Audit of the Management Control Framework (MCF)—Canadian Intellectual Property Office (CIPO)

Audit and Evaluation Branch
Industry Canada
March 2005

Report and management response approved by DAEC on December 8, 2005


1.0 Executive Summary

1.1 Introduction

The Canadian Intellectual Property Office (CIPO), a Special Operating Agency of Industry Canada, administers Canada's Intellectual Property (IP) systems comprising patents, trade-marks, copyrights, industrial designs and integrated circuit topographies. CIPO's primary clients include: applicants for IP protection, agents representing applicants, users of IP systems and the Canadian business community. CIPO partners with provincial research councils, universities and other federal government agencies to build awareness of its products and services and increase the effective use of IP by Canadians.

In 2000, CIPO undertook a Baldrige Assessment. This systematic and independent examination of the organization led to change initiatives to improve CIPO's ability to define and address its business objectives and priorities.

The objective of the audit was to assess whether CIPO has an effective management control framework in place. The audit covered the management processes in place at CIPO from January to March 2005.

1.2 Overall Assessment

Overall, auditors found that the CIPO Management Control Framework (MCF) is adequate and effective. The MCF provides reasonable assurance that the organization is well positioned to manage risk and achieve stated objectives.

1.3 Main Findings, Conclusion and Recommendations

Auditors determined that CIPO is a highly citizen-focused organization, with a very well structured strategic and operational planning environment. Since 2000, CIPO has charted a path of continuous self-assessment and improvement and has implemented, or is in the process of implementing, all aspects of Treasury Board Secretariat's (TBS) Management Accountability Framework (MAF).

1.3.1 Governance & Strategic Direction (See Section 3.1)

CIPO has a corporate management framework aligned to strategic outcomes; results-focused corporate priorities; a strategic resource allocation/reallocation process based on performance; an integrated agenda for management excellence; and a cyclical scanning of its environment (Domestic and International factors, including client satisfaction and relationships).

The annual strategic planning process includes a review and updating of the CIPO Business and Financial Plan, the Long-term Capital Plan and the Strategic Information Technology Plan. Human resource strategies are aligned with priorities defined in the Annual Business and Financial Plan, as are the allocation of Information Technology (IT) resources. The CIPO Executive Dashboard, produced monthly, supports the monitoring of performance on key priorities and indicators and the timely reallocation of resources, if necessary.

Conclusion

The essential conditions of governance and strategic direction are in place for providing effective strategic planning and support to the Minister and Parliament, as well as for the delivery of results.

1.3.2 Public Service Values (See Section 3.2)

CIPO senior managers continually reinforce the importance of values and ethics in the delivery of services and products. While CIPO has not developed a unique values and ethics program, the organization does operate in alignment with ethics and values policies of both the Government of Canada and Industry Canada. The adequacy or effectiveness of ethics and values activities, in a CIPO context, has not been evaluated to date.

Conclusion

The ethics and values policies that CIPO relies on reflect those used in many government departments and agencies. However, it may be that existing practices do not adequately address the risk of inappropriate use of information derived from business activities, such as the processing of Patent applications.

Recommendation

The CIPO CEO / Commissioner should ensure that an evaluation of the adequacy of the ethics and values program of CIPO be undertaken and, if necessary, a unique CIPO Values and Ethics Program should be developed and implemented.

1.3.3 Results and Performance (See Section 3.3)

The CIPO Executive Dashboard is produced for use by CIPO management. It integrates financial and non-financial performance information pertaining to Operations, Finance, Human Resources and client feedback. While some of the current performance measures support decision-making relevant to the achievement of the organization's objectives, it is recognized that there is room for improvement (Follow-up to Baldrige Assessment 2004 – see Section 1.3.10). Performance is monitored against client expectations and is compared to other Intellectual Property (IP) Offices.

Conclusion

Relevant information on results is gathered and used to make departmental decisions. Public reporting is balanced, transparent, and easy to understand. The CIPO continuous innovation and transformation process and the annual strategic planning process provide opportunities for improvements in the definition, collection and use of results and performance information.

1.3.4 Policy and Programs (See Section 3.4)

IP policy responsibilities are divided between the Industry Canada Policy Sector and CIPO Corporate Strategies Branch (CSB). Industry Canada has the mandate to implement IP Policy, looking at the significant policy issues and changes. CSB focuses on a small group of technical policy changes resulting from court decisions and regulatory changes to definitions. CSB is also building expertise to allow it to undertake economic analysis and policy research projects. This expertise will enable CIPO to benchmark against other IP Offices, enter into joint projects with organizations and universities, better understand and influence innovation, and increase citizen engagement.

