Risk Assessment of Government on Line (GOL)

Internal Audit and Risk Management Services Director General:     J.K. Martin Audit Director, IT:    J.R. Clark Team Leaders:          F. Gloade Audit Team:             P. LePage                                 D. Lefebvre                                 M. Winterburn                                 K. Rosolen                                 K. Jevons                                 C. Thomas       May 2001

 

 

TABLE OF CONTENTS

 

 

FINDINGS................................................................................................................................ 1

ACTION PLAN......................................................................................................................... 2

 

APPENDICES

 

APPENDIX a    –  oBJECTIVES

APPENDIX b    –  SCOPE

 

 

 

Background

 

By the year 2004, HRDC will offer Canadians the choice of receiving key services on the Internet and having employees use Internet technology for tools of work and communication. On behalf of HRDC’s GOL Coordination Office, the IARMS conducted a Risk Assessment as a requirement for Tier Two reporting for TBS in September 2000. Interviews were conducted with senior management at NHQ and four regions.

 

HRDC has assigned the responsibility of a coordinating body to oversee GOL activities. However, the GOL governance structure needs clarification on accountability, roles and responsibilities, at both the federal and departmental level. The GOL Coordination Office should assume the structure of a Project Office to assist in the development of a project charter, plan, funding strategy and modernization activities. Discussion on the federal GOL governance structure, legislative and security implications should be held with senior federal officials. TIER-1 deadlines for automated e-mail response and search engine are at risk of not being met because of the uncertainty around the changing infrastructure and the time required to implement the appropriate software.

 

Findings

HRDC has limited resources to deliver GOL and with federal funding restraints the implementation of HRDC GOL is at risk.

Concerns were raised during our assessment in the areas of horizontal risks to deliver web technology federally as well as departmentally. Examples of horizontal risks were the lack of standardization around e-mail, search engines, clusters, portals, linkages and connectivity. Fragmented development of standards, separate silos and duplication of efforts were also noted as areas of risk.

There is no overall HRDC GOL charter that defines the governance structure, which includes, accountability, leadership, roles, responsibilities, organization and committee structure. Also, no one has been mandated to deliver a detailed project plan. The Coordination Office has not been directed to assume the structure of a Project Office that would establish a project charter to support the planning, monitoring and funding strategy.  Legislative implications of e-business, such as electronic signature, require further examination. There is uncertainty around the protection of data, personal information, secure channel, privacy and access. Also, partnerships, ownership, content and funding need to be clarified. Federal jurisdiction agreements have not been worked out, nor have standards been defined.

HRDC has acknowledged that web based service delivery will have a direct impact upon how we deliver our business. However the organization needs to demonstrate how it will integrate GOL with its delivery vision and business modernization activities. Failure to do so could lead to inefficient use of web technology capabilities. Furthermore, a HR strategy to address the changing roles, training, skill sets and communications with employees is still in the early stages.

TIER-1 deadlines for automated e-mail response and search engine are at risk of not being met because of the uncertainty of the development life cycle (design requirements, development, testing and implementation). This is further complicated by changes currently underway to HRDC’s infrastructure that could impact upon both of the preceding deliverables.

 

ACTION PLAN

Observation 1

HRDC has limited resources to deliver GOL and with federal funding restraints the implementation of HRDC GOL is at risk.

Action

Actions at this time relate mostly to the development of the business cases for Tier Two. Other actions will be based on existing budgeting and planning processes.

 

Actions	Schedule	Status	Responsible
Recommendations to the Executive Management Committee	December, 2000	Done	J. Bimson
Development of GOL implementation scenarios (including prioritization) for TB	January, 2001	Done	N. Smith
Develop Business Case Framework	May, 2001	In Progress	N. Smith
Pathfinder reporting to T.B.	Quarterly 2000/01 and 2001/02	In Progress	N. Smith

 

Observation 2

Concerns were raised during our assessment in the areas of horizontal risks to deliver web technology federally as well as departmentally.  Examples of horizontal risks were the lack of standardization around email, search engines, clusters, portals, linkages and connectivity.  Fragmented development of standards, separate silos and duplication of efforts were also noted as areas of risk.

Action

Government wide horizontal issues were identified to TBS in the Tier II September report. Meanwhile, action is being initiated internally on horizontal issues specific to HRDC.

 

Actions	Schedule	Status	Responsible
Recommendations to the Executive Management Committee	December, 2000	Done	J. Bimson
Setting up Cluster coordination function	February, 2001	In Progress	J. Bimson

 

Observation 3

There is no overall HRDC GOL charter that defines the governance structure, which includes, accountability, leadership, roles, responsibilities, organization and committee structure. Also, no one has been mandated to deliver a detailed project plan. The Coordination Office has not been directed to assume the structure of a Project Office that would establish a project charter to support the planning, monitoring and funding strategy.

