Treasury Board of Canada Secretariat

ARCHIVED - Risk Management Guide (Review Guide) - November 1, 1994




Review Guide to an Audit of Risk Management

November 1994




Table of Contents

INTRODUCTION

Background

Purpose

Organization of the Guide

CHAPTER ONE -- RISK MANAGEMENT OVERVIEW

Introduction

Roles and Responsibilities

Treasury Board

Departments

Staff Engaged in Risk Management

CHAPTER TWO -- PERFORMING THE AUDIT

Introduction

Organization of the Audit Procedure Section

(1) RISK IDENTIFICATION

(2) RISK MINIMIZATION

(3) CONTAINMENT

(4) COMPENSATION

(5) INDEMNIFICATION OF SERVANTS OF THE CROWN

(6) VOLUNTEERS

(7) CLAIMS AND EX GRATIA PAYMENTS

(8) FIRE PROTECTION, INVESTIGATION AND REPORTING

(9) PROVISION OF LEGAL ASSISTANCE TO CROWN SERVANTS




INTRODUCTION

Background

Stated simply, risk management is a process whereby potential threats to an organization, its staff, or its materiel are examined and minimized in a rational and clearly documented fashion. Risk management slowly emerged as an approach to reducing organizational costs during the 1970s. From its beginning, there were strong arguments in favour of using the risk management approach in organizational operations. However, only more recently have the knowledge, the tools and the data needed for risk management become available to practitioners.

The analyses used in risk management convert possible events and their outcomes into dollars and cents. This creates a common standard that allows comparisons between options and therefore a rational selection process. It is important to note that these analytical techniques can be applied equally to risks and opportunities. Therefore, risk management, as a tool, can be used to select between alternative risks, alternative opportunities and between reducing a risk versus selecting an opportunity.

Treasury Board has had a risk management policy in place since 1978. However, the growing maturation of the field and a government increasingly concerned about reducing costs has spurred interest in this aspect of management. Risk management is especially useful to those facing difficult tradeoffs stemming from budget cuts. The process allows managers to assess and compare the potential costs and benefits of various options and to select the best alternative. Further, as the process is clearly documented, it reduces the time required by those reviewing a decision to understand influencing factors.

Purpose

This guide is written with the review function in mind. While not exclusively for the use of this group, the manual's purpose is to provide internal auditors and review officers with the understanding and the tools necessary to audit their organization's management of risk. The guide seeks to expand their understanding of risk, to explain its importance to government organizations, to show how risk can be managed, and to provide some of the more general tools which auditors can use in the audit of risk management.

Organization of the Guide

The guide is organized in the following manner. Chapter One provides a simple overview of risk management. Chapter Two discusses the audit of risk management and more formally outlines the objectives, criteria, detailed criteria and audit procedures to be used.

CHAPTER ONE -- RISK MANAGEMENT OVERVIEW

Introduction

The government's approach to risk management is based on six policies. The most important of these policies is the Risk Management Policy. It provides the framework for risk management (See Figure 1 at the end of this chapter) by defining the following four types of function:

(1) risk identification;

(2) risk minimization;

(3) containment of a peril (once it occurs in order to reduce its impact); and

(4) compensation or restoration and recovery (after an incident has occurred).

A management function is also implied through the existence of a "feedback" loop. This general framework is also augmented by five relatively specific policies: (5) indemnification of servants of the Crown; (6) volunteers; (7) claims and ex gratia payments; (8) fire protection, investigation and reporting; and (9) provision of legal assistance to Crown servants. Each of these deals with a relatively specific sub-area related to risk management.

Within each of the four functions noted above there are any number of activities. Specific activities are dependent on the particulars of the peril under consideration and the organization's relationship to or interest in this peril.

Risk analysis is not a hard science. By definition, every risk analysis involves assumptions and is to some degree the product of the person(s) conducting the analysis. Consequently, expertise in the area being considered is important to ensuring the accuracy of an analysis. Further, every situation is, to some extent, unique. Therefore, each risk management solution can be expected to differ in some respects from all other solutions. In other words, there is no standard solution. While the same principles and approach can be applied generally, each situation will call for a unique solution and different practitioners are likely to arrive at similar rather than identical conclusions. However, the key consideration is that a pro-active approach is taken towards managing risks, thereby reducing the government's unnecessary exposure to potential losses.

Roles and Responsibilities

Treasury Board

Treasury Board is responsible for three aspects of risk management:

(1) the government's general policy on risk management;

(2) communicating the policy; and

(3) monitoring and assessing the general policy effectiveness.

The government's general policy on risk management can be found in Risk Management Policy (Chapter 2-1 of the Treasury Board Manual). This is a publication of the Materiel and Risk Management Section of the Administrative Policy Branch of the Treasury Board Secretariat. The guidelines for auditing the Risk Management Policy, as well as the policies on indemnification of servants of the Crown, volunteers, claims and ex gratia payments, fire protection, investigation and reporting, and provision of legal assistance to Crown servants, are found in Chapter Two of this guide.

Departments

Each government department is accountable through its deputy head for the implementation of the Treasury Board policy on risk management. The department should designate someone responsible for risk management or at least have various focal points of functional responsibility identified with provision for liaison between them. The participation of other personnel is also important, since all employees are to some degree responsible for the effective management of risk. Risk management should be considered as an integral part of the planning process.

