Treasury Board of Canada Secretariat

ARCHIVED - Horizontal Internal Audit of Corporate Risk Profiles in Large Departments and Agencies



Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Executive Summary

The objective of the audit was to determine whether systems and practices for corporate risk management ― specifically, those associated with corporate risk profiles (CRPs) ― are in place to ensure that strategies exist for identifying and mitigating corporate risks within large departments and agencies (LDAs). We examined how corporate risk management processes are governed, what systems and practices are used to develop them, how they are incorporated into business planning, and how LDAs report on corporate risk management performance.

Why this is important

A CRP helps a department or agency develop an over-arching strategy for managing risk. It contains a list of the highest priority corporate-level risks for the organization and strategies to help ensure these risks are well managed – risk can never be eliminated, it can only be managed. It is therefore important for an organization to regularly identify activities or threats that may prevent it from achieving its objectives. More importantly, an organization needs to develop strategies to mitigate those risks. Corporate risk management enables an organization to realign its resources or priorities to help ensure its continued success. Risk management has been identified as one of the key management areas to be assessed by the Treasury Board of Canada Secretariat, government-wide, on an annual basis.

Overall assessment

Governance models for corporate risk management have been established in most LDAs. In addition, most LDAs have assigned risk management duties to individuals or committees at the senior management level, and generally, LDAs have senior management support for developing and implementing CRPs.

Across the LDA community, corporate risk management systems and practices are still under development. Although many LDAs have invested significant human resources to develop CRPs and their systems and practices, further development is required to address all aspects of effective risk management.

Most LDAs have not fully integrated corporate risk management into their business and strategic planning processes. Some LDAs have only recently developed their CRPs and have not yet completed the implementation process. The integration of risk management into business and strategic planning remains the next step for most LDAs.

Although reporting on the success of corporate risk management activities is critical in determining whether CRP activities have been effective, few departments have had a formal CRP process in place long enough to integrate it into their departmental performance-reporting activities. Consequently, most LDAs are not able to report on how effectively their CRPs are helping them achieve their strategic objectives.

Conclusion

Overall, while LDAs have made a concerted effort to develop CRPs, their corporate risk identification and mitigation efforts are not yet aligned. Most LDAs have established governance models for corporate risk management, which will enable a coordinated and consistent approach to risk management. The systems and practices in place used to develop corporate risk management in LDAs are still maturing and will require further development. Most LDAs still need to integrate their CRPs into their business and strategic plans to achieve full implementation. Performance reporting on corporate risk management remains a future activity for most LDAs.

The Internal Audit Sector of the Office of the Comptroller General has asked chief audit executives to ensure management in their respective departments and agencies prepare detailed Management Action Plans and to have these plans endorsed by their department and agency audit committees. There were strong indications that improvements would be pursued. The department and agency audit committees will periodically receive reports from management on the actions taken where Management Action Plans are in place.

Statement of Assurance

In my professional judgment as Assistant Comptroller General, Internal Audit Sector, sufficient and appropriate procedures and evidence gathering were performed to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of September 9, 2009, in the departments reviewed, against pre-established audit criteria. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.[1]


Brian M. Aiken
Assistant Comptroller General
Internal Audit Sector, Office of the Comptroller General

Background

The Treasury Board Policy on Internal Audit requires the Comptroller General to lead horizontal audits in large departments and agencies (LDAs). Horizontal audits are designed to address risks that transcend individual departments in order to report on the state of governance, controls and risk management across the Government of Canada. This report presents the results of the horizontal audit on corporate risk profiles (CRPs).

Risk management is about identifying uncertainties or threats that could prevent an organization from achieving its objectives. More importantly, it is also about developing and implementing strategies to minimize and manage risks. These risks can range from the obvious (fire damage or computer failures) to the more hypothetical (missed opportunities from ineffective resource allocation).

In 2001, risk management was identified as a key government priority that promised Canadians more accountability from government. The Integrated Risk Management Framework (IRMF) developed by the Treasury Board of Canada Secretariat (the Secretariat) shortly thereafter provided guidance for departments and agencies in developing a targeted risk management strategy. The IRMF remains the foundation for risk management in the Government of Canada, and LDA performance in risk management is one of the 10 key management areas annually assessed by the Secretariat.

