Introduction

Background

1. The Business Development Bank of Canada was established in 1974 to support Canadian entrepreneurship. The Corporation focuses particularly on small and medium-sized businesses. It reports to Parliament through the Minister of Small Business and Export Promotion.

2. The Corporation is a financially self-sustaining federal Crown corporation serving more than 56,000 entrepreneurs of small and medium-sized businesses. It has three main types of business activities:

• financing services, which consist mainly of various lending solutions;
• investment services (including venture capital and other investments), which provide debt and equity solutions; and
• advisory services, which help entrepreneurs grow and develop their business.

Exhibit 1 provides some details of the Corporation’s business activities and income.

3. In response to the Government of Canada’s request to increase investments in clean technology (cleantech), the Corporation launched its Cleantech Scale Up Initiative in December 2017. The initiative provides support to promising clean technology firms. It has a budget of $700 million, including contributions of $600 million from the government and $100 million from the Corporation between 2018 and 2022.

4. In 2015, the Office of the Superintendent of Financial Institutions completed a review of the Corporation and made a number of recommendations. The Corporation responded by developing a multi-year action plan and has been carrying it out. The plan deals mainly with governance and risk management policies and practices. The Corporation expects to fully implement the action plan by 31 March 2019.

5. In recent years, the Corporation has also undertaken change initiatives to enhance its service delivery, particularly through the use of new technologies.

6. To fulfill its mandate and successfully implement changes, the Corporation depends largely on the quality of its human resources, its ability to attract and retain skilled and experienced personnel, and its career development programs for employees.

Focus of the audit

7. Our objective for this audit was to determine whether the systems and practices we selected for examination at the Business Development Bank of Canada were providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively as required by section 138 of the Financial Administration Act.

8. In addition, section 139 of the Financial Administration Act requires that we state an opinion, with respect to the criteria established, on whether there was reasonable assurance that there were no significant deficiencies in the systems and practices examined. A significant deficiency is reported when the systems and practices examined did not meet the criteria established, resulting in a finding that the Corporation could be prevented from having reasonable assurance that its assets are safeguarded and controlled, its resources are managed economically and efficiently, and its operations are carried out effectively.

9. Based on our assessment of risks, we selected systems and practices in the following areas:

• corporate management practices, and
• management of operations.

The selected systems and practices and the criteria used to assess them are found in the exhibits throughout the report.

10. More details about the audit objective, scope, approach, and sources of criteria are in About the Audit at the end of this report.

Findings, Recommendations, and Responses

Overall message

11. Overall, we found no significant deficiencies in the Corporation’s systems and practices. We found that the Corporation had systems and practices in place to deliver financing, investment, and advisory services to small and medium-sized businesses. We noted, however, that the total compensation range for the President and Chief Executive Officer was lower than the total compensation ranges for some of the senior executive positions. We also found that the Corporation was working to address the recommendations in the 2015 review conducted by the Office of the Superintendent of Financial Institutions. The recommendations concerned the Corporation’s risk management practices, including in the areas of validating financial and risk models and managing information technology risks.

Corporate management practices

12. The Corporation is governed by a Board of Directors composed of 13 members. The Board is supported by the following six committees:

• Audit Committee,
• Governance/Nominating Committee,
• Board Risk Committee,
• Board Investment Committee,
• Clean Technology Special Committee, and
• Human Resources Committee.

13. Strategic planning is an ongoing corporate responsibility, essential for setting long-term and short-term objectives, and for identifying key risks and indicators of the results to be achieved. In Budget 2017, the Government of Canada allocated $600 million of new funding for the Corporation’s Cleantech Scale Up Initiative, which the Corporation needed to integrate into its most recent planning exercise. This funding was in addition to the $100 million provided by the Corporation.

14. Risk management systems and practices are essential for the Corporation to ensure its sustainability and to fulfill its mandate. A strong corporate risk function should play a challenge role for the business lines and contribute to robust risk management and decision making. Good risk management practices support the achievement of the Corporation’s objectives. The Corporation is exposed to strategic, reputational, and credit risks, as well as various types of operational and other financial risks. Operational risk management includes addressing technology risks—for example, business continuity planning, planning for management of disruptive events, and measures to ensure information technology (IT) security.

