ARCHIVED - About Us

Risk Management

Audit Report
November 2009

Audits and Evaluations

Findings

2.1 Design and Governance Arrangements

Our examination determined that LAC has fully advanced in its management of risk to the risk aware level of maturity. As set out in Figure 1 below, this level of maturity is characterized by the emergence of formal methods to manage more significant risks to complement the effective use of informal methods to manage day-to-day minor and moderate risks. Distinct examples of development of formal processes to match areas of significant exposure include the Risk-based Approach for Disposition of Unmanaged Legacy Records and the Risk Management Framework to be embedded in the revised Risk Management Framework to support LAC Loans/Exhibitions Policy and Procedures. Examples of such key formal processes are just finishing development and effective implementation is yet to come. The recognition of the need and benefit for formal processes is a clear trait of risk awareness.

The push to integrate risk analysis into annual business planning activities also demonstrates LAC is at the risk aware level on the risk management maturity model (See Figure 1). Given this process has just started, the efficacy of the information provided by operational branches was mixed (and averaging moderate quality overall). However, the planners in charge of the initiative are reviewing the details provided with each branch in an effort to help branches develop skills in risk analysis and provide information that is overall higher in quality and consistency.

Figure 1: Risk Management Maturity Model

[D]

LAC attained the "risk aware" level when it allocated corporate resources for a part-time employee (equivalent to 50% FTE) to work, since 2004, on developing an Initial Corporate Risk Profile. The profile identifies the key risks at the strategic level and how they are managed. The employee also invested time in developing a Risk Management Guide. In addition, a financial investment in capacity building was given to selected managers and staff members in 2005 and 2008 on risk management training. All these initiatives illustrate risk awareness; however, there is a clear need to continue capacity building, to further improve the Initial Corporate Risk Profile and to finalize and disseminate the Risk Management Guide.

The risk maturity scale illustrated in Figure 1 provides a basic and clear path on which LAC can advance its practice of risk management. It provides an understanding of the next levels—Risk Attentive and Risk Mature. Organizations at the risk attentive level are able to be more attentive to risk because they have establish a Risk Universe mapping out the areas of the organization where significant risks are managed but where the methods used to manage risk are not effectively balancing the use of informal and formal approaches—generally, there is too much reliance on traditional informal methods creating imprudent high risk exposure for the organization. Mapping out the Risk Universe enables plans to be established and investment directed at appropriately strengthening risk management practices in identified priority areas. Risk attentive is also typified by an overall higher level of risk management capacity (through training and practice) such that managers and staff members can be more deliberate in taking intelligent risks to seize opportunities or terminate low-risk activities based on their degree of comfort with information provided through risk analysis and the freedom to act in such a manner clearly delegated by management.

The highest level of maturity can be simply referred to as Risk Mature. At this level staff members, managers and senior management can be even more proactive in managing risk because predictive information about risk is provided by risk indicators. In addition, at this level there is a clear expression of risk tolerance that is well understood by all employees and managers. Typically, the organization would have multiple tolerance models reflecting that there are areas in the organization where there must be very low tolerances to risk, and other areas where there can be more tolerance.

Our examination revealed that LAC would have difficulty advancing beyond risk aware because it lacks a modern set of arrangements for further investing in risk management. A vision statement, such as the sample shown in the text box, would be the arrangement that articulates where LAC would like to be at some future point-this enables the development of strategies, priorities and plans to achieve the vision.

LAC risk management arrangements are also lacking an overall framework and an implementation strategy. As part of this audit, a table of 21 framework components was prepared as a detailed set of strategies for becoming risk mature. Figure 2 below (and in Appendix B) illustrates a Risk Management Framework in the style of the Management Accountability Framework (MAF). This style is relevant today because the ten (10) management areas of MAF are well understood by managers and senior management across departments and agencies. If LAC can achieve most or all of the 21 framework components over the next five years, it will become risk mature.

Figure 2: MAF-Based Risk Management Framework

[D]

Likely the most important components of the MAF-based Risk Management Framework is the strategy of establishing a Risk Management Policy which defines the principles, roles, responsibilities, processes, and terms. The policy is a key feature in the department's risk management arrangements. The Risk Management Policy affirms strong commitment of senior management to the risk management arrangements including senior management's key role of Senior-level Oversight of: the management of risks at all levels, effectiveness of risk management arrangements, and adherence to Risk Management Policy.

In 2008, the International Standards Organization (ISO) published Risk Management-Principles and Guidelines on Implementation numbered ISO 31000. Formal issuance of ISO 31000 is expected in 2009. This study has received broad international support including from the Treasury Board of Canada Secretariat (TBS) which has clearly indicated its intention to update its 2001 Integrated Risk Management Framework to be aligned with ISO 31000.

