Audit of Risk Management



1 Introduction

This audit was included in the 2010–2011 Departmental Annual Risk-Based Audit and Evaluation Plan, which was approved by the Deputy Minister in early spring 2010, as recommended by the External Audit Advisory Committee.

1.1 Background

Risk Management is part of the Government of Canada’s vision for responsible stewardship. The 2009 Treasury Board (TB) Policy on Internal Audit and the related Directive on Departmental Audit Committees, identify risk management as one of the key areas requiring the attention of Departmental Audit Committees.

Environment Canada (EC) is still in the early implementation stages for using an integrated risk management approach.  It has taken several measures, including implementing a corporate governance structure, and developing and updating the 2010–2011 Corporate Risk Profile (CRP). It has also implemented, in the context of the 2011–2012 planning process, an approach to identify risks for all Program Activity Architecture elements.

In addition, EC has developed a draft IRM framework. The framework is intended to be « foundational document that formalizes the expected roles and responsibilities of risk management for departmental official » and « provide guidance and assistance to managers on the standardized or consistent approach needed to ensure that information can be easily shared, aggregated and analyzed at all levels of the organization ».

1.2 Objective and Scope

The objective of the audit was to provide reasonable assurance that effective management controls are in place to support integrated risk management (IRM) across the Department, in particular:

  • the development of a corporate risk profile;
  • the establishment of an integrated risk management function; and
  • the practice of integrated risk management.

The bullets above are three of the key elements reflected in the 2004 Treasury Board Secretariat (TBS) Integrated Risk Management Policy and Implementation Guide, and in the new TBS IRM Framework released in August 2010. Audit criteria have been developed for each of them (Annex 1).

The audit looked at the Department’s organizational risk management in the 2010–2011 fiscal year. Field work was completed in September 2011. 

The audit assessed the overall approach and process for integrated risk management at Environment Canada (EC). It did not attempt to assess the adequacy and effectiveness of risk assessment and mitigation measures contained in the Corporate Risk Profile (CRP) or to identify and/or analyze the full complement of risk management practices and processes across the Department.

In addition to this audit report, a management letter will be used to bring to the attention of management other observations of lesser importance.

1.3 Methodology and Assurance

The audit work included:

  1. an examination of documentation;
  2. conducting interviews with managers; and
  3. benchmarking of IRM approach with other departments.

This audit has been conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and the Policy on Internal Audit of the Treasury Board of Canada. 

In our professional judgement, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on a comparison of the situations, as they existed as the time, against the audit criteria.


Date modified: