Audit of Integrated Risk Management Framework AU1417

Table of Contents

EXECUTIVE SUMMARY

INTRODUCTION

Natural Resources Canada (NRCan) prepares for and manages a wide range of risks and opportunities. NRCan’s Integrated Risk Management (IRM) Policy framework sets out the department’s approach to risk management, which includes a broad range of instruments and tools to support the Department to manage risks at both the Corporate and Sector levels.

The Audit of Integrated Risk Management framework was approved by the Deputy Minister as part of the Risk-Based Audit Plan for 2013-14.

The objective of the audit was to provide reasonable assurance that the Department’s Integrated Risk Management framework and its practices are adequateFootnote 1 and being implemented.

The scope of the audit included NRCan’s Integrated Risk Management policy framework, systems, processes and practices used in the identification, mitigation and reporting of risk, including the 2012-13 and 2013-14 Corporate and Sector Risk Profiles.

STRENGTHS

The Department’s Integrated Risk Management framework provides foundational elements needed to outline the manner in which risk information is to inform decision-making. A Risk Management Centre of Expertise (CoE) exists, providing a central point of contact for the function. In addition to providing tools and guidance materials for the function, the CoE provides systematic support to program managers when developing Treasury Board submissions. Also, risk management training is available to departmental staff, including senior management. Established networks within NRCan and with other government departments promote continuous learning and sharing of good risk management practices.

AREAS FOR IMPROVEMENT

The audit identified opportunities for improvement in the following areas:

  • Clarification of the roles, responsibilities and authorities;
  • Improvement of the consistency of processes across Sectors;
  • A more systemic integration of Sector risk information in the Corporate Risk Profile; and
  • Development of a formal risk management performance measurement framework.

AUDIT CONCLUSION AND OPINION

Overall, the Audit Branch can provide reasonable assurance that the Department’s Integrated Risk Management framework and its practices are adequate and being implemented.

In my opinion, NRCan’s IRM is satisfactory, however, some enhancements have been recommended to further strengthen this function.

STATEMENT OF CONFORMANCE

In my professional judgement as Chief Audit Executive, the audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the internal Quality Assurance and Improvement Program.

Christian Asselin, CPA, CA, CMA, CFE
Chief Audit Executive

ACKNOWLEDGEMENTS

The audit team would like to thank those individuals who contributed to this project and, particularly employees who provided insights and comments as part of this audit.

INTRODUCTION

Risk management is recognized as a core element of effective public administration. In a dynamic and complex environment, organizations require the capacity to recognize, understand, accommodate and capitalize on new challenges and opportunities. The effective management of risk contributes to improved decision-making, better allocation of resources and, ultimately, better results for Canadians.

The Treasury Board Secretariat’s Framework for the Management of Risk is a key policy instrument that outlines a principles-based approach to risk management for all federal organizations. The Framework reaffirms the Deputy Head’s responsibility in the effective management of his/her respective organizations in all areas, including risk management, and describes the expectations for an effective risk management practice. In keeping with the business and policy imperatives, NRCan has adopted Integrated Risk Management (IRM). As a large and diverse organization, NRCan must prepare for and manage a wide range of risks and opportunities. NRCan’s IRM Policy Framework, implemented in 2011, sets out the department’s expected results and high-level approach to risk management. The framework establishes the premise that:

  • An enterprise-wide risk-management approach is integrated with strategic priority setting, decision-making, policy development, project management, business planning, resource allocation, financial stewardship, operations, performance reporting, and external requirements.
  • Risk management practices are embedded into organizational structures, and a “risk smart” organizational culture is cultivated in which employees, managers and senior leaders engage in ongoing conversations on risks and risk management.
  • Risk identification, assessment and response processes are effective, continuous, and consistent across the organization, and are clearly communicated to internal offices, committees and employees as well as external partners and stakeholders.
  • Senior management is regularly advised on new and ongoing risks and risk responses, and consulted on actions that could be taken to better manage risks and prepare for the consequences should risk events occur.

