Second Session, 41st Parliament (2018)

Select Standing Committee on Public Accounts

Victoria

Tuesday, January 16, 2018

Issue No. 3

ISSN 1499-4259

The HTML transcript is provided for informational purposes only.
The PDF transcript remains the official digital version.


Membership

Chair:

Shirley Bond (Prince George–Valemount, BC Liberal)

Deputy Chair:

Mitzi Dean (Esquimalt-Metchosin, NDP)

Members:

Garry Begg (Surrey-Guildford, NDP)


Rick Glumac (Port Moody–Coquitlam, NDP)


Bowinn Ma (North Vancouver–Lonsdale, NDP)


Adam Olsen (Saanich North and the Islands, BC Green Party)


Ralph Sultan (West Vancouver–Capilano, BC Liberal)


Jane Thornthwaite (North Vancouver–Seymour, BC Liberal)


John Yap (Richmond-Steveston, BC Liberal)

Clerk:

Kate Ryan-Lloyd



Minutes

Tuesday, January 16, 2018

10:00 a.m.

Douglas Fir Committee Room (Room 226)
Parliament Buildings, Victoria, B.C.

Present: Shirley Bond, MLA (Chair); Mitzi Dean, MLA (Deputy Chair); Garry Begg, MLA; Bowinn Ma, MLA; Adam Olsen, MLA; Ralph Sultan, MLA; John Yap, MLA
Unavoidably Absent: Rick Glumac, MLA; Jane Thornthwaite, MLA
1. The Chair called the Committee to order at 10:05 a.m.
2. The following witnesses appeared before the Committee and answered questions regarding the Office of the Auditor General Report: Police Records Information Management Environment: PRIME-BC System — A Security Audit (March 2017):

Office of the Auditor General:

• Carol Bellringer, Auditor General

• Cornell Dover, Assistant Auditor General

• Pam Hamilton, Director, IT Audit

PRIMECorp:

• Oliver Grüter-Andrew, Chief Executive Officer

• Bob Gehl, Chief Operating Officer

• Mike Webb, Chief Technology Officer

3. The Committee recessed from 11:00 a.m. to 11:10 a.m.
4. The following witnesses appeared before the Committee and answered questions regarding the Office of the Auditor General Report: An Independent Audit of the Regional Transportation Management Centre’s Cybersecurity Controls (October 2017):

Office of the Auditor General:

• Carol Bellringer, Auditor General

• Morris Sydor, Assistant Auditor General

• Ada Chiang, Director, IT Audit

Ministry of Transportation and Infrastructure:

• Kevin Richter, Assistant Deputy Minister, Highways Department

• Debbie Fritz, Executive Director and Chief Information Officer, Finance and Management Services Department

• Caner Budakoglu, Director, Information Management, Security and Privacy, Finance and Management Services Department

• Ed Miska, Executive Director, Engineering Services

Ministry of Citizens’ Services:

• Gary Perkins, Executive Director and Chief Information Security Officer, Office of the Chief Information Officer

5. The Committee recessed from 12:26 p.m. to 1:35 p.m.
6. The following witnesses appeared before the Committee and answered questions regarding the Office of the Auditor General Report: An Audit of Community Gaming Grants (December 2016):

Office of the Auditor General:

• Carol Bellringer, Auditor General

• Laurie Selwood, Director, Financial Audit

• Ken Pomeroy, Senior Audit Associate, Financial Audit

Ministry of Municipal Affairs and Housing:

• Kevin Volk, Assistant Deputy Minister

• Joanna White, Executive Director, Community Gaming Grants

Ministry of Attorney General:

• John Mazure, Assistant Deputy Minister, Gaming Policy and Enforcement Branch

• Anna Fitzgerald, Executive Director, Compliance Division, Gaming Policy and Enforcement Branch

7. The Committee adjourned to the call of the Chair at 3:07 p.m.

Shirley Bond, MLA
Chair

Kate Ryan-Lloyd
Deputy Clerk and Clerk of Committees

TUESDAY, JANUARY 16, 2018

The committee met at 10:05 a.m.

[S. Bond in the chair.]

S. Bond (Chair): Good morning, everyone. Welcome. I’ll begin by wishing everyone a happy new year. We have some very busy days ahead of us as the Public Accounts Committee. We’re starting today with three audits that will be presented. Tomorrow there will be another set, and then later in January, we’ll meet again so that we can continue to make progress on the audits that have been presented by the Auditor General.

We’re going to begin, as we usually do, with a presentation from the Office of the Auditor General. We’re very pleased to see Carol Bellringer with us this morning, with a number of her staff. The first report on the agenda today is the Auditor General’s report, Police Records Information Management Environment: PRIME-BC System — A Security Audit, which was released in March of 2017.

We’re going to begin with a presentation from the Auditor General and her staff. We’ll then move to hear from PRIMECorp, and then, obviously, the committee will be asking questions.

Welcome, Madam Auditor General. We look forward to hearing from you a number of times over the course of the next couple of days.

Consideration of Auditor General Reports

Police Records Information Management Environment: PRIME-BC System — A Security Audit

C. Bellringer: Thanks so much, and good morning, Members. I’m joined this morning by Cornell Dover, the assistant Auditor General who was leading this project, and Pam Hamilton, the director of IT audit. We also have Ada Chiang in the room, another IT audit director who worked on the audit as well. I think you’ll be hearing from her later on, on one of the other audits.

In March 2017, we released this audit of PRIME-BC. PRIME-BC is the computer system used by all police and 911 operators in the province. We undertook the audit due to the importance of the system to policing in British Columbia. The focus of the audit was to assess whether PRIME-BC was properly protected from cybersecurity attacks. We had initially audited the system in 2013, but we did not release the results at that time. We had concluded that the system was not properly protected.

For the next two years, we monitored the progress that PRIMECorp made in addressing our 2013 recommendations, and in 2016 we completed another full audit. We found improvements in the controls protecting the system. There were good controls to protect against external attacks initiated from the Internet, for example, but we found that there were vulnerabilities with the internal security.

Because it’s a police system, it’s a target for attackers. As such, we expect stronger security controls than may be required for other systems. We also recognized it’s challenging to stay ahead of the threats and, thus, critically important to build in multiple layers of defence.

We found several areas for improvement and made recommendations to address those in a detailed management report that we gave to PRIMECorp in November of 2016. Our public report that we released in March ’17 contains just one recommendation. That is for the board to ensure that PRIMECorp implements the recommendations that were included in our detailed management report. This report that you have before you is very high-level. It’s not our intention to publicize details that could be used to compromise the system.

I’ll turn it over now to Pam for a short presentation on the audit itself.

P. Hamilton: Good morning, Members and Chair. As introduced, I’m Pam Hamilton. I was one of six senior staff on the security audit of PRIME-BC. I’d like to take the next five minutes to go through the background information on the system, our findings and recommendation. PRIME-BC stands for Police Records Information Management Environment Inc. I will just refer to it as PRIME-BC.

PRIME-BC is the IT system used by the police and the 911 operators provincewide. In the 911 centres, calls are recorded in the system, and the operators dispatch police officers, based on a map showing where every car is and which cars are available to take calls.

[10:10 a.m.]

The system is accessible to all police from mobile device terminals mounted in their cars. Police in their cars have full access to information about suspects, including mug shots and crime scenes. It is used for emergency and non-emergency, from the first contact with 911 or the police to the completion of the investigation.

The police system in B.C. is unique from other provinces, because it is one ICT system used by all police in the province. Other provinces have many different systems used by municipal police and the RCMP, which makes information-sharing more difficult. It was legislated in 2003 that all B.C. police must use PRIME-BC. The system was fully implemented in 2008.

There are many connections into PRIME-BC, including connection points from 13 municipal police agencies and 135 RCMP detachments. This amounts to about 13,000 users. There are also connections into the B.C. Attorney General, other provincial police agencies and the federal CPIC system.

PRIMECorp is an organization that exists to support PRIME-BC. In 2013, we gave PRIMECorp a detailed management report with 75 recommendations. Over the next several years, we monitored their progress in dealing with the recommendations and returned in 2016 for a full re-audit. By then, PRIMECorp had moved to a new, modern office building. There were leadership and staffing changes, new and upgraded tools and a noticeable culture shift with much more emphasis on security.

Now I will move into our findings. We found that controls were in place to protect against external attacks, but stronger controls were needed to prevent internal threats. Behind these statements, we did extensive testing, including hiring experts to try to break into the system. In November 2016, we provided PRIMECorp with a management report of the detailed recommendations.

We had just the one recommendation in the public report: that the board of directors ensure PRIMECorp implements the recommendations in our detailed management report. In December 2016, we updated the board on the findings and recommendations from the detailed report. At that time, we were told that most of these recommendations had been started and that many were already fixed. A decision was made by our office that releasing a high-level report would not expose the system to additional threats.

This concludes the presentation.

S. Bond (Chair): Thank you very much. We appreciate that.

We’re going to ask now for PRIMECorp’s response. I think we’re going to move the representatives over to the witness tables.

O. Grüter-Andrew: Good morning. My name is Oliver Grüter-Andrew. I am the chief executive officer of PRIMECorp. I’ve been in this role for about four months. Previously I spent 25 years leading technology-intense organizations in British Columbia and other jurisdictions. My most recent role was as chief information officer of the Provincial Health Services Authority in Vancouver Coastal Health. So I have a background in the materials that we’re discussing today.

I’m very pleased to have the opportunity to be here today. Two of my colleagues are with me: Mr. Bob Gehl, who is our chief operating officer, and Mr. Mike Webb, who is our chief technology officer. I will just ask them to briefly give a little background on themselves.

B. Gehl: Good morning, everyone. My name is Bob Gehl. My role at PRIMECorp is overseeing operations and includes aspects of the security of the PRIME-BC system.

I have been involved with PRIMECorp for approximately 20 years. I have been involved, in my former career, as a police officer with the Victoria police department, retiring in 2015 as an inspector. I have been involved in various aspects of PRIME and came over to PRIMECorp in 2011 as the chief operations officer.

[10:15 a.m.]

M. Webb: Good morning, Madam Chair and members of the committee. My name is Mike Webb. I’m the chief technology officer at PRIMECorp. I also have responsibility for technology services at E-Comm, which, of course, is the parent company of PRIMECorp.

I have about 31 years of experience in technology of various kinds. I’m an engineer by training. I’ve worked in public safety communications for the better part of the last 20 years, since 1998, when E-Comm was initially established. I’ve been in this role with PRIMECorp since 2014 and in my current role with E-Comm since 2011.

O. Grüter-Andrew: Thank you, Mike.

The police records information management environment, PRIME, is a mission-critical information system that supports policing and public safety in our province 24-by-seven, as we’ve already heard. The system allows police officers near real-time access to critical information when and where it is needed the most. Threats to IT systems are always evolving, and the importance of protecting the sensitive data contained within PRIME-BC is the utmost priority of PRIMECorp and the B.C. police community.

We’re very pleased that the OAG has recognized the significant advancements over the past three years, and we acknowledge and appreciate the recommendation provided to us with regard to further strength and controls to protect against attacks from within. This is an area that any organization that deals with sensitive data must be focused on.

We are pleased that the OAG concluded there are good controls in place to protect against external attacks. PRIME-BC maintains a very robust security program to support the PRIME-BC system. Internal controls refer to the necessary mechanisms required to maintain security of the system with respect to those users who have elevated or privileged access, such as system administrators and support specialists. PRIMECorp uses a variety of controls, providing multiple layers of protection that I evaluated and adapted to ever-evolving threats.

We recognize that we must ensure we take all possible measures to protect against internal attacks no matter who the users are or how low the risk is. This is simply the most responsible approach we can take.

Completing the remaining activities towards the recommendation is a high priority for PRIMECorp, and progress is being evaluated and tracked very closely. To date, we have made significant progress towards the recommendation — currently at 75 percent complete.

The target completion date is September 2018, and we’re very confident it will be achieved. Since March 2017, PRIMECorp has provided regular progress reports to both the board of directors and the Auditor General and will continue to report out until completion of the recommendation.

In summary, PRIMECorp has taken, and continues to take, all steps available to ensure that the integrity and security of the information entered into PRIME-BC are not placed in jeopardy at any time.

As noted by the OAG’s external security experts, PRIME-BC’s external perimeter is secure, and there have been significant enhancements to internal security practices. This now includes regular independent audits and testing of system security and practices. Our security roadmap will continue to include continuous improvement processes to stay on top of best practices for IT security.

The PRIMECorp board of directors and the police agency committees involved with PRIME-BC will continue to be vigilant and proactive in ensuring management takes all necessary steps to ensure the protection of sensitive data and to maintain secure systems.

We are grateful for the opportunity to work with the B.C. Office of the Auditor General and the audit team and for their valuable input towards strengthening security of the PRIME-BC system.

S. Bond (Chair): Well, thank you very much for those presentations. We recognize that it is a very overarching, generic type of report and audit because we don’t, by the very nature of our discussions, want to compromise the system.

I do want to remind members that they’re welcome to ask questions. Kate will take the speaking order and put it on a list for me. I think the most important thing to remember is that when we are asking the Auditor General’s office, it’s about the scope and some of the technical parts of the audit process. The other questions would then go to PRIMECorp about specific issues.

I see that Ralph is ready to go in the new year. He is first on the list, so we’ll start with Ralph, please.

[10:20 a.m.]

R. Sultan: I’d like to begin by paying a tribute to the pioneering champion of PRIME, who was our former Solicitor General, Rich Coleman. I know when I was first elected…. It was not too many sessions later when Rich talked about PRIME. He always used the case study of a bicycle being stolen in East Vancouver and recovered hours later on the North Shore because of PRIME.

We thought: “Well, that’s nice. We’re tracking lost bicycles.” But he repeatedly pointed out the importance of this information-sharing and the uniqueness — at the time, at least — of this new system. We accept that at face value.

I think the reports we’re reading today are confirmation of the soundness of the concept as it was proposed initially and implemented. I think all the players involved deserve a pat on the back. I wanted particularly to mention Rich — the vindication of Rich’s strong support in the early days.

My question relates to the fact that one cannot pick up the newspaper hardly any day without reading about some new troublesome breach of IT systems, whether they’re chasing after Hillary’s emails or Russian oligarchs in the Panama Papers or the scandal I recall reading some months ago of some police officer, I believe, looking up records on co-workers and his girlfriends, all the way to a story yesterday about this amazing, we hope, new fighter aircraft, the F-35. It sounds like a piece of flying software, being compromised, possibly, by Russian penetration of the information system embodied in the aircraft, in Turkey, of all places.

One layperson such as myself finds it hard to believe that any system these days can be guaranteed to be 100 percent secure and impenetrable. It all seems to be shades of grey and degrees of security. If 100 percent security is not, frankly, feasible all the time, everywhere, and I accept that probable reality, how could the PRIME system itself that we have be made even tighter? I ask whether three things are really pivotal here: the resources available to further enhance security and/or the technology itself and/or the fact that we have so many players accessing the system — 13,000. How can we always be sure that they are using the system in a responsible fashion?

I guess my question is a very general one. If we wished to make it even better…. From all appearances, it’s already very, very good. Is it a question of money, technology? Or, frankly, is it as good as it’s going to get?

O. Grüter-Andrew: I’ll take a stab at that, if I may, and involve my colleagues.

As you’ve correctly stated, technology and technology security are never perfect. So it’s a question of how close we can get to the state that we’re really aspiring to. I’d be foolish sitting here and saying it was not a matter of money. Money is always welcome, but it’s by far not the critical piece.

The really critical piece is to have the right kind of people working on the security provisions of the system. That means the resource allocation, the technology choices, the management of the technology, the access rights — as you’ve recognized, a large number of people have some form of access or other — and, most importantly, to constantly be aware of how security threats are changing and to prepare the organization and evolve both the organization and the technology it supports to match up to that.

[10:25 a.m.]

We believe that we’re in a strong position, doing that today. I also believe that the reports that we have received from the Auditor General’s office support that view. But I do also agree that there’s always more that can be done. We do have an evolving program that is constantly being studied and reviewed by our executive to ensure that we’re staying on top of this.

I’d like to ask Mike Webb, our chief technology officer, to add his views to that.

M. Webb: Thank you, Oliver. What I would just add to that is that the technology team that’s supporting PRIME-BC is about 85 staff in total, and probably about a third of those are directly involved day to day in the management of the system. We’ve put a lot of energy over the last three to four years both in recruiting and, obviously, going through security clearance processes to bring people into the organization. I think, as Oliver indicated, we’ve come to a pretty strong position as far as the resourcing. It’s now a matter of keeping that team focused but also continuing to develop skills within the team.

In parallel with that, we work very closely with our vendors. As the threat environment is evolving, so is the technology environment. That goes both ways, meaning there are new technologies and new capabilities that we can bring to bear that actually will help us strengthen our security position. So we are doing work on those systems.

As Oliver indicated, it’s not an issue so much of funding, it’s really a matter of…. You know, there’s a lot of diligence and a lot of work that has to go into really sort of advancing the security posture as we go forward, even just from a technology point of view.

I think maybe Bob may want to speak to more policy and operational aspects that go with securing the PRIME-BC system, but I’d just like to leave the committee with the message that every day we are focused on how we make improvements into the system to better leverage the tools and resources that we have available to us.

B. Gehl: Thanks, Mike. I’d like to speak specifically to the point about the 13,000 users and how one manages that much complexity, recognizing that security is an integral part of our information system.

The responsibility for the security of the system extends out to our police community and the agencies. Through our governance, we have user committees. Within those governance committees of user committees, we have the security experts from police agencies as well as our own dedicated team of security experts.

