2019 Spring Reports of the Auditor General of Canada to the Parliament of Canada Independent Auditors’ ReportReport of the Joint Auditors to the Board of Directors or the Business Development Bank of Canada—Special Examination—2018

2019 Spring Reports of the Auditor General of Canada to the Parliament of CanadaReport of the Joint Auditors to the Board of Directors of the Business Development Bank of Canada—Special Examination—2018

Independent Auditors’ Report

This report reproduces the special examination report that the joint auditors issued to the Business Development Bank of Canada on 3 December 2018. The Office has not performed follow-up audit work on the matters raised in this reproduced report.

Introduction

Background

1. The Business Development Bank of Canada was established in 1974 to support Canadian entrepreneurship. The Corporation focuses particularly on small and medium-sized businesses. It reports to Parliament through the Minister of Small Business and Export Promotion.

2. The Corporation is a financially self-sustaining federal Crown corporation serving more than 56,000 entrepreneurs of small and medium-sized businesses. It has three main types of business activities:

Exhibit 1 provides some details of the Corporation’s business activities and income.

Exhibit 1—The Business Development Bank of Canada’s main business activities

Exhibit 1—The Business Development Bank of Canada’s main business activities
Business activity details Value (in millions of dollars)
2016 2017 2018
Total financing committed to clients 23,818 26,711 28,532
Total investment services committed to clients 1,995 2,184 2,460
Revenues from advisory services 17 20 20
Consolidated net income 538 465 818

Source: The Business Development Bank of Canada’s 2018 Annual Report

3. In response to the Government of Canada’s request to increase investments in clean technology (cleantech), the Corporation launched its Cleantech Scale Up Initiative in December 2017. The initiative provides support to promising clean technology firms. It has a budget of $700 million, including contributions of $600 million from the government and $100 million from the Corporation between 2018 and 2022.

4. In 2015, the Office of the Superintendent of Financial Institutions completed a review of the Corporation and made a number of recommendations. The Corporation responded by developing a multi-year action plan and has been carrying it out. The plan deals mainly with governance and risk management policies and practices. The Corporation expects to fully implement the action plan by 31 March 2019.

5. In recent years, the Corporation has also undertaken change initiatives to enhance its service delivery, particularly through the use of new technologies.

6. To fulfill its mandate and successfully implement changes, the Corporation depends largely on the quality of its human resources, its ability to attract and retain skilled and experienced personnel, and its career development programs for employees.

Focus of the audit

7. Our objective for this audit was to determine whether the systems and practices we selected for examination at the Business Development Bank of Canada were providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively as required by section 138 of the Financial Administration Act.

8. In addition, section 139 of the Financial Administration Act requires that we state an opinion, with respect to the criteria established, on whether there was reasonable assurance that there were no significant deficiencies in the systems and practices examined. A significant deficiency is reported when the systems and practices examined did not meet the criteria established, resulting in a finding that the Corporation could be prevented from having reasonable assurance that its assets are safeguarded and controlled, its resources are managed economically and efficiently, and its operations are carried out effectively.

9. Based on our assessment of risks, we selected systems and practices in the following areas:

The selected systems and practices and the criteria used to assess them are found in the exhibits throughout the report.

10. More details about the audit objective, scope, approach, and sources of criteria are in About the Audit at the end of this report.

Findings, Recommendations, and Responses

Overall message

11. Overall, we found no significant deficiencies in the Corporation’s systems and practices. We found that the Corporation had systems and practices in place to deliver financing, investment, and advisory services to small and medium-sized businesses. We noted, however, that the total compensation range for the President and Chief Executive Officer was lower than the total compensation ranges for some of the senior executive positions. We also found that the Corporation was working to address the recommendations in the 2015 review conducted by the Office of the Superintendent of Financial Institutions. The recommendations concerned the Corporation’s risk management practices, including in the areas of validating financial and risk models and managing information technology risks.

Corporate management practices

12. The Corporation is governed by a Board of Directors composed of 13 members. The Board is supported by the following six committees:

13. Strategic planning is an ongoing corporate responsibility, essential for setting long-term and short-term objectives, and for identifying key risks and indicators of the results to be achieved. In Budget 2017, the Government of Canada allocated $600 million of new funding for the Corporation’s Cleantech Scale Up Initiative, which the Corporation needed to integrate into its most recent planning exercise. This funding was in addition to the $100 million provided by the Corporation.