The Science and Policy Integration (SPI) Sector within NRCan coordinates various processes supporting the identification and management of corporate risks (which, among other things, lead to the preparation of the Department’s Corporate Risk Profile (CRP)). In addition, SPI collaborates with other functional authorities housed in CMSS that also have risk-related corporate functions. Finally, it provides NRCan employees with information, tools and resources related to risk management through its “Risk Management Centre of Expertise” (CoE).

The CRP outlines the Department’s main strategic, external and operational risks, as well as mitigation strategies and key accountabilities. The Department has had a Corporate Risk Profile in place since 2009. This document, which is updated at least on an annual basis but quite often twice a year, provides an overview of the most pressing risks NRCan faces, as well as the actions taken to mitigate them. The most recent Corporate Risk Profile was updated in November 2013 and identified 12 risks and related mitigation strategies.

At the Sector level, each Sector is responsible for preparing a Sector Risk Profile which outlines their respective risks and mitigation strategies. This document forms part of each Sector’s Integrated Business Plan, identifying risks that are important inputs to Sector planning and decision-making.

IRM at NRCan has received an “acceptable” rating as part of the TBS Management Accountability Framework (MAF) for the last three years. Although NRCan has generally performed well in this area of management, TBS identified in its 2012-13 assessment opportunities for improvement related to clarifying accountabilities and further strengthening the clarity, measurement and reporting of risk and risk responses.

AUDIT PURPOSE AND OBJECTIVES

The objective of the audit was to provide reasonable assurance that the Department’s Integrated Risk Management framework and its practices are adequateFootnote 2 and being implemented.

DEPARTMENTAL RISK

An internal audit of the IRM framework was included in NRCan’s 2013-14 Risk-Based Audit Plan and was approved by the Deputy Minister. There had been no previous Department-wide audits on risk management.

A risk-based approach was used in establishing the objectives, scope and approach to this audit engagement. A summary of the key underlying risks that were taken into consideration are:

  • Risk that accountabilities with respect to risk management are not clear;
  • Risk that there are minimal linkages between sector and corporate risks;
  • Risk that there are minimal performance measures in place to determine the effectiveness of risk management mitigation strategies and/or processes; and
  • Risk that lessons learned on risk management are not rigorously identified or implemented.

SCOPE

The scope of the audit included NRCan’s IRM Policy framework, systems, processes and practices used in the identification, mitigation and reporting of risks, and the 2012-13 and 2013-14 Corporate and Sector Risk Profiles.

The audit scope excluded the following: An assessment of the appropriateness of the risks identified in the Corporate or Sector Risk Profiles; the appropriateness of the actual risk levels/ratings determined by management; and the Emergency Management, Security, Business Continuity (ESBC) Committee. The ESBC will be included in the Audit of Emergency and Disaster Management Framework, identified in the 2013-16 Risk-Based Audit Plan.

APPROACH AND METHODOLOGY

The approach and methodology followed the Internal Auditing Standards for the Government of Canada, which incorporates the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that audit objectives are achieved.

The audit included various tests to provide such assurance. Internal auditors performed the audit with independence and objectivity, as defined by the Internal Auditing Standards for the Government of Canada.

The audit methodology was based on internal auditing guidelines and included:

  • A review of  applicable TB and departmental policies, directives and/or frameworks related to risk management;
  • A review and analysis of documentation related to risk considerations in the decision-making process at the senior management level;
  • A review and analysis of documentation to assess processes related to Corporate and Sector risk management activities; and
  • Interviews with representatives involved in risk management from all Sectors, including SPI.

In addition, the Audit Branch ensured coordination between the audit team and other Branch staff while developing the 2014-17 Risk-Based Audit Plan to avoid duplication of effort, whenever possible.

CRITERIA

Audit criteria used in the audit were derived from the following sources: TBS Guide to Integrated Risk Management, TBS Risk Management Capability Model, Office of the Comptroller General Audit Criteria related to the MAF: A Tool for Internal Auditors and the Institute of Internal Auditors’ International Professional Practices Framework - Practice Guide on Assessing the Adequacy of Risk Management using ISO 31000. The criteria were approved by management, prior to the commencement of the audit and are described in Appendix A.

FINDINGS AND RECOMMENDATIONS

GOVERNANCE

Summary Finding

NRCan has key foundational elements in place for Integrated Risk Management. However, the audit identified the need to clarify: 1) the role of the CoE as the primary functional authority for risk management; 2) its relationship with other functional authorities responsible for specific risk areas; and 3) the roles and accountabilities of the Sector Management Teams on risk management.

Supporting Observations

Roles and Responsibilities

NRCan is a complex and multi-faceted organization requiring risk management to be practiced by various parties. Risk management is essential to support decision-making for a wide range of issues including decisions related to business planning, transfer payment management and resource allocation. The achievement of the department’s risk management objectives requires that roles and responsibilities of parties involved are well defined and clearly understood.

The audit examined whether an effective governance framework was in place with respect to risk management, including clear roles, responsibilities and appropriate oversight mechanisms at both the Corporate and Sector levels.

At the Corporate level, the audit found that the Department’s IRM Policy framework outlines the roles of most of the key players with responsibilities for risk management. For example, it provides a description of the roles of the Deputy Minister, Senior Executives and Managers. It also provides an overview of the roles of the key senior management committees.

It also indicates that the Executive Committee has integral oversight roles with regards to risk management. This DM-chaired committee, which includes all Sector ADMs, sets the Department’s strategic directions, priorities and oversees coordination with portfolio agencies, including decisions related to corporate risk management. The roles of other committees responsible for specific functions, such as Human Resources Renewal, Business Transformation or Emergency Management, are also specified.

At the Sector level, the IRM policy framework specifies that Senior Executives are responsible for assessing and managing the strategic and operational risks associated with the plans, programs and projects of their branches and/or regions. The audit found however that the IRM Policy framework lacks clarity on the performance expectations and on the role played by Sector Management Teams in meeting these expectations in their respective areas. Subsequently, the audit also found inconsistencies across Sectors in how Sectors oversee risk management. Clarity on the expected results would ensure consistency on the performance achieved across sectors and allow for better alignment of risk management practices.

Furthermore, the audit found that the IRM Policy Framework does not clearly articulate the role of SPI as the primary functional authority on risk management within the Department. SPI coordinates various processes supporting the identification and management of corporate risks leading to the preparation of the CRP and provides NRCan employees with information, tools and resources related to risk management through its “Risk Management Centre of Expertise” (CoE).

Responsibilities for specific corporate risk areas are distributed between two sectors, namely SPI and the Corporate Management Services Sector. CMSS is responsible for corporate risk matters related to some functional areas such as emergency management, security, values and ethics, Similarly, SPI is responsible for other functional areas such as strategic policy and management. Specifically, these include the preparation of Cabinet documents such as Memoranda to Cabinet, Treasury Board submissions, investment plans and Parliamentary documents such as reports on plans and priorities, departmental performance reports.

The responsibility of a functional authority could include, for example, the development and communication of risk policy, establishment of standards and common practices, as well as the coordination of risk management efforts. The functional authority could also provide a challenge and quality control role to help identify the most significant risks to the Department.

The existence of a CoE is an important asset, as it establishes a single point of contact for risk management in the Department. However, a lack of clarity in its role as a functional authority reduces its ability to effectively play a quality control role and require Sectors and other functional authorities to implement consistent risk management practices.

It should be noted that the CoE has advised the audit team that it will be reviewing the IRM Policy framework in the coming months with the goal of clarifying roles, responsibilities and accountabilities, as required.

Consideration of Risk for Decision-Making

The department’s IRM Policy Framework specifies the objectives and expected results for risk management and outlines the broad direction of the Department’s overall approach to risk management. By necessity, it focusses primarily on fundamentals rather than providing detailed or prescriptive direction. It also clearly outlines, at a high level, the manner in which risk information is to inform decision-making. Specifically, the policy objective states that risk should be “integrated with strategic priority setting, decision-making, policy development, project management, business planning, resource allocation, financial stewardship, operations, performance reporting, and external requirements.” This objective establishes the foundation for risk-informed decision-making. In order to ascertain whether this policy objective is being adhered to, the audit team examined recent program and funding-based actions to determine if risk was indeed being considered as part of the decision-making process.

