Summary of the 2016-2017 Evaluation of the Regional Resilience Assessment Program (RRAP) and the Virtual Risk Analysis Cell (VRAC)
What We Examined
- The RRAP and the VRAC were launched under the 2011 Canada-U.S. Beyond The Border Action Plan.
- The RRAP conducts site assessments designed to help critical infrastructure (CI) owners and operators identify and measure vulnerabilities and interdependencies, as well as improve CI resilience.
- The VRAC provides risk-based analysis and analytical support for CI sectors, identifying potential impacts caused by disruptions.
- The evaluation assessed the continued need for the programs, their alignment with Government priorities, roles and responsibilities and the achievement of their expected outcomes.
- The evaluation covered the period from 2011-2012 to 2016-2017 with a primary focus on the programs’ domestic Canadian work.
- Total program expenditures covered by this evaluation amounted to $7.3 million over five years, averaging $1.4 million in annual funding.
Why is this important
- The Beyond the Border Action Plan jointly committed Canada and the US to implementing measures to improve national security and emergency management cooperation.
- Building CI resilience contributes to cross-border economic stability as well as cyber and national security.
- There is a continued need for these programs:
- Site assessments are proving to be useful in identifying CI strengths and weaknesses and in leveraging new CI investments.
- Requests for assessments from CI owners and operators have increased and could soon outpace RRAP capacity.
- VRAC plays an important role in supporting the Government Operations Centre (GOC), which has no in-house CI capacity.
- Both programs have contributed to improving the security and resiliency of Canada’s CI, as well as enhancing PS and stakeholders’ understanding of cross-sector dependencies and linkages.
- They have played a significant role in developing and sharing best practices throughout the CI community as well as understanding of risks and threats to their assets and organizations:
- RRAP reports provide specific and actionable physical risk information to support CI resiliency;
- VRAC has facilitated GOC and stakeholder understanding of CI supply chain interdependencies, risks and threats.
- The lack of a defined and measurable strategy for collaboration and outreach meant that impacts and results of such activities could not be accurately assessed.
Efficiency and Economy
- RRAP and VRAC performed effectively and efficiently over their inaugural phase. However program expenditures exceeded the forecasted budgets due, primarily, to additional resources required to meet demand and workload.
- Recent governance changes have strengthened coordination and resource sharing between the two programs which represent important steps towards resource optimization.
The Senior ADM of the National and Cyber Security Branch should consider:
- Developing RRAP site assessment selection processes, and VRAC products, that consider risks and priorities.
- Leveraging CI community engagement and targeted outreach activities to support achievement of RRAP and VRAC program objectives.
- Ensuring appropriate resources to support the scope of activities outlined in annual RRAP and VRAC workplans.
- Exploring options to support owners and operators to address improvements identified through site assessments that will increase the resilience of CI sites across Canada.
- Date modified: