2018 Spring Reports of the Auditor General of Canada to the Parliament of Canada Independent Auditor’s ReportReport of the Auditor General of Canada to the Board of Directors of Export Development Canada—Special Examination—2018

2018 Spring Reports of the Auditor General of Canada to the Parliament of CanadaReport of the Auditor General of Canada to the Board of Directors of Export Development Canada—Special Examination—2018

Independent Auditor’s Report

This report reproduces the special examination report that the Office of the Auditor General of Canada issued to Export Development Canada on 21 February 2018. The Office has not performed follow-up audit work on the matters raised in this reproduced report.

Introduction

Background

1. Export Development Canada (the Corporation) was established in 1969 to help Canadian companies benefit from international business opportunities. It reports to the Minister of International Trade. Its purposes and powers are established by the Export Development Act and the Export Development Canada Exercise of Certain Powers Regulations.

2. The Corporation takes on risk to help Canadian exporters, mainly by providing insurance and financing. The insurance protects exporters against losses incurred as a result of exporting (for example, if a foreign customer defaults on payment). Financing is provided through loans, loan guarantees, and investments, which are given to foreign buyers to help them buy Canadian products or to Canadian companies to help them develop their business abroad. The Corporation also offers information and advice to Canadian exporters.

3. Export Development Canada has approximately 1,500 employees working in 37 locations (18 in Canada and 19 abroad). Exhibit 1 provides some details of its business activities and income.

Exhibit 1—Export Development Canada’s business activities

Details of business activities 2014 2015 2016
Number of clients served 7,432 7,343 7,150
Total financing arrangements
(loans, investments, and guarantees)
($ billions)
21.6 25.4 28.1
Total insurance arrangements
($ billions)
77.3 78.8 74.0
Total business facilitated
($ billions)
99.9 104.2 102.0
Net financing and insurance income
($ billions)
1.5 1.6 1.5
Net income
($ billions)
1.1 0.9 1.1

Source: Export Development Canada’s 2014, 2015, and 2016 annual reports

4. The focus of the Corporation’s 2017–21 business strategy is to increase the number of Canadian companies that export and to support their diversification to new markets. The Corporation adjusts its business strategy to remain relevant to Canadian companies and explores new ways of addressing the challenges they face.

5. The Corporation is financially self-sustaining and does not receive government funding. To achieve its business objectives, it must price its products and services appropriately, manage its risks, and have the right people in place.

6. Since our last audit of the Corporation in 2009, it has begun carrying out several transformation initiatives. One of these is to transform its information technology systems to improve service delivery. Another is a multi-year transformation of its risk management practices to keep pace with evolving best practices in the financial services industry, informed by the review carried out by the Office of the Superintendent of Financial Institutions in 2014.

Focus of the audit

7. Our objective for this audit was to determine whether the systems and practices we selected for examination at Export Development Canada were providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively as required by section 138 of the Financial Administration Act.

8. In addition, section 139 of the Financial Administration Act requires that we state an opinion, with respect to the criteria established, whether there was reasonable assurance there were no significant deficiencies in the systems and practices examined. A significant deficiency is reported when the systems and practices examined did not meet the criteria established, resulting in a finding that the Corporation could be prevented from having reasonable assurance that its assets are safeguarded and controlled, its resources are managed economically and efficiently, and its operations are carried out effectively.

9. Based on our assessment of risks, we selected systems and practices in the following areas:

These systems and practices and the criteria used to assess them are found in the exhibits throughout the report.

10. More details about the audit objective, scope, approach, and sources of criteria are in About the Audit at the end of this report.

Findings, Recommendations, and Responses

Corporate management practices

In corporate governance, there was a significant deficiency related to the appointment of Board directors and a weakness in Board oversight

Overall message

11. Overall, we found that Export Development Canada had a significant deficiency in corporate governance related to the appointment of Board directors. The appointment of directors is the responsibility of the Governor in CouncilDefinition i and is thus outside the Corporation’s control. At the time of the audit, 1 position was vacant, and 8 of the 12 current Board members, while continuing to serve, had terms that had expired, putting the continuity of the Board’s oversight at risk.

12. We also found that the Board’s ability to oversee risk management could be hindered because the Board did not receive all the information it needed to fully understand some of the Corporation’s risks.

13. We found that the Corporation had some good corporate governance practices in place, and that it had good strategic planning and performance measurement and reporting processes.

14. These findings matter because vacancies on the Board, uncertainty about the appointments or terms of its directors, and insufficient risk information could hinder the effectiveness of the Board’s oversight of the Corporation.

15. For additional information, see Subsequent Event at the end of the report.

16. Our analysis supporting this finding discusses the following topics:

17. The Export Development Act provides for a Board of 13 directors, including the President and Chief Executive Officer.

18. In our 2009 audit, we found that the Corporation had to improve its approach to performance reporting. As of 2017, the Corporation was implementing a new approach to strategic planning and performance measurement and reporting, which will continue into 2018.