Staff Engaged in Risk Management

Risk management is far more than an appendage to operations. Ideally, the management of risk should be used in conjunction with opportunity management to maximize the benefits of a department to its clients, its employees and its employers. The key to risk management earning this position rests in the accuracy of its risk assessments, the usefulness of assessments to decision-makers and the willingness of senior staff to regularly apply this type of analysis.

The effective management of risk requires that a department go through a process of assessing the level of risk and determining the appropriate level of resources to be devoted to managing that risk. Government departments, in particular, need to use the risk management approach because of the ever-present restrictions on available resources and the dynamic nature of modern society, the ongoing changes in personnel, the introduction of new technologies and shifts in public interest. Each of the conditions listed here acts to change a department's risks over time.

To be effective, risk management requires that the organizational structure allows and, ideally, encourages a dialogue between those who have the expertise in risk management and those who are most knowledgeable about a particular area or field. The responsibility for managing risks should belong with those who are most knowledgeable in the area being examined. Those with expertise in risk assessment techniques or risk management practices best contribute by assisting those with a deep knowledge of an area to convert their knowledge into risk probabilities and dollar figures which can be used in risk analysis. This relationship suggests how risk management should be structured in an organization and the roles to be played by the different actors.

The expertise in risk management should be used as a support to the line management which has been assigned the responsibility for developing and maintaining expertise in the specific area or field in question. The expertise required by risk management personnel is in being able to help the organization's personnel understand the nature of risk analysis and risk management and to assist the systematic development of risk assessments and contingency plans. In addition, risk management staff must be able and willing to quickly notify senior management in the organization about any significant threat which they believe is not being dealt with appropriately.

CHAPTER TWO -- PERFORMING THE AUDIT

Introduction

This chapter presents some suggested criteria and procedures for conducting an audit of risk management. Generally, risk analysis requires specialized expertise which the auditor is not expected to have available. This expertise usually lies elsewhere within the organization or with outside experts. Consequently, the auditor is not expected to examine and comment on the risk analysis itself. Rather, the auditor's primary role is to ascertain whether or not the methods and procedures used were appropriate and conform to the policies and guidelines which make up the government's approach to risk management. The auditor's secondary role is to ensure that any identified deficiencies are dealt with and that follow-up takes place.

Issues should be raised with the expectation that apparent problems can be dealt with and opportunities can be fully pursued. The auditor's role is less to report on the deficiencies in risk management than to ensure that any deficiencies identified are dealt with. Auditors should also ensure that good practices are being shared within the organization and with other government organizations.

In many situations, the auditor will identify apparent problems when determining whether or not the various procedures have been followed correctly. It is important to recognize that it may be neither cost-effective nor efficient for staff to follow a given procedure exactly. Staff must be allowed to exercise their discretion and to weigh the associated costs and benefits of following a given procedure and, on the basis of this analysis, make a decision on the degree to which a procedure is followed.

Organization of the Audit Procedure Section

The Audit Procedure section is broken into nine sections. The first four sections deal with Chapter 2-1 of the government's Risk Management Policy. This is referred to herein as the "general framework for risk management." It consists of four phases, including provision for feedback from each phase, as shown in Figure 1. These are:

(1) risk identification

(2) risk minimization

(3) containment

(4) compensation or restoration and recovery

These sections lay out the procedure to be followed in general when conducting an audit of risk management. Following these four sections are a series of five sections which discuss the audit of the more specific policies which, together with the Risk Management Policy stated in Chapter 2-1, make up the government's approach to risk management. The five additional sections cover the audit of policies on:

(5) indemnification of servants;

(6) volunteers;

(7) claims and ex gratia payments;

(8) fire protection, investigation and reporting; and

(9) provision of legal assistance to Crown servants.

Each of these specific policies deals with one aspect of risk management. These policies work in combination with the Risk Management Policy to augment the risk management framework. Depending on the scope of the audit, auditors may only need to apply some of the criteria and detailed criteria found in sections five through nine when performing an audit of risk management.

If auditors encounter any difficulty or need further assistance in the interpretation of the Risk Management Policy, they should contact the Materiel and Risk Management Group for policy interpretation and the Evaluation, Audit and Review Group of the Administrative Policy Branch of Treasury Board for audit questions.

(1) RISK IDENTIFICATION

 

Objective

1.0 To ensure that the organization has identified key perils, factors and types of risk to which its assets, program activities, clients and interests are exposed and for which the organization bears some responsibility.

Criteria

1.1 Managers understand the concept of risk identification and have identified key risks facing their organization.

Detailed Criteria/Audit Procedures

1.1.1 Verify that all managers are aware of the key perils facing their group in accordance with Treasury Board's Risk Management Policy.

1.1.2 Assess the depth of the manager's understanding of the risk identification process based on his or her awareness.

1.1.3 Verify that managers have assessed the key risks to the organization resulting from the various perils identified.

1.1.4 Assess the completeness and accuracy of the managers' risk assessment.

(2) RISK MINIMIZATION

 

Objective

2.0 To ensure that the organization has analyzed and assessed the risks identified and that it has selected cost-effective risk-control options.

Criteria

2.1 Program managers have performed valid risk assessments.

Detailed Criteria/Audit Procedures

2.1.1 Verify that program managers have documented risk assessments for each of the significant risks identified.

Criteria

2.2 Managers have selected and implemented cost-effective risk control measures. (See Figure 2, Risk Management Decision Matrix, at the end of Section 2.)

