Audit of Risk Management

2 Findings and Recommendations

2.1 Corporate Risk Profile

The latest CRP (2010–2011) was approved by senior management in September 2010. That CRP identifies corporate risks common to many programs in the department and therefore focuses on “administrative” types of risk, mainly risks relating to financial management or human resources management. However, that CRP did not include risks specific to programs.

During the planning exercise for 2011–2012, the department implemented a formal process to identify risks for all PAA elements. The process included an integrated risk management toolkit that provided a consistent approach to identify risk in the department. While this can be a useful source of information for program specific risks, the results of this planning exercise have not yet been integrated into a revised version of the CRP.

The 2010–2011 CRP also included only a limited external environmental scan. Such a scan is important to ensure external factors such as the economic, social and technical environments are taken into account when identifying risks.

Finally, an important element of senior management direction and communications for integrated risk management is the concept of risk appetite or risk tolerance in the Department. This is defined as the willingness throughout an organization to accept or reject a given level of residual risk. Our audit work has confirmed that this has not been formally integrated into the CRP.

Recommendation 1

The Chief Financial Officer / Assistant Deputy Minister, Finance Branch, in collaboration with the Executive Management Committee should include in the next Corporate Risk Profile: program risks, a complete external environmental scan and the notion of risk tolerance.

Management Response

Management Concurs.

The 2011–2013 CRP will aim to include the key, high level Program Activity risks in addition to an environmental scan as it pertains to the risk environment, and the notion of risk tolerance.

2.2 Establishing an Integrated Risk Management Function

Senior management leadership and commitment for integrated risk management has been demonstrated at the executive and corporate levels. A risk management function has been established in the Corporate Management Directorate, Finance Branch. This function is responsible for updating the CRP and providing functional IRM support to the Department. Risk is also discussed at the Executive Management Committee (EMC), which also reviews and approves the CRP.

From our interviews, EMC members seem to understand how risk is managed at the corporate level and in their organization. Our interviews indicated that the concept of integrated risk management was much less clear at lower management levels, including the program level. IRM roles and responsibilities are still not well understood and/or communicated through all levels of the Department.

A draft IRM Framework that includes roles and responsibilities for risk management has been developed, but, as of mid-September 2011, has not yet been approved.

Without clear roles, responsibilities and accountabilities for integrated risk management, there is risk that people may be “working in silos” and may not be working in an organized and systematic manner; this can impact the quality, reliability and relevance of risk information, to support management decision making and priorities.

Recommendation 2

The Chief Financial Officer / Assistant Deputy Minister, Finance Branch, in consultation with EMC, should complete the IRM Framework and communicate IRM roles, responsibilities and accountabilities across the Department.

Management Response

Management Concurs.

The IRM Framework (which includes IRM Roles and Responsibilities) was presented to EMC on September 28, 2011. It is currently being revised to address final comments from the DM.

Once signed by the DM and Associate DM, the Framework will be translated and posted on the IRM intranet site and communicated to all employees via News@EC and the EC Risk Management Community of Practice.

2.3 Practicing Integrated Risk Management

As mentioned above, the department has conducted a systematic risk assessment for all PAA elements in the context of the 2011–2012 planning exercise. That risk assessment included an identification of the risks, their extent, the possible consequences and the mitigation strategies. Our review indicated that the risk assessments were uneven across the PAA elements.

In addition, the 2011–2012 planning exercise did not include all elements of risk management, in particular the active monitoring of risk and the accompanying mitigation measures. Overall, we can conclude that, although EC has made progress in integrated risk management, it lacks a cohesive and integrated process across the Department.

Finally, the 2010–2011 CRP includes risk mitigation measures, but lacks clear responsibilities, accountabilities and timelines for these measures.

Recommendation 3

The Chief Financial Officer / Assistant Deputy Minister, Finance Branch should ensure the Integrated Risk Management Framework provides a cohesive risk management process for the department.

Management Response

Management Concurs.

The IRM Framework (which provides a cohesive risk management process for the Department) was presented to EMC on September 28, 2011. It is currently being revised to address final comments from the DM.

A more detailed process for developing and updating the corporate risks will be outlined in the 2011–2013 CRP.

Corporate Management Directorate will examine ways to ensure that risk management is embedded in planning, reporting and decision-making processes throughout the Department.