Conclusion

CIPO has, or is in the process of developing, a sustainable research and analytical capacity to provide a high level of quality assurance in the areas of developing policy options, designing programs, and providing advice to Ministers.

1.3.5 People (See Section 3.5)

Each CIPO Director acts as the champion for a specific Human Resource (HR) objective and is required to report to the CIPO Executive Committee on a quarterly basis. HR Champions have been established for the following functions:

  • Employment Equity;
  • Official Languages;
  • Learning;
  • Recruitment and Retention; and
  • Workplace Well-Being.

The monthly CIPO Executive Dashboard provides statistics on performance against HR targets in each of the above categories. Models are used to determine operational resource requirements. The recruitment process includes a structured training program. There is an awareness of the HR issues facing CIPO at all organizational levels.

Conclusion

CIPO leaders demonstrate a commitment to maintaining a positive work environment, and a focus on building capacity and leadership to assure future success.

1.3.6 Citizen Focused Service (See Section 3.6)

CIPO is a client-driven organization. It has established organizational units with responsibilities for client communication and outreach programs, and works with its clients to monitor and continuously improve its service. CIPO uses the Internet to assist in delivering services, communicating with clients and obtaining client feedback. CIPO has introduced incentives for clients to submit applications in an electronic format.

CIPO works with both Canadian and international Intellectual Property organizations to promote services, improve quality, and achieve its mission.

Conclusion

CIPO has clearly addressed, and is committed to, all aspects of providing client-focused services.

1.3.7 Risk Management (See Section 3.7)

Operational and product line risks are formally addressed within the strategic and operational planning process. Risks that affect the delivery of services such as Patents and Trade-marks are monitored and analyzed. As required, mitigation strategies and activities are implemented. Corporate and horizontal risks are identified, discussed and addressed. However, CIPO does not have an enterprise-level risk management system to clearly define the corporate context and the practices for proactively managing organizational and strategic risks.

To illustrate the above, the patent officer annual terminable allowance (bonus) of $5,138 to $12,216 is scheduled to end on September 30, 2005 and there is concern that it will not be renewed. While some discussions have taken place with respect to the impact to CIPO, there has been no formal and systematic approach to managing this potential risk to employee morale and to CIPO's ability to achieve its Human Resources objectives.

Conclusion

There is evidence that risk is considered in strategic planning activities, and that key risks are identified and managed. CIPO could, however, improve corporate risk management, communication and coordination activities, thereby becoming more effective at identifying opportunities and minimizing negative outcomes.

Recommendation

The CIPO CEO / Commissioner should ensure a review and improvement of CIPO Corporate Risk Management strategies and practices.

1.3.8 Stewardship (See Section 3.8)

CIPO makes use of Industry Canada financial and Human Resources systems. Revenue information is captured in the CIPO Financial Integrated Transaction Tracking (FITT) system. Operational support systems feed data into management information systems that are used to track operational performance. Financial delegations are monitored and controlled. There is an awareness of policies, regulations and legislation.

The CIPO Finance Operations Unit verifies expenditures over $2000 against supporting documentation prior to approval for payment. Expenditures under $2000 are batched and are to be randomly reviewed after payment by Industry Canada. However, there is evidence that the transactions under $2000 are not being audited at present, and, within the CIPO Finance group, concerns were expressed with respect to the monitoring of credit card bulk payments.

CIPO has a Business Continuity Plan (BCP) in place. A BCP Coordinator is responsible for maintaining the plan and for ensuring that contact lists are up-to-date. The auditors found that the:

  • BCP was being revised to make it easier to use, update and disseminate;
  • BCP has not, as yet, been subjected to formal review or testing; and
  • Disaster Recovery Plan (DRP), prepared by the Informatics Services Branch (ISB), was in the early stages of development.

Conclusion

Overall, CIPO's control regime is integrated and effective and the underlying principles are clear to all staff. However, the lack of oversight of financial transactions under $2000, as well as those processed in bulk, increases the risk that an inappropriate expenditure will go undetected. In addition, without a fully tested BCP, CIPO lacks the assurance that it can effectively continue critical business functions in the event of a critical incident.

Recommendations

The Director, Planning, Finance and Administration Branch, should ensure that expenditures of less than $2000 and credit card transactions processed in bulk are appropriately sampled and monitored.

The CIPO CEO/Commissioner should ensure that priority is given to establishing fully tested Business Continuity and Disaster Recovery Plans, and that such plans are kept up-to-date over time.

1.3.9 Accountability (See Section 3.9)

CIPO accountabilities and responsibilities for due process and results are well defined. Organizational units tend to have unity of objectives and product lines which facilitates the assignment of accountability for operational results and resources.

