2nd Session - 43rd Legislature, Public Accounts 9, Nov 17, 2025

TIME – 4 p.m.

LOCATION – Winnipeg, Manitoba

CHAIRPERSON – Mr. Kelvin Goertzen (Steinbach)

VICE-CHAIRPERSON – MLA Jim Maloway (Elmwood)

ATTENDANCE – 9 — QUORUM – 6

Members of the committee present:

Mr. Brar, MLAs Chen, Compton, Devgan, Messrs. Ewasko, Goertzen, MLA Maloway, Messrs. Oxenham, Perchotte

Substitutions:

Mr. Perchotte for Mrs. Stone

APPEARING:

Tyson Shtykalo, Auditor General of Manitoba

WITNESSES:

Maurice Bouvier, Deputy Minister of Municipal and Northern Relations

Kevin McPike, Assistant Deputy Minister of Municipal and Northern Relations, Municipal and Northern Support Services

MATTERS UNDER CONSIDERATION:

Auditor General's Investigations Report, dated August 2021

Municipal Development Corporations

Auditor General's Report – Follow Up of Previously Issued Recommendations, dated February 2024

Investigations Report: Municipal Development Corporations

Auditor General's Investigation Report – Manitoba Municipalities and the Department of Municipal and Northern Relations, dated August 2025

Auditor General's Report – Follow-Up of Previously Issued Audit Recommendations, dated April 2022

Rural Municipality of De Salaberry: Audit of Financial Irregularities

* * *

The Chairperson: Good afternoon. Will the Standing Committee on Public Accounts please come to order.

Committee Substitution

The Chairperson: Before we begin our business today, I'd like to inform the committee that we received the following membership substitution for this meeting only: MLA Perchotte for MLA Stone.

* * *

The Chairperson: This meeting has been called to consider the following reports: the Auditor General's Investigations Report, dated August 2021, Municipal Development Corporations; the Auditor General's Report–Follow Up of Previously Issued Recommendations, dated February 2024, Investigations Report: Municipal Development Corporations; the Auditor General's Investigation Report–Manitoba Municipalities and the Department of Municipal and Northern Relations, dated August 2025; the Auditor General's Report–Follow-Up of Previously Issued Audit Recommendations, dated April 2022, Rural Municipality of De Salaberry: Audit of Financial Irregularities.

Before we begin, are there any suggestions from the committee as to how long we should sit this afternoon?

MLA Jim Maloway (Elmwood): I recommend that we follow the reports in the order they appear on the agenda and the second point is that we meet for an hour and revisit at that time.

The Chairperson: So we'll deal with the first–or, the second suggestion first. MLA Maloway suggested that we sit for an hour and then reconsider at that time.

Is that the will of the committee? [Agreed]

I will deal with another issue first. I believe that there was prior agreement that this committee complete consideration of the following chapter without further discussion: the Auditor General's Report–Follow-Up of Previously Issued Audit Recommendations, dated April 2022, Rural Municipality of De Salaberry: Audit of Financial Irregularities.

Does the committee agree to complete consideration of this chapter? [Agreed]

And there is a standing recommendation from MLA Maloway that we consider the reports as listed on the notice, which would be the MDC report first, followed by the WestLake municipality, I believe.

Is there agreement on that? [Agreed]

At this time, I would ask the committee if there is leave for all the witnesses in attendance to speak and answer questions on the record, if desired. Is that agreed? [Agreed]

I'd also like to remind everyone that questions and comments must be put through the Chair using third person as opposed to directly to members and witnesses.

Before we proceed, I'd like to inform all in attendance of the process that is undertaken with regard to outstanding questions. At the end of every meeting, the research clerk reviews the Hansard for any outstanding questions and the witness commits to provide an answer to and will draft a questions-pending-response document to be sent to the deputy minister or other witnesses. Upon receipt of the answers to those questions, the research clerk then forwards the responses to every PAC member and to every other member recorded as having attended that meeting.

With those issues dispensed, I will now move on to the order as agreed upon: the Municipal Development Corporations, and we'll consider the chapters of that report.

Does the Auditor General wish to make an opening statement?

Mr. Tyson Shtykalo (Auditor General): First, I'd like to introduce the staff members I have with me today. I'm joined by Jeff Gilbert, assistant auditor general; Ryan Riddell, audit principal; and James Wright, audit principal.

Mr. Chair, municipal development corporations are created by municipalities to support local economic development. These entities can take various forms, including community development corporations, regional development corporations and other municipally controlled organizations.

This investigation was initiated in response to numerous concerns raised through our citizen concern line regarding the lack of oversight and information available on municipal development corporations. Our examination assessed whether municipal 'accouncils'–whether municipal councils receive sufficient information to oversee these corporations. We also assessed whether the public has reasonable access to basic information about the activities, revenues and expenditures of municipal development corporations.

We found that municipal councils were not consistently receiving financial documentation from their development corporations, needed to provide effective oversight. In many cases, documentation was unaudited and annual reports was rarely reduced–rarely produced.

Development corporations also provided limited public information; financial statements and board minutes were not consistently available to the public or did not contain sufficient detail to identify revenues and expenditures of the development corporation. Some governing municipalities were not completing their audited consolidated financial statements on time in accordance with legislation, and some municipalities were not posting financial statements onto their websites.

We also found councils were not consistently providing strategic direction to their development corporations; only one of the 15 municipalities in our sample annually reviewed a strategic plan with its development corporation.

In addition, we found management and governance structure of development corporations to be unclear. Many councils, municipal staff and board members had differing understandings of how their roles and responsibilities in managing the development corporation.

This report includes five recommendations aimed at improving oversight, transparency and governance of municipal development corporations. Of the five recommendations, management has implemented one and has indicated it does not intend to implement the other four.

I'd like to thank municipal officials, development corporation representatives and staff who shared their perspectives during our examination. Would also like to thank staff of the department, and to all Manitobans who brought their concerns to the attention of my office through the citizen concern team.

I want to acknowledge my audit team for their diligence and professionalism in completing this report, and I look forward to discussing the findings and recommendations with the committee today.

The Chairperson: Thank the Auditor General for his comments, and for the work of his office and the staff that were involved in this report.

Does the deputy minister wish to make an opening statement, and would you please introduce your staff?

Mr. Maurice Bouvier (Deputy Minister of Municipal and Northern Relations): Yes, yes, I do, Mr. Chair.

Beside me is the assistant deputy minister for Municipal and Northern Relations with responsibilities for the division called municipal, northern support services, Mr. Kevin McPike.

All right. And thank you, Mr. Chair, for the opportunity for an opening statement. I'd like to thank the committee for the opportunity to provide an update on the Department of Municipal and Northern Relations' actions to implement the recommendations directed to the department.

Today this committee will be dealing with a few reports on audits of the department and municipalities. What I'd like to do is provide some context and speak to the committee about the provincial-municipal relationship in Manitoba, the Province's municipal legislative framework and our department's role within that relationship and framework.

