Review of Integrated Risk Management
November 2017
1850-3-012 (ADM(RS))
Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED
Table of Contents
Acronyms
Statement of Conformance
Purpose of Review
Review Rationale, Objective and Scope
Review Criteria and Methodology
Review Approach
Case Studies in the DND/CAF
Background─Definitions
Background─RM Guidance
Context─Overview of IRM in the DND/CAF
Observations
1. Governance, Leadership and Accountability
2. Priority Setting and Decision Making
3. Monitoring Performance and Outcomes
4. Training and Continuous Learning
5. Stakeholder Engagement and Communications
Recommendation
Conclusion
Annex A─Management Action Plan
Annex B─TB RM Capability Model Assessment
Annex C─Case Studies Overview
Annex C─Case Study: SUBSAFE
Annex C─Case Study: MALA
Annex C─Case Study: MSVS
Assistant Deputy Minister (Review Services)
Acronyms
- ADM(Mat): Assistant Deputy Minister (Materiel)
- ADM(RS): Assistant Deputy Minister (Review Services)
- CAF: Canadian Armed Forces
- DND: Department of National Defence
- FY: Fiscal Year
- IRM: Integrated Risk Management
- MALA: Mission Acceptance and Launch Authorization
- MSVS: Medium Support Vehicle System
- OPI: Office of Primary Interest
- RCAF: Royal Canadian Air Force
- RCN: Royal Canadian Navy
- RM: Risk Management
- SUBSAFE: Submarine Safety
- TB: Treasury Board
Statement of Conformance
The review findings and conclusions contained in this report are based on sufficient and appropriate evidence gathered in accordance with procedures that meet the Institute of Internal Auditors’ International Professional Practices Framework, for a review level of assurance. The review thus conforms to the International Standards for the Professional Practice of Internal Auditing as supported by the results of the quality assurance and improvement program. The opinions expressed in this report are based on conditions as they existed at the time of the review and apply only to the entity examined.
Purpose of Review
The purpose of this review was to do the following:
- assess how the Department develops, communicates and implements Integrated Risk Management (IRM); and
- generate discussion and engage with senior managers as the Department establishes the way forward for IRM.
Review Rationale, Objective and Scope
- Previous audits have observed shortcomings in the integration of risk management (RM) information in departmental processes.
- An IRM review engagement was included in the Assistant Deputy Minister (Review Services) (ADM(RS)) Risk-Based Internal Audit Plan for fiscal years (FY) 2015/16 to 2017/18.
- Mature integration of RM ensures any organization considers risks in its priorities, plans and decision making.
Objective
- To assess the status of IRM practices that are in place in the Department of National Defence and the Canadian Armed Forces (DND/CAF); more specifically, their alignment with central agency guidance and opportunities for improvement in the DND/CAF context.
Scope
- The primary focus of this review was on the Vice Chief of the Defence Staff team’s coordination of IRM with regard to corporate risk mitigation, and how risk information is communicated within the DND/CAF.
- The scope included project/initiative success stories and their alignment to the Treasury Board (TB) RM Capability Model.
- The conduct phase of the review was performed in two stages. The corporate IRM practices were reviewed during the period from February 2016 to August 2016. The project/initiative case studies were reviewed from September 2016 to January 2017.
Review Criteria and Methodology
- IRM policy takes a principles-based approach. The TB RM Capability Model provides a diagnostic tool that allows departments to benchmark their current risk capability, and it has been used as the basis for establishing the following criteria:
  - Governance, accountability, communication and dedicated resources [Footnote 1] are in place to integrate RM.
  - Risk information is integrated into priority setting and decision making.
  - Risk responses are monitored for improved outcomes.
  - RM training is promoted for all staff with informal best-practices networks for continuous improvement.
  - External and internal stakeholders are consulted across the Department to enhance the organization’s risk culture.
Methodology
- Analyzed applicable IRM policies, guidance and other key documents.
- Interviewed and surveyed Level 1 [Footnote 2] representatives.
- Assessed DND/CAF IRM status against the TB RM Capability Model.
- Benchmarked IRM practices with four other government departments.