We have a full-time, dedicated team. All they do is security. They provide, as Mike alluded to, the monitoring of the PRIME-BC systems. They manage user accounts and manage the oversight in an oversight role providing best practices out to the client agencies — our customers, which are the police agencies.

We provide policy with respect to best practices and share that out. It is very much a collaborative model in terms of how we manage that large a stakeholder group.

A. Olsen: It was an interesting weekend. As I’m going through these reports, two things, I guess. A news article on an FOI’d CSIS report — the update that a high-level CSIS operative gave the federal government that’s now been made public through an FOI report — talking about technology in the rapidly changing world and, perhaps, our government’s response to that and our ability to respond to it. Then, of course, the events in Hawaii that happened this weekend.

In reading this report…. For one, I’m happy to hear that the perimeter of PRIME-BC is secure, but that wasn’t the problem in Hawaii. The problem was the internal aspects of the system in Hawaii.

It came from someone hitting the wrong button or something. Then further to that, from what I understand, the ability to send out the alternative message, which was: “Okay. Everything’s good. That was a mistake.” It took a while for them to be able to do that. More and more of the situation is going to become clear to us — exactly what happened.

[10:30 a.m.]

That said, we’re dealing with information here which could make or break someone’s life, frankly, if it’s accessed and changed. We’re talking about changing the scope of someone’s life, so ensuring the internal pieces of this is really, really critical.

I’d just take a look at the Auditor General’s report, which was back in March 2017 — so it’s been a while now — suggesting that we would have this complete by the end of 2017, and then, in the response here, dated last week, that the final activities, while they’re in progress, would be completed in the third quarter of 2018. I guess I’d just like to hear a little bit about the time frame. The extended length of time that it will take to secure the…. I guess this is suggesting that we’re not entirely secure at this stage. Maybe you can provide….

I just would like some assurance of the security and that we as government are doing everything we can. If it’s resources that’s holding us back three-quarters of a year…. I’ll just leave it at this.

O. Grüter-Andrew: Thank you for the questions. It’s a very good observation too.

The reason for the time difference between end of 2017 and Q3, 2018, was indeed related to resources. It had to do with the difficulty of securing the right technology skills with the right security clearance, because we require individuals working on the system who have a very high level of security clearance at the national level.

We chose to delay certain activities in order to ensure that the resources working on them were both appropriately skilled and appropriately screened. It was a judgement call on our part, and it was not made at the detriment of security for access to the system.

A. Olsen: Excellent. Thank you.

S. Bond (Chair): Thank you, Adam. That was one of my questions.

I’m just going to take the liberty, then, of putting an exclamation mark. It wasn’t financial resources. It was the ability to get the right person with the highest degree of security clearance. So that has resulted in the delay that Adam noted?

O. Grüter-Andrew: That’s correct. We’ve now confirmed the right resourcing, so that’s why we’re confident that we can move forward in the declared time frame.

S. Bond (Chair): I’m going to give Adam a follow-up here.

A. Olsen: It’s actually more of a comment. It’s not directed to PRIMECorp or the Auditor General. It’s more just a general comment. So I don’t know if this is the appropriate time to make it.

S. Bond (Chair): Sure. I think you might as well finish your thoughts, and then we’ll move on to Mitzi. Go right ahead.

A. Olsen: I guess, from my perspective, part of what government needs to do going forward…. All of us, all 87 of us, need to fully invest in this, in cybersecurity, frankly, and in securing our systems.

It’s going to take a completely different approach, I think, than we’ve had in past generations. As was pointed out in the CSIS report, there are new actors, and those new actors are being developed every single day as technology changes. We’ll talk about another report where cybersecurity threats are pointed out.

It’s just more of…. I think that we can be testing and having people crawl all over our systems to ensure their integrity.

S. Bond (Chair): Thanks for that.

Next up is Mitzi, please.

M. Dean (Deputy Chair): Thank you, to you both, for your reports and your presentations.

I agree with my colleague. For me, this is really important because it’s also about protecting vulnerable people. Having a provincewide system is really important, and having that collaborative approach is the best way of actually delivering best service to protect vulnerable people in our province, so we can roll out other provincial standards like VAWIR policies that actually mean that we provide a better service to people, especially if they’re vulnerable.

It’s continuing a little bit on the questioning so far. I’m interested in the Auditor General’s view of the feedback that we’ve had that about 75 percent of the recommendations have been completed. I’m interested not only in the timeline. Does that mean that 100 percent of those previous 75…? It’s a lot of recommendations. There were 75. So will we eventually reach a point where all of those have been completed?

When you went back and did the follow-up, were there new recommendations? I don’t expect you to divulge them, obviously. But were there then also new recommendations, and how far do you think progress has been made in working towards those?

C. Bellringer: There are a couple of questions in that question. We definitely saw improvements.

[10:35 a.m.]

The one aspect of it that we had to think through: can we actually follow up the old recommendations and just look at whether or not they’ve been improved individually, or do we have to do a full re-audit?

We chose to do the full re-audit, principally because, as time changes, you just don’t know where you stand today. So we didn’t want to assume that because something had been in place in 2013, it continued to be in place when we came in at the second point in time.

One of the challenges with all of these things is trying to stay ahead of where things are today as opposed to where they were at the point in time that we did the audit. I’m seeing nods, so I’m assuming that we’re all on the same page on this. The more critical — not only critical — aspect of it for PRIMECorp is to ensure that they are, at every point in time, going forward confident that their system is strong.

Ideally, 100 percent of our recommendations implemented are going to have a stronger foundational piece, of course, but equally as important is for them to stay on top of self-assessing, to ensure that things that were in place in the past continue to stay in place going forward. Things like the penetration testing that we did is not something that we would expect every organization to do. It’s expensive. It’s quite intense. But in a system of the risk level that we’re talking about today, it would be something we would expect to be done periodically, as well, going forward.

S. Bond (Chair): Bowinn, do you have some questions?

B. Ma: Yes. I’m wondering whether or not we had cases of exposure of the system in the past, whether from external or internal threats. If so, what were they? If not, what are potential consequences of someone actually breaching the system, either externally or internally?

B. Gehl: I am not aware of any external breach, in terms of a cyberattack. In terms of an internal, inappropriate access — that has happened within the police agencies. We have policy to deal with that and reporting mechanisms out, both to us and to the Privacy Commissioner, when an inappropriate access does occur.

B. Ma: Can you elaborate on that inappropriate access? I guess I’m having trouble…. Or it’s not that I’m having trouble, but I’d like some more information as to what the consequences of inappropriate access or a breach could be.

B. Gehl: Yes. In terms of an inappropriate access, it may be someone with user rights to the system inappropriately querying a licence plate in the system. We would characterize that as an inappropriate access. It’s not for law enforcement purposes.

That would be reported or dealt with by the police agency. It would likely result in a professional standards investigation, and the Police Complaint Commissioner becomes involved. The disposition or resolution for disciplinary action would range, based on the assessment by the complaints commission. I don’t have those with me, but they are available through the Police Complaint Commissioner.

S. Bond (Chair): Thank you very much, Bowinn.

Any other questions from members? I do have a couple, but I want to be sure that members have….

R. Sultan: I can think of another hopefully relevant question. I’ve been admiring the new building you have pictured. It recalled my days at the Royal Bank of Canada, early days of the IT world. Many, many decades ago I happened to be on their IT task force, and we interviewed the head of Royal Bank information technology, a brigadier general retired from the British Army, who liked to refer to himself as Brigadier Downing, and he ran his organization along the same lines — as if he’d never left Germany.

He explained his view of the data centres, the computing centres the Royal Bank should be operating across Canada. He wanted six or seven of them, and any one of them could pick up the load from the adjacent one, should anything happen to it.

[10:40 a.m.]

His other rule was that none of these buildings, although they needed to be centrally located in terms of staffing, could be within a grenade throw’s distance from the curb or the security fence. He envisioned some saboteur throwing a Molotov cocktail or something through the window, I suppose.

I look at this wonderful glass edifice, and I’m wondering. From a security point of view, this is hardly what I’d call a concrete bunker. Is this the very best choice?

O. Grüter-Andrew: I’m probably less concerned about grenade-lobbing than the Brigadier-General was, at this point, but a fair question nonetheless. Actually, when I saw the picture in the slides, my initial thought was: “I wish we hadn’t put the picture in.” There’s no indication on the building anywhere that we’re tenants in the building, and that’s certainly a best security practice. It’s not something we publicize.

At the end of the day, the physical security of the building is really no longer the major challenge, as you of course understand. It’s really about the electronic security of the data that’s sitting within it.

In terms of the site redundancy and those means, I’ll just ask my colleague Mike Webb to comment.

M. Webb: To the point about having multiple sites, that is, in fact, the case, and there’s a significant amount of investment being made to harden. Actually, we’ve already done a fair bit of hardening of the infrastructure. I’ll stop at that point, without going into a lot of detail. But suffice it to say that we follow that same philosophy, I guess, that same practice. Physical security is as much of a component of our security program as are the technical and cyber aspects of physical security.

R. Sultan: So a big seismic event is unlikely to knock out this system provincewide.

O. Grüter-Andrew: That is correct. The building in which the data is housed is highly seismic resilient. It is, in fact, not the building whose picture you saw on the slides.

M. Webb: It has multiple layers of both power and connectivity redundancy as well.

R. Sultan: Thank you.

S. Bond (Chair): Ralph always has some very colourful questions, and there’s a lot of history there, Ralph.

Someone else who has history and probably has some good questions, MLA Garry Begg. You’re up next.

G. Begg: Thank you, Madam Chair.

Thank you for the presentation. I do have a background, of course, in policing. I was with PRIME from the beginning, so I have some expertise, I think, in some of the areas that we’ve discussed today. Perhaps it will be helpful if I clarify — to a degree, I hope — some of the concerns that Bowinn had. I think Bob did a good job of sort of orienting us to what internal threats may be.

I would say, without qualification, that the majority of what we call internal breaches you would call misuse or improper use of the system. Ralph indicated that as well. Some of the cases that have become public have been as simple as a police member querying the licence plate of an attractive lady for whatever purpose. There are very firm rules in place — I was with the RCMP — that govern all of that activity, in cooperation with PRIME.

It’s important, from my point of view, that we don’t connote internal threats to be anything other than what they mostly are. I would not ever preclude the possibility that an employee would, for a criminal purpose — to divert an investigation or to otherwise pervert justice — do that.

I would say — hopefully, you will agree with me, Bob — that probably greater than 99 percent of all of the ones that require some sort of observation or consequence would be what you would see as very minor and inconsequential in nature. It doesn’t mitigate the overall need to ensure that we have stringent controls in place. I think we do, certainly from the RCMP point of view. I just wanted, hopefully, to clarify that for you.

S. Bond (Chair): Thank you very much. That is reassuring. Certainly, that’s important for the public to know as well.

[10:45 a.m.]

I have some specific questions, and I wondered if we could just, so that I understand…. I think it was Pam that mentioned…. Or at least in the Auditor General’s report, it talked about the use of contractors to do some of the work during the audit process. Were contractors used both in 2013 and 2016? And was it the same contractor?

C. Bellringer: I’ll let Cornell answer it.

C. Dover: Yes, it was. We used contractors for both the audits, and it was the same two contractors that we used. So we had a consistent process both times that we did the audit.

S. Bond (Chair): Yeah, that was my question. Building on the 2013 audit, it would be helpful to have the same contractor and be able to look at a consistent approach there.

I also had a question. It probably is to PRIMECorp, because it’s in the response on page 6 of the initial audit. Was there confusion about the governance model?

I found it interesting that PRIMECorp found it necessary to explain the board process. It actually says: “We’re happy to provide further information to the Office of the Auditor General.” I found that quite interesting. I’m assuming that the Auditor General’s office would know that. So was there confusion about the governance model?

O. Grüter-Andrew: Not from our point of view, I would say.

B. Gehl: No, I think we are unique in that we’re not necessarily a reporting entity pursuant to what normally would be a provincial ministry per se. We are slightly unique with our shareholder agreement as a subsidiary company to E-Comm in that relationship which is described within the report. Oftentimes people will ask: how are you governed? So I think it was important that that was depicted.

C. Bellringer: I’ll say also, from our perspective, that we didn’t feel there was any confusion. It’s a very complex governance structure. The board is chaired by the director of police services from the Ministry of Public Safety and Solicitor General. The representatives around the board table — senior police officials, representatives from municipal and provincial government — as a board, are responsible for PRIMECorp’s strategic direction and financial operating results.

We did at one point, through the planning, discuss whether we would actually look at the governance structure, because it is unique. We chose not to. I believe that the reference in the response was directly related to a comment we made around accountability through to the ministry. We still believe that to be the case, while respecting the fact that there are multiple stakeholders at the table.

S. Bond (Chair): I think that’s very helpful. I think that if there are questions about governance and how people communicate with one another, that’s probably something we want to make sure there isn’t an issue with. So I appreciate that.

I wanted to pursue the internal threat issue just a little bit. I’m certainly no expert. Garry has, I think, given us a great deal of comfort about the kinds of things that might happen.

Mine is more about the number of users and the fact that the system, according to the report, interfaces with other organizations, including federal police organizations, CPIC and others. For me, the question is: when you look at privileged access — I think that is how it was described — how are the controls in place?

I’m not suggesting for a moment that there would be, as Garry points out, some agency that would look at internal threat, but it could happen. How does the internal threat risk relate to users that are further afield than British Columbia? Obviously there are national connections to this system. How do you monitor that, and is that part of the process of looking at internal threats?

B. Gehl: The controls we maintain are in relation to our system. When we say there are connections to, say, the CPIC system, the federal system, that is an interface to that system. There are accounts which are monitored by us and, again, by national police services. Much like if there was a breach or an inappropriate access at the PRIME side, on our system, or on the CPIC side…. In the instance of CPIC, both entities would be notified that there was an inappropriate access or use of that information or system.

[10:50 a.m.]

That’s assessed for the users’ level of access, and that is subject to their role and responsibility within the system. While I say that, a police officer’s access to the system is very different than, say, someone who’s working on the IT support side of the system and people with access to the back end or the really deep part of the root systems. It’s all based on roles and responsibilities and levels of access.

With that, as Oliver alluded to earlier, different levels of security clearance are required. Those user accounts are now audited and monitored, as well as the ability to audit what their activities are. Should there be any type of breach or any type of activity that’s inappropriate, we can go back and look at those log files.

S. Bond (Chair): Maybe let me just pursue that for a moment. So there are approximately 13,000 discrete users in British Columbia. Is that the number?

B. Gehl: Roughly, yeah. Approximately 10,000 police officers and 3,000 non-sworn support staff.

S. Bond (Chair): But there are people outside of British Columbia who also access the data.

B. Gehl: They can access the data through other means, by way of an information portal. That’s not coming into our system per se. It depends on the system. Without going into a technical level of discussion, there’s a police information portal whereby the Ottawa police service, if they were looking for information on someone they’re dealing with, could access information through that portal.

The information is logged against our system that a query was made so that the owner agency knows that this particular record was accessed by a member in the Ottawa police. So that information is, in fact, tracked — not through our system but through the police information portal.

S. Bond (Chair): I guess you’re making my point for me. Obviously, having data sharing in British Columbia is important, but the last time I checked, criminals don’t really pay attention to the Alberta border. So you would want the ability to share that information more broadly. My point is just that risk likely increases as you share that information with ever-increasing — however they connect.

I guess I’m just asking that as that information is shared…. And I am supportive. I think most of us would be. If somebody has done something terrible in British Columbia and they end up in Ontario, we want to make sure that the police have that kind of information. I just want to be sure that as you look at internal risk, those people beyond our borders who have access are part of that strategy to deal with potential risks to our system. I hear from your answer that, yes, that is the case.

B. Gehl: That is the case. There are sharing agreements. Those agreements are maintained by national police services which have conduct of the police information portal and manage it on behalf of the Canadian police community to those agencies that want to publish their information.

S. Bond (Chair): I have one other, and then I’ve got two hands that have popped up there.

I also wanted to check. Government has a business continuity plan so that in the event of a catastrophic event, there remains…. You know, the business of government has to continue. Is PRIMECorp part of the business continuity process? Have they been part of the planning so that if there is a catastrophe in British Columbia, we still have protection of that information and also the ability to use that information in that circumstance?

O. Grüter-Andrew: We don’t participate in larger-scale government planning around disaster scenarios and continuity. But like many other entities in British Columbia that play an integral part in public safety, such as the health services and ambulance services, we pursue our own disaster recovery and recovery ability plans. It’s in the context of provincial events. So we are connected into that process, but we’re not an integral part of a single government planning process, if that’s what you mean.

S. Bond (Chair): Okay. I think that’s an important thing. One of the things we need to recognize is that, should that happen, there does need to be an overarching government strategy that deals with business continuity. I think that PRIMECorp, sadly, may have a role to play in some of the aftermath of a situation like that. Connected is good, but I think there needs to be a very well-thought-out and integrated plan in the event that there’s some sort of catastrophic event in the province.

[10:55 a.m.]

Hopefully, we can just make note of that — that business continuity matters and that all of the partners, including health services and others, have to have a critical role in how we respond in the event that something happens. We hope it never does, but we do need to be ready.

John Yap, do you want to go ahead?

J. Yap: It occurs to me, as the Chair said, that as sharing increases, the risks can increase, and mention was made about the sharing across Canada. Does the sharing go across to the United States? Is there any access for policing partners in the U.S.?

B. Gehl: Not through any system that we maintain, no.

J. Yap: So if there was a case involving American police agencies, how would they have a chance to access? What’s the arrangement there?