Detailed Criteria/Audit Procedures

2.2.1 Verify that managers have developed a series of risk-minimization, cost-effective options.

2.2.2 Verify that managers, when advised of key risks, have designed and implemented cost-effective control measures.

Criteria

2.3 As a result of implementing control measures, the overall risk to the organization has declined.

Detailed Criteria/Audit Procedures

2.3.1 Assess whether or not the control measures introduced have managed the threat from the peril as intended.

Criteria

2.4 The control measures introduced were cost-effective.

Detailed Criteria/Audit Procedures

2.4.1 Assess whether or not the control measures introduced were cost-effective. Some thought should be given to alternative uses of the resources expended and, in particular, beneficial opportunities which may have existed during the same time period.

Criteria

2.5 The risk analysis took into consideration political and diplomatic implications.

Detailed Criteria/Audit Procedures

2.5.1 Verify that the analysis addressed possible political or diplomatic implications.

2.5.2 Where there were political or diplomatic implications, assess whether or not they were sufficiently considered.

Criteria

2.6 Where applicable, the underwriting analysis was thorough and complete.

Detailed Criteria/Audit Procedures

2.6.1 Determine whether or not the underwriting analysis should have been undertaken. If so, then:

a) determine that underwriting analysis was undertaken; and

b) assess whether or not the underwriting analysis was sufficiently thorough and complete.

(3) CONTAINMENT

 

Objective

3.0 To ensure that the organization or program has developed and activated emergency organizations, systems and contingency plans and initiated disaster recovery measures which are appropriate.

Criteria

3.1 The various contingency plans are appropriate.

Detailed Criteria/Audit Procedures

3.1.1 Determine whether or not there are possible impacts of incidents that have not been taken into account by the contingency plan(s) and the associated probability of that impact occurring.

3.1.2 Determine whether or not the objectives of the contingency plans would be the most appropriate response(s) to an incident.

3.1.3 Determine whether or not there are potential impacts for which there are no contingency plans and why.

3.1.4 Determine whether or not the contingency plans are feasible and assess whether or not they would achieve their stated objectives.

Criteria

3.2 The various contingency plans are workable.

Detailed Criteria/Audit Procedures

3.2.1 Verify that staff designated for implementing contingency plans understand those plans and expect to be able to carry them out.

3.2.2 Where rehearsals have occurred, determine whether or not the rehearsal evaluations identified problems with the contingency plans and assess whether or not these problems have been addressed effectively.

3.2.3 Verify that past experiences have been documented and used as a basis for improvements.

Criteria

3.3 The organization has developed the capacity of the emergency organizations and systems sufficiently to meet the emergencies anticipated by the contingency plans and has done so in a cost-effective manner.

Detailed Criteria/Audit Procedures

3.3.1 Identify the emergency organizations and systems which the organization plans to activate in the case of an emergency.

3.3.2 Determine the roles to be played by the various organizations and systems in the case of an emergency, the training which staff would require to fulfil these roles and assess whether or not the systems are in place and the staff have been trained sufficiently.

3.3.3 Determine whether or not the organization has the capacity to contact and activate emergency organizations and systems during a real emergency, e.g. where power outages and communication lines may be damaged.

3.3.4 Determine whether or not there are other means (alternative emergency plans, organizations, system, etc.) which would be more cost-effective.

Criteria

3.4 The disaster recovery measures are appropriate.

Detailed Criteria/Audit Procedures

3.4.1 Determine whether or not the documentation describing the disaster recovery measures is complete and is regularly updated.

3.4.2 Assess whether or not staff who would be involved in a disaster recovery understand the disaster recovery measures.

3.4.3 Determine whether or not the personnel who would be involved in a disaster recovery have been trained in accordance with the disaster recovery measures.

3.4.4 Assess whether or not the measures could be implemented in the case of a disaster. Where rehearsals have been held, determine whether or not the rehearsal evaluations identified problems and, if so, whether or not these problems have been addressed.

3.4.5 Assess the cost-effectiveness of the disaster recovery measures relative to alternatives.




(4) COMPENSATION OR RESTORATION AND RECOVERY

Objective

4.0 To ensure that the organization has developed its capacity to investigate incidents to determine their causes; to assess the extent and value of damages and determine potential legal liability; to learn from incidents which have occurred in order to prevent similar occurrences; and to develop and maintain appropriate systems for effectively handling claims and for compensating those who have suffered as a result of government operations.

Note: Refer to sections 5 through 9 for more specific criteria and audit procedures.

Criteria

4.1 The organization has the capacity to investigate incidents, assess the extent of damages and determine their causes and potential liability.

Detailed Criteria/Audit Procedures

4.1.1 Determine whether or not the organization has investigated incidents in the past and if the investigations were carried out appropriately and in a timely manner.

4.1.2 Assess whether the staff has the capacity and has been properly trained and informed to assess damages and determine causes and potential liability.

4.1.3 Determine whether or not the organization has assessed the extent and value of damages.

4.1.4 Determine whether or not the organization has determined legal liability for an incident or has plans to do so should the need arise.

4.1.5 Where possible, identify legal determinations of responsibility which have been made by the staff and assess whether or not these determinations have been carried out appropriately and in accordance with government policy. (See the section on claims and ex gratia payments below for more detailed criteria.)

