Library and Archives Canada
Symbol of the Government of Canada

Institutional links


Archived Content

This archived Web page remains online for reference, research or recordkeeping purposes. This page will not be altered or updated. Web pages that are archived on the Internet are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats of this page on the Contact Us page.

Risk Management

Audit Report
November 2009

Audits and Evaluations

Executive Summary


Since the late 1990s and early 2000s there has been growing attention to the practice of risk management that when applied effectively (by balancing formal and informal use) can tangibly strengthen the decision-making process in an ever changing and increasingly complex modern world. For Library and Archives Canada (LAC), managing the way forward for the evolution to digital is a prime example of how today's environment requires significant focus on management of risk.

In our current uncertain times, as was noted in the report by the Prime Minister's Advisory Committee on the Public Service (February 2009), there is a need to move toward a risk management approach. The Advisory Committee's recognition of the need for strengthening risk management will have a natural follow-up given that departmental audit committees must now have external members and have been given a clear role to advise deputy heads based on active oversight of core areas specifically including risk management. Furthermore, deputy heads, as accounting officers under revisions to the Financial Administration Act, now have a legal obligation to appear before committees of the Senate and House of Commons to answer questions about maintaining effective systems of internal control, of which risk management is of growing importance.

The objective of the audit was to determine the extent to which LAC's risk management practices: comply with policies and guidelines; help to ensure that risks are adequately, proactively and effectively managed in an integrated fashion organization-wide; and are adequately and sufficiently understood to support an internal audit function based on risk.

The audit was conducted between November 2008 and February 2009 and the scope of the audit included an examination of risk management practices throughout LAC as well as discussions with other federal government organizations regarding better practices. The audit was based on criteria developed from a LAC initiative to define the key components of risk management in the style of the Management Accountability Framework (MAF). This style was chosen given the strong common understanding of MAF components by managers. LAC's MAF-based framework for risk management was reviewed and validated by senior management.


Library and Archives Canada has become a "risk aware" organization. At this maturity level formal risk management practices are being established in key operational areas, analysis of risk is being integrated with annual and strategic planning and investments have been initiated to develop capacity through training and guidance documents. However, LAC does not have an adequate set of design and governance arrangements including a vision, framework and an implementation strategy outlining the pace, priority and governance of further investment to advance risk management maturity.

LAC has also been active in strengthening its operational and support practices for risk management. All operational and departmental groups had some examples of developing formal approaches and procedures for risk management of exposure areas. In addition, there has been some training and progress toward drafting guidance documents. However, these initiatives are not part of a coordinated overall strategy to identify priority exposure areas, develop and maintain appropriate capabilities including attention to stakeholder risk communication needs, and to provide appropriate tools and guidance.

Based on its current arrangements and practices, LAC will likely not be able to achieve additional tangible benefits of advanced maturity in risk management. Timely and effective communications about risk based on a developed common understanding, and intelligent (information-based) risk taking are two key future benefits. Advanced risk management maturity is particularly relevant to organizations needing to effectively balance and re-balance growing delivery needs and expectations with ongoing resource restraint.


The report identifies the following recommendations. Management has agreed with the recommendations and developed an action plan.

  1. LAC should develop and implement an overall strategy to strengthen risk management, specifically addressing design and governance arrangements by:
    1. Establishing a governance body to provide oversight of the development of risk management maturity based on a Risk Management Vision and MAF-based Framework;
    2. Establishing the position of Chief Risk Officer(CRO) to lead and coordinate the management of risk;
    3. Allocating additional human resources to support the CRO and the overall strategy to strengthen risk management;
    4. Arranging for training of senior management to ensure common understanding of risk management concepts, starts from the top; and
    5. Establishing a Risk Management Policy codifying the department's commitment to risk management and setting out key principles, roles, responsibilities, processes and common terminology.
  1. LAC should ensure that the strengthening of risk management operational and support practices are included in the overall strategy, including:
    1. Establishing a listing of priority risk areas identifying high exposure areas of the department as a means of focusing attention on the most critical areas that need an effective balance of formal and informal practices for risk management;
    2. Establishing and implementing a knowledge transfer plan incorporating training courses customized for LAC covering orientation to more advanced skills for those who will provide leadership and support roles;
    3. Ensuring the Risk Management Guide is updated in line with ISO 31000, translated and issued across the department (including electronic posting via a risk management portal);
    4. Establishing an approach for monitoring and reporting on progress in managing risk integrated with overall performance monitoring and reporting at LAC.

Statement of Assurance

The audit of risk management was conducted in accordance with the Institute of Internal Auditors' Standards for the Professional Practice of Internal Auditing. In our professional judgment, sufficient and appropriate audit procedures were conducted and evidence gathered to support the accuracy of the conclusions reached and contained in this report.

In our opinion, based on the audit criteria set out in Appendix A, LAC has clearly begun to strengthen its risk management foundations. However, risk management design and governance arrangements, as well as operational and support practices are not yet sufficient to provide the level of risk management maturity appropriate to the asset stewardship, service delivery, decision making, results and accountability needs of the department.

Table of Contents | Next