Audit of Emergency Planning and Preparedness

Prepared by: Office of Audit and Evaluation

This report was endorsed for approval by the NRC Departmental Audit Committee on April 26, 2021.

This report was approved by the NRC's President on May 11, 2021.

Cat. No.: NR16‑357/2021E‑PDF

ISBN: 978‑0660‑38899‑1

Executive Summary and Conclusion

Background

The Emergency Management Act (2007) requires all federal departments and agencies to prepare plans that identify emergency management (EM) risks along with their respective mitigation strategies. The ultimate purpose of EM is to save lives, preserve the environment and protect property and the economy, using an all‑hazards approach to plan for and address both natural and human‑induced hazards and disasters. (Footnote 1)

All federal institutions are responsible for developing, maintaining, testing and exercising EM plans to address risks in their area of responsibility. EM refers to the management of all hazards, including activities and risk management measures related to elements found under the four pillars of EM (prevention and mitigation, preparedness, response and recovery).

As part of the 2019‑2022 risk‑based annual planning process, the National Research Council's (NRC) Office of Audit and Evaluation identified the Audit of Emergency Planning and Preparedness as a high priority. This assessment was based on the inherent risks and the need for assurance that the NRC is prepared in the event of an emergency. The objective of this audit was to provide assurance that NRC has comprehensive emergency planning in place to support a coordinated and effective response in the event of an emergency. Based on Treasury Board policies and guidance as well as all Public Safety requirements, this audit assessed the adequacy and application of emergency planning and preparedness, as well as how results are considered to ensure key risks are mitigated. In short, the scope of this audit focused solely on prevention and mitigation and preparedness, the first two of four pillars of EM.

Audit Opinion and Conclusion

In my opinion as Chief Audit Executive, while EM planning and preparedness is well aligned with legislative and policy requirements, there is a need to strengthen the risk assessment model for EM planning to better reflect NRC's risk operating environment. The audit also identified opportunities to improve training, drills and exercises to ensure staff awareness for continuous improvement.

Key Takeaways

Overall, the audit found that the NRC had implemented all necessary elements to run an effective EM program based on the guidelines in the Emergency Management Planning Guide. In terms of governance, NRC's EM team has increased in size and ability. The EM program's accountability and responsibility matrix (RASCI) has been reviewed by all stakeholders. This has enabled clarity and the proper execution of roles and responsibilities by members of the Security Management Committee (SMC), the Chief Building Emergency Officers (CBEOs), the Building Authorities (BAs), the EM Program Coordinator and members of the Emergency Operations Centre.

A Security Management Committee (SMC) has been established to provide advice to the President through NRC's Senior Executive Committee in matters relating to the emergency management program. In addition, it was observed that the NRC Security Branch has appointed an NRC EM Program Coordinator to coordinate NRC's overall EM program.

While the EM program possesses the necessary resources to support its EM activities, opportunities for improvement were identified with regards to the development of an official information management (IM) system and repository to provide timely access to documentation to those with a role in EM, including NRC's All‑Hazard Risk Assessments (AHRAs) and Building Emergency Response Plans (BERPs) for all regions.

The audit found the Crisis Communication Plan (CCP), the Cyber Security Event Management Plan and the Strategic Emergency Management Plan (SEMP) in place and functioning as intended. The SEMP was updated and reviewed in 2020. Although BERPs were available for all occupied buildings, we found that not all BERPs had been reviewed and updated on an annual basis. BERPs narrow down the hazards associated with specific buildings and are therefore essential to complement the overarching SEMP.

The procedures outlined in the above‑noted plans place the EM team in a sound position to quickly assess the size and scope of an incident and establish proportional internal and external communications to address the issues. Internal communication tools such as NRC ALERT texts and emails have been developed to contact employees in the case of emergency. These tools have been proven to function during drills and are effective in promoting public awareness/education of EM through a range of activities and initiatives during themed weeks (e.g., Security Week).

Employees with EM‑specific roles receive specialized training per the requirements outlined in the SEMP. Opportunities for improvement have been identified to build a more consistent approach to train BAs and members of the Incident Command Team. This would address the risk of turnover and the high degree of interdependencies and delegated tasks that take place across these roles.