The audit found evidence that risk considerations were embedded in specific management deliberations supporting the decision-making process. Specifically, risk was considered for decisions related to the allocation of resources from the departmental reserve fund to address emerging issues, as well as decisions related to program delivery. Each of the Treasury Board Submissions reviewed also included a specific section pertaining to risks as per TBS requirements. The CoE provides systematic support to program managers when developing Treasury Board submissions.

Furthermore, as part of the Audit Branch’s annual risk-based audit planning exercise, each Sector ADM was interviewed for feedback on audits being considered for the 2014-17 period. It was evident during these interviews that ADMs had a sound understanding of their risk environment and how the Audit Branch could support them towards mitigating some of these risks through specific audit projects.

RISK AND IMPACT

The IRM Policy Framework and related governance structure is important to ensure risk management objectives are clear and that risk information is scrutinized and used to support decision-making. While these provide important foundations, the lack of clarity surrounding the roles and responsibilities of sector management committees may have an impact on the effectiveness of risk management at the Corporate and the Sector levels.

Furthermore, a lack of clarity surrounding the CoE’s role as the primary functional authority could reduce its ability to ensure that appropriate risk management practices are being consistently implemented. It could also have an impact on the quality control mechanisms in place, potentially impacting the effectiveness of risk management within the Department.

RECOMMENDATIONS

1. It is recommended that the Assistant Deputy Minister (ADM) Science and Policy Integration Sector (SPI), in consultation with relevant stakeholders, update the Integrated Risk Management (IRM) Policy Framework to further clarify the roles, responsibilities and authorities of the Centre of Expertise (CoE) and those of the Sector Management Teams in relation to risk management.

MANAGEMENT RESPONSE, ACTION PLAN AND TIME FRAME

Management agrees.

In consultation with sector ADMs and other functional authorities for risk in Natural Resources Canada (NRCan), the ADM SPI and Director General Planning, Performance Management and Reporting (PPMR) will update the Integrated Risk Management Policy Framework to clarify SPI’s roles, responsibilities and authorities as well as those of the sectors and other functional authorities in relation to risk management; they will seek the endorsement of the revised policy by the Planning and Reporting Committee and its approval by the Executive Committee.

Timing: September 30, 2014

INTEGRATED APPROACH

Summary Finding

NRCan’s approach to risk management demonstrates a collaborative approach for engaging all Sectors within the Department. The CoE provides risk management tools and guidance and works closely with Sectors to prepare key risk management documents, such as the Corporate Risk Profile. However, opportunities were identified to strengthen risk management processes across Sectors, notably by further integrating Sector risk-related input into the corporate documents (such as the Corporate Risk Profile) supporting department priority-setting, planning and reporting processes.

Supporting Observations

Risk Management Guidance and Processes

An essential component to deploying IRM in a consistent and cohesive fashion is the existence and application of a common set of tools, practices and methods for all aspects of the risk management cycle. The consistent use of such tools enhances an organization’s ability to effectively integrate risks and mitigation strategies both horizontally and vertically, as well as creating efficiencies in processes through standardized practices and templates.

Alignment of risk management practices horizontally across the Department’s sectors is essential to ensure that consistent approaches are used for consideration of risk in decision-making. It is also critical to ensure the appropriate sharing of risk information across sectors, which ultimately allows for more informed decision-making. This approach will maximise efficiencies and avoid duplication.

Furthermore, consistency across sectors is critical to effective vertical integration of risk management practices. Vertical integration allows for risk information generated at lower levels to be aggregated and escalated up to senior management, in a consistent manner. This ensures that senior decision makers are provided with the necessary information in support of their governance and decision-making responsibilities.  

The audit found that various tools exist at the Corporate and Sector levels to support risk management activities. At the Corporate level, tools exist for the development of key Corporate documents, such as the Corporate Risk Profile. For example, these include various scales, risk rating approaches and other standard elements of the CRP. At the Sector level, the CoE has developed a Sector Risk Profile Guide, which outlines the general approach and template for the preparation of Sector Risk Profiles. Also, the CoE provides additional guidance and assistance to Sectors, as requested, in the development of the Corporate Risk Profile as well as their respective Sector Risk Profiles.