Performance and Management Accords contain cascading operational commitments. Commitments for other corporate and strategic priorities such as HR objectives are less well defined.

The committee structure reflects CIPO's corporate priorities and objectives and the major components of its Integrated Strategic Framework. Many of the committees have been created recently and the mandates of existing committees have changed. At the time of the audit, Terms of Reference for various corporate committees were not available or, if they were available, required revision.

Conclusion

CIPO accountabilities for results are clearly assigned and are consistent with resources. Delegations are appropriate to capabilities. While adequate, the CIPO accountability framework could be improved to promote a greater common understanding and alignment of individual and corporate commitments by:

  • Ensuring that current corporate Terms of Reference are in place that define:
    • Membership;
    • Authority, purpose;
    • Scope and mandate;
    • Frequency; and
    • Expected results and time-frames.
  • Taking an integrated approach to establishing Performance Accords with cascading strategic and operational commitments (such as HR priorities) for all employees; and
  • Improving internal communication practices and processes.

Recommendation

The CIPO CEO / Commissioner should ensure that:

  • Terms of Reference for Committees are current and are communicated across CIPO;
  • The performance review process is revised to better address strategic priorities and objectives (at all levels); and
  • Priority is given to an initiative to improve internal communications.

1.3.10 Learning, Innovation and Change Management (See Section 3.10)

In the year 2000, CIPO commenced a program of continuous improvement. A Baldrige Assessment was performed to provide a baseline of where CIPO was at this time against a standard (a detailed evaluation) and to provide recommendations (at a higher level) of actions to be undertaken. CIPO continues to use the Baldrige methodology to evaluate strengths and weaknesses, to measure progress in its transformation, and to develop or adjust action plans (Baldrige Follow-up Survey; October 2004).

Conclusion

CIPO manages in an open and transparent manner within an environment of continuous innovation and transformation, learning from its past performance.

The CIPO executive management team recognizes that it has made progress in establishing a culture of learning, innovation and change management. It also recognizes that there is still work to be done.

Recommendation

The CIPO CEO / Commissioner should ensure that CIPO continues to address the Baldrige Assessment recommendations and action plan.

2.0 Introduction

2.1 Background

The Canadian Intellectual Property Office (CIPO), a Special Operating Agency of Industry Canada, is responsible for administering Canada's Intellectual Property (IP) rights, namely: patents, trade-marks, copyrights, industrial designs and integrated circuit topographies. The key functions of CIPO include: assessing and granting requests for IP rights; disseminating the technical information underlying these creations to allow other inventors to build on existing innovations; encouraging invention, innovation and creativity in Canada; providing expert advice on IP administration to other countries; and promoting Canada's IP interests internationally.

CIPO's primary clients are applicants for IP protection, agents representing applicants, users of IP systems and the Canadian business community.

CIPO provides IP information (guides, bulletins, reports and news releases) via its web site (www.cipo.ic.gc.ca) and through publicly accessible databases. It is responsible for publishing the Trade-marks Journal and the Canadian Patent Office Record.

Since April 1994, CIPO has been financed by a revolving fund based entirely on client fees for Canadian IP services. The increased financial, human resources management and administrative flexibilities gained through the use of its revolving fund allow CIPO to focus more attention on service quality and responsiveness in an environment of evolving client needs (both domestically and abroad), and in a competitive labour market.

2.2 Audit Objectives

The objective of the audit was to assess whether CIPO has an effective management control framework in place. More specifically, the audit involved:

  • Conducting an assessment of the effectiveness of the management control framework in place at CIPO;
  • Identifying key residual risks to the objectives of CIPO stemming from weaknesses in the management control framework; and
  • Identifying recommended actions for improvement.

2.3 Audit Scope

The audit covered the management processes in place at CIPO – January–March 2005.

2.4 Audit Approach

The audit was performed following a standard audit process based on professional standards that are in compliance with Standards for the Professional Practice of Internal Auditing (Institute of Internal Audit).

2.5 Audit Criteria

Detailed audit criteria used during this audit were drawn from authoritative sources and internationally recognized control models. The audit findings were then mapped against the Treasury Board Secretariat Management Accountability Framework.

2.6 Appreciation

The audit team wishes to express their appreciation to the CIPO managers and staff. They ensured they were available for interviews as required, and provided requested documentation to auditors in a timely manner.

3.0 Detailed Audit Findings and Recommendations

3.1 Governance & Strategic Direction

CIPO has a corporate management framework aligned to strategic outcomes, results-focused corporate priorities, a strategic resource allocation/reallocation process based on performance, an integrated agenda for management excellence and a cyclical scanning of its environment (Domestic and international factors, including client satisfaction and relationships).

