|
Home   Newsroom 2004 Speeches (archive) Bloodworth: 2004-10-19
Speaking notes for
Margaret Bloodworth Ottawa, Ontario
October 19, 2004
As delivered
Introduction Good afternoon, everyone. I am very pleased to be here. As some of you will know – certainly people from my department and perhaps some of the other government departments – that I've had a great interest in risk management for a long time, so I am pleased to have a chance to talk about it. I'd like to begin by thanking the Conference Board of Canada for organizing this important conference and for assembling what is a pretty impressive list of speakers. I'm sorry I'm not around to listen to more of them. In today's complex environment, sharing information, perspectives and experiences, and lessons learned is an essential part of risk management. And this conference certainly provides an excellent opportunity for us to do that across a number of fields. I must say I have always been struck by how, in very different fields, the same principles of risk management can be applicable. What's applicable in principle in financial management is not all that different in principle from what's applicable in civil aviation regulation or public safety for that matter. But let me also say at the outset that, when it comes to risk management, I consider myself very much still a student. I am speaking to you here not as an expert, but rather as a practitioner who is very much in a learning mode. So I offer my thoughts not as a road map of what to do, but as thoughts and experiences of someone who deals with risk management every day, as do many of you. Hopefully some of those thoughts will resonate with some of the issues that you're confronting. With that in mind, I'd like to discuss some of the risk management activities of the new department and portfolio of Public Safety and Emergency Preparedness Canada, and to place those in the wider context of what the federal government is doing as a whole on integrated risk management. PSEPC Let me begin by telling you a little bit about Public Safety and Emergency Preparedness Canada itself. This new portfolio is the next logical step in the refinement of Canada's all-hazards approach to emergency preparedness and planning. I must say that we are in good company with a number of the provinces who've moved in that direction – a number of them before we had – where they have put different public safety organizations under one umbrella. The PSEPC portfolio brings together CSIS, the Royal Canadian Mounted Police, the Canada Firearms Centre, the Correctional Service of Canada, and the National Parole Board. In addition, it includes the new Canada Border Services Agency, which itself brings in customs officials, food inspection agents, and immigration enforcement agents, who were in three different organizations prior to the creation of the Agency on December 12, 2003. Within the department itself, we have the public safety and security functions of the previous Department of the Solicitor General, the former Office of Critical Infrastructure Protection and Emergency Preparedness, which was part of the Department of National Defence, and the National Crime Prevention Centre, which was formerly with the Justice Department. For the first time at the federal level we have security and intelligence, policing and a wide range of enforcement, corrections and crime prevention, border services and border integrity, immigration enforcement and emergency management all under one roof, led by a single, very senior minister. In other words, the key agencies that allow us, and particularly allow a single senior minister, to provide leadership on public safety and security issues, and to respond to the consequences and prevention of all emergencies. Now, that sounds fairly easy to say, and I can say it fairly quickly. But integrating these diverse but closely related responsibilities, while it will make us more effective, is a challenge. I would be misleading you if I suggested that we had reached the optimum state at only ten months into our existence. But we can already see evidence that this structure will make us more effective in identifying and closing public safety gaps, communicating with one another, and operating more strategically to help protect Canadians. In a sense, the creation of PSEPC itself can be seen as an exercise in risk management because how you structure things is part of how you manage risk. Not only does this more streamlined structure enable us to do a better job within the federal government, but it also means we can work more productively with our partners – provinces and territories, which we have already started doing; municipalities and other government departments – again we've already seen significant progress in our ability to work, particularly on the emergency side, with other government departments, the private sector, and our colleagues in the United States and around the world. Indeed, with our relationship with the Department of Homeland Security in the United States we can already see that we have helped improve our ability to relate to that very important partner of ours through our organizational structure. I see from the list of people here today that we have a number of both of our partners and portfolio members, people from other government departments, the Ontario government, the Canadian Food Inspection Agency, the RCMP, and a number of others. The simple fact of your presence shows that you understand, as we all do, that nobody works in isolation anymore. If we ever did