Audit of the Northern Contaminated Sites Program
Internal Audit Report
Prepared by: Audit and Assurance Services Branch
May 2023
Acronyms
- CIRNAC: Crown–Indigenous Relations and Northern Affairs Canada
- CPGM: Corporate Procedures Guidance Manual
- DWP: Detailed Work Plan
- EHS: Environmental Health and Safety
- HQ: Headquarters
- IRM: NCSP Integrated Risk Management
- MPDMR: NCSP Major Project Delivery Model Requirements
- NCSPB: Northern Contaminated Sites Program Branch
- NCSP: Northern Contaminated Sites Program
- PIP: Performance Information Profile
- PSPC: Public Services and Procurement Canada
- RASCI: Responsible, Accountable, Support, Consult, Inform
- RMNCS: Requirements for the Management of NCS
- RR&A: Roles, Responsibilities and Authorities
- WBS: Work Breakdown Structure
Executive Summary
The objective of the Northern Contaminated Sites Program (NCSP) is to manage contaminated sites in a cost-effective and consistent manner while maximizing socio-economic benefits for Indigenous Peoples and Northerners. As of March 31, 2022, the total environmental liability including all 163 sites in the NCSP inventory was $6.3 billion.
This audit of the NCSP was aimed at providing assurance that clear roles and responsibilities had been established and implemented for the NCSP. Additionally, the audit examined whether the program had an effective risk management process in place. These two elements covered by the audit contribute to successful project execution and improved decision making.
The audit found that the NCSP has established a risk management process at both the program and project levels and has defined roles, responsibilities and authorities (RR&A) (i.e., approval structure), which help manage the on-going projects of the program. Although the program has generally demonstrated successful implementation of the established requirements, opportunities for improvement were identified.
The audit found discrepancies between guidance documentation and operational practices, indicating a need to review the guidance information on both risk management and RR&A. The audit also found gaps in consistency of implementation of requirements and completeness of information as it relates to key risk management requirements such as the identification of risk owners and timelines for implementation of mitigation measures. The audit highlights a general need to review and update the existing guidance on risk management and roles and responsibilities in order to streamline information across the different documents for added clarity and to obtain the appropriate consultations and approvals.
For the effective and efficient management of the NCSP and its projects, it is crucial to consistently implement a robust risk management process and provide clear guidance on roles and responsibilities. To assist the program in improving the gaps identified in the audit, the following recommendations were made:
- The Assistant Deputy Minister of Northern Affairs Organization should ensure consistent compliance and implementation of the established risk management framework and that the risk information is consistently and accurately captured in the risk registers. This information should be updated and reviewed at the appropriate level, and demonstrate that the NCSP Integrated Risk Management (IRM) requirements related to risk identification and risk mitigation are implemented.
- The Assistant Deputy Minister of Northern Affairs Organization should:
  - Update the risk nomenclature on the NCSP Integrated Risk Management (IRM) Framework (and associated tools and templates) to facilitate alignment and integration between all risk processes and improve the accuracy of the roll up of the data for compilation into the NCSP Performance Information Profile (PIP) reporting; and
  - Implement a process to review the Environmental Health and Safety (EHS) Plans to ensure that:
    - the scope and coverage of the plan includes key elements needed to ensure safeguard measures for any Indigenous communities surrounding the project site(s); and
    - there is consistent compliance with the requirements of Crown–Indigenous Relations and Northern Affairs Canada (CIRNAC) EHS Management System Manual and the Northern Contaminated Sites Program Branch (NCSPB) Project Technical Office (PTO) NCSP EHS Standard Operating Procedures (SOP) Manual.
- The Assistant Deputy Minister of Northern Affairs Organization should ensure:
  - That all guidance material related to risk management and roles, responsibilities and authorities are up-to-date, reviewed and approved at the appropriate level. For future reference, there should be clear guidance when formal approval is required and at what level; and
  - That review and updating the guidance material should be on-going and the most up-to-date approved guidance should be communicated to all relevant personnel periodically. Updates should consider operational practices, so there is alignment between the nomenclature used in the NCSP Integrated Risk Management (IRM) Procedure and other guidance and procedural documents and operational practices of stakeholders at all levels.
- To ensure consistent implementation of both roles, responsibilities, and authorities, as well as the established risk management process, the Assistant Deputy Minister should implement a Quality Assurance and Improvement process that periodically reviews the implementation of key requirements. This process should inform future updates to all guidance documentation and risk processes, and should include a mechanism to take corrective action(s) when non-compliance is identified.
Statement of conformance
The audit conforms with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing and the Government of Canada's Policy on Internal Audit, as supported by the results of the Quality Assurance and Improvement Program.
Management's Response
Management is in agreement with the findings, has accepted the recommendations included in the report, and has developed a management action plan to address them. The management action plan has been integrated into this report.
1. Context
The Government of Canada is responsible for managing a portfolio of contaminated sites in Yukon, the Northwest Territories and Nunavut. The contamination of these properties is the result of private sector mining and oil and gas activities, as well as government military activity that occurred more than 50 years ago, when environmental impacts were not fully understood. The sites became the responsibility of the Department as owner of last resort in the territories.