An Integrated Strategic Framework has been developed to assist in organizing strategic operational objectives, management and fiscal objectives and strategic asset readiness objectives (people and culture, information and technology). The Strategic Framework is carried forward into the CIPO Business and Financial Plan where objectives are defined, performance measures identified and expected outcomes documented. A mid-year review of the Business Plan is performed and is used in the strategic planning process.

The planning process includes consideration of Government of Canada priorities, Industry Canada Plans and Priorities, current TBS policies, and domestic factors such as the economic environment, the political environment and demographics. International factors are also taken into account including globalization, relationships with other Intellectual Property Offices (IPOs) and new international services. Environmental scanning includes an assessment of CIPO challenges.

Conclusion

The essential conditions of governance and strategic direction are in place for providing effective strategic planning and support to the Minister and Parliament, as well as for the delivery of results.

3.2 Public Service Values

CIPO senior managers continually reinforce the importance of values and ethics in the delivery of services and products. While CIPO has not developed a unique values and ethics program, the organization does operate in alignment with ethics and values policies of both the Government of Canada and Industry Canada. The adequacy or effectiveness of ethics and values activities, in a CIPO context, has not been evaluated to date.

Conclusion

The ethics and values policies that CIPO relies on reflect those used in many government departments and agencies. However, it may be that existing practices do not adequately address the risk of inappropriate use of information derived from business activities, such as the processing of Patent applications.

Recommendation

The CIPO CEO / Commissioner should ensure that an evaluation of the adequacy of the ethics and values program of CIPO be undertaken and, if necessary, a unique CIPO Values and Ethics Program should be developed and implemented.

3.3 Results and Performance

3.3.1 CIPO Executive Dashboard

The CIPO Executive Dashboard integrates financial and non-financial performance information pertaining to Operations, Finance, Human Resources and client feedback for the use of CIPO management. While some of the current performance measures support decision making relevant to the achievement of the organization's objectives, it is recognized that there is room for improvement (Follow-up to Baldrige Assessment 2004 – see Section 3.10). Performance is monitored against client expectations and is compared to other Intellectual Property (IP) Offices.

Graphs and charts are included in the CIPO Executive Dashboard to display and compare performance against expectations for the fiscal year. Detailed and summary information covered includes operational indicators (demand, disposals, inventories and turn-around-times); financial data (revenues, expenditures and net income); Human Resources activities (related to five HR priorities/initiatives); and client activities (electronic usage and client complaints management information).

The CIPO Executive Dashboard is scheduled to be revised early in FY 2005–2006. The format and structure will be modified in order that the revised version has the same look, and contains the same elements, as the Integrated Strategic Framework used in the strategic planning process. This will ensure better alignment between this report and the planning process and strategic objectives.

3.3.2 Operational Management Information

Both the Patents Branch and Trade-mark Branch have systems which support the processing of IP applications and other business activities. Extracts from these systems provide data to the management information system and spreadsheet applications, from which management reports are produced.

The management information systems and spreadsheets support Branch managers (Directors) in a number of operational, planning and forecasting activities. Detailed management reports are used to identify, set, and monitor performance targets for individual employees and to perform workload analysis for each division, section and specialization. Summary productivity information is fed into the CIPO Executive Dashboard.

CIPO managers have created a complex series of models from historical and current information. This allows managers to forecast demand for service and productivity, as well as to determine a sustainable recruitment level—the measurement, monitoring and control of the impact of recruitment on productivity and the balance between resources and productivity (inventories and turn-around-times).

Conclusion

Relevant information on results is gathered and used to make departmental decisions. Public reports are balanced, transparent, and easy to understand. The CIPO continuous innovation and transformation process and the annual strategic planning process provide opportunities for improvements in the definition, collection and use of results and performance information.

3.4 Policy and Programs

IP policy responsibilities are divided between the Industry Canada Policy Sector and CIPO Corporate Strategies Branch (CSB). Industry Canada has the mandate to implement IP Policy, looking at the significant policy issues and changes. CSB focuses on a small group of technical policy changes resulting from court decisions and regulatory changes to definitions. CSB is also building expertise to allow it to undertake economic analysis and policy research projects. This expertise will enable CIPO to benchmark against other IP Offices, enter into joint projects with organizations and universities, better understand and influence innovation, and increase citizen engagement.

Conclusion

CIPO has, or is in the process of developing, a sustainable research and analytical capacity to provide a high level of quality assurance in the areas of developing policy options, designing programs, and providing advice to Ministers.

