CEG recommendations to Infrastructure Canada, 2004-12-21

These urban mandate recommendations were made to Infrastructure Canada via Minister John Godfrey on 2004-12-21 by Dan King of the Civic Efficiency Group, based on this original by Craig Hubley. Though this version focuses on how to create transparent municipalities, it's part of a body of work that recommends resilient networks be created to deal with urban emergencies and enable a radically enhanced municipal role in emergency response in anticipation of situations like pandemic influenza in which all centralized 'hub' emergency response functions will be overwhelmed.

Item 2 below is focused especially on the emergency and risk management questions, and how to correctly assess "cost". Appendix M and N to this recommendation are also appended at the end, using terms introduced by Efficient Civics Guild thus this entire document is CC-by-nc-sa.

The Green Party of Canada incorporated some of this material into the Green Party of Canada Living Platform. Item 7 was taken up when the Federation of Canadian Municipalities structured a series of grant-only, grant-and-loan, and loan-only programs with only the most environmentally desirable and efficiency-oriented programs getting grant money, the more questionable projects getting loans, and useless/dangerous projects (like the "Death Pipe") getting nothing except federal delays, as CEG recommended. An open letter to Ralph Goodale from Civic Efficiency Group two months later integrated all recommendations and went to the federal Cabinet ministers responsible for PSEPC, Treasury Board Secretariat, Public Works.

The original document with two of its appendices:


CEG recommendations to Infrastructure Canada, 2004-12-21

The Civic Efficiency Group recommends to the Canadian federal government that it take an insurance-like approach to managing the many and varied risks associated with municipal infrastructure affected by federal mandates. There are many simple requirements and standards that can be reliably applied to affect the outcome of all upgrades for the better. Our main recommendations are that:

1. Federal assistance to municipal 311 services should be conditional on cities specifying distributed, scalable, continuously available network infrastructure to support mobile operations & disabled teleworkers. (see Appendix T: "telework" for a best-practice checklist applying to such workers - this demonstrates some high standards to apply.)

Given the maturity of telework practice, the common use of distributed call centres in non-government applications, and the ease with which a distributed workforce can be supported and controlled with modern tools, there is no excuse in 2005 to be tying such a vital service to one building; Nor to exclude workers who for whatever reason cannot commute to that space. (Toronto's 311 service was actually shelved due to expenses associated with equipping a single non-scalable call centre) .

2. Wherever possible, address routine and emergency needs together, regardless whose mandate they fall under: As noted in the December 8 letter to the Minister, everyday emergencies handled already by cities on their own initiative - see Appendix A. City IT services for detailed treatment of one class of these - can be addressed alongside federal mandates at great savings while achieving even better results, but only under certain conditions:

Federal standards for municipal infrastructure must specify that only bona fide functional requirements and real interoperability tests appear in specifications and RFP's, and are answered to in bids and evaluations:

Make contracts reflect these tests, terms & distinctions exactly. eg. in acceptance tests. At present, municipal officials often issue inane or self-contradictory specifications, e.g. for complex equipment to be both assessed and accepted by an ordinary employee at the moment of delivery.

In particular, a federal agency should formally name & specify all functional elements and interfaces of a municipal network infrastructure, schedule audits & stress tests of each element depending on the level of risk associated with each one. In most cases the municipal officials do not have these skills and require federal intervention to set standards on audits and activity- based costing of their network-related activities. (see Appendix O. "Toronto operations" for a way to approach these problems in one large city).

3. To ensure that the functional distinctions remain valid for all well-known near-future changes in technology and procedures, the federal government should study where else routine operations savings and emergency preparedness can be achieved by the same best practices: improved work processes, streamlined authentication, physical key and login management, less reliance on single points of failure such as power supply, longer equipment life-cycles, anti-virus anti-spam and anti-phishing measures (which can affect government and mission-critical corporate employees too), thin clients, diskless operations, virtualization and utility computing, more generic and reusable & interchangeable hardware and software, mobile operations, wireless devices, telework community emergency response teams, simple English, open content, collaborative editing at stable human-readable web addresses, Free Software and "share-alike" consortium licensing. (see Appendix E, F, G, H, I for a start to this analysis and W, X, Y for a sketch of the management accounting issues).