19. Our recommendations in this area of examination appear at paragraphs 26, 31, and 32.

20. Corporate governance. There was a significant deficiency related to the appointments of members to the Corporation’s Board of Directors and a weakness in Board oversight. The Corporation had in place good corporate governance practices in other areas (Exhibit 2).

Exhibit 2—Corporate governance—key findings and assessment

Systems and practices Criteria used Key findings Assessment against the criteria

Legend—Assessment against the criteria

Check  mark in a green circle, meaning met the criteria

Met the criteria

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Met the criteria, with improvement needed

Minus sign in a red circle, meaning did not meet the criteria

Did not meet the criteria

Board independence

The Board functioned independently.

The Corporation had a Board Charter, a Conflict of Interest Policy, and a Code of Conduct Policy that required directors to be independent of management.

Conflicts of interest were declared at Board meetings and through an annual declaration.

The Board held regular in-camera meetings without management.

Check  mark in a green circle, meaning met the criteria

Setting strategic direction

The Board provided strategic direction.

The Board was active in setting the Corporation’s strategic direction.

The Board was active in setting the President and Chief Executive Officer’s objectives that were aligned with the strategic direction and in assessing the President and Chief Executive Officer’s performance against those objectives.

Check  mark in a green circle, meaning met the criteria

Board oversight

The Board carried out its oversight role over the Corporation.

Board members received the necessary information to challenge, direct, and make decisions.

Internal Audit conducted regular internal audits. The Chief Internal Auditor met in camera with the Audit Committee regularly.

The Chief Compliance and Ethics Officer met in camera with the Audit Committee and the Risk Management Committee regularly.

Weakness

The Board did not receive from management complete risk management information, which could hinder effective oversight of the Corporation’s operational risk management function.

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Board appointments and competencies

The Board collectively had capacity and competencies to discharge its responsibilities.

The Board determined the skills and expertise it needed to be effective.

The Board periodically assessed whether its directors had the appropriate skills and knowledge to carry out their responsibilities.

Board members were provided orientation sessions and ongoing training.

The Board had access to outside expertise and used it when necessary to fill gaps in its skill and expertise profile.

The Board communicated with its Minister about Board appointments, renewals, and vacancies.

Significant deficiency

The terms of eight of the Corporation’s directors had expired, and one position was vacant.

For additional information, see Subsequent Event at the end of the report.

Weakness

The compensation range for the President and Chief Executive Officer had fallen behind the ranges for the senior vice-presidents.

Minus sign in a red circle, meaning did not meet the criteria

21. Weakness—Board oversight. We found a weakness in the Board’s oversight of the Corporation in operational risk management. The Board’s ability to oversee this area was hindered because comprehensive reporting on operational risk management was not in place (see paragraph 42). Furthermore, certain other key elements of risk management reporting to the Board were not in place, such as reporting the Corporation’s overall position against its risk appetite statement or having aggregated risk limits across business lines (see paragraphs 34 to 49).

22. This weakness matters because Board oversight of risk management helps ensure that an organization remains aligned with its strategic objectives and manages its risks in line with its risk tolerances.

23. Significant deficiency—Board appointments and competencies. Out of 12 directors (excluding the President and Chief Executive Officer), the Chairperson’s position was vacant and the terms of 8 other directors had expired. (In accordance with the Financial Administration Act, these directors continue to serve until their replacements are appointed.) In addition, the President and Chief Executive Officer’s term will expire in February 2019, and the Corporation may face challenges in attracting a qualified individual for this position (see paragraph 28).

24. The Corporation identified expiration dates of the terms of Board directors, as well as the skills and competencies needed to fill these positions. To initiate an appointment process, the Corporation communicated this information to its Minister in advance of the terms’ expiration. However, its actions did not result in timely appointments or reappointments to the Board of Directors. As these appointments are made by the Governor in Council, this was beyond the Corporation’s control.

25. This significant deficiency matters because if many director positions were filled by new appointments at about the same time, it could compromise continuity in the Board’s oversight. It could also undermine the Corporation’s ability to carry out its significant transformation initiatives and achieve its new strategic objectives.

26. Recommendation. The Corporation should continue to engage with its responsible Minister to help ensure that appropriate appointments to its Board of Directors are made in a timely and staggered manner.

The Corporation’s response. Agreed. The Corporation will continue to engage with our responsible Minister to request that appointments be made in a timely manner—and be staggered as to the number of Directors appointed in any one year—to ensure Board continuity and appropriate governance.

27. For additional information, see Subsequent Event at the end of the report.

28. Weakness—Board appointments and competencies. We found that the President and Chief Executive Officer’s compensation range—set by the Governor in Council and based on salary ranges established in 2012—had fallen behind the Senior Vice President’s compensation ranges, which were established by the Board of Directors based on market standards.