The audit found that the NRC had developed an AHRA standard template and plans to conduct annual site evaluations, the first round of which took place throughout 2019. While the risks listed in the template reflect the risk taxonomy provided in the EM guide, opportunities for improvement exist to strengthen the model and review process of AHRAs as well as to enhance the process for challenging the consistency and relevance of the AHRA data submitted. Greater clarity is also needed on the ownership of the recommendations and their implementation status.

Recommendations

  1. The VP, Corporate Services and Chief Financial Officer should ensure that efforts continue in updating Building Emergency Response Plans as required.

    [Priority: Moderate]

  2. The VP, Corporate Services and Chief Financial Officer should ensure that the all‑hazard risk assessment model is strengthened to ensure a consistent and documented approach is followed for risk identification, analysis, and justifications surrounding approvals of risk ranking.

    [Priority: Moderate]

  3. The VP, Corporate Services and Chief Financial Officer in consultation with the Senior Executive Committee should determine the risk ownership, monitoring and follow‑up processes related to the implementation of action plans identified in the EM risk register.

    [Priority: Moderate]

  4. The VP, Corporate Services and Chief Financial Officer should ensure that efforts continue in the following areas:

    1. Developing consistent training aligned with the SEMP;
    2. Strengthening the approach to monitoring training and exercises; and,
    3. Adopting the use of NRC's official IM system and repository.

    [Priority: Moderate]

Statement of Conformance

This audit engagement was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and Code of Ethics, as supported by the results of the NRC Quality Assurance and Improvement Program.

Alexandra Dagger, CIA, Chief Audit Executive

Acknowledgements

The audit team would like to thank those who collaborated in this effort to highlight NRC's strengths and opportunities for improvement as they relate to this audit project.

1.0 Introduction

The 2007 Emergency Management (EM) Act requires all federal departments and agencies to prepare plans that identify EM risks and mitigation strategies. EM refers to the management of emergencies concerning all hazards, including those related to natural and man‑made events. It includes all activities and risk management measures related to specific elements under the four pillars (prevention and mitigation, preparedness, response and recovery). Under the Emergency Management Act, federal institutions are responsible for developing, maintaining, testing and exercising EM plans to address risks in their area of responsibility.

To assist federal officials, managers and coordinators responsible for EM planning, an Emergency Management Planning Guide 2010‑2011 was developed by Public Safety Canada. The Guide includes the EM activities workflow, a Strategic Emergency Management Plan (SEMP) template, step‑by‑step instructions, tools, and tips to develop and maintain a comprehensive SEMP. According to the Guide, EM refers to the management of emergencies concerning all hazards, including all activities and risk management measures related to the four pillars. (Figure 1)

Figure 1. Emergency Management Continuum

 
Figure 1 - Text version

The Emergency Management Continuum is depicted in a wheel diagram where all four risk-based functions of emergency management are interconnected and interdependent in a system from prevention and mitigation to preparedness, response, and recovery. This system shows that an effective emergency management system ensures that prevention and preparedness efforts are in place to respond to and recover from an incident.

In the center of the wheel are the main elements that influence the development of a Strategic Emergency Management Plan (SEMP). Those elements are as follows: Environmental Scan, Leadership Engagement, All-Hazards Risk Assessment, Training, Exercise, Capability Improvement Process, and Performance Assessment.

 

Why Is This Audit Important?

Threats and risks to Canadians and Canada are becoming increasingly complex due to the diversity of natural hazards affecting our country. Emergencies in the current environment stem from natural events such as floods, earthquakes, ice storms, or infectious disease outbreaks, as well as from man‑made disasters such as hazardous materials spills, cyber‑attacks, or terrorist acts. As part of the 2019‑20 risk‑based annual planning process, the NRC's Office of Audit and Evaluation identified the Audit of Emergency Planning and Preparedness as high‑priority due to the inherent risks and the need for assurance that NRC is prepared in the event of an emergency.

2.0 About the audit

Objective

The objective of this audit was to provide assurance that the NRC has comprehensive emergency planning and preparedness mechanisms in place to support a coordinated and effective response in the event of an emergency.