A contaminated site is one in which substances occur in the environment at concentrations that:
- are above background levels and pose, or are likely to pose, an immediate or long-term hazard to human health or the environment; or
- exceed the levels specified in policies and regulations.
The objective of the Northern Contaminated Sites Program (NCSP) is to manage contaminated sites in a cost-effective and consistent manner while maximizing socio-economic benefits for Indigenous peoples and northerners. The program aims to reduce or eliminate, where possible, risks to human and environmental health, and to decrease the federal environmental liability associated with contaminated sites in the north.
As of March 31, 2022, the total environmental liability including all 163 sites in the NCSP inventory was $6.31 billion. Approximately 92% of the liability is associated with the "big 8" which includes Faro Mine, Giant Mine, and the six other large abandoned mine projects.
The NCSP works closely with Public Services and Procurement Canada (PSPC), Indigenous partners, territorial governments, and the private sector to manage its sites to ensure successful remediation of contaminated sites.
Core Activities Related to Contaminated Sites
The NCSP conducts the following core activities as it relates to contaminated sites:
- Investigation and assessment of suspected contaminated sites;
- Development of remediation or risk management plans;
- Implementation of remediation;
- Care and maintenance of sites during or in advance of remediation;
- Securing regulatory approvals for remediation activities;
- Long-term monitoring and adaptive management of remediated sites and permanent infrastructure;
- Consultation and engagement with Indigenous communities;
- Intergovernmental relationships with territorial partners; and
- Management of insolvencies and re-commercialization of abandoned mines.
Policies and Guidance Documents
The Program is subject to a variety of policies and guidance documents. A summary of the five governing documents is as follows:
- The Department's Contaminated Sites Management Policy, effective August 21, 2002, provides direction to meet the requirements of the Treasury Board while supporting the principles of the Sustainable Development Strategy. This policy is a key component of the Department's environmental management regime.
- The 2018 Requirements for the Management of Northern Contaminated Sites (RMNCS) outlines the requirements for managing the NCSP. The NCSP also requires that supporting partners (e.g., PSPC, territorial governments, consultants, contractors, etc.) be familiar with these requirements and support their implementation as outlined through negotiated agreements and contracts.
- The 2018 Corporate Procedures Guidance Manual (CPGM) provides a set of procedures related to the program and project activities undertaken by the NCSP. It includes guidance on recommended approaches, such as the Major Projects Office Standards and Guidance Manual which applies also to the NCSP project management.
- The NCSP Integrated Risk Management (IRM) (2018) is the framework followed by the NCSP to identify, analyze, evaluate, treat and communicate about risks to the Program Headquarters (HQ) and to projects. The framework provides guidance to facilitate and coordinate the end-to-end risk management processes supporting the annual planning cycle.
- The NCSP Major Project Delivery Model Requirements (2018) (MPDMR) outline the Project Delivery Model for major sites. It was developed to address the specific needs of large projects, which have numerous stakeholders and span extensive durations.
2. About the Audit
The Audit of the Northern Contaminated Sites Program was included in the Crown–Indigenous Relations and Northern Affairs Canada (CIRNAC) and Indigenous Services Canada's (ISC) Risk-Based Audit Plan for 2022-23 to 2023-24, which was presented to the Departmental Audit Committee and approved by the Deputy Ministers in June 2022.
2.1 Why it is important
The NCSP represents a significant liability to the federal government as well as a significant risk to environmental health and safety and the safety of the surrounding First Nations communities. This is further complicated by the scale of the program which has led to a highly decentralized project management structure. These conditions present an opportunity to:
- provide assurance over as well as strengthen the risk management process, which directly affects the size of the liability and health and safety; and
- assess the adequacy of the defined and implemented roles, responsibilities, and authorities which span multiple projects and geographies.
2.2 Audit Objective
The objective of the audit was to provide assurance that clear roles and responsibilities had been established and implemented for the program and the projects. The audit also examined whether the program had an effective risk management process to identify, assess, mitigate, monitor and communicate risks to the program level.
2.3 Audit Scope
The scope of the audit included the assessment of NCSP lines of authority at the program and project levels, including the formal establishment of roles, responsibilities, and authorities. The scope also included an assessment of the NCSP's risk management processes.
The audit did not assess governance from the perspective of program oversight and did not examine areas outside the responsibility of CIRNAC, such as procurement processes and certain aspects of project management, which were the responsibility of PSPC. Although the audit looked at the NCSP's risk management process, it did not assess the outcomes/effectiveness of risk mitigation measures previously identified.
The audit examined contaminated site project files of different sizes for each region in the NCSP portfolio, including two of the large projects and one of the medium projects in the NCSP portfolio.
2.4 Audit Approach and Methodology
The audit was conducted in accordance with the requirements of the Treasury Board Policy on Internal Audit and followed the International Standards for the Professional Practice of Internal Auditing. The audit examined sufficient, relevant evidence and obtained sufficient information to provide a reasonable level of assurance in support of the audit conclusion.
The audit work was conducted from May 2022 to February 2023 and consisted of three distinct phases: planning, conduct, and reporting. The main audit techniques used included:
- Interviews with different stakeholders from NCSP at Program (HQ) and regional offices;
- Review of relevant documentation related to contaminated site management, including policies, operational procedures, and guidelines;
- Testing of the effectiveness and integration of the risk management processes; and
- Testing of the implementation of established roles, responsibilities and authorities.
