Audit of Two Areas of Risk To Security in Health Canada: Roles and Responsibilities and Funding

February 7, 2003

Report Summary

The overall objective of the audit was to provide an independent assessment of the Department's progress in implementing the Government Security Policy (GSP). The scope of this Security Audit was determined through a preliminary survey which identified major areas of risk associated with departmental security. Specifically, the audit examined two high risk areas of the management framework: roles and responsibilities for security and the funding for security within the Department.

The GSP has recently changed to become more rigorous in terms of required action on the part of the Department and places more emphasis on the management framework and accountability structure within Health Canada. The GSP also now requires more stringent, formally documented processes to be in place and the use of security risk management to identify departmental safeguards above a base level of security. The Policy is more explicit in defining the accountability of Deputy heads for implementing this policy, in delineating the role of the DSO and in describing an expanded series of security policy functions the DSO is accountable for coordinating.

Security at Health Canada (HC) operates within a complex and diverse environment that offers significant challenges to meeting Security Policy requirements, as follows:

• Within the Department, responsibility for security has been delegated from the Deputy Minister, through the ADM Corporate Services and the DG Assets Management, to the Executive Director of Safety, Emergency and Security Management Division (SESMD), who is designated the DSO. As the functional expert in Security, SESMD has come to be well regarded by its government peers and by many in the internal security community within the Department for the quality of the staff and the content of security material. SESMD has been acknowledged for its Threat Risk Assessment models, Emergency Building response models, briefing material on security subjects such as Suspicious Package handling, for the departmental response to "9-11" and for the accessibility of its staff.
• Even though the Security group is the centre of the Department's security program, it does not fully own the accountability to adequately discharge its role for policy requirements: this is shared by various organizational entities in HC. As a result, though SESMD has put in place some excellent operational components for a potentially solid security program, the focus on managing security risk is missing as the Department has not provided for the mechanisms needed to adequately implement such a program. For example, a lack of strategic reach - that is, the DSO's reporting level and influence in the organization - means that it is quite difficult to accomplish the coordination of security policy functions, communications with operational departmental elements and promotion of a universally-accepted DSO role. In all, the current accountability structure and reporting level of the security function inhibit the DSO in achieving the GSP-mandated role. The ultimate impact of this situation is that the DSO cannot completely assure the Deputy Minister that departmental accountability for security is being effectively managed.
• As noted earlier, many components of security have been well developed by SESMD, including risk management TRA methodologies and Security Awareness documentation. The administrative framework for security, however, under which the DSO and SESMD attempt to operate the departmental security program, is adversely affected by a lack of clarity on roles and responsibilities. Weaknesses exist in department-wide security planning, the organization of job responsibilities across HC's security community, a standardized implementation of program requirements, a common base for security and effective, overall risk monitoring. This results in an insufficient assurance that policy requirements can be adequately achieved.
• Almost all interviewees characterized Security as a corporate service - that is, the provision of common, administrative support for operating managers - rather than a means for strategic risk management. Although the Security function has had recent success in gaining some funding toward its Business Continuity Planning initiative, generally corporate funding tends to be in reaction to events that have already occurred, such as post-9-11 funding, rather than to safeguard against potential threats. Hence, the capability to effectively manage a departmental investment in security is not there. Furthermore, in the absence of an executive champion promoting the DSO's role, the Security function will continue to be seen merely as a corporate service.
• Financial data for security is decentralized within branches with no financial roll-up to facilitate a coherent review of security expenditures. Consequently, the pursuit of overall, department-wide or strategic security goals is difficult. The impact is on the quality of decision-making: without a fully-costed base for security requirements the incremental costs for security are not known and thus the effectiveness of any investment decision is extremely difficult to monitor

Conclusion

Overall, the audit concludes that the implementation of the GSP at Health Canada is progressing well. The Security function at Health Canada has been highly effective at developing key elements of a departmental security program, particularly with respect to physical security issues within the NCR. The protection of employees and assets has long been understood as the key security risk element and physical security continues to be a concern due to the size and dispersed nature of the Department. The focus is well warranted by contemporary environmental considerations.

The capability to establish and direct a successful department-wide security program, however, is now an increasingly challenging mandate of the Government Security Policy, and poses a risk for the Department. This capability is largely dependent on the overarching accountability structure through which the DSO is empowered to discharge his role, and the administrative framework under which the Security function is constituted. These mechanisms of the security management architecture now require senior management's attention.

To this end the audit makes the following three recommendations:

1. It is recommended that the ADM Corporate Services Branch, with the support of the Departmental Executive Committee, authorize a review of the mandate, mission and reporting level of the DSO to ensure that they support the Deputy Minister's accountability for safeguarding employees and assets and for implementing the Government Security Policy.
2. It is recommended that the ADM Corporate Services Branch empower the DSO with adequate authority and responsibility to effectively undertake the management functions of planning, organizing, leading, controlling and monitoring of Health Canada's security program.
3. It is recommended that the ADM Corporate Services
   
   
   1. require the segregation of future funding for Security into
      
      
      1. ongoing operational funding - to ensure that a fully-costed base level of security is provided for; and
      2. funding for incremental investment - to reflect achieving the security risk management objectives of the Department; and
   2. examine the potential for financial budget and expenditure data for security-related items to be captured as a roll-up item in the HC financial system - to facilitate the aggregation and reporting of the investment in department-wide security.

The audit team is grateful to all the participants - interviewees and resource people - for their individual contributions.