14. Risk management systems and practices are essential for the Corporation to ensure its sustainability and to fulfill its mandate. A strong corporate risk function should play a challenge role for the business lines and contribute to robust risk management and decision making. Good risk management practices support the achievement of the Corporation’s objectives. The Corporation is exposed to strategic, reputational, and credit risks, as well as various types of operational and other financial risks. Operational risk management includes addressing technology risks—for example, business continuity planning, planning for management of disruptive events, and measures to ensure information technology (IT) security.

15. Financial institutions establish a risk appetite statement as part of their risk management practices. This statement describes the amount and type of risk an organization accepts before it must implement measures to mitigate or reduce risk. An organization’s overall tolerance for losses is broken down into thresholds and limits, which are assigned to the different business areas of the organization. The types of risk include strategic risk, operational risk, and risks related to business activities (for example, risks related to the Corporation’s lending and venture capital investing). Once the thresholds and limits are established, the organization must regularly measure and monitor its position against them to ensure that its overall risk appetite is not exceeded and that corrective action is taken when appropriate.

Compensation for the President and Chief Executive Officer was lower than the compensation for some senior executive positions, and the Corporation had weaknesses in its management of risk

16. We found that the Corporation had good corporate governance, strategic planning, and performance measurement and reporting practices. However, we found that the total compensation range for the President and Chief Executive Officer was lower than the total compensation ranges for some of the senior executive positions of the Corporation. We also found weaknesses in the way the Corporation managed risk: It had not yet completed the validation of its financial and risk models, and it did not have a formal risk management plan in place for IT.

17. Our analysis supporting this finding discusses the following topics:

18. Our recommendations in this area of examination appear at paragraphs 23, 24, 29, and 32.

19. Analysis. We found that the Corporation had good corporate governance practices in place. However, the total compensation range for the President and Chief Executive Officer was lower than the total compensation ranges for some of the senior executive positions (Exhibit 2).

Exhibit 2—Corporate governance—key findings and assessment

Exhibit 2—Corporate governance—key findings and assessment
Systems and practices Criteria used Key findings Assessment against the criteria

Board independence

The Board functioned independently.

The Corporation had Board and committee charters, procedures for managing conflicts of interest, and a code of conduct for Board members that required directors to be independent of management.

Board members declared conflicts of interest at Board meetings and in an annual statement.

The Board and its committees held regular meetings in private without management.

Check  mark in a green circle, meaning met the criteria

Providing strategic direction

The Board provided strategic direction.

The Board was active in setting the Corporation’s strategic direction.

The Board set objectives for the President and Chief Executive Officer, which aligned with the strategic direction. The Board also assessed the President and Chief Executive Officer’s performance against those objectives.

The Board worked with management to define the governance and management framework for transactions and operations of the new Cleantech Scale Up Initiative.

Check  mark in a green circle, meaning met the criteria

Board oversight (including succession planning for the President and executives, and oversight of transformation initiatives)

The Board carried out its oversight role over the Corporation.

The organizational structure of the Board reflected the nature and complexity of its business and responsibilities.

The Board’s structure was recently updated to include a new committee on the Cleantech Scale Up Initiative, reflecting the Corporation’s new responsibilities.

Board members received the necessary information to challenge, direct, and make decisions.

Internal audits were conducted and reported to the Audit Committee regularly.

The Board undertook succession planning for the President and Chief Executive Officer and executive positions.

Check  mark in a green circle, meaning met the criteria

Board appointments and competencies

The Board collectively had capacity and competencies to discharge its responsibilities.

The Board determined the skills and expertise it needed to be effective and assessed whether its members had appropriate skills and knowledge to carry out their responsibilities.

Board members were provided orientation sessions and were offered training opportunities.

The Board had access to outside expertise and used it when necessary to fill gaps in the Board’s skills and expertise.

The Board communicated with its responsible Minister about Board appointments, renewals, and vacancies.

The Board had a full complement of members, whose terms were staggered to help support continuity.

Weakness

The total compensation range for the President and Chief Executive Officer had fallen behind the total compensation ranges for some of the senior executive positions.

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Legend—Assessment against the criteria

Check  mark in a green circle, meaning met the criteria

Met the criteria

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Met the criteria, with improvement needed

Minus sign in a red circle, meaning did not meet the criteria

Did not meet the criteria

20. Weakness—Board appointments and competencies. We found that the total compensation range for the President and Chief Executive Officer had fallen behind the total compensation ranges for some of the senior executive positions. The Governor in CouncilDefinition i sets the total compensation range for the President and Chief Executive Officer, on the basis of salary ranges established in 2012. The Board of Directors established the total compensation ranges for senior executive positions, on the basis of market standards.

21. This weakness matters because the discrepancy could limit the Corporation’s ability to attract and retain qualified individuals to the President and Chief Executive Officer position, putting at risk the management of the Corporation.