Specifically, internal audit examined whether NRC has:

  • Developed a SEMP that is in alignment with policy requirements and that promotes a common approach to EM
  • Established programs, measures & directions for preparation and maintenance of EM activities
  • Allocated sufficient resources with the necessary capabilities to support emergency planning and preparedness.

Scope

The audit was limited to the assessment of the two elements of NRC's Emergency Management Framework and its implementation: Prevention and Mitigation and Preparedness. These two elements are the first two pillars of EM depicted in Figure 1 above.

Approach and Methodology

The audit was conducted in accordance with the Institute of Internal Auditors (IIA) Standards and the Internal Auditing Standards for the Government of Canada, as required by the Treasury Board Policy on Internal Audit.

Risk‑based audit procedures and tests were developed and set out within a formal audit program and were used to assess NRC's practices against legislative requirements and guidelines.

Procedures in the audit program included the following:

  • Conducting interviews with key stakeholders
  • Reviewing relevant documentation including framework documents, policies, directives, procedures, reports, training programs and records, committee terms of reference and meeting minutes
  • Identifying and reviewing key information systems in place
  • Reviewing and analyzing NRC's hazards assessment methodology and selection (e.g. hazardous occurrence inspection and reporting)
  • Conducting site visits.

The detailed audit criteria can be found in Appendix A.

3.0 Audit findings and recommendations

Each section below provides a summary of findings supported by detailed observations, a description of the risk and impact, and recommendations to address areas for improvement.

3.1 Governance and strategy

Summary Findings

The audit found that the NRC has a clearly defined EM governance structure in place, which sets out respective EM stakeholder accountabilities and responsibilities. This governance structure has been well communicated and effectively supports the coordinated approach to NRC's EM activities and allows for the information and advice necessary to be provided to the President and the NRC as a whole in an emergency situation.

The audit found that the program has identified and communicated key accountabilities and responsibilities for NRC employees with EM‑specific roles. A Security Management Committee (SMC) has been established which provides advice to the President through the Senior Executive Committee. This committee operates based on a strategic and operational framework developed in accordance with the EM Guide and the EM Act. Its members meet regularly to ensure that timely strategic and operational guidance for emergency management is provided at both the departmental level as well as at the regional/local level.

The audit found that there is a proper representation of all EM stakeholders' interests and accountabilities on the committee and that the EM program's accountability and responsibility matrix (RASCI) has been reviewed and accepted by all EM stakeholders. It was noted that this has recently enabled clarity and the proper execution of roles and responsibilities by: the Security Management Committee (SMC), the Chief Building Emergency Officers (CBEOs), the Building Authorities (BAs), the EM Program Coordinator and members of the Emergency Operations Centre.

A best practice was observed in that the SMC has assigned an EM Program Coordinator who is mandated to actively support the holistic administration and coordination of the NRC's emergency program activities, both strategically and operationally, including communications before (if foreseen) and during an emergency event. This includes ensuring that NRC employees assigned with EM responsibilities are adequately trained and that Center/Branch/IRAP (CBI) site emergency plans are routinely exercised in order to ensure that NRC employees are prepared and equipped for an emergency event. The audit also noted a newly formed EM working group undertaking a lessons learned exercise to review and enable continuous improvement for the effectiveness of the EM program, including key stakeholder responses, based on recent events.

Recommendation

No recommendation.

3.2 Strategic emergency management plan

Summary Findings

A Strategic Emergency Management Plan (SEMP), containing all of the required elements of the Treasury Board Secretariat's Emergency Management Planning Guide, is up to date, approved, and has been operationalized across the NRC.

NRC's SEMP sets out the organization's overarching plan for a comprehensive and coordinated approach for NRC EM activities. The SEMP is based on almost up to date Building Emergency Response Plans (BERP) developed for each of NRC's buildings, which have been integrated for optimal coordination of NRC's EM activities. The SEMP contains the requisite Crisis Communication Plan (CCP) and the requisite Cyber Security Event Management Plan.

