ARCHITECTURE CONTRIBUTION TO RISK & EVIDENCE INFORMED DECISION MAKING WITHIN THE CANADIAN SAFETY AND SECURITY PROGRAM (CSSP)

Transcription

1 ARCHITECTURE CONTRIBUTION TO RISK & EVIDENCE INFORMED DECISION MAKING WITHIN THE CANADIAN SAFETY AND SECURITY PROGRAM (CSSP) Geneviève Dubé CAE Inc. Prepared By: CAE Inc. Senior Capability Engineering and Architecture SME, Defence & Security 1135 Innovation Drive, Ottawa, ON K2K 3G7 Contractor's Document Number: Version 01 PWGSC Contract Number: W Technical Authority: Shaye K. Friesen, Risk Assessment Analyst Disclaimer: The scientific or technical validity of this Contract Report is entirely the responsibility of the Contractor and the contents do not necessarily have the approval or endorsement of the Department of National Defence of Canada. Contract Report DRDC-RDDC-2017-C085 March 2017

2 Défense nationale, 2017

3 CAE Inc Innovation Drive Ottawa, Ont., K2K 3G7 Canada Tel: Fax: ARCHITECTURE CONTRIBUTION TO RISK & EVIDENCE INFORMED DECISION MAKING WITHIN THE CANADIAN SAFETY AND SECURITY PROGRAM (CSSP) CONTRACT #: W FOR DEFENCE RESEARCH AND DEVELOPMENT CANADA CENTRE FOR SECURITY SCIENCE 222 Nepean Street, Ottawa, Ontario, K1A 0K2 31 March 2017 Document No Version 01

4 CAE Inc Innovation Drive Ottawa, Ont., K2K 3G7 Canada Tel: Fax:

5 APPROVAL SHEET Document No Version 01 Document Name: ARCHITECTURE CONTRIBUTION TO RISK & EVIDENCE INFORMED DECISION MAKING WITHIN THE CANADIAN SAFETY AND SECURITY PROGRAM (CSSP) Primary Author Name Position Dr. Geneviève Dubé Intermediate Test and Evaluation SME, Defence & Security, CAE Canada Reviewer Name for Ian Bayne 31 March 2017 iii Version 01

6 Position Senior Capability Engineering and Architecture SME, Defence & Security, CAE Canada Approval Name Position Damon Gamble Project Manager, Defence & Security, CAE Canada 31 March 2017 iv Version 01

7 REVISION HISTORY Revision Reason for Change Origin Date Version 01 Initial document issued 31 March March 2017 v Version 01

8 TABLE OF CONTENTS 1 INTRODUCTION Background Objective Scope This Document ENTERPRISE ARCHITECTURE Framework QualiWare METHOD Phase 1 Literature Review Data Collection Plan Phase 2 High Level Structure Development Phase 3 Architecture Development Strategic Views Functional Decomposition Diagrams (OV5a) RA Methodologies/ Process (OV-5b) Taxonomy Phase 4 External Validation and Final Architecture March 2017 vi Version 01

9 4 HTML REPORT Strategic View and Functional Decomposition RA Methodologies Taxonomy RECOMMENDATIONS AND NEXT STEPS Strategic Level Program Level Focus Area Seamless Borders Discussion CONCLUSIONS Expected Benefits Limitations REFERENCES APPENDIX A DATA COLLECTION PLAN... A-1 A.1 Key References... A-1 APPENDIX B ARCHITECTURE... B-1 B.1 CSSP Planning Cycle... B-1 B.2 Call for Proposal... B-2 B.3 Focus Area Narratives... B-4 B.4 SPG... B March 2017 vii Version 01

10 B.5 S&T Challenges... B-11 B.6 Evidence-Based Analysis... B-14 B.7 Performance Measurement... B-17 B.8 Community Engagement... B-19 B.8.1 Biological Hazard Portfolio... B-20 B.8.2 Border and transportation Security Portfolio... B-23 B.8.3 Critical Infrastructure... B-36 B.8.4 E-Security Portfolio... B-40 B.8.5 Emergency Management, Systems and Interoperability Portfolio... B-42 B.8.6 Explosives Portfolio... B-43 B.8.7 Fire Services Portfolio... B-52 B.8.8 Natural Hazard Portfolio... B-58 B.8.9 Paramedic Services Portfolio... B-63 B.8.10 Radiological and Nuclear Portfolio... B-72 B.8.11 Police Law Enforcement Portfolio... B-76 B.8.12 Surveillance, Intelligence and Interdiction Portfolio... B-85 B.8.13 Psycho-Social Portfolio... B-88 APPENDIX C RA METHODOLOGIES... C-1 C.1 AHRA... C-1 C.2 National Risk Assessment... C-4 31 March 2017 viii Version 01

11 APPENDIX D TAXONOMY... D-1 LIST OF FIGURES Figure 2-1: DNDAF... 5 Figure 2-2: QualiWare System (from: Instruction slides for DNDAF Course )... 8 Figure 3-1: Overview of the Methodology Figure 3-2: High-Level Structure Development Cycle Figure 3-3: Data Collection Approach (1) Figure 3-4: Data Collection Approach (2) Figure 3-5: Architecture Development Process Figure 3-6: CSS Strategic View (1) Figure 3-7: Final Strategic View Figure 3-8: Example of a Functional Model Diagram Figure 3-9: Decomposition of a Business Function Figure 3-10: Architecture Example Level Figure 3-11: Architecture Example Level Figure 3-12: Architecture Example Level Figure 3-13: Architecture Example Level Figure 3-14: Architecture Example Level March 2017 ix Version 01

12 Figure 3-15: Architecture Example Level Figure 3-16: Interrelations between Processes Figure 3-17: RA Placeholders/Gaps Figure 3-18:AHRA Methodology Figure 3-19: AHRA Risk Event Taxonomy [Public Security Technical Program Planning Scenario Final Report] Figure B-1: CSSP Planning Cycle... B-1 Figure B-2: Call for Proposal (CFP)... B-2 Figure B-3: CFP CSSP Funding... B-2 Figure B-4: CFP Process... B-3 Figure B-5: CFP Notice of Proposed Procurement... B-3 Figure B-6: CFP Process Phase 1... B-4 Figure B-7: Focus Area Narratives... B-4 Figure B-8: Seamless Borders (SB) Narrative... B-5 Figure B-9: SB - Portfolio Activities... B-5 Figure B-10: SB Gaps... B-6 Figure B-11: SB Priorities... B-6 Figure B-12: SB De-risk... B-7 Figure B-13: SB Risk-Informed Delivery Cycle... B-7 31 March 2017 x Version 01

13 Figure B-14: SB Establish Clients Priorities... B-8 Figure B-15: SB Formulate Program... B-8 Figure B-16: SB Generate Evidence through Projects... B-9 Figure B-17: SB Provide Advice... B-9 Figure B-18: SPG... B-10 Figure B-19: Focus Area Priorities... B-10 Figure B-20: S&T Challenges... B-11 Figure B-21: S&T Use Action Research or Similar Methodology... B-11 Figure B-22: S&T Strengthen Capacity of Emergency Responders... B-12 Figure B-23: S&T Use Broadband Wireless Technologies to Provide Next-Generation Reliable Communications... B-12 Figure B-24: S&T Make Use of Nano and/or Synthetic Biological Technology... B-13 Figure B-25: S&T Enhance Ability of Maritime Operators and Partners to Accomplish Public Safety and Security Objectives... B-13 Figure B-26: S&T Develop and Assess Options for Next-Generation Surveillance of Canada's Northern Waters and Approaches... B-14 Figure B-27: Evidence-Based Analysis (EBA)... B-14 Figure B-28: EBA Risk Assessment Framework... B-15 Figure B-29: EBA Enable and Inform CSSP Decision Making... B-15 Figure B-30: EBA Risk Assessment in Targeted Domains... B-16 Figure B-31: EBA National Risk Assessment... B March 2017 xi Version 01

14 Figure B-32: Performance Measurement (PM)... B-17 Figure B-33: PM CSSP Performance Measurement Strategy... B-17 Figure B-34: PM Strategy Principles... B-18 Figure B-35: PM Key Performance Indicators... B-18 Figure B-36: PM Performance Evaluation... B-19 Figure B-37: Community Engagement (CE)... B-19 Figure B-38: CE Portfolios/CoP Management... B-20 Figure B-39: Biological Hazards (BH) Portfolio... B-20 Figure B-40: BH Program of Work... B-21 Figure B-41: BH Rapid Diagnostics and Situational Awareness... B-21 Figure B-42: BH Containment and Decontamination... B-22 Figure B-43: BH Medical Countermeasures... B-22 Figure B-44: Border and Transportation Security (BTS) Portfolio... B-23 Figure B-45: BTS Policy/Operational Context... B-23 Figure B-46: BTS Partners... B-24 Figure B-47: BTS Program of Work... B-24 Figure B-48: BTS Biometrics and Passenger Screening... B-25 Figure B-49: BTS Biometrics Existing Projects... B-25 Figure B-50: BTS Biometrics Activities for 2014/15... B-26 Figure B-51: BTS Biometrics Remaining Challenges... B March 2017 xii Version 01

15 Figure B-52: BST Technologies to Increase Passenger Safety... B-27 Figure B-53: BTS Passenger Safety Existing Projects... B-27 Figure B-54: BTS Passenger Safety Activities for 2014/ B-28 Figure B-55: BTS Passenger Safety Remaining Challenges... B-28 Figure B-56: BTS Technologies Supporting Fast Screening of Containers... B-29 Figure B-57: BTS Technologies Remaining Challenges... B-29 Figure B-58: BTS Technologies Pilots for Efficient Container Management... B-30 Figure B-59: BTS Assessing Cyber Vulnerabilities... B-30 Figure B-60: BTS Biometrics Existing Projects... B-31 Figure B-61: BTS Cyber Vulnerabilities Activities for 2014/ B-31 Figure B-62: BTS Cyber Vulnerabilities Remaining Challenges... B-32 Figure B-63: BTS Arctic Security... B-32 Figure B-64: BTS Arctic Security Existing Projects... B-33 Figure B-65: BTS Arctic Security Activities for 2014/ B-33 Figure B-66: BTS Arctic Security Remaining Challenges... B-34 Figure B-67: BTS Integration and Analysis... B-34 Figure B-68: BTS Integration and Analysis Existing Projects... B-35 Figure B-69: BTS Integration and Analysis Activities for 2014/ B-35 Figure B-70: BTS Integration and Analysis Remaining Challenges... B-36 Figure B-71: Critical Infrastructure (CI) Portfolio... B March 2017 xiii Version 01

16 Figure B-72: CI Focus... B-37 Figure B-73: CI Program of Work... B-37 Figure B-74: CI Call for Proposals (CFP) Projects... B-38 Figure B-75: CI Targeted Investments... B-38 Figure B-76: CI Technology Acquisition... B-39 Figure B-77: CI Community Development Workshops... B-39 Figure B-78: E-Security (E-S) Portfolio... B-40 Figure B-79: E-S Operation Capabilities... B-40 Figure B-80: E-S Policy/Operational Context... B-41 Figure B-81: E-S Program of Work... B-41 Figure B-82: Emergency Management, Systems and Interoperability (EMSI) Portfolio... B-42 Figure B-83: EMSI Policy/Operational Context... B-42 Figure B-84: EMSI Program of Work... B-43 Figure B-85: Explosives (Exp) Portfolio... B-43 Figure B-86: Exp Specific S&T Areas... B-44 Figure B-87: Exp Policy and Operational Context... B-44 Figure B-88: Exp Metric Based on Resilience Four Pillars... B-45 Figure B-89: Exp Program of Work... B-45 Figure B-90: Exp Scenarios... B-46 Figure B-91: Exp Analyze Scenarios... B March 2017 xiv Version 01

17 Figure B-92: Exp Projects... B-47 Figure B-93: Exp Prevention... B-47 Figure B-94: Exp Prevention Existing Programs... B-48 Figure B-95: Exp Prevention Planned Activities... B-48 Figure B-96: Exp Prevention Remaining Challenges... B-49 Figure B-97: Exp Preparedness... B-49 Figure B-98: Exp Preparedness Existing Projects... B-50 Figure B-99: Exp Preparedness Planned Activities... B-50 Figure B-100: Exp Preparedness Remaining Challenges... B-51 Figure B-101: Exp Preparedness- Existing Projects... B-51 Figure B-102: Fire Services (FS) Portfolio... B-52 Figure B-103: FS Primary Functions (PMS)... B-52 Figure B-104: FS Assess Impact of CSSP Output Upon Community... B-53 Figure B-105: FS Program of Work... B-53 Figure B-106: FS Evidence-Based Decision Making... B-54 Figure B-107: FS Evidence-Based Decision Making Existing Work... B-54 Figure B-108: FS Evidence-Based Decision Making Remaining Challenges... B-55 Figure B-109: FS Dangerous Hazardous Goods... B-55 Figure B-110: FS Dangerous Hazardous Goods Existing Work... B-56 Figure B-111: FS Dangerous Hazardous Goods Remaining Challenges... B March 2017 xv Version 01

18 Figure B-112: FS Smart Firefighting... B-57 Figure B-113: FS Smart Firefighting Existing Work... B-57 Figure B-114: FS Smart Firefighting Remaining Challenges... B-58 Figure B-115: Natural Hazard (NH) Portfolio... B-58 Figure B-116: NH Priorities... B-59 Figure B-117: NH Policy/Operational Context... B-59 Figure B-118: NH Program of Work... B-60 Figure B-119: NH Consolidated Priorities... B-60 Figure B-120: NH Priorities for Disaster Risk Reduction Type of Work... B-61 Figure B-121: NH Social Change... B-61 Figure B-122: NH Social Change Type of Work... B-62 Figure B-123: NH Social Change Planned Activities... B-62 Figure B-124: Paramedic Services (PMS) Portfolio... B-63 Figure B-125: PMS Primary Functions... B-63 Figure B-126: PMS Assess the Impact of CSSP Outputs Upon Community... B-64 Figure B-127: PMS Policy/Operational Context... B-64 Figure B-128: PMS Operational Context Priority Domains... B-65 Figure B-129: PMS Program of work... B-65 Figure B-130: PMS Mobilising Health Care... B-66 Figure B-131: PMS Mobilising Health Care Existing Work... B March 2017 xvi Version 01

19 Figure B-132: PMS Mobilising Health Care Remaining Challenges... B-67 Figure B-133: PMS Evidence-Based Decision Making... B-67 Figure B-134: PMS Evidence-Based Decision Making Existing Work... B-68 Figure B-135: PMS Evidence-Based Decision Making Remaining Challenges... B-68 Figure B-136: PMS Standards Development... B-69 Figure B-137: PMS Standards Development Existing Work... B-69 Figure B-138: PMS Standards Development Remaining Challenges... B-70 Figure B-139: PMS Practitioner Well-Being... B-70 Figure B-140: PMS Practitioner Well-Being Existing Work... B-71 Figure B-141: PMS Practitioner Well-Being Remaining Challenges... B-71 Figure B-142: Radiological and Nuclear (RN) Portfolio... B-72 Figure B-143: RN Vulnerabilities... B-72 Figure B-144: RN Investment Strategy... B-73 Figure B-145: RN Policy/Operational Context... B-73 Figure B-146: RN Program of Work... B-74 Figure B-147: RN Quantitative and Qualitative Threat Assessment... B-74 Figure B-148: RN Quantitative and Qualitative Threat Assessment Run Scenarios... B-75 Figure B-149: RN Projects List... B-75 Figure B-150: Police Law Enforcement (PLE) Portfolio... B-76 Figure B-151: PLE Policy/Operational Context... B March 2017 xvii Version 01

20 Figure B-152: PLE - Program of Work... B-77 Figure B-153: PLE Priorities Areas... B-77 Figure B-153: PLE Priorities Areas Improving Economics... B-78 Figure B-154: PLE Priorities Areas Improving Economics Existing Work... B-78 Figure B-155: PLE Priorities Areas Improving Economics Remaining Challenges... B-79 Figure B-156: PLE Priorities Areas Employing Emerging Technology... B-79 Figure B-157: PLE Priorities Areas Employing Emerging Technology Existing Work... B-80 Figure B-158: PLE Priorities Areas Employing Emerging Technology Remaining Challenges... B-80 Figure B-159: PLE Priorities Areas Reducing the Cost and Time of Investigation... B-81 Figure B-160: PLE Priorities Areas Reducing the Cost and Time of Investigation Existing Work... B-81 Figure B-161: PLE Priorities Areas Evidence-Based Decision Making... B-82 Figure B-162: PLE Priorities Areas Evidence-Based Decision Making Existing Work... B-82 Figure B-163: PLE Priorities Areas Evidence-Based Decision Making Remaining Challenges... B-83 Figure B-164: PLE Priorities Areas Employing Emerging Technology... B-83 Figure B-165: PLE Priorities Areas Employing Emerging Technology Existing Work... B-84 Figure B-166: PLE Priorities Areas Employing Emerging Technology Remaining Challenges... B-84 Figure B-167: Surveillance, Intelligence and Interdiction (SII) Portfolio... B-85 Figure B-168: SII Objectives... B-85 Figure B-169: SII Policy/Operational Context... B-86 Figure B-170: SII Program of Work... B March 2017 xviii Version 01