or ever could, we certainly cannot today. In an information age and global economy, both the negative and the positive sides of that, we are interdependent in a big way. And I guess while we all said that maybe for many years, we're now living it. These interdependencies and connections mean that a vulnerability for one can pose a threat to all. Both the complexity of the risks and the potential consequences are amplified. We've seen how deadly viruses and bacteria can travel halfway around the world in a matter of hours and exact major costs in both lives and dollars; how a relatively minor local problem in the power grid can, in a matter of minutes, plunge a good part of the continent into darkness. We've seen how a single diseased cow can put a multi-billion-dollar industry in jeopardy; how a teenager at a computer in Germany can infect hundreds of thousands of computer systems around the world, inflicting millions upon millions of dollars in losses. And what's more, we've seen all of those very events occur in the span of barely a year. And in some cases, such as BSE and SARS, they overlapped one another. Within a span of about six to eight months in 2003, federal assistance was requested for SARS, BSE, the August 2003 power outage, forest fires in the west, and severe weather including hurricanes in eastern Canada. The events do not occur singularly either, as consequence management, recovery and other activities often extend beyond, and overlap, other emergencies. Planning and preparedness activities, including risk management, are of course ongoing throughout all of this. And we cannot assume that emergencies will space themselves out according to our timetable or state of readiness. We must recognize that we may well be called upon to manage a range of emergencies that could occur consecutively or even simultaneously. Risk management in this environment is a key tool that can assist in meeting that challenge. Indeed, I would argue that it's an essential tool. Without it you would simply flounder from day to day on whatever the particular whim of the moment was. Our focus at Public Safety includes the importance of planning and exercising, the need to be proactive rather than reactive, seeing the link between risk management, transparency and accountability, and the importance of practicing and promoting good risk management. National Security Policy Let me turn for a moment to Canada's new National Security Policy, which recognizes and underscores the need for government to be prepared to address anything that could put the health and safety of Canada at risk or disrupt our economy. The policy assesses threats to Canadians, articulates our national security interests, outlines an integrated management framework for national security issues, and provides a blueprint for action in six key areas: intelligence, emergency management, public health, transportation, border security, and international security. Government has committed national resources to advance those priorities – never enough – I hasten to add. I am no different than any other Deputy Minister in town in that I could use more resources as well. But the amount is significant. Since September 11, 2001, they had already committed some $7.5 billion, and an additional $690 million was committed with the new National Security Policy. Our portfolio, Public Safety and Emergency Preparedness Canada, is involved in all of the issues covered by the National Security Policy. In some we are the lead, such as emergency management and critical infrastructure protection. In others, we provide policy advice to the Minister on a portfolio lead agency, such as borders. In other cases, such as health emergencies, our role is to provide support while the responsible department or agency takes the lead. Let me pause on that for a moment. If there's one lesson we have all learned over the last few years, it's that very quickly what is supposedly a health emergency or an agriculture emergency can achieve dimensions far beyond the scope of the expertise of one department. Similarly, in a province or a municipality, I think how much more readily now emergencies can quickly go beyond the scope of individual governments or jurisdictions to cope with all on their own. So working together has never been more important. Our goal is to ensure a coordinated federal approach to preparing for, protecting against, and responding to emergencies of all kinds, whether they be natural disasters such as Hurricane Juan, public health emergencies such as SARS, questions of national security, or the protection of our critical physical and cyber infrastructure. Risk Management Now, determining our responses in such a complex environment cannot be left to chance, or indeed to the views, no matter how informed they are, of a few individuals at a particular moment in time. That's simply too subject to the winds of change, and it doesn't allow sufficient time to focus when actually dealing with issues. We must take a proactive approach that is both systematic and transparent. That is also a key part of building public confidence in our capacity in the public safety area – which is an essential component, I would argue, of everything government does. But nowhere is it more important than in safety and security areas for there to be public confidence in what it is we're doing and how we're doing it. Now, we all take risks every day in the choices we weigh and the decisions we take. Risk management is about bringing more discipline to decision making and making our choices