http://biviumconsulting.com/blog/ Biviun Blog en-us Nucleus CMS v3.50 © Weblog http://backend.userland.com/rss http://biviumconsulting.com/blog//nucleus/nucleus2.gif http://biviumconsulting.com/blog/ xml-rss2.php?itemid=256 COBIT 5, a generic, “comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT.”

The previous version of COBIT was so popular that it got downloaded more than 100,000 times. What makes then COBIT 5 better? Before we talk about the improvements, let us look at the environment this updated version appeared in. According to the IT Governance Institute's 2011 Global Status Report on the Governance of Enterprise IT, business leaders reported facing the following IT-related issues in the past year:
• Increasing IT costs — 42%
• Insufficient IT skills — 33%
• Problems implementing new IT systems — 30%
• Problems with external IT service providers — 29%
• Serious operational IT incidents — 21%
• Return on investment not as expected — 19%
• IT security or privacy incidents — 18%

According to the 2012 Governance of Enterprise IT (GEIT) Survey of more than 3,700 IT professionals who are members of ISACA, in the past 12 months:
• 48% of responding enterprises experienced project overruns
• 41% experienced a high cost of IT with a low or unknown return on investment
• 38% said there was a disconnect between business and IT strategies
• 22% experienced a security breach
• 21% reported challenges related to mobile device security

Also, 44 percent of the survey respondents are planning to increase their IT-related investments selectively in the next 12 months, based on expected contribution to business value. The survey also showed that 74 percent of executive teams consider information and technology to be very important to the delivery of the enterprise’s strategy and vision.

(It is to be noted that, during the public exposure period for the draft design paper of COBIT 5, ISACA received nearly 3,000 comments from more than 600 business and IT professionals. More than 92% of respondents reported that the proposed updates to COBIT would be valuable or very valuable.)

The answer to the above question can be answered with a couple major points taken directly from COBIT 5 and the ISACA website:

First of all, COBIT 5 was built to integrate all major ISACA frameworks and guidance, with a primary focus on COBIT, Val IT, and Risk IT, but also considering the Business Model for Information Security (BMIS), the IT Assurance Framework (ITAF), the publication titled Board Briefing on IT Governance, and the Taking Governance Forward (TGF) resource.

Secondly, it connects to, and, where relevant, aligns with other major frameworks and standards in the marketplace such as, the Information Technology Infrastructure Library (ITIL®), The Open Group Architecture Forum (TOGAF®), Project Management Body of Knowledge (PMBOK®), PRojects IN Controlled Environments 2 (PRINCE2®), Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the International Organization for Standardization and the International Organization for Standardization (ISO) standards.

Finally, COBIT 5 can be tailored for all business models, technology environments, industries, locations and corporate cultures. It can be applied to:
• Information security
• Risk management
• Governance and management of enterprise IT
• Assurance activities
• Legislative and regulatory compliance
• Financial processing or CSR reporting

The important question is: Depending on the maturity level of your organization’s processes and practices for the management and governance of information technology, should you “upgrade” to COBIT 5? If yes, what would think you would need to do to get your organizations' processes aligned with the newest version of the ISACA governance of enterprise IT framework? (Note: COBIT 5 will be supported by a new process capability assessment approach based on ISO/IEC 15504; in order to move to the new COBIT Assessment Programme approach you will need to realign their previous ratings, adopt and learn the new method, and initiate a new set of assessments in order to gain the benefits of the new approach.)

Additional information:
• COBIT 5 related infographic, full survey results and spokesperson video are available here
• To see what's new, you could also download here a PowerPoint presentation about the comparison between COBIT 4.1 and COBIT 5.0]]> Audit xml-rss2.php?itemid=256 Fri, 13 Apr 2012 17:05:00 -0400 xml-rss2.php?itemid=219 Inside Government of Canada Procurement: What’s happening today, where are we headed, what can you do to get ready? The keynote speaker was Shereen Benzvy Miller, (M.A., LL.B), Director General for the Office of Small and Medium Enterprises (OSME), and Acting Director General of Client Engagement with Public Works and Government Services Canada (PWGSC).

This post will provide you with information about what has been presented last week, including the changes that are currently going on in the Canadian federal government on the procurement side, and with some pointers regarding where you need to go to get valuable information prior to putting together a proposal.Fair and open access to government procurement opportunities have been the quintessential issues for all those small and medium Canadian enterprises (SMEs) – out of a total of approximately 2.3 million – wanting to get a piece of federal government procurement pie, which was sitting, in 2008-2009, at about $5.5 billion (for more details, see my previous post here).

Ms. Benzvy Miller shared her ideas on how one can access opportunities today and in the future, via a presentation that was, at times at least, too focused on contract law and on what SMEs and the federal government can or cannot within the existing framework.

When talking about the future, Ms. Benzvy Miller made references to various goals, such as streamlined services; better alignment to the market place; better integration into the Government of Canada Planning cycle; improving clarity and consistency of service delivery; standardization and simplification of the contracting process; etc.

As part of the mandate to support SMEs success in Canada, federal government procurements staff is also encouraged to "find innovations not yet available in the marketplace to fill specific departmental challenges and needs, and to increase efficiency." While I find this a very laudable initiative, and while such a move would complement very well the existing government programs (more about this in a future blog post), I am personally very sceptical with regards to the future success of such an initiative. The main reason being that when the federal government is already facing (in some cases, major) issues with procuring goods and services that are widely available and well know (e.g., commoditized), I do not see how this would work in terms of "testing and using the latest Canadian innovations?" Furthermore, especially these days when they face severely constrained budgets, while would any of the organizations that are part of the federal government accept to become a "test department", i.e., a department that would agree to test innovations that qualify, and to provide the supplier with feedback on the innovation’s performance?

While Ms. Benzvy Miller talked a lot about how OSME is working on reducing procurement barriers for suppliers and clients; simplifying the contracting process; etc. – all potential solutions geared towards resolving sore points brought forward by numerous SMEs dealing day in and day out with the existing system anomalies - she also acknowledged that many issues remain still unresolved and that it will take some time until certain existing practices are going to change.

As some of you probably remember, on October 19th the federal government granted a contract with Irving Shipbuilding Inc. of Halifax, Nova Scotia and Vancouver-based Seaspan Marine Corp., the winning bidders in a C$33-billion procurement project to build ships for the Canadian Navy and Coast Guard, the biggest government procurement in Canada’s history. According to her, on the same day, Ms. Benzvy Miller was trying to get her staff to provide cookies and refreshments for over a hundred delegates attending a conference, an expense she needed approval for from the same authority that was behind the billion dollars shipbuilding decision, Deputy Minister of PWGSC, Mr. Francois Guimont.

It is a well know fact that, according to the Treasury Board Secretariat’s (TBS’s) Hospitality Policy, all hospitality requests over $1,500 and under $5,000 require the Deputy Minister's authorization and that all requests over $5,000 require the Minister's authorization . Obviously, this is just one of the issues with the current federal procurement system. Future posts will highlight other issues.

For now, however, I would like to point out a few very useful pieces of information that came out as a result of Ms. Benzvy Miller’s presentation:
• It looks like the PWGSC’s Acquisition Branch is going to be doing the purchasing for the Shared Services Canada.
• PWGSC will continue with its past approach to procurement, i.e., pre-qualifying suppliers. Businesses who are interested in participating in bids in response to Requests for Proposals (RFPs) coming out under specific Supplier Arrangements (SAs) and Standing Offers (SOs) (for more details, see my previous post here), that their company has not been qualified under, are well advised to visit the Buyandsell.gc.ca website to access Pre-Qualified Supplier Data in order to find potential partners from a pool of pre-qualified suppliers. The information listed on the website will also help them to enhance their planning by knowing the end dates of SAs and SOs.

Should you wish to review the actual presentation slides, they are available on the CMC Canada website in both English and French.

As a final note, given that it is related to Ms. Benzvy Miller's presentation, I would like to highlight the fact that on October 13th PWGSC, under the leadership of Associate Deputy Minister Andrew Treusch, hosted the inaugural Suppliers Summit in Gatineau with the main goal of “enhancing communications with the supplier community and on breaking down barriers faced by small and medium enterprises seeking to do business with the Government of Canada.”

In conclusion, while there are still issues (some would say: major issues) with how federal government procurement works, there is some light at the end of the tunnel, and having driven, energetic, and change oriented people, such as Ms. Benzvy Miller - a self-described “heretic” with her mantra of "don't tell me how I can't, tell me how I can" - at the helm of institutions such as OSME, that has as one of its mandates the simplification of the contracting process, gives some hope to all SMEs competing for a share of the spending from the public purse.

What is your opinion about the current situation in the federal government, vis-à-vis procurement from private sector organizations?]]> Contracting xml-rss2.php?itemid=219 Fri, 9 Dec 2011 11:59:29 -0500 xml-rss2.php?itemid=173
This blog post takes a critical look at what is being proposed, and discusses Canada's lag behind other countries in terms of its successes in commercializing new, innovative products and services.At this point in time a federal election is imminent; however, it is still probably worthwhile to comment on the federal budget, mainly because many of its measures are likely to be re-introduced later by the future governing party.

With their obvious focus on job creation and deficit reduction, both budgets presented recently were relatively “low key” when it comes to “goodies” offered up to businesses, and also in terms of significant initiatives with long-term impact.

2011 Ontario Budget
The budget mostly rehashes the Liberal government's accomplishments over the last few years in the area of innovation. A disappointing statistic is that nearly 80 per cent of this funding went to R&D performed by universities, colleges and hospitals, leaving only 20% (i.e., of the $3.6 billion spent by the government on research and development since 2003–04) for institutions such as the Ontario Network of Excellence with its network of 14 regional innovation centres that brought more than 700 new products and services to market, and other minor initiatives, such as the co-investments made through the Ontario Emerging Technologies Fund help expand the private sector in the Province.

The only comment to be found in the 2011 budget regarding the Liberal government’s future plans in this area is that the Ministry of Research and Innovation is renewing the Ontario Innovation Agenda. No details were provided about what this would entail.

It is to be noted though that the reduction of the general corporate tax rate, as announced initially in the 2009 budget, will proceed on schedule, which in turn would mean more money available to Canadian businesses to invest in promising ideas and innovations that would see them move new products and services into the market. There were no proposed changes to the $500,000 small-business income limit.

2011 Federal Budget
The federal budget, tabled at a time of great political and economic uncertainty, stayed in line with the precepts of its main policy framework, the 2007 Federal S&T Strategy, Mobilizing Science and Technology to Canada’s Advantage. Although it contained more promises, overall, did not move the needle by much when it comes to promoting innovation in this country. Basically, the proposed measures would fall in three categories:
a) Useful, such as:
• A two-year, $50-million Agricultural Innovation Initiative to support knowledge creation and transfer and increased commercialization of agricultural innovations;
• $20 million over two years to enable the Canadian Youth Business Foundation to continue its important support for young entrepreneurs;
• $80 million in new funding over three years through the Industrial Research Assistance Program to help small and medium-sized businesses accelerate their adoption of key information and communications technologies through collaborative projects with colleges; and
• Funding of $100 million per year to the Canada Media Fund for investments in the creation of digital content across multiple platforms.
b) Unclear as to their usefulness in terms of helping with the commercialization of ideas and new jobs creation, such as:
• $97 million over two years to renew funding for technology and innovation in the areas of clean energy and energy efficiency, and $8 million over two years to renew funding to promote the deployment of clean energy technologies in Aboriginal and Northern communities (see here for an interesting study of the direct, indirect and induced effects of Ontario’s investment in clean energy on the expansion of employment within the Province); and
• $12 million over five years, starting in 2011–12, through the Idea to Innovation program to support joint college-university commercialization projects.
c) Useless:
• The Government declaring 2011 the Year of the Entrepreneur, in order to help increase public awareness of the important role played by small businesses.

The 2012 general federal corporate tax rate of 15%, i.e., the tax rate reduction enacted on December 14, 2007, might be retained by the next federal government, due to similar measures being taken in other developed countries that continue to drive those rates towards very low levels.

In terms of commonality of agendas, the 2011 Ontario budget talks about the Provincial Government working with the Federal Government “to improve the effectiveness of federal R&D tax support by strengthening administration, enhancing collaboration between the business and education sectors, and making the system fairer for small businesses that perform R&D.”

We should also expect some other initiatives for the new fiscal year, such as the Federal Government’s review of its support for business innovation, including both direct support of research and development (R&D) and the scientific research and experimental development (SR&ED) tax program.

Even with all these measures in place though, it seems to that in Ontario, and in Canada in general, we find it difficult to make the leap from subsidizing the creation of major research hubs (e.g., in the area of life sciences) to shaping enterprises that are part of the most productive sectors of our economy into innovative, profit making, job creating organizations.

In addition, unfortunately, as the OECD Science, Technology and Industry Outlook 2010 study shows, Canadian gross expenditures on R&D continue to stay below the average for the member countries. More specifically, contrary to very innovation oriented picture that both the Ontario and the federal government are portraying in the recaps of their most recent budgets, according to OECD the gross expenditure on R&D (GERD) has declined as a share of Canada's GDP since 2005 when it used to be 2.1% to 1.8% in 2008.

Conclusion
Both budgets tend to talk a lot about the need to encourage growth and innovation through investments in research and education, streamlined regulations and free trade agreements with advanced and emerging economies, etc., but very few of the measures proposed, and a disproportionally small portion of the funds allocated are directed towards improving private sector innovation performance and the commercialization of academic research.

Given that Canada already has one of the most highly educated workforce in the world, supported by leading-edge research infrastructure, and producing – according to the above-mentioned study – 2.7% of the world’s scientific publications, ranking our country the sixth highest in OECD, it is probably time to capitalize on this solid foundation and increase investments in finding ways to make more and better products and services available to consumers while, at the same time. This would lead, eventually, to lower prices (e.g., due to lower cost of manufacturing; increases in productivity, which, by the way, continues to lag behind the U.S.; etc.), and to economic growth and greater individual wealth overall. Staying on course, when it comes to the transition to a “knowledge-based” economy that emphasises the commercialization of new ideas, would result in boosting the general standard of living and per capita income.

However, we should not forget that government investment in R&D, in improving higher education in Canada, and in public and private partnerships supporting innovation is just one aspect of implementing a progressive policy in this area. The other important aspect is measuring the outcomes in terms of benefits, and the effectiveness of channelling public funds into such measures, and making corrections to the policy based on those results. I would like, therefore, to defer the addressing the difficulties and the benefits of measuring public spending performance in the area of innovation to one of my future blog posts. Stay tuned!

What do you think about the status of provincial and federal governments’ investments into innovation in Ontario/Canada, and the direction they were going with it over the last few years?]]> Economy xml-rss2.php?itemid=173 Wed, 30 Mar 2011 10:27:00 -0400 xml-rss2.php?itemid=195
This blog post discusses a very specific aspect of your future relationship as a consultant with the Canada Revenue Agency: How does the CRA determine your status as a self-employed individual versus an employee, when it comes to establishing your tax liability?Before you start marketing your skills and search for potential clients, you'll have to take a closer look at the cost of doing business by considering things such as: rent and utilities; automobile related expenses; telephone and fax; office supplies and equipment; training courses and seminars; not getting 50% of your Canada Pension Plan premiums paid by an employer; no benefits or severance pay; not being eligible for employment insurance (exception: if you decide to pay EI premiums on a voluntary basis, in order to qualify for special EI benefits); marketing expenses; record keeping and the impact of various taxes (i.e., income tax; HST; dividend tax; etc.); and so on. To estimate the operating costs for your new business and to see how it measures up to comparably sized firms (i.e., compare yourself with Small Business Profiles compiled by Statistics Canada) you should consider using the Industry Canada’s SME Benchmarking Tool.

In particular, in advance of “hanging out your shingle”, an important step to consider is determining your potential tax liability and the various other payments you’ll need to make.

Although there is no universal test to determine whether a person is an employee or an independent contractor, the central question is whether the person who has been engaged to perform the services is performing them as a person in business on his own account or as an employee?

Since the CRA looks at a series of factors/indicators to determine if the worker may be an employee or a self-employed individual, you’ll need to establish your status at the start of your work contract.

According to the CRA, if the worker is an employee (employer-employee relationship), the payer is considered an employer responsible for deducting Canada Pension Plan (CPP) contributions, Employment Insurance (EI) premiums, and income tax from remuneration or other amounts it pays to its employees, and for remitting these deductions along with their share of CPP contributions and EI premiums. IMPORTANT: An employer who fails to deduct the required CPP contributions and EI premiums has to pay both the employer's share and the employee's share of any contributions and premiums owing, plus penalties and interest.

The CRA may not consider the individual as self-employed if there is evidence of an employer-employee relationship. Below are some of the questions asked by the CRA reps with a view to determine a worker's employment status in a province or territory (other than Quebec):
1. Did the two parties intend to enter into a contract of service (employer-employee relationship) or did they intend to enter into a contract for services (business relationship)?
2. Other questions being asked to determine whether or not they reflect the stated intention (see 1. above):
• the level of control the payer has over the worker;
• whether or not the worker provides the tools and equipment;
• whether the worker can subcontract the work or hire assistants;
• the degree of financial risk taken by the worker;
• the degree of responsibility for investment and management held by the worker;
• the worker's opportunity for profit; and
• any other relevant factors, such as written contracts.

As you can imagine, when it comes to establishing your own and/or your consulting company’s tax liability, things could get very complicated. Therefore, before you make any major decision, you should consult professionals in the field (see also the disclaimer below) and check out the CRA Guide RC4110 Employee or Self-employed? Also, if you’re interested in reviewing additional information, such as transcripts of various court cases on this subject, please leave me a comment or a question and I’ll point you to the appropriate websites.

Disclaimer
The information in this blog post is current as of February 22, 2011. Although it has been carefully prepared, this blog post has been written in general terms and should be seen as broad guidance only. The publication cannot be relied upon to cover specific situations and you should not act, or refrain from acting, upon the information contained therein without obtaining specific professional advice. Please contact your tax accountant or tax lawyer to discuss these matters in the context of your particular circumstances. Bivium Executive Consulting Ltd., its partners, employees and agents do not accept or assume any liability or duty of care for any loss arising from any action taken or not taken by anyone in reliance on the information in this publication or for any decision based on it.
]]> Consulting xml-rss2.php?itemid=195 Tue, 22 Feb 2011 07:27:00 -0500 xml-rss2.php?itemid=156 announcement of the results made by Brian Brown, Chair of Canadian Council on November 1, 2010, only one third of Canada’s members voted, out of which 94% in favour of creating a Canadian Institute. The Ottawa IIA Chapter results were similar to those at the national level: over 36% of Chapter members voted, slightly higher than the Canadian Chapter average.

This post will take you through the transition plan, the expected benefits, and the challenges that lay ahead for the new entity.On September 23, 2010 I had the opportunity to take part of a Townhall Information Session organized by the IIA Ottawa Chapter as part of the campaign of informing their membership about the Canadian Institute proposal. The following information was shared at that time: The Canadian Council of the Institute of Internal Auditors (IIA), together with IIA Global, has developed a proposal to establish a Canadian Institute of the IIA, with the Ottawa IIA Chapter submitting a resolution in support of establishing a Canadian Institute.

According to the timeline presented to the audience, initially, a resolution in support of proceeding was sought from Chapter Boards with 75% of chapters (i.e. 9 of 12) representing at least 85% of the membership base were required for approval. During the September 2010 – October 2010 period an individual membership vote was held over a one month period facilitated by electronic voting mechanism and, where that was not possible, by written ballot. Of the members who cast ballots, 2/3 had to be in favour to approve the proposal with a minimum of 1,000 favourable votes. Beginning in July 2011, during membership renewal, Canadian members will be asked to affirm their desire to join IIA Canada.