21 Figure B-171: SII Action Plan... B-87 Figure B-172: SII Canada s Counter-Terrorism Strategy... B-87 Figure B-173: SII DSO Readiness Committee Priorities... B-88 Figure B-174: Psycho-Social (PS) Portfolio... B-88 Figure B-175: PS Capability Gaps... B-89 Figure B-176: PS Partners... B-89 Figure B-177: PS Policy/Operational Context... B-90 Figure B-178: PS Emerging Issues... B-90 Figure B-179: PS Program of Work... B-91 Figure B-180: PS Counter-Violent Extremism... B-91 Figure B-181: PS Counter-Violent Extremism Existing Work... B-92 Figure B-182: PS Counter-Violent Extremism Remaining Challenges... B-92 Figure B-183: PS Support to First Responders and Public... B-93 Figure B-184: PS Support to First Responders and Public Existing Work... B-93 Figure B-185: PS Support to First Responders and Public Remaining Challenges... B-94 Figure B-186: PS Community Resilience Existing Work... B-94 Figure B-187: PS Community Resilience Remaining Challenges... B-95 Figure B-188: PS Community Resilience Better Understand Behavioural Implications of Effective Communications... B-95 Figure B-189: PS Develop Effective Whole-of-Community Approaches for Building Community Resilience... B March 2017 xix Version 01

22 Figure B-190: PS Cross-Cutting Challenge Areas... B-96 Figure C-1: Threat/Hazard Based Analysis... C-1 Figure C-2: Step 1 Setting the Context... C-1 Figure C-3: Step 2 Risk Identification... C-2 Figure C-4: Step 3 Risk Analysis... C-2 Figure C-5: Step 4 Risk Evaluation... C-3 Figure C-6: Step 5 Risk Treatment... C-3 Figure C-7: National Risk Assessment... C-4 Figure D-1: Threat Taxonomy... D-1 Figure D-2: Capability Taxonomy... D-1 Figure D-3: Impact Category... D-2 Figure D-4: Target Taxonomy... D-2 Figure D-5: DHS State Geographic State Analysis... D-3 Figure D-6: Consequence Categories (DHS)... D-4 LIST OF TABLES Table A-1: Preliminary Planning Tool... A-1 31 March 2017 xx Version 01

23 LIST OF ACRONYMS AND DEFINITIONS AF AHRA ARCHITECTURE FRAMEWORK ALL HAZARD RISK ASSESSMENT BH BTS BIOLOGICAL HAZARD BORDER AND TRANSPORTATION SECURITY CAPV CBP CBRNE CBSA CFP CE CI COP CRA CSS CSSP CV CAPABILITY VIEW CUSTOM BORDERS PROTECTION CHEMICAL, BIOLOGICAL, RADIOLOGICAL, NUCLEAR AND EXPLOSIVES CANADA BORDER SERVICES AGENCY CALL FOR PROPOSALS COMMUNITY ENGAGEMENT CRITICAL INFRASTRUCTURE COMMUNITY OF PRACTICE CONSOLIDATED RISK ASSESSMENT CENTER FOR SECURITY SCIENCE CANADIAN SAFETY AND SECURITY PROGRAM COMMON VIEW 31 March 2017 xxi Version 01

24 DEA DHS DND DNDAF DRR DIRECTOR OF ENTERPRISE ARCHITECTURE DEPARTMENT OF HOMELAND SECURITY DEPARTMENT OF NATIONAL DEFENSE DND ARCHITECTURE FRAMEWORK DISASTER RISK REDUCTION EA EBA EMSI E-S EXP ENTERPRISE ARCHITECTURE EVIDENCE-BASED ANALYSIS EMERGENCY MANAGEMENT, SYSTEM AND INTEROPERABILITY E-SECURITY EXPLOSIVES FS FIRE SERVICES GC GOVERNMENT OF CANADA HIRA HTRA HAZARD IDENTIFICATION RISK ASSESSMENT HARMONIZED THREAT AND RISK ASSESSMENT 31 March 2017 xxii Version 01

25 IV INFORMATION VIEW NH NRP NATURAL HAZARD NATIONAL RISK PROFILE OV OPERATIONAL VIEW PLE PM PMS POW PS PS POLICE LAW ENFORCEMENT PERFORMANCE MEASURE PARAMEDIC SERVICES PROGRAM OF WORK PSYCHO-SOCIAL PUBLIC SAFETY QW QUALIWARE RA RN RRAP RISK ASSESSMENT RADIOLOGICAL AND NUCLEAR RESILIENCE ASSESSMENT PROGRAM 31 March 2017 xxiii Version 01

26 S&T SB SECV SII SME SPG SRA STRATV SV SCIENCE AND TECHNOLOGY SEAMLESS BORDER SECURITY VIEW SURVEILLANCE, INTELLIGENCE AND INTERDICTION SUBJECT MATTER EXPERT STRATEGIC PLANNING GUIDANCE SOCIETY FOR RISK ANALYSIS STRATEGIC VIEW SYSTEM VIEW TA TBA THIRA TV TASK AUTHORITY THEORY-BASED APPROACH THREAT AND HAZARD IDENTIFICATION AND RISK ASSESSMENT TECHNICAL VIEW US UNITED STATES 31 March 2017 xxiv Version 01

27 EXECUTIVE SUMMARY Defence Research and Development Canada s (DRDC) Centre for Security Science (CSS) wants to demonstrate that their distribution of investments is based on evidence, and that it considers risks and other factors in a systematic manner. This project aims to support the development and/or improvement the internal risk assessment (RA) capabilities. The Architecture Framework (AF) is intended to support the CSS Annual Planning Process, and to improve communication and comparison of risk results across Focus Areas and Portfolios. The AF identifies where RA supports decision-making and Science and Technology (S&T) investment prioritization in each portfolio s processes. The results serve as a template for adopting a more systematic and traceable approach to evidence-based assessments with risk being one decision factor. The concept is that improved visibility of risk information would contribute to increasing its value through more internal engagement and leveraging the experience of CSS staff, which would foster a culture of risk-informed decision making that is an integral part of CSS management processes. The architecture report presents the CSS strategic views and functions that were developed using a model-based method to visualize important factors for RA and risk-informed decision support. AF products are easy to maintain and update using the relatively intuitive user interface. The architecture helps diverse user groups to visualize the relations between functions, objectives, requirements and other objects, and to identify gaps and redundancies in the views. The architecture can also help to clarify the evidence base related to the S&T distribution of investments. The architecture may also guide data collection plans and analysis, and support requirements definition for future collaborative approaches to gap analysis, selection of program risk treatment strategies and investment distribution. It can support operational and risk scenario planning and management processes by developing the complementary architecture views. In addition, the architecture can provide a single window on operational and risk scenarios that o support the convergence of strategic planning, capability-based planning and risk assessments in support of CSSP, portfolios and Communities of Practice. 31 March 2017 xxv Version 01

28 31 March 2017 xxvi Version 01

29 1 INTRODUCTION This document is one deliverable for Project W The report describes the methodology used to develop a demonstration architecture as part of a Risk Assessment (RA) framework project. The architecture is intended to support further development of an RA framework and other tools to support decision making within the Canadian Safety and Security Program (CSSP). An html version is also provided. 1.1 Background The Centre for Security Science (CSS) wants to demonstrate that their distribution of investments is based on evidence, and that it considers risk and other factors in a systematic manner. This project aims at developing and improving CSS RA capabilities to support the Annual Planning Process, to enable the CSSP to consolidate RA products, and to improve communication of risk information across focus areas and Portfolios. An Architecture Framework (AF) was used to identify where RA is or should be integrated into strategic planning and decision making to prioritize Science and Technology (S&T) investments. The AF serves as a template for adopting a more systematic and sustainable approach to RA to support a culture of evidence-based and risk-informed decision making. 1.2 Objective The objective of the architecture project is to provide a demonstration AF that models some of the relevant views of the CSSP analytic framework to show how risk information contributes to program alignment. The objective is not to rank specific risks, but to present information to decision makers in a way that supports an evidence-based approach, which includes evidence that partners and CSS manager have considered risk in the identification and prioritization of investments. At a higher level, the goal of this work is to demonstrate the benefits of using AF support for the visualization and evaluation of evidence, and alignment of capability-based assessments to support decision making on multiple levels. 31 March Version 01

30 1.3 Scope To satisfactorily attain the objectives presented above, the following assumptions guided the development of the architecture technology demonstrator: This project demonstrates the benefits of using AF for the visualization of RA information across the program. The Architecture Views are customized to satisfy the objective of the project. They do not represent traditional DNDAF architecture views. The architecture focuses on RA within CSS processes, not on CSS processes themselves, which would be part of an Enterprise Architecture (EA). The work focuses on the methodologies and processes. People and technology are not included. It was anticipated that the architecture views would include specific information on risk, and threat scenarios including values and broader scope (e.g., national, regional and local views); however, this information was not identified during data collection. The views developed in the architecture model are driven by CSS requirements. The Technical Authority (TA) requested specific hierarchical graphical views. 1.4 This Document This document is organized into the following sections: Section 1 Introduction: Describes the background and objectives for this document; Section 2 Enterprise Architecture: Defines the EA and how it could be used and developed further; Section 3 Method: Outlines the methodology; Section 4 HTML Report: Presents links to the.html architecture views; Section 5 Recommendations and Next Steps: Presents recommendations for exploiting the AF to support visualization and evaluation of RA and the processes it supports; 31 March Version 01

31 Section 6 Conclusions: Presents some benefits and limitations of the study that may influence the results or further work; Section 7 References: Identifies documents that guided the work; and Appendices: Describe the architecture views and representative taxonomy. 31 March Version 01

32 2 ENTERPRISE ARCHITECTURE Enterprise architecture (EA) uses a holistic approach to conduct analysis of an enterprise s related information. EA "applies architecture principles and practices to guide organizations through the business, information, process, and technology changes necessary to execute their strategies. These practices utilise the various aspects of an enterprise to identify, motivate, and achieve these changes" (Federation of Enterprise Architecture Professional Organisations, 2013). EA can be used to describe an organisation as it currently is ( As-is ), using a predefined framework that organises the capabilities of an organisation in a logical manner. EA can also be used to present the future state of an organization ( To-be ), provided by pragmatic artifacts (e.g. requirements, specifications, guiding principles, and conceptual models). Then, EA follows a system-of-systems perspective that helps to identify and fill gaps. Gaps between the As-is and the To-be state can be identified and a road map can be proposed to close those gaps and help the enterprise achieve its Tobe state. EA is particularly useful for: finding flaws in a method; linking documents and reports templates in the framework to facilitate access; identifying tasks inputs and outputs; standardising terminology and provide description; identifying information and resources required to produce outputs; standardising taxonomy; and using a system of system perspective that helps identify and fill gaps. For this specific project, the EA was used to find out what DRDC CSS processes, if any, involve RA. Once a review of how RA was conducted within DRDC CSS, the EA was used to identify the gaps (i.e., the need 31 March Version 01

33 to include RA in certain processes) to eventually be able to close the gaps and show risks in an objective and comprehensive way that is consistent across portfolios. 2.1 Framework A framework is the structure that supports the collection of processes, techniques, artifact descriptions, reference models and guidance for the development and organisation of a specific EA. The Department of National Defence (DND) has developed its own framework to provide a standard approach for all DND organizations; the DND Architecture Framework (DNDAF). DNDAF is an amalgamation of frameworks, from various public, private and defence sources and represents a unique DND/CF perspective (Department of National Defence and the Canadian Forces Architecture Framework (DNDAF) Volume 1, 2012). The DNDAF is comprised of eight views that are intertwined with one another, as depicted in Figure 2-1 (from Department of National Defence and the Canadian Forces Architecture Framework (DNDAF) Volume 2, 2012). The eight views (Figure 2-1) are: Figure 2-1: DNDAF 31 March Version 01

34 1. the Common View (CV) 2. the Strategic View (StratV) 3. the Capability View (CapV) 4. the Operational View (OV) 5. the System View (SV) 6. the Technical View (TV) 7. the Information View (IV) 8. the Security View (SecV). Each view can be decomposed into a set of sub-views that are interrelated within and across views. Architecture sub-views are those graphical, textual, and tabular items that are developed in the course of gathering architecture data, identifying their composition into related architecture components, and modelling the relationships among those components (Department of National Defence and the Canadian Forces Architecture Framework (DNDAF) Volume 2, 2012). The DNDAF was used in this project as a framework for the development of the architecture, but was not used as prescribed by the Department of National Defence and the Canadian Forces Architecture Framework (DNDAF) Volume 2, (2012). This project is a proof-of-concept study, where the architecture was used to demonstrate the benefits of using visualization of risk assessment for decision making. The StratV and OV5a of the DNDAF framework were customized to answer this need and to correspond to the requirements of DRDC CSS. 2.2 QualiWare The architecture was developed using DND EA tool called QualiWare (QW), a global consulting services and business modeling software provider. QW is comprised of QLM diagram templates (i.e., process models, workflows, organization, strategy models, etc.) that are used to populate the DNDAF views. Each view has a pre-determined set of diagram templates (in QW) that can be used by the QW Lifecycle 31 March Version 01

35 Manager (the user). For each template, a set of objects and relations are offered to the user. The interactions between the objects of a template are regulated by a set of strict rules (e.g., an object can be related only to certain type of objects, by a predefined set of relations). This limits the flexibility of QW, but ensures a degree of stability in what can be expected in one particular view. Each QW license connects to the repository, where all models and model objects created by a QW Lifecycle Manager are stored (see Figure 2-2). The repository is available to all users, so objects can be reused from one architecture to another for more consistency across models. In other words, the repository is a common corporate model to which all QW users contribute (see Figure 2-2). The repository is managed by the Repository Administrator, the Director of Enterprise Architecture (DEA). The DEA is responsible for implementing the DND EA Programme, and for integrating models and model objects developed by a QW Lifecycle Manager to the appropriate registry or repository. The usage of QW is restricted to DNDs employees or DND s contractors. However, as shown in Figure 2-2, an EA model can be published on the intranet and made available to people who do not have access to the software. 31 March Version 01

36 Figure 2-2: QualiWare System (from: Instruction slides for DNDAF Course ) 31 March Version 01

37 3 METHOD This section describes the overall methodology used to develop DRDC CSS RA architecture. The methodology consists of four phases, including literature review, development of high-level structure, architecture development, and validation and verification. Figure 3-1 presents a road map of the four main phases. Figure 3-1 aligns with the structure of this section, as follows: Section 3.1 Phase 1: Presents the rationale behind the selection of the literature and documentation that were reviewed and the data collection plan that served as the basis for the architecture development. Section 3.2 Phase 2: Describes the iterative cycle of the development of the high-level structure. Different versions of the Structure were developed based on the literature, input from Subject Matter Experts (SMEs) and comments and requirements from the TA. This high-level structure was used to provide the scope for the architecture development in the following Phase. Section 3.3 Phase 3: Presents the development of the architecture views based on the literature review, data collection and input from SMEs. Once populated, the architecture views were validated by the TA. Section 3.4 Phase 4: Presents the validation and verification of the architecture by stakeholders; update of the architecture based on their comments and requirements, and the final approval by the TA. 31 March Version 01

38 Method Phase 1 Literature Review Section 3.1 Phase 2 High Level Structure Development Section 3.2 Phase 3 Architecture Development Section 3.3 Phase 4 Validation and Verification Section 3.4 Documents provided by client High Level Structure Draft Validation with Client Data Collection External Validation Internal Validation Population Revision Review Documents Client Acceptation Client Validation Final Architecture 31 March Version 01

39 Figure 3-1: Overview of the Methodology 31 March Version 01

40 3.1 Phase 1 Literature Review This section presents the method underlying the literature review and data collection that later informed the development of the High-Level Structure (refer to Section 3.2) and the development of the architecture views (refer to Section 3.3). The documents relevant to this project were provided by DRDC CSS at the beginning and all along the progression of the project. As the amount of documentation provided was considerable, literature review was prioritized in collaboration with DRDC CSS. The priorities were established based on the relevance of the document for the development of the architecture views as follow: narratives (Seamless Border); strategic planning process including a Strategic Risk Assessment (SRA) methodology; management framework; Performance Measurement Strategy and performance indicators workbook; environmental scan (process, criteria and most recent example); Portfolio/Community of Practice (CoP); terms of reference for Governance bodies; and Defence & Security S&T Strategy. The CAE team developed a data collection plan based on the initial reading of the documentation as described below (Section 3.1.1) Data Collection Plan To identify how risk fits within the overall management system, the data collection effort focused on three key areas governance, decision making and objectives. Strategic outcomes (i.e., the CSSP Logic Model) were mapped to program, strategic planning, focus area, and portfolio and CoP objectives. Then, 31 March Version 01

41 misalignment or opportunities to make risk more visible/useful were identified. To support this process, a list of key references was consulted, which raised some questions from the CAE team. A list of key references and related questions was developed and presented to DRDC CSS (refer to Appendix A). Answers were provided by SMEs and DRDC CSS during a subsequent meeting. In addition to the identification of key references and questions, a data collection structure was developed. This structure was intended to provide guideline for the type of data that needs to be collected for the development of the architecture views. This table represents the main areas of concerns within CSS and the information resources that are used in those areas. 3.2 Phase 2 High Level Structure Development The creation of an integrated architecture requires information related to the processes, people, and technologies. Identifying these elements can prove challenging. Often, intermediate steps are required whereby architects and SMEs work together to talk-through situations and scenarios relevant to the problem space. In this context, the CAE team worked with DRDC CSS TA to come up with the high-level structure for data collection and architecture development that satisfy the projects objectives. This section describes the approach that was used to develop the high-level structure customized for this project (see Figure 3-2). Figure 3-2: High-Level Structure Development Cycle 31 March Version 01

42 As depicted in Figure 3-2, the development of the high-level structure for data collection and architecture development was an iterative process. Following the review of some key documents (previously identified with the help of the CSS TA, refer to Section 3.1), the CAE team developed a data collection approach based on their understanding of DRDCCSS processes. Figure 3-3 depicts the original framework built for this purpose. Figure 3-3: Data Collection Approach (1) After review and refinement with the CSS TA, it was decided to concentrate on the Strategic Level, and to include only Strategic Visions, Goals, Objectives and Business Functions in the architecture. The data collection approach was modified accordingly. Figure 3-4 depicts the resulting approach that was taken for this project. The area depicted by a purple circle represents the scope of this project. 31 March Version 01

