Working together to strengthen risk management practices in the federal government

PPX

November 3, 2009

2

Overview of the presentation

? Evolving context of RM practice in the federal government

? Key areas of focus to respond to changing context and progress made to date

? Maintaining momentum in implementation of integrated RM

? Integrating RM into planning and reporting: Best practices

33

Changing context calls for a renewed approach to risk management

? Third Report of the Prime Minister’s Advisory Committee on the Public Service (February 2009)

“…the Public Service should adopt a principles-based approach to risk management in applying necessary rules and procedures”

? Addressing the ‘Web of Rules’

? Implementation of Canada’s Economic Action Plan

? International efforts to develop new RM guidelines (e.g., ISO 31000)

4

Key areas of focus of the Treasury Board Secretariat to respond to changing context

1. Adopting risk-based approaches to TBS activities (e.g., developing risk-sensitive policies)

2. Enabling effective RM approaches in departments and agencies (e.g., through guidance and tools specific to each sector)

3. Strengthening RM capacity at TBS and in departments and agencies (through renewed IRM guides and tools, etc.)

5

1. Adopting risk-based approaches to TBS activities

Progress has been made in implementing risk-based approaches in various areas, such as…

? Renewed policies– Policy on Transfer Payments– Policies on Investment Planning and Management of Projects– Policy on Internal Audit (e.g., risk-based audit plans)– Policy on Internal Control (e.g., risk-based assessment of

internal controls over financial reporting)

? Streamlined TB approval process in support of Budget 2009

? Implementation of a risk-based approach to assessing management performance through the Management Accountability Framework (MAF)

6

2. Enabling effective RM approaches in departments and agencies

Collaborative interdepartmental work completed or in progress to develop new guides, tools, such as …

? Guidance on the design and application of RM tools for grant and contribution projects

? Project complexity and risk assessment tool

? Methods and tools to conduct risk assessments to support the development of risk-based audit plans

? Guidance on how to report risk management activities in Parliamentary reports (e.g., Reports on Plans and Priorities)

? New guidance and tools to strengthen legal risk management and its integration with IRM (Department of Justice)

7

3. Strengthening RM capacity at TBS and in departments and agencies

Efforts to date to strengthen RM capacity include…

? Establishment of Departmental and Agency Audit Committees (DAACs), with RM as one key element of their mandate

? Creation of a TBS Centre of Expertise on Grants and Contributions and of a TBS Centre of Regulatory Expertise

? New TBS Centre of Excellence on Risk Management (established in fall 2008), with responsibility to support departments and agencies in implementing IRM

? Re-establishment of an IRM interdepartmental community of practice (1st interdepartmental session held in June 2009)

? New Web 2.0 tools to support exchange of best practices between organizations (e.g., IRM GCPedia site launched in spring 2009)

8

? Since 2001, the TBS IRM Framework has been a key tool to support IRM implementation in the federal government

Implementation of integrated risk management in the federal government

1) Developing the Corporate Risk Profile2) Establishing an Integrated Risk Management Function3) Practicing Integrated Risk Management4) Ensuring Continuous Risk Management Learning

Four key elements of the 2001 Framework

99

Current state of IRM implementation and areas for improvement

? Most departments and agencies have now established the basic foundations, including: § establishing processes for risk identification, assessment

and mitigation§ assigning senior accountability for key risks§ creating a focal point for IRM functions within the

organization

? Areas for improvement include: § addressing gaps in the effective implementation and

ongoing monitoring of IRM plans§ integration of risk into strategic and operational planning§ systematic use of risk information to inform and improve

the quality of decision-making

10

Results of IRM assessments –MAF Round VI

? 9.1. Senior management directs, participates in, and provides oversight of the organization’s risk management approach

? 9.2. The organization is implementing its risk management approach? 9.3. Risk management explicitly informs corporate decision-making, planning and reporting? 9.4. Quality assurance of risk information and continuous improvement in risk management

0%

20%

40%

60%

80%

100%

9.1 9.2 9.3 9.4Criteria

Org

aniz

atio

ns

0%

9.6%

75%

7.7% 11.5%

55.8%

19.2%

5.8% 7.7%

65.4%

1.9%5.8%

5.8%

76.9%

3.8%

17.3%

AttentionRequired

Opportunity forImprovement

Acceptable

Strong

11

Review of IRM toolkit

? An interdepartmental working group has been established in spring 09 to conduct this review and lead the development of new IRM guides and tools

? Broader IRM interdepartmental community will be consulted at various stages of the review process in fall/winter 09-10

? Expected start of roll-out of new IRM guides and tools in early 2010

12

Review of IRM toolkit (cont’d)

? The review and new IRM guides and tools will:

§ be informed by new international and national standards (e.g., ISO 31000, new CSA Q850)

§ leverage existing best practices from across the federal government for the benefit of the IRM community

§ address issues that were identified as common challenges by departments and agencies (e.g., integration of IRM with strategic planning)

§ provide practical tools and examples (including through regular postings to the GCPedia IRM site)

13

In an IRM approach, RM is integrated into existing business practices, e.g.:

? Priority-setting, resource allocation? Planning and reporting? Senior management decision-making,

Memoranda to Cabinet, TB submissions? Performance management? Audit and evaluation

14

Risk-informed planning: Best practices

? At the activity, division or regional level, risk identification and response are incorporated into local business plans

? At the corporate level, horizontal or high-impact risks and risk responses inform priority-setting and are incorporated into corporate plans and resource allocation

? Key corporate risks and planned risk responses are incorporated into RPP§ TBS guide to preparing RPPs includes guidelines on

risk section

15

Risk-informed monitoring and reporting: Best practices

? Tracking of progress on corporate plans coincides with tracking of progress on responses to key corporate risks

? Tracking of progress on operational plans coincides with tracking of progress on responses to operational risks

? DPR reports on status of risks and progress on risk responses that were reported in previous RPP§ TBS guide to preparing DPRs includes guidelines on

risk section

16

Risk “x”

Causes•••••

LikelihoodControls

(Pre-Event)

ConsequenceControls

(Post-Event)

Risk Identification/Assessment/Treatment

Impacts•••••

••

OwnerStrategies to Treat Risk

Risk Rating Prioritization

•••

•••

•••

•••

Trend / Outcome

Strategy to Treat

Risk

Related PAA

Activities

Key Risks

MAF AOM “X”

DM Dashboard (Quarterly)

TrendQ4Q3Q2Q1

Risk & TreatmentIndicatorResources

($)Expected OutcomesActivity

Improving••

••

••

••

3.1.1

Risk Profile

Operational Planning

Example of a risk-based planning and reporting model

17

For further information, please visitwww.gcpedia.gc.ca/wiki/Risk_Management_-

_Centre_of_Excellence_at_Treasury_Board_Secretariat

Or contact:riskmanagement-gestiondurisque@tbs-

sct.gc.ca