In selecting which projects to examine for this audit, the audit team utilized a judgmental sampling approach and assessed project details including the size of the project, percentage complete at the time of the audit, recorded delays to the project timeline, changes in project costs during the life of the project, and location (i.e., which CIRNAC region is managing the project).
The approach used to address the audit objective included the development of audit criteria, against which observations and conclusions were drawn. The audit criteria can be found in Annex A.
3. Key Findings and Recommendations
3.1 Risk Management
Background
Risk management encompasses the identification, analysis, and response to risk factors that form part of the life of a business or organization. Effective risk management aims to control, as much as possible, future outcomes by acting proactively rather than reactively.
The NCSP aims to reduce or eliminate risks to human and environmental health through remediation projects of contaminated sites in a cost effective manner. Due to the complex nature of the projects, which involve various stakeholders, regulatory requirements, and environmental considerations, a sound risk management process helps in identifying, assessing, and mitigating potential risks and uncertainties associated with these projects.
As such, Internal Audit expected to find that:
- the NCSP had established a risk framework to define, guide and standardize the risk management activities;
- risk management processes were implemented to identify, assess, mitigate, and monitor the NCSP risks; and
- risk processes were integrated within the program level and the projects level (i.e., risk information from the project level was reviewed and rolled up at the program level to help inform decision-making).
Risk
There was a risk that a risk management framework was not established and implemented to help identify, assess, mitigate, and monitor key risks.
Findings
3.1.1 The Risk Management Framework
The Northern Contaminated Sites Program (NCSP) established and relies on a comprehensive risk management guideline and procedures, which are outlined in the Requirements for the Management of Northern Contaminated Sites (RMNCS). A key component of the RMNCS is the Corporate Procedures Guidance Manual (CPGM), which emphasizes the Integrated Risk Management Procedure as the principal document that facilitates the risk management processes across both project and program activities.
The Integrated Risk Management Procedure was developed in order to identify, analyze, evaluate, address, and communicate risks at all levels. This framework enables end-to-end risk management processes for the NCSP and bolsters the annual planning cycle. The document also outlines the requirements for implementing the IRM procedures and offers guidance to users that aims to assist in the execution of these requirements.
Although a general framework for risk management has been established, opportunities for improvement were identified.
The original IRM document was introduced in 2015-16, prior to the dissolution of the former department of Indigenous and Northern Affairs Canada. Subsequently, it underwent an update in 2018; however, the revised 2018 version of the IRM:
- did not receive formal approval;
- contained an incomplete section; and
- featured outdated or inactive links to supporting documents stored in a system (i.e., the Comprehensive Integrated Document Management system) that was replaced in 2019 by a new system and is no longer in use.
The IRM mandates a formal update at five-year intervals, or sooner if circumstances necessitate it, and a lessons learned exercise, as part of the continuous improvement cycle, is required. However, the 2018 update of the IRM did not include a lessons learned exercise, which is a key element in continuous improvement requirements specified in the IRM.
The program regarded the 2018 framework updates as minimal and, therefore, did not believe they necessitated Committee level approval. Consequently, the framework did not undergo the formal update process, which includes incorporating the lessons learned exercise, finalizing all sections of the report, and obtaining final approvals. There was no clear guidance and/or criteria found on what constitutes a minimal update versus an update that requires Committee level approval and documentation of lessons learned.
Since the IRM is important for the program's effective risk management, it is essential to provide clear guidance and criteria for the approval process, and to ensure adherence to this guidance for consistent compliance. This prevents employees from potentially assuming that the absence of formal approval signifies non-finalized requirements, which may lead them to rely on previous iterations of the framework and/or guidance information.
See Recommendation Number 3 in Section 3.2.2 below to address the gaps in updating program and project guidance documentation.
3.1.2 Risk Management Implementation
For the NCSP, risk management is an on-going process for which the program has developed processes and guidance, although there is opportunity to ensure the continued relevance of the framework and clarity of the associated guidance documentation that was in place at the time of audit.
At the program level, a risk exercise is carried out every fiscal year, which involves identifying and assessing program-level risks. Mitigating treatments and action owners are assigned during this exercise. This annual exercise manages risks that:
- could adversely affect the achievement of the NCSP strategic plan, as well as key performance indicators (i.e., Northern Abandoned Mine Reclamation Program (NAMRP) and Federal Contaminated Sites Action Plan (FCSAP)); and
- considers project risks from the different projects sites.
The exercise occurs in Q1 of the year following the project-level risk exercise and the review of the NCSP Strategic Plan. The output of the program risk exercise is an updated risk register and risk profile.
The project-level risk exercise is conducted every fiscal year for all funded projects or those in the process of obtaining funding. The annual exercise includes the identification and assessment of respective project-level risks, with mitigating treatments and risk owners being assigned as part of the exercise. Mitigating treatments are then incorporated into the project-level Detailed Work Plan (DWP) in order to secure funding for the mitigation activity (i.e., treatment). The regular monitoring and reporting activities to measure progress against the mitigations are also outlined. These project-level risk exercises occur in Q3 and are finalized in Q4 to inform the program-level risk exercise. The output of the project risk exercise is an updated project risk register and project risk profile.