After more than 10 years of discussing about the possibility of creating a national Institute, those spearheading this particular initiative decided to put it up for a vote to the membership promising, among other things, a series of benefits that would come with such a choice. They also put together a vision and mission and explained in somewhat detailed manner what kind of services will be provided, the funding sources and the future structure of the IIA-Canada (for more information click here).

A closer look at the future of this “Canadianized” version of the IIA reveals, however, a series of challenges the newly proposed Institute (i.e., the actual approval from the North American Board (NAB), Executive, & Global Board Approval to become formal Institute is due in June of 2012) is faced with.

Let us start with looking at the vote results. Only one third of the Canadian members of the IIA voted, out of which 94% were in favour. Although it would be difficult to conclude that those who didn’t vote are against the initiative, it is crystal clear that those who were in favour were also the ones who took the time to vote. This means that if a only a minor portion of those who have not expressed their opinion regarding the proposal decide next year, during membership renewal, to declare their allegiance with the North American Institute (i.e., U.S. now that IIA-Canada is on its way of becoming independent), in spite of the expected “punishment” of no longer receiving services from IIA-Canada (note: these still need to be defined), the financial plan – “prepared with conservative mindset” – would suffer significantly, as would all the benefits promised to IIA-Canada members. That because membership revenues are expected to cover 60% of the following costs:
• An anticipated staff complement of 5 to 6 individuals by the end of 2012, including and Executive Director, one Operations Manager, and four project leaders. This is quite low, in my opinion, given the large number of “electoral promises” made before the vote, and it does not include additional supporting staff (e.g., admin);
• Significant number of translations of IIA material into French language for which a quite low estimate was provided;
• Handling of the relationship with The IIA, including continuing to purchase best-practice materials developed by the international organization, handling of the membership fees and services during the transition period, etc.;
• The new “simplified, streamlined, focused and coordinated” governance structure composed in fact by a 12-member Board of Directors, including a Chief Staff Officer, with its seven committees (note that the current Council exists as a sub-committee of the NAB with only one vote on a board of 10, i.e., we have only one representative on the NAB, which means that - as members of the IIA-Canada - we will now have to pay for another eleven new Board members);
• Travel and marketing costs;
• One-time costs, such as website development; accounting software; etc.

What should members expect? According to the CI Team’s financial analysis, membership dues will increase by 9% in 2013 (i.e., as a “welcome gift” to members in the new official entity). You’ll have to excuse my scepticism, but, in light of the above-listed factors, this will potentially be the bare minimum, in terms of the additional “financial burden” for the IIA-Canada members. This also because the model assumes that revenues from training seminar weeks, onsite training, and conferences will magically almost double starting 2013. The presupposition is that “if you build it they will come”, i.e., if you offer more of them – now that they are “pure Canadian” – suddenly, the financial barriers will disappear (e.g., lack of funding for training) and internal auditors will fight for the opportunity to participate in these events.

This is why I think that, in spite of being rated as “medium” by the CI Team, the residual financial risk is actually “high”.

It is hard to understand why, in a world that is moving more and more towards globalization/convergence (see, for example, the rollout of IFRS), IIA-Canada is seekeing to reaffirm its “national identity”. Let us take a look at one of the proposed benefits: (in addition to the local Chapters continuing “to play a vital role in providing local educational opportunities to members”) “IIA-Canada will focus on designing educational materials and programs specifically for Canadian internal auditors, and those offerings may be delivered on either a chapter or national level”. What is it so Canadian-specific when it comes to internal auditing that it requires “special” Canadian programs when, for example, according to the IIA-Canada, the International Standards for the Professional Practice of Internal Auditing (Standards) “will continue to be the standards followed by Canadian internal auditors”, the global certifications (CIA, CGAP, CCSA, CFSA) will “continue to be the standard of excellence for internal auditing in Canada”, etc. Another example is the fourth activity listed as supporting the mission of the IIA-Canada: “Linking internal auditors from all Canadian sectors, industries and geographic areas to share information and experiences.” Although this represents an ambitious goal, I’m just wondering if striving to improve the links between internal audit practitioners all over the world wouldn’t be more of a benefit for Canadian IIA members, than trying to restrict those links only to a Canadian base, therefore, reducing the potential for sharing great ideas, best practices, etc.?

Fortunately, or unfortunately – depending on how you look at it – one can now say: Alea iacta est. The “deed” has been done. We are now at the point where we will have to rely on the wisdom of the newly appointed Canadian Council (i.e., IIA Canada Interim Board starting with January 1, 2011) over the two-year transition period while the IIA-Canada will operate as a separate entity within The IIA and provide that singular "voice for advocacy, marketing and representation of the profession" (note that the true “operational independence”, will “kick in” on January 1, 2013). This does not mean, however, that we should stop identifying the challenges and potential solutions, and just wait for our Canadian leaders to decide for us, for example, what kind of services we should be getting in the future, what is key to our profession and the IIA members’ “well being”, etc. Therefore, I gladly look forward to your input into the discussion.]]> Audit xml-rss2.php?itemid=156 Wed, 10 Nov 2010 17:18:00 -0500 xml-rss2.php?itemid=136 Part II I discussed in detail the ISACA Risk IT Framework for Management of IT Related Business Risks .

In this final part, I am going to explain why I think IT risk analysis is feasible and necessary for any enterprise making investments in IT, and I’ll be looking at the pitfalls of not having a risk management framework in place for information technology (IT) development and implementation.The Riskit method emphasizes something that it is considered too much of a common sense today and, therefore, it is not given the appropriate attention: without a reference point (i.e., a clearly defined goal – objective, driver, limitations) one cannot properly define the risks associated with it, categorize and prioritize them, and appropriately react to those risks. Considering that goals drive business decisions, without estimating the risk associated with each decision, management could end up taking too much (i.e., risk) which would result in missed deadlines, additional project costs, and eventually – if serious enough – in project failure, or too little, foregoing various opportunities to support the business in its new endeavours.

However, without well-defined risk management processes and proper training the successful implementation of any model or framework will be hampered by the lack of “buy in” from senior management, inconsistent application of key elements and inappropriate allocation of resources towards mitigating potential key issues encountered by the business.

Having a detailed training plan in place with emphasis on continuous learning that would start with a more general, introductory course and would continue to build on existing knowledge, including the sharing of best practices and lessons learned and better risk management tools and processes, would eventually close the gaps in the capacity needed to manage both current and anticipated enterprise risk and result in a culture shift towards a more risk-aware and organization.