This provides some context for our work: the legislative framework that enables municipalities to govern and operate is established by The Municipal Act and other provincial legislation for municipalities. The legislation considers municipalities to be mature, responsible and democratically accountable governments. It's–it is important to recognize that municipalities are not extensions of the Province or provincial reporting entities, and that they are treated by Manitoba's legislation as independent democratic governments within their own legislative and corporate powers.

Manitoba's legislation provides municipalities with considerable autonomy and flexibility to manage their own internal affairs, and to make decisions on public policy, infrastructure, services, bylaws and other matters that they think will be–will best meet the needs of their citizens.

* (16:10)

In return, the legislation imposes various obligations on municipalities, including for public accountability on specific subjects. The intent of the act is to provide the lines that locally elected councils may colour within, recognizing that the council will be democratically responsible to its electorate for how the picture turns out.

Manitoba's municipalities are very diverse in terms of their population, geography, resources and types of communities. Municipalities range from large urban centres to small, rural or northern communities.

Likewise, the issues that municipalities experience are very diverse. Municipalities have varying capacity to govern, administer and operate their municipalities and to respond to issues that may arise. Manitoba's legislation and its requirements must be sensitive to the reality that, without even considering Winnipeg, municipalities vary by approximately two orders of magnitude in the size of their populations and budgets. The largest municipality outside Winnipeg is roughly 100 times the size of the smallest.

One of the department's primary roles is to build the capacity of municipalities to operate within the legislative framework so that they can be effective and viable into the future. Capacity building includes education and training; development of resources and supports; and provision of tools in education to enable municipalities to respond to issues and govern appropriately.

The department also provides on-demand responses to questions and counts–and concerns raised by municipal administrators, elected officials and the general public. I will be updating the committee on the Auditor General's recommendations directed to department and note that the Auditor General has also directed recommendations to individual municipalities.

Regarding the examination of municipal development corporations report and subsequent follow-up, the department was assessed as having implemented one recommendation and having chosen not to implement four recommendations.

Generally, the department is of the view that it has implemented the recommendations to the extent that was reasonable or possible when considering Manitoba's legislative and public policy framework for municipalities and the department's role within that framework. While the department's responses are clear as to the department's rationale, it is worth noting or reiterating that some key contextual considerations be made for the committee.

It's important to note that while the audit is generally directed to the department and concerns the relationship of municipalities to community development corporations, these CDCs are not established under the department's legislation.

I would like to thank staff from the Companies Office and from the then-Department of Economic Development and Jobs. These areas provided important assistance and information to the department in developing guidance for municipalities and who held policy expertise–and who, rather, held policy expertise specifically related to the CDCs.

The department's view is generally that most of the recommendations in this report were fundamentally of a public policy nature, as there was limited existing legislative or regulatory authority for the department to implement the recommendations.

I would note that the general tenor of the recommendations was that Manitoba should intervene in or prescribe requirements for how another government was to conduct its internal affairs, communicate with its electorate, plan its priorities or relate to other legal entities. The recommendations were largely contradictory to the scope, purpose and intent of Manitoba's legislative framework for municipalities.

As important context, I'd like to note that these recommendations were made only a couple of years after Manitoba's Legislature had already considered the legislative requirement for financial reporting by municipally controlled entities, including CDCs.

Through The Red Tape Reduction and Government Efficiency Act, 2018, the Legislature actually repealed the existing legal requirements for municipally controlled entities to obtain their own audits, in part over concerns about their cost and timeliness. Therefore, as a public policy matter, at that time the recommendations in the report appeared to also be contradictory to the general direction of the provincial public policy for municipalities on these matters.

However, the department did implement the recommendations to the extent that was possible within the department's role of providing advice and guidance to municipalities. The guidebook provided to municipalities on CDCs was responsive to the issues highlighted in the Auditor General's report. The guidebook provided information for municipal councils and administrators to consider how existing legislative requirements, and for matters not covered by legislation, the suggested best practice on these subjects.

Thank you for the opportunity to provide an introduction, and I look forward to addressing the committee's questions.

The Chairperson: Thank the deputy minister for the opening statement and for appearing with staff before the committee this afternoon.

Are there questions from committee members?

MLA Carla Compton (Tuxedo): I have a question just kind of to the last thing that was said by the presenter.

What are the best practices that are recommended? Because if I understood correctly, in 2018, it sounds like there was a repeal made by the government at the time to the audit requirement.

So now I'm curious: Is that actually a best practice? Is that not a best practice? Is there something else that, you know, perhaps the current government should be reflecting on whether or not legislation needs to be adjusted or not?

I guess maybe that was a few things.

Mr. Bouvier: The guidebook, which is called the Community Development Corporations: Guidance for Municipal Accountability, is available on our website–on the provincial website–and our Municipal and Northern Relations subsite.

Topics covered in the guide include municipal roles in community economic development, best practices: strategic planning and annual reporting on goals, governance for community development corporations and promoting financial transparency in community development corporations.

So to your question–to the question from the member, certainly there are best practices out there. They're at the–you know, at the discretion of each individual municipality to look at those best practices and determine what their approach is going to be to community development corporations. What we've provided are, you know, really a list of best practices for them to consider.

You know, in terms of audited financial statements, that's something that a municipality could consider, but it would be voluntary to do that. But I think what's really important is financial reporting, you know, from a community development corporation to a municipality or to their stakeholders.

The Chairperson: Follow-up, MLA Compton?

MLA Compton: I'm wondering if the deputy minister could let folks here know how many municipalities seem to be following these best practice guidelines of transparency in reporting financial–well, their own–their financial dealings with their constituents or in their municipality.

Mr. Bouvier: The department issued a bulletin, 2022‑23, on August 5, 2022 to introduce the Community Development Corporations: Guidance for Municipal Accountability handbook. The guide was attached to the bulletin.

The guide was mentioned several times during monthly call delivered by the municipal services officers to senior municipal administrative officials. Municipalities are empowered and have the full authority to determine their policy priorities, including the use of the department's resources and tools.

But, certainly, when questions are asked of our department and generally answered by our municipal services officers, we refer to this guide. And if they are looking for advice, we again talk about best practices and don't say what you must do, but here are some things to really consider to–you know, to ensure that proper planning, reporting and transparency are contained in that relationship between the municipality and the community development corporation.

The Chairperson: Thank you, deputy.

Further questions?

Mr. Logan Oxenham (Kirkfield Park): I heard the words follow-up several times. And I'm just curious, given the findings of insufficient follow-up on complaints regarding–you know, about municipal compliance, I'm just wondering what specific changes will be implemented to ensure that complaints are addressed in a timely manner and also effectively.

* (16:20)

Mr. Bouvier: The–certainly, the information is provided, you know, on best practices to all the municipalities. As far as the specific municipalities and their intent to, you know, to take up those best practices, that really is to their own discretion.