43 Figure 3-4: Data Collection Approach (2) 3.3 Phase 3 Architecture Development This section describes the methodology used to develop the architecture views that supported DRDC CSS in mapping out how RA contributes decision making within the CSSP. The population of the architecture was an iterative process, as illustrated in Figure 3-5 (see also Phase 3 in Figure 3-1). A series of views were developed, based on the data collected from the literature. The views were validated by SMEs and changes were made according the recommendations. This cycle was repeated until a satisfactory version of the architecture was obtained and presented to DRDC CSS for review and approval. The following sections describe the development of StratV (Section 3.3.1), functional decomposition (Section 3.3.2), RA methodologies and processes (Section 3.3.3) and taxonomy (Section 3.3.4) in more details. 31 March Version 01

44 Figure 3-5: Architecture Development Process Strategic Views Once the scope of the architecture was established, StratVs were proposed to DRDC CSS. The first StratV proposed was developed based on CAE s understanding of the Strategic Planning Guidance for (SPG) and is presented in Figure 3-6. After discussion with DRDC CSS TA, it was decided that this view did not fairly represent all the strategic functions of DRDC CSS. Further discussion led to the decision to use the DRDC CSS Planning Cycle illustrated in the SPG as a StratV. The DRDC CSS Planning Cycle was reproduced in QW and is presented in (Figure 3-7). The StratV was presented to DRDC CSS for approval, after which it was decomposed into a series of Functional Decomposition diagrams OV5a (refer to Section 3.3.2). 31 March Version 01

45 Figure 3-6: CSS Strategic View (1) 31 March Version 01

46 Figure 3-7: Final Strategic View Functional Decomposition Diagrams (OV5a) The architecture is composed of Business Process Networks (StratV; Architecture Level 1) and a series of Functional Model Diagrams (OV-5a s; Architecture Level 2 and below). The OV-5a s are decomposed using QW s Functional Model Diagrams. Figure 3-8 presents an example of a Functional Model Diagram. Each function and sub-function in the OV5a is represented by a Business Function. Relations between functions and sub-functions are represented by links inside each function. The type of connections is mandatory in QW and could not be replaced by any other type of relation. 31 March Version 01

47 Figure 3-8: Example of a Functional Model Diagram The architecture is comprised of up to seven levels of decomposition. To simplify the graphics, each graph is comprised of only two levels of decomposition. All subsequent levels of decomposition are illustrated in a separate graph. The link between a parent Business Function and its child Business Functions is represented in QW by a dark blue square icon at the bottom or beside the function. When one clicks on the icon beside the parent Business Function, QW automatically open the graph representing its decomposition, as illustrated in Figure March Version 01

48 Figure 3-9: Decomposition of a Business Function The StratV described in the previous section (refer to Section 3.3.1) serves as the highest level of the architecture (Level 1) to which all the OV-5a s are linked (see Figure 3-10). Each Business Function of the StratV represents a process of the CSSP Planning Cycle and is decomposed into sub-processes, also represented by Business Functions (see Figure 3-11). The decomposition continues until no more subprocesses can be identified. For example, the Community Engagement process in Figure 3-10, Architecture Level 1, is decomposed into an Architecture Level 2 comprised of one sub-process, Portfolio/CoP Management (Figure 3-11). The Level 2 Portfolio/CoP Management can also be decomposed into an Architecture Level 3 that is comprised of a set of sub-functions (see Figure 3-12). All the sub-functions listed in Figure 3-12 are decomposed into an Architecture Level 4. Figure 3-13 shows the decomposition of Level 3 Border and Transportation Security Portfolio into a Level 4 (see Figure 3-13). In this example, only three of the four sub-functions are decomposed into a fifth level of architecture (represented by a purple square icon). 31 March Version 01

49 Figure 3-14 illustrates the decomposition of Level 4 Border and Transportation Security Policy/Operational Context into four Level 5 sub-functions. Here again, only two out of four subfunctions are decomposed into Level 6. Figure 3-15 shows the decomposition of Level 5 Seamless Borders Gaps into two Level 6 sub-processes. As illustrated in Figure 3-15, the two sub-functions are not decomposed any further, which ends this branch of the architecture. The same function was used for each business function and sub-functions decomposition. Figure 3-10: Architecture Example Level 1 31 March Version 01

50 Figure 3-11: Architecture Example Level 2 Figure 3-12: Architecture Example Level 3 31 March Version 01

51 Figure 3-13: Architecture Example Level 4 Figure 3-14: Architecture Example Level 5 Figure 3-15: Architecture Example Level 6 31 March Version 01

52 To better represent the CSSP Planning Cycle, some functions and/or sub-functions were linked together to illustrate their relationship and interdependencies. Links between functions are represented in the architecture by an additional dark blue square icon, as illustrated in Figure The difference between a functional decomposition and a link between functions is not readily available. One must open the related diagram and identify the first level functions. If the first level function is the same as the parent function that was just opened, it is a decomposition. If the first level function is not the same, then this is a link between two different functions. For example, in Figure 3-16, the functions Seamless Border Gaps presents two icons. The left-handed icon opens the decomposition of Seamless Border Gaps into two sub-functions. Therefore, the first level process of the child graphic is the same: Seamless Border Gaps. The right-handed icon opens a related graphic, therefore, the function at the first level of the child graphic is different, here, it represents a relation with the S&T Challenges function. Figure 3-16: Interrelations between Processes 31 March Version 01

53 In this project, the AF was used to show risks in an objective and comprehensive way that is consistent across portfolios. However, in the literature that was reviewed, little mention is made regarding RA in the CSSP Annual Planning processes. To illustrate this gap and facilitate comparison across Portfolios, SMEs identified where, in the business functions, RA should be included. A placeholder was added to the diagrams to represent this gap. Missing RA processes are represented by a pink Business Functions, as depicted in Figure RA Methodologies/ Process (OV-5b) Figure 3-17: RA Placeholders/Gaps The CAE team used the architecture views to illustrate the RA methodologies that are used within DRDC CSS, the Portfolios and the CoPs. A Business Process Network was used to illustrate the relation between the RA processes and sub-processes. The objective of this phase was to document the RA s steps, information requirements and sub-processes. The models developed here can be used as an instructional guideline to support the users following the RA s steps properly and to ensure that all the requirements are satisfied. The models can also be used as a tool for analysis and comparison between different RA methodologies. Analysis could include the commonality, gaps, and overlaps. The models can also demonstrate what criteria were used to identify Risks in each RA methodology. Examples of these methodologies include but are not limited to: 31 March Version 01

54 Harmonized Threat and Risk Assessment (HTRA), Threat and Hazard Identification and Risk Assessment (THIRA), Hazard and Identification Risk Assessment (HIRA), Vulnerability assessment, resiliency assessment; all Hazards Risk Assessment (AHRA), scenario and capability base planning; and Chemical, Biological, Radiological/Nuclear and Explosive (CBRNE) Consolidated Risk Assessment (CRA). Figure 3-18 depicts the high-level steps that are taken in the AHRA Taxonomy Figure 3-18:AHRA Methodology AF provides a standard way to organize the information related to RA. Using the AF tool, the risks taxonomy can be translated into an IV diagram (IV-1). Using the Taxonomy, risks can be linked to capabilities, which are decomposed into people, processes and technologies. These capabilities can be illustrated as factors that can reduce the likelihood and impact of the risks. Figure 3-19 is an example of Risk Event Taxonomy for AHRA: 31 March Version 01

55 Figure 3-19: AHRA Risk Event Taxonomy [Public Security Technical Program Planning Scenario Final Report] 3.4 Phase 4 External Validation and Final Architecture Once the architecture was populated and validated by SMEs and DRDC CSS, it was presented to stakeholders for further comments and validation. The architecture was presented and explained, starting from the StratV and going down to the lowest level of decomposition. Due to time contraints, part of the architecture could not be validated by the stakeholders. During the validation session, the stakeholders provided comments and additional information regarding DRDC CSS RA processes. The comments were noted and modifications were made to the architecture to better reflect the CSS RA processes. Finally, final approval from DRDC CSS was obtained. 31 March Version 01

56 4 HTML REPORT This section provides the links to architecture views. 4.1 Strategic View and Functional Decomposition Combined together, the Strategic View and the Functional Decomposition form the chore of the architecture. They can be accessed using the following html link: Architecture Screenshots from the architecture are presented in Appendix B. The.qrp file will be provided separately. 4.2 RA Methodologies The graphics illustrating the RA Methodologies can be accessed using the following html link: RA Methodologies Screenshots from the RA Methodologies are presented in Appendix C. The.qrp file will be provided separately. 4.3 Taxonomy Screenshots from the Taxonomy are presented in Appendix D. The.qrp file will be provided separately. 31 March Version 01