Although tools and guidance documents are provided, the audit noted that opportunities exist to improve consistency in the development of Sector Risk Profiles. For example, the audit found inconsistent practices and processes between Sectors in areas such as:

  • The level of rigour applied in updating Sector Risk Profiles (e.g., some conducted detailed environmental scans, while others appear to have based risk profile updates on the previous year’s information);  
  • The use of oversight bodies in the development and scrutiny of Sector Risk Profiles (e.g., some do not have a formal oversight body); and
  • The application of risk rating/ranking methodologies (e.g., risk rankings were not included in all SRPs).

At the departmental level, Corporate risks are determined based on several factors. These include a regular ‘refresh’ of the previous year’s corporate risks, risks identified by senior management, including discussions undertaken by the Executive Committee at their semi-annual retreat, and through a review of risks identified at the Sector level. Consultation with senior management is also conducted through discussions with ADMs and through the oversight committees previously identified.

Although none of these approaches are considered inappropriate, a “bottom up approach” to CRP development, whereby the CRP is informed primarily by Sector level exposures, would be considered a good practice. The current approach may miss opportunities to consider a more complete picture of the risk information derived from the Department’s operations, and possibly have an adverse impact on the overall corporate risk landscape. 

Within this context, greater consistency across Sectors could further improve the Department’s ability to effectively integrate and align risk management and risk information. This could enable more informed decision-making at both the Sector and Corporate levels.

Interdependencies

Another critical component of effective risk management requires organizations to work with relevant partners and stakeholders to address common threats and risks. This is true not only when considering risks impacting multiple Sectors within a Department, but also for inter-Departmental risks affecting multiple organizations. 

The audit found that NRCan is working with specific partners to deal with such joint risks; and that Sectors also work collaboratively on key risk areas.

At the Corporate level, for example, NRCan works collaboratively with other departments that share risks that impact itself and its partners. For instance, with respect to the Atomic Energy of Canada Limited (AECL) restructuring project, NRCan works with partners such as the Canadian Nuclear Safety Commission, Justice Canada and Health Canada to jointly mitigate risks related to the restructuring exercise. Similarly, NRCan is also an active member of the Inter-departmental Working Group on Risk Management. This group of risk management professionals representing multiple departments across government work together to benefit from each other’s knowledge and experience, as well as share best practices and tools.  

The audit noted the existence of a number of department-wide networks representing all Sectors and groups where collaborative deliberations take place. These include the Emergency Management Working Group, Hazards Working Group, Business Continuity Planning Group and the Business Transformation Committee. These bodies enable the establishment of risk statements, provision of necessary oversight and/or development of mitigation strategies for relevant Corporate Risks. For example, part of the role of the Emergency Management Working Group, represented by senior managers from all sectors, is to determine whether the Department has the right risks identified, whether such risks are properly aligned to the corporate or sector risks profiles and whether there are appropriate emergency response plans in place and are workingFootnote 3. In addition, working groups such as the Corporate Planning Network provide the necessary forum to share good practices and exchange ideas across Sectors. 

RISK AND IMPACT

The conditions noted have an impact on the consistency of risk management processes across the department. This may have an adverse impact on the quality and comprehensiveness of the information in the Corporate and Sector risk profiles. The cumulative net effect is that management may not have all of the necessary information for decision-making thereby possibly reducing their ability to adequately prepare for specific risks.

RECOMMENDATIONS

2. It is recommended that the Director General Planning, Performance Management and Reporting-Science and Policy Integration Sector (PPMR-SPI) establish and implement mechanisms to better ensure:

  • All sectors meet common performance expectations as well as implement approaches for identifying, assessing and responding to risks that are tailored to their realities.
  • Risk information from the Sectors is further leveraged in corporate management documents.

MANAGEMENT RESPONSE, ACTION PLAN AND TIME FRAME

Management agrees.

As part of the implementation of the revised Integrated Risk Management Policy Framework, the Assistant Deputy Minister (ADM) SPI and Director General PPMR will communicate to sectors the expectations for integrated risk management.