However, we certainly do continue to promote these best practices to all the municipalities to ensure that they understand, really, policies and standard operating procedures that they can take on in order to ensure that there is that strong relationship between the community development corporations as well as the municipalities that work with them.

The Chairperson: Follow-up, MLA Oxenham?

Mr. Oxenham: Yes, I'm just hearing about–talking about relationships and just curious from the department's perspective of where they see themselves relationship-wise with municipalities, and is there any room for improvement with communication between the department and the municipalities?

Mr. Bouvier: The–certainly, the relationship with municipalities can vary based on topics, but overall, it's a strong relationship that we have with municipalities, especially, you know, as–at our department level to municipal administrators to councils when they're, you know, when they're having difficulty or if they're, asking for advice in terms of our legislation, we see that the relationship is very strong.

We don't agree on everything, on every issue, but at the same time, we certainly work with them proactively in order to, you know, to address issues so that they don't get to be much bigger issues and that management and practice at a municipal level is really as strong as it can be.

MLA Jennifer Chen (Fort Richmond): Of the five recommendations that the department basically–with some of the recommendations and they chose not to implement four of the recommendations–so my question is actually toward the Auditor General.

Does the Auditor General have any comments regarding those–regarding the department's response related to the recommendations that are not–chose not to complete?

Mr. Shtykalo: So not sure if I caught the whole question but I think it was to do with my response to the department's response of not implementing four of the five recommendations.

Yes, certainly, the department talks about the municipalities being sovereign and democratically elected, and certainly we are aware of that and we took care in our recommendations to ensure that they were not imposing. It wasn't the recommendation to impose rules or decisions or to set 'pariety'–set priorities for municipalities.

However, our recommendations speak to things like working collaboratively, identifying appropriate financial items to be reported. You know, the perspective of my office is that we saw a large gap between–or, a missing piece between what's–the work that's being done by the CDCs and the information that the municipalities were providing, and that was pervasive across the province and in all the municipalities that we looked at to one–to varying degrees.

So on behalf of Manitobans, we would look to the department of municipal relations to assist in ensuring that the municipalities are equipped to receive that information and are doing the appropriate thing with the information in providing taking a role in the safeguarding of the assets that have been entrusted to the development corporations.

So I think I'll leave it at that.

The Chairperson: Follow-up, MLA Chen?

MLA Chen: Yes. My follow-up question is towards the department. So in the department's response, it seems like the department is or was expecting at that time to address these recommendations in the guide, so since 2021 or 2022.

So now, three years later, in 2025, I'm wondering, does the department still expect all the recommendations to be addressed by the guide, and if the–could the department elaborate upon how it is expected to address those recommendations, especially those that are not completed?

Mr. Bouvier: The department believes the guide responds to all of the issues raised in the Auditor General report to the extent that is possible and appropriate within Manitoba's legislative framework for municipalities.

But getting back to our relationship with municipalities, we do work closely with them and we believe that the guide does provide, you know, a comprehensive series of best practices that municipalities can adopt. And we don't foresee substantive changes to the governing legislation for municipalities or the CDCs.

So we do not have an expectation that the content will require, you know, updates in the future. We think it's a solid document, and it's–and our additional offer to municipalities to, you know, to get advice about those recommendations in the guide is–remains open and we continue to get questions on it and respond accordingly.

The Chairperson: Thank you.

Further questions?

I might ask–I want to make sure I'm characterizing your comments, deputy, correctly.

Is your view that the department's role then is to establish best practices–a minimum threshold, perhaps, if you'd say–and then to maybe monitor or assist municipalities in meeting that minimum practice or threshold? Or is it the view of the department that they have no role at all in ensuring that those minimum standards are met when it comes to financial reporting and responsibility?

Floor Comment: Mr. Chair, can I ask–

The Chairperson: Deputy, yes, go ahead.

Mr. Bouvier: Oh, sorry. Mr. Chair, can I ask clarification in terms of the minimum financial responsibility as related to the community development corporations?

The Chairperson: Yes. And, if you want to opine on reporting–financial reporting generally for municipalities, I'd be interested in your perspective.

Mr. Bouvier: At page 8 and 9, the guide provides municipalities with clear direction on minimum reporting requirements under The Corporations Act, under which the community development corporations are created. This statute requires reporting to shareholders on an annual basis, which would include the municipalities. It does not require public reporting, and I'll note again that Manitoba's Red Tape Reduction and Government Efficiency Act, 2018 eliminated the requirement for CDCs to have their financial statements audited.

That being said, the–certainly we are–we continue to want to support municipalities, you know, to adopt best practices and to adopt practices that will strengthen their ability to work with their own community development corporation or corporations that they work with.

We see our role as providing advice and guidance as The Municipal Act doesn't have, you know, any specific reporting requirements around community development corporations.

The Chairperson: So would that–would the role essentially be reactive or do you proactively reach out to municipalities to see if they need assistance on their reporting or is it just–or, are ensuring that there's financial responsibility if there was reporting–or is it just if there's a complaint or a concern that's raised? Is it proactive or is it reactive?

* (16:30)

Mr. Bouvier: Under The Municipal Act, municipal councillors–councils are fundamentally responsible to ensure that their administration fulfills its responsibilities to provide financial reporting to the council and to make the municipality's audited financial statements available to the public.

The–I would go back to say that we have been proactive to develop a guide for community development corporations for the use of councils and also to promote that guide.

The Chairperson: And one last follow-up question.

So I'm understanding and I'm accepting sort of the premise of the department that, you know, these are elected bodies and they have to respond and report to their own constituents, and I do respect that.

But we often talk as elected officials about municipalities being creatures of the provincial government and, you know, to what extent we feel that means that there should be a greater oversight, that maybe depends on the individuals' experiences or their perspectives.

But is it your view that because, outside of Winnipeg, there are some municipalities who have a significant tax base and they have significant resources–25,000 maybe in the RM of Hanover–and others who have significantly less.

Are all of those–are all of the municipalities, whether they're big or small in terms of their tax base, able to meet what you believe to be best practices from a financial reporting perspective, either for the MDCs or generally?

Mr. Bouvier: Certainly the capacity of municipalities does vary based on expertise, based on, you know, financial resources available to them.

And our approach within The Municipal Act is, you know, is to look at what are their legislative requirements in terms of reporting, and are they having difficulties, whether that's reporting a deficit or wanting to borrow for capital works.

Those sort of pieces, we do, you know, certainly appreciate that each municipality may have–or many municipalities have varying degrees of capacity. Our approach with the municipalities for their legislative requirements under The Municipal Act is to certainly work with them so that they can meet the minimum requirements of The Municipal Act.

With respect to community development corporations, being that they fall outside of The Municipal Act, they have certain responsibilities to meet with–under The Corporations Act, which they–if they don't meet, they certainly would, you know, could be taken to task for that.

The Chairperson: Thank you, Deputy.