Given its importance for improving the quality of decision making, encouraging risk management learning should become the focal point in any enterprise, with communication and application of best practices and lessons learned at the center of its learning strategy.

Therefore, is IT risk analysis feasible and necessary? Given that, in the last two decades, a large amount of research has been done in the area of risk management in general, and IT risk management is special, and given that new and comprehensive tools are at management's disposal requiring only careful planning in terms of their implementation, and adapting to the concrete realities of their own enterprise (i.e., with a view towards the development of a risk-smart culture and responsible risk taking) the answer to the first part of the above questions is a resounding "Yes!". As for the second part, the answer is the same, and that becomes much clearer once one reviews the following series of pitfalls of not having a risk management framework in place for IT development and implementation are as follows:
• By not taking into consideration the context for IT risk management, including strategic and business objectives, organizational considerations, market and competition, etc., investments in IT could become disconnected with what the enterprise is all about and, in addition, bring with them unnecessary risks that would jeopardize the achievement of stated goals.
• Lack of necessary “top brass” support for IT risk management and, consequently, a spotty implementation record would result in significant waste of resources due to IT projects/ investments falling short of delivering the expected results, or the enterprise itself not being able to identify and capitalize on business opportunities brought about the advent of a new technology.
• Without a systematic approach to IT risk management only a portion of the existing relevant risks are going to be identified and evaluated, with the final decisions, including those related to risk mitigation, being based on an incomplete picture.
• Not encouraging an open discussion and communication about IT risks and their consequences could mean that once they materialize, the enterprise is inadequately prepared to deal with them and will suffer losses as a result.

In my opinion, the key to success remains the commitment of senior management to the implementation and continuous improvement of enterprise risk management, and its subcomponents, including IT risk management.

As we all know, ignoring risks or dealing with them only half-heartedly does not make them go away. What do you think? Should companies pay more attention today to the riskiness of what they invest in from IT perspective and how they bring it to fruition, or implementing IT risk management would take away valuable resources and time without producing the expected results (i.e., Is IT risk analysis feasible and necessary?).

Additional sources of information:
Kontio J. and V. R. Basili, “Riskit: Increasing Confidence in Risk Management”, Software Tech News, 1998
Kontio J., “The Riskit Method for Software Risk Management, version 1.00”, Computer Science Technical Report, University of Maryland, 1997
Risk IT Framework for Management of IT Related Business Risks - http://www.isaca.org/Knowledge-Center/Risk-IT-IT-Risk-Management/Pages/Risk-IT1.aspx
The Risk IT Practitioner Guide - http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/The-Risk-IT-Practitioner-Guide.aspx
COBIT Framework for IT Governance and Control - http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
Val IT Framework for Business Technology Management - http://www.isaca.org/Knowledge-Center/Val-IT-IT-Value-Delivery-/Pages/Val-IT1.aspx

]]> Risk Management xml-rss2.php?itemid=136 Thu, 29 Jul 2010 10:27:00 -0400 xml-rss2.php?itemid=118 Part I of this post I examined Dr. Jyrki Kontio's Riskit method and how he connected the achievement of business goals to the concept of estimated utility loss and to decision making based on risk.

In Part II of this post I will examine how the model evolved over time, specifically the improvements brought about by the ISACA Risk IT Framework for Management of IT Related Business Risks .Although, over time, a significant number of standards and frameworks in the area of IT-related risk management have been developed (e.g., ISO/IEC 27005:2008; ISO/IEC, ISO/FDIC 31000: 2009; AS/NZS 4360: 2004; etc.), for a more in-depth review, I selected ISACA's Risk IT Framework instead because I consider it – in conjunction with the COBIT Framework for IT Governance and Control – one of the more comprehensive models out there that emphasizes the effective enterprise governance and management of IT risk and also considers business risk as they relate to the use of IT.

First of all, let us take a look at the six guiding principles for effective management of IT risk that the ISACA framework was built upon:
• Always connect to business objectives;
• Alight the management of IT-related business risk with overall Enterprise Risk Management (ERM);
• Balance the costs and benefits of managing IT risk;
• Promote fair and open communication of IT risk;
• Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels; and
• Are a continuous process and part of daily activities.

Although, the Riskit method presented in Part I of this post touched on the importance of linking back to business goals, given its more narrow focus (i.e. to give project managers a tool they can work with to record, analyze and mitigate risks ensuring that they manage the latter in a systematic and consistent way) the connection back to the “big picture” was quite sketchy. Not so with the ISACA framework. Building on COBIT, which provides a “comprehensive framework for the control and governance of business-driven information-technology-based (IT-based) solutions and services” Risk IT not only is designed to assist in management of IT-related risk (i.e., use, ownership, operation, involvement, influence and adoption of IT within an enterprise) but it also integrates with IT governance, IT strategy and, last but not least, with the enterprise strategy. More so, as described in the first two principles listed above, it emphasizes the need for a constant connection with business values and objectives, and it aligns with major ERM frameworks applying their principles to the IT domain. I would like to also mention that, although it is not specifically part of the subject of this post, the Val IT Framework for Business Technology Management developed by ISACA, completes the circle by describing how to progress and maximise the return on IT investment (Note: this subject will be addressed in a future post to Crossroads Blog).

One of the key premises of the Risk IT process model and good practice guidance is the fact that IT risk is a component of the overall risk universe of the enterprise. More specifically, that “it is a business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise”.

In addition, it makes it clear that IT exists to support the business and, therefore, business management become implicitly the key stakeholders for any IT initiative meant to support specific business objectives (e.g., improve efficiency and access to relevant information, reduce costs, increase quality, reduce project delivery times, etc.).

Without listing here the details of the Risk IT Framework, I would like to mention a couple key “ingredients” that differentiate it from previously developed models, guidance, methods, etc. The Risk IT Framework:
• Integrates IT risk management with other risk management processes within the enterprise;
• Emphasizes the importance of studying the dependencies between various IT projects, and between IT and non-IT projects;
• Defines clearly stakeholders’ risk appetite and risk tolerance;
• Clarifies the role IT controls play in managing IT risk and why a proper cost-benefit analysis is necessary before investing in building a control framework;
• Includes periodical monitoring and testing of IT controls as key elements determining the quality and effectiveness of risk mitigation in the organization; and
• Explains why it is essential to define clear responsibilities and accountability for IT risk management, ensure continuous and appropriate communication, and provide adequate training for the IT risk processes to run smoothly and allow for further progress on the risk management maturity scale.

Besides being very “systematic” about describing the Risk IT process model (i.e., three domains, each with a domain goal and its process; and each of the nine processes with their process goals and key activities) one the major contributions that this particular framework brings to IT risk management is a significant improvement in terms of a detailed approach to IT risk scenario analysis (see Chapter 5 of The Risk IT Practitioner Guide) and the link back to business objectives.