- Interviewed staff of two other government departments that are implementing leading IRM practices.
- Consulted with five Level 1s on potential RM case studies and analyzed three cases.
Review Approach
The TB RM Capability Model was used to assess current DND/CAF practice at the corporate level and to understand DND/CAF practices at the project and operational level.
Figure 1. Review Approach.
This figure shows the three aspects of the review. It consists of three ovals placed next to each other. The middle oval is smaller and overlaps the other two ovals. The left-most oval has a solid line around it. It is titled IRM Practice and states: “Review current state of IRM practice in the DND/CAF at the corporate level.” The middle oval has a dotted line around it. It is titled Criteria: RM Capability Model. The right-most oval also has a solid line around it. It is titled Case Studies in DND/CAF (operational/project level) and lists Description, Top Success Factors and Benefits/Observations.
This review engagement used the criteria derived from the TB RM Capability Model. However, it is recognized that TB IRM policy takes a principles-based approach, and that departments have flexibility in how they adapt TB policy and guidance to their operating context and strategy. Additionally, evolving corporate culture plays an important role in risk-informed decision making. A summary assessment of the current state of IRM practice in the DND/CAF at the corporate level can be found in Annex B.
Case Studies in the DND/CAF
- Initiatives/projects were analyzed as case studies that portray good RM practices with the intent to share those examples across the organization.
- Five Level 1s identified a total of 12 initiatives/projects. Three of those initiatives/projects were selected.
- The subject matter experts of the selected initiatives/projects identified the factors that contribute to effective RM within their initiatives/projects.
- Detailed information on the case studies reviewed can be found in Annex C.
Figure 2. Case Study Selection. This figure shows the three case studies chosen for assessment and illustrates the type of information that was gathered. [Footnotes 3, 4, 5]
This figure shows a triangle subdivided into four smaller triangles: three exterior triangles and one reversed inner triangle. The three exterior triangles identify the three selected case studies. The top exterior triangle is titled Royal Canadian Navy: Submarine Safe (SUBSAFE) Program. The bottom left exterior triangle is titled Royal Canadian Air Force: Mission Acceptance and Launch Authorization (MALA). The bottom right triangle is titled Assistant Deputy Minister (Materiel): Medium Support Vehicle System (MSVS) Project. The inner triangle specifies the gathered information from each of the selected case studies: Description, Top Success Factors, and Benefits and Observations.
Background─Definitions
Risk: The effect of uncertainty on objectives. It is the expression of the likelihood and impact of an event with the potential to affect the achievement of an organization's objectives.
Risk Management: A systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, making decisions on and communicating risk issues.
Integrated Risk Management: A continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective. It is about supporting strategic decision-making that contributes to the achievement of an organization's overall objectives.
Source: TB Secretariat. The Framework for the Management of Risk, August 2010.
Background─RM Guidance
The DND/CAF IRM policy has not been updated since 2007 to align with the current TB framework and the standards from the International Organization for Standardization.
Figure 3. RM Guidance.
This figure consists of a timeline that shows the evolution of IRM guidance and policies since 2001. The timeline is a long blue horizontal line that stretches from left to right. A year is indicated above each marker. Underneath each marker, the stage of IRM guidance and policy evolution is indicated. The first marker indicates 2001, when the TB IRM Framework was established, followed by the TB IRM Implementation Guide in 2004. Next, the DND/CAF IRM Policy and Guidelines were created in 2007. Then, in 2009, the International Organization for Standardization Standards 31000: RM – Principles and Guidelines were developed. The final marker, 2010, shows the development of the TB Framework for the Management of Risk.
Context─Overview of IRM in the DND/CAF
- The Defence Plan considers bottom-up risk when assigning top-down mitigation tasks that ensure DND/CAF priorities are achieved.
- At the strategic level, eight corporate risks (including one opportunity) have been identified.
- At the operational level, Level 1s are tracking and mitigating business plan risks and capitalizing on opportunities.
Figure 4. Risk Identification and Response.