The IRMF was designed to help define the key elements that an organization should consider in order to manage its risks effectively. It provides guidelines on what an organization should expect from a risk management function and which key components or activities should be included in the process.

A corporate risk profile builds on the IRMF by compiling all corporate risk management information into one strategic document and provides a clear direction for risk management. Ideally, a CRP should feed into an organization's business and strategic planning process. Before finalizing budgets and human resource plans, organizations often step back from their day-to-day business activities to identify threats to organizational goals. The CRP expands on this discussion and provides a guide for managing risks. Once the organization has a clear understanding of the uncertainties that it faces and how to deal with them, the organization can then proceed with its regular business planning and will be more confident of its chances for success.

Risk management has been an important part of operations in all departments and agencies for many years. In order to deliver services and programs to Canadians, organizations must consider any risks that will threaten their operations. Risks at the operational level reflect day-to-day activities and, as such, may differ from region to region.

A corporate risk differs from an operational risk in its scope: corporate risk management may not directly affect day-to-day operations, but rather the organization's programs as a whole. Much as operational offices and corporate offices may develop their own unique, but equally important, business plans, a corporate risk profile identifies those risks that threaten overall organizational objectives. Some operational risks may be identified locally, but without organizational planning, the resources needed to manage those risks may not be suitably deployed.

An organization that is successful in risk management will integrate risks at both the operational and the corporate levels. This audit, however, focuses only on corporate risk management.

Audit Objectives, Scope and Approach

Objectives and scope

The objective of the audit was to determine whether systems and practices for corporate risk management ― specifically, those associated with CRPs ― are in place to ensure that strategies exist for identifying and mitigating risks within the operations of LDAs. We examined how corporate risk management processes are governed, what systems and practices are used to develop them, how they are incorporated into business planning, and how LDAs report on corporate risk management performance.

The scope of this audit engagement included CRP-related activities in place in a sample of LDAs as of September 9, 2009. It focused on systems, processes and practices used in the development, refinement, communication and implementation of CRPs.

Audit approach

The audit was conducted in two phases. Consultants were engaged to support the Office of the Comptroller General audit team in both phases.

Phase 1

To select the LDAs to be included in the audit, we performed an analysis of risk management practices in all LDAs using government-wide assessments of effective corporate risk management as well as a preliminary review of key corporate risk documents. We ensured that our selection captured a spectrum of performance levels for corporate risk management. On the basis of this analysis, we chose the 13 LDAs listed in Appendix 1.

Phase 2

The audit consisted of three methods of examination, each equally weighted in the final results. First, we had the 13 LDAs complete a self-assessment survey about their interpretation of risk management. We then carried out an extensive document review to assess the CRPs and the processes that feed them. Documents that we examined included business plans, performance-reporting documents and the CRP itself. Finally, we interviewed personnel representing all areas of corporate risk management, from planning to implementation. The results of all three examinations were then compiled to ensure consistent and balanced assessments.

Detailed Findings and Recommendations

Finding 1: Governance and continuous improvement

Most LDAs have senior management support in developing and implementing CRPs.

We examined the governance models that LDAs have established for developing CRPs. We examined how effectively the risk management strategies were being communicated throughout the organization and whether required training was being provided to assist managers and employees in practising risk management. Finally, we examined how the LDAs assessed the continued relevance of the CRP, ensuring its applicability in a changing environment.

We expected that LDAs would have clearly defined governance structures for risk management and for the development and maintenance of CRPs. An effective governance process typically involves a senior management body that is responsible for coordinating all stages of CRP development, from designating persons responsible for each task to coordinating each activity. Once developed, the strategy should be communicated to as many managers and employees as is deemed appropriate. The risk management strategy should also be periodically reviewed and updated to ensure that it continues to meet the organization's requirements.

Risk management should be applied consistently within an LDA to ensure a common understanding of priorities; because it is an organizational initiative, the over-arching national strategy for risk management should be uniform from branch to branch. Management at the highest level must be involved to ensure that the same approach to risk management will be used in all areas of the organization. Senior management's communication to managers and staff is necessary to ensure that risk management is consistently applied throughout the organization. Risk management strategies must also be regularly updated; a strategy that remains unchanged for an extended time leaves the organization exposed to newly emerging risks for which no mitigation strategy has been developed.