Timing: October 30, 2014

Building on the practice of sector ADMs’ ownership of various risks in the Corporate Risk Profile, which facilitates the inclusion of sector risk information in this corporate document, the DG PPMR will engage the Planning and Reporting Committee to identify opportunities to further leverage sector risk information corporately.

Timing: October 31, 2014

MEASURING PERFORMANCE

Summary Finding

Although progress reports on risk mitigation strategies are provided to senior management on a regular basis, opportunities exist to further improve oversight through the development of more formal performance measurement.

Supporting Observations

Monitoring and Reporting on the performance of IRM

An integral part of any program or function is the set of processes and practices in place to monitor and measure performance. This allows management to determine whether the program or function is achieving its intended objectives and expected results. Accordingly, the audit assessed whether the Department monitors performance of its risk management approach and regularly reports on risk management activities.

The audit found that the Department has several mechanisms in place to monitor progress against mitigation plans and regularly report on the Department’s risk management activities, such as:

  • Annual management reviews of the corporate risk profile, including updates to risks and mitigation strategies;
  • Periodic updates to senior management on corporate risk management activities monitored through the reporting process, notably quarterly financial and non-financial reviews. Results are reviewed by the Planning and Reporting Committee and Executive Committee;
  • Updates at various Senior Management Committees related to risks and mitigation strategies, as relevant (e.g., HR Renewal Committee, Emergency Management Committee, Departmental Audit Committee);
  • The review of NRCan’s approach to risk management by the Departmental Audit Committee; and
  • The publication of the Departmental Performance Report and the Report on Plans and Priorities.

Furthermore, as part of the Treasury Board Secretariat’s (TBS) Management Accountability Framework Assessment, the Department’s integrated risk management function is assessed on an annual basis. The Department has received a rating of ‘Acceptable’ for three years in a row, indicating that it is meeting TBS expectations.

Although the Department has mechanisms in place to monitor its risk management activities, the audit did not find evidence of a formal performance measurement framework to evaluate the effectiveness of various areas of risk management, particularly surrounding the effectiveness of risk responses. 

Quarterly Financial and Non-Financial Review Reports and other periodic reports to senior management are used to determine if the Department is on track in meeting its performance targets; however, more formal performance metrics would enable the Department to better determine actual performance.

RISK AND IMPACT

Performance measurement and monitoring of progress is a key accountability mechanism that supports those responsible for risk management to learn, improve and account for the departmental investments in this area. The absence of formal performance metrics limits the department’s ability to determine whether their objectives have been met and whether risk mitigation strategies and responses are effective.

RECOMMENDATIONS

3. It is recommended that the Director General Planning, Performance Management and Reporting-Science and Policy Integration Sector (PPMR-SPI) should establish a formal performance measurement framework to evaluate the effectiveness of various areas of risk management at Natural Resources Canada (NRCan), particularly surrounding the effectiveness of risk responses.

MANAGEMENT RESPONSE, ACTION PLAN AND TIME FRAME

Management agrees.

In consultation with sectors, the DG PPMR will develop an approach for assessing the effectiveness of risk responses in mitigating risks.

Timing: September 30, 2014

As part of the update of the Integrated Risk Management Policy Framework and in consultation with sectors, the DG PPMR will identify an approach to assess the effectiveness of the overall risk management function.

Timing: September 30, 2014

CONTINUOUS LEARNING AND IMPROVEMENT

Summary Finding

Risk management training is actively promoted to NRCan staff, including senior management through a variety of both required and optional training. Furthermore, NRCan promotes continuous learning through established networks, within the Department and with other government departments, to share good risk management practices and lessons learned.

Supporting Observations

In order for risk management to remain effective and relevant in any organization, the organization must be committed to a culture of continuous improvement and learning. This includes providing opportunities for training, sharing of best practices and knowledge, as well as applying lessons learned.