By applying the IT risk management practices described in the Risk IT framework both private sector and public organizations will be able to generate a series of tangible business benefits from it such as, “fewer operational surprises and failures, increased information quality, greater stakeholder confidence, reduced regulatory concerns, and innovative applications supporting new business initiatives.” Also, by balancing the risk and rewards of a specific opportunity, the use of the framework helps management to make risk-aware decisions with its positive consequences in terms of the bottom line.

In Part III, the last one of this post I will be answering the question “Is IT risk analysis feasible and necessary?”, and I’ll be looking at the pitfalls of not having a risk management framework in place for information technology (IT) development and implementation.
]]> Risk Management xml-rss2.php?itemid=118 Fri, 9 Jul 2010 09:28:00 -0400 xml-rss2.php?itemid=105 "Ignorance more frequently begets confidence than does knowledge…" (Charles Darwin)

Way back in 1997, Jyrki Kontio proposed a very novel- at the time - software risk management model in his seminal work, The Riskit Method for Software Risk Management, version 1.00.

This post examines some the model’s basic elements and how they relate to a more modern version issued by ISACA's Risk IT Framework for Management of IT Related Business Risks. It also provides for an analysis of the pitfalls of not having a risk management framework in place for information technology (IT) development and implementation. In short, it answers the question: Is IT risk analysis feasible and necessary?
At the time when he wrote the above-mentioned paper, Dr. Kontio used to work at the Nokia Research Center. However, before he finished it, he became a senior researcher at the Experimental Software Engineering Group at University of Maryland (1994-1996) where he worked closely with his doctoral dissertation advisor, Professor Victor R. Basili of the Department of Computer Science, University of Maryland. Dr. Kontio later became a professor of Software Product Business at Helsinki University of Technology. According to his website, overall, he spent over 20 years in software and telecommunications industry, including 15 years at Nokia Corporation in research and managerial positions, where he had the opportunity to improve risk management processes using the concepts of the Riskit method, which brought clarity, preciseness, and simplicity to the IT risk management world together with an increased emphasis on the goals and risk relationship, and the qualitative assessment of risks.

In fact, the Riskit method for software engineering risk management focused on “qualitative understanding of risks before their possible quantification” and “provides a defined process for conducting risk management”. More importantly, the theoretical model has also been empirically evaluated. One of the earlier studies done in 1996 that looked at three organizations, Daimler-Benz, Nokia Telecommunication, and NASA (Software Engineering Laboratory), had the following main objectives:
1. The evaluation of the feasibility and usefulness of the Riskit method in industrial projects; and
2. Improvement of the method based on a better understanding of the issues, including helping understand how should it be used and what kind of risk management “infrastructure” needs to be in place for it to succeed.

Before I continue, I would like to emphasize the fact that the Riskit method, although it was developed with a view towards software development risk management, can be very easily adapted to any kind of IT development projects and, in fact, it can be applied to any scenario where there is risk involved.

The document takes a very systematic approach to describing the Riskit method. It starts off with the terminology – risk; risk element (factor; even; outcome; reaction; effect and utility loss); risk scenario; risk controlling action; stakeholder; goal; etc. – then it continues with the Riskit analysis graph describing the possible relationship between risk elements using specific examples. It then proceeds to the key part of the paper which contains the description of the Riskit risk management process/cycle, including its sub-processes, inputs and outputs, artefacts used, information flows, resources used, and their behaviour, the scope of risk management in a project, how often and on what level of detail should risks be managed. Finally, it talks about the process of risk identification; risk analysis and risk items “clustering” and risk scenario development; risk prioritization and the Riskit Pareto ranking technique; risk control planning and risk monitoring.

One interesting observation that I would like to mention here is Dr. Kontio’s assertion that, although risk scenario prioritization requires probability and utility loss estimates, neither of the two can be precisely evaluated. On one hand, the probability estimate tends to be inaccurate because of lack of historical data available, and of specific event probabilities, given their significant variations. On the other hand, utility loss is hard to estimate because of the multitude of factors involved and the fact that not all information is available, e.g., it is difficult to plot with precision the stakeholders’ utility loss as a function of the expectations regarding the achievement of their goals. To complicate matters, the expected utility loss used in risk prioritization of risk scenarios can be calculated by the following formula, which involves both of the above-mentioned inexact factors:

Expected utility loss= Probability * Utility loss

One would note that the entire method revolves around the concept of “goal” (i.e., expectations that have been recognized and clearly defined), the stakeholders whose expectations need to be met, and the concept of utility and the decision making as a result of expected utility loss.

The key statement that defines the importance of goals is as follows: “Risks do not exist without a reference to goals, expectations or constraints that are associated with a project.”

In Part II of this post I will examine how the model evolved over time, specifically the improvements brought about by the ISACA Risk IT Framework.]]> Risk Management xml-rss2.php?itemid=105 Thu, 24 Jun 2010 16:30:00 -0400 xml-rss2.php?itemid=90 El Dorado for many gullible and unfortunate customers. If such a thing would exist, companies running the above-mentioned scams would be able to employ various strategies that would have no downside, i.e., without risk.

This post is going to explore the paradoxical situation where numerous companies recognize that risk is just another “face” of opportunity while, at the same time, refuse to develop and pursue strategies that have at heart a systematic approach to risk management.Interestingly enough, when it comes to risk management, a significant number of companies from the non-profit world, and private and public sector, develop some sort of apprehension towards it, very similar to individuals having to admit to their own mortality. When talking to them about risks, managers at all levels in these organizations become extremely uncomfortable and react in a similar fashion to the individual who is presented face-to-face with a life insurance salesman uttering the following dreadful words in Latin: "Memento mori"! Somehow finding risks related to one’s organization at various levels (i.e., strategic, operational; project/program; etc.) gets equated with having problems. And who wants to have problems, or admit that has them? Nobody. The most typical response is: We cover all our bases, therefore, have no risks (to speak of, that is)!

These organizations prefer to continue doing what they do best (e.g., create great products; serve customers; serve the public interest; cater to the needy in the community; etc.) assuming that either those risks do not exists or, at minimum, they have been taken care of during the day-to-day business by experienced workers and managers who know the business and their own customer base all too well.

Let me ask you something: Assuming that is publicly traded, and based on what you know about one of these companies, if your investment broker would approach you with a suggestion to buy a large quantity of their “totally risk-free stock”, would you do it? Of course not! As a rational investor, what would do then instead? You would try to reduce your potential risk exposure by researching the company, its market, its competitors, etc.; by trying to find out as much as you can about their current management; their future plans, etc. And once you know what the risks are and, consequently, where the opportunities lie, you would decide in favour or against the investment into that particular company. Why would you do that? For the simple reason that you do not believe that this company – no matter its size, its current competitive position, its “darling of the market” product, etc. – is without risks.