22. We also found that the Corporation did not publicly disclose executive compensation—for example, in its annual report. Compensation is one of the Corporation’s largest operational expenditures. Disclosing executive compensation or salary structures would promote transparency and be in accordance with the practice in government and the financial industry. Disclosure would also help stakeholders better understand salary structures and issues related to them.

23. Recommendation. The Corporation should engage with its responsible Minister and the Privy Council Office to address the issue related to the President and Chief Executive Officer’s compensation.

The Corporation’s response. Agreed. The Corporation will review this issue and engage with the responsible Minister and the Privy Council Office as appropriate. The objective will be to ensure the ability to attract and retain qualified individuals for the President and Chief Executive Officer position.

24. Recommendation. The Corporation should consider disclosing its compensation framework as well as total compensation for senior executive positions (for example, in its annual report), to be in line with the practice in government and the financial industry.

The Corporation’s response. Agreed. The Corporation will conduct a review of the annual disclosures of both the compensation framework and the total compensation for senior executive positions.

25. Analysis. We found that the Corporation had good strategic planning practices and good performance measurement and reporting practices (Exhibit 3).

Exhibit 3—Strategic planning, and performance measurement and reporting—key findings and assessment

Exhibit 3—Strategic planning, and performance measurement and reporting—key findings and assessment
Systems and practices Criteria used Key findings Assessment against the criteria

Strategic planning process

The Corporation established its strategic plan and strategic objectives aligned with its mandate.

The Corporation had strategic planning processes in place.

The Corporation considered its internal and external environments, its competitive strengths and weaknesses, and its key risks.

The Corporation developed strategic objectives that aligned with its legislative mandate, public policy mandate, and government priorities.

The corporate plan was communicated throughout the organization.

Check  mark in a green circle, meaning met the criteria

Performance measurement

The Corporation established performance indicators in support of achieving strategic objectives.

The Corporation established performance measurements (key performance indicators and targets). It used these to assess ongoing progress toward its strategic objectives and to monitor its operations.

Check  mark in a green circle, meaning met the criteria

Performance monitoring and reporting

The Corporation monitored and reported on progress in achieving its strategic objectives.

The Corporation reported on its performance internally to the Board and senior management and externally through its annual report.

The Corporation’s monitoring of progress toward strategic objectives supported timely decision making.

Check  mark in a green circle, meaning met the criteria

Legend—Assessment against the criteria

Check  mark in a green circle, meaning met the criteria

Met the criteria

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Met the criteria, with improvement needed

Minus sign in a red circle, meaning did not meet the criteria

Did not meet the criteria

26. Analysis. During our examination, the Corporation was working to update its risk management policies and practices to address the recommendations of the Office of the Superintendent of Financial Institutions. We found weaknesses in the validation of financial and risk mitigation models and in IT risk management (Exhibit 4).

Exhibit 4—Corporate risk management—key findings and assessment

Exhibit 4—Corporate risk management—key findings and assessment
Systems and practices Criteria used Key findings Assessment against the criteria

Risk management governance, and risk identification and assessment

The Corporation identified and assessed risks to achieving strategic objectives.

The Corporation had an Enterprise Risk Management Policy, which defined risk principles, roles and responsibilities, risk appetites, and risk management activities.

The Corporation had in place a governance structure that provided for risk management committees reporting to both the Board and senior management.

The Corporation recently implemented a risk register that documented risks, assessed them in terms of impact and likelihood, and documented mitigation measures for each risk.

Check  mark in a green circle, meaning met the criteria

Risk mitigation

The Corporation defined and implemented risk mitigation measures.

The Corporation had a risk appetite statement in place for its key risk categories. This set risk tolerance (thresholds and risk limits) and provided guidance for the development of mitigation strategies.

The Corporation recently implemented an enhanced Internal Capital Adequacy Assessment Process, which assessed capital requirements.

The Corporation had a process for communicating the corporate risk appetite statement broadly within the organization.

Weakness

The Corporation had not yet subjected all of its financial and risk models to validation, to ensure that they were reliable.

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Risk monitoring and reporting

The Corporation monitored and reported on the implementation of risk mitigation measures.

Quarterly integrated risk management reports were provided to the Board’s and the Corporation’s risk management committees, as well as to the Senior Management Committee.

The reports provided detailed information on key risks. They identified the list of risks, including operational risks, and measured these against approved risk appetite thresholds and limits.

Senior management and the Board of Directors used the Internal Capital Adequacy Assessment Process report to monitor capital requirements and capital sufficiency.