Action

The GOL office has begun to develop a Project Charter.   This charter will then be submitted to the Executive Committees for approval. The GOL office has taken steps to improve its ability to pull together a project plan for GOL at HRDC, by staffing project-planning positions within the office.

 

 

Actions	Schedule	Status	Responsible
Development of Management Charter	January, 2001	Done	J. Bimson
Recommendations to the Executive Management Committee on the Charter	February, 2001	In Progress	J. Bimson
Project Management Staffing	Ongoing	In Progress	J. Bimson

 

Legislative implications of e-business, such as electronic signature, require further examination. There is uncertainty around the protection of data, personal information, secure channel, privacy and access.   Also, partnerships, ownership, content and funding need to be clarified. Federal jurisdiction agreements have not been worked out, nor have standards been defined.

Action

The GOL office has recommended that the Program and Policy Committee within HRDC take leadership on these issues.  Departmental efforts will include identifying those legal limitations that are within departmental control for change and those that are government-wide.  Review of the internal issues will be ongoing and dealt with on a case-by-case basis.

Partnership and ownership issues may be a contributor to the complexities of achieving cultural change. Key steps to addressing these issues include a clear strategic plan, marketing and communications, an HR strategy and continued education and training.

 

Actions	Schedule	Status	Responsible
Recommendations to the Executive Management Committee recommending that Program Policy Committee takes leadership of issues	January, 2001	Done	J. Bimson

 

Observation 5

HRDC has acknowledged that web based service delivery will have a direct impact upon how we deliver our business. However, the organization still needs to demonstrate how it will integrate GOL with its delivery vision and business modernization activities. Failure to do so could lead to inefficient use of web technology capabilities. Furthermore, a HR strategy to address the changing roles, training, skill sets and communications with employees is still in the early stages.

Action

The GOL office has recruited a regional task team to look at the impacts at the front-end and provide issues and recommendations.   The first report from this team will be available soon and recommendations will be considered.

The Human Resource Committee has agreed to take on the leadership of the development of a comprehensive HR Strategy including GOL impacts within a larger context (i.e. UCS, aging workforce, etc.).

 

Actions	Schedule	Status	Responsible
Regional Assessment Report(s)	December, 2000	Done	J. Bimson
GOL office first response to regional assessment	February, 2001	In Progress	N. Smith

TIER-1 deadlines for automated e-mail response and search engine are at risk of not being met because of the uncertainty of the development life cycle (design requirements, development, testing and implementation). This is further complicated by changes currently underway to HRDC’s infrastructure that could impact upon both of the preceding deliverables.

Action

HRDC established and implemented a framework within which the Tier One requirements, including Common, Look and Feel, could be met. This process was resource intensive and weighed heavily in terms of coordination, consultation, negotiation and monitoring requirements. While the HRDC approach must be acknowledged as onerous, it has proven successful in meeting the basic Tier One deliverables, with associated costs for this fiscal year being risk managed. The experience gained from meeting these deadlines successfully, though with difficulty, has provided lessons, which will be, studied to ensure more effective management of HRDC’s electronic service delivery channels in the future.

 

Actions	Schedule	Status	Responsible
Tier One Reporting	December, 2000	Done	R. Macdonald
Monitoring quality of web sites and compliance to standards	February, 2001	In Progress	R. Macdonald

 

APPENDIX A

 

OBJECTIVES

The audit’s objective is to provide management with an opinion on their compliance with generally accepted GOL practices and control frameworks relative to the following functions:

·        Management Framework - Accountability, Leadership, Planning, Organization, Control, Communication and Performance Indicators

·        Human Resources Management

·        Project Management

·        Asset Management

·        Computer Operations

·        Network Management

·        Vendor Relations

·        Infrastructure

·        Security

·        Clients

 

This review will also conduct an audit of the GOL Project to advise the DM, HRDC, SADM - SDN and the ADM, Systems as to the:

 

·        efficiency, economy and effectiveness of managerial policies, practices and controls

·        compliance of these policies, practices and controls with legislative and other authorities including those of HRDC

·        adequacy of, and compliance with, managerial and operational controls to ensure the completeness, accuracy and authenticity of data processed

·        quality of service delivery

·        adequacy of, and compliance with, HRDC’s systems and procedures

·        risks and potential problems with current practices

 

APPENDIX B