This archived Web page remains online for reference, research or recordkeeping purposes. This page will not be altered or updated. Web pages that are archived on the Internet are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats of this page on the Contact Us page.
In Section 2.1 the observation was made that LAC has reached the risk aware level of maturity in part because of a greater use of formal risk management practices. Figure 4 below illustrates examples of formal risk management practices from across the department.
A review of these practices revealed a range in the level of detailed risk analysis performed. While some incorporated a fairly general analysis (e.g., items 4 and 7 in Figure 4) and others a more detailed analysis (e.g., items 1 and 8), all were considered to reflect an appropriate level of analysis for the decision needs.
Figure 4: Formal Risk Management Practices
|Formal Risk Management Practices|
|Organization||Formal Risk Management Practice|
1. Initial Corporate Risk Profile
2. Innovation Fund Selection Analysis
3. Risk Management Framework to support LAC Loans/Exhibitions Policy and Procedures
4. Audiovisual Mitigation Strategy
|Government Records||5. Risk-based Approach for the Disposition of Legacy Records|
6. LAC Project Charter & Business Case Templates
7. The Governance Network (TGN) Preliminary Assessment of Risks
8. Amican Project Risk Management Plan
9. Risk Management Framework for Assessing ATIP Records
Most of the formal practices examined, incorporated a technique known as expert estimation based on criteria established for levels of Impact and Likelihood. The expert estimation technique fits very well in public sector decision making where data for more quantitative analysis are generally not available. Also, in the public sector, new initiatives are a regular part of evolving stakeholder expectations. The risks of these initiatives must be estimated given little prior data on which to conduct quantitative analysis.
Particular mention must be made that some of the formal tools incorporate fairly advanced techniques (in comparison to other departments and agencies) such as customized assessment criteria (item #3, Figure 4) and inclusion of stakeholder analysis (items # 1, 3, and 9, Figure 4).
There was also one example observed of the technique known as risk factoring. The risk factoring technique was used to assess the level of risk associated with projects proposed for the Innovation Fund using three (3) weighted risk factors as shown below in Figure 5.
This is an excellent method whenever there exists a finite universe of units to which a quick risk assessment is needed for each unit. The risk factoring technique generally has a wide scope of use as most parts of an organization have some sort of universe on which they could apply risk factoring to quickly establish a risk level for each unit.
The above examples represent an excellent start but there was no approach being used to understand which examples are the most critical risk exposure areas of the department where an effective balance of formal and informal risk management practices would be very important. These areas can be referred to as Priority Risk Areas (PRAs). The PRA approach would ensure that further investments in strengthening operational risk management is better calculated and addressed systematically.
A key criterion for attaining the risk aware level of maturity is the integration of risk into annual business planning. LAC started this integration last year and augmented it this year. The template used by all parts of the organization for planning 2009-2010 is set out in Figure 6 below.
Integrating risk and planning is a very natural concept because both risks and planning are future orientated. Risks are events and circumstances that may occur in the future. Risks are also characterized by uncertainty-in other words, they may occur fully as expected or they may occur to a lesser or a greater degree. Risks are critical to consider when setting plans in order to be proactive on those considered "high" so that plans can succeed.
Plans must address problems as well as risks-the difference being that problems describe existing issues to which the impact is fully known (if counter measures are not taken). There is no uncertainty with problems as there is with risks. In completing planning templates, many people mistakenly describe problems instead of risks. They describe a current issue, whereas the risk information being requested relates to future events that may happen over the planning horizon so that strategies can be devised to mitigate the risks and thereby avoid disruption of plans.
A review of the 2009-2010 completed planning templates indicated the expected range of some templates were done well, and some were needing improvement. Inclusion of problems instead of risks was a typical deficiency and items were not described in terms of its future orientation and uncertainty ("will likely" happen instead of "will" happen).
The opportunity to practice identifying and describing risks through the planning process is excellent given that stewardship requirements of risk management are expanding. The TBS Policy on Transfer Payments (October 2008) has specific risk management requirements as does the Policy on Financial Management Governance (April 2009). Through MAF assessments and other sources such as the Prime Minister's Advisory Committee on the Public Service, LAC is aware that strengthening risk management is a priority and an area where more specific accountabilities should be expected in all future policies from TBS.
Many of the staff members interviewed during the audit expressed that they had little, if any, risk management training and they recognized this as an important gap relative to the new formal processes they have noticed coming into force. Some risk management training was provided to planning network staff in 2005 and in 2008 there was an orientation session on risk management for selected managers. In addition, a risk management presentation was planned for the Management Forum in May 2009. Overall, the extent of risk management training has been quite limited and reflects the confusion between problems and risks in completing annual business plans.
Another point related to the planning process is reporting. As reporting against plans is further refined at LAC, there should be consideration as to how information on the progress of risk management can be reported. Reporting of progress on performance and risk should be integrated.
As risk assessment continues to become increasingly important to good management and policy compliance, it will be critical to establish a solid common understanding of risks and risk management. This can be addressed in part by training and hands-on practice but also by guidance documents, tools and information systems. During the audit it was noted that a Risk Management Guide had been drafted but had not been fully reviewed, translated, published and disseminated across the department. This guide is an important initiative in establishing common understanding. The guide was initiated before ISO 31000 was available. Accordingly, the document can be strengthened by another update to align it with ISO 31000. In addition, making the guide available electronically, via a risk management portal, would be effective for quick reference.
LAC has been active in strengthening its operational and support practices for risk management across all criteria areas examined. Formal approaches and procedures are being developed to complement informal risk management, inclusion of stakeholder interests in formal methods is being recognized, there is awareness of risk stewardship requirements reflected in TBS policies, and there has been some training and progress toward drafting guidance documents. However, these initiatives are not part of a coordinated overall strategy to develop and maintain appropriate capabilities, methods, tools and guidance.
Without further efforts to continue strengthening operational and support practices, key benefits such as timely and effective communications about risk and intelligent (information-based) risk taking may not accrue to LAC.