29. This weakness matters because this discrepancy could hinder the Corporation’s ability to attract qualified individuals to the President and Chief Executive Officer position, further putting at risk continuity in the oversight of the Corporation.

30. We also found that the Corporation did not publicly disclose executive compensation—in its annual report, for example. Compensation represents one of the Corporation’s largest operational expenditures. In addition, given the importance of appropriate compensation in attracting individuals with the proper qualifications, and the Corporation’s issue with the level of compensation of the President and Chief Executive Officer, disclosing executive compensation or salary structures would promote transparency, as it does elsewhere in government and in the financial services industry. It would also contribute to a better understanding by stakeholders at large of salary structures and inherent issues.

31. Recommendation. The Corporation should continue to engage with its responsible Minister and the Privy Council Office to address the issue related to the President and Chief Executive Officer’s compensation.

The Corporation’s response. Agreed. The Corporation is very concerned that the total compensation structure of the President and Chief Executive Officer position is significantly below market as confirmed by a chief executive officer compensation benchmarking study conducted on behalf of the Board of Directors by external compensation consultants in August 2017. The Corporation will continue to engage with our responsible Minister and the Privy Council Office to request a review of the total compensation structure of the President and Chief Executive Officer position with the objective of ensuring that the Corporation continues to have the ability to attract, engage, and retain qualified candidates for this position going forward. This is particularly important and pressing, given that the current President and Chief Executive Officer’s term expires in early 2019.

32. Recommendation. The Corporation should consider disclosing its compensation framework as well as total compensation for senior management—for example, in its annual report—in line with government and financial services industry practices.

The Corporation’s response. Agreed. The Corporation is continuously improving disclosure and transparency in external reporting. A review of compensation related to annual report content will be conducted relative to industry peers and best practices over the course of 2018.

33. Strategic planning and performance measurement and reporting. The Corporation had good strategic planning and performance measurement and reporting processes (Exhibit 3).

Exhibit 3—Strategic planning and performance measurement and reporting—key findings and assessment

Systems and practices Criteria used Key findings Assessment against the criteria

Legend—Assessment against the criteria

Check  mark in a green circle, meaning met the criteria

Met the criteria

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Met the criteria, with improvement needed

Minus sign in a red circle, meaning did not meet the criteria

Did not meet the criteria

Strategic planning processes

The Corporation had a framework to define its strategic plan and objectives.

The Corporation had good strategic planning processes in place.

The Corporation considered its internal and external environments, as well as its competitive strengths and weaknesses, threats, and opportunities.

The Corporation established measurable strategic objectives.

The strategic plan was well communicated and understood throughout the organization.

Check  mark in a green circle, meaning met the criteria

Performance measures

The Corporation established performance measures in support of achieving strategic objectives.

The strategic plan had objectives for measuring performance, which were aligned with the Corporation’s strategic direction.

Check  mark in a green circle, meaning met the criteria

Performance monitoring and reporting

The Corporation monitored and reported on progress in achieving its strategic objectives.

The Corporation had good performance measurement and reporting processes in place.

The Corporation reported performance results monthly to senior management and quarterly to the Board of Directors.

The Corporation’s public 2016 annual report included results on its performance measures.

Check  mark in a green circle, meaning met the criteria

Risk management

A significant deficiency in the Corporation’s risk management practices was due to a number of weaknesses

Overall message

34. Overall, we found weaknesses in how the Corporation managed risk and in how the Corporation managed credit risk. Combined, these weaknesses amounted to a significant deficiency. The Corporation did not keep up with evolving industry practices in risk management. At the time of our audit, it did not have operational and strategic risk management frameworks in place, and it was developing and implementing credit risk management policies that were aligned with its risk appetite statement.

35. Some of the weaknesses in risk management were not new—we reported on the Corporation’s operational risk management practices in our 2009 special examination. These weaknesses will persist until the Corporation addresses them in its risk management transformation project, which is expected to be completed in 2019.

36. This finding matters because the Corporation’s business was to assume the risk of others, and it operated in an environment of changing risk. Keeping risk management practices in line with evolving industry practices would help manage these risks effectively. At the time of our audit, the Corporation had a risk management transformation project under way to update its practices.

37. Our analysis supporting this finding discusses the following topics:

38. According to the Corporation’s risk management framework, it should consider the following risks:

39. Financial institutions establish a risk appetite statement as part of their risk management practices. This statement describes the amount and type of risk an organization accepts before it must implement risk mitigation measures to reduce risk. An organization’s overall tolerance for losses is broken down into limits and targets, which are assigned to the different business areas of the organization. Examples can include obligor, country, and industry limits for financing and insurance transactions. Once the limits and targets are established, the organization must regularly measure and monitor its position against them to ensure that its overall risk appetite is not exceeded and that corrective action is taken when appropriate. Exhibit 4 provides a simplified overview of the Corporation’s intended risk management approach.