Check  mark in a green circle, meaning met the criteria

Business continuity, disruptive events management plan, recovery plan, resiliency plan, and IT security

The Corporation had information systems that were available and accessible when needed, and that resisted attack and recovered from failures.

The Corporation developed an overall business continuity plan, as well as specific plans for key business processes and locations. In addition, an IT continuity plan was developed for the Corporation’s data centres. The plans were updated and tested regularly.

The Corporation conducted various IT security assessments, including vulnerability assessments for mobile applications, cloud solution assessments, IT general control assessments, email phishing awareness campaigns, and cyber-attack simulations.

Weakness

The Corporation did not yet have a formal IT risk management plan that listed all IT systems, processes, and data, and that identified those that were critical or of highest risk.

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Loan portfolio risk management

The Corporation had a risk management framework that provided for identification, measurement, mitigation, monitoring, and reporting of loan portfolio risk.

Policies for managing credit risk were documented, communicated, and aligned with the Corporation’s established risk appetite.

For its loan portfolio, the Corporation had a risk appetite statement that set qualitative measurements and quantitative thresholds and limits. The Corporation had due diligence processes for identifying and measuring risk before granting loans.

Credit and investment decisions were based on due diligence, risk evaluation, and risk-adjusted pricing.

The Corporation monitored and reported on loan portfolio risks to senior management monthly and quarterly.

Check  mark in a green circle, meaning met the criteria

Venture capital investment portfolio risk management

The Corporation had a risk management framework that provided for identification, measurement, mitigation, monitoring, and reporting of venture capital investment portfolio risk.

For its venture capital investment portfolio, the Corporation had a risk appetite statement that set qualitative measurements and quantitative thresholds and limits. The Corporation had due diligence processes for identifying and measuring risk before making investments.

There was sufficient information to support implementation of the risk appetite statement.

The Corporation identified, assessed, managed, and monitored venture capital portfolio risks. It reported on these risks to senior management quarterly.

Check  mark in a green circle, meaning met the criteria

Legend—Assessment against the criteria

Check  mark in a green circle, meaning met the criteria

Met the criteria

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Met the criteria, with improvement needed

Minus sign in a red circle, meaning did not meet the criteria

Did not meet the criteria

27. Weakness—Risk mitigation. We found that, in accordance with industry practice, the Corporation relied on financial and risk models when making decisions. It used these models to measure and manage risk by calculating borrowers’ credit ratings. It also used the models to determine the values of loans and to calculate potential losses and establish capital reserves. Models are supposed to be subjected to regular validation, during which they are verified to ensure that they are reliable. The Corporation had recently approved a Model Risk Corporate Directive, including an inventory of models used. It had begun validation as scheduled under the directive. However, the Corporation had not yet completed validation of all of its financial and risk models.

28. This weakness matters because models that have not been subjected to validation could have the unintended effect of producing unreliable information for decision making. This could expose the Corporation to unexpected losses or a shortage of capital.

29. Recommendation. The Corporation should proceed with model validation in accordance with its Model Risk Corporate Directive.

The Corporation’s response. Agreed. As noted in this audit report, the Corporation has in place a Model Risk Corporate Directive. The directive includes an inventory of all the Corporation’s models, a model risk rating assessment process (based on complexity and materiality criteria), and a model validation schedule (based on the aforementioned risk rating). Validations of the applicable models are ongoing, and the Corporation is on track to complete these validations according to the schedule within the directive.

30. Weakness—Business continuity, disruptive events management plan, recovery plan, resiliency plan, and IT security. We found that the Corporation did not yet have a formal IT risk management plan with the risk mitigation measures that focused on the most critical systems, processes, and data, and that ensured security, business resumption, or continuity.

31. This weakness matters because without a formal IT risk management plan, strategies to protect, recover, or resume operations might not be tailored to the importance or relative risk of the key systems, processes, and data concerned. The strategies might therefore not be effective in mitigating IT business continuity or security risks within the Corporation’s expressed risk appetite. This situation could expose the Corporation to operational and financial loss.

32. Recommendation. The Corporation should implement a formal IT risk management plan that lists and assesses all IT processes, systems, and data, and identifies required risk mitigation activities.

The Corporation’s response. Agreed. After the period covered by the audit, the Corporation finalized and approved an IT Risk Management Corporate Directive, which includes an IT Risk Management Framework to address the points raised by this audit. The directive was reviewed by the Audit Committee and the Board Risk Committee. The Corporation is committed to implementing the directive and components of the framework. The Corporation currently has in place a number of documented processes and controls to ensure the mitigation of IT risk.