B. Gehl: I would think that would occur at the federal level versus at the municipal level, so that would be whatever the sharing agreements are with those entities.

J. Yap: What you’re saying is that any sharing of information or access is only restricted within Canada.

B. Gehl: Yes.

A. Olsen: I’m just reflecting on something that my colleague said with respect to scale of threats or use and misuse — nature of internal threats. For me, I accept that 99 percent of these are maybe deemed as being minor in nature or misuse. I guess I just want to say that, in one respect, we’re planning for…. We’ve got to create a system that deals with the 1 percent, and we’re creating a very resilient system that the most sophisticated cyber actors can’t get past.

On the other side, I think I just want to also state that those ones that could be deemed as minor in nature or misuse, while they may not be a global security threat for the system or for the police services or for PRIME, they do represent a security threat on a personal level. We could think of and talk about thousands of different examples, but that officer accessing that plate for that reason presents what could be quite a major personal security threat, and therefore, while they may make up 99 percent of it, it’s part of the 1 percent for that individual.

As I was kind of working through what you said, I completely agree. To the member on the opposite side here, I do completely agree. I just want to, I think, also put a fine point on it — that that is potentially a life-changing experience for an individual who becomes vulnerable to that. We are dealing with a range of threats and a range of perspectives.

C. Bellringer: There were just a couple of comments that tie into a few things that have been said.

In terms of risks and threats, one thing, certainly — not just from this audit but from all of our IT audits — we’re seeing as an increasing threat throughout the industry is the risk of those things you don’t know about, the risk of those things where access has been gained unknowingly, and it simmers. It just sits there silently until such time as it then occurs. So that aspect of it has to be taken into account.

Of course, we haven’t been sharing the detailed recommendations because of the nature of them and so on. I just wanted to agree with the importance of the disaster recovery plan aspect.

S. Bond (Chair): Any other questions from our MLA colleagues?

Well, thank you very much, first of all, to the Auditor General and her team. I think all of us very much respect the discretion that you have used in how you’ve presented the audit. We don’t want an audit to expose the vulnerabilities that we’re trying to fix, so I think that was a very prudent approach. We appreciate that.

To PRIMECorp, we thank you for the work that you’re doing. We do urge you to…. As several of my colleagues have brought up, the recommendations are important — getting through them in an expeditious way now that you have the appropriate resources. I think that the comment that was made about, “We want to get as close as we possibly can to that 100 percent,” is really important currency around the protection.

Thank you very much for the information shared today, and we look forward to making sure that that work continues to progress in the days ahead. So thank you very much for that.

We’re just going to take a couple of minutes recess and allow people to shift positions down there. Perhaps MLAs may want to get a water or a coffee as well.

The committee recessed from 11 a.m. to 11:10 a.m.

[S. Bond in the chair.]

S. Bond (Chair): I appreciate you coming back in an expeditious way as we work our way through our agenda today.

The second report that we’re going to discuss — again, a substantive report — will be the Auditor General’s report An Independent Audit of the Regional Transportation Management Centre’s Cybersecurity Controls. It was presented in October of 2017. As is our practice, we are going to ask the Auditor General to begin with some remarks, and then her staff will present the PowerPoint. Then we have a number of staff from the Ministry of Transportation who will bring us their perspective on the audit.

An Independent Audit of the Regional Transportation Management Centre’s Cybersecurity Controls

C. Bellringer: Thank you again. With me for this report are Morris Sydor, the assistant Auditor General on this particular audit, and Ada Chiang from the audit team, who will do the presentation. Greg Morhart is also here. He worked on this particular audit.

The Ministry of Transportation and Infrastructure has a Regional Transportation Management Centre, which manages traffic flow at major bridges and roadways throughout the province. We looked at just one aspect of the centre’s traffic management, which was whether it had foundational cybersecurity controls in place. We found that there were some gaps.

Foundational cybersecurity controls are essential to any IT system, not just traffic management. They’ll include basic things like knowing what software and devices are on the system so that you can secure them. It also includes controlling and monitoring who has access to the system and keeping the systems updated.

I’d like to be clear. We only looked to see if the Regional Transportation Management Centre had these controls in place. We didn’t assess their effectiveness. That said, we’re not aware of any cybersecurity breaches that have impacted traffic flow or safety, but we want to emphasize the importance of protecting those systems.

I’d like to end by saying that the Ministry of Transportation and Infrastructure is already making changes to fill the gaps we identified in this audit. I’ll turn it over now to Ada to provide you with a brief overview of the audit.

A. Chiang: Thank you, Carol, and good morning, Members. I will provide a brief overview of our audit of the cybersecurity controls at the Regional Transportation Management Centre. I will refer to the centre as RTMC in this presentation.

Variable speed limit signs like those on the Sea to Sky Highway and lane controls on the Lions Gate Bridge, George Massey Tunnel and Cassiar Tunnel are all managed from the RTMC of the Ministry of Transportation and Infrastructure. RTMC was built in 2013 and serves as a control centre for transportation management in the province.

The RTMC facility has modern IT systems to provide around-the-clock, live monitoring of road and traffic conditions of provincially managed highways across B.C. Today’s transportation systems are more advanced and interconnected than ever before. As a result, there is more exposure to cybersecurity threats.

Our audit focused on one particular aspect of traffic management: to look at whether the ministry has established foundational cybersecurity controls to protect these important traffic management systems. As mentioned by Carol earlier, we only looked at whether or not the cybersecurity controls were in place. We did not assess their effectiveness, and we did not audit whether the operations of the traffic management systems, including lane change, were operated or managed safely and reliably.

At the time of our audit, we found significant gaps in the RTMC’s cybersecurity controls. We concluded that the ministry has not established appropriate cybersecurity controls to protect its traffic management systems. In this audit, some of our results showed weaknesses that could potentially expose RTMC to cybersecurity attacks.

For security reasons, and as with many of our IT reports, we did not disclose our detailed findings in this report, as doing so could put the RTMC at greater risk. Instead, we provided our detailed findings and recommendations to the ministry in the form of a management report.

[11:15 a.m.]

We identified four key areas that the ministry needed to work on: knowing what hardware and software are in place, establishing baseline settings for hardware and software, performing vulnerability assessments and remediation, and managing access to systems. Our recommendations mirrored these key areas.

We made five recommendations. First, the ministry should conduct risk assessments of the RTMC operational environment and ensure appropriate security controls are implemented.

Second, the ministry should know what hardware and software it has in place so it can be secured.

Third, the ministry should establish and maintain baseline settings for its hardware and software. This includes things like regularly applying updates, installing IT antivirus software, using strong passwords and removing unnecessary software.

Fourth, the ministry should perform vulnerability assessments or scans that look for security weaknesses and then act on the findings to fill any gaps.

Fifth, the ministry should carefully manage and control access to its systems. Specifically, we mean the administrator accounts, which are those accounts required to set up and maintain the systems.

In conclusion, addressing the gaps will help ensure that the RTMC’s traffic management systems are secure. This is important because the systems are essential for efficient and safe traffic flow. We are encouraged that the ministry recognizes the risks and has promptly taken steps working to address the gaps we identified.

That’s our summary and concludes our presentation of the RTMC audit.

S. Bond (Chair): Thank you very much.

We’ll just make a shift in chairs. I think maybe Kevin Richter is going to move over there.

K. Richter: Good morning, Chair, committee members and officials from the Office of the Auditor General.

First, I’d like to thank the Auditor General and her staff for their audit and their report and, also, for recognizing the sensitivity of some of the information. I’d also like to thank the Chair and the committee members for the opportunity today to respond and give an update on our progress.

Before diving in, let me introduce myself. My name is Kevin Richter. I’m the assistant deputy minister for the highways department in the Ministry of Transportation and Infrastructure. I’m responsible for all the highways operations throughout the province.

Before introducing my colleagues, I also want to pass on my sincere apologies on behalf of our deputy minister, Grant Main, who is unable to be here today due to other competing priorities. He wanted me to assure you, Ms. Chair and committee members, that the right subject-matter experts are here today to answer your questions.

Joining me is Debbie Fritz, our executive director and chief information officer in the information management branch in the finance and management services department. Debbie manages all the information technology and related support services and activities throughout our ministry.

Joining me also is Caner Budakoglu, our director of information management, security and privacy at the information management branch, also in the finance and management department within the Ministry of Transportation and Infrastructure. Caner has been our lead for taking the actions and moving forward with the recommendations that have been in response to the Auditor General’s recommendations.

Also joining us is Gary Perkins, the executive director and chief information security officer at the office of the chief information officer, Ministry of Citizens’ Services. Gary and his team manage and coordinate information security activities across government. We’ve been working closely with Gary and his team to ensure that our action and response activities align with the IT practices implemented by the province so far.

[11:20 a.m.]

Finally, our fourth witness is Ed Miska, executive director of engineering services in the highways department at the ministry. Ed manages all the engineering services.

Now what I’d like to do is just ask my colleagues to give a bit of background.

D. Fritz: My name is Debbie Fritz. I’ve been in the Ministry of Transportation for just over six years, managing the IM and IT. I’ve been in government over 30 years, and 25 of those years have been working in information technology and information management.

C. Budakoglu: Good morning, Chair and members. My name is Caner Budakoglu. I’m the director of information management, security and privacy at the ministry. I’ve been with the ministry just over two years, and I’ve been with the provincial government working in various information, security and privacy roles for approximately 12 years. I’ve been working in the field for over 15 years.

G. Perkins: Good morning, members and Chair. My name is Gary Perkins. I’m the chief information security officer for the government. I work within the OCIO. I have over 20 years of experience in this field, and I’ve been working in government for four of that.

E. Miska: Good morning. I’m Ed Miska, executive director of engineering services. I have 34 years of engineering experience. I’ve been with government 25 years, all of them with the Ministry of Transportation and Infrastructure working primarily in traffic highway safety and intelligent transportation systems.

K. Richter: I’ve invited my colleagues here today to assist in answering the technical questions, if they’re required.

As already presented by the Auditor General, we support the five recommendations that they’ve put forward about bolstering and strengthening our cybersecurity. We’re taking action and have moved forward with completion of some and have taken great strides with others. I will skip through the recommendations but go directly to our response.

The ministry takes cybersecurity of its systems very seriously. The safety measures put into place since the RTMC’s opening in 2013 have allowed the RTMC to operate safely and reliably, and we’re established to ensure this continues well into the future.

The ministry has built its system with fail-safe mechanisms to prevent these systems from operating in an unsafe state. The fail-safe system for our lane-control systems prevents conflicting traffic signals on the same lane. These conflict monitors are not connected to the RTMC network, so they cannot be subject to cyberattacks. However, we want to be certain that the RTMC systems remain secure, so we accept all recommendations in order to make our security controls more robust and to further protect our systems from cyberattacks.

All organizations operating in cyberspace face ever-changing and increasing security threats that are a challenge to maintain a reasonable level of cybersecurity on an ongoing basis. When it comes to cybersecurity, there’s always room for improvement.

With that, the ministry has established server network security and operational technology teams to work on each recommendation. The ministry has already completed some items and is making substantial progress on the rest. For all of our work, the ministry is working in concert with the office of the chief information officer. The ministry will implement all the recommendations by the end of 2019, and the ministry will continue to make additional improvements to its cybersecurity controls and remain vigilant to further protect the RTMC’s systems from potential cyberattacks well into the future.

With regards to recommendation 1, the ministry first conducted a risk assessment and a risk-rating exercise based on the Auditor General’s findings. This helped the ministry prioritize its actions. The ministry will next perform a follow-up risk assessment once all the actions have been completed and will review and update the risk assessment on an annual basis, as per the B.C. government’s risk assessment standards and guidelines, going into the future.

To address recommendation 2, the ministry consolidated and updated its existing inventories of all hardware and software system components in a format that aligns with the Center for Internet Security good practice guide. The ministry also conducted multiple automated scans of the network and is currently reconciling the scan results with its updated inventory to identify and address any unauthorized components.

[11:25 a.m.]

Furthermore, the ministry is maintaining inventories on an ongoing basis and is investigating systems to help with maintaining its inventories. The ministry will be reviewing its inventories on an annual basis.

For recommendation 3, the ministry worked closely with the office of the chief information officer to establish secure baseline configurations for workstations, servers and network devices. Once the configurations were established, the ministry conducted detailed assessments for each of these components in order to determine what upgrade activities were required to ensure that they support and operate correctly using the secure baseline configurations.

The ministry also reviewed the physical security controls at the local operation centres and did an additional hardening, such as additional modifications to the doors and to fences that further restrict access to the control and server rooms.

In addition, the ministry is upgrading and replacing workstations, servers and network devices, as necessary, to implement the secure baseline configurations.

Throughout, the ministry has been working closely with its operational technology and engineering experts to identify all configurable operating technology components — like cameras, weather sensors and traffic sensors — that are on the network, and to establish and implement secure baseline configurations for all of them. The ministry will maintain secure baseline configurations for the RTMC system components, should additional ones be brought onto the system.

For recommendation 4, the ministry worked with staff at the office of the chief information officer and performed vulnerability assessments in May and June of 2017 on all the devices visible from the Internet. The ministry fixed all critical vulnerabilities that were found.

Furthermore, the ministry will perform monthly vulnerability assessments and fix any new vulnerabilities that are discovered. The ministry acquired a vulnerability scanner to perform these scans on internal devices which are not directly connected to the Internet. We’re now working diligently, and we’ve started doing this vulnerability assessment of these internal devices. In addition, the ministry is working with the staff at the office of the chief information officer to conduct external vulnerability scans on a monthly schedule.

To address recommendation 5, the ministry reviewed current administrative account configurations, procedures, users and documentation. Where possible, the ministry established user-specific administrative accounts to replace shared administrative accounts. The ministry also established a formal request, approval and review process for these accounts. Working closely with the OCIO, the ministry has established new user group permissions and policies and is testing them on all components.

The ministry is also conducting assessments of those workstations, server and network components to upgrade or replace, as necessary, and to apply the recommended additional improvements to the controlled use of system administration accounts. The ministry is reviewing operational technology components, like cameras, weather sensors and traffic sensors, to determine if additional administrative account controls can be applied to them.

Finally, the ministry is investigating the implementation of advancing improvements such as multi-factor authentication and the use of dedicated administrative machines.

In closing, on behalf of the Ministry of Transportation and Infrastructure, we would like to thank again the Auditor General and her staff for the recommendations to improve cybersecurity controls at the RTMC. The ministry accepted all of the recommendations in order to make our security controls even more robust and to further protect our systems from a potential cyberattack.

As mentioned, the ministry has completed many actions and is working diligently with its teams to address the remaining portions of the recommendations, with substantial progress already being made. The ministry will implement all recommendations by the end of 2019. The public can be confident that safety will always be the ministry’s top priority, and the RTMC has been operating safely and reliably since its opening in 2013.

The ministry is committed to the ongoing protection of the RTMC systems and will remain vigilant about its cybersecurity controls.

S. Bond (Chair): Thank you very much, Kevin. We appreciate that.

[11:30 a.m.]

Maybe just a comment. We also want to express our gratitude to public servants who have spent 30 years or 25 years and 12 years working for government. It’s really appreciated, on behalf of British Columbians. Having had experience as a minister, I know that you do an amazing job on our behalf. I just think it’s incredible that we have so many people who spend their entire careers with government. It’s awesome.

Adam, you’re up first.

A. Olsen: Thank you, Chair, and thank you to the Auditor and, as well, to the Ministry of Transportation staff for coming today and giving us this report.

This morning has been eye-opening. Reading both of these reports that we’ve had has been quite eye-opening to me just in terms of the range that we’re seeing, frankly, between the PRIME-BC report, which we just discussed, and then the Ministry of Transportation. I think that we can expect all aspects of government to have increasing levels of information technology and doors and windows open to the rest of the world as we change from…. Over the 34 years, as you’ve pointed out, we’ve probably come a long way in changing where we’re at.

I have a couple of questions, first to Mr. Perkins, with respect to just the overall approach to government. I know this is not directed directly at this report, but I think this report has uncovered for me, like I said, the range from us having quite an impervious external perimeter around PRIME-BC to, from this Auditor’s report, some very basic things that we, with our personal devices and personal computers, have been told to do right from the very start in changing the baseline networks and having appropriate virus software. When I saw that, it’s like those are some very basic things.

What, from your perspective, is government doing on a whole level to bring all of what must be dozens of systems that we’ve got in government into compliance and into some level of coordination?

G. Perkins: Well, first, it’s a few more than dozens, I’ll share with you. We do take, in government, security and privacy of systems very, very seriously. We do have a robust set of policies and standards to govern the adequate control of these different systems.

Let me also state in the same breath that no organization globally is immune to attack. As you say, this is a rapidly changing environment, and there are vulnerabilities being identified every day. So this is a continual effort.

Security is not a destination that you reach. It’s a continued effort of investment as well. We, in government, do have a robust set of policies and standards, as I say. Organizations have varying levels of adherence with them, and they’re working to complete them. That’s what’s happening here. There’s an opportunity that’s been identified. There isn’t an organization out there that doesn’t have opportunities for improvement, and it is a very complex area that the ministry, like other ministries, is working to address.

I hope I’ve answered your question.

A. Olsen: If I may continue, I completely agree that this is a journey that we’re going to be continuing to walk forever. It is, actually, that the context with which my questions and my statements are…. How can we ensure that this is a primary feature of what we’re doing to ensure British Columbians’ information is safe but, as well, their commute? In this case, it’s the commute across the bridge or through the tunnel which, should those systems be hacked, put lives at risk. And we want to make sure that we’re….