NRC's Strategic Emergency Management Plan (SEMP) was found to reflect NRC's existing organizational structure and operating environment. The SEMP provides up to date strategic and operational guidance at both the regional and horizontal levels to address possible emergency‑related issues (e.g. All Hazards Risk Assessment approach). It includes the requisite Crisis Communication Plan (CCP), which is intended to support the activation of SEMP activities by providing direction on how to quickly coordinate and disseminate information to NRC and stakeholders. The CCP was approved in 2019 and is aligned with the SEMP in terms of its ranking of the severity of possible incidents that the NRC could face.

In addition to being aligned with the SEMP, the CCP defines the crisis level classification and response framework that would allow the Crisis Communications Team to quickly assess the size and scope of an incident and establish proportional internal and external communications. An up to date Crisis Communication Team Contact List is included in the plan as well as external stakeholder contact information (e.g. media, and partner contacts), to support effective communication in the event of an emergency.

The audit also assessed key inputs to the development of the SEMP, including NRC's BERPs and Cyber Security Event Management Plan. It was observed that while BERPs were present for all occupied buildings across NRC, not all had been reviewed and updated on an annual basis. BERPs are critical to ensure key personnel remain aware of the risks to which their buildings are exposed along with the operational procedures expected to be implemented and followed. With regards to the requisite Cyber Security Event Management Plan (CSEMP), it was observed that this plan is in place and supports the SEMP with a focus specifically on response to a cyber event. In general, the audit found that a process exists for regular review of the SEMP along with key inputs to the plan, allowing for a comprehensive and coordinated approach to NRC's EM activities.

Recommendation

1. The VP, Corporate Services and Chief Financial Officer should ensure that efforts continue in updating the Building Emergency Response Plans on an annual basis, as required.

[Priority: Moderate]

3.3 Operational communications

Summary Findings

An operational communication plan exists in the CCP. As such, communication practices, mechanisms, and systems are in place to support NRC's EM activities and maintain open lines of communication and relationships with all key stakeholders.

In the event of an emergency, timely communication is crucial to ensure that correct mitigation measures are taken. It was observed that the NRC has implemented the use of a communication system, known as NRC ALERT. This system allows for communication with all staff during events where a coordinated response and prompt actions are required.

The NRC has also established a central Emergency Operation Centre for the NRC in order to support the coordination of information sharing with regards to overall departmental and local responses. It was observed that the NRC has made arrangements with key stakeholders, partners and suppliers to support the effective coordination of efforts in the delivery of key emergency services. At the time of the audit, it was noted that service agreements with key external stakeholders were at varied stages, with most provincial and emergency services stakeholders having entered into some form of agreement with the NRC. Through the established communication mechanisms and systems, key internal and external stakeholders have access to relevant and sufficient information in support of their roles and for informed decision making.

In addition, formalized internal communication and coordination mechanisms are in place to ensure development of harmonized EM measures that maximize situational awareness and the use of available resources across the NRC. The audit also noted that the NRC is proactive in promoting EM awareness and education through a range of activities and initiatives during its annual security awareness campaigns known as Security Awareness Week, Emergency Preparedness Week, and Fire Safety Week.

Recommendation

No recommendation.

3.4 Hazard identification and risk management

Summary Findings

An all hazards risk assessment (AHRA) approach along with supporting processes have been formalized and implemented to ensure hazards and risks are prioritized across the NRC, as required. However, opportunities for improvement were observed with regards to the hazard risk assessment process.

The purpose of the all hazards risk assessment (AHRA) approach is to enable NRC Building Authorities (BA) and Chief Building Emergency Officers (CBEO) to consistently perform risk assessments, in a structured fashion. These assessments are intended to be used to inform the development of mitigation measures that foster resilience. The approach and processes are expected to enable an optimal balance to be struck between risk and control and should enable a whole‑of‑NRC risk representation in support of emergency management planning. The AHRA process (Footnote 2) is comprised of the following:

  1. Setting the Context – The process of articulating an institution's objectives and defining its external and internal parameters to be taken into consideration when managing risks.
  2. Risk Identification – The process of finding, recognizing, and recording risks.
  3. Risk Analysis – The process of understanding the nature and level of risk, in terms of its impacts and likelihood.
  4. Risk Evaluation – The process of comparing the results of Risk Analysis with risk criteria to determine whether a risk and/or its magnitude is acceptable or tolerable.
  5. Risk Treatment – The process of identifying and recommending risk control or Risk Treatment options.

It was observed that an AHRA standard template has been developed and that the NRC had completed initial site evaluations in 2019. A second wave of site evaluations and the updating of AHRAs was performed in early 2021. The outputs from the AHRA process (site evaluations) are intended to provide decision‑makers with a complete understanding of the relevant risks, including the likelihood and the consequence of specific hazards or threats being realized, that could affect the achievement of objectives. The AHRA process also requires the identification of indicators for measuring the effectiveness of established risk treatment measures, as well as an acknowledgement and documentation around the relevant inherent uncertainties for all key aspects of the risk assessment process.

It was noted that a risk tolerance taxonomy for EM hazards has been established and included in the NRC AHRA template required to be completed for all of NRC's buildings. Setting the risk tolerance, and formally communicating the risk assessment model through a standard template, is critical in promoting consistency for identification of EM hazards and risks. It is also critical for prioritizing the development and documentation of risk mitigation measures in Building Emergency Response Plans. The audit examined a sample of 5 AHRAs and noted that 2 of the 5 examined were incomplete, such as an empty preparedness questionnaire, indicating that there are opportunities for improvement with respect to this aspect of the overall process.

One of the critical elements in risk management is the requirement to establish clearly defined responsibilities for ongoing monitoring, challenging and confirming the effectiveness of the risk assessment process, while accounting for inherent changes due to evolving circumstances. This ensures that a comprehensive risk management process is in place, so that assumptions, methods, data sources, results and rationale for decisions are subject to regular checks. While the key elements of the AHRA process have been established, opportunities for improvement were observed with regards to the analysis and the linkages (i.e., audit trail) between the ranking of risks within the AHRAs and those contained within NRC's EM Risk Register. As such, there is a risk that the current risk register is not completely representative and consistent with risks identified at various locations, and as a result the NRC may lack a holistic view of the current and emerging emergency hazards and risks and may impede the ability to develop required mitigation measures.

It was observed that not all AHRAs included risk mitigation strategies and that not all risks identified for each occupied building were incorporated into EM planning. The audit found that there is a lack of clarity around the development of risk treatment options and mitigation strategies. The audit also found that information on risk ownership recommendations had not been developed and that the status of implementation of risk mitigation measures was not being captured. Without a centrally managed risk register that contains a complete account of all the NRC's identified EM risks, hazards, risk mitigation strategies, and risk mitigation ownership, with up to date status information, SMC cannot ensure risk assessments and mitigation strategies are being performed consistently across the NRC.

Recommendation

2. The VP, Corporate Services and Chief Financial Officer should ensure that the all‑hazard risk assessment model is strengthened to ensure a consistent and documented approach is followed for risk identification, analysis, and justifications surrounding approvals of risk ranking.

[Priority: Moderate]

3. The VP, Corporate Services and Chief Financial Officer in consultation with the Senior Executive Committee should determine and document the risk ownership, monitoring and follow‑up processes related to the implementation of action plans identified in the risk register.

[Priority: Moderate]

3.5 Logistical support, monitoring and capacity

Expectations and Summary Findings

EM‑related training is provided to all Building Emergency Organization members and drills as well as exercises are conducted on a regular basis to keep employees informed and prepared in the face of emergencies. However, it was observed that not all sites are conducting exercises in accordance with the SEMP and that opportunities for improvement exist to ensure all staff involved in EM activities (including their delegates) receive adequate training.

The SMC coordinates regular exercises to familiarize emergency operation centre staff with their assigned roles and tasks.

Key EM positions are in the process of being filled in order to ensure that the NRC has sufficient resources and expertise going forward.

While the NRC prioritizes EM training, it was observed that a more fulsome and consistent approach is needed to train BAs, CBEOs and members of the Incident Command Team. This is due to the high turn‑over in EM staff assignments, as well as the high number of designates that are involved in EM‑related activities. Having insufficient knowledge of emergency procedures and being unaware of roles and responsibilities of various parties could impact the successful achievement of EM‑related activities and goals for the reduction of risks related to loss of life, property damage, environmental damage, as well as the risk of financial loss.