As part of the audit, the requirements pertaining to risk identification, assessment, mitigation, monitoring, and communication were examined based on files from the sampled projects and the key observations are highlighted below.
Risk Identification
To assess whether risks were identified as required in the IRM, documentation illustrating the identification of risks, including clear risk statements, risk owners, risk sources, and likelihood and impact, was requested. For the projects selected, the associated risk registers, which all contained information on the purpose of the risk register, instructions on how to complete the risk register, version control information, site information that was unique to each project, risk history and risk criteria were provided and reviewed. The documents examined contained risk statements, identification of the category of risk (e.g., general health and safety, governance, engagement, etc.) and the source of the risk among other relevant details.
The team also reviewed presentation decks and meeting minutes from annual risk management workshops held during the period under review which illustrated efforts undertaken by the program in the risk identification process. Due to the nature of the contaminated site projects, the audit was not able to determine the relevance of certain risks; risks related to governance, community concerns, and access were deemed to be in-line with the expected challenges on these types of projects.
Although the risk register documents reviewed contained relevant information and clearly outlined the risk associated with the respective projects, there were instances where the registers did not fully align with the expectations outlined in the IRM. In particular, information related to the 'Risk ID' and/or 'Risk source' was not always completed. The '2021-2022 Combined All Regions Risk Register', which is a roll-up of the relevant risks, contained 762 risks and 261 did not have a risk source identified.
Examination of the project level risk documents found similar completion and/or non-compliance issues. For the period under review, four out of the six sampled projects demonstrated several instances where the risk source was not identified as required. For 2021-22, the Tundra project had 7 out of 15 active risks with no source identified, the Jericho project had 11 out of 28, and Colomac had 2 out of 62 active risks with no source identified. For 2020-21, Resolution Island project had 1 out of 18 active risks with no risk sources identified. Additionally, for two out of six projects there were instances where the risk owner(s) was not indicated for active risks on the 2021-22 risk registers. This included the Giant project where 6 out of 112 active risks had no owner identified and the Faro project where 11 out of 82 active risks did not have a risk owner identified.
It was noted from interviews that incompleteness of the risk registers was due to the lack of review and enforcement of the requirements, post risk exercise. The audit also noted that risk information was entered manually and there was no clear procedure to control access to the document and the potential manipulation of the information contained in the risk registers. It is essential to the overall risk management process to ensure the completeness and accuracy of the information associated with identified risks.
Risk Assessment
As per the IRM, risk workshops are a tool used to identify and assess risks, with updated risk registers being a key output of such workshops. The workshops and the updated risk registers showed assessment of risks, including criteria and determination of likelihood and consequence (i.e., impact) and the risk rating for each. The audit found that the risk assessment was performed. The assessment broke the consequence into several categories such as legal, financial, or environmental consequence, etc., and defined what the risk rating (i.e., low, moderate, etc.) meant under each category. Although the established process was followed and no major issues were noted, it was unclear to the audit team how the criteria were developed and what review of the criteria takes place as the nature of the risks facing the NCSP may evolve over time.
Risk Mitigation
Risk mitigation involves selecting and implementing measures to address a risk. The IRM mandates that risk treatment (i.e., mitigation) information is recorded and updated in the risk register, which includes a brief description of the treatment action, a risk treatment owner, the due date, and the relevant Work Breakdown Structure (WBS) identification number.
To assess whether risks were mitigated in accordance with the risk framework, the audit verified if:
- risk treatment actions were identified, including the assignment of risk treatment owners and due dates;
- risk registers were updated considering the risk treatment information and reviewed by the Regional Director (for Regional Projects) or by the Major Project Director (for Major Projects);
- contingency plans were developed for program and project risks classified as "moderately high" to "intolerable"; and
- risk treatment actions were integrated into DWPs and Change Orders.
It is important to note that while the execution of risk treatment actions is part of the risk mitigation phase, the execution/efficiency of risk treatment actions was not tested because it was outside the scope of this audit.
The audit found the following in relation to the four areas (i.e., Risk Treatment, Update of Risk Information, Contingency Planning and the Detailed Work Plans) of review mentioned above.
Risk Treatment: Treatment actions were identified through various methods, such as workshops and internal brainstorming sessions. The risk registers were subsequently updated to reflect the risk treatment information for the files reviewed and the risk treatment information reviewed did align with the risks identified. However, the audit noted instances where risk treatment actions were not assigned an owner, or a due date was not established. For example, in 2021-22, 32 of the 53 risk treatment actions for the Faro project did not include due dates. In the other five sites tested, the due date columns were entirely empty.
Update of Risk Information: For the period under review, there was not sufficient evidence to conclude that the assignment of risk treatment actions was reviewed by the Regional Director (for Regional Projects) or by the Major Project Director as expected. Program representatives informed the audit team that while there was no formal evidence available to demonstrate review, the Project Technical Office and Project Management Directors review the project risks several times a year via the DWP review, and through participation at the Project Advisory Committees and Governance Committees.