3a. Such functional distinctions must become public sector accounting standards; If it is called by one name in the network design, it must also be called by that name on the balance sheet, else accountability fails:

Without such clear tests and terms, there can be no firm accounting, no performance auditing, nor any comparison of performance even just among Canada's large cities. If these cannot be steered and supported in the same way, there is no hope at all for emergency preparedness in smaller centres with fewer resources to expend on specifications, standards, stress tests and so on. (see Appendix N for more detail on these issues and a start towards a risk analysis, accounting and performance auditing scheme to cover these)

3b. Eventually, PSAB (CICA) must require only these named elements to appear in municipal asset statements & operating budgets & accounting, and must require very strict accounting for total costs of ownership and operations as well as which obligations are met or opportunities pursued with an expenditure (see Appendix D. re: Costs of ownership, operations, obligations - and lost opportunities) - (see also Appendix C re: frameworks that may apply).

3c. A single process of auditing large city operations and large city capital assets and the robustness of each under significant stress, e.g. the impact of a major blackout on the social capital and social economy of that city, should be agreed on to contribute to the debate on "ecological and social indicators" already being developed by the Ministry of Finance.

3d. Active lateral exchange of best practices in actual use (see Appendix P re: Best Practices 2004 below) by North American* municipal governments must be strongly encouraged, perhaps by federally-hosted conferences that both prepare and followup using an online forum for continuous improvement. For instance, York Region has been particularly successful with thin client virtualization of desktop services, in part to support telework. Cases like this could be reliably reported to existing e-government best practice exchanges to allow municipalities to research "what has been done" before decisions are made. Another alternative is to create an Intergovernment Panel on Emergency Preparedness for each aspect of municipal infrastructure, starting with IT whose issues are always global - see Appendix B: Emergency Preparedness: Information Technology - to share costs beyond Canada's cities and borders.

4. The federal government should mandate very clear formulae for calculation of risk, e.g. the Dembo formula "upside minus aversion times regret" across many scenarios that "should include extremes and those that contradict popular opinion" (a quote from Dembo's Algorithmics).

Applying such formulae correctly yields much more than a "cost-benefit analysis": previously unidentified opportunities emerge as potential upsides, failures to meet obligations are uniformly handled as regrets, which helps limit the irrational tendency to vary risk aversion wildly across situations, often based on what has just happened or what is very familiar or very frightening. It also integrates perfectly with ordinary accounting - a "cost" is simply a well-known or recurring regret based on a scenario with a probability of 1.0 (payment is certain) with an aversion of 1.0 (since losing access to the money that one paid is the standard against which we measure).

When properly accounted for, CEG is confident the above will save vast sums: The recommendations above are all well-known practices that reduce many small potential regrets to zero, and so simplify the major decisions by letting them focus on underexplored risks. In particular, scenarios of low probability high-regret situations, against which governments "self-insure" - a risk aversion of zero that ignores the actual magnitude of all regrets. (see Appendix R: scenarios of possible low-probability high-regret situations)

While PSAB may not be capable of such scenario analysis, they certainly must deal with the problem of payments to anticipate and prevent crises. This is the main business of government, but it is not performed equally well by all levels of government: Canada's cities are notoriously poor at anticipation though they are often good at reaction after the fact.