15. Financial institutions establish a risk appetite statement as part of their risk management practices. This statement describes the amount and type of risk an organization accepts before it must implement measures to mitigate or reduce risk. An organization’s overall tolerance for losses is broken down into thresholds and limits, which are assigned to the different business areas of the organization. The types of risk include strategic risk, operational risk, and risks related to business activities (for example, risks related to the Corporation’s lending and venture capital investing). Once the thresholds and limits are established, the organization must regularly measure and monitor its position against them to ensure that its overall risk appetite is not exceeded and that corrective action is taken when appropriate.

Compensation for the President and Chief Executive Officer was lower than the compensation for some senior executive positions, and the Corporation had weaknesses in its management of risk

16. We found that the Corporation had good corporate governance, strategic planning, and performance measurement and reporting practices. However, we found that the total compensation range for the President and Chief Executive Officer was lower than the total compensation ranges for some of the senior executive positions of the Corporation. We also found weaknesses in the way the Corporation managed risk: It had not yet completed the validation of its financial and risk models, and it did not have a formal risk management plan in place for IT.

17. Our analysis supporting this finding discusses the following topics:

• Corporate governance
• Strategic planning, and performance measurement and reporting
• Corporate risk management

18. Our recommendations in this area of examination appear at paragraphs 23, 24, 29, and 32.

19. Analysis. We found that the Corporation had good corporate governance practices in place. However, the total compensation range for the President and Chief Executive Officer was lower than the total compensation ranges for some of the senior executive positions (Exhibit 2).

20. Weakness—Board appointments and competencies. We found that the total compensation range for the President and Chief Executive Officer had fallen behind the total compensation ranges for some of the senior executive positions. The Governor in Council^{Definition i} sets the total compensation range for the President and Chief Executive Officer, on the basis of salary ranges established in 2012. The Board of Directors established the total compensation ranges for senior executive positions, on the basis of market standards.

21. This weakness matters because the discrepancy could limit the Corporation’s ability to attract and retain qualified individuals to the President and Chief Executive Officer position, putting at risk the management of the Corporation.

22. We also found that the Corporation did not publicly disclose executive compensation—for example, in its annual report. Compensation is one of the Corporation’s largest operational expenditures. Disclosing executive compensation or salary structures would promote transparency and be in accordance with the practice in government and the financial industry. Disclosure would also help stakeholders better understand salary structures and issues related to them.

23. Recommendation. The Corporation should engage with its responsible Minister and the Privy Council Office to address the issue related to the President and Chief Executive Officer’s compensation.

The Corporation’s response. Agreed. The Corporation will review this issue and engage with the responsible Minister and the Privy Council Office as appropriate. The objective will be to ensure the ability to attract and retain qualified individuals for the President and Chief Executive Officer position.

24. Recommendation. The Corporation should consider disclosing its compensation framework as well as total compensation for senior executive positions (for example, in its annual report), to be in line with the practice in government and the financial industry.

The Corporation’s response. Agreed. The Corporation will conduct a review of the annual disclosures of both the compensation framework and the total compensation for senior executive positions.

25. Analysis. We found that the Corporation had good strategic planning practices and good performance measurement and reporting practices (Exhibit 3).

26. Analysis. During our examination, the Corporation was working to update its risk management policies and practices to address the recommendations of the Office of the Superintendent of Financial Institutions. We found weaknesses in the validation of financial and risk mitigation models and in IT risk management (Exhibit 4).

27. Weakness—Risk mitigation. We found that, in accordance with industry practice, the Corporation relied on financial and risk models when making decisions. It used these models to measure and manage risk by calculating borrowers’ credit ratings. It also used the models to determine the values of loans and to calculate potential losses and establish capital reserves. Models are supposed to be subjected to regular validation, during which they are verified to ensure that they are reliable. The Corporation had recently approved a Model Risk Corporate Directive, including an inventory of models used. It had begun validation as scheduled under the directive. However, the Corporation had not yet completed validation of all of its financial and risk models.

28. This weakness matters because models that have not been subjected to validation could have the unintended effect of producing unreliable information for decision making. This could expose the Corporation to unexpected losses or a shortage of capital.