On one hand, I hear the language taking privacy and security very seriously. That’s good. On the other hand, to have some very baseline configurations not updated or not added is something, to me, which is very, very concerning. I mean, to take a piece of software, upload it onto a computer and just run it like that…. We know that that’s not basic practice, like I said, for our personal devices.

I think that it’s important for British Columbians to understand that that’s not wrapped in the language of taking privacy and security very seriously because those protocols should have been changed. At the very least, the baseline should have been changed to protect it.

[11:35 a.m.]

I just want to put a…. The work we’re doing here is serious work, and it’s also shifting. I respect that, but it needs to have a fine point on it that the statement and the action need to be consistent. And, for me, we need to be aggressively proactive on this right across government. That’s why I’m pointing towards you, but it’s every ministry, every technology person.

This is more of a statement. Is there anything that can be added to that in terms of what we’re doing to ensure that all of government is moving in this direction?

Maybe to the Auditor. I’m having a difficult time with some of what’s missing here. That is, we seem to be running systems that don’t have just the basic level of security on them. Or we were previously.

C. Bellringer: Indeed. We have quite a few audits we’ve done, plan to do. Often we do find problems. I will add that in this particular circumstance, there was definitely a culture of acceptance of the things that we were finding, and it’s a genuine desire to see it improve within the ministry. So we don’t have any concerns at that level.

We’ve made the comment. It’s actually going to expand it even more than what the member has brought forward. We do believe that the OCIO role should expand beyond just government ministries. If there’s a concern around…. Not only are the guidelines in place, and policies and procedures, and so on, but some level of inspection would be something you would add on to that — at a risk level and not everything. But there is that opportunity as well.

It goes well beyond the ministries, and that’s probably 10 percent of the total that’s in the broader public sector. That’s not the role of the OCIO — into the hospitals, the health authorities, the universities, the colleges, the school districts. I mean, you can go on and on. They’re also protecting public assets, and they all have similar risks.

There’s the inspection aspect. There’s education. There’s guidance. There’s pushing that out, getting back some assurance. Those would be the sorts of things, the nature of things, that we would expect to see throughout central government in assisting all of those systems.

A. Olsen: I think the tension that I’m attempting to create here is not directed towards the public service at all. It’s directed towards us in government, the elected. We need to have that tension constantly around us, because every system that we’ve got now….

There was a hard drive that may or may not have been — with school kids’ information from three decades…. It turns out that didn’t happen or that it might not have happened.

These things are going to increasingly become problematic in every aspect of our life. So the tension that I’m creating and what I’m trying to expose is not necessarily a lack of care put out by our public service or through the ministries. It is to put attention around the 87 individuals that are elected to government to — again, the language that I use — create a culture of being aggressively proactive in this so that we are ahead.

That’s what I’m hoping to do here with the questions. We need to make sure that the people of British Columbia can trust that their government is maintaining their data and looking after their security and that we’re not just saying we are but we are taking the actions to do it. It might cost us money, but we need to invest in that.

[11:40 a.m.]

I look at, as an example, technology and transportation changing around. We expect, at some point, self-driving cars. Well, wow. That’s the point that I’m trying to make with these questions.

M. Dean (Deputy Chair): Thank you so much for all of your work in this area. I appreciate that you’re really trying to reassure us with the level of safety and that substantial progress has been made with regard to the recommendations.

I guess what I wanted to ask is…. What you’ve said is you’re going to have all of the recommendations completed by the end of 2019, and we’re just at the start of 2018. For me…. I don’t think it is just because I grew up with terrorism and bombs on the Tube and stuff because I come from England. I think, on behalf of people living in my constituency, they might…. If I tried to explain that to them and said, “Yes, we’ve got this great report, the details are there, the ministry is committed to addressing them, and they’ll be done by the end of 2019,” when, actually, some of those issues could be safety-related, even if it’s the tip of the iceberg, the last percentage of those recommendations that are being worked on….

I’m interested in…. Do you really feel comfortable with that? Or is there a way that the completion of the work, to satisfy the recommendations, could be accelerated or brought forward so that we could actually reassure British Columbians that 100 percent of the recommendations can be implemented and then improved on and reviewed and monitored from an earlier point while people are still out and using transportation?

K. Richter: I’ll just start, and then I’ll turn it over to Caner.

First and foremost, when we did our risk assessment, we looked at the most critical or most vulnerable. Those issues we’ve tackled first. When you also look at the inventory of information at the RTMC, it has information all the way from lane control to picking up temperatures on the pavement or the moisture in the air. The complexity of the different systems is what’s taking so long, but I would like to assure you that all those critical ones, especially around the lane control systems…. Those ones have been addressed, and we also have the fail-safe systems with those.

The other components of the data…. We tackled the most critical ones, the ones that are absolute safety, and then we’re working through and we’re looking at…. So we will tackle that one, the device that picks up weather information, further down the line.

Caner, could you add…?

C. Budakoglu: Thank you, Kevin. Certainly, we prioritize all the actions in response to all the general recommendations and are working on them as quickly as possible. We have looked at what would be the exposure from the Internet, looked at that area as a priority, reviewed our access rules and implemented additional systems to monitor any intrusions into the network. We also reviewed remote access accounts to make sure that there are no unnecessary accounts on the systems. We have done those actions as a priority.

Although our commitment is to complete the actions by 2019, there is actually a gradual completion for each recommendation. For example, we aim to complete recommendation No. 2 by October 2018 or recommendation No. 4 by June 2018. So they are completion dates, but the last completion date is December 2019.

The complexity is basically…. This is an operational environment, and we are taking very careful and diligent steps to ensure that all of our changes are tested carefully before implementation in the production environment — not to impact operations of the environment as well.

S. Bond (Chair): I think that is an important question. I think Mitzi raised one that I certainly have. It’s a long time to the end of 2019. I think the message you’re hearing here is: if there’s a way…. I think prioritizing is very important, and I think we would agree. But at the end of the day, that’s a long time. By the time we get caught up from the gaps that exist, currency will be an issue, and we’ll be starting all over again. I think it has to be ongoing, so I really appreciate Mitzi’s perspective there.

[11:45 a.m.]

B. Ma: First off, thank you so much for your work. I really enjoyed reading this report, in particular, because it gave me insight into a program that the Ministry of Transportation and Infrastructure was operating that I had not had the opportunity to take a look at before.

I think it’s a great program. It’s very exciting to be able to network all of these pieces of our infrastructure together so that you are able to monitor them from a central place and control them to some extent.

I think I’m going to back up MLA Olsen on his previous comments here. I agree with his comments. When I was reading the reports and recognizing that absolutely, cybersecurity is something that is ongoing…. There is no organization in the world that will not have opportunities for improvement, like you’ve said. But when I was reading the report, many of the recommendations made seemed very basic expectations of a network of IT assets that are designed to function through a centrally controlled system.

Part of my background was that I worked in a consulting firm that actually managed implementation of IT programs. For instance, the UBC Faculty of Medicine’s distributed medical program was quite a large-scale IT program implementation project. Asset tagging and management of what cameras were where and software versions and passwords and access control levels were all items that were set up ahead of implementation. It was very clear to everyone working on the project that that was a very basic, baseline expectation.

Now, recognizing that we didn’t have that with this project, and now we are implementing them, I guess I am wondering where that knowledge gap came from. Are we short on IT expertise? Is it funding? Is it because the program is very new? I’m looking for, I guess, assurances that future projects will already have this in place. I’m not sure whether the OCIO has a role to play in this. What was the original gap? How do we ensure that in the future, that gap doesn’t exist — in future projects?

K. Richter: I would ask Caner.

C. Budakoglu: Thank you, Member, for the question. I’d like to address that question.

Our ministry’s technologies, which are considered general operational technologies, were deployed as stand-alone technologies in the past. They would be deployed. They wouldn’t be connected to the Internet or anywhere else. Data would be retrieved locally from the devices.

Before RTMC, these systems on our bridges and tunnels used to be managed locally as well. Again, there wasn’t a need to connect these environments to the Internet as well. So there is a trend in the industry where operational technology that is deployed by the engineers and IT technology deployed by the IT departments are converging together. Really, RTMC’s operation basically made that switch into that connectivity, as well as…. This is not just the situation that’s seen in the Ministry of Transportation. It is seen across other sectors as well — oil and gas, other transportation entities, hydro type of entities — where they have these large operational technology deployments within their environments. But that is converging into the IT.

As a result, there’s a need for both engineering teams and IT teams working together to implement the best practices into IT and ensuring protection of the systems. This audit really opened our eyes to that perspective and provided an opportunity to address that convergence.

[11:50 a.m.]

B. Ma: What I’m hearing is that because the assets and the programs were originally rolled out as localized programs and then, later on, networked, it was that jump. It was almost…. Sorry. I’m not explaining myself very well.

That does seem to help me understand where we’ve got here. Certainly, if they were simply localized, locally managed little mini-systems, then consistency across the board was less important at the time of rollout. I guess this is more of a learning experience for us — that when we start networking things together, we now have to go all the way back to the beginning and basically clean things up.

That’s what I’m hearing. Is that…?

C. Budakoglu: That’s correct. The ministry is already reviewing all the projects — part of their capital program board. Now our CIO sits at that board to make sure that all the projects with an IT component receive the proper attention from our IT and security perspective as well.

S. Bond (Chair): The Auditor General wanted to make a comment.

C. Bellringer: It’s just on the related matter of the topic itself. We had actually started out identifying that we wanted to do an audit of…. It’s called SCADA. I’m not sure what the acronym stands for, but it’s an industrial control system. We said: “We’d like to look at industrial control systems and the basic controls within B.C.” So we knew that Hydro has…. It’s a large part of the Hydro operation, so we identified that. We said: “Let’s do another one.” We decided to do RTMC.

It ended up that we’re still working…. Or we’ve only, actually, just started the Hydro audit. It is on our plan, and we are going to be working on that this year.

This one, however, was completed, so we’ve issued it separately. So we recognize that that integration issue is a big part of an industrial control system.

S. Bond (Chair): Thank you.

Bowinn, did you have any further comments?

B. Ma: No, that’s great. Thank you.

S. Bond (Chair): Anyone else? Other MLAs?

R. Sultan: I think MOTI has given us a glimpse of the future. I would suggest that as many of you as is feasible should somehow request a tour of the facility at the west end of the Port Mann Bridge. To me, it was jaw-dropping. The capability here was beyond my own technical imagination in terms of tracking the velocity of individual vehicles at these critical corridors. I didn’t know we had that capability. They’re doing it in real time. So it’s quite amazing.

I guess the risk, in a sense, is that you say: “Wow, I didn’t know we could do that.” Well, you kind of forget about all of the issues Adam has raised and so on and sort of say: “Well, we’ll get around to those some day.” It’s just quite amazing, what you’ve been able to do.

I just wanted to commend MOTI for having a very advanced system, it seems to me. I’m not familiar with what other metropolitan areas around the world do, but I suspect we’re very much in a leadership position here. I’m curious how we rank, however.

Adam raises two very important issues. One is privacy and personal risks. That’s probably something that isn’t necessarily paramount to operators who are primarily interested in keeping the vehicles moving. And secondly, the sabotage of the system itself and the cybersecurity aspect, which are the subject of the audit.

Adam, again, has hinted that as we look forward to automated vehicles and, what I would suspect, will be an interaction with what Ms. MacPhail and Allan Seckel will bring forward in terms of their commission’s work shortly…. I think the whole system of traffic management is due for a huge transformation. It will be very computerized, it seems to me, very likely.

[11:55 a.m.]

As we speculate about the future — and the future may be imminent, really, just in a few years; we’re not talking the 22nd century here — is MOTI…? Considering all of the risks that Adam and others raised, both in terms of privacy, sabotage — endless speculation of all the things that can go wrong, not the least of which is public acceptance — has MOTI been brainstorming this stuff? Or do you just sort of say: “Hey, let’s put this box in. It does great things. Isn’t that wonderful? We’ll worry about what the add-on next year might be depending on budgets.” It seems to me that some longer-term plan, imagination and creativity is appropriate here.

K. Richter: Absolutely. We certainly are thinking for the future. That’s why we have Ed. He gets involved with organizations across Canada and is interfacing with folks in the United States on what that next generation of transportation is and what it looks like.

Ed, can you comment on some of the working groups that you’re on and where they’re going?

E. Miska: Certainly. B.C. participates…. There’s a federal-provincial-territorial task force looking at automated and connected vehicles. That reports up through the Council of Deputy Ministers to the Council of Ministers. We’re participating in that task force, so we’re aligning with our provincial and Transport Canada colleagues as that work progresses.

We’re also participating…. The Transportation Association of Canada has a connected and automated vehicle task force, which was recently established, so we’re on that. We’re also in line with Intelligent Transportation Systems Society of Canada and the work that’s going on there. As well, we have staff, as does ICBC, on the Canadian Council of Motor Transport Administrators, who are also looking at this from a policy and rule-making framework.

There are many connections into this field, right now, both at the technical and policy levels, so we’re staying on top of that to make sure that B.C. is at the table, and we can have our voice heard and make sure that we’re moving forward in alignment with the rest of the provinces and Canada as a whole.

R. Sultan: Do issues such as Adam raises…? Personal privacy. If we’re going to start tracking — indeed, we already are, I suppose — the movement of individual vehicles…. It’s not that hard, with the scanners we developed, on the Port Mann — except, I guess, they’ve been deactivated — to figure out who’s in the car. Are these issues on the table for discussion? Because at some point, we risk a great public backlash.

E. Miska: They are. The information that we gather is not personal information. While technology exists to actually track the individual vehicle, what the Ministry of Transportation is doing…. We’re not doing that. We’re looking at aggregate numbers for traffic management statistics. As well, our webcam images…. We’ve lowered the resolution of those so we can tell what type of vehicle it is, but you actually can’t make out the individuals inside, who’s driving. You can’t identify them.

We’ve been very diligent in terms of making sure we go through the privacy impact assessments to make sure that we’re doing the right things. That’s all checked by the experts in those areas.

R. Sultan: But the mind boggles at the cybersecurity risks. If the total vehicle system of the Lower Mainland is being monitored and, to some degree, directed by software somewhere, the potential for mischief is vast.

E. Miska: Yes. To that point, those systems provide advice, but we still have trained operators watching those monitors, so there’s that human element that’s checking to make sure that whatever data, feedback and recommendations are coming from the system, that is an appropriate action. If something arises that is inappropriate, then that would be flagged by the operator and not allowed to happen.

S. Bond (Chair): Thank you, Ralph.

Anyone else? Okay. I have a couple of questions.

Sorry. Why don’t I let John go first, and then, as Chair, I’ll go last.

[12:00 p.m.]

J. Yap: Just to follow up on this very interesting back-and-forth on technology and how it’s transforming transportation. We hear about — it’s quite commonplace now — applications like Google Maps, for example, where, because of the extent to which people have these devices, they’re able to provide real-time information. You actually can track, on Google Maps — through the magic of GPS and cell phones pinging their locations, I suppose — where the traffic flows are and the best route if you’re wanting to travel somewhere.

Is there a chance there will be a convergence? Have you looked at…? Google has all this information, which presumably has some level of security, and the phone companies have a lot of information about people’s travelling habits, practices. In government, you folks with your system…. At some level, it’s tracking what is happening.

In your deliberations and your planning, are we moving toward a world where there will be a sort of convergence, where you would be able to tap into and find out transportation flows based on all of this information? As Adam has said, this has implications for privacy going forward. Is that something that one of these working groups is looking at? Is it on their list of things to consider?

K. Richter: Perhaps you could answer that.

C. Budakoglu: Our ministry’s goal is to move people and goods safely on our provincial highways. We use technology to achieve that objective. That objective doesn’t require us to collect personal information. In the ministry initiatives, we do privacy impact assessments to ensure that there is no personal information collected.

For example, one of the systems that we utilize to measure the traffic congestion, as I remember you mentioned, is collecting the Bluetooth MAC identifier as the vehicles pass through on our roads. We collect the whole identifier, but we strip the portion that can be tied to the specific device so that we anonymize the identifier. We process based on that information, calculate when the vehicle passed from point A to point B, and estimate how long it takes to pass through that stretch of the road.

We utilize the available information from other sources, such as Google Maps — a layer that shows the traffic congestion. Our operators utilize that information as well. That’s one of the reasons why we cannot disable access to the Internet as well. They have to be able to access that information.

Our ministry’s purpose, in terms of systems, really is to ensure that reliability, availability and integrity of our systems are there. We don’t necessarily collect lots of information that requires us to protect it and keep it confidential. Most of the information we collect…. For example, our cameras. We collect and process the images, resize them and push them out to Drive B.C. You yourself, by going to DriveBC.ca, see those images.

Some of our cameras are internal, which our operators look at in monitoring construction sites, etc. But other cameras that are monitoring highways are also available for public view as well. Similarly, those travel times, advisory systems, etc., are also available.

Lane control is a type of system that can be seen as a critical system. We ensure that that system is closely watched and guarded and protected.

[12:05 p.m.]

For lane control systems, from the public safety perspective, we have additional controls built in by the engineering standards which are deployed on the field, completely separate from the network, soldered on the connectors to detect any kind of conflicts that may be issued.

J. Yap: I’m hearing that you’re taking these steps to preserve privacy by severing the identifying information. Is that something that’s required under the information privacy legislation, or is this the best practice that you’re adopting?

C. Budakoglu: Certainly, it is a combination of both — privacy, best practices. Organizations are only required to collect what they need to accomplish for their purposes. You know, if you need to collect only a vehicle passing from point A to point B, we don’t need to collect who is in that vehicle and how many people are travelling in that vehicle — that type of information.