LDAs have developed risk management governance structures supported by departmental policies. Generally, LDAs have assigned the governance of risk management to senior management. Some departments have created the position of chief risk officer, with responsibility for addressing risk management on a full-time basis; other LDAs have tasked senior management committees with developing risk management strategies. Most departments are also using their established governance structures to coordinate CRP development, with defined expectations and timelines. However, a few LDAs have not yet defined their governance structures for risk management, resulting in a lack of accountability for risk management activity.

The levels of risk management-related communications and training vary across LDAs. The effectiveness of communications on risk management from senior management to the rest of the organization varies. Most LDAs rely on regional or operational groups to communicate their risk management strategies; a few LDAs have ensured that communications and activities are consistent with the organizational goals for risk management. Most LDAs provide training on risk management: some forms of training consist of general discussions about the concept of risk management; others are designed to be practical tools for implementing the organization's risk management strategies.

LDAs plan to conduct annual reviews of their risk management practices. We found evidence that LDAs have begun to examine the continued relevance of their CRPs on a regular basis. In fact, most LDAs have committed to reviewing their CRPs annually. However, because most LDAs have only recently developed their CRPs, evidence of this review cycle was not yet available.

With senior management support for risk management, the potential exists for LDAs to achieve long-term success in implementing risk management strategies. Best practice suggests that an organization develop a policy detailing which positions within the organization will be responsible for risk management and what the roles and responsibilities (broken down by subactivity) will be. Some LDAs have their external audit committees assist with reviews of their risk management processes or the performance of their CRPs. Some LDAs have also established regular annual schedules for the audit committee to discuss risk management.

Recommendations

1. While the majority of LDAs have established governance structures for corporate risk management, those who have not should assign roles and responsibilities for corporate risk management to an individual or group of individuals at the senior management level.

2. LDAs should annually review their corporate risk profiles to ensure that they continue to address relevant and current risks.

Finding 2: Systems and practices

Corporate risk management systems and practices in LDAs are in the early stages of development and implementation.

We examined the risk identification processes used by LDAs and the tools supporting risk management. One risk identification tool typically used is an environmental scan, which is a series of extensive assessments of external and internal threats and opportunities. We examined whether this tool was designed to incorporate organization-wide feedback to ensure that information from all business lines was included in the development of risk identification and risk management. Another risk identification tool is the likelihood and impact scale, which rates the likelihood that a risk will take place and how deeply its impact would be felt by the organization. Likelihood and impact scales should be further refined to determine an organization's risk tolerance. Organizations may determine that they cannot tolerate risks that would have a major impact, even if these risks are unlikely, and therefore may need to design mitigation efforts in these areas. Risk tolerance will vary from organization to organization. However, risk tolerance must be defined and consistently understood so that mitigation efforts can be applied in every sector.

We expected that existing tools, such as environmental scans, would be used to collect information on risk throughout an LDA. These tools would incorporate information from all branches and all business lines, with links to the objectives of the LDA. We also expected that defined processes would be in place for conducting risk identification exercises to ensure that the processes were complete and could be applied in a consistent manner. Methods for devising a risk management strategy should be developed and understood by all participants involved in the exercise.

Corporate risk management systems and processes are important because risks come from all areas of an LDA, and all areas should be involved in identifying risks and developing a risk management strategy. All managers and employees across the organization should be able to easily understand the identified risks and to apply the risk mitigation strategies to their business lines. Furthermore, risk identification should amalgamate all risks into one cohesive strategy. While risks from all areas of the organization should be identified and addressed, without centralized coordination it is more likely that the national-level strategy will become fragmented and fail. Furthermore, risk tolerance needs to be clearly understood and communicated throughout the organization to ensure that all managers are operating under the same risk management assumptions, and that they are deploying their resources accordingly.

Integration of branch risks with organizational risks varies across LDAs. While most LDAs ensure that broad consultations across their organizations are used to incorporate a significant number of risks, some LDAs place a greater emphasis on branch and day-to-day risks than on the medium- to long-term risks that affect the organization as a whole. As a result, many risk identification exercises lack a coordinated vision and concern internal risks only. Furthermore, few LDAs address external risks in their mitigation strategies. Some departments are using formal environmental scans to ensure that all risks, internal and external, are identified.