3.5 People

Each CIPO Director acts as the champion for a specific Human Resource (HR) objective and is required to report to the CIPO Executive Committee on a quarterly basis. HR Champions have been established for the following functions:

  • Employment Equity;
  • Official Languages;
  • Learning;
  • Recruitment and Retention; and
  • Workplace Well-Being.

The monthly CIPO Executive Dashboard provides statistics on performance against HR targets in each of the above categories. There is an awareness of the HR issues facing CIPO at all organizational levels.

Training and learning plans are prepared as part of the annual performance review process. Employees are given the opportunity to identify career expectations and to request developmental training. Training is provided through a variety of mechanisms including formal classroom training; on-the-job training; assigning coaches/mentors; and attending conferences and other training events.

There is evidence that CIPO priorities include providing a supportive workplace and improving employee engagement.

Conclusion

CIPO leaders demonstrate a commitment to maintaining a positive work environment, and a focus on building capacity and leadership to assure future success.

3.6 Citizen Focused Service

CIPO is a client-driven organization. It has established organizational units with responsibilities for client communication and outreach programs, and works with clients to monitor and continuously improve its service. CIPO uses the Internet to assist in delivering services, communicating with clients, and obtaining client feedback. It has introduced incentives for clients to submit their applications in an electronic format.

CIPO works with both Canadian and international Intellectual Property organizations to promote services, improve quality, and achieve its mission.

Client feedback is gathered throughout the year through periodic, ongoing and transactional (point of delivery) surveys and through topic-specific focus groups. Starting in April 2002, the following surveys were undertaken:

  • Website Evaluation Survey (Apr. 2002);
  • CIPO Client Satisfaction Survey (September 2003);
  • Copyright Branch Business Reply Mail Survey (August–October 2003);
  • Copyright Branch On-line Filing Survey (January–June 2004);
  • Client Service Centre (CSC) Client Satisfaction Survey (Ongoing July 2003);
  • Trade-marks On-line Filing Survey (Agents only. September 2004);
  • CSC Client Satisfaction – Business Reply Mail Survey (September 2004); and
  • Patent Branch Tools Web Survey.

In the period from February 2003 to October 2004, 13 focus groups were held to gather existing and future client needs and requirements. A Quarterly Client Feedback Report is produced. Client feedback is consolidated into "themes" for each product line and considered in the strategic planning process.

In 2004–04, CIPO's Outreach Program activities included the development and enhancements of IP publications; the production of success stories; focus group sessions with IP practitioners and the business community; and promotion and awareness building activities with partner organizations. Innovative approaches and technology are used to achieve program objectives.

Conclusion

CIPO has clearly addressed, and is committed to, all aspects of providing client-focused services.

3.7 Risk Management

Operational and product line risks are formally addressed within the strategic and operational planning process. Risks that affect the delivery of services such as Patents and Trade-marks are monitored and analyzed. As required, mitigation strategies and activities are implemented. Corporate and horizontal risks are identified, discussed and addressed. However, CIPO does not have an enterprise-level risk management system to clearly define the corporate context and the practices for proactively managing organizational and strategic risks.

For example, the patent officer annual terminable allowance (bonus) of $5,138 to $12,216 is scheduled to end on September 30, 2005 and there is concern that it will not be renewed. While some discussions have taken place with respect to the impact to CIPO, there has been no formal and systematic approach to managing this potential risk to employee morale and to CIPO's ability to achieve its HR objectives.

As another illustration of the above, it was identified that some common services provided by CIPO's Human Resources and Informatics Services branches were to be moved to Industry Canada. Managers who were interviewed during the audit expressed various levels of concern about the potential migration of these services. They differed in their understanding of what was to be moved, the analysis that had taken place, and how CIPO intended to mitigate any risks resulting from changes to be implemented.

Refer to Appendix A for an approach to risk management.

Conclusion

There is evidence that risk is considered in strategic planning activities, and that key risks are identified and managed. CIPO could, however, improve corporate risk management, communication and coordination activities, thereby becoming more effective at identifying opportunities and minimizing negative outcomes.

Recommendation

The CIPO CEO / Commissioner should ensure a review and improvement of CIPO Corporate Risk Management strategies and practices.

3.8 Stewardship

3.8.1 Financial Integrity Controls

Working within the Industry Canada delegation of authority, CIPO established a table of equivalencies for the organization, and a CIPO delegation chart of authority for positions and individuals. Delegations are added or changed for acting assignments using e-mail correspondence that is routed through the Office of the CEO/Commissioner to obtain approvals.

Expenditures under $2000 are batched and are to be randomly reviewed after payment by Industry Canada (IC). However, there is evidence that transactions under $2000 are not being audited and, within the Finance group, concerns were expressed with respect to the monitoring of credit card bulk payments.