57 5 RECOMMENDATIONS AND NEXT STEPS This section presents the recommendations and outlines a potential way forward. The recommendations that are made here are based on the architecture work and inputs from the Seamless Borders SRA literature scan. 5.1 Strategic Level At the strategic level, CAE recommends to link the Seamless Borders prototype to the program level. This involves incorporating the three Focus Area Narratives that were not included in this study (i.e., Critical Infrastructure Resilience, Operator Capabilities and Resilient Communities) and linking them to key enablers. Once a complete architecture is available, the product should be used to establish a common risk lexicon and a list of acronyms to be included in the existing Taxonomy (refer to Appendix B). The architecture product should then be used to review options for consolidating portfolio resources. CAE also recommends linking the Focus Area Narratives to: The Performance Measurement Strategic Plan (i.e., CSSP indicators). CSSP dashboards or trend analysis (risk exposure; investment history; case studies; typologies, etc.). CSSP governance. DRDC S&T Strategic objectives. Public Safety (PS) strategies and action plans (e.g., critical infrastructure, cybersecurity). The architecture views demonstrated that little mention is made regarding RA in the CSSP Annual Planning processes. With the help of SMEs, placeholders were included in the architecture views to identify where, in the processes, RA should be involved. CAE recommends that DRDC CSS uses the architecture views to identified the gaps and modify the existing processes to include RA where applicable. Ideally, RA processes would be related to the RA methodologies presented in Section March Version 01

58 5.2 Program Level At the program level, CAE recommends extending the Seamless Borders prototype (decomposition of the Seamless Border Focus Area as a whole) included in the existing architecture product to the other Focus Areas (Critical Infrastructure Resilience, Operator Capability and Resilient Community). As for the Focus Area Narratives mentioned above (refer to Section 5.1), links between the Focus Areas and enablers should be identified. In addition, Threat and Hazard Mitigation should be expanded and linked to the evidence-based assessments component of the CSSP Annual Planning Process. Finally, key partners should be identified for each Focus Area. Then, a partners dependency matrix should be developed. 5.3 Focus Area Seamless Borders Depending on what CSS decides to do with EA (and QW); there are several opportunities to build on the Seamless Borders AF work including: Incorporate an inventory of the different types of high-level risk scenarios and supporting threat and hazard-specific scenarios and vignettes to evaluate the architecture as a scenario management tool. Incorporate stakeholders RA practices and the most current RA outputs to provide evidence that partners considered risk in their identification of gaps and investment priorities, and use the AF to complement portfolios and CoP managers understanding of the operational risk environment. Incorporate an inventory of partners impact categories and assessment approaches, and support investigation of a unifying framework to support comparison of assessments across Seamless Borders risk domains. Include process flow diagrams to illustrate general and specific RA processes (i.e., risk; threat / hazard, vulnerability; criticality; resilience; etc.) and link them to RA placeholders included in the architecture views. This would support the use of standardised RA methodologies; and contribute to data collection, evidence gathering, and performance measurement; and facilitate knowledge management within CSS. 31 March Version 01

59 5.4 Discussion In the light of the results and recommendations (Sections 5.1 to 5.4) proposed above, some issues and line of thoughts arise which will have an influence on the way forward for CSS. The first issue that arises is in relation with the continuity of the architecture. It is not clear whether DRDC CSS wants to implement the EA (e.g., using QW) at the enterprise or program level. Some limiting factors include having personnel dedicated in maintaining the EA on a regular basis. If it is the case, then the recommendations proposed at the strategic and program levels remain relevant. If DRDC CSS decides to go forward with keeping the architecture alive, a set of scoping questions need to be answered: Is DRDC implementing QW (and/or other tools)? If so, are there interoperability requirements? What partners are using the same or similar approaches)? What is the DRDC CSS total cost of ownership and resource commitment? Another issue raised by the results and recommendations concerns the capability assessment: does DRDC CSS want to link capability-based assessment to risk assessment as primary inputs to decision making? If so, then the recommendations proposed at the Focus Area level are essential to streamline and test the concept. If DRDC CSS considers this option, then the following information need to be gathered: Status of Canada and US Core Capabilities Lists; criteria, history; trends; and how is risk used on assessment process. Performance measurement (indicators). 31 March Version 01

60 6 CONCLUSIONS This section presents the expected benefits of the architecture product and the limitations of this project. 6.1 Expected Benefits The architecture developed for this project may be beneficial for CSS. The RA architecture presents the DRDC CSS strategic views and functions using a mode-based method to visualize all the important factors for RA. Architecture products are intuitive and easy to maintain and update the interface. The architecture visualises the relations between all the required functions and requirements and makes it easy to identify gaps and redundancy in the processes. The architecture can also help to clarify the evidence base in relation to the Portfolios and S&T Challenges. The architecture developed in this project may also guide data collection plan and analysis and support requirements definition for future collaboration environment. It can support operational and risk scenario planning and management processes by developing the related architecture views. Finally, the architecture may be used to get an inventory of strategic and complex risk scenarios and existing specific threat and hazard scenarios (i.e., All Hazards Risk Assessment (AHRA), Consolidated Risk Assessment (CRA), and the National Risk Profile (NRP) for Canada). 6.2 Limitations Some factors have limited the scope of this study and influenced the results. First, there was no interview performed to support data collection; the technical content of the architecture was validated by SMEs (the TA and another SME), and two stakeholders from the DRDC CSS Policy and Planning team. Therefore, the gaps identified in the architecture represent only the opinion of the SMEs consulted. In addition, the architecture presented in Appendix A is limited to the documentation provided by DRDC CSS. In addition, due to time and budget constraints, not all the documentation could be included in the architecture at this point. The list of references that constitute the architecture is provided in Section 7. It is also important to note that the only Focus Area Narrative considered in this study is the Seamless Border Narrative; the other three narratives were not available. 31 March Version 01

61 7 REFERENCES Bayne, I. (2016). Comprehensive scan for CSSP risk assessment framework: Establishing a method and process for assessing the distribution of CSSP investments. Document No Version 06. Bayne, I., Duncan, J., Mills, B., Friesen, S., & Goudreau, A. (2013). The Federal All Hazards Risk Assessment Framework Body of Knowledge Volume1: Establishing an Information Baseline and Way Forward. Call for Proposals under the Canadian Safety and Security Program Bidder s Guidebook for (2016). Canadian Safety and Security Program Environmental Scan. (2013). Department of National Defence and the Canadian Forces Architecture Framework (DNDAF) Volume 1: Overview and Definitions. (2012). Version Federation of EA Professional Organizations. (2013). Common Perspectives on Enterprise Architecture. Architecture and Governance Magazine, 9(4) Gobeil, R. & Godsoe, M. (2015). Canadian Safety and Security Program Environmental Scan. Hubbard, P. (2014). Border and Transportation Security (BTS). CSSP-2014-BTSCOP-Z27 Management Framework Review of the Canadian Safety and Security Program. (2015). New CSSP Logic Model. (April 2015). Performance Measurement Strategy. (January, 2016). Performance Measurement Strategy Implementation Guide. (May, 2016). Policy on Governement Security Glossary. (2015). Treasury Board. Risk Taxonomy (O-RT) Version 2.0. (2013). The Open Group. 31 March Version 01

62 Seamless Border Focus Area Narrative Strategic Planning Guidance for (2016) Theory-Based Approaches to Evaluation: Concepts and Practices. (2012). ISBN March Version 01

63 APPENDIX A DATA COLLECTION PLAN A.1 Key References Table A-1 is a preliminary planning tool. It identifies questions, potential data sources and reference material to support the architecture work. The team did not maintain or update the tool during the project. The tool does not include GC partners or DHS S&T Directorate references, in the SRA and other projects identified. Table A-1: Preliminary Planning Tool References Questions / Discussion Points GC and DND priorities (and strategic outcomes) especially related to S&T / R&D PS priorities (strategies, programs, policies, action plans, MOUs) Program Alignment Architecture (sub-sub program of DND PAA 3 outcomes (1.3, PM Strategy) Sources? How are these priorities evaluated and included in the planning process? TB oversight instruments (do not need to review, but they are an input, and they drive the level of effort to administer the program) Delivery agent priorities; are risk assessment techniques; risk assessments visible in partners prioritization processes? No standard for capability gap analysis? PS performance measurement approach PS role policy advice to CSSP? (PM Strategic Plan, 1.6 Governance) PAA process (part of SPG development) How is PAA used (logic model, performance measurement) Performance Measurement (PM) Strategic Plan, Oct 15 (Draft) Strategic risks and external factors (2.5) Annual Performance Report Management Guide (SOP for strategic risk assessment) What documentation is there for capability gap analysis (and prioritization)? Performance indicator workbook - status? (Draft, Oct 15 - to be implemented in FY16/17) Management action plan (process?) 31 March 2017 A Version 01