J. Yap: Thank you.

S. Bond (Chair): Okay. I wanted to ask about…. I understand that prior to when the move to use technology was made, there were actually manual operators that actually did the lane changing and all of those things. Is part of the challenge that — the move to a technological approach — the culture was based on manual inputs, and perhaps when the transition was made…?

As Adam and others have pointed out, we’re starting at a pretty basic level when it comes to cybersecurity. Was part of that the transition from the manual process to an acceleration to get to where we’re using technology? Was there a gap in sorting out what those issues were based on, moving from a person on site doing it to the technological approach?

K. Richter: Yes, the transition from when, at each of the locations, we had staff in those locations that would activate the signals. Then as we shifted over, we were then in that transition period of moving forward and integrating, as Caner said — moving from the operational side to then recognizing that the IT side needs to work together with the operational activities.

S. Bond (Chair): So a pretty major shift in the culture of the organization when you’re moving from a manual process to one that’s highly technological. Not making excuses for the gaps that exist, but I think when you look at the history of what happened through the report that was presented, it was a pretty dramatic shift in terms of how the ministry made those decisions.

I was interested that the audit or the look at standards was a U.S.-based company for cybersecurity. Is that kind of the benchmark that was used? I think it was measured against U.S. cybersecurity standards. Is that the standard that we are looking at? Are the experts in the field in the United States, and that’s what’s used? Or how was that determined — that it was a U.S.-based company, the standards that were considered?

A. Chiang: Many of the standards that we used are from the U.S. The reason why this one was particularly selected was it’s easy to understand. It’s easy that they were…. Globally, they’re accepted worldwide. The way that they structure the standards is they basically identify, like, top-20 key controls in terms of addressing the cybersecurity risk.

We only focused on the foundational ones. The reason was because it’s kind of the fundamentals of controls addressing the cybersecurity risk. Yet from their research, not our research but from the best-practices research, those particular controls address…. If an organization adopted those controls, you’re addressing — let’s take a number, like, 80 percent — a vast majority of the risk. That’s why we focused on that particular one.

S. Bond (Chair): I’m going to come back to that in just a minute with my thoughts that are related to things that both Bowinn and Adam have shared.

[12:10 p.m.]

Administrative privileges was a critical recommendation in the audit. I’m wondering how you’ve managed who uses the system now and how that was determined, because access and administrative privileges was one of the key recommendations. How has the ministry determined who uses the system, are there now controls, and are you looking at who gets access in a much more strategic way?

C. Budakoglu: Thank you for the question, Madam Chair.

For our administrative privileges, basically, the environment is supported by a combination of internal staff and third-party contractors through our ministry. As well, we just on-boarded our cross-government shared-services and managed-services providers into this environment, and they all have played various administrative roles in the section that they are responsible for.

We basically look at the old, existing administrative accounts, review them and make sure that there are no redundant or unnecessary accounts on the systems. We also went through the exercise of issuing individual accounts for each administrator that is assigned, authorized and approved to work on the systems.

S. Bond (Chair): Would you consider that recommendation, other than ongoing monitoring, as having been addressed?

C. Budakoglu: Not yet, Madam Chair, because that recommendation has a tie to a number of detailed items in our detailed report, and there are some of the advanced items we also need to work on. As well, some of the equipment that we have in place has limitations. For example, they are unable to support more than five administrative accounts. So we are looking at replacing those technologies that enable connectivity to those field devices, and that will be part of the progress as well — that action underway.

S. Bond (Chair): The audit was not intended, not designed, to look at effectiveness of the controls. But we know that ever-increasing congestion and management of traffic flow is pretty critical. So once we get past the cybersecurity issues and making sure the system controls are in place, is there a look at how they work, the effectiveness? Is there an ongoing process here, in terms of being current and dealing with some of the modern traffic issues that we’re going to face, much less the ones that we can’t even imagine — automated vehicles, those kinds of things?

This was about getting the controls in place. It wasn’t about effectiveness. Is there a plan to look at effectiveness?

K. Richter: Yes. We’re continuing…. As Ed said, we’re working with the information technology systems to see what further tools we have in the toolbox that can help us become more efficient or, with our existing systems, how we could upgrade them or modify them to assist in making sure that we can be more efficient in managing the traffic systems.

S. Bond (Chair): Thanks, Kevin.

I guess, just sort of in thinking about the comments that have been raised, started by Adam and working their way through a variety of people…. I’m sure that Gary didn’t intend to be the centre of attention here today, but perhaps it’s fate, because we have had two reports back to back that have dealt with the issue of cybersecurity. Maybe, if they’d been spread further apart, we wouldn’t feel the kind of energy we do around this.

I guess I ask a provocative question to Gary, on behalf of the ministry. Should it require an audit by the Auditor General for us to uncover vulnerabilities in our systems? I think that the Auditor General and her team have provided us with important information, but this is a big system. There are a lot of users. Even the fact that this particular report, for example, used U.S.-based security standards…. I don’t know how your office looks at those standards. Is that something that’s applied more generically across government?

[12:15 p.m.]

I think these two reports, taken together, do reflect the need, or for us, at least at this table and elsewhere, to better understand what the overarching plan is in terms of cybersecurity for us in individual ministries and organizations. One of the things I appreciated that the Auditor General said was that this ministry demonstrated a culture of — I wrote it down — “acceptance and recognition” in terms of the recommendations that have been provided. But there are a lot of ministries. There are a lot of skill sets in a variety of places.

Are there overarching monitoring standards? How do we look at all those other ones that the Auditor General isn’t looking at? We’ve looked at two today, but what about the ones that aren’t getting an audit by the Auditor General? Who takes care of the vulnerabilities and gaps in those ministries?

G. Perkins: Excellent question and very timely. Thank you.

Fortunately, we do have our friends at the Auditor General assisting us with identifying the opportunities for improvement. This is far from the last cybersecurity audit that you’ll see, with several already underway. The reason it is very timely is we do an annual information security review each year, with the exception of one year where we provided an opportunity for ministries to actually catch up and implement some of the things rather than just simply report on it.

We are in the process of changing the assessment criteria to actually fall in line with the NIST criteria that were used — previously we used another very recognized standard also out of the States — and globally with ISO. But we feel that the NIST is probably the best one to go with moving forward. There is a lot of investment in it. It’s a fantastic one.

The real challenge that you’re drawing a light to is the difficulty with maintaining investments and attention on what we would call, in the industry, hygiene- and compliance-level controls. Certainly some of the things that you have honed in on are expected to be in place for each one of these systems. That annual information security review helps us understand which ministries are focusing on this more than others.

This is one of the reasons why we launched, because we recognize this problem — and thank you for your comments that our role should extend beyond just simply core government and in the public sector — things like our publication, Defensible Security for Public Sector Organizations, which we launched last year.

It is specifically with the intention of making it okay for organizations to come forward and say they are struggling with some of these areas — it is not a simple area to address — and to beacon that we are going to be taking an increased role with administering this within the public sector.

We do pay attention to this annually, and it is not simply a reporting process. We work with organizations to build a plan to address them and help them identify areas to focus on, because not all of these areas are treated equally. There are some of these fundamental areas that you must address first before cresting into the risk-based ones.

I hope that I’ve addressed your questions. One more point I will add is we’ve taken steps, as you would have heard in other Public Accounts Committees, to address the ongoing vulnerabilities. This is an area that is a continuing challenge, with vulnerabilities being identified regularly.

We have a proactive program in place to identify vulnerabilities that are accessible from the Internet and address them before the bad guys find them. That’s the intent of that program, with our vulnerability management program. This is a best practice. We can be safe to assume that this program hasn’t been…. We haven’t found any accessible external vulnerabilities that would be exploited.

Another really important thing to recall from the ministry’s testimony is that there are fail-safes in place to prevent that. But I will also suggest — as some of the folks here have mentioned — that going forward in the future we want to ensure that these fail-safes and similar controls continue to be in place, to make sure folks are safe.

S. Bond (Chair): Well, you’re hearing clearly that, by virtue of the fact we happen to have two in a row and the fact that there are going to be more audits…. I think it’s just so critical that British Columbians and legislators actually understand what that overarching plan is for ministries and organizations. It shouldn’t be a “one-of” — that suddenly we see massive mitigation and gap-closing because the Auditor General brings a particular ministry here.

[12:20 p.m.]

It really does need to be an overarching goal. Maybe it’s a place where it’s part of mandate letters or…. I don’t know what it is, but I think there needs to be a sense that there is an overarching strategy and that we’re not going to see ministry after ministry being in front of Public Accounts and the Auditor General’s audit, and then we see the remediation that takes place.

I think perhaps just better awareness of what the strategy is and looking at it from that comprehensive perspective is important. I think you’ve heard it from virtually every member of Public Accounts today.

Thank you for being here. We’re glad that you are. I neglected to mention at the beginning, and I apologize for that, the fact that you were here as part of the discussion. But when an audit comes through, I think we have a responsibility, too, to look not just at how it applies directly to the Ministry of Transportation, who are responding well and working hard at it, but at how that is extended to other circumstances so we’re not simply catching up every time there’s an audit.

Any other comments before we excuse our guests?

D. Fritz: If I could add to your comments. In the last six years at the Ministry of Transportation, privacy and security actually have risen to the top, and we’ve resourced it. We are adding new qualified people, we’re spending money on sorting things out, and we’re preparing for emerging technologies. So we definitely are taking it seriously in our organization, and our executive is fully on board with that.

S. Bond (Chair): Thank you for those comments. I think your presentation today reflected that you’ve taken the recommendations seriously, and I think our point is simply: “Well done. Let’s keep moving and try to speed it up a tiny bit. And by the way, how’s everyone else doing?” We don’t want to see the Auditor General’s schedule of audits be related to cybersecurity from now until we’ve hit every ministry and every organization. Let’s learn from what’s been presented here today. It would be great to hear more about the work of your office.

A. Olsen: If I may, just to add that this is going to actually require a complete culture change within all of government, even to the point, in fact, where the Auditor General may not be playing this role in the future but perhaps an office of cybersecurity audits. As was pointed out, maybe it’s the Office of the Information Commissioner. But the fact of the matter is that every aspect of government now has some aspect of software, or it’s been computerized in some way.

Not to downplay the great work that the Auditor General does, but to the point that it is so expansive and that the office could probably have a whole department just combing through and making sure — again, not in order to expose or embarrass anybody but in order to keep British Columbians safe and secure.

S. Bond (Chair): I agree.

M. Sydor: Thank you for those comments. I’d just like to add to that. I share your interest in cybersecurity. These audits that we’ve done have pointed out the fact that there are issues that need to be addressed. Earlier, it was discussed that it seems to be that cybersecurity hacking is becoming more and more prevalent, and clearly, government systems need to be protected.

Within our area, I’ve talked with Cornell a number of times about the need to establish a group focusing on cybersecurity issues within our IT area. It’s a very specialized area. It requires a lot of training and experience. In fact, two of our staff, before we started this audit, even though they already have a lot of technical IT experience, spent the week in Idaho at a Homeland Security hands-on course, doing both attacks and preventing attacks on cybersecurity systems.

We’re trying to build up our expertise within the office, and I certainly see there are a lot of other opportunities. As was indicated earlier, there are a number of government organizations outside of central government that have systems that we can certainly have a look at. I think it will probably be some years before there is a separate cybersecurity audit unit, if there is, and during that time, I think we’ll still be in there.

[12:25 p.m.]

As you indicated earlier on, I think you said MLAs need to be aggressively proactive. I feel the same way about our office in the cybersecurity area. We need to be proactive. I’m sure Cornell and I will have further discussions about the need for a cybersecurity unit within our IT area, and we’ll bring Carol into it.

S. Bond (Chair): Well, thank you for those comments.

Thank you to Kevin and your team for being here today and, obviously, the Auditor and her staff. We appreciate the fact that this audit actually gave us the opportunity to look at some of the broader issues. We’re happy to have taken your report and used it for a much more wide-ranging discussion than we might normally have had. I think it’s been really important, and I think the two reports back to back were probably helpful in identifying that. Thank you to the public servants that presented today. We very much appreciate it.

With that, I think we’re going to take a bit of a break. We’re going to take a lunch break, and I think we are going to leave the start time the same because staff are coming back….

Interjection.

S. Bond (Chair): We’re going to try to expedite the start of the meeting, the next section, if we can. We’ll certainly let you know. We will hope to reconvene at 1:30, if you can keep yourself available for that. We’ll try to track down the other presenters.

Thank you, again, for a really good discussion.

The committee recessed from 12:26 p.m. to 1:35 p.m.

[S. Bond in the chair.]

S. Bond (Chair): Good afternoon. I appreciate everyone being here and adjusting their schedule. We thought that in the interest of saving some time at the end of the day that we could move the agenda ahead slightly.

I once again want to welcome the Auditor General and her team. We also have staff here on behalf of the Ministry of Municipal Affairs and Housing, and I believe the Ministry of Attorney General is also represented here — those two ministries. As is our practice, we’ll start with some opening comments from the Auditor General, and then we’ll have her team walk through the PowerPoint that will review the audit for us.

Auditor General, it’s over to you.

An Audit of Community Gaming Grants

C. Bellringer: Good afternoon, everyone. We’re pleased this afternoon to present our report on the community gaming grant program. With me from the office is Laurie Selwood, the director who led the audit, and Ken Pomeroy, a senior audit associate who was a member of the audit team.

The Deputy Auditor General, Russ Jones, was the lead on this one. He’s actually home recovering from some surgery. If you’re listening in, Russ, all the best from us here for a rapid recovery.

The community gaming grant program touches communities throughout British Columbia. Each year this program distributes almost $135 million to a diverse group of non-profits across the province to run programs to benefit their communities. This is a significant amount of annual government spending that’s also important to the viability of many non-profits, who, in some cases, rely quite heavily on this funding and wouldn’t be able to provide programs without it.

To ensure these grants provide value for public money and that grants are awarded in a fair and open manner, it’s crucial that government effectively manage the program. Our audit looked at whether government has a suitable framework in place to administer the community gaming grant program. We completed this audit just over a year ago. Even at that time, we saw that government was already taking steps to improve the program.

I’d also like to note that the community gaming grant program is now the responsibility of the Ministry of Municipal Affairs and Housing. At the time of our audit, the program was jointly administered by the Ministry of Community, Sport and Cultural Development and the Ministry of Finance. The presentation will talk about the ministries involved in the program at the time of our audit — but just to be aware of those changes.

I’ll now turn it over to Laurie to go through the details of the audit with you.

L. Selwood: Good afternoon. The community gaming grant program is one of the largest grant programs in the province. In each of the last five years, it has awarded nearly $135 million in gaming revenue to about 5,000 non-profit organizations to support programs that benefit communities. That’s over $1 billion that the government has given out over the last ten years.

Our audit looked at whether the Ministry of Community, Sport and Cultural Development and the Ministry of Finance have a suitable framework in place to manage the program.

We expected: (1) that the program had been designed to be transparent and accountable; (2) that appropriate policies and procedures would be in place to ensure grants are awarded in a fair, consistent and transparent manner; (3) that appropriate processes were in place to ensure that funds were being used for the intended purpose; and (4) that the program’s results were being evaluated and reported in a timely way.

We concluded the government’s framework for administering the program is suitable but that improvements are needed in some key areas. First, we found that government should expand the way it measures and reports the program’s success. Government already provides detailed information on how it distributes the $135 million to non-profits, but more robust performance monitoring and reporting would provide both government and program stakeholders with better information about the operations and the impacts of the program.

[1:40 p.m.]

We also found that the program’s guidelines should be updated and clarified to better communicate the eligibility requirements to both applicants and grant analysts. Both would benefit from having clear and more consistent information about what’s required in an application.

Government also needs stronger policies and procedures to better ensure its funding decisions are consistent and well documented. There are few formal policies and procedures to guide the assessment of applications beyond the program’s guidelines. This creates a risk that analysts might not follow the same process to assess each application, that not all eligibility criteria are assessed or that guidance on how to apply the criteria may be lacking.

We also found room for improvement in how special one-time grants are awarded and the reconsiderations of original decisions. Under the reconsideration process, applicants can apply for a review of the original funding decision. Applicants can also apply for a special one-time grant, if they’re ineligible for a regular grant or in extenuating circumstances like an emergency.

In some of the cases we reviewed, we found that the documentation was not adequate to justify the reconsideration or the awarding of a special one-time grant. At the time of our audit, government was aware of the need to improve these two processes and was taking steps to do so.

Government can also do more to keep tabs on how the grant money is spent. Grant recipients must follow clear reporting requirements, but we saw cases where grants were given even though the recipients hadn’t submitted their report on how the prior-year grants were used.

Finally, we recommend that it’s time for government to reassess whether the program design still makes sense. Government hasn’t stepped back to look at the program since 2011, and there are questions to be answered. First, only six sectors are currently eligible. Should others be funded? Second, is $135 million still the right amount of funding? Third, is the funding model still appropriate? Is there a better way to get this money to non-profits?

Improvements to the program were already underway at the time of our audit. For instance, after our field work, government transferred the program administration to the Ministry of Community, Sport and Cultural Development to increase efficiency and effectiveness.

That concludes our presentation.

S. Bond (Chair): Thank you very much. We appreciate that.

We’ll just take a moment so that we can shift to the ministry response. I think we’re ready to go. You can begin your presentation. Maybe just introduce your staff to us.

K. Volk: Good afternoon, everyone. My name is Kevin Volk. I’m the assistant deputy minister of community and legislative services for the Ministry of Municipal Affairs and Housing. I’d like to introduce Joanna White, who is the executive director of the community gaming grants program with our ministry, as well as Anna Fitzgerald and John Mazure. John Mazure is the ADM, gaming policy and enforcement, and Anna is the executive director of the compliance division with the Ministry of Attorney General.