Exhibit 4—Simplified overview of Export Development Canada’s risk management framework

Chart showing a simplified overview of Export Development Canada’s enterprise risk management framework
Exhibit 4—text version

This chart shows a simplified overview of Export Development Canada’s enterprise risk management framework (including an overall risk appetite statement). The framework lists particular actions by the Corporation for managing three types of risk—strategic, operational, and financial.

Strategic risk management framework

  • State the risk appetite in this area.
  • Set risk tolerances and limits for each strategic risk.

Operational risk management framework

  • State the risk appetite in this area (for example, information technology and human resources).
  • Set risk tolerances and limits for each operational risk.

Financial risk management framework

  • State the risk appetite for each business line (for example, lending and insurance).
  • Set risk tolerances and limits for each business line.

Each of the three risk management frameworks includes supporting policies, guidelines, and procedures.

40. In our 2009 audit, we noted that the Corporation had not yet developed an operational risk management policy.

41. Our recommendations in this area of examination appear at paragraphs 44, 45, 46, and 49.

42. Risk management. We found that Export Development Canada had a framework to describe how it should manage risk across the Corporation. However, in some cases, it did not have comprehensive policies that implemented the framework. Where it did have policies, it had not yet implemented all of them (Exhibit 5).

Exhibit 5—Risk management—key findings and assessment

Systems and practices Criteria used Key findings Assessment against the criteria

Legend—Assessment against the criteria

Check  mark in a green circle, meaning met the criteria

Met the criteria

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Met the criteria, with improvement needed

Minus sign in a red circle, meaning did not meet the criteria

Did not meet the criteria

Risk management framework

The Corporation has a risk management framework that provides for identification, measurement, mitigation, monitoring, and reporting of risks.

The Corporation had an overall risk management framework to describe the principles of its risk management practices.

Weakness

The Corporation did not have risk management frameworks in place for strategic and operational risk management modules.

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Risk appetite statement

The Corporation developed an enterprise-wide risk appetite statement.

The Corporation had a risk appetite statement to set its risk tolerance and to guide the development of supporting policies.

The statement covered the three risk areas from the risk management framework (strategic, financial, and operational) and had been approved by the Board.

Weakness

The risk appetite statement was not fully operational because the Corporation did not have in place operational and strategic risk targets or complete supporting policies (including policies for business lines) that were aligned with the risk appetite statement.

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Risk management roles and responsibilities

The Corporation defined and implemented risk management roles and responsibilities.

The Corporation defined risk management roles and responsibilities in the Risk Management Policy and Framework.

The Corporation aligned risk management roles and responsibilities with industry practices.

Check  mark in a green circle, meaning met the criteria

Risk identification and assessment

The Corporation identified and assessed risks to achieving strategic objectives.

The Corporation maintained an inventory of strategic, financial, and operational risk categories to help guide its risk identification process.

The Corporation surveyed senior management to identify its most significant risks, which the Board validated.

Weakness

The Corporation did not have a systematic process to gather risk information from its business units, such as a risk and control self-assessment process at the business unit level, to identify risks and establish risk mitigation plans.

The Corporation’s Enterprise Threat Risk Assessment conducted in 2016 did not include an inventory and classification of its key assets (information, technology, and physical assets).

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Risk mitigation

The Corporation defined and implemented risk responses.

The Corporation identified its most significant risks and assigned risk owners at the executive level to them.

Risk owners developed risk response plans for each of the significant risks identified.

Check  mark in a green circle, meaning met the criteria

Risk monitoring and reporting

The Corporation monitored the implementation of risk mitigation measures.

The Corporation monitored and reported on risk mitigation activities through a quarterly risk report, in which risk owners provided updates on the status of risk mitigation activities. This report was provided to the Board.

Management provided the Board with a detailed financial risk management report every quarter.

Weakness

The Corporation’s quarterly risk reports, which were based on reporting required under its existing risk management framework, had limited operational risk reporting because of the lack of an operational risk management framework.

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

43. Weaknesses—Risk management. We found a number of weaknesses in the Corporation’s overall management of risk, including the lack of strategic and operational risk management frameworks. Although the Corporation had a significant project under way to renew its risk management framework and practices, we assessed the systems and practices in place at the time of our examination.

44. Recommendation. The Corporation should complete its risk management transformation project as planned, including the following activities:

The Corporation’s response. Agreed. The Corporation notes that work on its enterprise risk management project (the Project) is currently under way. The completion of the Project, which will more systematically address each of the elements noted within the recommendation, is and will continue to be a key priority for the Corporation, with regular reporting to the Board of Directors. The prioritization of elements to be addressed by the Project was informed by gaps previously identified by the Corporation as part of the establishment of an enterprise risk management framework and group led by the Chief Risk Officer, and by those raised during an in-depth review by the Office of the Superintendent of Financial Institutions of the Corporation’s risk management and governance practices, which took place in 2014 and 2015. Notwithstanding that a more comprehensive policy framework and approach to manage risk will be addressed by the Project, the Corporation has in place and has periodically updated policies addressing certain operational risks, including information technology, human resources, corporate security and compliance and ethics, among others.