Although courses focussing specifically on risk management were not identified as part of the audit, the audit found that training related to risk management is actively promoted within the Department. For example, in accordance with GoC’s Policy on Learning, Training and Development, all newly appointed first-time managers are required to go through specific training programs, including financial and people management courses, with the Canada School of Public Service. The audit team confirmed that mandatory training was indeed promoted to management and that an integral part of the courses themselves focused on risk awareness and risk management. 

Furthermore, the audit team also found evidence of risk management related training at the employee level. For example, all NRCan employees are required to undertake mandatory security training, which includes aspects of risk management within certain areas, such as:

  • Information Management Security;
  • Personnel Security;
  • Physical Security; and  
  • IT Security. 

In addition to formal training provided, the CoE provides workshop presentations to inform and educate NRCan staff and management on risk management. Also, publications such as “The Role of the Manager in The Public Service Today - The Essentials of Managing Finances, People, Results and Information” which includes the role of risk management in integrated planning are made available to staff through the Department’s internal wiki. 

The audit team conducted interviews with representatives from all Sectors who confirmed that they were satisfied with the training and support tools provided by the CoE.

Another important element of continuous improvement is the existence of formal networks to share information on risks, mitigation strategies, as well as best practices. As previously discussed, several formal committees play a role in the risk management process. For example, in addition to senior management committees, the Corporate Planning Network (CPN) specifically provides a means for Sectors to share information and best practices for integrated business planning, including risk management. This working-level committee is represented by all Sectors within the Department and works collaboratively on corporate planning and reporting initiatives, including risk management activities.

Furthermore, the audit found that the Department actively participates in inter-departmental working groups to share good practices and lessons learned with their colleagues in other Departments. For example, NRCan is an active member of the Inter-departmental Working Group on Risk Management, which includes representatives from 25 departments and agencies.  The purpose of this group is to share knowledge and good practices, as well as discuss trends for managing risks across the government. 

APPENDIX A – AUDIT CRITERIA

The criteria were derived from the following sources: TBS Guide to Integrated Risk Management, TBS Risk Management Capability Model, Office of the Comptroller General Audit Criteria related to the MAF: A Tool for Internal Auditors and the Institute of Internal Auditors’ International Professional Practices Framework - Practice Guide on Assessing the Adequacy of Risk Management using ISO 31000.

The objective of the audit was to provide reasonable assurance that the Department’s Integrated Risk Management framework and its practices are adequate and being implemented.

The following audit criteria were used to conduct the audit:

Sub-Objectives Audit Criteria
1.0 The Department’s RMF is supported by an effective governance structure with clear accountabilities (or roles and responsibilities).
1.1 Roles, responsibilities and accountabilities related to risk management are clearly defined at both the Sector and Corporate levels.
1.2 Appropriate oversight bodies are established at both the sector and corporate levels to provide guidance, direction and recommend the approval of risk profiles.
1.3 The Department considers risk management as part of its decision-making process.
2.0 The Department has an effective integrated approach to risk management.
2.1 SPI provides clear guidance to ensure consistency for the identification, assessment and mitigation of risks.
2.2 Clear linkages exist between the Corporate Risk Profile and the Sector Risk Profiles.
2.3 The risk management process is integrated within the Department’s business planning process.
2.4 Sector Risk Profiles consider internal and external interdependencies.
2.5 The Corporate Risk Profile considers interdependencies with external stakeholders.
3.0 The Department monitors performance of its risk management approach (i.e. its effectiveness in managing risks) and regularly reports on risk management activities.
3.1 Performance indicators are embedded in key risk management activities.
3.2 Performance of risk responses are measured on a regular basis and risks are updated to reflect changes, as required.
3.3 The Department assesses performance of the organization's risk management approach to incorporate improvements and lessons learned.
3.4 Progress of mitigating actions and overall performance on the Department’s Risk Management approach is presented to senior management in a timely manner.
4.0 The Department promotes awareness of risk management through an active commitment towards continuous learning and improvement.
4.1 Risk management training is actively promoted to all staff within the organization, including senior management.
4.2 Risk management training provided to Sectors meets Sector needs.
4.3 Informal networks within the Department are in place to support good practices and continuous learning.
4.4 The Department actively participates in inter-departmental working groups to share good practices and lessons learned.