Business Systems and Controls
Enterprise Risk Management

Introduction:

Every day, managers and employees practice risk management by deciding what to do, how to do it and when to do it. In both our personal and business lives these decisions are based on a variety of factors: Do I have the time? Do I have the money? Do I need help to accomplish this? Enterprise risk management is a change in philosophical focus from the "I" to the "we": Does the organization have the capacity? Has the organization set aside the funds? Will this impact other business units?

Enterprise risk management is not just a passing trend. It is here to stay and is being driven by both governance issues and the demands of the citizen. Public sector organizations such as Human Resources Development Canada, the Auditor General of Canada, the Treasury Board Secretariat and ACOA have successfully embraced enterprise risk management.

Risk management does not have to be complex or a heavy resource user. It can be tailored to meet the needs of the organization in its early stages and modified as the level of sophistication and comfort with the process grows.

Enterprise risk management is a systematic and proactive approach to managing risk. This means that high risk exposure areas are understood, managed and controlled to an acceptable level of exposure, so that the organization is properly protected and negative consequences are minimized. It allows the organization to focus on what is important to control rather than on what is easy to control.

What gets in the way of an effective risk management process:

  • Too narrow a focus on risk
    • Extend focus from financial risk to include non-financial risk at the strategic, business, process and "control-culture" levels
    • Don’t just focus on the "comfortable" areas

  • Failure to manage risk complexity and materiality
    • Support enterprise-wide consistency, yet provide opportunity for local customization
    • Set parameters to ensure focus is on the most critical risks rather than every risk
    • Use materiality factors based on risk tolerance

  • Complex reporting and communications
    • Develop a communication plan early in process
    • Use simple, colour-coded charts

  • Unclear accountability for risk
    • Allocation of accountability is usually performed only after the "event"
    • Establish accountability (ownership) for risk management to appropriate operational managers
    • Create linkages to compensation
    • Ensure appropriate executive sponsorship
    • Need one clear owner (at executive level)

  • Undefined roles and responsibilities
    • Executive committee must set direction and strategy
    • Executive management must accept residual risk
    • Senior management must accept ownership of risk
    • Risk policy and support provided through the development of guidelines, tools and measurement
    • Operations management responsible for identifying, assessing, mitigating, monitoring and asserting
    • Business Systems and Control must perform periodic assessment and assurance

Integration with Business Planning, HRM Scorecard:

A fully integrated risk management program is an effective program. It can "enable managers at key levels to identify, assess and manage risk inherent in their strategies, businesses and processes through a learning cycle of scanning, looking ahead, assessment and action." The following slide from the 2003 Atlantic Conference put on by Deloitte & Touche captures the extent of the integration available through an effective enterprise risk management program.

(Slide: The Importance of Integration)

Benefits of an integrated risk management approach include:

  • alignment of risk at all levels to strategic objectives
  • accountability for and ownership of risk management
  • an ability to foresee and predict risk occurrence and take preventative action, minimizing costly time spent "fighting fires"
  • optimized risk taking by the organization
  • attention to control culture issues
  • the capability to aggregate and correlate information about the current state of risk exposure at the strategic, operating and process levels

Direct benefits of risk management include:

No Surprises - Early Warning Systems

  • Identify, assess and prioritize risks
  • Install appropriate control processes and information
  • Promote organizational learning and knowledge transfer

Effective Responses - Good Reactions

  • Integrate risks into planning and decision-making
  • Strategically reduce exposure levels to acceptable levels
  • Rapidly respond to issues and reduce negative impacts

Greater Chance of Success - Better Outcomes

  • Maximize chances of achieving objectives
  • Improve ability to anticipate and prepare for change

Risk Management Levels:

Current practitioners have defined five levels of risk management maturity in an organization.

(Slide: Risk Management Levels)

For the business planning year 2003/04, the Business Systems and Control Group will be applying a risk assessment tool to the issues and goals identified during the business planning process. However, this is only one step on the path to an integrated risk management approach.

Applying the Methodology:

  1. Conduct a diagnostic which measures the extent to which the organization has implemented risk management by comparison to best practices.
    • The organization has identified important risks and risk management priorities
    • The organization has established roles and responsibilities for risk management
    • The organization is applying an integrated approach for risk management
    • The organization develops an integrated approach for risk management

    The Business Systems and Control Group used HRM's 2003/04 business planning process to determine the general level of understanding of "risk management" across the organization. Managers tended to focus on outcomes rather than on events when considering risk, and as a result most likely define risk differently from one another. Best practice recommends a common definition of risk, defined risk tolerances, regular scanning of the environment, and formal assessment and monitoring. Currently, HRM does not practice a formal risk management program.

  2. Assess organizational culture

    Best practice suggests using the Criteria of Control Framework (COCO) of the CICA. This involves identifying and measuring the organization's attributes of purpose, commitment, capability, and learning and monitoring.

  3. Develop a risk profile which involves the identification, analysis, assessment and prioritization of risk and determining if risk exposures should be further reduced.

    The risk assessment tool and approach developed by Business Systems and Control will provide a basic framework for completing a risk profile. It has been designed to assess environmental, process and decision-making risk factors under the umbrella of the Corporate Goals of Excellence in Governance, Excellence in Service Delivery, Safe Communities and Health, Vibrant & Sustainable Communities.

  4. Design an Integrated Risk Management Model which must involve all elements of risk and the managing stakeholders. Risk factors extend beyond financial issues as can be seen in the Corporate Goals categories.

(Slide: Design an Integrated Risk Management Model)

The best practice approach is to pilot and implement the model in one business unit prior to full roll-out across the organization.

At this time, the risk assessment tool will be used across the organization prior to developing a full risk management model. This exercise will introduce the subject of enterprise risk management and develop the link between the HRM Scorecard and risk management. It will also provide further information on participants' familiarity with risk management, which can be used to design and implement an appropriate risk management model for HRM.

Vision For The Future:

Preliminary Identification of Potential Risk Category and Training Areas:

  1. Legal Issues
    • Governance structure - Nova Scotia Municipal Government Act, Fed, By-laws, Policies
    • Conflict of Interest
    • Personal Liability, culpability
    • Organizational Liability, culpability
  2. Property Issues
    • Self-insurance
    • Claims
    • Tangible Assets
  3. Human Resources
    • Due Diligence (Safety)
    • Duty to Accommodate
    • Case Management
    • Knowledge Capital
  4. Stewardship
    • Misappropriation
    • Effectiveness - performance
    • Efficiency measures (HRM Scorecard)
  5. Opportunities
    • Identification
    • Measurement model (cost/benefit)
    • Establishment of risk tolerance policy

The preferred approach would be to establish a cross-functional team composed of experts in the identified topics. Business Unit involvement would be requested from:

  • Legal Services
  • Police Services
  • Fire Services
  • Human Resources
    • Health and Safety, Organizational Development, Total Compensation
  • Financial Services
    • Business Planning, Business Systems and Control, Accounting, Procurement Services
  • Real Property and Asset Management Services
  • Governance Services

Over a period of one to two years, the cross-functional team would:

  • Identify the specific training needs and prioritize them based on the residual risk they pose to the organization's objectives
  • Develop topic-specific training modules
  • Develop an implementation plan, which may include the coordination and/or direct provision of training
  • Develop an ongoing monitoring structure to ensure all new employees receive appropriate risk management training