Management of operations

33. Financing services. Lending to businesses is the largest part of the Corporation’s loan portfolio. Its Financing business line provides term loans and specialized solutions designed to support business creation and business growth, market development and expansion, investment in business growth, the acquisition and modernization of facilities and equipment, and business ownership transition.

34. For one segment of its lending to businesses, the Corporation has begun using new technological and online interfaces to offer clients faster and more convenient access to services. The Corporation plans to broaden use of these new technologies to other segments of its commercial lending as their effectiveness is proven.

35. Investment services (venture capital and other investments). Through its Venture Capital business line and other investment activities, the Corporation offers entrepreneurs various debt and equity solutions. Its investment services offer significant support to Canadian entrepreneurs of small and medium-sized businesses.

36. In 2017, the government mandated the Corporation to play a larger role in supporting clean technology companies. In December 2017, the Corporation responded by launching its Cleantech Scale Up Initiative. During the period covered by the audit, the Corporation was in the process of formalizing the initiative’s governance framework, internal controls, and procedures. The initiative had begun to deploy funds and develop its portfolio. It will rely on good governance and management practices to ensure that its operations help achieve the Corporation’s mandate while remaining within its stated risk appetite. During implementation of these practices, the Board has been involved in reviewing and approving investments under the initiative and has received detailed information on activities.

37. Advisory services. The Corporation’s Advisory Services business line helps entrepreneurs grow and develop their business. Although the business line does not currently generate net income, it provides valuable support to entrepreneurs. In recent years, to enhance its services, the Corporation segmented its clientele by size and tailored its advisory offerings to each segment. Further, the Financing business line’s account managers are becoming more involved in managing client relationships as well as the advisory services offered and delivered.

The Corporation had good practices for managing its operations

38. We found that the Corporation had good practices for managing its operations.

39. Our analysis supporting this finding discusses the following topics:

40. We made no recommendations in this area of examination.

41. Analysis. We found that the Corporation had good practices in place to manage its financing services (Exhibit 5).

Exhibit 5—Management of financing—key findings and assessment

Exhibit 5—Management of financing—key findings and assessment
Systems and practices Criteria used Key findings Assessment against the criteria

Operational planning

The Corporation defined operational plans that were aligned with strategic plans and the mandate.

The Financing business line’s operational planning aligned with the objectives of the corporate plan and strategy.

A process was in place to ensure that operational planning incorporated the requirements of key stakeholders.

The business line had a formal process for managing the risks that it faced when performing strategic planning, setting priorities, and allocating resources.

Check  mark in a green circle, meaning met the criteria

Operational plan implementation

Management implemented the operational plan to deliver results in accordance with the expected output of the business line.

The business line had processes and systems in place to implement and monitor its operational plan.

The business line developed key performance indicators to measure the output of its operations and updated them regularly.

Policies, procedures, and controls were in place to govern lending activities within the scope of the Corporation’s established risk appetite.

The Corporation formally communicated information to employees about its current performance objectives and performance indicators.

Check  mark in a green circle, meaning met the criteria

Performance monitoring and reporting

The Corporation monitored and reported on its operational results.

The business line provided monthly and quarterly reports to the Board and management. Reports included key performance indicators and compared key operational results with set expectations.

Check  mark in a green circle, meaning met the criteria

Change management: training and human resource development

The Corporation had in place change management methodology, systems, and practices necessary to the organization and its people.

The Corporation had a standardized orientation process for new employees, with specific training for the business line’s employees.

The business line had a learning and development process in place to ensure that employees had the right skills to fulfill their roles and responsibilities.

The Corporation had a performance evaluation system in place. The system used key indicators for the business line to assess progress toward individual and corporate objectives.

The Corporation had an organizational effectiveness team to support workforce planning.

The Corporation performed a workforce planning exercise to better align its human resource plan with clients’ needs and human resource priorities.

The Corporation reviewed its inventory of competencies and began updating human resource programs to align them with required competencies.

Check  mark in a green circle, meaning met the criteria

Legend—Assessment against the criteria

Check  mark in a green circle, meaning met the criteria

Met the criteria

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Met the criteria, with improvement needed

Minus sign in a red circle, meaning did not meet the criteria

Did not meet the criteria

42. Analysis. We found that the Corporation had good practices in place to manage its venture capital and other investments (Exhibit 6).

Exhibit 6—Management of venture capital and other investments—key findings and assessment

Exhibit 6—Management of venture capital and other investments—key findings and assessment
Systems and practices Criteria used Key findings Assessment against the criteria

Operational planning

The Corporation defined operational plans that were aligned with strategic plans and the mandate.