Then the next logical question that comes to mind is: Why would the same company’s executives think that they are “risk free”? All right, lets say they do know that their business is a risky one, just like any other business, but they “laugh in the face of danger”, metaphorically speaking, i.e., they refuse to take a systematic approach to identifying, quantifying and responding to risks. Moreover, they see it as a burden added to their daily operations without any upside to it.

With so many types of risks facing companies today - regulatory, reputation, technology (including here IT specific risks), market, credit/financing, environmental, market, currency, people, complexity terrorism and natural disasters, etc., just to name a few – it is hard to understand why organizations like the ones described above do not want to engage in effective risk management?
Risks, expressed as the impact they can have on the achievement of business objectives or strategy, are part of daily life of an organization, and only by practising sound risk management can they become part of the annual planning and budgeting process and, eventually, support the realization of the higher-level goals of the organization.

As proven by numerous successful companies, having a streamlined, highly efficient system for managing their risks, can minimise costs, maximise efficiency, and reduce their risk exposure.

At the opposite pole, refusing to talk about the risks and their impact could have “unexpected” (i.e., and they are only unexpected because they were not discussed/analyzed beforehand) consequences. As proven by the recent British energy company BP Plc’s Gulf of Mexico oil spill, anticipating the risks and preparing for them could prevent major disasters from happening. Apparently, the company said it was "unlikely that an accidental surface or subsurface oil spill would occur" (read more here), however, if it did, "due to the distance to shore and the response capabilities that would be implemented, no significant adverse impacts are expected." After the fact assurances from their Chairman and CEO that BP will meet its obligations in the Gulf Of Mexico and actions taken to mitigate the damage from the oil spill are tardily at best at this point…

Why do you think convincing certain executives and company boards of the usefulness of enterprise risk management (ERM) is as hard, if not harder, then selling them life insurance? What would you do to change their views on it and have them start taking the necessary steps for implementing the framework, as part of their decision making structure and methodology?]]> Risk Management xml-rss2.php?itemid=90 Sat, 5 Jun 2010 17:38:24 -0400 xml-rss2.php?itemid=69 Canada Business, the Government of Canada spends about $12B a year on goods and services.

As the largest federal government purchaser, Public Works and Government Services Canada (PWGSC) purchases goods and services using a competitive procurement process whenever possible.

Given that a large majority of the solicitations are posted on the Government Electronic Tendering Service (GETS), hosted on MERX™, this post is mainly intended to provide the Small and Medium Enterprises (SMEs) with information that will help demystify the Federal Government procurement process, provide information about how to access Government Business Opportunities (GBO) posted on MERX™, and supplement all that with links to additional valuable sources of information, for sole entrepreneurs and large organizations alike, regarding the above-mentioned topics.Government Procurement Contracting
The Department of Public Works and Government Services Act (1996, c. 16) gives the Minister of Public Works and Government Services exclusive responsibility for the procurement of all goods as described in the Act. Other departments and agencies may only procure goods either when their own legislation specifically permits or when an appropriate delegation of authority has been made by the Minister of Public Works and Government Services.

Section 8 of the Act allows the Minister to delegate any of the Minister's powers, duties or functions under the Act to an appropriate minister, within the meaning of the Financial Administration Act (R.S., 1985, c. F-11), for any period and under any terms and conditions that the Minister considers suitable.

Individual departments award contracts within their own authorities for services, and within certain authorities for goods and construction delegated by the Minister of PWGSC. They make a considerable number of lower dollar value purchases through the use of these authorities, as well as purchases through their authorized use of standing offers put in place by PWGSC.

Departments may enter into contracts for services under their own authorities, up to the limits contained in Appendix C of the Treasury Board Contracts Directive ; however, they may still choose to have these contracts for services done by PWGSC. In addition to the contracting limits in Part I of the Appendix C, in Part II are listed a series of special contracting limits and other related authorities that have been approved by the Treasury Board. These exceptional limits are to be used in conjunction with the use of mandatory PWGSC instruments as a first consideration to the extent practicable. Finally, Part III of the same Appendix provides information about emergency contracting limits.

In the case of PWGSC, the Acquisitions Branch is the one providing departments and agencies with expert assistance at each stage of the supply cycle. The key steps that the contracting authority and the procurement officers go through are as follows:
1. Identify the goods or services to be purchased;
2. Select the most effective procurement approach;
3. Develop appropriate evaluation criteria;
4. Call for, receive and evaluate bids;
5. Negotiate contracts;
6. Debrief unsuccessful bidders; and
7. Administer contracts.

Bids Solicitation and MERX™
The approved national electronic bidding and information service is the Government Electronic Tendering System (GETS). GETS affords supplier subscribers access to Government Business Opportunities (GBO) which advertises domestic and international procurement opportunities.

The approved national electronic bidding and information service is the MERX™ system, owned and operated by Mediagrif Interactive Technologies Inc. It is currently available through the Department of Public Works and Government Services, and is provided under contract to supplier subscribers, and affords them access to all government procurement opportunities. In addition, MERX™ provides access to Government of Canada procurement-related announcements.

It is to be noted that Trade Agreements (e.g., NAFTA) require competition for tenders over a certain threshold and, in effect, they drive what must be posted on MERX™.

Using MERX™ for Finding Federal Government Business Opportunities

The Registration Process
If you have already registered please jump to the next section of this post. If not, do not worry. Registration is very easy. All you have to do is go to MERX™’s website, click on the red Register button at the top and follow the 4-step registration process:
1. Accept the MERX™ Terms & Conditions
2. Enter your organization's and contact information. Where they ask you for Preferred Contact Method, choose "HTML E-mail" or "Plain Text E-mail".
3. For now register for Basic Tenders subscription only (i.e., uncheck "select Pay as You Go for $25/opportunity"; choose "No" when asked to register to the U.S. Tenders service, or the the Private Construction service, or for the Automatic Transmission of Amendments service)
4. Enter your credit card information. (MERX™ also provides you with the option of registering without having to provide a credit card number by using a Procurement Business Number (PBN), however, the registration will give you access to free Government of Canada tender information only).

If you gave them your e-mail as part of step 2 above, you will be receiving a MERX™ registration confirmation e-mail with a user name and a password. As a new registered user, you will be prompted to change your password.

Note that, unless you request items that you need to pay for (e.g., private tender documents), your MERX™ subscription is free, i.e., the federal government pays for it on your behalf.