Mr. Richard Perchotte (Selkirk): In this day and age, with transparency and having accountability with the RMs reporting the financial audited statements to the public, how can an RM like St. Clements go now five years without an audited financial statement given to the public? And in addition to that, what can the department do to ensure that it's done in a timely fashion moving forward?

Mr. Bouvier: I'll start the answer and then I'll also ask my colleague to fill in some of the details on it.

But we certainly are aware of, you know, when municipalities have not met their requirements under The Municipal Act. And what we do is to contact their municipal administrators. We often meet with council depending on this–on how far behind they may be. And we also provide guidance through various guides and bulletins that help municipalities build that capacity to meet their requirements under The Municipal Act.

And I'll just turn over to my assistant deputy minister for further detail.

Mr. Kevin McPike (Assistant Deputy Minister, Municipal and Northern Relations, Municipal and Northern Support Services): So while the department doesn't have a direct role in assisting other orders of government in preparing financial statements, we recognize that we have a role to play in ensuring that they have adequate access to the right tools to be able to prepare their reporting in a timely and effective manner.

So some of the things that we've looked at is, how can we ensure that municipalities have access to the procurement of auditors? So we are exploring ways to open up a department that oversees procurement to have–to gain access to a pool of auditors so that they can do that on a timely basis to achieve value for money.

We also work with them to ensure that we have the timely appointment of auditors so that reports are being completed on time; they're also being reviewed by council. And we also provide templates and other supports to ensure that the audited financial statements are being developed appropriately.

The Chairperson: Thank you, deputy–Assistant Deputy.

Follow-up, Mr. Perchotte?

Mr. Perchotte: Based on the information provided by the department, what is the assurance to the public that the audited financial statements are going to be released at any time? It's been five years; people would like to know, is it going to be another five years or 10 years, 15 years?

Mr. Bouvier: Well, I can't speak to specific examples immediately in front of me, but I certainly know that when we do see that there are–when municipalities are not meeting their requirements, that, you know, that we do contact them and we do try to help them move through that process, and we also are, you know, are certainly available to talk with them, to help them find auditors, as my colleague had suggested.

The–it is difficult sometimes for municipalities to find auditors. I don't use that as an excuse for municipalities to not report on time, so–and I think the second Auditor General's report that we'll be talking about today also kind of relates to municipal requirements that we can speak further to.

The Chairperson: Thank you.

MLA JD Devgan (McPhillips): Yes, I don't know if this has been answered already, but what, if any, relationship does the department have with the association–or the organization of chief administrative officers in Manitoba, specifically with respect to creating or strengthening that knowledge base, specifically with the administration side of municipalities?

Councils come and go, change, but you'd want the public service and municipalities to be strong in their understanding of the fiscal responsibility or whatever you want to call it. But is there a relationship, and what does that look like with the department?

The Chairperson: Thank you, MLA Devlan [phonetic].

Mr. Bouvier: The department works regularly with the Association of Manitoba Municipalities as well as the Manitoba municipal administrators group. We meet bimonthly with the municipal administrators group and we talk about things like this. So we talk about, you know, about strengthening capacity, about meeting requirements, about tools that would be useful for municipalities to be able to meet their requirements.

We–as I alluded to, we work with the Association of Manitoba Municipalities as well on issues that, you know, that are more than one or two municipalities, and that gives us opportunity as well to talk about and strategize around how to increase the capacity of those municipalities.

The Chairperson: Thank you.

MLA Devlan [phonetic], do you have a follow-up?

MLA Devgan: I do, yes.

Just on that: what feedback does the department get from–or administrative officers and the administrative side of municipalities? What feedback do you get from folks in terms of maybe the competency level that exists across all municipalities in Manitoba?

Mr. Bouvier: We do get feedback about capacity of administrations, including councils. They do vary and, you know, when new councillors come on, it's important that they get oriented to their responsibilities, and the same is true with municipal administrators.

So when there are changes, there's, you know, there's need for education. And that's done in a few different ways. The first is the Association of Manitoba Municipalities works to provide that orientation to new councils, new councillors. And we work at the department level, as well, to support training in that regard. We also work directly with the Municipal Administrators' Association to, you know, again, to help strengthen their ability to do their job as the administrative component of a municipality.

* (16:40)

The Chairperson: Thank you.

Other questions?

Mr. Wayne Ewasko (Lac du Bonnet): So to the department: so we've seen–we've got one recommendation that's been completed, we've got a guide that's gone out to municipalities, we've heard the ongoing collaboration of working with the municipalities and also the municipal administrators.

I guess since the guide has gone out and the other recommendations, really, the department has disagreed with just due to the fact that municipalities are their own democratically elected entities. So I'm not sure if this is going to the department or the Auditor General, maybe.

Since that guide has gone out, have we seen these various complaints, the number of allegations as far as not being transparent to the public, are those numbers going down?

The Chairperson: So it was a bit of a dealer's choice there in terms of the question. I'm going to allow the deputy minister to respond and then I'll seek guidance from the Auditor if he'd like to weigh in as well.

Mr. Bouvier: We don't have any specific information since the release of the best practice guide to indicate that they've gone up or necessarily gone down.

What we do believe is happening, though, that they're being seriously considered by municipalities as to how they strengthen their ability to work with their community development corporation as they do have a responsibility to report on the financial side and their own financial statement on any related organizations.

The Chairperson: Thank you, Deputy Minister.

Mr. Shtykalo: As I'd mentioned in my opening remarks, this report was initiated in response to numerous concerns that were raised to us through our citizen concern line.

Now I don't have numbers for you like we produced in the report or like we sampled in the report; we haven't resampled it. But I can confirm that we still receive concerns from individuals through our citizen concern line about the lack of transparency and accounting–or sorry, accountability concerning municipal development corporations.

The Chairperson: Thank you for that response, to both the deputy and the Auditor.

MLA Ewasko, on a follow-up.

Mr. Ewasko: Thanks to the AG and the department for their answers. I guess that's sort of where we're getting to, right? I mean, so then where does the public then–where do they get to go with further complaints besides waiting the four years for election cycle and then bringing that up? Because as the department–as the deputy has mentioned, they have those ongoing bimonthly meetings with municipal administration, but then also a good working relationship with AMM.

The Auditor General did the report, the recommendations are there. I would hope that, you know, again, that that good relationship continues and it's sort of one of those–not quite a temperature check happening, but sort of where the municipalities are at, where they see that they're at themselves, and then asking the department for the help as the deputy and the assistant deputy had mentioned in regards to the tools that they can supply those municipalities to help rectify or be a little more transparent or accountable to their constituents or their electorates.

So I'd just like a couple comments on that, and I appreciated the AG saying that, you know, that the complaints are still coming in. And so how maybe can we as legislators, in opposition and in government, maybe help move something forward to help municipalities with their electorate as well, or do we just sort of hang back, pump out an updated guide as a reminder and hope for the best.