All transactions over $2000 are fully audited against relevant documentation and authorities by the Finance Unit prior to authorizing payment (FAA, section 33). In line with Government of Canada policies, certain transactions, such as hospitality, membership fees and conference attendance are monitored more closely. Compliance is enhanced and the risk of error reduced by the small size of CIPO and the fact that all managers are co-located with the Finance group, and are known to the financial officers. A limited third party review of the financial practices and transactions processed by CIPO managers is carried out as a part of the annual attest audit conducted by KPMG.

Managers are reminded of their authority and responsibility for such items as contracts through written procedures and documentation. All contracts for more than $25K must be processed by a central unit. Managers are informed of issues associated with low dollar and single source contracts.

CIPO uses the IC human resource leave system to electronically approve and monitor employee leave status.

Recommendation

The Director, Planning, Finance and Administration Branch, should ensure that expenditures of less than $2000, and credit card transactions processed in bulk, are appropriately sampled and monitored.

3.8.2 Information Technology Controls

CIPO's IT environment is supported by two organizations: the Computer and Network Services (CNS) group in the Informatics Services Branch (ISB), and the Industry Canada Chief Information Office (IC CIO). These groups have unique and overlapping responsibilities and services. The IC CIO provides overall direction and standards. There is a great deal of coordination between CIPO ISB and IC CIO to ensure the infrastructure is maintained and there is continuity of service.

There is a system of controls and management practices within ISB to ensure that IT problems are given appropriate attention, and that changes to IT infrastructure are implemented in a timely, systematic and integrated manner.

IT projects are controlled through a complex structure of standard development practices, processes, forms and documentation requirements. The project approval process, the Project Steering Committee (PSC) and the Project Management Office (PMO) of ISB ensure adequate oversight, quality assurance and quality control. Resource requirements and assignments for IT projects are based on priorities identified through the strategic and operational planning process.

3.8.3 Business Continuity Plans/Disaster Recovery Plans

A Business Impact Assessment was performed which identified two critical functions: date stamping of the registration, renewal, appeals and fee payments; and revenue validation.

The current Business Continuity Plan (BCP) defines roles and responsibilities, procedures and communication requirements for these two critical functions. A BCP Coordinator is responsible for maintaining the BCP, and ensures that all employees identified as having primary or back-up BCP responsibilities are informed and are kept involved. While the current BCP appears to be complete and addresses all requirements, a formal review has not been undertaken, and a complete test of the plan has not been performed. As well, at the time of the audit, the Informatics Services Branch Disaster Recovery Plan (DRP) was in the very early stages of development.

Conclusion

Overall, CIPO's control regime is integrated and effective and its underlying principles are clear to all staff. However, the lack of oversight of financial transactions under $2000 and those processed in bulk increases the risk that an inappropriate expenditure will go undetected. In addition, without a fully tested business continuity plan, CIPO lacks the assurance that it can effectively continue critical business functions in the event of an incident.

Recommendation

The CIPO CEO/Commissioner should ensure that priority is given to establishing fully tested Business Continuity and Disaster Recovery Plans, and that such plans are kept up-to-date over time.

3.9 Accountability

CIPO accountability for results is clearly assigned and consistent with resources, and delegations are appropriate to capabilities. CIPO organizational units tend to have unity of objective and product lines which facilitates the assignment of accountability for operational results and resources.

The committee structure reflects CIPO corporate priorities and objectives as well as the major components of its Integrated Strategic Framework. There are five senior manager committees:

  • CIPO Weekly Executive Committee;
  • Information Technology (IT) Investment Committee;
  • International Committee;
  • Policy Committee and Performance; and
  • Activity Based Costing Committee.

Many of these committees have been created recently, and the mandates of existing committees have changed. At the time of the audit, Terms of Reference for corporate committees were not available or, if they were available, required revision.

Responsibility for overseeing Human Resource priorities and objectives has been assigned to "Champions" – individual members of the CIPO executive. Champions are in place for the following functions:

  • Workplace Well-being;
  • Recruitment and Retention;
  • Employment Equity; and
  • Official Languages and Learning.

The accountability of HR Champions is defined in their performance accords and they are responsible, with the assistance of Human Resources Branch, for monitoring and reporting progress to the CIPO Executive Committee and the Executive Dashboard.

Business Branch and ISB Directors and managers were aware of IT projects under development, their roles in the development process and the dynamics of managing scarce resources based on organizational priorities. However, there were differing perceptions with respect to the commitment of business clients to IT projects, the availability of scarce resources such as qualified programmers, the time taken to develop systems and the extensive use of IT contractors. The initiative to improve internal communication, commenced by Corporate Strategies Branch, will provide a forum for addressing differing perceptions through more open dialogue.