The Risk Management Framework component of ISO 31000 is rather straightforward and it reconciles easily to the MAF-based approach as shown in the crosswalk in Figure 3.

Figure 3: ISO/MAF Crosswalk

Risk Management Framework Components
ISO 31000	MAF-Based
Mandate & Commitment	Governance & Strategic Direction Public Service Values
Design	Policy & Programs Citizen-focused Service Accountability
Implementation	Risk Management People Stewardship
Monitoring and Review	Results & Performance
Continual Improvement	Learning, Innovation & Change Management

Critical points in both ISO 31000 and the MAF-based frameworks are the need to establish Senior-level Oversight, a Risk Management Policy and to invest Resources in people and information systems.

Senior-level Oversight is treated as critical by both frameworks because growing in maturity in any new management practice generally requires a culture change. Such a change must occur across all levels of the organization. Senior-level Oversight allows senior management to be better in touch with the plans and strategies established in order to advance risk management and to be aware of the results. From time to time, risk management as a priority will have to be balanced and re-balanced with other priorities. Senior management is uniquely positioned to direct the development of risk management based on being aware of the progress through periodic oversight.

Knowing there will be Senior-level Oversight ensures everyone in the organization understands the importance of risk management. It is important to understand that consistent and effective risk management is a key public service value. During interviews, most staff members believed LAC to be averse to risk while others pointed to examples where LAC is willing to tolerate higher levels of risk such as in establishing partnership arrangements and delegating procurement responsibilities. In the February 2009 Public Service Report of the Prime Minister's Advisory Committee, a key recommendation was the need to embrace the taking of informed risks.

Providing strategic direction to steer toward a more consistent cultural position on risk is a complex area that requires leadership. Currently, LAC does not have a Risk Management Policy which can be an excellent vehicle for explicitly expressing commitment to managing risk well, including intelligent (information-based) risk taking, as a key public service value of LAC.

Everyone in the organization also needs to understand their own roles and responsibilities in risk management, as well as the roles and responsibilities of those who will provide support and oversight. Clarifying the vision for risk management in the organization and associated roles and responsibilities is very effectively done in a Risk Management Policy.

The resources issue has been addressed over the past several years by the allocation of a part-time employee (equivalent to 50% FTE) to support the planning group. This level of resource has been able to help LAC develop its Initial Corporate Risk Profile (2007), assist some operational groups adopt more formal risk management practices and develop a draft Risk Management Guide. While this level of investment has enabled LAC to advance to the risk aware level, it is unlikely to be able to take the organization further. Additional resources will be needed to make further meaningful advancement.

Additional resources for supporting the organization in its overall risk management arrangements are not the only key investment to consider. LAC's progress on risk management has been limited by the lack of leadership in establishing risk management arrangements. Accordingly, LAC should consider investing in a Corporate Risk Officer (CRO) position. For LAC, this would only require a small investment of resources , but this position would be a strategic enabler in strengthening risk management arrangements and supporting the information needs of the management body responsible for senior management oversight responsibilities. Large organizations like Canada Revenue Agency use the CRO as a key implementation strategy to advance risk management maturity. Their large size is only part of the reason for the CRO strategy, the other reason is the significant challenge of developing common understanding across all branches and levels of the organization-this is a challenge for organizations of all sizes. Smaller organizations such as Passport Canada have invested in the CRO strategy recognizing the complexity of the common understanding challenge and the need for leadership.

Conclusion

Through conscious efforts LAC has become a risk aware organization, as demonstrated in its formalizing risk management practices in key operational areas, integrating risk into planning, and by investing in capacity development through training and guidance documents. However, it will likely be difficult for LAC to grow further in risk management maturity as it does not yet have an adequate set of risk management design and governance arrangements including a vision, framework and an implementation strategy to guide further investment toward risk management maturity. Key elements to more advanced maturity levels are yet missing, including assigned leadership, an oversight arrangement, sufficient support resources, and a policy clearly establishing the department's commitment to risk management (a key public service value) and setting out key principles, roles, responsibilities, processes and common terminology.

Without strengthening design and governance arrangements for management of risk, LAC will likely not be able to access key tangible risk management benefits such as ensuring the allocation of resources is proportionate to the level of risk and stakeholder perceptions and misperceptions about risks being effectively understood. These types of benefits are particularly relevant to organizations needing to effectively balance and re-balance growing delivery requirements and expectations with ongoing resource restraint.

Recommendation

Previous | Table of Contents | Next