Mr. Bouvier: Thank you for the question. The–certainly, we receive complaints, you know, directly from the public on various issues, and when it's not in the sphere of the department to be able to control the response of a municipality, which is something we talk about regularly about those organizations being independent and accountable to the electorate.

We also do, you know, make suggestions such as making representation to the council as a delegation to writing the council, raising those concerns and then taking into account what–holding–asking them, so what are you doing about that? So I think that's the right of every citizen, to be able to do that, and we do give that advice often when we do get complaints.

Now, I'm not suggesting that we get a lot of complaints about CDCs, but, you know, we get complaints about various pieces that members of the public want us to do something about, and sometimes those are outside of our scope. But that's the kind of advice that we give to make sure that they know they have options to talk with their municipality.

The Chairperson: Further questions?

All right. Seeing no further questions, put the question on the Municipal Development Corporation chapters to the committee: Does the committee agree to complete consideration of the chapter Municipal Development Corporations within the Auditor General's Investigations Report, dated August, 2021?

I'm open to a yes or a no. Agreed? [Agreed]

This chapter is accordingly completed for consideration.

Does the committee agree to complete consideration of the chapter Investigations Report, Municipal Development Corporations within the Auditor General's Report–Follow‑Up of Previously Issued Recommendations, dated February, 2024?

Agreed? [Agreed]

This chapter is accordingly completed for consideration.

I will move on to our final report of the afternoon. We'll consider the report of the Department of Municipal and Northern Relations. I'm reminded that we had a robust discussion on the last report and might anticipate a robust discussion again.

Mr. Maloway has suggested the committee sit for an hour and then revisit at that time. I'm wondering if, because we're 13 minutes away from the end of that time, if someone on the committee, perhaps Mr. Maloway, would like to offer a suggestion?

An Honourable Member: Yes, I would suggest–

The Chairperson: Mr. Maloway.

MLA Maloway: I would suggest we sit for another hour and then revisit at that time.

The Chairperson: Mr. Maloway has suggested that the time be extended for an additional hour and then we can reconsider at that time.

Is that the agreement of the committee? [Agreed]

So we will now consider the report on municipalities and the Department of Municipal and Northern Relations.

Does the Auditor General wish to make an opening statement?

Mr. Shtykalo: This report was initiated in response to a special request from the Minister of Finance (MLA Sala) under section 16 of The Auditor General Act. It came following a cybersecurity incident involving the municipality of WestLake-Gladstone.

I took this opportunity to also examine six allegations involving municipalities which originated from two sources: tips submitted through our stakeholder concern line, and referrals from the department itself.

Finally, we also examined the Department of Municipal and Northern Relations' oversight of municipalities. Specifically, we looked at how the department handled complaints and managed risks associated with municipal grants.

I will first address the cybersecurity incident. Between December 19, 2019 and January 5, 2020, an unknown actor made 48 unauthorized withdrawals, each under $10,000, from a credit union account held by the municipality of WestLake-Gladstone, totalling $472,377.

The municipality detected the withdrawals in January, 2020, and notified both the credit union and the RCMP. The RCMP was unable to identify the perpetrator or recover the funds. We found the municipality did not conduct a root cause investigation determine–to determine how the breach occurred, missing an opportunity to strengthen its defences and prevent further–future incidents.

This incident underscores the urgent need for all municipalities to implement baseline cybersecurity controls, such as those recommended by the Canadian Centre for Cyber Security. These include incident response planning and multifactor authentication for key accounts.

Of the six allegations we investigated, three were substantiated. These incidents revealed improper procurement practices, unauthorized expenditures and governance failures, each of which raises serious concerns about accountability and internal controls.

* (16:50)

With respect to departmental oversight, the Province provides substantial funding to municipalities to support governance, infrastructure and services. With this funding comes a shared responsibility to ensure effective stewardship of public resources. We found some issues with the department's oversight: specifically, it does not consistently follow up on complaints about municipalities; it lacks sufficient oversight of how municipalities use government grants.

In addition, the department does not review financial information submitted by municipalities to ensure the financial plan is complete, a full operating and capital budget is included or a five-year capital expenditure program plan is provided.

This report includes five recommendations based at strengthening cybersecurity and enhancing risk-based oversight of public funds provided to municipalities.

I want to thank municipal officials and the department staff for their co-operation throughout the investigation and acknowledge the hard work of my audit team.

Looking forward to the discussion today on the findings.

The Chairperson: I thank the Auditor General and his staff for his comments and his work on this report.

Does the deputy minister wish to make an opening statement, and if you have any additional or new staff that you have not previously introduced, you are welcome to do so at this time.

Mr. Bouvier: I do not have other staff to introduce, but regarding the investigation report on Manitoba municipalities and the Department of Municipal and Northern Relations, this report was initially requested regarding concerns in WestLake-Gladstone and other municipalities.

The scope of the report also includes findings and recommendations for the department regarding programs and other matters within the department's core responsibilities.

I would like to thank the Auditor General for the investigation and findings regarding concerns about several municipalities that were brought to their attention. The department recognizes that the Auditor General and other independent bodies, such as the Ombudsman, play a very important role in the sphere of municipal accountability.

Their investigatory expertise and credible reportings of findings is a key mechanism that enables members of the public to evaluate their elected representatives' performance and hold them to account.

This report is quite recent. In fact, we provided our official response to the committee late last week–Friday, actually–and the department is now acting where there is a clear course to implement the recommendations and otherwise keenly working to determine the best path forward to implement other recommendations.

I would like to assure the committee that these recommendations are taken seriously and accepted by the department and will be actioned by the department.

Most of these relate to the programs or existing legislation that is directly within the department's control and there will be results on key issues such as strengthening oversight of grant programs and enforcing the existing legislative requirements for municipalities regarding the completeness and timeliness of their financial reporting.

I can advise the committee and the–that the department has been acting to strengthen enforcement in key areas of municipal financial reporting. A firmer line has and will continue to be taken with municipalities that incur operating deficits contrary to The Municipal Act's requirements for balanced budgets.

The department is also working to develop a compliance framework for municipalities. While this is still very much under development, I anticipate that this will include escalating enforcement actions that move beyond capacity building and into serious consequences such as withholding or denying funding, requiring additional audits and even orders of supervision or administration.

The department has also finalized enhancements to its process to review municipalities' 2026 financial plans. As a key initial document to the municipal financial reporting cycle, the department will be reviewing these documents for completeness, significant variances or other red flags.

These reviews will be prioritized so that municipalities will have time to adjust their financial plans and re-hold public hearings if councils determine that changes are advisable.

The department will also continue to offer preliminary reviews of financial plans to municipalities and will be providing training to municipal financial staff on budgeting, and that will occur this December.