Contingency Planning: For the period under review, the audit did not find evidence of the development of contingency plans and noted 6 Program Risks and 496 project risks with "moderately high" to "intolerable" classifications without the expected Contingency Plan. The 2018 IRM guidance document included a section titled "Contingency Plan – Development"; however, the section was left blank and was still in draft at the time of the audit. Through interviews with representatives from the sector, the audit team found that risk owners interpreted the IRM 4.3 requirement as a "should" and not a "must". Based on this information, the audit team requested one sample of a Contingency Plan drafted in response to the 496 eligible risks, but at the time of the audit there were no examples of a contingency plan available.
Detailed Work Plan: For the period under review, the audit was unable to find evidence to confirm whether the adopted mitigation actions were integrated into DWPs and change orders, as DWP/Change order references and WBS identification numbers were missing from the risk registers for the risk treatment actions presented for all the sites tested. For instance, at project level in 2021-22, the instances where the audit noted missing information in the files examined were as follows: Faro 180 of 255, Giant 29 of 29, Tundra 11 of 11, Colomac Mine 33 of 35, Jericho 32 of 32, and Resolution Island 8 of 14. Interviews with representatives from the sector revealed that missing WBS numbers could result from new risks identified during the fall project risk sessions before the DWP update cycle (which links WBS numbers to risk) or because some risks are more general and thus apply to many WBS elements. Additionally, project site representatives for Tundra and Colomac explained that due dates were not included in the treatments, but their notes indicated when the risk might be observed or when potential mitigative measures might be implemented.
As it relates to the implementation of the requirements outlined in the NCSP risk management framework, the audit found that the incompleteness of the risk owner, due dates, DWP, and missing change order references on the risk registers was due in large part to the high level of complexity associated with the risk treatment actions, coupled with the lack of review and enforcement of the requirements post risk exercise. The incompleteness of the contingency plans requirement was linked to inconsistent understanding of the requirement and highlights an opportunity to improve communication around all of the requirements. Clear understanding of the value of the risk management exercise(s) and requirements is essential to the long-term success of the NCSP at the project and program level as it supports readiness to manage and effectively respond to a disruptive event that may arise.
Risk Monitoring and Communication
The audit observed that risk monitoring and communication was conducted throughout the year via the Quarterly Report, the Annual Risk Management Exercises as well as the Departmental Results Report. As part of the annual risk monitoring and communication process, both program level and project level Risk Profiles outlining existing risks, relevant themes, and key messages as an output of the project risk exercise, were developed and reviewed. Although the audit noted the occurrence of monitoring and communication, there is potential that the data input gaps noted earlier (i.e., issues with populating the risk registers) and inconsistent application of the risk management requirements may impact the quality of the information when rolled up and communicated.
Recommendation
- The Assistant Deputy Minister of Northern Affairs Organization should ensure consistent compliance and implementation of the established risk management framework and that the risk information is consistently and accurately captured in the risk registers. This information should be updated and reviewed at the appropriate level, and demonstrate that the NCSP Integrated Risk Management (IRM) requirements related to risk identification and risk mitigation are implemented.
3.1.3 Horizontal Integration of the Risk Management Processes
The integration between risk management processes across the program is fundamental to the overall success and effectiveness of NCSP risk management. This integration takes place through distinct processes and tools, which are expected to be coordinated to allow for risk prioritization and encourage a synergic and optimized approach in the use of resources. In addition to the risk assessment process conducted at the Program and Project site levels, which was discussed in the preceding section (3.1.2), there are risk reports at the Sector and Departmental level, which include and consider risks related to the NCSP.
Integration and Alignment of Risk Documents
The Program Performance Information Profile (PIP) is a management tool used to organize and coordinate performance information relevant to the NCSP. Section 8 of the PIP presented the Program Risks and correlated the identified risks with a specific program output/outcome. The risks in the PIP are reviewed and updated on an annual basis.
The audit reviewed the NCSP PIP and found that it included program outcomes, with defined thresholds and key performance indicators (KPIs) assigned to each outcome. The audit noted that some of the "outcomes" were related to risks to human health and the environment. However, it was not clear how the program would be able to obtain the data to report on the outcomes / risks identified in the PIP as there was no linkage between the language and nomenclature used in the PIP versus the risk registers and tools used at the project site level. More specifically, the PIP stated that the project risk registers would be used to assess the performance of the "risks to human health and safety" outcome. However, review of the project-level risk registers found that there are risks impacting environmental health and safety (EHS) not named or categorized as "Health & Safety" risks, making it difficult to assess:
- the linkages between the documents; and
- performance against this risk-based outcome.
According to the information provided to the audit team, the Policy and Program Management Directorate is responsible for extracting data from the regional databases to report against the KPI PIP. However, as noted previously, the data available from the risk registers was not always complete, nor did it align with the risk terminology used to track the PIP Program output/outcomes. As a result, the possibility for inaccurate information to be extracted from the database (see finding in section 3.1.2 of the report) and reported up does exist, which could have impacts on planning and priority setting, and/or cause reputational harm.
Environmental Health and Safety Plans
As part of the audit, the team reviewed the environmental health and safety (EHS) plans for the sites in scope for the period under review. These plans were reviewed for compliance with internal CIRNAC guidance and to assess the level of consideration given to EHS risks that could potentially impact First Nations communities.