4.1.6 Determine whether or not the staff are accessing those with legal responsibility and that the services being provided satisfy the questions being asked.

4.1.7 Assess whether or not the legal services are being provided in a cost-effective manner relative to other alternatives.

Criteria

4.2 The results of investigations are being used in a manner which prevents recurrence.

Detailed Criteria/Audit Procedures

4.2.1 Determine whether or not the results of investigations and recommendations for the nature of payments or claims are being made available to decision-makers.

4.2.2 Determine whether or not the results of investigations and recommendations for the nature of payments or claims are being used by decision-makers.

4.2.3 Assess whether or not there is a recurrence of similar claims.

Criteria

4.3 Employees and/or volunteers who qualify for legal assistance have received it.

Detailed Criteria/Audit Procedures

4.3.1 Determine whether or not legal assistance was provided in accordance with the Policy on the Provision of Legal Assistance to Crown Servants and that advice was provided to the employee or volunteer in a timely manner.

4.3.2 Ensure that the documentation in support of a request for legal assistance was complete (including the employee's or volunteer's report, appointment of legal counsel and advice received from the Department of Justice).

4.3.3 Ensure that the amounts authorized for legal assistance are within policy limits.

4.3.4 Ascertain whether or not the organization has considered possible conflicts of interest and dealt with them appropriately.

Criteria

4.4 The organization has the capacity to develop and maintain appropriate systems for effectively handling claims and compensating those who have suffered as a result of government operations.

Detailed Criteria/Audit Procedures

4.4.1 Determine if staff involved in the process are properly trained and informed to develop and maintain the system.

4.4.2 Determine what the demands are (or will be) on the system.

4.4.3 Determine the cost of developing the system.

4.4.4 Determine the cost of maintaining the system once it is developed.

4.4.5 Determine whether or not other organizations have already developed such a system and assess whether or not it would be more economical to acquire such a system from one of these organizations.

4.4.6 Determine whether or not it would be cost-effective to use systems operated by other organizations.

Criteria

4.5 The organization can effectively handle claims and compensate those who have suffered as a result of government operations.

Detailed Criteria/Audit Procedures

4.5.1 Determine whether or not the applicable policy guidelines on reporting have been followed and that the report(s) are complete.

4.5.2 Determine whether or not the applicable policy guidelines on investigation have been followed and that the level of investigation is commensurate with the amounts involved.

4.5.3 Verify that the procedures specified in the Policy have been followed as appropriate and in a manner which served the government in a cost-effective and responsible manner.

4.5.4 Assess whether or not recommendations made at the end of an investigation have been carried out and determine whether or not they were carried out in a cost-effective manner.

4.5.5 Determine whether or not the compensation procedures outlined in government policy have been followed appropriately when applicable, and determine if they were in accordance with legal advice and government policy.

4.5.6 Verify that documentation exists to justify payment and that a release has been obtained except where it would not be administratively expedient.

4.5.7 Verify that documentation explains the reasoning behind an ex gratia payment.

4.5.8 Verify that where employees or volunteers are the recipients of ex gratia payments, reference is made to their duties at the time of the loss.

4.5.9 Verify that the documentation related to ex gratia payments includes the failed search for other reasonable means of compensation under other statutes or regulatory schemes.

4.5.10 Ensure that the organization has made a reasonable effort to satisfy claims by the Crown, taking into account administrative expediency and cost-effectiveness.

a) Verify that a legal opinion has been sought where large sums of money are involved.

b) Verify that the procedures to retain or off-set monies due to the servant have been followed when a claim is against a servant.

c) Verify that the releases signed were in accordance with the procedures and forms outlined in the policy on claims and ex gratia payments.

Criteria

4.6 Ensure that the maintenance of records relevant to the risk management process is managed economically, efficiently and effectively.

Detailed Criteria/Audit Procedures

4.6.1 Verify that there is a clear and well-understood procedure for recording, keying, filing, maintaining and reporting on data sources, risk analyses, occurrence of incidents, responses to incidents and evaluations of those responses, contingency plans and rehearsal reports and emergency personnel.

4.6.2 Determine whether or not procedures associated with risk management activities are carried out in an effective, economical and efficient fashion. (Identify any problems within these procedures or their associated systems which might prevent accurate and complete reporting.)

a) Verify that the procedure(s) used to record, key, file and report information used in risk analyses is effective, economical and efficient.

b) Verify that the filing system allows for quick identification and access to data sources.

c) Verify that the reporting system allows access to all of the data recorded and that it is relatively easy and inexpensive to produce customized reports.

d) Verify that there is an effective backup system for storing information.

4.6.3 Assess whether or not all occurrences of risk-related incidents have been reported. Verify that the database reporting system can export data on incidents to statistical programs for analysis.

4.6.4 Verify that all responses to incidents have been recorded in accordance with the Risk Management Policy; that evaluations of the responses to incidents are performed; and that the procedures established to ensure follow-up of recommendations made have been followed.

4.6.5 Verify that all contingency plans have been filed in accordance with the Risk Management Policy and that they can be easily identified and quickly accessed through either manual or electronic database systems.

4.6.6 Verify that the records on emergency personnel are secure, up-to-date, complete and accurate and allow for the quick and easy reporting of all emergency personnel who meet given sets of criteria.