Regarding cybersecurity, this is a serious and evolving issue. While the internal operations of municipalities remain outside the department's scope of authority, we have advised all municipalities of the Auditor General's recommendations. The department has also engaged with subject matter experts in Manitoba Department of Innovation and New Technology to begin preparing a survey to assess municipalities' baseline state for cybersecurity controls. This is a complex task, given the diversity of municipalities in terms of size, information technology, hardware and software, administrative and technical capacities and financial resources.

We anticipate that there will be a significant variance between municipalities and the survey will enable our department, with assistance from MINT, to understand municipalities' baseline security state and assess the gaps and associated risks. Our information and guidance to municipalities can then be targeted to address the most significant gaps and sources of risk.

Subsequently, we anticipate that municipalities will be resurveyed to monitor whether cybersecurity controls have improved and inform subsequent resources or programs. The department anticipates that encouraging improvements in cybersecurity in municipalities will very much be an iterative process, given their very capacities and interest and the evolving nature of the information technology space generally, and the new risks that come along.

Thank you for the opportunity to provide an introduction and I look forward to addressing the committee's questions on this report.

The Chairperson: I thank the deputy for his opening comments.

Any questions from the floor?

MLA Compton: First, I want to say I appreciate the promptness in terms of response and seriousness that I feel–my interpretation that has come from the department.

One of the things I'm curious about, perhaps, honourable Chair, that the deputy minister can shed some light on: Is there any initial thought on what the compliance framework might look like or what it what include? I'm curious around that.

Mr. Bouvier: Certainly the compliance framework will focus on–No. 1 on what requirements The Municipal Act imposes on municipalities for reporting, so that will be really the–you know, the outline of what we do in that regard.

I would ask as well my assistant deputy minister to provide any further comments.

Mr. McPike: Yes, when it comes to municipal financial plans, it would be to sort of ensure that they're aligned with legislative requirements under The Municipal Act.

So that would be ensuring that they have an operating budget, capital budget, they're following year estimates and they have a five-year capital plan. So we would undertake comprehensive review for completeness, ensuring that council's been signing off. We would also work to develop measures for use in variance analyses to be able to determine any red flags, to be able to do that proactively so that that information can be brought back to council's attention in a timely manner.

So that would be to–but the focus would be to sort of focus on levels of overall taxation and core expenditure categories as well as the ratio between things like current and future years' capital plans. So that would likely to include a review of any apparent errors or omissions on pages that don't correctly balance, for example. You know, in–yes, you know, the accuracy of calculations for taxes as well as other reviews for compliance with the reporting.

So that would be sort of the approach that we would take in terms of the financial compliance.

MLA Compton: Kind of a follow-up to that is I see there's a lot of–maybe ambitious, or maybe not ambitious. But I'm curious what your confidence is in the–because I see you have a deadline of December 26–2026 for implementation.

So I'm curious–because it sounds like it's a very involved process. So what's the confidence in the department in completing these tasks? Because I'm learning a one-year deadline for something can sometimes be quite ambitious.

* (17:00)

Mr. Bouvier: The–we're confident in being able to deliver on that timeline because we're building off of existing processes that we have. I think we'll–we look at a continuous improvement kind of approach to, you know, to looking at various documents that require compliance with the act. And I could also defer to my colleague for more information.

Mr. McPike: And I would just note as well that there's a general municipal election that's slated for October 28, 2026. And so we're also very mindful of that. We want to ensure that we have resources and materials for incoming and new council members so that they have the resources that they need to effectively govern.

So it is ambitious, but it is also with that, you know, key milestone in mind that we want to accomplish as much as we can.

The Chairperson: Further questions?

MLA Maloway: I have a general question, I guess, to both the deputy and the Auditor General, and it has to do with this whole cybersecurity question.

Back in the early '90s when we brought in the new SAP system throughout the government, we had–OIT had a security system which they claimed was like the best in the world, right, at that time, and they could show us there that there was denial-of-service attacks and stuff when we were over there, like, doing–with presentation with them.

And this is at a time when the British government was shut down for a day or two–like entire governments were shut down. And this was like 25 years ago. And it's really sad when I hear–have to hear responses on this issue about, well, we're going to take a look at doing cybersecurity, when just in the last 24, 48 hours, a state actor was found to be using AI–AI programs–to bust into systems in the United States–not military or whatever, but busting into systems.

So we've got people now having identity theft issues, and the bureaucracy just walks away. You know, they–people have been–and I think it's in BC–big, big issue with identity theft there. And the government or the authorities in charge here basically just walk away; they just pretend it didn't happen, you know: you must've dreamed this up that you had your identity stolen.

So, you know, this is very serious. We've got to come to grips with this. We can't be passing the buck on this, right? And I'm not saying that you can say, well, it's not my responsibility because it's not covered by my legislation, but we got to get–work together because this is deteriorating at a faster rate and money is disappearing big time. It doesn't take–it takes matter of–used to be like days and stuff like that; now it just takes a matter of hours when you're using these AI programs.

Here we are implementing all kinds of new IT in the government; we don't know how it's going to work. And, probably, the AI programs that are busting into these systems are already, like, ahead. We haven't even got–we're already outdated. By the time we sign the contract with whoever we're signing contracts with, the security's already broken, right? So this is a serious issue.

We got to deal with it, and we just can't be walking away and letting our citizens lose money, and you see this over and over again, right, you know. And the weakest link is at the municipal level.

So I'd like to hear what you have to say about that.

Mr. Bouvier: So, this is a serious issue, there's no question about it. And it's dynamic because it changes the–you know, the method of attacks change and it's difficult to keep up with. And even pretty, I want to say, simple things inside a municipal office like sharing of passwords and things, are under the direct control of the individuals in that office, so that even at that level is an important level, but it–certainly systems are a different, because they're–they can be complex and complex for individual municipalities to understand because they're not IT experts.

That's why we want to–we will work with, you know, with the department inside of government here, MINT, to ensure that we're working with municipalities through the Association of Manitoba Municipalities to talk about not only what the current state of protection is, but also what needs to be done in the future and what needs to be regular practice of municipalities to be able to protect their systems.

So that's our starting point. We–you know, we're surveying to discover where municipalities are at on an individual basis and what some of the common needs are. And we will be working with municipalities to help them strengthen their cybersecurity practices as a result. It's difficult for me to talk about specifics without–well, when I talk generalities, it–you know, I don't want to put the impression upon the committee that we don't take this seriously because we certainly do.

So I appreciate the comments of the member.

The Chairperson: Does the Auditor General have a comment on the question as well?

Mr. Shtykalo: Yes, cybersecurity, certainly, a forefront on everyone's minds, when–especially in our line of work when it comes to, you know, assessing risks, cybersecurity risks are at the top of the list. And they are dynamic, they are changing; I mean, that's the thing about things like AI and technology in general. It keeps–just when you think you've got it figured out, it changes.

I mean, that's part of the reason why our recommendation was that the municipalities adopt a strong cybersecurity control framework, a recognized framework such as the one by Canadian Centre for Cyber Security. Those–that–those types of frameworks contain not only, you know, guidance and requirements for controls but also what to do in response to when an incident occurs.