The operational plan for venture capital and for growth and transition capital aligned with the Corporation’s strategic priorities, objectives, and initiatives.

The Corporation developed its venture capital strategy on the basis of current market conditions (for example, gaps and emerging technology trends).

The Corporation considered key and emerging risks related to venture capital in its corporate plan, as well as in capital management, risk monitoring, and stress testing programs.

Check  mark in a green circle, meaning met the criteria

Operational plan implementation

Management implemented the operational plan to deliver results in accordance with the expected output of the business line.

Key performance indicators were in place for venture capital and other investment activities.

Investment strategies, policies, and procedures were documented and communicated. They aligned with the Corporation’s strategic direction and established risk appetite.

The Corporation formally communicated information to employees about its current performance objectives and performance indicators.

Processes and systems were in place to implement the operational plan for venture capital and other investment activities.

Check  mark in a green circle, meaning met the criteria

Performance monitoring and reporting

The Corporation monitored and reported on its operational results.

Processes and systems were in place to monitor results against the operational plan for venture capital and other investment activities.

Key performance indicators were reported quarterly to the Senior Management Committee and the Board.

Check  mark in a green circle, meaning met the criteria

Cleantech Scale Up Initiative—Operational planning, operational plan implementation, and performance monitoring and reporting

The Corporation defined operational plans that were aligned with strategic plans and the mandate.

Management implemented the operational plan to deliver results in accordance with the expected output of the business line.

The Corporation monitored and reported on its operational results.

The Cleantech Scale Up Initiative team developed a strategic plan for the initiative. The plan considered financial and operational risks, as well as stakeholder needs. It aligned with the corporate plan and mandate.

The team developed a risk appetite statement specifically for the initiative, to ensure that major risks for investments under the initiative were identified and analyzed.

The initiative had well-established criteria for investment eligibility, which had been approved by the Board.

While processes were being developed and implemented, senior management, the Chief Risk Officer, and the Board of Directors were closely involved in approving transactions.

The initiative team was in the process of implementing the necessary governance, monitoring, and reporting processes for the initiative, including key performance indicators and key risk indicators.

Check  mark in a green circle, meaning met the criteria

Legend—Assessment against the criteria

Check  mark in a green circle, meaning met the criteria

Met the criteria

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Met the criteria, with improvement needed

Minus sign in a red circle, meaning did not meet the criteria

Did not meet the criteria

43. Analysis. We found that the Corporation had good practices in place to manage its advisory services (Exhibit 7).

Exhibit 7—Management of advisory services—key findings and assessment

Exhibit 7—Management of advisory services—key findings and assessment
Systems and practices Criteria used Key findings Assessment against the criteria

Operational planning

The Corporation defined operational plans that were aligned with strategic plans and the mandate.

The Advisory Services business line’s three-year strategic plan aligned with the Corporation’s corporate plan, and with its principal objectives and priorities.

The operational plan included key strategic initiatives, a detailed timeline of activities, identification of risks and mitigating activities, and identification of the level of support needed from corporate functions to achieve objectives.

The business line put in place key performance indicators and budgets to monitor its performance against the operational plan.

Check  mark in a green circle, meaning met the criteria

Operational plan implementation

Management implemented the operational plan to deliver results in accordance with the expected output of the business line.

The corporate plan and business unit plans were published internally and communicated throughout the organization to achieve established objectives.

The business line’s policies, directives, and process flow were up to date, reflected current practices, and were made available to all employees on the corporate intranet.

Individual performance objectives aligned with the achievement of the strategic plan.

Check  mark in a green circle, meaning met the criteria

Performance monitoring and reporting

The Corporation monitored and reported on its operational results.

The business line reported key performance indicators quarterly to the Senior Management Committee and the Board.

A formal process for monitoring key risk indicators was set out in the business line’s risk appetite statement.

The Corporation made use of independent client satisfaction surveys to monitor performance.

Check  mark in a green circle, meaning met the criteria

Advisory services management

The Corporation had in place systems and practices to support the delivery of advisory services.

The Corporation established processes for performing due diligence on external consultants before allowing them to begin working with the business line.

Contracts to provide consulting services to clients were clearly defined, with stipulated timelines, deliverables, and fees.

Check  mark in a green circle, meaning met the criteria

Change management: training and human resource development

The Corporation had in place change management methodology, systems, and practices necessary to the organization and its people.

The Corporation had a standardized orientation process for new employees, with specific training and development opportunities for the business line’s employees.

The Corporation had a performance evaluation system in place. The system used key indicators for the business line to assess progress toward individual and corporate objectives.

The Human Resources team was involved extensively in the workforce planning process to support ongoing initiatives.

