Audit of Risk
Management
November 2, 2011
Key Dates
Opening conference date (launch memo): July 2010
Audit plan sent to management date: N/A
Closing conference date (exit debrief): September 2011
Audit report sent to management date: October 2011
Management response received date: October 2011
Penultimate draft report approved by Chief Audit Executive (CAE) date: October 2011
Audit committee recommended date: November 2011
Deputy Minister approval date: January 2012
List of Acronyms
CRP - Corporate Risk Profile
EC - Environment Canada
EMC – Executive Management Committee
IRM - Integrated Risk Management
PAA – Program Activity Architecture
TB - Treasury Board
TBS - Treasury Board Secretariat
Prepared by the Audit and Evaluation Team
Acknowledgments
The audit team, comprised of Dennis Malchuk, Audit Manager, and Lise Gravel, Senior
Auditor, under the direction of Jean Leclerc, would like to thank those individuals who
contributed to this project and, particularly, the employees who provided insights and
comments as part of this audit.
Table of Contents
1 INTRODUCTION ... 1
1.1 Background ... 1
1.2 Objective and Scope ... 1
1.3 Methodology and Assurance ... 2
2 FINDINGS AND RECOMMENDATIONS ... 3
2.1 Corporate Risk Profile ... 3
2.2 Establishing an Integrated Risk Management Function ... 4
2.3 Practicing Integrated Risk Management ... 4
3 CONCLUSION ... 6
Annex 1 - Audit Criteria ... 7
Environment Canada
1 INTRODUCTION
This audit was included in the 2010-2011 Departmental Annual Risk-Based Audit and
Evaluation Plan, which was approved by the Deputy Minister in early spring 2010, as
recommended by the External Audit Advisory Committee.
1.1 Background
Risk Management is part of the Government of Canada’s vision for responsible
stewardship. The 2009 Treasury Board (TB) Policy on Internal Audit and the related
Directive on Departmental Audit Committees identify risk management as one of the
key areas requiring the attention of Departmental Audit Committees.
Environment Canada (EC) is still in the early implementation stages for using an
integrated risk management approach. It has taken several measures, including
implementing a corporate governance structure, and developing and updating the
2010-2011 Corporate Risk Profile (CRP). It has also implemented, in the context of the
2011-2012 planning process, an approach to identify risks for all Program Activity
Architecture elements.
In addition, EC has developed a draft IRM framework. The framework is intended to be a
“foundational document that formalizes the expected roles and responsibilities of risk
management for departmental officials” and to “provide guidance and assistance to
managers on the standardized or consistent approach needed to ensure that
information can be easily shared, aggregated and analyzed at all levels of the
organization”.
1.2 Objective and Scope
The objective of the audit was to provide reasonable assurance that effective
management controls are in place to support integrated risk management (IRM) across
the Department, in particular:
• the development of a corporate risk profile;
• the establishment of an integrated risk management function; and
• the practice of integrated risk management.
The bullets above are three of the key elements reflected in the 2004 Treasury Board
Secretariat (TBS) Integrated Risk Management Policy and Implementation Guide, and in
the new TBS IRM Framework released in August 2010. Audit criteria have been
developed for each of them (Annex 1).
The audit looked at the Department’s organizational risk management in the 2010/2011
fiscal year. Field work was completed in September 2011.
The audit assessed the overall approach and process for integrated risk management at
Environment Canada (EC). It did not attempt to assess the adequacy and effectiveness
of risk assessment and mitigation measures contained in the Corporate Risk Profile
(CRP) or to identify and/or analyze the full complement of risk management practices
and processes across the Department.
In addition to this audit report, a management letter will be used to bring to the attention
of management other observations of lesser importance.
1.3 Methodology and Assurance
The audit work included:
1) an examination of documentation;
2) interviews with managers; and
3) benchmarking of the IRM approach against that of other departments.
This audit has been conducted in accordance with the International Standards for the
Professional Practice of Internal Auditing and the Policy on Internal Audit of the Treasury
Board of Canada.
In our professional judgement, sufficient and appropriate audit procedures have been
conducted and evidence gathered to support the accuracy of the conclusions reached
and contained in this report. The conclusions were based on a comparison of the
situations, as they existed at the time, against the audit criteria.
2 FINDINGS AND RECOMMENDATIONS
2.1 Corporate Risk Profile
The latest CRP (2010-2011) was approved by senior management in September 2010.
That CRP identifies corporate risks common to many programs in the department and
therefore focuses on “administrative” types of risks, mainly risks relating to financial
management or human resources management. However, that CRP did not include
risks specific to programs.
During the planning exercise for 2011-2012, the department implemented a formal
process to identify risks for all PAA elements. The process included an integrated risk
management toolkit that provided a consistent approach to identify risk in the
department. While this can be a useful source of information for program specific risks,
the results of this planning exercise have not yet been integrated into a revised version
of the CRP.
The 2010-2011 CRP also included only a limited external environmental scan. Such a
scan is important to ensure external factors such as the economic, social and technical
environments are taken into account when identifying risks.
Finally, an important element of senior management direction and communications for
integrated risk management is the concept of risk appetite or risk tolerance in the
Department. This is defined as the willingness throughout an organization to accept or
reject a given level of residual risk. Our audit work has confirmed that this has not been
formally integrated into the CRP.