This figure illustrates linkages between the Defence Plan priorities, the strategic-level risks and the operational-level risks. The figure is a hierarchical triangle segmented into three levels with arrows on both sides. The bottom level of the triangle’s hierarchy is the Operational Level (Level 1s), which states “Business Plan Risks and Opportunities.” The second level of the triangle is the Strategic Level, which states “Eight Corporate Risks.” The top level of the triangle is titled DM/CDS Defence Plan Four Priorities and states “Defence tasks – more than half are related to corporate risks.” The arrow on the left side of the triangle begins at the bottom and points towards the top of the triangle and is labelled Bottom-Up – Environmental Scan. The arrow on the right side of the triangle begins at the top and points towards the bottom of the triangle and is labelled Top-Down – Mitigation Direction.
Observations
Figure 5. Review of IRM Observations.
This figure represents the five observation themes and the summarized overall observation. There is a large oval in the centre with arrows pointing to five surrounding circles. The centre oval is labelled Overall Observation and states “There are significant opportunities for improvement in IRM in the DND/CAF. By leveraging the RM practices that are being successfully implemented in the reviewed case studies, corporate IRM practices can be enhanced.” The surrounding circles list the specific observations in a clockwise manner. The circle directly above the centre oval is labelled Governance, Leadership and Accountability, followed by circle 2: Priority Setting and Decision Making. Next, circle 3: Monitoring Performance and Outcomes. Circle 4 is labelled Training and Continuous Learning. Circle 5, the final circle, is labelled Stakeholder Engagement and Communications.
1. Governance, Leadership and Accountability
At the corporate level, some RM practices are in place, but DND/CAF IRM policy and guidelines need to be updated, and a shared vision for corporate IRM needs to be articulated.
Good Practices
- Terms of reference for some senior management committees include IRM roles.
- There are three formal risk awareness briefings per year. Briefings to Level 1s are available upon request.
Observations
- DND/CAF IRM policy and guidelines (2007) do not completely reflect the 2010 TB Framework for the Management of Risk.
- Benchmarking with four other departments noted that dedicated DND/CAF corporate IRM staff size was lower relative to other departments. In addition, at the time of review, only one out of four dedicated positions was filled.
- The process for the Deputy Minister / Chief of the Defence Staff to set corporate risk tolerance levels is not included in IRM policy. Most departments are struggling with determining and communicating tolerance levels, as is the DND/CAF.
- There has been no formal communication of risk tolerances since the last approved Corporate Risk Profile in 2014.
Lesson from Case Studies
- Case studies revealed that governance and leadership play a key role in effective RM, both in terms of support and oversight as well as awareness of RM practices (e.g., board and town halls to impart direction).
2. Priority Setting and Decision Making
At the corporate level, consistent use of sound and proven risk analysis techniques and information is not visible in the departmental decision-making process.
Observations
- Of the Defence Management Committee and Program Management Board briefings reviewed, only half included references to risks or challenges.
- Most Level 1 business plan briefs to the Investment and Resource Management Committee did not include the level of risk.
- More than half of the business plans reviewed made no explicit linkage to corporate risks.
Lesson from Case Studies
- The case studies indicated that sound risk assessment techniques and tools play an important role in risk analysis and contribute to decision making.
3. Monitoring Performance and Outcomes
With some inconsistencies, corporate-level risk monitoring of risk responses [Footnote 6] used to take place. However, there are no indications that monitoring is still taking place.
Observations
- The audit team reviewed the monitoring efforts, which were in place from FY 2014/15 to FY 2015/16, and noted that the staff within Chief of Programme were tracking the action plans linked to corporate risks at that time.
- In the Annual Performance Report 2014-15, more than half of corporate risk mitigation plans were not on target.
- More than half of the initiatives in the Level 1 business plans for FY 2016/17 were missing performance indicators, targets or thresholds.
- Turnover of staff and a pending revision of the Defence Plan have since negatively impacted corporate monitoring activities.
Lesson from Case Studies
- In some cases, monitoring through tracking of risk responses was identified as a key success factor.
4. Training and Continuous Learning
Best practices are exchanged at the IRM Interdepartmental Working Group. However, the review found no evidence of sharing best practices within the Department.
Good Practices
- Best practices are exchanged with other government departments.