The inventory of competencies was reviewed and updated to reflect the Corporation’s requirements.

Check  mark in a green circle, meaning met the criteria

Legend—Assessment against the criteria

Check  mark in a green circle, meaning met the criteria

Met the criteria

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Met the criteria, with improvement needed

Minus sign in a red circle, meaning did not meet the criteria

Did not meet the criteria

Conclusion

44. In our opinion, based on the criteria established, there was reasonable assurance that there were no significant deficiencies in the Business Development Bank of Canada’s systems and practices that we examined. We concluded that the Corporation maintained its systems and practices during the period covered by the audit in a manner that provided the reasonable assurance required under section 138 of the Financial Administration Act.

About the Audit

This independent assurance report was prepared by the Office of the Auditor General of Canada (the Office) and Deloitte Limited Liability PartnershipLLPFootnote 1 on the Business Development Bank of Canada. Our responsibility was to express

Under section 131 of the Financial Administration Act (FAA), the Business Development Bank of Canada is required to maintain financial and management control and information systems and management practices that provide reasonable assurance that

In addition, section 138 of the FAA requires the Corporation to have a special examination of these systems and practices carried out at least once every 10 years.

All work in this audit was performed to a reasonable level of assurance in accordance with the Canadian Standard for Assurance Engagements (CSAE) 3001—Direct Engagements set out by the Chartered Professional Accountants of Canada (CPA Canada) in the CPA Canada Handbook—Assurance.

The Office and Deloitte LLP apply Canadian Standard on Quality Control 1 and, accordingly, each maintain a comprehensive system of quality control, including documented policies and procedures regarding compliance with ethical requirements, professional standards, and applicable legal and regulatory requirements.

In conducting the audit work, we have complied with the independence and other ethical requirements of the relevant rules of professional conduct applicable to the practice of public accounting in Canada, which are founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality, and professional behaviour.

In accordance with our regular audit process, we obtained the following from the Corporation’s management:

Audit objective

The objective of this audit was to determine whether the systems and practices we selected for examination at the Business Development Bank of Canada were providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively as required by section 138 of the Financial Administration Act.

Scope and approach

Our audit work examined the Business Development Bank of Canada. The scope of the special examination was based on our assessment of the risks the Corporation faces that could affect its ability to meet the requirements set out by the Financial Administration Act.

In performing our work, we reviewed key documents related to the systems and practices selected for examination. We interviewed members of the Board of Directors, senior management, and other employees of the Corporation. We also tested the systems and practices in place to obtain the required level of audit assurance.

The systems and practices selected for examination for each area of the audit are found in the exhibits throughout the report.

In carrying out the special examination, we did not rely on any internal audits. We did, however, consider the findings of a review conducted by the Office of the Superintendent of Financial Institutions in 2015.

Sources of criteria

The criteria used to assess the systems and practices selected for examination are found in the exhibits throughout the report.

Corporate governance

Meeting the Expectations of Canadians: Review of the Governance Framework for Canada’s Crown Corporations, Treasury Board Secretariat, 2005

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013

Corporate Governance in Crown Corporations and Other Public Enterprises—Guidelines, Department of Finance and Treasury Board, 1996

20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006

Performance Management Program for Chief Executive Officers of Crown Corporations—Guidelines, Privy Council Office, 2016

Practice Guide: Assessing Organizational Governance in the Public Sector, The Institute of Internal Auditors, 2014

Strategic planning, and performance measurement and reporting

Meeting the Expectations of Canadians: Review of the Governance Framework for Canada’s Crown Corporations, Treasury Board Secretariat, 2005

Guidelines for the Preparation of Corporate Plans, Treasury Board Secretariat, 1996

Corporate Governance in Crown Corporations and Other Public Enterprises—Guidelines, Department of Finance and Treasury Board, 1996

Recommended Practice Guideline 3, Reporting Service Performance Information, International Public Sector Accounting Standards Board, 2015

20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006

Corporate risk management

20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013

Corporate Governance in Crown Corporations and Other Public Enterprises—Guidelines, Department of Finance and Treasury Board, 1996

Control Objectives for Information and related TechnologyCOBIT 5 Framework—APO13 (Manage Security), BAI10 (Manage Configuration), DSS05 (Manage Security Services), MEA03 (Monitor, Evaluate and Assess Compliance with External Requirements), Information Systems Audit and Control AssociationISACA

Management of financing

Guidelines for the Preparation of Corporate Plans, Treasury Board Secretariat, 1996

A Guide to the Project Management Body of Knowledge (PMBOK® Guide), fourth edition, Project Management Institute IncorporatedInc., 2008