64 References Logic Model (program is evidence-based, interconnected and resilient ; PM Strategy, 2.4) Immediate outcomes Intermediate outcomes Ultimate outcomes Management Framework Review, WindReach, Apr Governance 1.4 Risk factors ( complexity = inherent risk ) Of greatest concern are the risks that may lead to an unclear or inconsistent set of federal priorities for the program and, downstream of this, a misalignment of scarce federal resources to the pre-defined priorities. In other words, for programs such as these, there is a high degree of inherent risk that priorities will not be clearly defined, will diverge from the federal mandate or will be inappropriately funded Questions / Discussion Points DRDC Performance Management Strategy, Mar 14 Criteria for success; measures of effectiveness; feedback loops to capture evidence? implications for program design and/or operations (Performance Measurement Strategic Plan, 2.3, bullet 3) A Framework for Public Safety and Security S&T 2012/13, DRDC, June 2012 (current version?) Program review process? Criteria? Ranking system? Governance terms of reference; standard agenda; risk register / action items? o Steering Committee (SC) o Program Management Board (PMB) o Advisory Board (AB) Issue key player in PS is EM & Programs Branch? focus is not on security Policy decision budget allocation; procurement method breakdown? Internal capability #/%. Malicious vs nonmalicious? Ration of budget spent on management overhead compared to delivery? Small budget for scope. Frequency of strategic planning cycle currently annual too frequent? Too much time spend on reporting and program administration too many controls for size of program risk areas (not identified) 2.0, net risk facing the program Strategic Planning Guidance Risk section Procurement mechanisms Environmental scan methodology, process, recent example? Foresight and futures studies are these inputs? How doe scan deal with safety and security S&T Value of program? Vision statement? Risk appetite / tolerance statement? 31 March 2017 A Version 01

65 References Technology Acquisition Targeted Investment Community Development Calls for Innovation Narratives (Focus Areas) Seamless Borders Critical Infrastructure Resilience Threat & Hazards Mitigation Safer Communities Portfolios / CoPs, networks Performance reports Performance indicators Risk indicators Capability gap analysis reports Questions / Discussion Points Planning process documented, timing, validation; risk and issue identification? Performance indicators / metrics for procurement? o Budget allocation & trends for procurement modalities. Effort per vehicle (ROI/benefit, risks) Canada s S&T Strategy, Seizing Canada s moment: Moving Forward in Science, Technology & Innovation, 2014 Defence & Security S&T Strategy, 2013 Provided Seamless Borders only (due to sensitivity of the information at the time) What is meant by threats & hazards mitigation (protection of responders / security practitioners ) partners / delivery agents responsibility (ROI) who defines protection levels? Risk input? Capability gap analysis process? Status of portfolio / CoP narratives (last ones 2014/15 See Risk Scan) Performance reports from portfolios / CoPs? Theory-Based Approaches to Evaluation: Concepts & Practices, TB, 2012 Does T/H Mitigation scan international practices (e.g., NRAs, EM lessons) Narratives? Capability gap analysis standard / SOP How do communities scan lessons from real events, exercises, intelligence reports, open source intelligence? How are network scans amalgamated and rolled up? What guides and tools exist for threat, hazard, vulnerability, criticality, impact and risk assessments for domains (security and CIP; Health, safety and environment; natural hazards and resilience) 31 March 2017 A Version 01

66 APPENDIX B ARCHITECTURE B.1 CSSP Planning Cycle Figure B-1: CSSP Planning Cycle 31 March 2017 B Version 01

67 B.2 Call for Proposal Figure B-2: Call for Proposal (CFP) Figure B-3: CFP CSSP Funding 31 March 2017 B Version 01

68 Figure B-4: CFP Process Figure B-5: CFP Notice of Proposed Procurement 31 March 2017 B Version 01

69 Figure B-6: CFP Process Phase 1 B.3 Focus Area Narratives Figure B-7: Focus Area Narratives 31 March 2017 B Version 01

70 Figure B-8: Seamless Borders (SB) Narrative Figure B-9: SB - Portfolio Activities 31 March 2017 B Version 01

71 Figure B-10: SB Gaps Figure B-11: SB Priorities 31 March 2017 B Version 01

72 Figure B-12: SB De-risk Figure B-13: SB Risk-Informed Delivery Cycle 31 March 2017 B Version 01

73 Figure B-14: SB Establish Clients Priorities Figure B-15: SB Formulate Program 31 March 2017 B Version 01

74 Figure B-16: SB Generate Evidence through Projects Figure B-17: SB Provide Advice 31 March 2017 B Version 01

75 B.4 SPG Figure B-18: SPG Figure B-19: Focus Area Priorities 31 March 2017 B Version 01

76 B.5 S&T Challenges Figure B-20: S&T Challenges Figure B-21: S&T Use Action Research or Similar Methodology 31 March 2017 B Version 01

77 Figure B-22: S&T Strengthen Capacity of Emergency Responders Figure B-23: S&T Use Broadband Wireless Technologies to Provide Next-Generation Reliable Communications 31 March 2017 B Version 01

78 Figure B-24: S&T Make Use of Nano and/or Synthetic Biological Technology Figure B-25: S&T Enhance Ability of Maritime Operators and Partners to Accomplish Public Safety and Security Objectives 31 March 2017 B Version 01

79 Figure B-26: S&T Develop and Assess Options for Next-Generation Surveillance of Canada's Northern Waters and Approaches B.6 Evidence-Based Analysis Figure B-27: Evidence-Based Analysis (EBA) 31 March 2017 B Version 01

80 Figure B-28: EBA Risk Assessment Framework Figure B-29: EBA Enable and Inform CSSP Decision Making 31 March 2017 B Version 01

81 Figure B-30: EBA Risk Assessment in Targeted Domains Figure B-31: EBA National Risk Assessment 31 March 2017 B Version 01

82 B.7 Performance Measurement Figure B-32: Performance Measurement (PM) Figure B-33: PM CSSP Performance Measurement Strategy 31 March 2017 B Version 01

83 Figure B-34: PM Strategy Principles Figure B-35: PM Key Performance Indicators 31 March 2017 B Version 01

84 Figure B-36: PM Performance Evaluation B.8 Community Engagement Figure B-37: Community Engagement (CE) 31 March 2017 B Version 01

85 Figure B-38: CE Portfolios/CoP Management B.8.1 Biological Hazard Portfolio Figure B-39: Biological Hazards (BH) Portfolio 31 March 2017 B Version 01

86 Figure B-40: BH Program of Work Figure B-41: BH Rapid Diagnostics and Situational Awareness 31 March 2017 B Version 01

87 Figure B-42: BH Containment and Decontamination Figure B-43: BH Medical Countermeasures 31 March 2017 B Version 01

88 B.8.2 Border and transportation Security Portfolio Figure B-44: Border and Transportation Security (BTS) Portfolio Figure B-45: BTS Policy/Operational Context 31 March 2017 B Version 01

89 Figure B-46: BTS Partners Figure B-47: BTS Program of Work 31 March 2017 B Version 01

90 Figure B-48: BTS Biometrics and Passenger Screening Figure B-49: BTS Biometrics Existing Projects 31 March 2017 B Version 01

91 Figure B-50: BTS Biometrics Activities for 2014/15 Figure B-51: BTS Biometrics Remaining Challenges 31 March 2017 B Version 01

92 Figure B-52: BST Technologies to Increase Passenger Safety Figure B-53: BTS Passenger Safety Existing Projects 31 March 2017 B Version 01

93 Figure B-54: BTS Passenger Safety Activities for 2014/2015 Figure B-55: BTS Passenger Safety Remaining Challenges 31 March 2017 B Version 01

94 Figure B-56: BTS Technologies Supporting Fast Screening of Containers Figure B-57: BTS Technologies Remaining Challenges 31 March 2017 B Version 01

95 Figure B-58: BTS Technologies Pilots for Efficient Container Management Figure B-59: BTS Assessing Cyber Vulnerabilities 31 March 2017 B Version 01

96 Figure B-60: BTS Biometrics Existing Projects Figure B-61: BTS Cyber Vulnerabilities Activities for 2014/ March 2017 B Version 01

97 Figure B-62: BTS Cyber Vulnerabilities Remaining Challenges Figure B-63: BTS Arctic Security 31 March 2017 B Version 01

98 Figure B-64: BTS Arctic Security Existing Projects Figure B-65: BTS Arctic Security Activities for 2014/ March 2017 B Version 01

99 Figure B-66: BTS Arctic Security Remaining Challenges Figure B-67: BTS Integration and Analysis 31 March 2017 B Version 01

100 Figure B-68: BTS Integration and Analysis Existing Projects Figure B-69: BTS Integration and Analysis Activities for 2014/ March 2017 B Version 01

101 Figure B-70: BTS Integration and Analysis Remaining Challenges B.8.3 Critical Infrastructure Figure B-71: Critical Infrastructure (CI) Portfolio 31 March 2017 B Version 01

