Library and Archives Canada

Risk Management

Audit Report
November 2009

Audits and Evaluations


1.1 Background

Since the late 1990s and early 2000s there has been growing attention to the practice of risk management, which, when applied effectively (by balancing formal and informal use), can tangibly strengthen the decision-making process in an ever-changing and increasingly complex modern world. For Library and Archives Canada (LAC), managing the way forward for the evolution to digital is a prime example of how today's environment requires significant focus on the management of risk.

Unfortunately, the pace of change and growing complexity necessitating improved risk management practice has come at the same time as the need to improve most other management practices, such as integrated planning, performance measurement, and internal audit, to meet escalating expectations regarding accountability, transparency and stewardship. LAC, like most organizations, both public and private, has started initiatives to strengthen its key management practices, including risk management. Of the key management practice areas, risk management has been one of the most difficult to improve. This is in part because there is a clear awareness that risk is always managed at least informally (often referred to as intuitively), which has proven to work well in the past. With historical reliance on informal risk management, most organizations have not built up their knowledge and capacity on formal practices, so the challenge of now blending the formal and informal more effectively is naturally difficult.

Managing risk more effectively in the public sector is compounded by cultural norms for prudence and minimal risk on the one hand, and escalating demands for results within restrained resources on the other. While continuing to respect historical norms for prudence, LAC has necessarily started to evolve from minimal risk in selected areas toward managed risk taking (e.g., delegations of authority, partnership arrangements) in order to meet result expectations within existing resources.

The direction on the requirement to strengthen risk management came with the issuance of the Integrated Risk Management Framework (IRM Framework) in 2001, and in 2003 with the Management Accountability Framework (MAF), both developed by the Treasury Board of Canada Secretariat (TBS). These frameworks and a Collections Risk Assessment in 2004 (following a 2003 recommendation for such by the Office of the Auditor General) led to a departmental commitment to establish a LAC framework as the foundation for strengthening the management of risk organization-wide.

LAC has always responded actively to its significant risk exposure, establishing measures such as policies and procedures for proper document management, security arrangements, internal audits, and even capital infrastructure such as the preservation building in Gatineau, Quebec. Since 2004, LAC has been working on developing and implementing an integrated risk management approach, which has seen the delivery of training, the drafting of a Risk Management Guide, and the integration of risk management analysis in annual business planning. In addition, LAC documented its strategic risks in its Initial Corporate Risk Profile in 2007. Examples of formal methods for managing operational risk have always existed at LAC. However, with the clearer priority to strengthen risk management in recent years, more examples of formal approaches to managing risk have begun to appear. The risk management plans and risk logs used on major IT projects and the new Risk Management Framework to support LAC Loans/Exhibitions Policy and Procedures are two key examples. For these elements of integrated risk management progress, LAC was given an "acceptable" rating for risk management in the 2007 (Round V) and 2008 (Round VI) MAF Assessments.

This audit of risk management has been initiated in part because the recent MAF assessments were very general in nature (risk management is only one of 21 areas covered) and required minimal practice levels to meet the criteria for an "acceptable" rating. In addition, risk management is one of three priority areas which Internal Audit must examine and report on according to the TBS Policy on Internal Audit (July 2009) and the Professional Practices Framework of the Institute of Internal Auditors. The other two priority areas Internal Audit must examine and report on are governance and controls.

In our current uncertain times, as was noted in the third report of the Prime Minister's Advisory Committee on the Public Service (February 2009), there is a need to move toward a risk management approach. The Advisory Committee's recognition of the need for strengthening risk management will have a natural follow-up given that departmental audit committees must now have external members and have been given a clear role to advise deputy heads based on active oversight of core areas specifically including risk management. Furthermore, deputy heads, as accounting officers under revisions to the Financial Administration Act, now have a legal obligation to appear before committees of the Senate and House of Commons to answer questions about maintaining effective systems of internal control, of which risk management is of growing importance.

1.2 Audit Objectives

The objective of the audit was to determine the extent to which LAC's risk management practices:

  • comply with the policies and guidelines of both the Treasury Board of Canada Secretariat and the Office of the Comptroller General;
  • help to ensure that risks are adequately, proactively and effectively managed in an integrated fashion organization-wide; and
  • are adequately and sufficiently understood to support an internal audit function based on risk.

1.3 Audit Scope and Approach

The scope of the audit included an examination of governance and risk management practices and controls in place throughout LAC, including the roles for managing and leading the function assigned to planning groups.

In addition, the scope included discussions with LAC senior management and managers as well as other federal government organizations regarding better practices and expectations.

The audit was conducted in accordance with both the TBS Policy on Internal Audit and the Institute of Internal Auditors' International Standards for the Practice of Internal Auditing. During the planning phase of the audit, the scope and objectives were confirmed based on documentation reviews and interviews with key individuals. A detailed audit program was developed that outlined specific criteria and audit tests aimed at assessing the adequacy and effectiveness of risk management practices and controls. During the conduct phase of the audit, the audit program was systematically administered through a wide range of interviews and further documentation reviews.

The audit was based on criteria developed from a LAC initiative to define the key components of risk management in the style of the Management Accountability Framework (MAF). This style was chosen given the strong common understanding of MAF components by managers. LAC's MAF-based framework for risk management was reviewed and validated with senior management.

The audit was conducted using the ten (10) MAF areas as lines of inquiry arranged in two groups. Criteria for each of these lines of inquiry are set out in Appendix A.

Design and Governance Arrangements

  1. Governance & Strategic Direction — Senior management sets the vision for an integrated approach (horizontal, vertical, functional), provides oversight and direction on risk tolerance, and ensures risk management is integrated into the planning, policy-making, service delivery, and decision-making process.

  2. Public Service Values — Departmental culture recognizes risk in all activities as well as the need to explicitly manage it.

  3. Policy & Programs — Commitment to risk management and roles are formally set out in a policy, and annual planning for risk management is conducted through a Corporate Risk Profile and Risk Universe.

  4. Results & Performance — Progress toward risk management maturity is measured and risk reporting and disclosure to senior management, central agencies, Parliament and the public are transparent, balanced and easy to understand.

  5. Accountability — Risk management roles and accountabilities are integrated into the departmental accountability mechanisms (job descriptions, performance reviews).

Operational and Support Practices

  1. Risk Management — There is an effective balance between informal and formal risk management and risk is mitigated to an acceptable level (not absolute minimum as a general rule). Also, risk is viewed/used for taking advantage of an opportunity.

  2. Citizen-focused Service — Stakeholder engagement is carried out to ensure their risk perceptions and misperceptions are included in risk analysis.

  3. Stewardship — Risk-related requirements of relevant authorities are incorporated, e.g., risk of non-compliance with the Library and Archives of Canada Act, Copyright Act or other authorities (Federal Accountability Act, Financial Administration Act, TBS policies, etc.).

  4. People — Risk management competency and resource needs are determined and addressed, and risk is communicated in a timely manner.

  5. Learning, Innovation & Change Management — Risk management is implemented based on ongoing learning and change management principles (including sufficient resources).