Risk tolerance in LDAs is not well understood. Most LDAs have developed likelihood and impact scales to help prioritize their risk mitigation efforts. However, the use of risk tolerance to determine the threshold for risks that are not acceptable, and that therefore require immediate attention, has generally not been defined. Without a commonly understood risk tolerance throughout the organization, managers and employees have to determine risk tolerance individually, which may not be aligned with corporate risk management or Canadian values. Some LDAs have requested further guidance in this area, as there has been little coordination community-wide.

Recommendations

3. LDAs should ensure that the process used to identify corporate risks integrates branch risks and overall organizational risks and that it identifies external risks. This process should be formalized in their risk-scanning tools, such as environmental scans.

4. LDAs should ensure risk tolerance is commonly understood and communicated throughout the organization.

Finding 3: Business and strategic planning

Corporate risk management is not directly integrated into business and strategic planning.

We examined the LDAs' business and strategic plans to determine whether risk management was being integrated into business activities and planning. We expected that risk management strategies would be developed in advance of the annual business planning cycle to ensure that they were reflected in the business plan. The development of the CRP should be included in a pre-established business cycle, integral to the overall process. Linking the CRP to an organization's business and strategic objectives will ensure that the organization's risk management strategy is aligned with its business activities.

Since the CRP is designed to aid the achievement of corporate objectives, it is an important element of an organization's annual business plan. If the CRP is developed before implementation of the business plan, risk mitigation strategies can be incorporated into the year's planned activities. Having a CRP fully integrated with business planning helps ensure that risk mitigation strategies become operational and that resources are effectively distributed to implement the strategies. This integration increases the chances that risk management will evolve from a strategy into a practice used by managers and employees throughout the organization.

Most LDAs develop their CRPs too late in the year to integrate them with their corporate business plans. Although most LDAs stated that they wished to integrate their CRPs with their business plans, to date, few have succeeded. Only a few CRPs were developed in time for the 2009–10 business planning cycle, preventing risk management strategies from being incorporated into business activities. Many LDAs declared their intentions to fully integrate both processes in the near future.

Recommendation

5. LDAs should develop, finalize and approve their corporate risk profiles early in the fiscal year and incorporate them into the business planning process.

Finding 4: Monitoring and performance

LDAs have not yet established formal processes for performance reporting on corporate risk management.

We examined the processes that LDAs have established to monitor performance in managing risk. These included annual business planning processes, evidence of periodic reviews by those responsible for governance over risk management, and annual Departmental Performance Reports (DPRs). Typically, monitoring represents the final stage of a mature risk management process; once the risk management strategy has been developed and implemented, the performance of the risk management strategy is assessed to ensure that it meets the needs of the organization.

We expected that performance reporting would clearly address an organization's performance of risk management related to its business and strategic objectives. We also expected that performance reporting would determine whether risk mitigation strategies helped an organization achieve its objectives.

Without measurable performance, it is not possible to determine how well an organization is mitigating the risks that threaten its business objectives. It is also important to formalize and document the performance measurement requirements and processes so that the entire organization is aware of expectations and results.

LDAs are not reporting on the performance of their risk management strategies. While the underlying CRPs are often directly linked to an organization's strategic objectives, DPRs generally do not provide details on the success of risk management strategies. A few LDAs include risk management performance in their DPRs, while a few also mention risk management but do not provide a detailed description of their performance. Most LDAs do not mention risk management in their DPRs in a meaningful manner. Because most LDAs develop risk management strategies independently of their business plans, performance reporting generally reflects the outcomes of the business activities, but not the risk management activities that contributed to these outcomes.

Few departments have had a formal CRP process in place long enough to integrate it into departmental performance-reporting activities. Fewer than half of the LDAs included in this audit had an updated and approved CRP by December 31, 2008. While LDAs are generally committed to the development of a CRP, progress in performance reporting on the effectiveness of their risk management is not yet evident.

Recommendation

6. LDAs should integrate performance of corporate risk management into the Departmental Performance Report to ensure reporting against the corporate risk profile's effectiveness.