Criteria

4.7 Risk analysis is being carried out accurately, efficiently, effectively, economically and in a timely fashion.

Detailed Criteria/Audit Procedures

4.7.1 Verify that there are clear procedures and guidelines for making risk analyses.

4.7.2 Assess whether the guidelines and procedures for making risk analyses are understood and are being followed.

4.7.3 Verify that risk analyses are reviewed on a regular basis to ensure that the analysis is current and/or invalid.

4.7.4 Verify that there is a system in place for identifying, recording and validating sources of the probability values used in making risk assessments, and verify that there is a system in place for updating the probability values in use as a result of changes in either sources of probability values or assessment of their validity.

4.7.5 Verify that the staff are able to access and extract information from the database of risk incidents effectively and efficiently.

4.7.6 Using incident reports and response evaluation reports, assess the overall accuracy of the risk analyses. (The auditor may wish to compare different groups when making this assessment.)

Criteria

4.8 Risks are perceived and responded to in a coordinated and comprehensive fashion (risks must be compared to opportunities lost as a result of using scarce resources to address risks rather than opportunities).

Detailed Criteria/Audit Procedures

4.8.1 Assess whether or not there is evidence that the organization has identified all of the significant opportunities as well as risks and established priorities which guide the allocation of resources between risks and opportunities.

4.8.2 Assess whether or not similar risks are being recognized as such by the organization and, as a consequence, common contingency plans have been developed. Determine whether or not these common responses exploit whatever economies of scale are available (common insurance policies, common response team, etc.).

4.8.3 Determine whether or not all risks facing the organization have been brought together and compared in order to identify the highest risk perils.

4.8.4 Assess whether or not the resources spent by the organization to minimize risk have been appropriately focussed on the higher risk perils. Determine the correlation between the organization's expenditure and the reduction of overall risk. Determine the variance in risk for all identified threats both before and after, taking into consideration efforts which have been made to minimize those threats. The reduction of inter-threat variance should indicate that the organization is reducing its highest cost risks.

4.8.5 Determine whether or not the organization's expenditure for compensation has changed over time. Assess whether or not the changes noted are indicative of improving risk management.

(5) INDEMNIFICATION OF SERVANTS OF THE CROWN

Objective

5.0 To protect the interests of servants of the Crown respecting their liability to the Crown and to third parties, and to protect the interests of the Crown respecting its potential or actual liability arising from the acts or omissions of its servants.

Note: Specific areas of risk management, such as indemnification of servants of the Crown, are implied and referred to as part of the general framework for risk management. In this sense, they are covered in sections one through four of this guide. This section contains the criteria which are specific to auditing the policy on indemnification of servants of the Crown. When auditing risk management it is necessary to refer to sections one through four above and, in addition, those sections between five and nine which are applicable to the particular audit being undertaken.

Criteria

5.1 The organization has indemnified its employees and/or volunteers in accordance with government policy.

Detailed Criteria/Audit Procedures

5.1.1 Determine whether or not the servant or volunteer informed his or her employer or department at the earliest reasonable opportunity after becoming aware of a possible or actual claim or proceeding resulting from an alleged act or omission.

5.1.2 Determine whether or not the appropriate authorization forms were completed.

5.1.3 Where there has been any claim or proceeding, assess whether or not the counsel selected by the Attorney General of Canada has treated all communications with the servant in confidence consistent with counsel's obligation to protect the interests of the Crown.

5.1.4 Where there has been any disciplinary or civil action by the Crown against the servant, ensure that the Crown has not used information which was disclosed in confidence by the servant to the selected counsel.

5.1.5 Where there has been the possibility of conflict of interest and the Attorney General has declined to appoint counsel to act on behalf of a servant or instructed counsel to discontinue so acting, verify that the organization has ensured that the servant was informed of their entitlement to apply for assistance under the Legal Assistance Policy.

5.1.6 a) Determine whether or not the organization has maintained adequate records of the actual amounts of damage claims and of territorial, provincial and federal court awards paid by the Crown in application of this policy.

b) Determine whether the organization is in a position to provide accurate and timely information each year to the Public Accounts (damage claims, ex gratia payments, court awards and losses of property).

c) For property reports, verify that within the department a constant definition of items and basis of cost is being used.




(6) VOLUNTEERS

Objective

6.0 To ensure that volunteers, the Crown and third parties are protected against financial and other risks resulting from activities engaged in by volunteers acting within volunteer programs.

Note: Specific areas of risk management, such as the activities of volunteers, are implied and referred to as part of the general framework for risk management. In this sense, they are covered in sections one through four of this guide. This section contains the criteria which are specific to auditing the policy on volunteers. When auditing risk management it is necessary to refer to sections one through four above and, in addition, to those sections between five and nine which are applicable to the particular audit being undertaken.

Criteria

6.1 The organization has used volunteers appropriately and has undertaken measures to reduce the risks associated with the use of volunteers.

Detailed Criteria/Audit Procedures

6.1.1 Determine whether or not the organization evaluated the potential liability that volunteer activity could place upon the Crown.

6.1.2 Assess whether or not the organization determined what would be adequate materiel and support for volunteers consistent with the cost-effective use of government resources, the needs of the task and attendant risks.

6.1.3 Determine whether or not the organization selected the most appropriate means of underwriting volunteer risks and provided for related costs in its appropriations.