PSAB should be required to deal directly with these issues and help to unify "insurance thinking" about risk, e.g. Dembo, with management accounting for activities ("activity-based costing") with process improvement methods and an enhanced understanding of intangible capital assets, at least in cities. (see Appendix C below re: "Accounting for operations before, after, in and for emergencies") for frameworks that apply to all such efforts to save time, energy, materials and future risk. Some of these are already being studied by PSAB, GAAP in particular, which requires separation of capital and operating accounts. To assist this:

5. The federal government should construct its own scenarios for cities; (see Appendix B, "Emergency Preparedness - Information Technology" for a sketch of an organization that could share the expense among governments).

One main reason for doing this centrally is to set clear planning periods: Serious scenarios analysis, such as undertaken already in some federal departments, requires one to pick fixed time horizons (like "before 2008" and "before 2012" and "before 2020") to focus effort on serious technology roadmaps and potential threat analysis for these periods. (see Appendix J re: "Elaborated example of combining multiple horizons in risk analysis").

6. The federal government also makes industrial strategy decisions that require analysis, foresight and many complex tradeoffs. There are many immediate and directly-implied opportunities arising from recommendations above, e.g. vending services and products overseas in e-government (which Canada has already been lauded for at the UN), working closer to home in North American consortium efforts, or to provide certification and accounting and audit services relevant to the above. (see Appendix U: healthy telecom, regarding an industry Canada can own).

But, more importantly, there are whole industries that rely absolutely on having a very responsive municipal infrastructure, and some communities of citizens whose well-being depends absolutely on services that fit their capacities and tolerances. (see Appendix S re: services that may provide strategic industrial opportunity; sensitive events that may cost cities entire industries)

The world is not waiting. Canada seems very much behind some Asian cities in some major technology areas and may need to close the gap to remain one of the world's great finance, software, insurance and telecommunications leaders. (see Appendix K re: /infra/ vision).

There are amazing opportunities certainly in the longer term (2012 to 2020) if certain strategic decisions are made federally now. (again, see Appendix U. for direct follow-ons to these recommendations)

It is better to make industrial strategy decisions before an industry is lost, than after. This will always remain a key federal responsibility.

7. Finally, as previously proposed to the Minister of State (Communities and Infrastructure) and also as proposed to the City of Toronto, we recommend that federal loans repayable out of routine savings (if any) be the preferred instrument for funding improvements that can or may result in both emergency preparedness and routine savings. (the advantages of this approach have already been listed but are in Appendix L for completeness).

  • European cities are already actively engaged in such exchange via the Metropole program. The UK has led in researching e-government efforts, where Canada has actually developed a reputation for leadership abroad, though it's own cities do not necessarily use the techniques advised for foreign governments. The UK's London Health Observatory has also led in the development of "methods in social capital" and prioritizing upgrades based on the likely impact they would have on social exclusion and total social support available to residents, especially of poorer neighbourhoods.


(The following are only two of the appendices to the above, all of which were at roughly this level of detail. These are the most relevant to emergency response problems. Another regarded the cost of actually supporting people doing telework from home, and debunked many assertions regarding this being "too hard" - it isn't, if you actually know how to do it, it just costs more.)

Appendix M

M. Federal standards for municipal infrastructure

(Restating CEG's recommendation 2 from above:)

"2. Federal standards for municipal infrastructure must specify that only
bonafide functional requirements and real interoperability tests appear in
specifications, RFP's, bids and evaluations.

Make contracts reflect these tests, terms & distinctions exactly. eg. in
acceptance tests.

In particular a federal agency should formally name & specify all elements
of a municipal network infrastructure, schedule audits & stress tests of
each distinct element depending on the level of risk associated with each

Standards must reflect functionality requirements for IT in the City over
a fixed time period, e.g. 2005-2010 or 2006-2012 or even 2005-2015 (it is
not impossible to forsee technological changes over ten years, given that
it takes a very long time for network standards to be set and taken up -
and that they are quite visible to experts all the while this is ongoing).

No City can create the standards on their own - it is not their mandate.
City is a "lowest cost" operator without a significant security mandate:
this becomes dangerous when operational cutbacks or specification errors
render a City unable to cope, forcing it to rely on "emergency" help by
surprise. At that time coordination difficulties can make problems even
more difficult to solve. Perception may be of a malcoordinated City, as
in the SARS crisis, after which 40% of Toronto's film business was lost.
Could better public health preparedness have contained SARS at the first
outbreak? If so, then this lack was extremely expensive and dangerous.

A few well-defined municipal infrastructure standards create value in
Canadian cities and may prevent major shocks to the Canadian economy.

Efficient use of standards can have a transformative effect on the Canadian
economy, starting with its cities. Strategic technologies and processes in
public health, computer networks, telecommuncations infrastructure, and the
support of first responders (including community emergency response teams),
even e-government, are all exportable, and add to Canadian prestige after
a series of embarassments ranging from SARS to Nortel to the 2003 blackout.

Looking specifically at the problem of computer network infrstructure,
many identical desktops all served with the same robust boot image is an
achievable goal, and would solve many routine operational problems inside
cities. However it would not be achieved by relying on present city RFP
or even present provincial or federal standards. They are not strict enough
and do not encourage "best practices" of multiple vendors to be combined:

Federal standards must be more durable than the current commercial lifecyle
of four years - six is reasonable, and even eight to nine years achieveable
with a reasonable amount of scenario-based planning and expert foresight to
anticipate what network computing interfaces will still be in use by 2012.

Federal standards must be designed to cut the Total Cost of Operations for
all Canadian cities, and must be to some degree normative (encouraging the
adoption of useful standards early so they will have a long time in use
before being superceded). At present only Emergency Operations Centres
(EOCs) qualify for federal funding and even these are not well specified:

The cities that are building the EOCs, and their ordinary infrastructure,
use RFP's issued according to industry biases and buzzwords not founded
in fundamental operational requirements needed to support the national
interest. Not only are federal mandates being ignored, cities often can't
even identify when their own obligations (to disabled workers, under Kyoto,
or for waste diversion) are not being met, or their own standards (avoiding
sole-source solutions, making a level playing field for all bidders) are
ignored. Simply put, cities do not know how to specify and buy computers
and at least one scandals has arisen regarding leasing company exploitation
of this vulnerability.

Municipalities are more vulnerable than provinces, which presumably have
enough scale and expertise to make major purchases efficiently. But even
a city the size and complexity of a province, like Toronto, allows silos
to develop that may lack expertise but nonetheless make decisions that in
the ideal case they would not, e.g. a department can choose to purchase a
computer with a different video card or network card that requires a boot
image "patch" which makes the support situation considerably more complex.

Provincial governments do not have the incentive or mandate to require
standards for routine operations of municipal cost centres. Federal
government has that mandate, the financing, and the incentive. A strong
nation is built on strong municipalities, especially strong cities. The
provincial level is the wrong level to set standards in such globally-
marketed items as computers, that are subject to global competition and
phenomena like outsourcing and offshoring. To compete, Canada must have
a single strategy and work to help its cities to work together on it -
if only during emergencies.

Threats to municipalities have tended to increase in scale recently:
SARS, blackout, terrorism are examples of dangers that spread quickly.
Even extreme weather events like ice storms, snowstorms and floods are
now affecting a much more vulnerable infrastructure, e.g. a city with
a subway is more vulnerable to flooding, one that relies on its airport
is more likely to lose serious economic opportunity if a snowstorm or
ice storm is not quickly and effectively managed.

Response will always start at a municipal level. First responders are
almost by definition municipal employees or working closely with them.

Standards can be improved at various levels: wider investigations,
more effective expert consultations, expert consensus, e.g. by using
collaborative editing technology, and final specifications in the form
of stress tests, acceptance tests, performance audits and cost limits.