The audit found that the SMC coordinates regular exercises to familiarize emergency operation centre staff with their assigned roles and tasks. The EM coordinator defines emergency exercises and schedules these with key response partners and stakeholders and holds debriefing sessions. However, it was observed that not all sites are conducting exercises in accordance with the SEMP and there is a need to monitor the execution of mandatory emergency drills and exercises in a consistent manner. The SEMP includes the requirement for the training of all employees in emergency procedures to be followed in the event of an emergency and requires that emergency drills are held on a regular basis. Drills, table top exercises, full‑scale exercises and functional exercises are key to identifying gaps and identifying lessons learned to continually improve EM measures. Without drills and exercises, the Security Branch and Building Emergency Organizations (BEO) within each building will not be able to systematically assess NRC's EM readiness, nor can they increase effectiveness and improve emergency management practices and processes, or reduce recurrence of issues that arise.

In an effort to continuously improve and to ensure that the NRC adequately addresses EM risks, monitoring mechanisms and key performance indicators should be in place and data collected to enable the assessment of EM activity performance and progress. With this in mind, the audit found that there is a need to implement information management practices in accordance with NRC's policy and guidance. While a central document repository was being developed at the time of the audit, it did not include all necessary information (i.e., guidance, tools, templates, as well as the SEMP, the CCP, CSEMP, AHRAs and all regional BERPs) to support staff with EM accountabilities and responsibilities.

In terms of EM resourcing and capacity, while the EM program has at least one delegate for every key position, ensuring redundancy, these positions are, for the most part, filled by volunteers. However, the audit found that four full time EM positions were in the process of being filled with a goal of ensuring that the NRC has sufficient resources and expertise to support NRC's EM activities going forward.

Recommendation

4. The VP, Corporate Services and Chief Financial Officer should ensure that efforts continue in the following areas:

  1. Developing consistent training aligned with the SEMP;
  2. Strengthening the approach to monitoring training and exercises; and,
  3. Adopting the use of NRC's official IM system and repository.

[Priority: Moderate]

Appendix A: Audit criteria

The following criteria were used to evaluate emergency management at NRC:

Line of Enquiry 1 - Governance and Strategy: Governance structures and processes have been established and implemented to enable the effective design and delivery of the emergency management activities

  1. The NRC Strategic Emergency Management Plan has been formally documented in alignment with the policy requirements, NRC mandate and priorities, and adjusted based on changes to NRC's internal and external operational environments
  2. Building Emergency Response Plans have been formally documented in alignment with the NRC Strategic Emergency Management Plan and adjusted based on operational environment
  3. The governance function in relation to emergency management is able to provide sufficient guidance, and to review, approve and prioritize NRC emergency management activities
  4. Partnerships and collaborations with key external stakeholders are formalized and communicated
  5. Accountabilities, roles and responsibilities of key internal stakeholders for emergency management are defined, documented, updated and communicated

Line of Enquiry 2 - All‑Hazards Risk Management: The design and delivery of emergency management activities is risk based

  1. A formal risk‑based methodology to assess NRC's vulnerability to all hazards, including establishment of risk tolerance, performance indicators and measures, has been developed, documented, approved, and distributed to all key stakeholders
  2. The NRC Strategic Emergency Management Plan and the Building Emergency Response Plans apply the defined risk‑based methodology, which is evident through the assessment of risks and the development and prioritization of mitigation measures

Line of Enquiry 3 - Logistical Support and Process Refinement: Appropriate systems, guidance and resources are provided to support emergency management activities

  1. Mechanisms and processes are defined and implemented for ongoing communication to all key stakeholders
  2. Mechanisms and processes are defined and implemented for capacity and resource allocation to support NRC emergency management activities
  3. Key stakeholder groups and respective skillsets are identified and processes are in place to ensure that the corporate knowledge is retained
  4. Employees are provided with the proper training, tools, resources, and support to carry out their emergency management responsibilities
  5. Information Management/Information Technology systems are in place to store Building Emergency Response Plans, information related to existing and new hazards and security incidents, and analysis of historical occurrence and impact
  6. Critical information and reports required for awareness and decision making are identified and communicated to key stakeholders