45. Recommendation. The Corporation should ensure that risk reporting includes comprehensive information about operational risk management.

The Corporation’s response. Agreed. The Corporation had developed work plans to enhance risk reporting to include comprehensive information about operational risk management as part of the risk management transformation project (the Project), referred to in the response to the recommendation in paragraph 44. Completion of the Project will address the elements noted within the recommendation. Completion dates for the various work streams of the Project range from the first quarter of 2018 to the last quarter of 2019, as prioritized on a risk basis.

46. Recommendation. The Corporation should develop an inventory and classification of key assets (including information and critical systems) and monitor and mitigate threats against these assets.

The Corporation’s response. Agreed. Although the Corporation has an inventory of technology assets and physical assets, it does not have a comprehensive inventory and classification of information assets. The Corporation will develop and maintain an inventory and classification of all key assets by 30 September 2018 and will monitor and mitigate threats against these assets. The 2018 biannual Enterprise Threat Risk Assessment will use this inventory to complete its internal and external threat risk assessment by 31 December 2018.

47. Credit risk management for financing and insurance. Given the nature of its business, the Corporation is exposed to significant financial risk. We found that it had not yet fully implemented all of its renewed credit risk management systems and practices that were aligned with its updated risk appetite statement (Exhibit 6).

Exhibit 6—Credit risk management for financing and insurance—key findings and assessment

Systems and practices Criteria used Key findings Assessment against the criteria

Legend—Assessment against the criteria

Check  mark in a green circle, meaning met the criteria

Met the criteria

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Met the criteria, with improvement needed

Minus sign in a red circle, meaning did not meet the criteria

Did not meet the criteria

Policies, procedures, roles, and responsibilities

Policies, procedures, roles, and responsibilities for managing credit risk were aligned with the enterprise-wide risk appetite framework.

The Corporation had credit risk management policies and procedures in place.

The Corporation had a comprehensive approach to credit risk management, including establishing management roles and responsibilities in line with industry practices.

Check  mark in a green circle, meaning met the criteria

Credit risk appetite

The Corporation developed risk tolerances for financing and insurance credit risk.

The Corporation operated within its credit risk limits framework, which set transaction limits by obligor, country, and industry and established actions to take when limits were exceeded.

Weakness

The credit risk component of the risk appetite statement had not yet been fully implemented through aligned credit risk management policies and limits.

The risk limits did not combine credit exposure across all lines of business.

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Credit risk identification and measurement

The Corporation identified and measured credit risk.

The Corporation had processes to identify and measure credit risk in lending and insurance transactions.

Weakness

The Corporation had not subjected its financial risk models to validation.

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Monitoring and reporting

The Corporation monitored and reported credit risk in accordance with its framework.

Management provided the Board with a detailed financial risk management report every quarter. This report included information about credit risk, including when set tolerances were exceeded.

Check  mark in a green circle, meaning met the criteria

Responsive action

Responsive actions were taken when credit risk exceeded defined risk tolerances.

Policies defined when limits were exceeded and when formal action plans were required for Board review and approval.

Check  mark in a green circle, meaning met the criteria

48. Weaknesses—Credit risk management for financing and insurance. We found a number of weaknesses in how the Corporation managed its credit risk for financing and insurance.

49. Recommendation. The Corporation should complete its risk management transformation project as planned, with prompt consideration of the following items:

The Corporation’s response. Agreed. The Corporation notes that work on our enterprise risk management project (the Project) is currently under way. The completion of the Project, which will more systematically address each of the elements noted within the recommendation, is and will continue to be a key priority for the Corporation, with regular reporting to the Board of Directors. The prioritization of elements to be addressed by the Project was informed by gaps previously identified by the Corporation as part of the establishment of an enterprise risk management framework and group led by the Chief Risk Officer, and by those raised during an in-depth review by the Office of the Superintendent of Financial Institutions of the Corporation’s risk management and governance practices, which took place in 2014 and 2015.

Regarding the element of the recommendation pertaining to model risk management, a Model Risk Management team is now established and reports directly to the Chief Risk Officer. To support the recently approved Model Risk Management Policy, all related guidelines and procedures are now complete. Also, an enterprise-wide model inventory and a plan to validate high-impact models are now substantially complete.

Organizational transformation

The Corporation was managing its organizational transformations well, but improvement was needed in oversight

Overall message

50. Overall, we found that Export Development Canada was doing well in managing its two major transformation initiatives—the transformation of its risk management framework and of its credit insurance systems. However, the Board and senior management did not have consolidated reporting of how the initiatives had an impact on the Corporation as a whole.