Searching for Opportunities
Whether you are registered with MERX™ or not, you can search their database for Open Canadian opportunities by category. However, if you are registered can also download documents for free (i.e., Canadian federal government posting related only).

All you have to do is go to their main page click on a link corresponding to a particular category, e.g., Professional, Administrative and Management Support Services, and start browsing. You can choose to view the opportunities posted that day, that week, or all active opportunities for a particular category. You can also execute an advanced search by categories; GSIN group; region of opportunity; region of delivery; tender type; published or revised date, closing date; etc. Note that posting on MERX™ is usually for 40 days.

You can also include in your search ACAN opportunities. An Advance Contract Award Notice (ACAN) allows departments and agencies to post a notice, for no less than 15 calendar days, indicating to the supplier that it intends to award a good, service or construction contract to a pre-identified contractor.

An ACAN is basically a public notice indicating to the supplier community that a department or agency intends to award a contract for goods, services or construction to a pre-identified supplier, thereby allowing other suppliers to signal their interest in bidding, by submitting a statement of capabilities. If no supplier submits a statement of capabilities that meets the requirements set out in the ACAN, on or before the closing date stated in the ACAN, the contracting officer may then proceed with the award.

ACAN opportunities come up in your search results mixed with the other, unless you narrow it down just to those opportunities. They usually have the ACAN acronym in the title.

Once you found the opportunity you were looking for, you click on it, read the summary, and then click on the "Order" link and download the documents for free. When you download them, you are asked to make a selection regarding notifications of future amendments. You have to choose one option before you are allowed to download the documents, so you should select "Receive Notifications", which will results in you receiving notification e-mails with links back to MERX™ every time a new amendment is published.

Finally, you can also set up your profile and create up to a maximum of nine Opportunity Matching profiles, only one of which is free. However, when you run the free profile, you will be able to see the result online only. Note that it is highly recommended that you use the opportunity matching profile in conjunction with regular – simple or detailed - searches to ensure that you are not missing any Opportunity Notices.

The next step is to review the documents in detail and respond to the requirements.

Checking Out the Competition
There are a couple things you can do to find out who is intending to bid on a particular opportunity and what is their history in terms of past contracts awarded by the government in the same or a different field of expertise.

First of all, once you got to the page where you see the summary description of the business opportunity you are after, you can click on top of the page on the "View" link next to the Document Request List to get to a webpage that lists the basic contact information for all independent contractors and companies who downloaded the documents, and the time and day of when that happened. It is recommended that you come back to this webpage a few times before the proposal submission deadline to see what has changed, if anything.

You can also search, on the same page we talked about above, based on key words for Former Canadian Opportunities (see the drop down list next to the search box). This will allow you to pull up summary information about past postings on MERX™ and access the following two "View" links: one next to the Document Request List (see above for details) and one next to Awards. The latter will take you to a webpage which lists the company information for the one the contract has been awarded to, and the value of the contract. Similarly, you can search by Canadian Awards, to get to the same information.

Supplementing MERX™ Searches
You can use Contract Canada’s website find information on contracts awarded by Public Works and Government Services Canada (PWGSC) on behalf of all federal government departments and agencies for the last three years. You can perform simple and expert searches for information in three subject areas: Commodity, Customer or Vendor. All you have to do is to go to the Contract History webpage, enter a key word and search for it. The disclaimer on the webpage says that “Although this historical data may assist you in your market research, it is not an indicator of future opportunities.” Very true! That being said though, when trying to get information about the competitive landscape in your area of expertise (e.g., IT consulting services) you are well-advised to use this tool to get more details about past contracts and who they got awarded to.

Contracts Awarded to SMEs
According to the Office of Small and Medium Enterprises (OSME), in 2008-2009, the value of contracts awarded by Public Works and Government Services Canada (PWGSC ) PWGSC to SMEs located in Canada increased by 14.5% to $5.5 billion ($4.8B in 2007-2008). Since 2006-2007, PWGSC has awarded, on average, more than 43% of the total value of contracts concluded with businesses located in Canada to SMEs.

Finally, you should note that the guiding principle in contractor selection is “the best value for Canada”, which could mean:
• Lowest-priced compliant technical offer;
• Lowest-cost per point compliant technical offer;
• Highest-rated proposal for combination of technical merit and price; or
• Highest-rated compliant technical offer, with a specified maximum funding budget.

Please let us know if you have any questions or comments. We would especially like to hear about your thoughts regarding the Canadian Federal Government’s current procurement processes.

Disclaimer: Please note that some of the "current" information has changed since the time of writing this post. Therefore, it is recommended that the reader consults federal government sources for more up-to-date information.

Additional sources of information:
About selling to the Government of Canada - http://www.canadabusiness.ca/eng/90/1036/890/
Standard Acquisition Clauses and Conditions Manual - http://ccua-sacc.tpsgc-pwgsc.gc.ca/pub/acho-eng.jsp
TBS Contracting Policy - http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?evttoc=C&id=14494§ion=text
PWGSC Information for Businesses - http://www.tpsgc-pwgsc.gc.ca/app-acq/entreprises-business2-eng.html
PWGSC - Supply Arrangements & Other Services - http://www.tpsgc-pwgsc.gc.ca/app-acq/aa-sa-eng.html
PWGSC - Standing Offers - http://www.tpsgc-pwgsc.gc.ca/app-acq/oc-so-eng.html
Contracts Canada - http://contractscanada.gc.ca/index-eng.html
Office of Small and Medium Enterprises (OSME) – http://www.tpsgc-pwgsc.gc.ca/app-acq/pme-sme/index-eng.html
Public Works and Government Services Canada - http://www.tpsgc-pwgsc.gc.ca/comm/index-eng.html
Supplier Registration Information - http://contratscanada-contractscanada.gc.ca/index-eng.html
Professional Services Online (PS Online) and SELECT - http://contractscanada.gc.ca/index-eng.html
Procurement Allocations Directory (PAD) – Contracts - http://pad.contractscanada.gc.ca/index-eng.cfm?af=ZnVzZWFjdGlvbj1pbmZvLmludHJvJmlkPTM=&lang=eng
Materiel Managers Directory - http://contratscanada-contractscanada.gc.ca/gmm-dmm-eng.html
Government Electronic Directory Service (GEDS) - http://sage-geds.tpsgc-pwgsc.gc.ca/cgi-bin/direct500/eng/TE?FN=index.htm
Proactive Disclosure Treasury Board of Canada Secretariat - http://www.tbs-sct.gc.ca/pd-dp/gr-rg/index-eng.asp
]]> Contracting xml-rss2.php?itemid=69 Wed, 12 May 2010 21:12:23 -0400