Conclusion

Overall, while LDAs have made a concerted effort to develop CRPs, their corporate risk identification and mitigation efforts are not yet aligned. Most LDAs have established governance models for corporate risk management, which will enable a coordinated and consistent approach to risk management. The systems and practices in place used to develop corporate risk management in LDAs are still maturing and will require further development. Most LDAs still need to integrate their CRPs into their business and strategic plans to achieve full implementation. Performance reporting on corporate risk management remains a future activity for most LDAs.

Management Action Plans

The findings and recommendations of this audit were presented to each department and agency included in the scope of the audit. The audit results and recommendations received positive reactions from responsible officials within LDAs. The Internal Audit Sector of the Office of the Comptroller General has asked chief audit executives to ensure management in their respective departments and agencies prepare detailed Management Action Plans and to have these plans endorsed by their department and agency audit committees. There were strong indications that improvements would be pursued. The department and agency audit committees will periodically receive reports from management on the actions taken where Management Action Plans are in place.

Deputy heads of LDAs not included in the scope of this audit will take into account the results of this horizontal internal audit and develop Management Action Plans as necessary. They may also choose to brief their department and agency audit committees on this audit.

Appendix 1: Departments and Agencies Included in the Audit Engagement

  • Canadian Food Inspection Agency
  • Canadian International Development Agency
  • Canadian Space Agency
  • Economic Development Agency of Canada for the Regions of Quebec
  • Fisheries and Oceans Canada
  • Foreign Affairs and International Trade Canada
  • Human Resources and Skills Development Canada
  • Indian and Northern Affairs Canada
  • Parks Canada
  • Public Works and Government Services Canada
  • Royal Canadian Mounted Police
  • Statistics Canada
  • Transport Canada

Appendix 2: Objectives and Related Criteria

The objective of the audit was to determine whether systems and practices for organizational risk management — specifically, those associated with corporate risk profiles (CRPs) — are in place to ensure that strategies exist to identify and mitigate risks within the operations of large departments and agencies (LDAs).

Objective: To determine whether effective and efficient systems and processes are in place to support the development of CRPs, including risk identification, assessment and prioritization

Criteria:
  • An LDA should have a documented and effective approach and processes to develop its CRP.
  • An LDA should have a formal governance structure to guide the development of its CRP.

Objective: To determine whether systems and processes are in place that effectively respond to the changing risk environment

Criteria:
  • An LDA should have systems and processes in place to continuously improve, refine and update its CRP.

Objective: To determine whether effective interfaces exist between CRPs, business objectives and performance measurement

Criteria:
  • An LDA should align and integrate its CRP with strategic and business planning.
  • An LDA should align and integrate its CRP with performance measurement reporting.

Appendix 3: Risk Ranking of Recommendations

The following table presents the recommendations and assigns risk rankings of high, medium or low. Risk rankings were determined based on the relative priorities of the recommendations and the extent to which the recommendations indicate non-adherence to the principles of the Integrated Risk Management Framework (IRMF).

1. While the majority of LDAs have established governance structures for corporate risk management, those who have not should assign roles and responsibilities for corporate risk management to an individual or group of individuals at the senior management level.
   Priority: High

2. LDAs should annually review their corporate risk profiles to ensure that they continue to address relevant and current risks.
   Priority: Medium

3. LDAs should ensure that the process used to identify corporate risks integrates branch risks and overall organizational risks and that it identifies external risks. This process should be formalized in their risk-scanning tools, such as environmental scans.
   Priority: Medium

4. LDAs should ensure risk tolerance is commonly understood and communicated throughout the organization.
   Priority: Medium

5. LDAs should develop, finalize and approve their corporate risk profiles early in the fiscal year and incorporate them into the business planning process.
   Priority: High

6. LDAs should integrate performance of corporate risk management into the Departmental Performance Report to ensure reporting against the corporate risk profile's effectiveness.
   Priority: Medium

Appendix 4: Links to Applicable Policies, Management Frameworks, Standards and Guidance

[1] This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing. However, the Office of the Comptroller General has not undergone an external assessment at least once in the past five years or been subject to ongoing monitoring or to periodic internal assessments of its horizontal internal audit activity that would confirm its compliance with these standards.