6.1.4 Verify that the organization assessed the potential for being vicariously liable for the actions of volunteers.

6.1.5 Determine whether or not the organization has held volunteers responsible for acting honestly and without malice and has not absolved them from exercising due caution and care of any Crown property entrusted to them.

Criteria

6.2 The organization has underwritten the volunteers' third party liability risks.

Detailed Criteria/Audit Procedures

6.2.1 Where an organization has chosen to allow the volunteers' personal insurance to cover liability, verify that the organization has assessed whether or not the existing insurance coverage of volunteers was adequate in relation to the risks of the volunteer activity.

6.2.2 Where an organization has determined that it will defray volunteers' insurance expenses, assess whether or not the additional insurance paid for was reasonable within the scope of the identified project and was purchased in a cost-effective manner.

6.2.3 Where an organization has determined that it would purchase the insurance for volunteers, verify that the insurance purchased was in conformity with the Contracting Policy and that the level and type of protection provided was similar to that in place for departmental employees facing comparable risks.

6.2.4 Where an organization has chosen to self-underwrite the volunteers' third party liability risks, determine whether or not the criteria specified in the policy on volunteers were met.

a) Determine that there was effective risk management.

b) Verify that there was an agreement between the organization and the volunteers. Verify that, except in unforeseen or emergency conditions, this agreement was in writing and that it described the volunteer activity, risk management (including insurance) provisions and the related conditions under which organizational resources were made available. Verify that preparations have been made for cases where volunteers can be called to respond to emergency situations promptly and without benefit of prior documentation.

c) Determine that the risks involved were within the organization's control.

d) Verify that the volunteers had the necessary qualifications and training.

e) Determine that, where relevant, the work environment met safety and health

6.3 The organization maintains records of actual costs of insurance premiums and deductions, claims and court awards paid by the Crown or to third parties.

6.3.1 Verify that the minimum level of recording incidents has been undertaken. This minimum level includes the name(s) of volunteer(s), name(s) of other parties involved, the official language used, type of claim, date of incident, dollar amount claimed, date of payment, legal opinion, authority for payment and any other information required for investigation and assessment of incidents.

(7) CLAIMS AND EX GRATIA PAYMENTS

Objective

7.0 To ensure the efficient and effective resolution of claims by and against the Crown arising from government operations.

Note: Specific areas of risk management, such as claims and ex gratia payments, are implied and referred to as part of the general framework for risk management. In this sense, they are covered in sections one through four of this guide. This section contains the criteria which are specific to auditing the policy on claims and ex gratia payments. When auditing risk management it is necessary to refer to sections one through four above and, in addition, to those sections between five and nine which are applicable to the particular audit being undertaken.

Criteria

7.1 The organization has undertaken investigations of incidents which could lead to a claim against the Crown or against a servant as soon as the organization became aware of an incident.

Detailed Criteria/Audit Procedures

7.1.1 Determine whether or not the investigation was conducted as soon as the organization became aware of the incident.

7.1.2 Determine whether or not the level of spending on investigations was commensurate with the amount involved in the claims.

7.1.3 Verify that the investigators collected the information required for a legal opinion to be obtained. The investigation report should include:

a) a full statement of the duties of any servants or volunteers involved;

b) where Crown property was involved, detailed information on that property;

c) statements from servants and other persons who had any knowledge of the circumstances surrounding the claim;

d) reports made to the police in connection with the incident;

e) a description of the incident including such plans, sketches or photographs as might have been required to understand the exact nature of the incident; and

f) any further information and material as might be required for a legal opinion.

Criteria

7.2 The organization has responded to a claim against the Crown in a manner which follows the procedures and dollar-threshold levels set out in the Policy.

Detailed Criteria/Audit Procedures

7.2.1 Verify that claims have been referred to the Justice Department as appropriate.

7.2.2 Determine whether or not the organization has followed the general guidelines specified in the policy for the various types of claim (i.e. claims in tort, claims associated with a contract, claims against servants of the Crown, claims between Crown organizations and claims under the Canadian Human Rights Act).

a) Verify that the documentation required was complete.

b) Verify that the activities specified for claims which exceeded specified dollar-thresholds have been carried out.

c) Where legal opinions are to be obtained, verify that they are obtained from the appropriate source.

7.2.3 Determine whether or not all claims against the Crown were supported by detailed statements of fact and copies of supporting documents.

7.2.4 Verify that the legal opinions obtained addressed the liability of the Crown, what steps should be taken to resolve the claim and the terms and conditions on which it would be advisable to resolve the claim.

a) Determine whether or not legal opinions addressed the cost-effectiveness of taking a selected course of action.

7.2.5 Assess whether or not, in deciding to make a liability payment, deputy heads considered the legal and other merits of the claim and the administrative expediency and cost-effectiveness of making the payment. Verify that a release was obtained when payment was made.

7.2.6 Assess whether or not, in deciding to make an ex gratia payment, deputy heads considered any other reasonable means of compensation.

7.2.7 Verify that compensation for loss of servants' effects was based on the full cost of replacing the effects or the reasonable cost to repair them and that the payment(s) covered only those items related to the servants' duties at the time of the incident.

7.2.8 Verify that the monies used to make payment of claims against the Crown were taken from the appropriate fund and that the organization against which the claim was made has been required to account for these funds.

7.2.9 Verify that the expenses associated with defending an organization against a claim were charged to the appropriation of that organization.

