Treasury Board of Canada Secretariat

ARCHIVED - Risk Management Guide (Review Guide) - November 1, 1994



Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.


INTRODUCTION

Background

Stated simply, risk management is a process whereby potential threats to an organization, its staff, or its materiel are examined and minimized in a rational and clearly documented fashion. Risk management slowly emerged as an approach to reducing organizational costs during the 1970s. From its beginning, there were strong arguments in favour of using the risk management approach in organizational operations. However, only more recently have the knowledge, the tools and the data needed for risk management become available to practitioners.

The analyses used in risk management convert possible events and their outcomes into dollars and cents. This creates a common standard that allows comparisons between options and therefore a rational selection process. It is important to note that these analytical techniques can be applied equally to risks and opportunities. Therefore, risk management, as a tool, can be used to select between alternative risks, alternative opportunities and between reducing a risk versus selecting an opportunity.

Treasury Board has had a risk management policy in place since 1978. However, the growing maturation of the field and a government increasingly concerned about reducing costs have spurred interest in this aspect of management. Risk management is especially useful to those facing difficult tradeoffs stemming from budget cuts. The process allows managers to assess and compare the potential costs and benefits of various options and to select the best alternative. Further, as the process is clearly documented, it reduces the time required by those reviewing a decision to understand the influencing factors.

Purpose

This guide is written with the review function in mind. While not exclusively for the use of this group, the guide's purpose is to provide internal auditors and review officers with the understanding and the tools necessary to audit their organization's management of risk. The guide seeks to expand their understanding of risk, to explain its importance to government organizations, to show how risk can be managed, and to provide some of the more general tools which auditors can use in the audit of risk management.

Organization of the Guide

The guide is organized in the following manner. Chapter One provides a simple overview of risk management. Chapter Two discusses the audit of risk management and more formally outlines the objectives, criteria, detailed criteria and audit procedures to be used.

CHAPTER ONE RISK MANAGEMENT OVERVIEW

Introduction

The government's approach to risk management is based on six policies. The most important of these policies is the Risk Management Policy. It provides the framework for risk management (See Figure 1 at the end of this chapter) by defining the following four types of function:

(1) risk identification;

(2) risk minimization;

(3) containment (once a peril occurs, in order to reduce its impact); and

(4) compensation or restoration and recovery (after an incident has occurred).

A management function is also implied through the existence of a "feedback" loop. This general framework is also augmented by five relatively specific policies: (5) indemnification of servants of the Crown; (6) volunteers; (7) claims and ex gratia payments; (8) fire protection, investigation and reporting; and (9) provision of legal assistance to Crown servants. Each of these deals with a relatively specific sub-area related to risk management.

Within each of the four functions noted above there are any number of activities. Specific activities are dependent on the particulars of the peril under consideration and the organization's relationship to or interest in this peril.

Risk analysis is not a hard science. By definition, every risk analysis involves assumptions and is to some degree the product of the person(s) conducting the analysis. Consequently, expertise in the area being considered is important to ensuring the accuracy of an analysis. Further, every situation is, to some extent, unique. Therefore, each risk management solution can be expected to differ in some respects from all other solutions. In other words, there is no standard solution. While the same principles and approach can be applied generally, each situation will call for a unique solution and different practitioners are likely to arrive at similar rather than identical conclusions. However, the key consideration is that a pro-active approach is taken towards managing risks, thereby reducing the government's unnecessary exposure to potential losses.

Roles and Responsibilities

Treasury Board

Treasury Board is responsible for three aspects of risk management:

(1) the government's general policy on risk management;

(2) communicating the policy; and

(3) monitoring and assessing the general policy effectiveness.

The government's general policy on risk management can be found in the Risk Management Policy (Chapter 2-1 of the Treasury Board Manual). This is a publication of the Materiel and Risk Management Section of the Administrative Policy Branch of the Treasury Board Secretariat. The guidelines for auditing the Risk Management Policy, as well as the policies on indemnification of servants of the Crown, volunteers, claims and ex gratia payments, fire protection, investigation and reporting, and provision of legal assistance to Crown servants, are found in Chapter Two of this guide.

Departments

Each government department is accountable through its deputy head for the implementation of the Treasury Board policy on risk management. The department should designate someone responsible for risk management or at least have various focal points of functional responsibility identified with provision for liaison between them. The participation of other personnel is also important, since all employees are to some degree responsible for the effective management of risk. Risk management should be considered as an integral part of the planning process.

Staff Engaged in Risk Management

Risk management is far more than an appendage to operations. Ideally, the management of risk should be used in conjunction with opportunity management to maximize the benefits of a department to its clients, its employees and its employers. The key to risk management earning this position rests in the accuracy of its risk assessments, the usefulness of assessments to decision-makers and the willingness of senior staff to regularly apply this type of analysis.

The effective management of risk requires that a department go through a process of assessing the level of risk and determining the appropriate level of resources to be devoted to managing that risk. Government departments, in particular, need to use the risk management approach because of the ever-present restrictions on available resources and the dynamic nature of modern society: the ongoing changes in personnel, the introduction of new technologies and shifts in public interest. Each of the conditions listed here acts to change a department's risks over time.

To be effective, risk management requires that the organizational structure allows and, ideally, encourages a dialogue between those who have the expertise in risk management and those who are most knowledgeable about a particular area or field. The responsibility for managing risks should belong with those who are most knowledgeable in the area being examined. Those with expertise in risk assessment techniques or risk management practices best contribute by assisting those with a deep knowledge of an area to convert their knowledge into risk probabilities and dollar figures which can be used in risk analysis. This relationship suggests how risk management should be structured in an organization and the roles to be played by the different actors.

The expertise in risk management should be used as a support to the line management which has been assigned the responsibility for developing and maintaining expertise in the specific area or field in question. The expertise required by risk management personnel is in being able to help the organization's personnel understand the nature of risk analysis and risk management and to assist the systematic development of risk assessments and contingency plans. In addition, risk management staff must be able and willing to quickly notify senior management in the organization about any significant threat which they believe is not being dealt with appropriately.

CHAPTER TWO PERFORMING THE AUDIT

Introduction

This chapter presents some suggested criteria and procedures for conducting an audit of risk management. Generally, risk analysis requires specialized expertise which the auditor is not expected to have available. This expertise usually lies elsewhere within the organization or with outside experts. Consequently, the auditor is not expected to examine and comment on the risk analysis itself. Rather, the auditor's primary role is to ascertain whether or not the methods and procedures used were appropriate and conform to the policies and guidelines which make up the government's approach to risk management. The auditor's secondary role is to ensure that any identified deficiencies are dealt with and that follow-up takes place.

Issues should be raised with the expectation that apparent problems can be dealt with and opportunities can be fully pursued. The auditor's role is less to report on the deficiencies in risk management than to ensure that any deficiencies identified are dealt with. Auditors should also ensure that good practices are being shared within the organization and with other government organizations.

In many situations, the auditor will identify apparent problems when determining whether or not the various procedures have been followed correctly. It is important to recognize that it may not be cost-effective or efficient for staff to follow a given procedure exactly. Staff must be allowed to exercise their discretion, to weigh the associated costs and benefits of following a given procedure and, on the basis of this analysis, to decide on the degree to which a procedure is followed.

Organization of the Audit Procedure Section

The Audit Procedure section is broken into nine sections. The first four sections deal with the government's Risk Management Policy (Chapter 2-1 of the Treasury Board Manual). This is referred to herein as the "general framework for risk management." It consists of four phases, including provision for feedback from each phase, as shown in Figure 1. These are:

(1) risk identification

(2) risk minimization

(3) containment

(4) compensation or restoration and recovery

These sections lay out the procedure to be followed in general when conducting an audit of risk management. Following these four sections are a series of five sections which discuss the audit of the more specific policies which, together with the Risk Management Policy stated in Chapter 2-1, make up the government's approach to risk management. The five additional sections cover the audit of policies on:

(5) indemnification of servants;

(6) volunteers;

(7) claims and ex gratia payments;

(8) fire protection, investigation and reporting; and

(9) provision of legal assistance to Crown servants.

Each of these specific policies deals with one aspect of risk management. These policies work in combination with the Risk Management Policy to augment the risk management framework. Depending on the scope of the audit, auditors may only need to apply some of the criteria and detailed criteria found in sections five through nine when performing an audit of risk management.

If auditors encounter any difficulty or need further assistance in the interpretation of the Risk Management Policy, they should contact the Materiel and Risk Management Group for policy interpretation and the Evaluation, Audit and Review Group of the Administrative Policy Branch of Treasury Board for audit questions.

(1) RISK IDENTIFICATION


Objective

1.0 To ensure that the organization has identified key perils, factors and types of risk to which its assets, program activities, clients and interests are exposed and for which the organization bears some responsibility.

Criteria

1.1 Managers understand the concept of risk identification and have identified key risks facing their organization.

Detailed Criteria/Audit Procedures

1.1.1 Verify that all managers are aware of the key perils facing their group in accordance with Treasury Board's Risk Management Policy.

1.1.2 Assess the depth of the manager's understanding of the risk identification process based on his or her awareness.

1.1.3 Verify that managers have assessed the key risks to the organization resulting from the various perils identified.

1.1.4 Assess the completeness and accuracy of the managers' risk assessment.

(2) RISK MINIMIZATION


Objective

2.0 To ensure that the organization has analyzed and assessed the risks identified and that it has selected cost-effective risk-control options.

Criteria

2.1 Program managers have performed valid risk assessments.

Detailed Criteria/Audit Procedures

2.1.1 Verify that program managers have documented risk assessments for each of the significant risks identified.

Criteria

2.2 Managers have selected and implemented cost-effective risk control measures. (See Figure 2, Risk Management Decision Matrix, at the end of Section 2.)

Detailed Criteria/Audit Procedures

2.2.1 Verify that managers have developed a series of cost-effective risk-minimization options.

2.2.2 Verify that managers, when advised of key risks, have designed and implemented cost-effective control measures.

Criteria

2.3 As a result of implementing control measures, the overall risk to the organization has declined.

Detailed Criteria/Audit Procedures

2.3.1 Assess whether or not the control measures introduced have managed the threat from the peril as intended.

Criteria

2.4 The control measures introduced were cost-effective.

Detailed Criteria/Audit Procedures

2.4.1 Assess whether or not the control measures introduced were cost-effective. Some thought should be given to alternative uses of the resources expended and, in particular, beneficial opportunities which may have existed during the same time period.
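The comparison that criteria 2.2 and 2.4 ask the auditor to check, and that the Background describes as converting events and outcomes into dollars so that options can be compared on a common standard, can be made explicit in a small calculation. The following is an added example written for this guide, not part of the Treasury Board policy or any departmental system. It assumes that each peril is described by an annual probability of occurrence and a dollar loss per event, that each control option has an annual cost and a residual peril, and that the value of the best alternative use of the same money (the opportunity referred to in 2.4.1) can be stated in dollars. The peril, the options and every figure are constructed for illustration.

```python
# Added example (not part of the Treasury Board guide): comparing
# risk-control options in dollar terms, as described under Background
# and audited under criteria 2.2 and 2.4. All perils, options and
# figures below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Peril:
    """A peril expressed as an annual probability and a dollar loss per event."""
    name: str
    annual_probability: float   # chance of occurrence in a given year, 0..1
    loss_per_event: float       # dollars lost if the peril occurs

    def __post_init__(self):
        if not 0.0 <= self.annual_probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be between 0 and 1")
        if self.loss_per_event < 0:
            raise ValueError(f"{self.name}: loss cannot be negative")

    def expected_annual_loss(self) -> float:
        return self.annual_probability * self.loss_per_event


@dataclass(frozen=True)
class ControlOption:
    """A risk-minimization option: what it costs and what risk remains after it."""
    name: str
    annual_cost: float
    residual: Peril                     # the same peril after the control is applied
    forgone_opportunity: float = 0.0    # expected value of the best alternative use
                                        # of the same money (criterion 2.4.1)

    def total_annual_cost(self) -> float:
        return self.annual_cost + self.forgone_opportunity


def net_benefit(peril: Peril, option: ControlOption) -> float:
    """Reduction in expected annual loss minus the full annual cost of the option."""
    reduction = peril.expected_annual_loss() - option.residual.expected_annual_loss()
    return reduction - option.total_annual_cost()


def is_cost_effective(peril: Peril, option: ControlOption) -> bool:
    """Criterion 2.4: the control pays for itself against the risk it reduces."""
    return net_benefit(peril, option) > 0


def select_option(peril: Peril, options):
    """Criterion 2.2: pick the option with the largest positive net benefit.
    Returns None when accepting the risk (doing nothing) beats every option."""
    best, best_net = None, 0.0
    for option in options:
        net = net_benefit(peril, option)
        if net > best_net:
            best, best_net = option, net
    return best


def constructed_example():
    """Constructed figures: a hypothetical server-room fire and three responses."""
    fire = Peril("server room fire", annual_probability=0.02, loss_per_event=1_500_000)
    options = [
        ControlOption("sprinklers", 8_000,
                      Peril("fire, with sprinklers", 0.02, 200_000)),
        ControlOption("insurance", 20_000,
                      Peril("fire, insured with deductible", 0.02, 100_000)),
        ControlOption("relocate equipment", 40_000,
                      Peril("fire at new site", 0.005, 1_500_000)),
    ]
    return fire, options


if __name__ == "__main__":
    fire, options = constructed_example()
    print(f"{fire.name}: expected annual loss ${fire.expected_annual_loss():,.0f}")
    for option in options:
        print(f"  {option.name:20s} net benefit ${net_benefit(fire, option):>10,.0f}"
              f"  cost-effective: {is_cost_effective(fire, option)}")
    chosen = select_option(fire, options)
    print(f"selected: {chosen.name if chosen else 'accept the risk'}")
    # Criterion 2.4.1: the same $8,000 could instead fund an opportunity worth $20,000
    sprinklers_with_opportunity = ControlOption(
        "sprinklers", 8_000, options[0].residual, forgone_opportunity=20_000)
    chosen = select_option(fire, [sprinklers_with_opportunity] + options[1:])
    print(f"with forgone opportunity counted: {chosen.name if chosen else 'accept the risk'}")
```

With the constructed figures, sprinklers have the largest net benefit and are selected; once the value of the forgone opportunity is charged against that option, as 2.4.1 requires, insurance becomes the better choice, and an option whose cost exceeds the loss it prevents is never selected over simply accepting the risk. The same structure applies to comparing a risk-reduction measure against an opportunity, since both are expressed in the same dollar terms.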

Criteria

2.5 The risk analysis took into consideration political and diplomatic implications.

Detailed Criteria/Audit Procedures

2.5.1 Verify that the analysis addressed possible political or diplomatic implications.

2.5.2 Where there were political or diplomatic implications, assess whether or not they were sufficiently considered.

Criteria

2.6 Where applicable, the underwriting analysis was thorough and complete.

Detailed Criteria/Audit Procedures

2.6.1 Determine whether or not the underwriting analysis should have been undertaken. If so, then:

a) determine that underwriting analysis was undertaken; and

b) assess whether or not the underwriting analysis was sufficiently thorough and complete.

(3) CONTAINMENT


Objective

3.0 To ensure that the organization or program has developed and activated emergency organizations, systems and contingency plans and initiated disaster recovery measures which are appropriate.

Criteria

3.1 The various contingency plans are appropriate.

Detailed Criteria/Audit Procedures

3.1.1 Determine whether or not there are possible impacts of incidents that have not been taken into account by the contingency plan(s), and the probability of each such impact occurring.

3.1.2 Determine whether or not the objectives of the contingency plans would be the most appropriate response(s) to an incident.

3.1.3 Determine whether or not there are potential impacts for which there are no contingency plans and why.

3.1.4 Determine whether or not the contingency plans are feasible and assess whether or not they would achieve their stated objectives.

Criteria

3.2 The various contingency plans are workable.

Detailed Criteria/Audit Procedures

3.2.1 Verify that staff designated for implementing contingency plans understand those plans and expect to be able to carry them out.

3.2.2 Where rehearsals have occurred, determine whether or not the rehearsal evaluations identified problems with the contingency plans and assess whether or not these problems have been addressed effectively.

3.2.3 Verify that past experiences have been documented and used as a basis for improvements.

Criteria

3.3 The organization has developed the capacity of the emergency organizations and systems sufficiently to meet the emergencies anticipated by the contingency plans and has done so in a cost-effective manner.

Detailed Criteria/Audit Procedures

3.3.1 Identify the emergency organizations and systems which the organization plans to activate in the case of an emergency.

3.3.2 Determine the roles to be played by the various organizations and systems in the case of an emergency, the training which staff would require to fulfil these roles and assess whether or not the systems are in place and the staff have been trained sufficiently.

3.3.3 Determine whether or not the organization has the capacity to contact and activate emergency organizations and systems during a real emergency, e.g. where there are power outages or communication lines are damaged.

3.3.4 Determine whether or not there are other means (alternative emergency plans, organizations, systems, etc.) which would be more cost-effective.

Criteria

3.4 The disaster recovery measures are appropriate.

Detailed Criteria/Audit Procedures

3.4.1 Determine whether or not the documentation describing the disaster recovery measures is complete and is regularly updated.

3.4.2 Assess whether or not staff who would be involved in a disaster recovery understand the disaster recovery measures.

3.4.3 Determine whether or not the personnel who would be involved in a disaster recovery have been trained in accordance with the disaster recovery measures.

3.4.4 Assess whether or not the measures could be implemented in the case of a disaster. Where rehearsals have been held, determine whether or not the rehearsal evaluations identified problems and, if so, whether or not these problems have been addressed.

3.4.5 Assess the cost-effectiveness of the disaster recovery measures relative to alternatives.