[1:45 p.m.]

I’d like to send regrets from our deputy, Jacquie Dawes. She’s currently on holidays, but she does send her greetings.

We’re here today to provide an update on the community gaming grants program and the progress that has been made in addressing the recommendations made by the Office of the Auditor General. To begin, I would like to thank the office’s staff for their presentation and for their constructive and professional review of our program.

I’d first like to provide an update on the changes to the ministerial accountabilities since the audit was conducted. In April 2016, the community gaming grants program was consolidated within the former Ministry of Community, Sport and Cultural Development. This was noted in the OAG report.

Since the publication of the report in December 2016, and following the 2017 provincial election, the program is now within the Ministry of Municipal Affairs and Housing. Certain support services, including the gaming on-line system administration and audit, continue to be provided by the gaming policy and enforcement branch, which is now part of the Ministry of Attorney General.

As Laurie mentioned, the fundamental conclusion of the audit of the community gaming grants program was that a suitable framework is in place to administer the program. Ten recommendations were made. Nine were specific to the former CSCD, now the Ministry of Municipal Affairs and Housing, and one was a joint accountability between our ministry and the gaming policy and enforcement branch, which is now part of the Ministry of Attorney General.

Actions to address seven of the recommendations are now considered, in our view, to have been implemented. Actions to address the remaining three recommendations are in progress.

Just some context on the program. As noted in the audit, many not-for-profits accessing funding through the community gaming grants program rely on funding to deliver their community programming. Given the depth and impact of this funding on community organizations, the implementation of actions to address the audit recommendations had to be managed very carefully to avoid major impacts to program funding in the not-for-profit sector, who operate on a year-to-year basis. For this reason, ministry actions over the last two years have been deliberately managed to facilitate improvements on a phased basis.

This phased approach began with first securing the appropriate resources that would provide us with the capacity to deliver on our program commitments, improve customer service and enable the branch to begin working on operational policy and compliance improvements.

The second phase required a focus on improving our operational policies, compliance with reporting and eligibility requirements. This work provided us with the ability to establish baseline data on the organizations that are currently eligible for funding. We believe that this baseline information was necessary before consideration could be given to the broader policy questions relating to the funding model, funding sectors and overall level of provincial investment.

The third phase, which is just being initiated right now, will be a strategic review of the program and development of appropriate performance measures. Work on this phase is now underway.

In terms of progress in the program since December 2016, when the audit was released, the ministry has made significant progress in terms of implementing program improvements, which we believe has resulted in an improved experience for our not-for-profit partners and an optimization of government resources.

Some of the key successes to date. Our staffing levels are now aligned with our customer service commitments. We received temporary funding from contingencies in the summer of 2016 for that, and it was formalized in a budget adjustment in the 2017 budget. The 2017 budget also included a new $5 million capital project program that was initiated, in part, in response to stakeholder feedback from agencies like UBCM, chambers and the B.C. Association for Charitable Gaming.

We’ve improved our program guidelines. They were first released in December 2016, with a second edition in December 2017. The initial improvements were for clarity. Subsequent improvements used the policy cycle to analyze and implement critical changes such as calculations for deferred revenue.

We also now have a formalized and dedicated community outreach function. We’ve so far managed to reach out and do 22 presentations to over 1,300 people representing 800 organizations in 2017 alone.

This work that has been done has also resulted in a reduced number of reconsideration requests from applicants. We’ve seen a reduction in appeals from agencies that either did not receive any money or did not receive the money they anticipated — a reduction from 445 appeals in 2014-15 down to only 157 appeals in 2016-17.

[1:50 p.m.]

At the same time, when these appeals are reviewed by our staff…. Back in 2014-15, over 76 percent of the time, the staff agreed with the person making the appeal. That has now changed to a point where only 29 percent of these appeals are being supported. While the number of reconsideration requests has gone down, the percentage of these recommendations on reconsideration has also gone up.

Although not explicitly included in the ten recommendations, the Office of the Auditor General did refer to the need to create separation between funding decisions and program assistance. This has been managed in part through the development of a formal community outreach function within the branch.

Since the creation of the dedicated function, the ministry has delivered 22 presentations to 1,300 people in 2017 alone. The presentation material has been formalized and is available on line. The community outreach manager has also worked with key stakeholders, such as the B.C. Association for Charitable Gaming and the B.C. Association of Aboriginal Friendship Centres, to ensure that a single and consistent source of material is used to assist organizations applying for grants.

A collaboration agreement was signed with the B.C. Association for Charitable Gaming in September 2016, and regular meetings occur between the board and the ministry leadership to maintain the relationship and provide an avenue for feedback.

We believe that community outreach is a critical function in our ability to assist long-term funding recipients in their transition to full compliance with program guidelines, eligibility and conditions.

The OAG made ten recommendations. For the purposes of the way we’ve been evaluating them, we’ve broken them into three functional groups. Madam Chair, with your permission, I’d like to propose that we review the recommendations in that order.

Phase 1 was to address resources. In 2016, the ministry was able to complete a comprehensive assessment of the required human resources. The work was led by the Public Service Agency to provide an independent assessment. Based on the adjusted staffing levels, we accessed contingency funding in 2016.

In 2017, the provincial budget provided funding to sustain the staffing levels recommended by the PSA. The branch has also concluded a review of procedures and developed and implemented a training plan for new staff.

In terms of systems, the branch assessed the capacity of the gaming on-line service and determined that although the service could be improved, it is providing the necessary services and is essential to the ability of the branch to continue to deliver the program with minimal disruptions to clients.

Having said that, questions related to the system will be included in the upcoming client surveys, and the ministry, along with our partners at the gaming policy and enforcement branch, remain committed to continuous improvement, including systems.

Phase 2 of our work is to improve operational policy and compliance. In response to the OAG’s recommendations, the ministry has restructured the program guidelines to highlight the four primary elements of eligibility for a community gaming grant: organizational eligibility; program eligibility; financial eligibility; and program compliance.

All of these elements existed previously, but feedback indicated that people did not understand how decisions were made in the branch. In 2016, the guidelines were reviewed and organized to reflect how assessments are conducted and decisions are made.

Other changes were added to clarify areas of confusion that were flagged in the report as well. For example, there was a mention of provincial standards for financial accountability. We investigated the origins of this criteria and its intended purpose, which was to ensure that organizations are financially viable, and determined that we could not point to specific standards that the public could review and adhere to. Therefore, this was removed, and language explaining the need for financial viability was added.

We also added notes to explain how we conduct calculations in the financial analysis and adjusted the value assigned to volunteer labour so that organizations could assess value in the context of their operations, up to a maximum allocation of $20 per hour. Appendices were also added, including an overview of the considerations for local, regional and provincial organization status, to ensure that reference material for applicants is all in one easily accessible spot on line.

In 2016-17, we also implemented an annual operational policy review cycle. The policy review cycle identifies key timing relating to the potential for policy improvements to the community gaming grants program. With an open intake of ten months, there is a very small window for implementing change in any given year, and we want to be able to target that small window to implement our improvements. Therefore, efforts were undertaken to identify and prioritize operational policy and eligibility criteria that required an in-depth review. This resulted in a focus on a few areas of eligibility in 2017.

[1:55 p.m.]

One example is the method used to calculate operational surplus for the purpose of establishing financial eligibility. The OAG noted that several organizations were funded, despite having an organizational surplus of over 50 percent. We therefore initiated an independent review of these assessment criteria to ensure it is fair and reasonable to establish financial need in any given year. The review resulted in recommendations to improve the surplus calculation that have been implemented for the 2018 grant cycle. The 2017 updates are based on feedback from stakeholders and analysts, in terms of wording and clarification, as well as the outcome of policy projects such as the surplus calculation mentioned above.

With respect to recommendation No. 5, on documentation, the ministry has created a working policies and procedures document in Microsoft OneNote. This is a living policies and procedures manual that is now used daily by analysts to review grant applications. The OneNote system captures operational policy and management direction, processes and procedures, checklists as well as standard paragraphs and language to assist with consistency in communication for common eligibility issues. This was implemented in a format for ongoing discussion and includes regularly scheduled meetings and opportunities for feedback. This enables the analysts who work on the files day to day to provide input relating to policy and procedure on a continuous basis.

In terms of the structure of the group, the addition of a second team lead, who oversees the grant analysts, has enabled the branch to initiate an issues-tracking process and provides greater opportunity for analysts to acquire management direction on more complex files.

The new operational policy cycle provides an opportunity to ensure that policy issues are noted and can be analyzed and addressed in future iterations of program guidelines. The policy cycle also provides opportunities for analysts to be engaged annually in focused working groups to discuss operational policy and any challenges in applying eligibility criteria in practice.

With respect to recommendations 6, 9 and 10, which dealt with compliance in reporting, the ministry has documented the approach for assessing applications through the OneNote policies and procedures manual and the training material. It has provided analysts with a grant assessment sheet that captures all aspects of an application review to ensure consistency. We’ve ensured that steps are taken in every application review to identify non-compliance with the program guidelines. We’ve also created an ability for an organization seeking additional assistance in understanding the eligibility requirements to be referred to our manager of community outreach, who can work directly with those organizations.

We’ve also developed and implemented operational policy relating to non-compliance in reporting. This includes a system of warnings to non-compliant organizations that enable them to transition to compliance. We’ve ensured that all efforts are made to educate and assist organizations in achieving compliance with program eligibility requirements.

Many organizations are sometimes unaware of the issues of historic ineligibility. For example, parent advisory councils generally have a higher level of reporting non-compliance. They’ll get their grant, but then the next year they won’t submit a report as to what the money was spent on. To address this challenge, we implemented a system requiring parent advisory committees to submit their funding summary reports for previous years prior to receiving current-year funding. This was implemented in September 2016.

As part of this work, the branch worked with the B.C. coalition of parent advisory committees to provide detailed information on how to complete reports. As a result, in 2016-17, 96 non-compliance letters were issued out of 1,500 PACs. Seventy-eight of those PACs responded by completing the required reporting. The 18 PACs that did not respond were not eligible for funding but can certainly follow up with the branch if they need more information. To date, in this year’s cycle, 56 letters have been issued. So a reduction over last year.

In addition, the branch performs ongoing tracking and monitoring of issues relating to non-compliance with program requirements, including eligibility requirements, reporting, grant conditions and use of funds. We proactively address known challenges using the new community outreach function.

In collaboration with the GPEB audit team, we’ve developed and implemented a shared risk matrix, process map and procedures document that articulates the actions required to address instances of non-compliance, including inappropriate use of funds. We’ve established a liaison function between the branches that includes meetings on a scheduled recurring basis. We’ve established and implemented regular reporting between branches on audited files, and we presented the 2017 guideline edits for implementation in 2018 to GPEB audit in preparation for the 2018 audits.

[2:00 p.m.]

With respect to recommendation No. 7, reconsiderations, the ministry has evaluated the process used to conduct reconsiderations in 2016. The process existed but was not documented.

Improved correspondence to applicants regarding reconsiderations was initiated in 2016. We’ve also improved the consistency of notation added to our on-line service worksheets. We’ve initiated a tracking system for reconsideration requests to be used for future training analysis and outreach, and we’ve developed a reconsideration checklist that must now be attached to every reconsidered file. This includes the review of the original decision as well as feedback for the original analyst and a record of the decision and rationale.

Phase 3, with respect to recommendations 1 and 2, which were the specific strategic program review evaluation and performance reporting. The community gaming grant program is relatively unique in its approach to providing access to funding based on requests from not-for-profits, rather than directing funding to specific strategic objectives of the government.

Our collective challenge as program administrators and grant recipients — and, ultimately, the Legislature, which approves the budget for the program — is to determine how to evaluate a program whose outcomes, year to year, will be driven by the types of grants the sector is seeking, rather than any predetermined outcomes from government. This is why we believe that the key to a successful and significant review of the program relating to its effectiveness, types of grants, level of funding and funding method requires feedback from the stakeholders it supports.

In preparation for this work, the ministry has implemented an operational policy cycle for continuous program improvement. We’ve initiated preliminary stakeholder consultation. We’ve received feedback from the B.C. Association for Charitable Gaming and the B.C. Association of Aboriginal Friendship Centres regarding funding levels and the appropriateness of the sectors.

We’ve incorporated a new $5 million capital project program in 2017-18. This action was in response to initial stakeholder feedback regarding sectors and the level of funding and the need for renewed funding for capital. We’ve undertaken cross-jurisdictional best-practice research, and we’ve initiated analysis of historic funding trends.

Following the initial research, and in collaboration with other branches of the ministry, we’ve established the need for and initiated a process to develop a client survey to establish baseline data and broad community consultation. The ministry plans to develop and implement a targeted public consultation survey through B.C. Stats in 2018. This survey will be sent to all previous recipients of community gaming grants and other not-for-profits that have not yet applied for grants. The results of the survey will be incorporated into our ongoing policy work.

In consultation with our key stakeholders — including the B.C. Association for Charitable Gaming, the B.C. Association of Aboriginal Friendship Centres and others — we will present options to government for decisions relating to policy considerations, specifically regarding funding levels, sectors, the grant process and the reporting framework. The outcomes of the program review and subsequent implementation of any significant policy changes can also inform the development of an evaluation framework.

With respect to the timeline for this work, the ministry intends to field a survey through B.C. Stats in February-March 2018. Analysis of the results will occur during the summer of 2018, with options for government likely available in fall of 2018. The window for implementing changes in the community gaming grant program is December and January. Therefore, any proposed changes would occur in December 2018–January 2019. If changes are likely to have a wide, sweeping implication for applicant organizations, a transition schedule would need to be developed for implementation with any proposed policy.

With respect to recommendation 8, special one-time grants, the ministry has developed and implemented a special one-time-grant framework and rationale sheet in 2014. This was the first phase of the establishment of policies relating to special one-time grants.

In Budget 2017, we normalized funding for some of the legacy special one-time grants. Budget 2017 included base budget funding in other ministries — primarily the sports branch of Tourism, Arts and Culture — and emergency management B.C. for the grants that were identified in the OAG review as recurring special one-time grants. They are no longer funded through the gaming grant program.

The ministry now plans to develop options relating to special one-time grants that will be built into the policy recommendations for submission to government per recommendations 1 and 2.

In summary, we believe that seven out of the ten recommendations have been fully implemented. We believe that we have established an appropriate system to enable us to produce clear program guidelines on an ongoing basis, with sound mechanisms to facilitate continuous improvement based on feedback from within and outside the program.

[2:05 p.m.]

We also believe that our new approach to documenting and implementing operational policy is leading to improved consistency while providing an opportunity for the not-for-profit sector to work with us to access funding. We believe that our approach to reconsiderations is now consistently applied and well documented in terms of both the decision-making process and the communication to the applicants. We believe that the review of the gaming account system is more consistently applied, and applicants are provided with more information about how to be successful in reporting.

For the final three recommendations, we require public consultation, and we anticipate completing that by the end of fiscal 2018-19. We continue to agree that the program would benefit from broader success measures but feel that this should be developed after public consultation and in alignment with any future policy direction from government.

We intend to address the special one-time grants within any future policy recommendations and, in the interim, have sought to minimize the use of special one-time grants as much as possible. Future potential changes in the reporting process would be considered based on any shifts in program policy in alignment with the direction from government.

With that, I thank you for your time. Thank you for the report. We’re happy to take any questions.

S. Bond (Chair): Thank you very much. We appreciate the very detailed and thoughtful response to the Auditor General’s work, and we certainly agree with you. I’m sure you’ll hear lots of comments about community gaming grants on the ground and what it means, even in new MLAs’ offices.

B. Ma: I have a lot of questions. I’ll go through them. Did you want me to break them up or just kind of…?

S. Bond (Chair): No, I think you should just work through them, and any of us that have…. If you have questions and you have a list like I do — I probably have as many — we’ll just check them off where we have similar ones. But go ahead and work your way through.

B. Ma: All right. Fantastic.

Thank you so much for this presentation. It’s really great to see all the improvements that are happening and that are already underway in the ministry. I have several questions. I hope that they aren’t taken the wrong way, because, of course, it’s not enough that our funding programs are above reproach, but they must be seen to be above reproach. So I have a number of questions around those.

My first question is in regards to strategic vision. I think it was on page…. You had mentioned it as well, but certainly in the report, there were sections of the report that gave me the impression that there was no overall strategy or vision for how we want funds to be spent — no overall goal that we were trying to reach with these funds. I think that you had mentioned that in your report as well.

If you could clarify what the ministry’s position on that is right now and whether or not we are likely to go forward towards more of a strategic vision approach.

K. Volk: The history of the program, when it was initially created, was to be a mechanism for almost…. “Replacing” is probably the wrong word. But prior to the program being in place, there were bingos, casinos and not-for-profits that were raising their own money for funding and then using that funding to provide their programs.

The purpose of the program when it was brought in was to provide a service where gaming grant money would be collected by government and then redistributed out to the not-for-profits. At the time of the program’s creation, that was pretty much the sole intent of the program. You know, it wasn’t to advance any government policy positions. It was a mechanism to redistribute gaming money to communities.

We have maintained that position. It was certainly flagged in the report that success of a program needs to be measured. You need to make sure that funds are appropriately spent and that you’re gaining some sort of objectives out of it. But to date, the view of the ministry has been that this program remains one which reinvests gaming money in communities.

In terms of strategic vision, that’s how we’ve characterized it as well — to efficiently and fairly and transparently be able to redistribute that funding.

B. Ma: Without that strategic vision, then, it does seem like it’s a bit of a first come, first served, or that funds are almost distributed according to the…. I’m sorry. Do you feel like the funds are being distributed a little bit on a first-come, first-served basis?

[2:10 p.m.]

K. Volk: I think it’s fair to say that any eligible organization receives funding. We’ve got intake periods for the different sectors, and we’ve worked hard over the years to get a good understanding of what the likely amounts of funding will be in each sector. We have never not funded an organization which was eligible and got their application in within their application window.

I wouldn’t characterize it as first come, first served. Whether you get it on the first day of the window or the last day of the window, if you are eligible, you should receive the same amount of money.

B. Ma: So there’s no risk of the funds running out early because you came in on the last day of the application process rather than the first.

K. Volk: We watch that very closely. It has never happened.

B. Ma: I’m wondering also about your…. I believe on page 26, one of the recommendations or part of the Auditor General’s report identified that there seemed to be some ambiguity in regards to whether or not an organization is applying for a regional- or a provincial-level grant, versus, I guess, the regular-level grant. It also mentioned that the ministry is considering or that you’re perhaps going through efforts to define those terms. Have you reached a definition that you’re able to share with the committee today?

J. White: We did add, in the first iteration of the revised guidelines, in December 2016, an appendix to the guidelines that speaks to how the branch assesses the local/regional/provincial. I wouldn’t call it a definition, because it’s largely based on the size and scope of the operation that’s presented to us in the program. There may be an organization that clearly has a provincial reach but doesn’t have an overall program budget that would require it to be funded beyond the $100,000 local maximum.

Those are maximums, and the funding is awarded based on the requirement that’s presented to us in the program, in the application. We have provided additional clarification on how we make that determination, but to give it really strict definitions is challenging.

B. Ma: Can you share those clarifications with the committee today?

J. White: Yes, it’s in the guidelines. It’s the first appendix. It’s kind of a full page. I can just read it out, if that’s helpful.

B. Ma: Maybe some key highlights.

J. White: Just key bullets? Essentially, we’re looking at things like the number of people that access the services. We’d be looking at the geographic reach of the program. We may be looking at whether we see alternate service providers within the same geographic jurisdiction. We may look at whether those organizations would recognize the specific organization as a regional or provincial service provider.

This is typically looked at from the public safety sector, but we may look at where that organization delivers services outside of its typical geographic jurisdiction. We may look at letters of support from other local organizations that speak to its reach beyond its local borders and any other relevant information that the organization wishes to provide. Sometimes they’ll provide us statistics that demonstrate how they’ve grown that program over the course of several years, or they may have merged with another organization that’s led to them providing a greater reach of their services. It’s that kind of thing.

B. Ma: Thank you. Some feedback — at least from the not-for-profits in my neck of the woods, the North Shore….

Thank you for reading that out. Those were the criteria, I guess, that I was familiar with, entering this meeting, as well. I’m still hearing a lot of feedback from organizations saying that they don’t understand what that means. They know that you look at, for instance, the geographic area of the distribution of their services, but there’s no concept of whether or not their geographic area of distribution of services is large enough or far too small.

[2:15 p.m.]

They know what it is that the ministry is looking at in terms of the application, but there’s still no clarity as to whether or not they even meet those guidelines. We don’t know, for instance, if you’re distributing services to 5,000 people…. Is that regional, or are you looking more at 10,000 or 50,000? The concept of scale is ambiguous to a lot of these organizations, and I know that many of them have expressed frustration with that as well.

My third question is in regards to…. Again, recognizing that there are improvements that have been made, I’d like to go back in history a little bit more. There’s a section of the Auditor General’s report, and I’m trying to find it right now.

On page 32, the Auditor General had identified that there were cases when organizations were awarded grants without providing complete applications, without demonstrating that they met funding eligibility. Now, in those cases, it strikes me that somebody is making a judgement call. If you don’t have all of the information in front of you, then somebody’s made a judgement call.

I’m wondering what level of government that judgement call is made at. Is it the analysts who are making it? Do they have supervisors who make it? When you have an incomplete application and it’s decided to be funded, who makes the call?

K. Volk: Under our current policies and procedures, we would not fund an incomplete application. This is one of the places where we think we’ve seen significant improvement over the last couple of years. In reflecting on some of the recommendations from the Auditor General, we feel that we have made progress there.

I can imagine a scenario in the past where work would have been done by an analyst and then reviewed by a manager. But under the current framework, we would not approve grants that didn’t meet the guidelines.

B. Ma: So prior to the new framework, then, it would have been a decision made more at the staff level, is what I’m hearing.

K. Volk: Yeah. I mean, we can only speak to the time that it’s been in our ministry.

B. Ma: Right, of course.

K. Volk: But within that, it’s always been at the staff level. That’s within the last two years.

B. Ma: All right. My final line of questioning is in regards to one-time grants. I’m sorry. There was so much information in your wonderful presentation.

I heard at one point that you said that one-time grants were no longer being offered through the community gaming grants, that it’s been separated into various ministries. Can you elaborate on that, please?

K. Volk: Sure, and then Jo can fill in. There were a couple of recurring special one-time grants. One was for insurance for search and rescue, and the other one was for the North American Indigenous Games. Is that true?

J. White: Actually, it was for regular programming for Aboriginal sport.

K. Volk: Correct. So in this year’s budget, what had historically been an annual special one-time grant is now included as a budget for those particular ministries and is no longer funded by the community gaming grant program. We are currently not funding any special one-time grants. Still on our to-do list is following up on the recommendation from the OAG to formalize our policy on that.

B. Ma: How were special one-time grants awarded in the past?

K. Volk: They would have been similar to what you were describing before: a decision being made to fund a program that did not meet the guidelines for a regular grant.

B. Ma: Recently in the news cycle, in particular…. I’ve noticed it quite a bit coming out of the Surrey-Delta area. There’s been a story about New Horizons Village. I take it you’re familiar with that story. The organization, which was awarded a $200,000 grant 16 days after it was incorporated, wasn’t registered as a charity — no paperwork as to why it was awarded that money in such short order. Was that a special one-time grant that came out of the community gaming grant program, or was that separate?

K. Volk: It was not. It did not come from the community gaming grant program.

B. Ma: Okay, thank you.

S. Bond (Chair): Anyone else? Any other MLAs?

[2:20 p.m.]

R. Sultan: The Auditor General did refer to some instances which were clear violations of policy, just isolated examples. Nevertheless, one organization — and I’m speaking from memory — received money, even though they had never really filed any report on how things went in the previous year. The money just kept on rolling for four or five years. And similar isolated cases — I’m sure you’re well aware of those instances pointed out in the Auditor General’s report. Do you have any comment on them?

K. Volk: Our approach in all of these has been on a go-forward basis. I mean, if organizations in the past received funding where they did not meet the guidelines or the documentation was not in place, those were noted in the Auditor General’s report.

On the one hand, there’s still an expectation that that money would’ve been delivered and services rendered to the community. But in terms of the focus of the branch right now, our focus is on the administration of the program, year to year, and delivering the grants to the communities.

There’s certainly an audit function. If complaints are received about money either being not spent or spent improperly, those are referred over to the audit branch for review. So in cases where it looks like funding was not spent appropriately or there’s a lack of accountability, there always is the opportunity to conduct an audit of the organization.

R. Sultan: Just to clarify a couple of other points. It’s my impression, over the years, that you definitely do not encourage or in fact pay any attention to MLA recommendations. Is that true?

K. Volk: What we do is establish the guidelines, and if agencies are in compliance with the guidelines, they will receive funding.

R. Sultan: The other point. I’m sure that from time to time, there are hints that maybe this is all a B.C. Liberal scheme and we will find all the money flowing to B.C. Liberal constituencies. Or now perhaps the flow will reverse in the other direction. I presume this is in fact not true.

K. Volk: It is certainly not true. I think our analysis has found that the distribution of community gaming grant money is pretty much bang on with the representation of population across the province. Any analysis we’ve done spatially has shown that there is pretty much an even distribution of money.

The second thing that’s done, which we implemented most recently, is that in addition to the not-for-profit agencies getting notification of their grant, the MLAs are also sent a notification of the grants being received in their ridings. That’s being done regardless of political party.

R. Sultan: A final question. There are suggestions and commentary about improving the process. It does strike me that $1 billion is a lot of money, but on the other hand, this does strike me as being kind of a bare-bones operation. You’re not really going in there and auditing people extensively to find out exactly where the money was spent and why, etc.

I can appreciate that it’s an attempt to disburse important funds to important organizations without a huge overhead. But there are alternative ways of doing it, I suppose. As you look around the country, or the continent even, do you find other jurisdictions that do it quite differently? And what alternative models are there out there?

J. White: Let me just pull it up so I’m not fibbing about anything. The cross-jurisdictional research that was done did find that most other gaming-funded programming across Canada — they didn’t look too far beyond Canada, to be honest — is done quite differently. This is the only one that is genuinely an access fund. It’s how I would describe it.

There does tend to be different kinds of reporting structures embedded within those programs. They do tend to speak to strategic objectives, which means that they can change, depending on the government of the day. In Ontario, they do run a gaming fund through a completely separate organization, another not-for-profit organization that runs the funding independently of government.

[2:25 p.m.]

There are a variety of different mechanisms by which these kinds of funds can be distributed. That will be part of our policy discussion that Kevin mentioned in a presentation, on a go-forward basis.

S. Bond (Chair): Thank you, Ralph.

Next up, actually, the Auditor General wanted to insert a comment. Go ahead.

C. Bellringer: It was on the previous question. We actually did take a quick look at the distribution of the grants. We ended up not including anything in the report. It wasn’t relevant to the material here. We did not see any inappropriate patterns. And there is very good disclosure of what is given out — public disclosure.

S. Bond (Chair): That’s an important public statement. I’m glad that you brought it up today. I think people do just imagine that government, whoever that might be, somehow determines where the funding flows. It’s not true. I think that’s an important thing that comes out of this meeting.

Next up will be Adam.

A. Olsen: I would say that, actually, we send out a letter to all of the successful gaming grant recipients. My hand is quite tired with the number of organizations. Either they’re quite active in my riding or what, but we have had quite a number — and thankful for the support that this fund provides.

I think back to my days in local government, and we had a community grant in a process which we always were troubled with. And to Ralph’s point, how to do this is a challenge we always struggled with at local government, taking property tax and putting it back and making the decisions. There were always more requests than money to be there.

I just have a couple of questions. One is around…. I notice the six sectors and then the breakout. Environmental organizations are at 3 percent or something like that, I think. Is that based on the number…? If an organization applies and they get it, that is not necessarily a decision that’s being made about one sector over another? Rather, it’s the number of organizations that are applying from that sector? Is that fair?

K. Volk: There are different intake periods. In the intake period where environment grant applications are being taken in, we evaluate all those based on the guidelines and award the grants. In terms of the representation between the sectors, we monitor about a three-year rolling average.

The amount of grants that you’re seeing going to environmental organizations are reflective of the applications that they’ve made over the course of the last three years. It’s lower than the human and social services, but it’s just a reflection of the number of organizations that are applying for grants.

A. Olsen: Fascinating. Interesting. If I may, perhaps you could maybe talk a little bit about balancing the accountability factor, which is something that’s really important, with the cost of applying, administering and reporting. I know that from my days working with organizations and then, as well, with two small children in elementary school…. You brought up the PACs, and what the PACs already do and how they operate and the stress of being on a PAC, dealing with that….

[2:30 p.m.]

There is this struggle that I have, which is that we need to be accountable for the money that we’re disbursing but also recognize the fact that there are often very small community groups that are doing really good things. In some cases, they’re investing in parts of the community that are under-resourced, and they spend an awful lot of the time with this and with as little resources, I guess, as possible, of this grant — applying for it and then administering it and then reporting out on it.

Can we do it better? Is there an easier way? Can you talk a little bit about that relationship and how we can maybe decrease the demand on people while increasing their accountability?

K. Volk: It’s something that we’re continually looking to improve. There are two parts. One is applying for the grant, and the second part is reporting back on how the money was spent.

In terms of applying, we’ve established a short-form, long-form system. There is some basic information that you need to provide when you’re applying for a grant for the first time so that we can ensure that you’re eligible and compliant and that you are a not-for-profit.

Once you’re in the system and you’ve received a grant, we do revert to a shorter-form system, I think, on a three-year cycle. So for the next three years, it’s a less onerous application program. You’re already in the system, and a lot of your information is already there. We feel it is our base amount of information that’s required to be able to establish that an agency is eligible.

On the reporting side, I think you could characterize it as…. All we’re really asking for is for them to tell us what they spent the money on, which, in a lot of cases, for a PAC, is probably just a list.

I don’t know, Jo, if you have anything to add.

We don’t feel that the requirements are onerous, especially once you’re in the program. There’s a bit of a hump to provide all the information, and we work with the agencies and the not-for-profits to make sure that information is in there. Once you’re in the system, the short-form application and then the reporting, we feel, are pretty straightforward.

J. White: The only thing I would add to that is we do understand that the nature of the program means that many of the organizations have volunteers providing us with the application and the reporting and that there is turnover in those volunteers, especially in the PACs. Part of the community outreach function has been to provide a more detailed level of assistance so those organizations that might be struggling with that component of the process….

The reporting is, literally, just telling us what you spent the money on. So from our perspective, if you are maintaining your records, as you really should be as a viable organization, it’s really just telling us about it. We have made efforts to be as helpful as we can be with organizations, but I don’t think we could ask for less than we do right now.

A. Olsen: If I may, one more question. With respect to many of the organizations that I’m seeing and that I’m signing letters for congratulating them on their success, they were also organizations that were making application to one if not multiple municipalities that they operate in or serve. Has there ever been any desire to look at, perhaps, working, in Municipal Affairs and Housing…?

There seems to be some level of duplication here. Both programs exist, frankly. That doesn’t mean that the organizations, the non-profits, can’t express the need. Is there an opportunity to maybe work with the UBCM and to work with the municipalities to try to consolidate these so that we’re not…? I mean, part of the reporting piece is that these organizations are applying for so many different grants from so many different areas. Again, big question.

K. Volk: I think the answer is yes. There are local governments out there…. I think Richmond is a good example. They proactively come to the branch and look forward in terms of having discussions. In a lot of cases, there are limitations on how much public funding there can be, that an agency is getting. But in some cases where you’re leveraging, potentially, public infrastructure with a program that’s being delivered there, there are opportunities.

Like I said, there have been some proactive cities, but I think there is an opportunity to go back and engage agencies like UBCM on more coordination.

J. White: One thing I would add to that piece around municipal funding, which I think is important, is that there is, in the community gaming grant program, a threshold of 75 percent government funding that we can provide to an organization.

[2:35 p.m.]

We do not count municipal funding as government funding in this program. We would count the municipal funding as part of the community support for the program. I think that’s an important distinction for a lot of organizations. They are leveraging money that’s available through their municipality to assist them in delivering their programs.

I agree with Kevin that there are definitely opportunities for collaboration, but I think that is an important distinction for this program — that the threshold for government funding is federal and provincial.

B. Ma: I also wanted to make another comment in regard to incentivizing the kinds of behaviour that we might want from the not-for-profits. For instance, I’ve heard feedback from some not-for-profits on the North Shore about how the current gaming program actually disincentivizes smaller organizations from merging into a larger, more effective organization.

Sometimes we have many very, very small organizations, and their overhead for applying for a grant, not just the community gaming grant but all other grants as well, is actually very high. Maybe they’re a very small organization, but they have their own executive director, communications person, grant writer, and so forth. It would make a lot of sense organizationally for them to merge with a medium-sized group or another larger group. But because of the thresholds for a gaming grant award, it actually doesn’t make a lot of sense for them. Two smaller organizations can each apply for…. Is $25,000 the usual threshold for…?

J. White: It’s $100,000. For a local organization, the maximum is $100,000.

B. Ma: Thank you so much. So $100,000 per organization — that’s their threshold. If they merge, it’s still $100,000, but they only get it once. I was wondering whether you’ve heard that feedback yourself and whether you’ve considered ways to incentivize positive mergers rather than disincentivize them.

K. Volk: We have heard that. I mean, it all works in the context of, as we were discussing before, the local-regional-provincial framework and where the programs are being delivered. The current policy of the program is that if a program is being delivered locally, we do have a $100,000 threshold.

I think, going forward and in the context of acting on recommendations 1 and 2 and doing the program review, that’s exactly the type of feedback that we would be expecting and the type of policy issue that could be reviewed. It’s balancing the efficiencies you get from merging the organizations with the fact that you now have a larger organization that requires more funding.

B. Ma: Yeah, with access to less of it, seemingly. All right. Thank you.

S. Bond (Chair): A follow-up from Ralph.

R. Sultan: I find it a bit startling to find the home of this apparatus has been the Ministry of Finance. I mean, I view the Ministry of Finance as dealing with huge sums of money, balance sheets, tax policy, carbon — all those big things. Now we find very teeny, tiny, by government standards, community grants lodged within a department of the Ministry of Finance. Is this merely a historical accident, or are there good, logical reasons to leave it right where it is?

K. Volk: Currently the administration of the program is through the Ministry of Municipal Affairs and Housing. One of the actions that was taken a couple of years ago was to move it out of Finance and into a smaller ministry where you get away from the billion-dollar programs and more of a focus on community service delivery. The linkages to Finance — it’s now over at Attorney General — are primarily on the audit and the payment function, but the actual administration of the program is now being done through Municipal Affairs and Housing.

R. Sultan: But no more so than the Ministry of Finance is in charge of all the money going to hospitals and highways and every other thing. It seems to me — correct me if I’m wrong — that we have a specific organizational unit here that’s been identified. It just strikes me as being peculiar. Is it just a historical accident, or is there some really compelling ongoing reason to have divided responsibility, as I would see it?