102 Figure B-72: CI Focus Figure B-73: CI Program of Work 31 March 2017 B Version 01

103 Figure B-74: CI Call for Proposals (CFP) Projects Figure B-75: CI Targeted Investments 31 March 2017 B Version 01

104 Figure B-76: CI Technology Acquisition Figure B-77: CI Community Development Workshops 31 March 2017 B Version 01

105 B.8.4 E-Security Portfolio Figure B-78: E-Security (E-S) Portfolio Figure B-79: E-S Operation Capabilities 31 March 2017 B Version 01

106 Figure B-80: E-S Policy/Operational Context Figure B-81: E-S Program of Work 31 March 2017 B Version 01

107 B.8.5 Emergency Management, Systems and Interoperability Portfolio Figure B-82: Emergency Management, Systems and Interoperability (EMSI) Portfolio Figure B-83: EMSI Policy/Operational Context 31 March 2017 B Version 01

108 Figure B-84: EMSI Program of Work B.8.6 Explosives Portfolio Figure B-85: Explosives (Exp) Portfolio 31 March 2017 B Version 01

109 Figure B-86: Exp Specific S&T Areas Figure B-87: Exp Policy and Operational Context 31 March 2017 B Version 01

110 Figure B-88: Exp Metric Based on Resilience Four Pillars Figure B-89: Exp Program of Work 31 March 2017 B Version 01

111 Figure B-90: Exp Scenarios Figure B-91: Exp Analyze Scenarios 31 March 2017 B Version 01

112 Figure B-92: Exp Projects Figure B-93: Exp Prevention 31 March 2017 B Version 01

113 Figure B-94: Exp Prevention Existing Programs Figure B-95: Exp Prevention Planned Activities 31 March 2017 B Version 01

114 Figure B-96: Exp Prevention Remaining Challenges Figure B-97: Exp Preparedness 31 March 2017 B Version 01

115 Figure B-98: Exp Preparedness Existing Projects Figure B-99: Exp Preparedness Planned Activities 31 March 2017 B Version 01

116 Figure B-100: Exp Preparedness Remaining Challenges Figure B-101: Exp Preparedness- Existing Projects 31 March 2017 B Version 01

117 B.8.7 Fire Services Portfolio Figure B-102: Fire Services (FS) Portfolio Figure B-103: FS Primary Functions (PMS) 31 March 2017 B Version 01

118 Figure B-104: FS Assess Impact of CSSP Output Upon Community Figure B-105: FS Program of Work 31 March 2017 B Version 01

119 Figure B-106: FS Evidence-Based Decision Making Figure B-107: FS Evidence-Based Decision Making Existing Work 31 March 2017 B Version 01

120 Figure B-108: FS Evidence-Based Decision Making Remaining Challenges Figure B-109: FS Dangerous Hazardous Goods 31 March 2017 B Version 01

121 Figure B-110: FS Dangerous Hazardous Goods Existing Work Figure B-111: FS Dangerous Hazardous Goods Remaining Challenges 31 March 2017 B Version 01

122 Figure B-112: FS Smart Firefighting Figure B-113: FS Smart Firefighting Existing Work 31 March 2017 B Version 01

123 Figure B-114: FS Smart Firefighting Remaining Challenges B.8.8 Natural Hazard Portfolio Figure B-115: Natural Hazard (NH) Portfolio 31 March 2017 B Version 01

124 Figure B-116: NH Priorities Figure B-117: NH Policy/Operational Context 31 March 2017 B Version 01

125 Figure B-118: NH Program of Work Figure B-119: NH Consolidated Priorities 31 March 2017 B Version 01

126 Figure B-120: NH Priorities for Disaster Risk Reduction Type of Work Figure B-121: NH Social Change 31 March 2017 B Version 01

127 Figure B-122: NH Social Change Type of Work Figure B-123: NH Social Change Planned Activities 31 March 2017 B Version 01

128 B.8.9 Paramedic Services Portfolio Figure B-124: Paramedic Services (PMS) Portfolio Figure B-125: PMS Primary Functions 31 March 2017 B Version 01

129 Figure B-126: PMS Assess the Impact of CSSP Outputs Upon Community Figure B-127: PMS Policy/Operational Context 31 March 2017 B Version 01

130 Figure B-128: PMS Operational Context Priority Domains Figure B-129: PMS Program of work 31 March 2017 B Version 01

131 Figure B-130: PMS Mobilising Health Care Figure B-131: PMS Mobilising Health Care Existing Work 31 March 2017 B Version 01

132 Figure B-132: PMS Mobilising Health Care Remaining Challenges Figure B-133: PMS Evidence-Based Decision Making 31 March 2017 B Version 01

133 Figure B-134: PMS Evidence-Based Decision Making Existing Work Figure B-135: PMS Evidence-Based Decision Making Remaining Challenges 31 March 2017 B Version 01

134 Figure B-136: PMS Standards Development Figure B-137: PMS Standards Development Existing Work 31 March 2017 B Version 01

135 Figure B-138: PMS Standards Development Remaining Challenges Figure B-139: PMS Practitioner Well-Being 31 March 2017 B Version 01

136 Figure B-140: PMS Practitioner Well-Being Existing Work Figure B-141: PMS Practitioner Well-Being Remaining Challenges 31 March 2017 B Version 01

137 B.8.10 Radiological and Nuclear Portfolio Figure B-142: Radiological and Nuclear (RN) Portfolio Figure B-143: RN Vulnerabilities 31 March 2017 B Version 01

138 Figure B-144: RN Investment Strategy Figure B-145: RN Policy/Operational Context 31 March 2017 B Version 01

139 Figure B-146: RN Program of Work Figure B-147: RN Quantitative and Qualitative Threat Assessment 31 March 2017 B Version 01

140 Figure B-148: RN Quantitative and Qualitative Threat Assessment Run Scenarios Figure B-149: RN Projects List 31 March 2017 B Version 01

141 B.8.11 Police Law Enforcement Portfolio Figure B-150: Police Law Enforcement (PLE) Portfolio Figure B-151: PLE Policy/Operational Context 31 March 2017 B Version 01

142 Figure B-152: PLE - Program of Work Figure B-153: PLE Priorities Areas 31 March 2017 B Version 01

143 Figure B-154: PLE Priorities Areas Improving Economics Figure B-155: PLE Priorities Areas Improving Economics Existing Work 31 March 2017 B Version 01

144 Figure B-156: PLE Priorities Areas Improving Economics Remaining Challenges Figure B-157: PLE Priorities Areas Employing Emerging Technology 31 March 2017 B Version 01

145 Figure B-158: PLE Priorities Areas Employing Emerging Technology Existing Work Figure B-159: PLE Priorities Areas Employing Emerging Technology Remaining Challenges 31 March 2017 B Version 01

146 Figure B-160: PLE Priorities Areas Reducing the Cost and Time of Investigation Figure B-161: PLE Priorities Areas Reducing the Cost and Time of Investigation Existing Work 31 March 2017 B Version 01

147 Figure B-162: PLE Priorities Areas Evidence-Based Decision Making Figure B-163: PLE Priorities Areas Evidence-Based Decision Making Existing Work 31 March 2017 B Version 01

148 Figure B-164: PLE Priorities Areas Evidence-Based Decision Making Remaining Challenges Figure B-165: PLE Priorities Areas Employing Emerging Technology 31 March 2017 B Version 01

149 Figure B-166: PLE Priorities Areas Employing Emerging Technology Existing Work Figure B-167: PLE Priorities Areas Employing Emerging Technology Remaining Challenges 31 March 2017 B Version 01

150 B.8.12 Surveillance, Intelligence and Interdiction Portfolio Figure B-168: Surveillance, Intelligence and Interdiction (SII) Portfolio Figure B-169: SII Objectives 31 March 2017 B Version 01

151 Figure B-170: SII Policy/Operational Context Figure B-171: SII Program of Work 31 March 2017 B Version 01

152 Figure B-172: SII Action Plan Figure B-173: SII Canada s Counter-Terrorism Strategy 31 March 2017 B Version 01

153 Figure B-174: SII DSO Readiness Committee Priorities B.8.13 Psycho-Social Portfolio Figure B-175: Psycho-Social (PS) Portfolio 31 March 2017 B Version 01

154 Figure B-176: PS Capability Gaps Figure B-177: PS Partners 31 March 2017 B Version 01

155 Figure B-178: PS Policy/Operational Context Figure B-179: PS Emerging Issues 31 March 2017 B Version 01

156 Figure B-180: PS Program of Work Figure B-181: PS Counter-Violent Extremism 31 March 2017 B Version 01

157 Figure B-182: PS Counter-Violent Extremism Existing Work Figure B-183: PS Counter-Violent Extremism Remaining Challenges 31 March 2017 B Version 01

158 Figure B-184: PS Support to First Responders and Public Figure B-185: PS Support to First Responders and Public Existing Work 31 March 2017 B Version 01

159 Figure B-186: PS Support to First Responders and Public Remaining Challenges Figure B-187: PS Community Resilience Existing Work 31 March 2017 B Version 01