We saw in the case at WestLake, with part of appropriate cybersecurity framework involves investigation–investigating incidents for a root cause, learning from that and helping that protect going forward. Speaking from our office, as I mentioned, we identify this as a significant risk. Our IT audit area in the office has recently issued a couple of reports in this area, one on privileged access to IT systems in the government and another one on cybersecurity incident response at Shared Health.

So in response, I agree, certainly, with the premise of the question.

MLA Maloway: The–I guess the point is that when the governments across Canada and across the world went with their–choosing their ERPs, there was like a number of competitors, right? And I don't know who they all are now, but there was Oracle and SAP, and this is a big cost, you know, and very involved to implement these programs. And in the old day, we did try to get the City of Winnipeg on–I mean, in Nova Scotia, for example, SAP got the hospital, the government, the City of Halifax, and they cut their costs tremendously when they did that.

And we tried the same thing here, and we got the government online, but the City of Winnipeg went off and bought Oracle, so now they're off in their own world, right? So the question is, when we finally get a handle on all this stuff, at least we're going to have like a common platform here, so that all the municipalities–are they–do they have the ability to go out and buy their own program? Is that what happens? I don't know. I just am wondering that.

But I know that OAT group, they've been like moved around, got in almost every department in the government; I don't even know where they are now. Physically, I know where they are, but I don't know which department they're under.

But that–we should get to the bottom of that, decide on a program that all the municipalities have to follow, right, so that we don't allow them to go off on their own. Steinbach buys its own, you know, Selkirk buys a different one, so–anyway, if you have any comments about that, please do.

* (17:10)

Mr. Bouvier: The–certainly, the–in collecting information and surveying the municipalities, we get that kind of baseline information about, you know, what current practices are, what systems are they using, are they following the Canadian Centre for Cyber Security best practices as well.

So I think that helps to create a foundation for what the action plan–how the action plan is built out on that. You–certainly the member has made a good point as far as the use of different systems and, you know, are there ways to collaborate that can strengthen the municipal cybersecurity protection.

And I would also like to defer to my ADM colleague to provide some more information as well.

Mr. McPike: Yes, these questions get at a lot of the same conversations that we've begun to have internally, particularly with our partners in the Department of Innovation and New Technology. Our staff has met a couple of times now with the chief information security officer to talk about tools, common resources. So these are the things that we're now currently turning our minds to.

We also know that there's the Manitoba education resource learning and information network's special operating agency that provides similar resources to school divisions, and so that provides us with a common template to work off of and a–also a broader community of practice dealing with other orders of government in terms of looking at information technology and issues of cybersecurity that we can also build off of and look at how we might apply that to the municipal lens as well.

MLA Chen: So in the Auditor General's report, on page 21, it indicates that withholding government grant payments has little effect on the non-compliant municipalities when they fail to submit financial statements sometimes.

So I'm curious to know the department's opinion on this statement, first of all. And, secondly, what alternative or stronger consequences is the department considering to ensure that municipalities submit financial statements on time?

Mr. Bouvier: I–we certainly, in building out our action plan, we've provided, you know, what we were committing to look at, how we can strengthen our–or when do we use the tools, the enforcement tools, to gain compliance. I will say that we typically take an escalating enforcement kind of approach, that we want to ensure that the municipalities have the capacity first, if they have–and then that they are complying with requirements.

And if they aren't require–complying with requirements, our own internal policies need to kick it up, you know, to what the next level is. And that could involve withholding grants for–depending on the severity of the municipality's failure to provide what they need to provide under The Municipal Act.

So those are–that's the approach that we would take. We're building–you know, we're going to talk with the Manitoba municipal administrators; we're going to talk as well with the Association of Manitoba Municipalities around this approach because we do recognize that escalating enforcement needs to happen and to have that in policy is important. We just don't want to overreact to things that can be corrected at a lower level versus those that really need that enhanced, sort of, approach to getting compliance.

MLA Chen: Yes, on a follow-up.

So the example that is stated in–on page 21 is for some municipalities that were saying that they will just manage without payment–without the remaining payment. So I'm just wondering, for those cases, those situations, what the department is considering. And I certainly understand those escalating steps that need to be taken and–however, for the situations that indicates in the report, what is the department considering doing?

Mr. Bouvier: The tools available to the department that have been talked about are withholding funds or denying access to program funding. The compliance framework that we talked about earlier in this hearing, you know, will really take a three-pronged approach. So we'll talk about scoping what those requirements that we need to pay attention to, what the compliance mechanisms are as far as the potential to withhold funding and then how do we help the municipalities with their capacity to meet the requirements.

But, certainly, you know, the intent is to identify why municipalities are unable to meet these requirements and help build capacity and explore supports if legitimate barriers exist for them to meet those requirements.

So we're–we certainly want to be open-minded on this, but we also recognize that we also need to have an internal process, you know, so that we can be consistent in working through these difficulties with whether it's financial reporting or otherwise.

The Chairperson: So when it comes to cybersecurity, I mean, and this has happened in government before when it comes to information–so freedom of information for personal health information. It's a well-established process now if there's a leak of personal health information, what the response to that is. And it doesn't happen infrequently, but the response is usually fairly robust, and I think there is a pretty good process in place.

In a situation like this with cybersecurity, it's inevitable that they're going to happen, that the attacks are going to happen. You're doing everything or hopefully will be doing everything you can when it comes to the protocols to prevent them from happening, but when they happen, how robust is the department going to be to ensure that there is a response–a critical incident response when it's happening?

So when we've seen it with, personally, WestJet, right, when they lose their information, everything sort of shuts down immediately. You don't get access to your account, maybe, for a little while, but they're dealing with the problem behind the scenes to ensure that there's not critical information that's being taken, your credit card information.

How active is the department going to be to ensure that there are critical response 'mechanims' in place, and will the department itself play a role in that if a breach happens–security breach happens at a municipal level?

Mr. Bouvier: Certainly, at a minimum, we will, you know, keep an eye out for any incidents that are–that get reported. But we hope that, you know, our actions and the actions of municipalities will prevent those. We know that there is risk out there. So what we will look at as well is that municipalities are undertaking that next step if they have had an attack–a cybersecurity attack, and looking at what those root causes are.

So it's important for us to–you know, to work with municipalities to ensure that they are undertaking that. And, as I mentioned earlier about the ability to work together, you know, as municipalities, we certainly want to have that discussion as to how that will help increase the resilience of municipalities towards cybersecurity incidents.

The Chairperson: No–and I appreciate that. And I know that this is, I'm sure, contained in what the department is doing, but I want it on the record and for my own assurance that if an attack happens–or when an attack happens, because it will happen–that there are clear protocols in terms of what happens next.

So this is before looking at root causes, probably, but what happens immediately? Are ratepayers advised that an attack has happened? Are they provided some sort of support?