EHS plans were developed and provided for all 6 sites in scope. Review of the plans found they were missing some of the expected elements, including the specification of risks and hazards of potential impact to any communities in proximity of the sites, comprehensive emergency procedures for the risks aligned to their project risk registers, communication protocols (e.g.: how to trigger the evacuation of First Nations communities in case of an issue) and actions undertaken to mitigate EHS risks. These elements are both EHS best practices and expectations documented in the CIRNAC EHS Management System Manual (e.g.: Interested Parties & Communication Plan - Table 2) as well as NCSPB Project Technical Office (PTO) NCSP EHS Standard Operating Procedures (SOP) Manual (e.g.: Corrective and Preventive Action Plan (CPAP) for NCSP Hazardous Occurrences).
It was noted that the EHS plans were developed by either the contractors on site who were hired as site managers, or an external consulting firm. While EHS plans were in place, they were largely tailored to occupational health and safety risks for individuals on site. Internal audit reviewed the EHS Plans against the requirements of the CIRNAC EHS Management System Manual and the EHS Standard Operating Procedures (SOP) Manual and found that the scope of the plans did not include or consider EHS risk to the Indigenous communities. Further, the EHS plans were not fully compliant with the requirements of the CIRNAC EHS Management System Manual.
Recommendations
- The Assistant Deputy Minister of Northern Affairs Organization should:
  - Update the risk nomenclature on the NCSP Integrated Risk Management (IRM) Framework (and associated tools and templates) to facilitate alignment and integration between all risk processes and improve the accuracy of the roll up of the data for compilation into the NCSP PIP reporting; and
  - Implement a process to review the EHS Plans to ensure that:
    - the scope and coverage of the plan include key elements needed to ensure safeguard measures for any Indigenous communities surrounding the project site(s); and
    - there is consistent compliance with the requirements of the CIRNAC EHS Management System Manual and the NCSPB Project Technical Office (PTO) NCSP EHS Standard Operating Procedures (SOP) Manual.
3.2 Roles, Responsibilities, and Authorities
Background
Roles and responsibilities that are clearly defined and implemented facilitate efficiency and effectiveness. In addition to roles and responsibilities, defining authorities prescribes which roles are authorized to perform certain tasks and/or provide approvals. Authorization is established as part of the definition of roles and responsibilities.
There are several stakeholders involved in the operations of the NCSP and, as such, well defined roles and responsibilities are of particular importance. The NCSP is a decentralized program that has several sites located in different regions and completion of projects requires collaboration within CIRNAC (i.e., between regions and HQ) and with other government departments (e.g., PSPC). The responsibilities of headquarters included communication with the regions and the program's delivery partners, strategic planning, policy making, securing resources and oversight, and supporting the direction of major projects. The three regions (Yukon, Nunavut, and the Northwest Territories) are responsible for the implementation of program direction and plans at the different contaminated sites. The Regional Offices oversee the implementation of program requirements for sites within their region.
The audit expected to find that the NCSP had established and consistently implemented roles, responsibilities, and authorities.
Risks
There was a risk that the program had not clearly defined and implemented roles, responsibilities and authorities across the NCSP, resulting in ineffective operations and inefficient processes, which may result in cost overruns and increased health and safety risks due to delays in remediation activities.
Findings
3.2.1 Establishment and Implementation of NCSP Roles, Responsibilities and Authorities (RR&A)
To describe roles and responsibilities, the Program (HQ) developed the RMNCS (2018). This requirements document is further supplemented by four primary guidance documents. A summary of the requirements and the associated guidance is described as follows:
- The RMNCS outlined the requirements for managing the NCSP as a whole. The requirements were organized into three sections:
  - Project Lifecycle Requirements;
  - Project Annual and Ongoing Requirements; and
  - Portfolio Management Requirements.
- The Corporate Procedures Guidance Manual (2018) (CPGM) included a comprehensive set of procedures related to the program and project activities undertaken by the NCSP. Roles, responsibilities, and authorities were defined for governance bodies, key roles, and other key organizations. Roles and responsibilities were identified for each procedure and authorities were defined where applicable.
- The IRM (2018) defined key roles and assigned recommended actions across the phases of the IRM. Authorities were defined through a Responsible, Accountable, Support, Consult, Inform (RASCI) chart; accountability was assigned to specific roles for each procedure.
- The NCSP Major Project Delivery Model Requirements (2018) (MPDMR) outlined the Project Delivery Model for major sites. The model was broken out into four components: requirements for major projects, major project life cycle model, process map for major projects, and guidelines for major projects.
While documented roles and responsibilities were found at all levels, the documents were not always up-to-date. The RMNCS indicated that the requirements and supporting guidance should be updated and reviewed regularly (i.e., at a minimum every two years) to ensure applicability, adapt to changing conditions (e.g. funding sources) and to drive continual improvement. Despite this requirement, some of the documents provided were old (replaced) but were found to be in circulation and/or some of the old (replaced) documents were referenced in current guidance documents or key project artifacts. The Major Project Standards and Guidance Manual (2015) superseded by the MPDMR (2018) was referenced in the Tundra Project Charter (2017), in the RMNCS (2018), and the IRM (2018). The CPGM references rescinded TBS policies and directives.