51. This finding matters because without consolidated reporting of the initiatives’ impacts, senior management and Board members may not understand the collective effects of these impacts and may not prioritize efforts and resources where needed.

52. Our analysis supporting this finding discusses the following topic:

53. The Corporation is renewing its risk management framework and developing a new service delivery model for credit insurance. These are both significant initiatives.

54. Our recommendation in this area of examination appears at paragraph 58.

55. Management of organizational transformations. The Corporation had systems and practices in place to oversee and report on its transformation initiatives. However, it did not have consolidated reporting on these initiatives and their overall impact on the Corporation (Exhibit 7).

Exhibit 7—Management of organizational transformations—key findings and assessment

Systems and practices Criteria used Key findings Assessment against the criteria

Legend—Assessment against the criteria

Check  mark in a green circle, meaning met the criteria

Met the criteria

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Met the criteria, with improvement needed

Minus sign in a red circle, meaning did not meet the criteria

Did not meet the criteria

Transformation program and project oversight

The Corporation had the program and project management structure necessary to oversee, monitor, and report on multiple transformation projects.

The Corporation had an Enterprise Portfolio Management Office to manage and monitor its significant initiatives.

The Corporation had a Strategy Execution Committee that oversaw transformation management (resources, risks, priorities, and dependencies).

There were well-defined roles, responsibilities, and accountabilities.

Weakness

The Corporation did not have consolidated reporting on its transformation initiatives and their overall impact on the Corporation.

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Program and project management

The Corporation had in place a project management framework to plan, implement, and monitor transformation programs and projects.

The Corporation had a project management methodology that it applied to all initiatives.

Check  mark in a green circle, meaning met the criteria

Change management

The Corporation had in place the change management methodology, systems, and practices necessary to carry out its transformation projects.

The Corporation had a change management team and assigned change management advisers to the major transformation teams to ensure change management practices were applied.

For each major transformation initiative we reviewed, the Corporation communicated the plans and expected outcomes of the transformations.

The Corporation incorporated change management practices into all phases of its transformation initiatives.

Check  mark in a green circle, meaning met the criteria

56. Weakness—Transformation program and project oversight. We found that management reported to the Board on the progress of its two transformation initiatives separately. This meant that neither the Corporation nor the Board had consolidated reporting of these initiatives and how they had an impact on the Corporation as a whole.

57. This weakness matters because without this reporting, it was difficult for senior management and Board members to understand the collective risks and impacts the initiatives were having on the Corporation. The Board could not oversee effective prioritization of initiatives, or that conflicts or resourcing issues (for example, where many initiatives affected one area at the same time) were identified and addressed in a timely manner.

58. Recommendation. The Corporation should implement reporting that enables it to understand and monitor the consolidated impacts of its transformation initiatives.

The Corporation’s response. Agreed. Although the overall impact of the corporate transformation projects has been reflected at the specific initiative level and is understood by the Board members, the Corporation will develop enhanced reporting to management and the Board, which will enable better understanding and monitoring of the consolidated impacts of significant transformation initiatives. This reporting will be implemented by the end of the first quarter of 2018.

Conclusion

59. In our opinion, based on the criteria established, there were significant deficiencies in the Corporation’s Board appointment process and in its risk management processes, but there was reasonable assurance that there were no significant deficiencies in the other systems and practices that we examined. We concluded that, except for these significant deficiencies, the Corporation maintained its systems and practices during the period covered by the audit in a manner that provided the reasonable assurance required under section 138 of the Financial Administration Act.

Subsequent Event

60. The corporate governance section of this report discusses the significant deficiency that we found in the board appointments for Export Development Canada’s Board of Directors. In November 2017, 9 of the 12 Board members’ terms had expired, and the Chairperson’s position was vacant.

61. On 28 November 2017, the Minister of International Trade announced the appointment of a new Chairperson to the Board of Directors. This new appointment will contribute to the Corporation’s oversight.

About the Audit

This independent assurance report was prepared by the Office of the Auditor General of Canada on Export Development Canada. Our responsibility was to express

Under section 131 of the Financial Administration Act (FAA), Export Development Canada is required to maintain financial and management control and information systems and management practices that provide reasonable assurance that

In addition, section 138 of the FAA requires the Corporation to have a special examination of these systems and practices carried out at least once every 10 years.

All work in this audit was performed to a reasonable level of assurance in accordance with the Canadian Standard for Assurance Engagements (CSAE) 3001—Direct Engagements set out by the Chartered Professional Accountants of Canada (CPA Canada) in the CPA Canada Handbook—Assurance.

The Office applies Canadian Standard on Quality Control 1 and, accordingly, maintains a comprehensive system of quality control, including documented policies and procedures regarding compliance with ethical requirements, professional standards, and applicable legal and regulatory requirements.

In conducting the audit work, we have complied with the independence and other ethical requirements of the relevant rules of professional conduct applicable to the practice of public accounting in Canada, which are founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality, and professional behaviour.