COBIT 5 Framework—APO05 (Manage Portfolio), BAI01 (Manage Programmes and Projects), ISACA

Plan-Do-Check-Act management model adapted from the Deming Cycle

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013

COBIT 5 Framework—EDM02 (Ensure Benefits Delivery), ISACA

20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006

Corporate Governance in Crown Corporations and Other Public Enterprises—Guidelines, Department of Finance and Treasury Board, 1996

Policy on Learning, Training, and Development, Treasury Board, 2006

Ultimate Human ResourceHR Manual, Human Resource Professionals Association and Commerce Clearing HouseCCH

Management of venture capital and other investments

Guidelines for the Preparation of Corporate Plans, Treasury Board Secretariat, 1996

A Guide to the Project Management Body of Knowledge (PMBOK® Guide), fourth edition, Project Management Institute Inc., 2008

COBIT 5 Framework—APO05 (Manage Portfolio), BAI01 (Manage Programmes and Projects), ISACA

Plan-Do-Check-Act management model adapted from the Deming Cycle

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013

COBIT 5 Framework—EDM02 (Ensure Benefits Delivery), ISACA

20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006

Corporate Governance in Crown Corporations and Other Public Enterprises—Guidelines, Department of Finance and Treasury Board of Canada, 1996

Management of advisory services

Guidelines for the Preparation of Corporate Plans, Treasury Board Secretariat, 1996

A Guide to the Project Management Body of Knowledge (PMBOK® Guide), fourth edition, Project Management Institute Inc., 2008

COBIT 5 Framework—APO05 (Manage Portfolio), BAI01 (Manage Programmes and Projects), ISACA

Plan-Do-Check-Act management model adapted from the Deming Cycle

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013

COBIT 5 Framework—EDM02 (Ensure Benefits Delivery), ISACA

Policy on Learning, Training, and Development, Treasury Board, 2006

Ultimate HR Manual, Human Resource Professionals Association and CCH

Period covered by the audit

The special examination covered the period between 25 September 2017 and 23 July 2018. This is the period to which the audit conclusion applies. However, to gain a more complete understanding of the significant systems and practices, we also examined certain matters that preceded the starting date of this period.

Date of the report

We obtained sufficient and appropriate audit evidence on which to base our conclusion on 25 October 2018 in Ottawa and Montréal, Canada.

Audit team

Office of the Auditor General of Canada:

Principal: Lissa Lamarche
Director: Patrick Polan
Geneviève Hivon
Kim Villeneuve

Deloitte LLP:

Partners: Umberto Delucilla and Normand Favreau
Managers: Mariama Zhouri and Julie Retik

List of Recommendations

The following table lists the recommendations and responses found in this report. The paragraph number preceding the recommendation indicates the location of the recommendation in the report, and the numbers in parentheses indicate the location of the related discussion.

Corporate management practices
Recommendation Response

23. The Corporation should engage with its responsible Minister and the Privy Council Office to address the issue related to the President and Chief Executive Officer’s compensation. (20 to 22)

The Corporation’s response. Agreed. The Corporation will review this issue and engage with the responsible Minister and the Privy Council Office as appropriate. The objective will be to ensure the ability to attract and retain qualified individuals for the President and Chief Executive Officer position.

24. The Corporation should consider disclosing its compensation framework as well as total compensation for senior executive positions (for example, in its annual report), to be in line with the practice in government and the financial industry. (20 to 22)

The Corporation’s response. Agreed. The Corporation will conduct a review of the annual disclosures of both the compensation framework and the total compensation for senior executive positions.

29. The Corporation should proceed with model validation in accordance with its Model Risk Corporate Directive. (27 to 28)

The Corporation’s response. Agreed. As noted in this audit report, the Corporation has in place a Model Risk Corporate Directive. The directive includes an inventory of all the Corporation’s models, a model risk rating assessment process (based on complexity and materiality criteria), and a model validation schedule (based on the aforementioned risk rating). Validations of the applicable models are ongoing, and the Corporation is on track to complete these validations according to the schedule within the directive.

32. The Corporation should implement a formal IT risk management plan that lists and assesses all IT processes, systems, and data, and identifies required risk mitigation activities. (30 to 31)

The Corporation’s response. Agreed. After the period covered by the audit, the Corporation finalized and approved an IT Risk Management Corporate Directive, which includes an IT Risk Management Framework to address the points raised by this audit. The directive was reviewed by the Audit Committee and the Board Risk Committee. The Corporation is committed to implementing the directive and components of the framework. The Corporation currently has in place a number of documented processes and controls to ensure the mitigation of IT risk.