Observations
- The review found no evidence that best practices were shared between Level 1 organizations at the monthly continuous improvement meetings organized by Chief of Programme personnel and attended by Level 1 risk points of contact.
- RM training, when mandatory, is not being tracked.
- The Defence Learning Network website states that all managers and supervisors should take a specific IRM training course. However, only 4.1 percent of all DND/CAF personnel were identified as having recently received the specified IRM training course. It is possible that many staff have received alternative IRM training.
Lesson from Case Studies
- The case studies indicated that strong reporting mechanisms contributed to effective communications of RM lessons learned, which support improvements in RM.
5. Stakeholder Engagement and Communications
The DND/CAF would benefit from discussions and inclusion of comprehensive risk information in Level 1 business plans and in briefings to senior stakeholders.
Good Practices
- Corporate risk owners and the Deputy Minister are engaged with other government departments.
Observations
- Most Level 1 business plans did not document the probability of risk or distinguish between inherent or residual risk.
- There is no evidence of risk tolerance levels in Level 1 business plans for FY 2016/17.
- Some of the interviewees suggested that there is insufficient horizontal discussion of risks among Level 1 organizations.
Lesson from Case Studies
- The case studies showed that documentation and communication are considered crucial for successfully managing risks.
ADM(RS) Recommendation
OPI: Vice Chief of the Defence Staff / Chief of Programme
Conclusion
There are notable opportunities for improvement in the development and implementation of the DND/CAF IRM framework. There are also opportunities for fostering a risk-aware culture, which would facilitate risk-informed decision making. Several key RM success factors were identified at the project/initiative level. Leveraging these success factors at the corporate level could significantly strengthen corporate IRM capabilities. It would also bring the DND/CAF in closer alignment with central agency guidance.
Annex A─Management Action Plan
ADM(RS) Recommendation
Management Action Plan
Vice Chief of the Defence Staff accepts ADM(RS)’s recommendation. The DND/CAF IRM policy and guidelines will be written in consultation with Level 1 principals. This policy will reflect the current TB Framework for the Management of Risk. It will provide direction and guidance to Level 1s regarding the methodology for establishing and communicating risk tolerance levels, risk metrics and reporting and IRM training. The policy will reinforce the requirement that Level 1 business plans and presentations to governance committees (Programme Management Board, Investment and Resource Management Committee) contain information on RM. The policy will also contain the results of a review of the Level 0 resources available to implement it. This will take the form of personnel requirements. Lastly, the policy will provide guidance on mandatory training and the mechanism with which to deliver and monitor results.
The draft policy document will be refined in June 2017. It will be promulgated to Level 1s for comments in July 2017 and submitted to the Deputy Minister / Chief of the Defence Staff for approval in September 2017. Consultation with Level 1 IRM staff was reinvigorated on May 29, 2017 with the reintroduction of the monthly IRM coordination meeting. This meeting will ensure Level 1 IRM staff share best practices and develop a robust IRM community within the DND/CAF.
The DND/CAF Departmental Results Framework will be presented for approval in October 2017. The Departmental Results Framework will facilitate measuring and reporting on IRM along programs within the Department using the Risk Chapter of the Performance Information Profile. The programme official will review the Performance Information Profile annually, at a minimum, and Chief of Programme will collect the data. Part of the data in the Performance Information Profile is the official’s assessment of the risk(s) to their program. This will form the basis of the Corporate Risk Survey, which will inform the Corporate Risk Profile. This will be briefed annually to the Deputy Minister / Chief of the Defence Staff, who in turn will issue direction and guidance on risk tolerance and risk mitigation to program officials. Program officials will implement this direction and guidance with a view towards reducing the risk to their program and in turn to the Department.
The Defence Plan will be written once Defence Policy Review is released and analyzed. The Defence Plan will articulate the way ahead for IRM. The latest iteration of the Defence Plan is expected to be completed to inform the final stages of the FY 2018/19 business planning process.