and their implications more explicit. Now, that's not a scientific definition, but it's the definition I use because I think it's a theory. I know there are many, many theories and models in risk management – but if it can't meet that definition then I have to say as a practitioner it probably isn't of much use to me. So let me just repeat my personal definition. Risk management is about bringing more discipline to decision-making – more rigour, if you like – and about making our choices and the implications of those choices more explicit. There are lots of ways to do it, but that's the goal. It's an approach used to analyze, assess, compare information on threats and risks, and determine if they can be avoided, removed, reduced, or simply prepared for. While I'm talking mostly about emergency management, safety and security here, I would argue that that could be applied to just about any area if you think about it. The issue isn't whether we manage risk or not. We must do so, given the uncertainty in what we all do. We all manage risk every day. So the issue is not whether or not we manage risk; the issue is how we manage it, and whether we're going to do it in a more proactive, structured way or a more traditional way of having individuals do it on their own basis. Emergency management activities such as planning, preparedness, response and recovery, build on risk management tools such as hazard and vulnerability assessment to refine and target specific areas or types of event mitigation and response. This is what we should do in advance of an event to enable better and faster decision making during an event. You can understand then why I would say that risk management is basic, and indeed fundamental, to much of what we do in Public Safety and Emergency Preparedness. Now, when the department and portfolio were created, the components of the portfolio arrived with their own well-established and effective approaches to risk management already in place. And as you, I'm sure, will know – if you're attending a risk management conference, you're probably among the more knowledgeable about risk management – as you will know, where risk management is concerned there is no one-size-fits-all approach. And indeed, be wary if someone tries to sell you a system that can fix everybody's problem. There isn't one. In the Government of Canada, all departments are expected to adhere to the standards set out in the government-wide integrated risk management framework. But it is just that: a framework. Individual departments and agencies have to tailor their approach according to their particular responsibilities and capabilities. I know from my experience as Deputy Minister of Transport and as Deputy Minister of National Defence that this is real. Risk management is essential to carrying out the mandate of both of those departments. You can readily see how a risk management strategy that works for civil aviation regulation may not necessarily fit the decision made about troop deployment to Afghanistan. So it is within PSEPC, in public safety and emergency preparedness. The point is not to impose an identical approach to risk management across departments, but to ensure that we build the discipline that allows for an integrated approach to risk management across the entire public safety and emergency preparedness sector. Of course to provide effective risk management for Canadians we must be able to manage our own internal risks. That includes, among many other things, ensuring that the new organization meets government accounting standards for business continuity planning. Indeed, PSEPC is now mandated to provide leadership on business continuity planning for the Government of Canada. And if we're going to do this, we must ensure that the department sets the standard, that we indeed walk the talk and set a good example for business continuity planning, development and implementation. Our new role will also include conducting regular audits of other departments' business continuity plans, as well as providing advice and support on developing business continuity standards and criteria under the government security policy. Here again, the structure of the organization allows us to bring multiple perspectives to the review process, providing greater support and assurance to other government departments so that any shortcomings in planning will be identified and corrected. Again, we are dealing with risk management. There is no business continuity plan in the world that can assure that all parts of your business can continue under any and all circumstances. But you can identify the highest or the most significant risks and deal with them. The business continuity process of the Government of Canada requires departments to complete exercises such as the threat and risk assessment and business impact analysis. The information gathered through these exercises is essential to understanding organizational risks and to developing the appropriate planning to manage those risks. Communicating Risk I've spent some time giving you examples of how the new department's structure contributes to effective risk management. But I would be remiss if I did not mention the emphasis we place on risk communications. In my view, we are not practicing good risk management if we're not also practicing good risk communications. We need to inform people of threats and hazards and the steps they can take to minimize and prepare for emergencies. The Government of Canada has worked with provinces and the Canadian public for many years to