opportunities related to an organization’s capacity and sustainability of information management procedures and practices, of collection and management of knowledge such as operational information, records, research, scientific data and intellectual property.
- Privacy/Safeguarding of personal information
- Threats/Opportunities linked with an organization’s protection of personal information including sharing information agreements.
- Project Management
- Threats/Opportunities linked with an organization’s processes, practices and capacity of developing and managing projects in support of its overall mandate, as well as risks associated with specific projects that may require ongoing management.
- Resource management
- Threats/opportunities linked with the availability and level of resources of an organization to deliver on its mandate, as well as the organization's management of these resources.
- Investment planning and investment portfolio management
- Threats/Opportunities linked with the capacity of an organization to adequately prioritize and schedule its resources (human and financial capital, information technology, and physical assets) to deliver on its mandate and priorities.
- Service delivery
- Threats/Opportunities linked with an organization’s design, implementation and delivery of services as well as service channel capacities.
- Business continuity
- Threats/Opportunities linked with business processes including implementation failure and disruption of activities, programs or services due to a natural, technological or human-induced event.
- Business process controls/Integrity
- Threats/Opportunities linked with business process design and implementation, including implementation gaps, inadequate measures, tools or methods, or poor documentation.
- Communications
- Threats/Opportunities linked with an organization’s approach and culture of communication, consultation, transparency and information-sharing, both within and outside the organization.
- Financial management
- Threats/Opportunities linked with the structures and processes of an organization to ensure sound management of financial resources and its compliance with financial management policies and standards.
- Fraud
- Threats/Opportunities linked with a form of false representation with the specific intent of gaining an unfair or dishonest advantage. It involves either wilful misrepresentation or deliberate concealment of material facts for the purpose of inducing another person or organization to either part with money or something else of value or to surrender a legal right.
- Governance and strategic directions
- Threats/Opportunities linked with an organization’s approach to leadership, decision-making and management capacity i.e. complexity of governance structure, definition of roles and responsibilities.
- Information technology
- Threats/Opportunities linked with an organization’s capacity and sustainability of information technology, both the infrastructure and utilization of technological applications i.e. obsolescence, transformation.
- Stakeholder relations/Partnerships
- Threats/Opportunities related to our relationship with other governments, other departments, organization’s partners and stakeholders.
- Transfer payments
- Threats/Opportunities related to the design, the delivery and management of transfer payment programs (benefit to individuals, funding to organizations and transfers to other governments) in a manner that respects sound stewardship, transparency, accountability, and fairness.
- Capital infrastructure
- Threats/Opportunities linked with an organization’s capital infrastructure including hard assets (e.g. buildings, vessels, scientific equipment, fleet), but excluding IT.
- Contracting and Procurement
- Threats/Opportunities linked with an organization’s acquisition of goods or services from external sources.
- Legal obligations
- Threats/Opportunities linked with an organization’s achievement of its legislated obligations (compliance with laws, regulations, and domestic and international treaties, agreements and policies).
- Policy design
- Threats/Opportunities linked with an organization’s design, implementation and delivery of policies and programs which may impact the organization’s overall objectives.
- Reputation/Public perception
- Threats/Opportunities linked with an organization’s reputation and credibility with its partners, stakeholders and the Canadian public.
- Values and ethics
- Threats/Opportunities linked with an organization’s culture and capacity to adhere to the spirit and intent of the Values and Ethics Code for the Public Service.
- Physical security
- Threats/Opportunities linked with an organization’s provision of safe and secure work places.
Appendix B – Priorities for Transformation