Although the development of a clear roles, responsibilities and authorities (RR&A) structure for appropriate approvals is essential for effective project management, it is just as important to ensure consistent implementation of RR&A. Successful implementation of RR&A requires alignment between the expectations of management (i.e. documented roles, responsibilities and authorities) and day-to-day operations of the organization. To assess implementation of RR&A the audit examined:
- the annual risk profile development;
- the Project charter development and approval;
- the DWP development and approval; and
- change request recommendation and approval.
These are four key items and they were selected for examination because:
- The development of the Annual Risk Profile is an essential part of the risk management cycle;
- Project Charters define roles, responsibilities, approvals, and authorities in accordance with program guidance, and are key to project success;
- DWP development and approval, following program guidance, served as the primary operational document to guide projects year-to-year; and
- Clear guidelines and defined authorities for change requests mitigate the risk of unnecessary cost increases and potential fraud.
Development of the Annual Risk Profile: The IRM prescribed the duties of management and staff through a RASCI chart. A RASCI chart is a common project management tool used to allocate responsibilities. The IRM defined roles and responsibilities via RASCI chart, which provided clarity on expectations that could be reviewed and tested during the audit.
Testing results found that RR&A were implemented as defined in the IRM RASCI chart for the development of the annual risk profile. The audit team reviewed committee meeting minutes, dashboards and attendance records to determine implementation of the RR&A requirements for the development of the Annual Risk Profile.
Development and approval of charters: Charters include key RR&A information and should be established and maintained as the relevance of the information contained in the charter is important to ensure clarity on RR&A. The RMNCS and CPGM required that charters be developed by a project manager, indicated by a "recommendation" sign off, and authorized by the regional director, indicated by an "approval" sign off. Testing was conducted to validate the implementation and compliance with authorities.
Charters examined demonstrated partial implementation of established RR&A. Charter recommendations were signed off by individuals either in the role of project manager or a position of higher authority and charter approvals were signed off by either individuals in the role of regional director or a position of higher authority. Only one project inspected had sign offs from individuals with the exact titles of project manager and regional director. While the approval of a higher-level authority is still appropriate approval, it may demonstrate that the roles and responsibilities documentation should be updated and realigned with operational practices.
Although charters were prepared and approved at the appropriate level, the project charters examined as part of this audit were more than two years old and two of them were more than five years old. The audit did not find evidence of periodic review to update charter information in the charters and re-approve them as project life cycles are lengthy. For the FARO project, which had one of the more recent project charters, the audit team was informed that the RASCI chart included in their project charter was outdated and, as such, was no longer in use.
Development and approval of DWPs: The establishment of RR&A for the creation, review, and approval of the DWP was described in both the RMNCS and CPGM guidance documents. However, the audit found that RR&A documented for the development, review and approval of the DWP differed in certain areas between the two guidance documents (i.e., the RMNCS and CPGM). For example, the RMNCS required each DWP package be developed, reviewed and approved as follows:
- Development (Project Manager);
- Review (Program Management Directorate, Project Technical Office, & Financial Management Authority); and
- Approval (Regional Director General & Executive Director).
However, based on the CPGM guidance document, each DWP package was expected to be developed, reviewed and approved as follows:
- Development (Project Manager);
- Review (HQ staff); and
- Approval (Regional Director & Regional Director General).
The audit team reviewed DWPs associated with the projects sampled and found the RR&A outlined in the RMNCS and the CPGM were generally implemented. There were instances where approval was provided by someone in a position higher than the one identified in either the RMNCS and/or CPGM. Although this was not a risk, it does illustrate some variance between operational practices and guidance provided. This may be due to the variation in language and the level of specificity as it relates to development, review and approval. Any variations in guidance may result in on-going inconsistencies.
Recommendation and approval of change requests: The change request process, which involves alterations to elements of the original project plan (e.g., changes to resources, costs, etc.), requires clear RR&A as changes may have material impacts on the project. The audit found that RR&A for change requests were not prescribed or defined in a guidance document. Instead, project-specific templates established change request RR&A by indicating the required reviews and approvals directly on the template. Due to the absence of overarching guidance, variations in RR&A related to change requests were observed among different projects. However, as long as approval authorities continue to be respected, the flexibility provided by not enforcing strict horizontal guidance across all projects in this area allows for modified approaches that may improve efficiency.
To assess the implementation of the RR&A associated with change requests, the audit team examined a sample of change requests to verify that RR&A were functioning as described within the project-specific templates that outline the RR&A for change requests. In particular, each change request had to show sign-offs for the recommendation, endorsement, and approval of the request, as stipulated by the templates.
The audit found that for the FARO, Resolution Island, and Tundra projects, there were absent or incomplete sign-offs on the change requests when compared to the requirements of the change request templates. The samples examined for Giant mine found one instance where a member of the 'controls team' reviewed and endorsed their own change request. No issues were identified at the Colomac or Jericho projects for the period under review.
The compliance issues noted in reviewing the change requests were not related to guidance as the templates offer clear direction; however, there should be greater enforcement of the requirements to ensure consistent application of the requirements. Change requests not being reviewed and approved at the appropriate level may affect the timeliness and cost efficiency of projects.
