Risk and compliance process self-assessment of compliance and performance questions

Organizations participating in the Risk and Compliance Process (RCP) are required to respond to questions in specific areas of focus. Areas of focus represent management areas that are critical to effective public sector administration such that compliance and performance in these areas would have a significant impact on the functioning of an organization and potentially the enterprise.

Areas of focus are linked to legislative requirements or Treasury Board policy and seek to provide information not collected through other mechanisms. 

Areas of focus

Communications self-assessment questions

Question 1 of 1: Does the organization have a process in place to ensure that all communications products and activities are non-partisan?

Data self-assessment questions

Question 1 of 2: What is the maturity level of the organization’s data inventory management in supporting operations, service delivery and decision-making?

Question 2 of 2: Does the organization have a documented process in place to ensure that IT systems used to support digital initiatives have the data foundations for AI readiness?

Financial and expenditure management self-assessment questions

Question 1 of 4: Did the organization conduct a full risk assessment or environmental scan of its internal controls over financial management and internal controls over financial reporting in 2025–26 and use the results to inform its internal control monitoring strategy?

Question 2 of 4: What percentage of remediation actions for medium- and high-risk internal control gaps or weaknesses were fully implemented within the established timelines during fiscal years 2023–24 to 2025–26?

Question 3 of 4: What is the organization’s level of maturity in financial governance, particularly in ensuring effective oversight and integrating financial management into decision-making?

Question 4 of 4: What is the organization’s level of maturity in safeguarding financial resources against material loss due to fraud?

Grants and contributions self-assessment questions

Question 1 of 4: For each grant or contribution agreement issued in the past 12 months, did the organization make recipient monitoring and/or auditing proportionate to the assessed level of risk?

Question 2 of 4: What percentage of planned recipient audits were conducted during the 2024–25 fiscal year?

Question 3 of 4: What percentage of program terms and conditions, that were identified as needing amendments, have been amended to integrate the Buy Canadian Policy?

Question 4 of 4: What percentage of grant and contribution programs have operationally included the Buy Canadian Policy, compared to those that were planned and approved?

Performance management self-assessment questions

Question 1 of 2: What is the level of maturity of the organization’s executive performance management program?

Question 2 of 2: What is the level of maturity of the organization’s employee performance management program?

Procurement self-assessment questions

Question 1 of 7: How frequently does the deputy head meet with the senior designated official for procurement to discuss procurement matters?

Question 2 of 7: What is the level of maturity of the organization’s procurement performance monitoring regime for the procurement function as a whole?

Question 3 of 7: What is the level of maturity of the organization’s Procurement Management Framework?

Question 4 of 7: What is the level of maturity of the organization’s monitoring and control practices for individual procurement transactions?

Question 5 of 7: What is the level of maturity of the organization’s procurement planning?

Question 6 of 7: What is the level of maturity of the organization’s procurement governance?

Question 7 of 7: What is the level of maturity of the organization’s procurement resource competency and capacity?

Project management self-assessment questions

Question 1 of 2: Since the beginning of the last fiscal year to the present, has the organization completed and submitted to TBS for review and acknowledgement, a Project Complexity and Risk Assessment (PCRA) for every project with a total estimated cost over the organization’s PCRA threshold, before starting the project definition phase?

Question 2 of 2: What percentage of projects with significant scope changes, schedule delays, or increased cost estimates over the organization’s defined performance measures are brought to the appropriate approval authority and have a documented decision on how to proceed?

Real property self-assessment questions

Question 1 of 6: How frequently does the deputy head meet with the senior designated official for real property to discuss real property matters?

Question 2 of 6: For organizations whose real property portfolio shows a year over year decline in asset condition, does the organization's investment plan address this decline?

Question 3 of 6: For transactions completed by the organization in the last fiscal year, what proportion of these transactions have complete documentation to demonstrate compliance with relevant legal and policy requirements?

Question 4 of 6: What is the organization’s actual reinvestment rate for real property compared to its target reinvestment rate?

Question 5 of 6: What is the level of maturity of the organization’s real property management framework?

Question 6 of 6: What is the level of maturity of the organization’s management of its real property portfolio strategy?

Security self-assessment questions

Question 1 of 5: How frequently does the Chief Security Officer report to the Deputy Head on the progress in achieving the departmental security plan priorities?

Question 2 of 5: Does the organization have a documented process in place to track non-compliance with the Policy on Government Security and its related directives?

Question 3 of 5: What is the level of maturity of the organization’s security management governance?

Question 4 of 5: What is the level of maturity of the organization’s overall guidance and processes in security management?

Question 5 of 5: What is the level of maturity of the organization’s security awareness and training processes?

Service self-assessment questions

Question 1 of 2: What is the organization’s level of maturity in its mechanisms for reviewing and improving services based on client feedback, specifically for internal enterprise and external services?

Question 2 of 2: What is the organization’s level of maturity in managing its service performance, specifically for internal enterprise and external services?

Technology self-assessment questions

Question 1 of 2: What is the organization’s level of maturity of its annual forward-looking three-year departmental plan for the integrated management of service, information, data, IT and cyber security, which aligns with the Chief Information Officer of Canada’s enterprise-wide integrated plan?

Question 2 of 2: Has the organization’s designated official for cyber security informed the deputy head of the results of the organization’s Cyber Maturity Self-Assessment in the past 12 months?

Values and ethics self-assessment questions

Question 1 of 2: What is the organization’s level of maturity in fostering a positive culture of values and ethics?

Question 2 of 2: What is the organization’s level of maturity in providing employees with information, advice and assistance on identifying, preventing and resolving real, apparent or potential conflict of interest situations?

Workplace health self-assessment questions

Question 1 of 1: What is the organization’s level of maturity in developing and implementing measures to prevent workplace harassment, violence and discrimination?

Enquiries

For enquiries or to obtain methodologies for the self-assessment questions, contact the RCP team at RCP_PRC@tbs-sct.gc.ca.

Page details

2026-06-23