[2:40 p.m.]

J. Mazure: Perhaps I could speak to that. I joined the gaming policy and enforcement branch in 2013, so just shortly after the previous election. The administration of the program was divided then. Largely the area that Kevin is now responsible for had responsibility for policy and the big sorts of decisions, program decisions, and GPEB was left to administer the program.

I know that it was an issue for both myself and Kevin’s predecessor in terms of managing a program like that where neither one of us really had full responsibility for the program. I’m not sure of the rationale or the decisions that led to the split. There were always discussions with Kevin’s predecessor about that, and, obviously, through the course of discussions with the Auditor General about how we thought the program was working, there was a decision to then move it into one ministry.

It was just something that we found ourselves in, in that situation. I don’t know what led to that decision. Like Kevin says, now it’s really a situation where, in terms of the payment of the funds and system support — that type of thing — we continue to provide that. That’s, I think, simply a matter of…. At some point in time, perhaps that responsibility moves over, but at this point in time, it’s the smartest decision in terms of continuing to support the program with the resources we have.

S. Bond (Chair): I just wanted to pursue that for a moment. It was one of my questions as well. The Auditor General’s report actually comments on the arrangement that was in place previously and highlights the fact that that changed at the completion of the report.

Does the Auditor General’s office have an opinion on whether the current arrangement or having two ministries with some degree of responsibility…? Is that something that the Auditor General’s audit looked at, thought about? Is it an issue of concern?

It would be good to know whether the Auditor General has an opinion on either the current configuration or whether future consideration should be given to the fact that we have two ministries sitting here today. To be honest, I’m not quite sure…. Obviously, Municipal Affairs has provided the presentation, so I’m not sure what GPEB’s physical role is. But does the Auditor General have an opinion about the current configuration?

C. Bellringer: Laurie can answer the history and where we landed with the report. But the element of it that is, if you will, an oversight component being elsewhere doesn’t bother me.

L. Selwood: Yes, I share Carol’s comments. The current way it’s set up seems to make sense. I know the system that is used to support the Ministry of Municipal Affairs and Housing is already used by GPEB, so it makes sense that that continues to provide support. And the audit function, of course, also has purposes to be in GPEB, so the current organization seems to make sense.

At the time of our audit, management was very open about the fact that the dual management and administration did cause some difficulties. So they expressed concerns, and we shared their concerns, because it did seem to not be perhaps the most efficient and effective management of the process.

J. Mazure: If I may, I’d just like to clarify that, really, when I was talking about the transfer of the program, I was talking about those elements that we used to have responsibility for that move over. We still retain authority under the act for audit. I think that’s appropriate given that our mandate deals with the integrity of gaming in the province. So I think that’s an appropriate place for it.

S. Bond (Chair): Yes, and I appreciate both comments made by the Auditor General’s office. I think that clarifies for us the need for or the acceptability of having that function in a separate place.

M. Dean (Deputy Chair): Thanks for all your work on this. It does sound like there’s been a lot of work on rigorously reviewing the policies and procedures and making sure that there’s an increase in transparency and maybe even accessibility.

[2:45 p.m.]

I just want to echo some of the comments that we’ve already discussed as well, and then I do have a question. I think it’s really important that there is some clarity around the purpose and intent of the whole program, because without that, then there won’t be clarity around what information is being collected and how to manage that information, how to evaluate that information as well.

I’m a real fan of key performance indicators. I think outcomes measures are really beneficial for communities to have. I also acknowledge that we don’t want to overburden these associations with too much administrative reporting as well. I get it that there’s a fine balance there.

I do still think that there are different mythologies in communities across the province and different histories and different experiences of how this money flows into communities — whatever lens you want to put on that. I think there’s a real opportunity here, given the amount of work that has been done, where, in the new ministry, this program could be repositioned and celebrated and revitalized, perhaps, in the community.

I’m really interested in whether that is something that has been considered, whether you have a communications plan once you’ve completed your survey with stakeholders and communities. Is that something that’s part of your completion of your work in response to the Auditor General’s report?

K. Volk: I would say yes. We don’t have a communications plan yet because we don’t know what the outcomes will be. But our view is that this survey…. It will engage every not-for-profit that’s received a community gaming grant and those that haven’t, to ask them why. That information comes in. We compile that. Out of that, we get a better understanding across the province of what the issues are and what the opportunities are.

There’s then an opportunity for discussion within government as to how the program wants to be either changed or kept the same — or modifications made. Then out of that could potentially come a rebranded program. But we’re really looking forward to the survey. We think it’s going to be very comprehensive. We anticipate, if the not-for-profits are willing to participate and give us their time to fill out the survey, that we will get a broad swath of information and suggestions about changes that could be made to the program.

S. Bond (Chair): I’ll ask a few things. Then if anyone else has anything else, they can certainly pop their hand up, and we can go back to that. I guess I want to start with, probably, comments somewhat similar to Adam’s.

We review the report, and we talk about applications and criteria and eligibility. These are people-based organizations that are made up of volunteers. I don’t know. I guess Ralph and I have probably the longest — and, well, John — tenure. This is one of the issues that MLAs deal with all the time. It’s not because we want to…. We do advocate, because they are great organizations. These are people, so the system has to be transparent, but it also has to be manageable for them to manoeuvre.

We have organizations who are made up…. I’ll just give you a recent experience. One of the organizations in my community — ironically, they would have no idea that I’m doing this today about this report — received a letter that explained why their grant had been reduced. Very professionally done, but it was three pages long. It said: “You’ve got to address this, this, this, this and this.” Where is their first call? It was to my office to say: “Please help us figure out how to seek reconsideration.”

Some of my questions are going to be related to some of the things that you’ve added in terms of support. But I think we always have to remember these are not professional grant writers. These are people, sitting and trying to figure out how to keep their organization going, whatever it happens to be. Some are far more sophisticated than others, which is why when Bowinn’s question about first come, first serve….

If you are a large organization who is receiving a regional grant, you probably have your application in the day after the period opens, and then you just wait and hope your grant shows up. We get people in our office — I’m sure other MLAs do too — two weeks before the deadline. It’s closing, and here they are running around, trying to figure out how to fill in the forms or whatever they do.

[2:50 p.m.]

We’ve become semi-professional in our office. Word gets out. Sure enough, they come in, and we try to help them. In fact, I got an email yesterday saying: “Thanks a lot.” We just tried to help them articulate how you don’t have to write a manuscript. You just need to answer the questions.

I hope that as we think about redesign, we remember who these organizations are. They are not big corporations or big, sophisticated…. Some of them are organizations with a lot of clout behind them, paid staff. There are a lot of these folks who don’t have that skill set. It always bothers me, because much of this is about core funding. It’s about money that keeps organizations running.

I think looking at the program is important, but I think we always need to remember who it is we’re…. I am unabashedly an advocate. That’s what I was elected to do, and I will continue to do that, even if it has zero influence. At least they know I care about what they’re doing, and it matters to them.

I want to pursue, just for a moment, the principle that if you are eligible, you get money. There’s a pretty basic mathematical assumption around that — that if new entrants are getting into the program, everybody gets money. Somebody is either not getting as much or managing a fixed pot of money and suggesting that if you’re eligible, you’re going to get funding.

How does the ministry grapple with that tension? We sure hear about it afterwards, because what happens is so-and-so gets a little bit carved off. And the next organization….

How do you manage a program if everyone who’s eligible gets funding? I’m not advocating to suddenly start cutting people off. Please don’t take it that way, or I will be…. It will not be good to go home.

How do you grapple with that tension? You have a fixed pot of money. You have new organizations — organizations that have longevity and have probably been getting the grants for a very long time. How does everyone get money, and how do you manage that?

K. Volk: To date, we have not been in a situation where the notional allocation out of the $135 million for a particular sector has not been enough to cover the applications for that sector. In that case, within a fixed budget, we probably would have to take an approach where you scanned the number of applicants and tried to ensure that there was fairness within the sector, and perhaps they would all get their amounts reduced. That hasn’t happened to date, and we’ve been thankful for that.

Last year we landed right on a dime — on $135 million. The year previous to that I think we were within our budget and able to provide funding.

We are very aware of the situation that you’re describing, and we keep a very close eye on it. We’re getting close to end of fiscal again this year. There’s uncertainty every year. The applications are now in for the last sector — for health and social services — but as we go through the applications, you’re not sure until the very end exactly who’s going to be eligible and for what. It’s a situation that we have to go through every year, and we’ve been very thankful that, to date, we haven’t had to make the tough decisions that you’re describing.

I think the opportunity and the way to work around that is, again…. The question that the Auditor General has put to us is: are the sectors appropriate? Is the budget appropriate? To date, the budget has been appropriate.

As the number of organizations grows, if our outreach is successful when we’re out visiting communities and explaining the program to people, and it’s giving organizations either comfort to apply or the information they need to submit a successful application, there could be pressure on the program, and we need to provide information to government to consider whether they want to amend the size of the budget.

It’s certainly a challenge, and there is uncertainty, because unlike a lot of programs, you can’t just say: “Here’s the amount of funding, and we’re going to cut people off.” Our goal is to ensure that everyone does receive funding.

S. Bond (Chair): We certainly are not advocating for that to happen. Having said that, though, an ask and a grant are often different. Is that correct?

K. Volk: That’s correct.

S. Bond (Chair): That is one of the ways you manage to suggest everyone gets funding. It’s really important to clarify they don’t all get the funding they’ve asked for — sitting at home or if anyone happened to be watching this. Many of them get a fraction and sometimes a significant portion. In a regional case, they will get the $100,000 or whatever they happen to get. They don’t get what they ask for all the time, and I’m sure there are reasons for that. Maybe if you could explain to us, just so I understand it.

[2:55 p.m.]

You’ve talked about additional outreach that is being done. You’ve listed a number of communities where workshops have been presented and those kinds of things. Is that an intentionally designed program, where you look across B.C.? Is it a request-based program?

What does the community outreach, the intentional outreach, that’s now been added into the work that’s done…? How does it operate? How do you get out to those organizations? How does that work?

K. Volk: Our goal in 2017 was to have at least one workshop in every economic region of the province. We achieved that. We also held workshops if invited. There are a number of MLAs that invited staff to come and provide presentations in their communities. We did that.

Then we worked closely with the B.C. Association for Charitable Gaming. They will also hold workshops. It was kind of a dual role where we wanted to make sure there was coverage across the province, but also we’d be responsive to any community group or MLA that invited us into their community to provide a presentation.

Jo, I’m not sure if you wanted to add to that.

J. White: I think that pretty much covers it. The 22 presentations that we referenced in this material were delivered by our staff. There were additional workshops held by either the BCACG or the local community charitable gaming associations, as well, which we didn’t build into our presentation because that’s additional to the presentations that we deliver.

As Kevin said, in 2017, we targeted specific regions, and then the remaining presentations were ones that we were invited to, either by, typically, an MLA or by a kind of umbrella organization. The B.C. Search and Rescue Association, for example, will invite us to do a presentation where all the search and rescue groups are attending a meeting. Those can be a really efficient mechanism for us to deliver outreach.

S. Bond (Chair): Can you tell us how the assistance referral system works? It’s part of the outreach component you’ve described. How does that work?

J. White: Essentially, it’s an escalation mechanism. If an analyst receives a call from an organization that requires assistance, and it’s going to take up a lot of their time on the…. We have a duty line, so an analyst is manning the duty line every day between 8:30 and 4:30. If it’s going to take too much time, they’ll refer them to the outreach manager so that they can spend more time with them.

Another mechanism might be, quite often, through the reconsideration process. If I feel an organization is struggling to get to compliance, I’ll make a referral within the reconsideration letter to encourage them to reach out to the manager. I’ll also request that the manager reach out to that organization.

Typically, it’s just managed within our branch, in terms of an analyst, team leader, director or myself identifying an organization that we feel could do with additional assistance to bring them into compliance with the program.

S. Bond (Chair): Thank you for that.

The Auditor General’s report does talk a little bit about the use of technology. The team has been increased in terms of the number of people. How much of the process remains paper-based, and how much of it is done using technology? Is there a way to streamline and enhance the use of technology, or do you feel like you’re at the optimum there? Can you just sort of describe for us that process and how that fits in the ministry’s thinking?

K. Volk: The application process is on line. That being said, there are always opportunities for systems improvements. We work closely with GPEB in terms of an integrated system linking back to the money coming in through gaming and then out to the organizations. I think there are always opportunities for improvements to the system.

It is on line, but we do foresee the need for technology improvements in terms of the customer interface as well as the in-behind payment processes over the next few years.

There are opportunities, as well, with a number of grant organizations within the provincial government, such as the Arts Council, where you could pursue opportunities for one-stop shops — an integrated on-line system where someone could go and see a number of grants that are available from the government and potentially use their information to apply for numerous grants at the same time.

[3:00 p.m.]

S. Bond (Chair): Will that be part of the work that’s being done in terms of strategic thinking and how the program is going to evolve from a content perspective but also the most important user? I mean, obviously analysts matter, but the most important consumers are the people sitting at home or in their little non-profit office trying to figure out how to do this. Is that kind of thinking part of the discussion that’s taking place over the next number of months?

K. Volk: We have no doubt that one of the pieces of feedback that we will hear will be about the on-line application system and improvements that can be made.

S. Bond (Chair): Yes. We certainly hear about it. Other MLAs around the room are nodding. I think, again, it goes back to the customer we’re serving and how we manage that.

I guess my last comments…. Then I’ll obviously check to see if anyone else has anything other than that. There’s a lot of work being done now to consult with the people who have received grants and to talk to everyone. Then comes the moment of truth, which is when recommendations will be provided to government.

Do you have any sense, at this point in time, of the magnitude of that change? I just know that this is a very emotional file for many people in our communities, and I would hope that as we think about change, we also think about the ongoing management of organizations that have, frankly, developed quite a dependence on this funding.

On paper, looking at strategies and renovating and doing all these new things can bring a lot of energy. It can also bring a lot of angst. How do we…? Do you have, as part of that “let’s make recommendations to government,” a plan that works directly with the consumers who are going to be very nervous about where this leads in the months and years ahead?

K. Volk: We’ve worked very closely with the B.C. Association of Charitable Gaming, as well as the B.C. Association of Aboriginal Friendship Centres, throughout. I mean, during my tenure in this position, we’ve had regular meetings with both groups, and we’ve signed a partnership agreement with the BCACG that we meet monthly to discuss all issues and take a no-surprises approach to things.

We think that really the only path to success is to work with the sector — as the BCACG is kind of the broad organization representing this sector — but also through surveys and through the outreach that we’re doing, having one-on-one contact with the sectors as well.

We understand very clearly that even things that we might think are minor policy adjustments result in big shocks to some groups. That’s why we’ve been very careful, as we described, in sort of a staged approach to any changes that have been made and also in recognizing that there is a bit of a policy cycle and that we do have a small two-month window at the beginning of each year where nobody is active in applying for grants. If we are going to make changes, we need to make sure that there is strong engagement, that the entire sector is able to see the changes that are being made and is able to adjust to those.

You can believe that the BCACG will let us know very quickly if any policy change that government is considering, or that we’re discussing with them, would have impacts or cause angst among their members.

S. Bond (Chair): We can assure you that we will also be letting and hearing about that, should that happen.

My final comment. I apologize for adding one more, but it really is important to me, and Bowinn had mentioned it earlier. I think the whole issue of clarity or definition around regional or provincial service, I would just really argue, is not about the number of people or the geography.

There are very unique circumstances where I live. You may have a small organization that is serving a geography the size of Belgium, with very few other service providers in that region. I think that as you think about who and what defines regional or provincial service, there is a very different perspective, depending upon where you live in British Columbia. So I think that there does need to be some flexibility around that determination.

[3:05 p.m.]

Where I live, we have small organizations punching way above their weight because they have to reach out to communities that are 500 miles away. It may not have 50,000 people, but the impact on that organization serving those people is very, very expensive and very significant.

Those are my final comments. Anyone else? Any other closing comments from MLAs?

J. Yap: Having attended a session where you’ve gone to the community, I can tell you, affirming what the Chair said, that this is a very emotional area for a lot of people because the work that you do in delivering this funding touches people out in all the communities around the province.

There are 5,000 applications, and beyond the 5,000 are the tens of thousands of families and neighbourhoods that are enriched and supported and given the chance to flourish, whether it’s for a $20,000 grant or a $100,000 grant. The amounts can be relatively small but have a big impact. Something like the outreach, the community sessions really were well received.

If that’s part of your planning to continue to do that, I would commend that, especially the smaller groups that may not have the resources or a professional level of staff and that really struggle with even your streamlined applications. It’s important to keep in mind, as you get through the survey and are trying to transform, re-engineer and improve gaming grants, that it really has become a very critical component of communities in our province.

S. Bond (Chair): All right. With those concluding comments, we want to thank you very much, to you and your team, from both ministries, for the presentation and for the work that’s been done. We look forward to the outcomes of the surveys and any steps that might be taken.

Once again, thank you to the Auditor General and her team. I think it was a really good discussion. We can see that the audits are actually resulting in change, and gaps are being closed. I think that’s really an important part of this process.

I just want to remind the committee, and obviously the Auditor General and her team, that tomorrow morning we reconvene at 9 a.m. Today we had a bit of a later start, at ten. Tomorrow morning it’s at nine. Three important reports to consider tomorrow, and I want to thank the committee for doing their homework. It’s been a lot of reading and a lot of work, but it’s obvious in your participation. We’ll adjourn this meeting and look forward to reconvening tomorrow morning at nine.

The committee adjourned at 3:07 p.m.