Recommendation 1
The Chief Financial Officer / Assistant Deputy Minister, Finance Branch, in collaboration
with the Executive Management Committee should include in the next Corporate Risk
Profile: program risks, a complete external environmental scan and the notion of risk
tolerance.
Management Response
Management Concurs.
The 2011-13 CRP will aim to include the key, high level Program Activity risks in addition
to an environmental scan as it pertains to the risk environment, and the notion of risk
tolerance.
2.2 Establishing an Integrated Risk Management Function
Senior management leadership and commitment for integrated risk management have
been demonstrated at the executive and corporate levels. A risk management function
has been established in the Corporate Management Directorate, Finance Branch. This
function is responsible for updating the CRP and providing functional IRM support to the
Department. Risk is also discussed at the Executive Management Committee (EMC),
which also reviews and approves the CRP.
From our interviews, EMC members seem to understand how risk is managed at the
corporate level and in their organization. Our interviews indicated that the concept of
integrated risk management was much less clear at lower management levels, including
the program level. IRM roles and responsibilities are still not well understood and/or
communicated through all levels of the Department.
A draft IRM Framework that includes roles and responsibilities for risk management has
been developed, but, as of mid-September 2011, has not yet been approved.
Without clear roles, responsibilities and accountabilities for integrated risk management,
there is a risk that people may be “working in silos” and may not be working in an
organized and systematic manner; this can impact the quality, reliability and relevance
of the risk information that supports management decision making and priorities.
Recommendation 2
The Chief Financial Officer / Assistant Deputy Minister Finance Branch, in consultation
with EMC, should complete the IRM Framework and communicate IRM roles,
responsibilities and accountabilities, across the Department.
Management Response
Management Concurs.
The IRM Framework (which includes IRM Roles and Responsibilities) was presented to
EMC on September 28, 2011. It is currently being revised to address final comments
from the DM.
Once signed by the DM and Associate DM, the Framework will be translated and posted
on the IRM intranet site and communicated to all employees via News@EC and the EC
Risk Management Community of Practice.
2.3 Practicing Integrated Risk Management
As mentioned above, the department has conducted a systematic risk assessment for
all PAA elements in the context of the 2011-2012 planning exercise. That risk
assessment included an identification of risks, their extent, the possible consequences
and the mitigation strategies. Our review indicated that the risk assessments were
uneven across the PAA elements.
In addition, the 2011-2012 planning exercise did not include all elements of risk
management, in particular the active monitoring of risk and the accompanying mitigation
measures. Overall, we can conclude that, although EC has made progress in integrated
risk management, it lacks a cohesive and integrated process across the Department.
Finally, the 2010-2011 CRP includes risk mitigation measures, but lacks clear
responsibilities, accountabilities and timelines for these measures.
Recommendation 3
The Chief Financial Officer / Assistant Deputy Minister, Finance Branch should ensure
the Integrated Risk Management Framework provides a cohesive risk management
process for the department.
Management Response
Management Concurs.
The IRM Framework (which provides a cohesive risk management process for the
Department) was presented to EMC on September 28, 2011. It is currently being
revised to address final comments from the DM.
A more detailed process for developing and updating the corporate risks will be outlined
in the 2011-13 CRP.
Corporate Management Directorate will examine ways to ensure that risk management
is embedded in planning, reporting and decision-making processes throughout the
Department.
3 CONCLUSION
Risk Management is part of the Government of Canada’s vision for responsible
stewardship. The audit confirmed that the Department is still in the early implementation
stages of using an integrated risk management approach.
There is a governance structure in place at the corporate level and senior management
is engaged in the process. A draft IRM framework has been developed, including roles
and responsibilities, but has not yet been approved. The CRP has been developed and
routinely updated, but still lacks some of the key elements, such as completing an
external assessment, identifying and communicating “risk tolerance”, active monitoring
and identifying (and/or incorporating significant) program risks.
Annex 1 - Audit Criteria
Corporate Risk Profile
• EC has developed, approved, and made available its CRP.
• The organization’s risks are identified and adjusted through ongoing internal
and external environmental scans and analysis.
• The current status of the risk management approach and process within the
organization is assessed and recognized in planning to manage
organization-wide risks.
• The organization’s risk profile is identified - key corporate risk areas,
stakeholders’ risk tolerance, ability and capacity to mitigate risk, and
learning needs.
Establishing an Integrated Risk Management Function
• Management direction on risk management is communicated, understood,
and applied - vision, policies, and operating principles.
• Integrated risk management is implemented through existing decision-making
processes and reporting structures - governance, clear roles and
responsibilities, and performance reporting.
• Capacity is built through the development of learning plans and tools so
that risks are understood, managed, and communicated.
Practicing Integrated Risk Management
• A common risk management process is consistently applied at all levels
so that risks are understood, managed, and communicated.
• Results of risk management practices at all levels are integrated into
informed decision-making and priority setting - strategic, operational,
management, and performance reporting.
• Tools and methods are applied as aids to decision making.
• Consultation and communication with stakeholders is ongoing - internal
and external.