The end state is that IRM within DND/CAF will have measurable targets that are monitored and reported to the Programme Management Board bi-annually and to the Defence Strategic Executive Committee annually to better support decision making at all levels. The first brief to Defence Strategic Executive Committee will occur in March 2018. The DND/CAF IRM Policy and Guidelines document will be issued in September 2017. The draft plan will be briefed to Level 1 staff on May 29, 2017, and they will have the opportunity to contribute to its development while sharing current and past best practices.
OPI: Vice Chief of the Defence Staff / Chief of Programme
Target Completion Date: March 2018
Annex B─TB RM Capability Model Assessment
Areas of RM Excellence | Initiated | Assessment | Developing | Assessment | Systematic | Assessment |
---|---|---|---|---|---|---|
Governance, Leadership and Accountability | RM is a result of necessity and not continuous. | A | RM is encouraged | A | RM is a priority for the organization. | NI |
Roles and accountabilities for RM are clear. | NI | |||||
Tolerance at individual level. | A | Some accountability for RM on projects and governance processes include risk information. | A | Dedicated RM personnel is available, and risk awareness is promoted. | NI | |
Some staff are risk aware, while remaining staff may regard RM as a process burden. | A | Senior management communicates risk tolerance levels. | NI | |||
Priority Setting and Decision Making | Risk information is informally noted and occasionally considered. | A | Risk information occasionally considered for corporate and operational processes. | A | Consistent and coherent risk information integrated in operational and corporate processes. | NI |
Decisions may be based on inconsistent understanding of risk. | A | Consistent understanding of risk to support decision-making. | NI | Corporate Risk Profile or a similar risk tool enables decisions and priority setting and the seizing of opportunities. | NI | |
Monitoring, Performance and Outcomes | Limited monitoring of risk responses. | A | Some risk response monitoring. | A | Routine monitoring of risk responses with clear evidence demonstrates improved outcomes due to RM. | NI |
Informal monitoring of RM practice as a result of individual inquiry. | A | Occasional RM reviews occur to improve the process; reviews not always communicated. | A | Routine RM performance assessment to incorporate improvements and lessons learned - reviews communicated across organization; performance indicators embedded in RM activities. | NI | |
RM practice may need tailoring in order to reflect the size and mandate of the organization. | A | Developing indicators to measure performance of risk responses which shows RM is improving outcomes. | A | |||
Training and Continuous Learning | Training based on individual interest and self directed learning. | A | RM training targeted to some staff with limited learning resources. | A | RM training is promoted to all staff and in Personal Learning Plans, including senior management. | NI |
Informal networks in place to support best practices and continuous learning. | NI | |||||
Stakeholder Engagement and Communication | Limited department wide risk communication and rare external stakeholders engagement. | A | Occasional department-wide risk communication. | A | Proactive engagement on cross-sector risks internally and with external partners on interdepartmental risks. | NI |
Engage external partners on interdepartmental risks; Developing risk communication plan. | A | Communication to develop risk culture. | NI |
Table B-1. Summary of the Review Results.
A – Acceptable; NI – Needs some improvement
This table shows the review’s assessment of current DND/CAF IRM practices against the TB RM Capability Model. It has seven columns and six rows. The left-most column lists the five Areas of RM Excellence. Columns two, four and six list the sub-criteria applicable to the Initiated, Developing and Systematic levels of RM capability, respectively. Following each coloured IRM practices category column is an assessment column that provides an acceptable (A) or Needs Improvement (NI) rating to each related IRM sub-criteria. Read across the row for the assessment of the IRM practices compared to the sub-criteria for each Area of RM Excellence.
Annex C─Case Studies Overview
Title | Case Study 1 – Submarine Safety (RCN) | Case Study 2 – Mission Acceptance and Launch Authorization (RCAF) | Case Study 3 – Medium Support Vehicle System (ADM(Mat)) |
---|---|---|---|
Description | SUBSAFE is a risk-based safety management system for the RCN that supports submarine operations. SUBSAFE was launched in 2001, with the latest update in October 2014 as part of the update to the submarine licensing and certification management system. | The MALA tool is used within the RCAF operational RM process to assess aviation mission risks. The MALA tool has been used in tactical aviation since approximately 2004. The MALA is completed prior to the mission launch. It is the final confirmation that flying activity risk is being accepted at the appropriate level of authority. | The MSVS project uses a risk-based methodology and analysis to determine the feasibility of achieving contractor-identified delivery milestones. Mathematical modelling, statistical tools and project management experience are used to better understand risks that impact project milestones, which affect financial forecasting. |
Benefits/Observations | | | |
Table C-1. Overview of Case Studies.
