This archived Web page remains online for reference, research or recordkeeping purposes. This page will not be altered or updated. Web pages that are archived on the Internet are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats of this page on the Contact Us page.
Since the late 1990s and early 2000s there has been growing attention to the practice of risk management that when applied effectively (by balancing formal and informal use) can tangibly strengthen the decision-making process in an ever changing and increasingly complex modern world. For Library and Archives Canada (LAC), managing the way forward for the evolution to digital is a prime example of how today's environment requires significant focus on management of risk.
In our current uncertain times, as was noted in the report by the Prime Minister's Advisory Committee on the Public Service (February 2009), there is a need to move toward a risk management approach. The Advisory Committee's recognition of the need for strengthening risk management will have a natural follow-up given that departmental audit committees must now have external members and have been given a clear role to advise deputy heads based on active oversight of core areas specifically including risk management. Furthermore, deputy heads, as accounting officers under revisions to the Financial Administration Act, now have a legal obligation to appear before committees of the Senate and House of Commons to answer questions about maintaining effective systems of internal control, of which risk management is of growing importance.
The objective of the audit was to determine the extent to which LAC's risk management practices: comply with policies and guidelines; help to ensure that risks are adequately, proactively and effectively managed in an integrated fashion organization-wide; and are adequately and sufficiently understood to support an internal audit function based on risk.
The audit was conducted between November 2008 and February 2009 and the scope of the audit included an examination of risk management practices throughout LAC as well as discussions with other federal government organizations regarding better practices. The audit was based on criteria developed from a LAC initiative to define the key components of risk management in the style of the Management Accountability Framework (MAF). This style was chosen given the strong common understanding of MAF components by managers. LAC's MAF-based framework for risk management was reviewed and validated by senior management.
Library and Archives Canada has become a "risk aware" organization. At this maturity level formal risk management practices are being established in key operational areas, analysis of risk is being integrated with annual and strategic planning and investments have been initiated to develop capacity through training and guidance documents. However, LAC does not have an adequate set of design and governance arrangements including a vision, framework and an implementation strategy outlining the pace, priority and governance of further investment to advance risk management maturity.
LAC has also been active in strengthening its operational and support practices for risk management. All operational and departmental groups had some examples of developing formal approaches and procedures for risk management of exposure areas. In addition, there has been some training and progress toward drafting guidance documents. However, these initiatives are not part of a coordinated overall strategy to identify priority exposure areas, develop and maintain appropriate capabilities including attention to stakeholder risk communication needs, and to provide appropriate tools and guidance.
Based on its current arrangements and practices, LAC will likely not be able to achieve additional tangible benefits of advanced maturity in risk management. Timely and effective communications about risk based on a developed common understanding, and intelligent (information-based) risk taking are two key future benefits. Advanced risk management maturity is particularly relevant to organizations needing to effectively balance and re-balance growing delivery needs and expectations with ongoing resource restraint.
The report identifies the following recommendations. Management has agreed with the recommendations and developed an action plan.
The audit of risk management was conducted in accordance with the Institute of Internal Auditors' Standards for the Professional Practice of Internal Auditing. In our professional judgment, sufficient and appropriate audit procedures were conducted and evidence gathered to support the accuracy of the conclusions reached and contained in this report.
In our opinion, based on the audit criteria set out in Appendix A, LAC has clearly begun to strengthen its risk management foundations. However, risk management design and governance arrangements, as well as operational and support practices are not yet sufficient to provide the level of risk management maturity appropriate to the asset stewardship, service delivery, decision making, results and accountability needs of the department.