build individual and community resiliency by encouraging preparedness. And I say advisedly worked with the provinces and municipalities because by and large the biggest bulk of the work every day on emergencies, if you think about it, falls first of all on municipalities and their police and fire organizations, and secondly on provinces. It's only when something becomes really big that you need either help from neighbouring jurisdictions and/or from the federal government. However, unfortunately we seem to be facing more and more events, perhaps because of the interconnected nature of our world, that require assistance beyond a particular jurisdiction. A wide variety of information is disseminated on preparing for emergencies, including natural hazards, such as severe weather and earthquakes or terrorism. Now, this is not about becoming Chicken Little, or being perceived as the boy who cried, 'Wolf!' Rather, it's about reasoned and reasonable communications regarding the risks to Canadians. And this itself is a very important activity on which we have worked for many years with our provincial colleagues. But I think there is something, with which my provincial colleagues will certainly agree: collectively we can do even more and better than we have done if we put our resources together. And that's one of our priorities over this coming year. Encouraging awareness and the capacity to assess relative risks actually works, and we have some examples of where it works. The approach taken by the commercial airline industry provides one of those examples. As Stephen Flynn at the Council on Foreign Relations noted in an article in the most recent issue of Foreign Affairs, despite the periodic horror of airplanes falling out of the sky, the public by and large remains convinced that it is safe to fly. Now, I believe this can be attributed to the cooperative efforts of the private and public sector aviation officials to incorporate safety into every part of the industry. So when they tell the public that flying is an acceptable risk, the public actually accepts this as a credible statement. I think that's true. I think there's a lot of polling that shows that the public accepts not that it's perfectly safe, but that it is an acceptable risk to fly. Even when disaster does strike, and it does strike from time to time as it does in any other industry, the fact that the lessons learned are compiled and released and that the government and industry take corrective action itself provides a degree of reassurance to the public. Every time we board a plane, flight attendants explain how to fasten our seatbelts and don oxygen masks, where the emergency exits are and how to use them. Now, that provides a subtle reminder, I would argue, of two things that are important – despite the fact that not all of us follow the message all the time we're on the plane. We all know it's given, and we would notice if it wasn't given. But it provides reminders of two important factors: one, that the industry is serious about safety – and I would argue government as well, because they're regulated to actually have to do that – but that the crew is thinking safety every time they get on a plane; and secondly, and I would argue every bit as importantly, that each of us has a role in managing risk. It's not just about what somebody else does; it's also about something that I do. Now, what does that mean for the Public Safety and Emergency Preparedness Department and portfolio? It means meeting the ongoing requirement to inform people of real or perceived risks and provide them with information that allows them to take reasonable steps to avoid risk where possible and be prepared to deal with potential emergencies that cannot be avoided, and saying up front that not all emergencies can be avoided. There will be crises that occur. As well, we must meet some professional challenges of risk communication across and among a diverse community of government partners, including internal communications within the Government of Canada. This is part of risk management, as it is a clear and tested approach to crisis and emergency communications. Communicating risk implies the capacity to assess and communicate risk or threat information appropriately to provide advance notice and, where possible, time to prepare or strengthen emergency planning and response capacity. Crisis and emergency communications mean communicating the right message at the right time to the right people. Again, easy to say but, I can assure you, much tougher to do. But it is an essential part of managing an emergency or crisis, or preparing for an emergency or crisis. And there are multiple audiences with multiple needs. A strategy must be devised, agreed upon and tested through exercises to ensure that when an emergency occurs, timely information can be delivered to the appropriate decision makers, responders and the public. Provision must also be made for the potential disruption of communications networks and alternate modes of communications emplaced. The key behind this is advance planning based on sound practice of risk management. Indeed, we have already seen improvements over the first ten months with our communications professionals setting up what's called a public safety cluster of all of those in town who are interested in risk communications of the various kinds. Again, some of that is simply about making sure you know people and don't have to introduce yourself when something actually happens. A Culture of Risk Management All of these things I've mentioned – the structure of PSEPC, the National Security Policy, creating and enhancing mechanisms through which we work with our domestic and international partners, communicating risk – all are about managing risk and securing the safety of Canadians in today's complex threat environment. More than that, they're about reinforcing what I call a culture of risk management. And a culture of risk management may be the most important factor, more important than any of the others. It's certainly more important than any particular theory or process. We cannot anticipate every threat, nor can we prevent every crisis or emergency. What we can do, by establishing a culture of risk management, is ensure that when the unforeseen does occur we have a well understood and practiced approach to decision making, response and recovery in place. Never has the value of this cultural aspect of risk management been clearer to me than on September 11, 2001. I was Deputy Minister of Transport Canada at the time when the terrorist attacks took place. Like everyone that day, we had very limited and uncertain information to guide us. Indeed, we had almost no information beyond what CNN was providing for the first hours. But we certainly knew that the consequences of even one more attack could be huge. And we knew that there were more than just the two in New York because others kept occurring, which seemed pretty regular at the time. So delay was not an option. A decision was reached quickly to ground all flights – very quickly considering that no one had ever even considered doing that before. Then we had to decide immediately how to deal with the many flights over the North Atlantic that had suddenly been denied entry to the US but did not have enough gas to go back to Europe. These were unprecedented decisions with huge logistical and economic implications. And indeed, we had no knowledge of the actual probability of another attack occurring. But given all things, even to this day – and believe me, I've thought about it many times since – I'm convinced the decisions made in the first hour were ones I would make again, if I had to do it over again. But what I want to emphasize, those decisions, decisions that were of an unprecedented magnitude, were taken within about 45 minutes. Now, obviously in those circumstances we were forced to tailor the degree of sophistication and depth of analysis to the time and information available. We didn't haul out a sophisticated risk management plan to do that. We had to make decisions, and we had to make them quickly in circumstances for which we had no manual or practice because nobody had ever envisaged that might be done. But we were doing so in an environment that was conducive to good risk decision-making. Risk management was often talked about and part of how the whole regulatory area at Transport dealt with it. We were familiar enough with the process to realize there could be no perfect decision and to quickly take stock of the relevant factors that we were aware of. We must also realize that risk management is not about waiting until you have knowledge of all the factors and implications before making a decision. It's about knowing when it's necessary to make a decision and making the best decision possible with often very imperfect information. There is no area in which this is more important than emergency or crisis management. And any risk management theory that suggests to you that you have to analyze and compile everything in all circumstances, beware of it. You need to put in the culture that allows you to think about that and ensure that the people around you think about that, but you will not have time at many times to do a long, elaborate analysis. This is an extreme example I've given you, but there are lots of others I'm sure you can think of in the same way. It also underlines the importance of advance planning, testing and exercises. Lots of things look good on paper or sound good when somebody stands up and spends half an hour talking about it. Only by exercising plans and responses, and exercising them with the people that you have to deal with in the event of a crisis, will we know if they're robust enough to perform when we need them, and that we have the necessary structures, institutions and relationships that are robust enough to respond to the unexpected. Conclusion Which brings me to the final thought I'd like to leave with you today. Risk management is an active process. There's no room for a 'set-it-and-forget-it' approach. If you think you've got it just about right and perfect, you can be sure that tomorrow morning something will happen to prove you wrong. Just as the threat environment is evolving constantly, so too must the Government of Canada's approach to managing the risks associated with the environment evolve. And that indeed is the purpose of National Security Policy and the role of Public Safety and Emergency Preparedness Canada: to provide leadership on public safety with a risk management framework that is robust enough to manage the risks of today, yet flexible enough to adapt quickly to threats of tomorrow. I think we're not unlike many of the rest of you when you think about what you have to do. Do not think that this will provide you an answer. It provides you a framework and a culture, and that's what's important in terms of risk management. And you'd better be sure that you're able to change it, because you probably will be called upon to do so. Thanks very much, and I wish you a very good conference.
|
Printable version
Send this page