This table summarizes the key aspects of the three projects/initiatives that were reviewed to determine top RM success factors. It has four columns and three rows. The top row lists the three case studies (SUBSAFE, MALA and MSVS). For each case study, read down each column for a description and a summary of the benefits and observations.
Annex C─Case Study: SUBSAFE
Title | SUBSAFE Program |
---|---|
Important Success Factors | Senior management involvement in monitoring RM approach, governance and leadership; Reporting mechanisms to communicate lessons learned; Documentation and communication; Sound risk assessment techniques |
Table C-2. Case Study: SUBSAFE.
This table lists the important success factors of the SUBSAFE Program. The table has two columns and two rows. The left column contains only the title Important Success Factors, and the second column lists the Important Success Factors of the SUBSAFE Program. Read down the second column for details on each of the Important Success Factors of the SUBSAFE Program.
Annex C─Case Study: MALA
Title | MALA |
---|---|
Important Success Factors | Governance and leadership: MALA is driven from the top (Commander RCAF) down to the fleets. For example, the Commander wants MALA to align to the pilot fatigue RM initiative. The leadership monitors the development and implementation of MALA. Timing of monitoring reviews of RM approach: A baseline for MALA is currently being developed. For domestic and regular missions (normal circumstances), there will be a baseline MALA. MALA will change if there is a change in rules or regulations or if an incident occurs and areas for improvement are identified. For specific operations, there will be a specific theatre MALA. This deployed MALA will be based on the baseline MALA. When an incident occurs, the flight safety system is robust enough to handle it. As part of the process, improvements to avoid future incidents will be considered as well. Documentation, communication and clear understanding of risk tolerance levels: MALA is an excellent tool for communicating risk information upwards and sideways. All documentation is kept as pre-flight documentation (similar to flight plans). There is better awareness of tolerance levels in the RCAF, which are expressed through authorization levels. RM training: MALA is still in its infancy, and it is not yet entirely understood and accepted. It has been introduced in mandatory training (part of supervisory courses). The intent is to convince users of the effectiveness of the tool and not just see it as a paper exercise. Reporting mechanisms to communicate lessons learned: MALA has aided in the communication of lessons learned. For example, when an incident occurs, subsequent improvements needed to avoid future incidents are considered through the flight safety system. |
Table C-3. Case Study: MALA.
This table lists the important success factors of the MALA tool. The table has two columns and two rows. The left column contains only the title Important Success Factors, and the second column lists the Important Success Factors of MALA. Read down the second column for details on each of the Important Success Factors of the MALA tool.
Annex C─Case Study: MSVS
Title | MSVS Project – Schedule Risk Analysis |
---|---|
Important Success Factors | Cross sector risk engagement; Integration of risk priorities and risk responses in business plans / corporate processes; Effective risk mitigation treatment / mitigation; Documentation and communication; Governance and leadership; Sound risk assessment techniques |
Table C-4. Case Study: MSVS.
This table lists the important success factors of the MSVS Project. The table has two columns and two rows (and is split over two slides). The left column contains only the title Important Success Factors, and the second column lists the Important Success Factors of the MSVS Project – Schedule Risk Analysis. Read down the second column for details on each of the Important Success Factors of the MSVS Project.
Footnote 1 The dedicated resources stated in the criteria refer to staff dedicated to IRM within Chief of Programme.
Footnote 2 Level 1 usually represents Assistant Deputy Minister and Environmental Chiefs of Staff level.
Footnote 3 RCN = Royal Canadian Navy
Footnote 4 RCAF = Royal Canadian Air Force
Footnote 5 ADM(Mat) = Assistant Deputy Minister (Materiel)
Footnote 6 This refers to the action plan responses provided by the Level 1s on how they plan to mitigate the corporate risks; these responses used to be monitored by Vice Chief of the Defence Staff at the corporate level.