Overall, RR&A were outlined by the NCSP; however, there is an opportunity to streamline the guidance to ensure alignment with operational practices and remove any potential duplication. There is also an opportunity to improve overall implementation of the direction/guidance outlined in the respective guidance documents to limit inconsistencies and ensure RR&A are respected across the board.
Recommendations
- The Assistant Deputy Minister of Northern Affairs Organization should ensure:
  - That all guidance material related to risk management and roles, responsibilities and authorities is up-to-date, reviewed and approved at the appropriate level. For future reference, there should be clear guidance when formal approval is required and at what level.
  - That the review and updating of the guidance material is on-going and the most up-to-date approved guidance is communicated to all relevant personnel periodically. Updates should consider operational practices, so there is alignment between the nomenclature used in the NCSP Integrated Risk Management (IRM) and other guidance and procedural documents and operational practices of stakeholders at all levels.
- To ensure consistent implementation of both roles, responsibilities, and authorities, as well as the established risk management process, the Assistant Deputy Minister should implement a Quality Assurance and Improvement process that periodically reviews the implementation of key requirements. This process should inform future updates to all guidance documentation and risk processes, and should include a mechanism to take corrective action(s) when non-compliance is identified.
4. Conclusion
The NCSP has established a guidance framework for risk management and roles and responsibilities, which are essential to ensuring large projects spread across the north are managed efficiently and effectively. For the most part, the program has demonstrated successful implementation of the established requirements; however, opportunities for improvement exist. The audit revealed that guidance documentation did not always align with operational practices, and there is an opportunity to review the guidance information on both risk management and RR&A to ensure relevance, improve clarity, and align with operational needs at different project sites. The audit also identified gaps in the implementation of existing guidance and requirements concerning both risk management and roles and responsibilities.
For the effective and efficient management of the program and its projects, it is crucial to implement a robust risk management process and provide clear guidance on roles and responsibilities, which the program has attempted to do and should continue to improve.
5. Management Action Plan
Crown-Indigenous Relations and Northern Affairs Canada (CIRNAC) manages the Northern Contaminated Sites Program (NCSP; the Program), a key driver of the department's commitment to reconciliation in the North. The Program focuses on the management of contaminated sites in the territories to reduce risk to human and environmental health and safety for all Northern communities through site assessments, care, maintenance, remediation, and monitoring. The Program supports addressing the legacy impacts of the contaminated sites while also addressing the current environmental concerns. This work fosters the development and maintenance of long-term partnerships with Indigenous and Northern communities including co-developed and co-management governance models.
The Program is supportive of the audit which focused on program roles and responsibilities. The roles and responsibilities of the program include concretely demonstrating the Department's commitment to self-determination and economic reconciliation through Indigenous partners' participation in project governance and the creation of socio-economic benefits. Decisions on how to advance the projects incorporate feedback from engagement activities with Indigenous communities to ensure that community needs are met. Working with our partners at PSPC, the Program adopts creative procurement solutions that support capacity development for Indigenous communities.
The audit also focused on the Program's risk management practices. The current practices include the consideration of risks that could impact advancing remediation as well as reconciliation such as procurement risks, capacity development risks, risks related to the creation of socio-economic risks and more.
Recommendations | Management Response / Actions | Responsible (Title) | Planned Implementation Date |
---|---|---|---|
| | The Northern Contaminated Sites Program (NCSP) will undertake a review of the existing Integrated Risk Management Framework to ensure risk information is consistently and accurately captured in the risk registers and approved at the appropriate level. The NCSP is taking steps to enhance its reporting by annually documenting risk identification and mitigation efforts through the Assistant Deputy Minister and Deputy Minister committees. The program will facilitate the flow of information from the Assistant Deputy Minister (ADM) and Deputy Minister (DM) committees to project managers. They, in turn, will communicate transparently and collaboratively with the impacted Indigenous communities through their regular channels to ensure transparency and effective engagement. | Director, Program & Policy with support from the Manager, Quality Assurance Compliance | October 31, 2024 |
| | Since the audit started, the NCSP has hired a dedicated Health & Safety analyst to oversee the implementation of the EHS Manual. The NCSP will update existing audit processes, outlined in the EHS Manual, to ensure they are clearly defined in order to evaluate compliance with the NCSP manuals. | | |
| | Since the audit started, the NCSP has established a Quality Assurance Compliance team that will update the NCSP Quality Assurance Manual to include a Quality Assurance and Improvement process that will ensure the periodic review of the implementation of key requirements, including a corrective action process, and inform future updates to all guidance documentation and risk processes. | Director, Program & Policy with support from the Manager, Quality Assurance Compliance | October 31, 2024 |
Annex A: Audit Criteria
To ensure an appropriate level of assurance to meet the audit objectives, the following audit criteria were developed to address the objectives.
Audit Criteria | Sub-criteria |
---|---|
| | 1.1 Risk management processes for program and projects are supported by an established risk management framework. 1.2 Risks to the program and to projects are identified, assessed, mitigated, monitored, and communicated in alignment with the established risk framework. 1.3 Risk management processes and activities are integrated between the program and the projects. |
| | 2.1 CIRNAC's roles, responsibilities and authorities are clearly established at the program and project levels. 2.2 Established roles, responsibilities and authorities are implemented for the Program and at the project level. |