Canada’s “as is” Contract Security Program and the Aggregate Risk Profile of the Nation

One of the challenges for large bureaucracies is identifying second and third order effects of risk mitigation postures across the enterprise. In the article Public Service Culture, Risk Management and Governance: The Prerequisite of Effective Strategic Governance to Realizing Our Digital Ambition, the concept of an aggregate risk profile was introduced to highlight the potential adverse implications of such postures. The example used in the article was the requirement to amend the classification framework of the nation because in its current construct, it represents an over-mitigation of a lower risk that accrues significant real-world risk. The article also points to the Contract Security Program (CSP) as another example of an “as is” risk mitigation posture that is accruing real-world risk to Canada. In Canada, there has been a lot of focus put on improving the Contract Security Program to accelerate procurement while concurrently ensuring the security of protected and classified information, assets and access to work sites. The importance of this program is underscored by the 2007 Report of the Auditor General of Canada to the House of Commons, it’s subsequent Status Report on Security in Contracting published in the spring of 2013 and the Evaluation of the Contract Security Program conducted by Public Services and Procurement Canada’s (PSPC) Office of Program Evaluation for the period 2011-2017. Although all three documents observed shortcomings and provided recommendations to improve the CSP, they were all in the context of preserving the status quo policy paradigm. Although they are responsible for the delivery of the CSP, the PSPC must do so within the policy constraints articulated by Treasury Board. As such, implementation of the “tactical” recommendations identified in these reports may alleviate many of the problematic symptoms associated with the CSP. However, absent diagnosing and resolving the strategic problems associated with higher level policies, Canada’s aggregate risk will continue to increase.