In accordance with our regular audit process, we obtained the following from the Corporation’s management:

Audit objective

The objective of this audit was to determine whether the systems and practices we selected for examination at Export Development Canada were providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively as required by section 138 of the Financial Administration Act.

Scope and approach

Our audit work examined Export Development Canada. The scope of the special examination was based on our assessment of the risks the Corporation faces that could affect its ability to meet the requirements set out by the Financial Administration Act.

As part of our examination, we interviewed Board members, senior management, and other individuals throughout the Corporation to gain insights into its systems and practices. We selected and tested samples of items, such as transactions, process control activities, risk mitigation strategies, projects, and reporting, to determine whether systems and practices were in place and functioned as intended.

The systems and practices selected for examination for each area of the audit are found in the exhibits throughout the report.

In carrying out the special examination, we did not rely on any internal audits. We did, however, consider the findings of a review conducted by the Office of the Superintendent of Financial Institutions in 2014–2015.

Sources of criteria

The criteria used to assess the systems and practices selected for examination are found in the exhibits throughout the report.

Corporate governance

Organisation for Economic Co-operation and DevelopmentOECD Guidelines on Corporate Governance of State-Owned Enterprises, Organisation for Economic Co-operation and Development, 2015

20 Questions Directors Should Ask about Crown Corporation Governance, Canadian Institute of Chartered Accountants, 2007

Review of the Governance Framework for Canada’s Crown Corporations—Report to Parliament, Treasury Board Secretariat, 2005

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013

Corporate Governance in Crown Corporations and Other Public Enterprises: Guidelines, Department of Finance and Treasury Board, 1996

20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006

Practice Guide: Assessing Organizational Governance in the Public Sector, The Institute of Internal Auditors, 2014

Strategic planning and performance measurement and reporting

OECD Guidelines on Corporate Governance of State-Owned Enterprises, Organisation for Economic Co-operation and Development, 2015

20 Questions Directors Should Ask about Crown Corporation Governance, Canadian Institute of Chartered Accountants, 2007

Review of the Governance Framework for Canada’s Crown Corporations—Report to Parliament, Treasury Board Secretariat, 2005

Guidelines for the Preparation of Corporate Plans, Treasury Board Secretariat, 1996

Recommended Practice Guideline: Reporting Service Performance Information, International Public Sector Accounting Standards Board, 2015

20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006

Risk management

20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006

Review of the Governance Framework for Canada’s Crown Corporations—Report to Parliament, Treasury Board Secretariat, 2005

20 Questions Directors Should Ask about Strategy, Chartered Professional Accountants of Canada, 2012

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013

Framework for the Management of Risk, Treasury Board Secretariat, 2010

Enterprise Risk Management—Integrated Framework: Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission, 2004

Credit risk management for financing and insurance

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013

Framework for the Management of Risk, Treasury Board Secretariat, 2010

Enterprise Risk Management—Integrated Framework: Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission, 2004

Corporate Governance Guideline, Office of the Superintendent of Financial Institutions, January 2013

Operational Risk Management Guideline, Office of the Superintendent of Financial Institutions, June 2016

Organizational transformation

Project Management Body of Knowledge (PMBOK) Guide, fourth edition, Project Management Institute IncorporatedInc., 2008

Policy on the Management of Projects, Treasury Board, 2013

Standard for Project Complexity and Risk, Treasury Board Secretariat, 2013

8-Step Process for Leading Change, doctorDr. John Kotter, 2012

Period covered by the audit

The special examination covered the period between 1 August 2016 and 30 June 2017. This is the period to which the audit conclusion applies. However, to gain a more complete understanding of the significant systems and practices, we also examined certain matters that preceded the starting date of the special examination. We also noted a subsequent event on 28 November 2017.

Date of the report

We obtained sufficient and appropriate audit evidence on which to base our conclusion on 8 January 2018, in Ottawa, Canada.

Audit team

Principal: Lissa Lamarche
Project Leader: Daniel Spagnolo
Project Leader: Geneviève Hivon

List of Recommendations

The following table lists the recommendations and responses found in this report. The paragraph number preceding the recommendation indicates the location of the recommendation in the report, and the numbers in parentheses indicate the location of the related discussion.

Corporate management practices

Recommendation Response

26. The Corporation should continue to engage with its responsible Minister to help ensure that appropriate appointments to its Board of Directors are made in a timely and staggered manner. (21 to 25)

The Corporation’s response. Agreed. The Corporation will continue to engage with our responsible Minister to request that appointments be made in a timely manner—and be staggered as to the number of Directors appointed in any one year—to ensure Board continuity and appropriate governance.