Conclusion

CIPO accountabilities for results are clearly assigned and consistent with resources. Delegations are appropriate to capabilities. While adequate, the CIPO accountability framework could be improved to promote a greater common understanding and alignment of individual and corporate commitments by:

  • Ensuring that current corporate Terms of Reference are in place that define:
    • Membership;
    • Authority, purpose;
    • Scope and mandate;
    • Frequency; and
    • Expected results and time-frames;
  • Taking an integrated approach to establishing Performance Accords with cascading strategic and operational commitments (such as HR priorities) for all employees; and
  • Improving internal communication practices and processes.

Recommendation

The CIPO CEO / Commissioner should ensure that:

  • Terms of Reference for Committees are kept current and are communicated across CIPO;
  • The performance review process is revised to better address strategic priorities and objectives (at all levels); and
  • Priority is given to an initiative to improve internal communications.

3.10 Learning, Innovation and Change Management

In the year 2000, CIPO commenced a program of continuous improvement. A Baldrige Assessment was performed to provide a baseline of where CIPO was against a standard (a detailed evaluation) and to provide recommendations (at a higher level) of actions to be undertaken. Seven recommendations were made in October 2000:

  1. Define and clarify the roles and responsibilities of the CIPO executive team and each of its members;
  2. Establish a process to develop and implement CIPO's vision, mission, values, strategic priorities and long-term objectives and ensure that these are understood by all employees;
  3. Develop, implement and maintain a formal CIPO planning process for the development of a business plan and related long and short-term action plans;
  4. Identify, document and measure performance of key processes for CIPO;
  5. Develop and implement a comprehensive performance measurement strategy and analysis capability for CIPO;
  6. Develop a regime for understanding clients' needs and formal methods for understanding their levels of satisfaction; and
  7. Develop a CIPO HR plan to enhance the recruitment, retention and development of employees.

The purpose of the Follow-up Survey (undertaken in October 2004) was to identify CIPO strengths and areas for improvement, and to elaborate an action plan to move ahead. The Follow-up Survey identified that CIPO has largely addressed all of the original recommendations and has made progress in establishing a culture of learning, innovation and change management. It also recognizes that there is still much work to be done.

In almost every case, CIPO analysis and discussions include an evaluation of how other relevant groups perform the activity or task under discussion. As well, there is a component of "learning from others" included in most CIPO management planning and operations activities. The annual executive retreat, for example, is used as an opportunity to present and discuss best practices and areas for improvement.

Conclusion

CIPO manages in an open and transparent manner within an environment of continuous innovation and transformation, learning from past performance. The CIPO executive management team recognizes that it has made progress in establishing a culture of learning, innovation and change management. It also recognizes that there is still work to be done.

Recommendation

The CIPO CEO / Commissioner should ensure that CIPO continues to address the Baldrige Assessment recommendations and action plan.

Appendix A: Risk Management Approach

The approach for any risk assessment includes the following main elements (refer to the risk management graph below):

  • understanding the objectives of the area,
  • identifying the risks the organization faces in achieving those objectives (i.e., what can go wrong?),
  • assessing how well the organization is managing those risks currently (e.g., what controls are in place to manage those risks?),
  • based on that assessment, defining the level of residual risk to the organization (normally defined based on likelihood of the risk occurring and impact to the organization if the risk were to materialize),
  • developing an understanding of management's tolerance to its risks; and
  • where needed, defining risk mitigation strategies and action plans to address those risks that exceed management's tolerance.

Integrated risk management (also known as enterprise risk management) seeks to establish a risk management approach that is embedded throughout the organization. Typical goals for instituting integrated risk management are to:

  • Recognize that understanding and managing risk is integral to achieving business objectives and effective governance;
  • Establish the discipline of risk management as an organizational strength that is integrated with other management practices;
  • Promote horizontal collaboration and pro-active management of key risks (e.g., strategic, operational, socio-economic) to support a consistent and unified organizational approach to the achievement of objectives; and
  • Consistently and explicitly apply risk management in decision-making.

Approaches for implementing integrated risk management vary. Options include developing a corporate risk profile through a top-down approach, conducting operational risk assessments using a bottom-up approach, or some combination of both. Treasury Board Secretariat (TBS) has developed an Integrated Risk Management Framework (rescinded 2010-08-27) to assist Government of Canada organizations in establishing "an overall approach to manage strategic risks by creating the means to discuss, compare and evaluate substantially different risks (e.g., policy, operational, human resources, financial, legal, health and safety, environment, reputational) on the same page". The TBS website also provides links to best practices in enterprise risk management in the public and private sectors.