29. Recommendation. The Corporation should proceed with model validation in accordance with its Model Risk Corporate Directive.

The Corporation’s response. Agreed. As noted in this audit report, the Corporation has in place a Model Risk Corporate Directive. The directive includes an inventory of all the Corporation’s models, a model risk rating assessment process (based on complexity and materiality criteria), and a model validation schedule (based on the aforementioned risk rating). Validations of the applicable models are ongoing, and the Corporation is on track to complete these validations according to the schedule within the directive.

30. Weakness—Business continuity, disruptive events management plan, recovery plan, resiliency plan, and IT security. We found that the Corporation did not yet have a formal IT risk management plan with the risk mitigation measures that focused on the most critical systems, processes, and data, and that ensured security, business resumption, or continuity.

31. This weakness matters because without a formal IT risk management plan, strategies to protect, recover, or resume operations might not be tailored to the importance or relative risk of the key systems, processes, and data concerned. The strategies might therefore not be effective in mitigating IT business continuity or security risks within the Corporation’s expressed risk appetite. This situation could expose the Corporation to operational and financial loss.

32. Recommendation. The Corporation should implement a formal IT risk management plan that lists and assesses all IT processes, systems, and data, and identifies required risk mitigation activities.

The Corporation’s response. Agreed. After the period covered by the audit, the Corporation finalized and approved an IT Risk Management Corporate Directive, which includes an IT Risk Management Framework to address the points raised by this audit. The directive was reviewed by the Audit Committee and the Board Risk Committee. The Corporation is committed to implementing the directive and components of the framework. The Corporation currently has in place a number of documented processes and controls to ensure the mitigation of IT risk.

Management of operations

33. Financing services. Lending to businesses is the largest part of the Corporation’s loan portfolio. Its Financing business line provides term loans and specialized solutions designed to support business creation and business growth, market development and expansion, investment in business growth, the acquisition and modernization of facilities and equipment, and business ownership transition.

34. For one segment of its lending to businesses, the Corporation has begun using new technological and online interfaces to offer clients faster and more convenient access to services. The Corporation plans to broaden use of these new technologies to other segments of its commercial lending as their effectiveness is proven.

35. Investment services (venture capital and other investments). Through its Venture Capital business line and other investment activities, the Corporation offers entrepreneurs various debt and equity solutions. Its investment services offer significant support to Canadian entrepreneurs of small and medium-sized businesses.

36. In 2017, the government mandated the Corporation to play a larger role in supporting clean technology companies. In December 2017, the Corporation responded by launching its Cleantech Scale Up Initiative. During the period covered by the audit, the Corporation was in the process of formalizing the initiative’s governance framework, internal controls, and procedures. The initiative had begun to deploy funds and develop its portfolio. It will rely on good governance and management practices to ensure that its operations help achieve the Corporation’s mandate while remaining within its stated risk appetite. During implementation of these practices, the Board has been involved in reviewing and approving investments under the initiative and has received detailed information on activities.

37. Advisory services. The Corporation’s Advisory Services business line helps entrepreneurs grow and develop their business. Although the business line does not currently generate net income, it provides valuable support to entrepreneurs. In recent years, to enhance its services, the Corporation segmented its clientele by size and tailored its advisory offerings to each segment. Further, the Financing business line’s account managers are becoming more involved in managing client relationships as well as the advisory services offered and delivered.

The Corporation had good practices for managing its operations

38. We found that the Corporation had good practices for managing its operations.

39. Our analysis supporting this finding discusses the following topics:

• Management of financing
• Management of venture capital and other investments
• Management of advisory services

40. We made no recommendations in this area of examination.

41. Analysis. We found that the Corporation had good practices in place to manage its financing services (Exhibit 5).

42. Analysis. We found that the Corporation had good practices in place to manage its venture capital and other investments (Exhibit 6).

43. Analysis. We found that the Corporation had good practices in place to manage its advisory services (Exhibit 7).

Conclusion

44. In our opinion, based on the criteria established, there was reasonable assurance that there were no significant deficiencies in the Business Development Bank of Canada’s systems and practices that we examined. We concluded that the Corporation maintained its systems and practices during the period covered by the audit in a manner that provided the reasonable assurance required under section 138 of the Financial Administration Act.