Line of Enquiry 4 - Testing, Monitoring and Reporting: Emergency management activities and results are reported in a timely manner to support decision making and effective oversight

  1. Emergency exercises and drills are carried out on a regular basis or as needed to assess the emergency management plans for their effectiveness (against the established performance measures), as well as to determine the readiness of staff to respond to an emergency
  2. Management Action Plans and lessons learned are developed for gaps or weaknesses identified, and are monitored and shared with key stakeholders in a timely manner
  3. Corrective actions identified in the review are prioritized and implemented in a timely manner to address identified gaps

Appendix B: Management Action Plan

Table 1
Definition of Priority of Recommendations
High

Implementation is recommended within six months to reduce the risk of potential high likelihood and/or high impact events that may adversely affect the integrity of NRC's governance, risk management and control processes.

Moderate

Implementation is recommended within one year to reduce the risk of potential events that may adversely affect the integrity of NRC's governance, risk management and control processes.

Low

Implementation is recommended within one year to adopt best practices and/or strengthen the integrity of NRC's governance, risk management and control processes.

Table 2
Recommendation | Corrective Management Action Plan | Expected Implementation Date and Responsible NRC Contact

1. The VP, Corporate Services and Chief Financial Officer should ensure that efforts continue in updating the Building Emergency Response Plans on an annual basis, as required.

[Priority: Moderate]

The responsibility of having an updated Building Emergency Response Plan (BERP) belongs to the Building Authority for their assigned buildings.

The Security Branch, specifically the EM Program, has been proactive in discussing, promoting awareness, and providing information to both the Building Authority and Chief Building Emergency Officer on the requirement to review their BERP yearly, as well as resources available to them to update their plan.

In addition, in spring and summer 2021, as part of the site evaluations and all‑hazard risk assessment process, EM Analysts will be proactive in updating various BERPs in collaboration with local CBEOs.

Date: Ongoing

Contact: Chief Security Officer

2. The VP, Corporate Services and Chief Financial Officer should ensure that the all‑hazard risk assessment model is strengthened to ensure a consistent and documented approach is followed for risk identification, analysis, and justifications surrounding approvals of risk ranking.

[Priority: Moderate]

The Security Branch is currently consulting with a Planning and Management Officer to strengthen the EM risk assessment model, to align with other risk assessment models at NRC.

As well, we are consulting with other science‑based departments on their risk assessment models to verify if efficiencies can be identified for the NRC.

This exercise will include reviewing our various templates for site evaluations (environmental scans), all‑hazard risk assessment, and the NRC risk register.

With this new model in place, the Security Branch EM team will proceed with individual site evaluations and all‑hazard risk assessments for each NRC site. With this data in hand, the NRC risk register can be further completed and assessed, so that the appropriate mitigation strategies are put in place.

1 October 2021

Contact: Chief Security Officer

3. The VP, Corporate Services and Chief Financial Officer in consultation with the Senior Executive Committee should determine and document the risk ownership, monitoring and follow‑up processes related to the implementation of action plans identified in the risk register.

[Priority: Moderate]

All EM risks will be properly documented in the risk register, as well as identifying risk ownership. The risk register will include mitigation measures, ensure they are assigned to the appropriate stakeholder and that action plans are put in place and completed.

1 October 2021

Contact: Chief Security Officer

4. The VP, Corporate Services and Chief Financial Officer should ensure that efforts continue in the following areas:

  1. Developing consistent training aligned with the SEMP;
  2. Strengthening the approach to monitoring training and exercises; and,
  3. Adopting the use of NRC's official IM system and repository.

[Priority: Moderate]

  1. The Security Branch is continuously developing and updating training for various SEMP stakeholders. The first priority was to ensure that Chief Building Emergency Officers received the necessary training to conduct their duties.
  2. The Security Branch has increased the staffing of the EM program to ensure there are sufficient resources to monitor training and provide support to deliver more EM type exercises.
  3. The Security Branch has consulted with their IM Officer to put in place a strategy to ensure alignment with NRC's official IM system and repository. This project should be completed by summer 2021.

1 October 2021

Contact: Chief Security Officer