Standards are ultimately about tests: how do you know something meets
a standard? With a test, and only with a test. Only if something has
passed the test can it be said to actually "be" a thing of the type the
standard applies to. For instance, a diskless computer or "box" is not
actually acceptable as such until it proves it can run a "boot" that is
prepared for another of its type. It is the acceptance test that makes
it a piece of equipment and not a pile of parts.

Total Cost of Operations can be cut drastically by following some strict
standards principles - these savings can be repaid to federal government
initially and then (once repaid) continue to improve municipal financial
position. In the meantime they fulfill the federal mandate - for free.

Hardware specifications required include at least:
- driver interoperability - one driver for a whole product line
- removable disk interfaces

OS specifications required include at least:
- the requirement to handle certain data formats, not certain programs
- the flexibility to allow Free Software at least to be proposed and
integrated as part of a larger solution
- compatibility and support requirements, well-specified and demanding,
in the form of test suites
- for proprietary systems, specific guarantees of ongoing support for
well beyond the anticipated lifecycle of the hardware it runs on

Software specifications required include at least:
- functional specifications, not proprietary buzzwords or trademarked names
stated in RFPs
- consider Open Source and Share Alike software on a competitive level
with proprietary software; do not bias against it by demanding some
inapplicable service guarantees (which in these regimes can be bought
from many partie, not just the original vendor/author of the software)

All specifications:
- functional requirements that meet the specific performance goals ONLY
- focus on support, interoperability, modularity, re-use, interchange
- consider misuse and ill-conceived fixes by end users as a major risk


Appendix N

N. Applying regret analysis and insurance thinking to municipal infrastructure


The federal government is in the business of providing "self-insurance" to
its communities for floods, catastrophic fires, power outages, health and
many other emergencies.

The federal government is mandated to provide security and the muncipality
is madated to provide the services, but without "national-level" security.

The insurance function may be defined as providing a cash benefit so as to
create a state of indifference to a disaster. For City equipment and
facilities, insurance means replacement of hardware and systems.

For computers, standardization makes replacement cost much lower and more
reliable. Standardization reduces regret by increasing the likelihood of an
effective replacement.

Shorter equipment life cycles introduce more uncertainties into the city's
operations, more risk, less value in the competitive market for urban
business locations. Increased risk leads to increased regret.

Effective replacement means that disruptions are reduced, reducing outage
costs and lowering the cost of operations. Effective replacement in an
extended emergency reduces the risk that a catastophe will produce
long-term, major regret.

An effective recovery can contain the consequences of a tragedy. A bad
recovery can have very very severe consequences for a city. it can lead to
the loss of large segments of the economy, leading to unemployment and
long-term depopulation of the community. It can result in the loss of
viability of the economic base. In essence, the City can "go out of

The business of the city is to attract investors by its effectiveness in
reducing business risk by creating a reliable infrastructure on which
business and its staff can depend. "Recovery Viability" is a proper target
to justify businesses investing in the City.

Making security decisions for a City is an ongoing battle to balance risk
vs the cost of insuring those risks, primarily through emergency
preparedness. The consequences of self-insurance is regret.

To calculate regret we must calculate potential large costs of a disaster
from unpredectable sources.

Savings - % probability X regret level X cost of disaster

Regret level would be an extra factor applied to the value/cost calculation.
It expresses how badly you feel about not having such an event take place.
It increases the extra amount you are prepared to pay over an above the
actual cost x probability in order to make sure something does not happen.

Operations costs risk

If the City's operating costs are not well controlled or are not
predictable there is a risk that the City's support costs will spiral out
of control. There is a risk that portions of the City's service levels may
collapse resulting in a dysfunction of city services.
This will lead to an increasing risk that the city will lose a portion of
its commercial base to areas that offer a more efficient operation.

Bad practices increase risks. The City is operating well below optimum
levels, increasing operations risks. Lack of cost control may increase
total cost of operations to levels that are unsupportable by the City's
economic base or at least impair efforts to balance the City's budget,
drawing badly needed resources from other areas.