31. The Corporation should continue to engage with its responsible Minister and the Privy Council Office to address the issue related to the President and Chief Executive Officer’s compensation. (28 to 30)

The Corporation’s response. Agreed. The Corporation is very concerned that the total compensation structure of the President and Chief Executive Officer position is significantly below market as confirmed by a chief executive officer compensation benchmarking study conducted on behalf of the Board of Directors by external compensation consultants in August 2017. The Corporation will continue to engage with our responsible Minister and the Privy Council Office to request a review of the total compensation structure of the President and Chief Executive Officer position with the objective of ensuring that the Corporation continues to have the ability to attract, engage, and retain qualified candidates for this position going forward. This is particularly important and pressing, given that the current President and Chief Executive Officer’s term expires in early 2019.

32. The Corporation should consider disclosing its compensation framework as well as total compensation for senior management—for example, in its annual report—in line with government and financial services industry practices. (28 to 30)

The Corporation’s response. Agreed. The Corporation is continuously improving disclosure and transparency in external reporting. A review of compensation related to annual report content will be conducted relative to industry peers and best practices over the course of 2018.

Risk management

Recommendation Response

44. The Corporation should complete its risk management transformation project as planned, including the following activities:

  • developing and implementing policies to support its risk management framework in each of the three risk modules (strategic, operational, and financial);
  • completing its risk appetite statement by developing the remaining supporting policies, training, and risk limits; and
  • implementing risk identification and control assessment processes within all business units. (43)

The Corporation’s response. Agreed. The Corporation notes that work on its enterprise risk management project (the Project) is currently under way. The completion of the Project, which will more systematically address each of the elements noted within the recommendation, is and will continue to be a key priority for the Corporation, with regular reporting to the Board of Directors. The prioritization of elements to be addressed by the Project was informed by gaps previously identified by the Corporation as part of the establishment of an enterprise risk management framework and group led by the Chief Risk Officer, and by those raised during an in-depth review by the Office of the Superintendent of Financial Institutions of the Corporation’s risk management and governance practices, which took place in 2014 and 2015. Notwithstanding that a more comprehensive policy framework and approach to manage risk will be addressed by the Project, the Corporation has in place and has periodically updated policies addressing certain operational risks, including information technology, human resources, corporate security and compliance and ethics, among others.

45. The Corporation should ensure that risk reporting includes comprehensive information about operational risk management. (43)

The Corporation’s response. Agreed. The Corporation had developed work plans to enhance risk reporting to include comprehensive information about operational risk management as part of the risk management transformation project (the Project), referred to in the response to the recommendation in paragraph 44. Completion of the Project will address the elements noted within the recommendation. Completion dates for the various work streams of the Project range from the first quarter of 2018 to the last quarter of 2019, as prioritized on a risk basis.

46. The Corporation should develop an inventory and classification of key assets (including information and critical systems) and monitor and mitigate threats against these assets. (43)

The Corporation’s response. Agreed. Although the Corporation has an inventory of technology assets and physical assets, it does not have a comprehensive inventory and classification of information assets. The Corporation will develop and maintain an inventory and classification of all key assets by 30 September 2018 and will monitor and mitigate threats against these assets. The 2018 biannual Enterprise Threat Risk Assessment will use this inventory to complete its internal and external threat risk assessment by 31 December 2018.

49. The Corporation should complete its risk management transformation project as planned, with prompt consideration of the following items:

  • aligning credit risk policies and procedures with its risk appetite statement;
  • implementing the Model Risk Management Policy by completing guidelines and standards, and ensuring that models are subjected to validation according to plan, with higher-impact models being prioritized; and
  • developing risk limits that combine risk exposures across all business lines. (48)

The Corporation’s response. Agreed. The Corporation notes that work on our enterprise risk management project (the Project) is currently under way. The completion of the Project, which will more systematically address each of the elements noted within the recommendation, is and will continue to be a key priority for the Corporation, with regular reporting to the Board of Directors. The prioritization of elements to be addressed by the Project was informed by gaps previously identified by the Corporation as part of the establishment of an enterprise risk management framework and group led by the Chief Risk Officer, and by those raised during an in-depth review by the Office of the Superintendent of Financial Institutions of the Corporation’s risk management and governance practices, which took place in 2014 and 2015.

Regarding the element of the recommendation pertaining to model risk management, a Model Risk Management team is now established and reports directly to the Chief Risk Officer. To support the recently approved Model Risk Management Policy, all related guidelines and procedures are now complete. Also, an enterprise-wide model inventory and a plan to validate high-impact models are now substantially complete.

Organizational transformation

Recommendation Response

58. The Corporation should implement reporting that enables it to understand and monitor the consolidated impacts of its transformation initiatives. (56 to 57)

The Corporation’s response. Agreed. Although the overall impact of the corporate transformation projects has been reflected at the specific initiative level and is understood by the Board members, the Corporation will develop enhanced reporting to management and the Board, which will enable better understanding and monitoring of the consolidated impacts of significant transformation initiatives. This reporting will be implemented by the end of the first quarter of 2018.