Figure 1: Risk Tolerance Concept
Source: Canadian Intellectual Property Office (CIPO) – Risk Tolerance Concept

Appendix B: Management Response to the March 2005 Report on the Audit of CIPO's Management Control Framework

Comments

CIPO agrees with the overall assessment that its Management Control Framework (MCF) is adequate and effective, providing reasonable assurance that the agency is well-positioned to manage risk and achieve stated objectives. The agency's continuous improvement approach to business planning and operations is reflected in its on-going implementation of all aspects of the government's Management Accountability Framework (MAF). Certain of these elements are being refined, consistent with the recommendations of this report.

Management Response to Recommendations

Recommendation 1

The CIPO CEO/Commissioner should ensure that an evaluation of the adequacy of the ethics and values program of CIPO be undertaken and, if necessary, a unique CIPO Values and Ethics Program should be developed and implemented.

Response:

CIPO agrees with the observation and will continue to adhere to the government-wide Values and Ethics Framework and actively promote employee participation in Values and Ethics programs and training. Thus far, management has not identified a need for a unique CIPO Values and Ethics Program. This is reviewed on an annual basis by the Workplace Well-being Champions within the context of CIPO's HR Strategy.

Recommendation 2

The CIPO CEO/Commissioner should ensure a review and improvement of CIPO Corporate Risk Management strategies and practices.

Response:

CIPO agrees with the observation. As risks are identified, appropriate mitigation strategies to address these risks are developed within CIPO's Business Plan. They are reviewed on an annual basis within the context of CIPO's strategic planning process. In this regard, CIPO will conduct a formal review of its risk management strategies and processes including a follow-up action plan before the end of this calendar year. In addition, the Business Continuity Plan will continue to be reviewed and updated monthly. Furthermore, an IT Disaster Recovery Plan is being developed to reflect the latest operational practices.

Recommendation 3

The Director, Planning, Finance and Administration Branch, should ensure that expenditures of less than $2000 and credit card transactions processed in bulk are appropriately sampled and monitored.

Response:

CIPO agrees with the observation. Industry Canada (Financial & Materiel Management) has taken appropriate action to ensure credit card transactions and expenditures under $2000 from CIPO are appropriately sampled and monitored.

Recommendation 4

The CIPO CEO/Commissioner should ensure that priority is given to establishing fully tested Business Continuity and Disaster Recovery Plans, and that such plans are kept up-to-date over time.

Response:

CIPO agrees with the observation. CIPO has in place a Business Continuity Plan, which has undergone trial runs and been shown to be effective. Updating is an ongoing process performed by the Planning, Finance & Administration Branch. The Disaster Recovery Plan is being updated to reflect the latest operational practices.

Recommendation 5

The CIPO CEO/Commissioner should ensure that:

  • Terms of Reference for Committees are current and are communicated across CIPO;
  • The performance review process is revised to better address strategic priorities and objectives at all levels; and
  • Priority is given to an initiative to improve internal communications.

Response:

CIPO agrees with the observations. Terms of Reference exist for CIPO's Executive Committee and its sub-committees and will be updated and communicated to employees as required by November 2005. The corporate dashboard, which provides a monthly performance review of key indicators, is continuously being revised to more effectively represent progress toward achieving strategic priorities and objectives. CIPO is committed to improving internal communications and has taken measures to enhance the intranet (the primary employee communication tool) in an effort to engage and inform employees while responding to their needs.

Recommendation 6

The CIPO CEO/Commissioner should ensure that CIPO continues to address the Baldrige Assessment recommendations and action plan.

Response:

CIPO agrees with the observation. CIPO has made significant progress in a number of areas addressed by the Baldrige assessment. Within CIPO's Business Plan, a Strategy Map helps to focus our efforts on service quality and timeliness improvements. The Baldrige Assessment recommendations are reviewed annually within the context of CIPO's strategic planning process. An ongoing client consultation program, including extensive bi-annual client surveys, is used to keep the organization focussed on client needs and continuous improvement.


Figure 1: Risk Tolerance Concept

The risk tolerance concept diagram is a square divided into five by five mini-squares identifying the risk exposure. The columns show the likelihood (rare, unlikely, moderate, likely and almost certain). The rows show the impact on business objective (negligible, low, medium, very high and extreme). The bottom left portion of the square is coloured in green and identifies "assume", the middle is coloured in yellow and identifies "mitigate/monitor" and the top right portion of the square is coloured in red and identifies "mitigate".