I know, in the past, some companies have offered free credit monitoring systems for six months or a year when there has been an attack on–not to cite WestJet too much, I'm neither trying to downgrade them or to give them free advertising–but, you know, they offered free credit rating monitoring for six months or a year after the attack.

Will there be clear protocols, as well, when an attack happens in terms of notifying ratepayers? What other steps can be taken after that has happened–and information, in terms of what information has been potentially violated and breached?

Mr. Bouvier: The department notes that the baseline cybersecurity controls recommended by the Canadian Centre for Cyber Security include development of incident response plans which may include root cause analysis.

And again, No. 1, we need to ensure that municipalities have this information, that they are looking at it in their own context of their municipality and that they have a plan as to, you know, what happens if we have this cybersecurity incident.

* (17:20)

We also know that, you know, every organization needs to be proactive in terms of assessing their own cybersecurity risk, and we certainly are promoting that and will do that through our action plan.

Mr. Ewasko: Thanks to the deputy for his responses, and the assistant deputy.

So cybersecurity, this is really, as has been mentioned–and many of us read the news and see what's going on, whether it's in school divisions or big corporations or in governments. We saw that you sent out a bulletin–the department sent out a bulletin–early this October, so I guess I've got a couple questions wrapped up in one. Hopefully I won't have to do a follow-up.

Canadian Centre for Cyber Security–their web page and then with the good work that the RCMP is doing as well across Canada, we know that Canada is probably, out of some of the major countries, probably hanging out last on dealing with cybersecurity, and this has been going on for years and years and years.

So I guess my question is, how many municipalities already have been thinking about this? How many things do they–how many of them already have a process in place as to if this happens, when this happens–because, of course, it's happening–what are the processes?

How many–what is the percentage of municipalities, I guess, that are already working quite closely on this, and then working with the department and then, again, for those smaller municipalities, to maybe not have to recreate the wheel on how to basically go on this. How many–what's the percentage that are already embarking on this and teaming up with other municipalities?

And I guess the additional question to this, will save me for the follow-up–or from doing a follow-up–is, do we have a professional development? Does AMM, in their upcoming get-together, have a professional development specifically on cybersecurity since we're seeing how important this is moving forward? And is the department helping them out with that one?

Mr. Bouvier: We know that municipalities are at different stages of readiness, and part of our action plan is to survey them so that we understand where they're at and then that's the point where, in working with Manitoba Innovation and New Technology, we will be working on, you know, on both advice–and we've worked on this survey with that department so that we have their expertise and we can utilize our own relationships with the municipalities to receive the information, take it seriously, implement it.

And so that's the starting point for us. And then we need to build on that, and that's–what are the specific actions after that to ensure that municipalities, No. 1, take this seriously. If they, you know, are looking at their own systems, if they do experience an attack, a cyberattack, how are they responding to it and how are they ensuring that they don't–that that doesn't happen again. And we know that there's a lot of risk out there, and so we take that very seriously.

If I may defer as well to–

The Chairperson: Of course. Assistant Deputy Minister.

Mr. McPike: Just to add to that, so we have to do the baseline survey but we don't expect just to do one survey and stop there. Our intention would be to do a follow up within one year to monitor the adoption of the CCS baseline recommendations and controls and monitor their implementation across municipalities to understand where they might be finding barriers and also to explore the opportunities to better support them.

So we do expect that this is going to be an iterative process and a learning opportunity, both for us as the department and for municipalities on best practices forward.

The Chairperson: Follow-up, MLA Ewasko?

Mr. Ewasko: Just to follow up, I know it's not your conference that the department is holding coming up with AMM, but has there been conversations with the department about the various different tools, also giving AMM, all the municipalities, a heads-up that this survey is coming out? Is there some professional development that's being arranged or organized for the upcoming conference?

Mr. Bouvier: At this point, the department has met twice with both the Association of Manitoba Municipalities as well as the Municipal Administrators' Association to discuss the approach to develop guidance for cybersecurity controls.

So our staff will continue to meet with both of those organizations and share documents to ensure that they're useful for a municipal audience. We want to make sure that they hit the mark and that they're relevant to municipalities. For example, the survey will be shared for feedback before it's finalized and distributed, and we're in that process right now.

The Chairperson: Secondary follow-up, MLA Ewasko?

Mr. Ewasko: So–okay, so we haven't quite got the answer on the whole professional development in the upcoming conference.

I know that in eastern Manitoba, we have 12 municipalities that get together every four months and talk about various different issues. And I know that cybersecurity had come up and they've done a professional development within their own group, having the RCMP in, and I thought that was very beneficial and I think that sort of opened the eyes to many of the elected municipal councillors.

And I'm just wondering if, again, you know, even though there's been a couple conversations and about some of the tools being used, if that is in the works. I know it's not the department's conference, but just to see–just to make sure that it's highlighted, that it is something that they're–even though everybody's taking it seriously, words are words and action is action. So I'm just wondering if those conversations have happened to suggest that at the conference, cybersecurity is a topic.

Mr. Bouvier: I'll defer to my ADM colleague for some details, but I do want to say that certainly, you know, we have been discussing with the Manitoba Municipal Administrators the topic of cybersecurity and the approach to how we raise awareness of that.

Mr. McPike: So the–one of the focuses for next week's convention is actually going to be more on the financial side and emphasis on that and what that means because that's another key component of the report and one that we're a little more prepared to speak to.

It's also timely because of the–you know, the upcoming October general elections next year and getting councils to start thinking about that, how to make the next less than 12 months really count as a council. So that is the emphasis.

And then of course, the AMM also hosts a spring convention meeting. And the thinking–and although it's not our meeting to determine–would be that discussions around cybersecurity would be better timed for that spring convention, also with the benefit of that survey having gone out and more of that messaging being out there to be able to talk more concretely about what that might look like.

The Chairperson: The Province has a chief information security officer. Does–do municipalities have, as a collective, have an equivalent position?

Mr. Bouvier: Not to my knowledge do they–you know, is there one overall chief of a security officer. Some municipalities would have responsibilities with staff to, you know–and oversight on systems, but it's–I'm not sure to what extent, at this point, without digging into the details of a–of the survey that we're undertaking.

The Chairperson: Would it be helpful if, in your opinion–I know we're hypothesizing a bit, but if there was one chief information security officer for municipalities, would it be easier to implement recommendations for dealing with one individual who then is working with municipalities as opposed to dealing with every independent municipality individually? And if you do, would you think that would be a viable suggestion or a legislative change?

Mr. Bouvier: Certainly, as municipalities are–you know, are–we've talked about being independent organizations. I think it's best that we talk with them about, you know, what options will help them to manage their cybersecurity risk. We do know, certainly, that we wanted–that in our work on this action plan that we're going to be looking at other best practices from other jurisdictions so that we can look at that as options. But I don't have a specific recommendation, Mr. Chair, at this point.

* (17:30)

The Chairperson: Thank you.