Criteria

7.3 The organization has acted on claims by the Crown in a manner which follows the procedures and dollar-threshold levels set out in the Policy.

Detailed Criteria/Audit Procedures

7.3.1 Assess whether or not the deputy head made every reasonable effort to obtain satisfaction of claims by the Crown while taking into account administrative expediency and cost-effectiveness.

7.3.2 Verify that the deputy head sought a legal opinion where substantial sums are at stake or where there is uncertainty as to the relevant facts or applicable legal principles.

7.3.3 Where the Crown has a claim against a servant and the deputy head intends to authorize retaining the amount of the claim by deduction from, or set-off against, any money that may be due or payable by the Crown to the servant, verify that the deputy head has notified the servant of the proposed retention and of his or her right to make representation to the deputy head within 30 days of such notification, and that the servant's representation, if any, was considered before making a final decision.

7.3.4 Verify that monies collected from a claim by the Crown were deposited to the credit of the Receiver General and were not credited back to an appropriation.

Note: There are exceptions to this general rule as in the case of insurance proceeds arising from construction contracts.

Criteria

7.4 Claims under the Canadian Human Rights Act are dealt with in accordance with provisions in the policy on claims and ex gratia payments.

Detailed Criteria/Audit Procedures

7.4.1 Assess whether or not the organization respects the investigation and conciliation procedures set out in the Canadian Human Rights Act.

7.4.2 Verify that the organization has treated a complaint of discriminatory practices lodged under the Canadian Human Rights Act as if it were a tort.

7.4.3 Verify that payments for Tribunal Orders which were made Federal Court Orders were treated as a statutory charge against the Consolidated Revenue Fund.

7.4.4 Where deputy heads have designated payment approval authorities within their departments, determine whether or not this was done with discretion and whether or not it was done in a manner that was consistent with departmental practices and the sensitive nature of human rights issues.

Criteria

7.5 Claims within and between Crown organizations are dealt with in accordance with provisions in the policy on claims and ex gratia payments.

Detailed Criteria/Audit Procedures

7.5.1 Where no other Crown organization or non-government organization was involved in an incident resulting in damage to public property, verify that the compensation and restoration were dealt with by the organization responsible.

7.5.2 Where there were claims between Crown organizations, verify that damages were dealt with on a basis of mutual forbearance of claims.

7.5.3 Where there were claims between departments and Crown corporations:

a) determine whether or not the parties voluntarily supplied each other with all of the information in their possession;

b) assess whether or not the parties attempted to come to a negotiated settlement either through correspondence or through the use of their legal officers; and

c) where negotiation failed, determine whether or not the issues of fact and law on which there is disagreement were submitted to the Deputy Attorney General of Canada, and verify that arbitrators were appointed in conformity with the policy on claims and ex gratia payments.

(8) FIRE PROTECTION, INVESTIGATION AND REPORTING

Objective

8.0 To ensure that the Crown's employees and property are protected from fire risks.

Note: Specific areas of risk management, such as fire protection, investigation and reporting, are implied and referred to as part of the general framework for risk management. In this sense, they are covered in sections one through four of this guide. This section contains the criteria which are specific to auditing the policy on fire protection, investigation and reporting. When auditing risk management it is necessary to refer to sections one through four above and, in addition, to those sections between five and nine which are applicable to the particular audit being undertaken.

Criteria

8.1 The organization has conformed to the fire safety standards issued under the authority of the Treasury Board's personnel policies on occupational safety and health, and the provisions for fire investigations and the reporting of fires.

Detailed Criteria/Audit Procedures

8.1.1 Determine whether or not the organization has advised, within 12 hours, the Fire Commissioner of every fire meeting any of the following criteria:

a) involving a fire death or fire injury

b) of suspicious origin

c) causing a loss of $250,000 or more

d) causing a significant interruption of essential federal services

e) necessitating immediate action to prevent a recurrence

f) involving a prestige or heritage building

8.1.2 Determine whether or not the organization has performed the following actions within 14 days of the occurrence of a fire or alarm:

a) conducted a preliminary examination of the fire and submitted a report to the applicable Labour Canada regional or district office;

b) submitted a fire casualty report for every fire death or injury;

c) submitted reports of any formal fire investigations undertaken subsequent to the preliminary examination stage; and

d) investigated and recorded fire alarms not triggered by fire.

8.1.3 Verify that the organization co-operated with and assisted authorized fire investigators in performing their duties associated with this policy.

8.1.4 Determine whether or not the organization implemented any recommendations resulting from fire investigations.

8.1.5 Verify that the organization estimated any fire losses in accordance with policy guidelines.

8.1.6 Verify that the organization consulted with the fire commissioner's office regarding the need for a building inspection after a fire.

Criteria

8.2 The Fire Commissioner of Canada has administered and enforced the provisions of this policy. (This criterion applies only to the Department of Labour.)

Detailed Criteria/Audit Procedures

8.2.1 Verify that the fire commissioner has made suitable arrangements with other authorities regarding investigations and reporting of fire losses including:

a) Investigating or ensuring investigation by qualified fire investigators, of the cause, origin and circumstances of any fire.

b) Reviewing and processing all fire reports.

c) Monitoring and reporting to organizations on the implementation of recommendations contained in reports such as those on fire investigations and coroners, and reporting to the Treasury Board Secretariat instances of non-compliance that are deemed in conflict with Treasury Board's fire-protection policy or standards. Comments of the organizations concerned should be attached to reports to the Treasury Board.

d) Assessing and applying the qualification criteria for fire investigators and determining the need to undertake formal fire investigations.

e) Correlating and disseminating national and federal fire-loss statistics.

f) Submitting to Treasury Board Secretariat within 90 days of the fiscal year end, a consolidated fiscal-year summary report of Fire Losses in Government of Canada Properties indicating:

- any perceivable major trends in fire losses;

- fire prevention measures recommended to minimize such losses in future years;

- the total number of fires, deaths and injuries and total property-loss values; and

- a summary of major fire losses, including the locations and descriptions of the properties, the dates and causes of the fires and the estimated losses.

(9) PROVISION OF LEGAL ASSISTANCE TO CROWN SERVANTS

Objective

9.0 To ensure that servants, if they have acted within the scope of their duties and have met reasonable departmental expectations, receive legal assistance in any of the following circumstances:

a) they are required to appear before, or be interviewed in connection with, a judicial, investigative or other inquest or inquiry;

b) they are sued or threatened with a suit;

c) they are charged or likely to be charged with an offense; or

d) they are faced with other circumstances that are sufficiently serious as to require legal assistance.

Note: Specific areas of risk management, such as the provision of legal assistance to Crown servants, are implied and referred to as part of the general framework for risk management. In this sense, they are covered in sections one through four of this guide. This section contains the criteria which are specific to auditing the policy on provision of legal assistance to Crown servants. When auditing risk management it is necessary to refer to sections one through four above and, in addition, to those sections between five and nine which are applicable to the particular audit being undertaken.

Criteria

9.1 The organization has followed the procedure outlined in the Policy when determining whether or not to provide legal assistance and the type of legal assistance to be provided.

Detailed Criteria/Audit Procedures

9.1.1 Verify that servants requesting legal assistance have made a complete report to the organization's management of the incident leading to the requirement.

9.1.2 Verify that servants have informed their supervisors whenever an incident took place that could give rise to the need for legal counsel or which might occasion a claim against the Crown.

9.1.3 Verify that the organization has ensured that servants received timely advice on their possible entitlements under this policy.

9.1.4 Verify that the deputy head or the deputy head's delegate sought the advice of the Department of Justice on the need for legal counsel and the appropriateness of a Department of Justice agent, or if required, private counsel to provide the legal assistance.

9.1.5 Verify that servants who have been denied legal assistance have been informed that they may ask for reconsideration of the request at subsequent stages of the legal proceedings.

9.1.6 Where private counsel has been engaged, verify that the payment of legal fees and disbursements had been authorized in accordance with the policy's dollar thresholds.

Criteria

9.2 The payment of any judgment has been made in accordance with the Policy.

Detailed Criteria/Audit Procedures

9.2.1 Verify that servants for whom payments were made were eligible for indemnification under the policy for indemnification of servants of the Crown.

9.2.2 Verify that the payment on a claim and the costs associated with defending a servant of the Crown were taken from appropriate accounts.

9.2.3 Verify that the organization has not reimbursed legal fees and expenses where a servant has been denied legal assistance regardless of whether or not there has been an acquittal or dismissal of the case.

9.2.4 Where a servant has engaged private counsel prior to receiving approval by the deputy head, verify that consideration has been given to having the servant pay for the resulting legal fees. As a new request for payment of legal fees must be made and assessed at each stage of the judicial process, such consideration may occur several times in one case.

9.2.5 Where a servant has engaged private counsel when, in the opinion of the Department of Justice, there was no conflict of interest or other factors preventing the conduct of the defence by the Department of Justice, then verify that the payment of legal fees, costs and of any judgment were made by the servant unless the employing organization had submitted a request for partial or full reimbursement.

9.2.6 Where a servant has engaged private counsel and the deputy head has not been satisfied that the choice of counsel was reasonable and the servant has decided to retain this counsel, verify that the servant has been made personally responsible for any part of the fee deemed excessive.

9.2.7 Where a servant has been given leave to engage private counsel, verify that the organization has informed the servant and the counsel in writing of the limits of the Crown's commitment in terms of both total expenditures and approved fee schedules and of the requirement for the reviewing of accounts by the Department of Justice.

9.2.8 Where a case involved offences, verify that payments by the Crown did not include any fine or costs of prosecution.

9.2.9 As a new request for payment of legal fees must be made and assessed for each stage of the judicial process, ensure that such requests are being made.

Criteria

9.3 The organization has provided counsel in accordance with the Policy.

Detailed Criteria/Audit Procedures

9.3.1 Where there have been civil cases and the Department of Justice has assumed the provision of legal assistance including the conduct of the litigation, verify that the Department rather than the servant has selected and instructed counsel.

9.3.2 Where the Department of Justice has determined that there is a conflict of interest and the servant is given leave to engage his or her own private counsel, verify that the name and fee schedule of the private counsel have been approved by the deputy head before the servant engaged counsel.

Criteria

9.4 The organization has maintained records of the actual amounts paid in legal fees and related expenses.

Detailed Criteria/Audit Procedures

9.4.1 Ensure that the organization has maintained an appropriate set of records documenting the amounts paid in legal fees, related expenses, cases involved and any lessons learned which will prevent recurrence.