Audit of ECCC risk management practices
Executive summary
Why it is important
Risk management is recognized as a core element of effective public administration. In a dynamic and complex environment, organizations require the capacity to recognize, understand, accommodate and capitalize on new challenges and opportunities. The effective management of risk contributes to improved decision making, better allocation of resources and, ultimately, better results for Canadians.
The achievement of ECCC’s mandate and priorities is influenced by the dynamic environment in which it operates. The Department has experienced significant growth over the past few years with an ever-increasing number of new activities, unprecedented funding increases and a shift from its primarily regulatory and scientific mandate towards a more program-driven approach to supporting government priorities, including as it relates to climate change and sustainable development. As such, the risks are numerous and diverse, including financial and human resource risks, obsolescence of assets, potential security breaches and cyberattacks, health and safety concerns and legal and reputational risks, to name a few. Effective risk management practices are important to enable the Department to deliver on its mandate, priorities and increasing domestic and international commitments.
The key risk management factors that support decision making at all levels within the Department include the proactive identification of risks affecting its mandate, program delivery, operations within all branches and their analysis leading to mitigation measures, as well as their communication and reporting.
Objective
The audit objective was to assess the application and effectiveness of ECCC’s integrated risk management processes in supporting informed decision making. The audit focused on the governance, controls and risk monitoring and reporting activities in place to support the integration of risk management across the Department.
What we found
Governance. A governance structure is in place to support an integrated risk management approach. Roles and responsibilities are defined, and oversight bodies are in place to support the integration of risk information in support of decision making. Individual risk management roles and responsibilities are generally understood.
A few opportunities for improvement were identified. There is a need to increase awareness regarding specific responsibilities such as for the Corporate Risk Champion and risk action owner roles. The effectiveness of risk management oversight, particularly regarding the frequency of risk discussions and the monitoring of risk management strategies by the governance committees, could be strengthened. Furthermore, there is a need for senior management to formally define and communicate the Department’s risk tolerance and appetite levels.
Risk management processes. Integrated risk management tools (Corporate Risk Profile, Integrated Risk Management Framework and Integrated Risk Monitoring Strategy) exist to support branches in managing risks; however, these tools are not well known or easy to locate.
The Corporate Risk Profile is viewed as a relevant tool for understanding organizational risks. However, there is limited evidence of its use in branch planning and operational decision-making processes.
Opportunities for improvement were identified to strengthen the monitoring and reporting on the risks and associated mitigation activities set out in the Corporate Risk Profile, as well as to enhance risk management knowledge and literacy through communication, guidance and awareness of training opportunities.
Recommendations
In response to these findings, 3 recommendations were developed to address the opportunities for improvement identified in this report.
- The Assistant Deputy Minister, Corporate Services and Finance Branch, should strengthen the inclusion of integrated risk management into departmental governance deliberations by:
- Reviewing the terms of reference for the Executive Management Committee and ADM Resources and Corporate Operations Committee to reflect their responsibilities for overseeing integrated risk management
- Developing a structured approach for discussing and monitoring horizontal risks at the executive committee meetings
- Establishing and communicating a clear risk tolerance level for the Department that is informed by the Department’s overall risk appetite and takes into account its capacity to manage risk
- The Assistant Deputy Minister, Corporate Services and Finance Branch, should review and strengthen the processes for developing, updating, maintaining and communicating the Corporate Risk Profile, to ensure that it remains an effective tool to support informed decision making; and strengthen monitoring and reporting on the Corporate Risk Profile.
- The Assistant Deputy Minister, Corporate Services and Finance Branch, should develop ways to increase awareness of the existing corporate integrated risk management tools and training opportunities.
1. Background
The 2010 Treasury Board Secretariat (TBS) Framework for the Management of Risk provides guidance to deputy heads on the implementation of effective risk management practices at all levels of their organization. Effective risk management practices equip federal government organizations to respond to change and uncertainty by using data, information and analyses to support decision making.
The achievement of ECCC’s mandate and priorities is influenced by the dynamic environment in which it operates. The Department has experienced significant growth over the past few years with an ever-increasing number of new activities, unprecedented funding increases and a shift from its primarily regulatory and scientific mandate towards a more program-driven approach to supporting government priorities, including as it relates to climate change and sustainable development. As such, the risks are numerous and diverse, driven by events ranging from financial and human resource challenges to the obsolescence of assets, potential security breaches and cyberattacks, health and safety concerns and legal and reputational risks, to name a few. Effective risk management practices are important to enable the Department to deliver on its mandate, priorities and increasing domestic and international commitments.
1.1 Integrated risk management at ECCC
Integrated risk management is a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective. In this way, risk can be considered for decision making, priority setting, business planning, resource allocation and operational management.
The Department’s integrated risk management approach is founded on 3 core elements, which were approved by the departmental Executive Management Committee (see table 1): the Integrated Risk Management Framework, the Corporate Risk Profile and the Integrated Risk Monitoring Strategy.
Element | Description |
---|---|
Integrated Risk Management Framework |
Sets common expectations and guidance on the effective and coherent management of risks across the Department, including key roles and management expectations for how risk information should inform decision making. A core component is ECCC’s Integrated Risk Management Policy that supports the achievement of the Department’s objectives and mandate. |
Corporate Risk Profile |
The Corporate Risk Profile is a point-in-time risk analysis. It outlines:
The Corporate Risk Profile is approved by senior management and is intended to support and improve risk awareness, so that all employees are informed of the key risks that may affect ECCC in delivering its mandate. |
Integrated Risk Monitoring Strategy |
The strategy outlines the broad principles and strategies for risk monitoring and reporting, which:
It aims to ensure the currency and relevance of key risks in an ever‑changing operational context, enhance the Department’s capacity to communicate and consolidate risk information from various internal sources and reduce the potential for redundant or conflicting risk analysis and reporting from different sources. |
Corporate risks 2020-2023
The Corporate Risk Profile 2020-2023 identified the following key corporate risks:
- Strategic partnerships
- Indigenous relationships
- Information for decision making
- Human resources
- Capital and technology infrastructure
- Change management
- Operational resiliency
Accountabilities, roles and responsibilities
The Deputy Minister is accountable for the implementation of risk management practices within the Department, although managing risk remains a shared responsibility across all levels and areas of ECCC. The Corporate Management Directorate, Corporate Services and Finance Branch, is responsible for developing, establishing, implementing and maintaining a departmental Integrated Risk Management approach.
The Integrated Risk Management Framework outlines the roles and responsibilities of the various stakeholders in the Department with respect to overseeing and managing risk.
- The Corporate Management Directorate leads the development and maintenance of the Corporate Risk Profile; supports the ongoing identification and management of administrative and operational risks across programs; monitors and reports on risks identified in the Corporate Risk Profile; acts as a Centre of Expertise with respect to risk management practices within ECCC; and is the corporate support function for the development of tools and training on risk management.
- The Chief Financial Officer is accountable for ensuring that financial allocation decisions consider risks.
- Branch heads are accountable for integrating risk management activities within their respective areas, including incorporating risk analysis and discussions into the branch governance structures, priority setting, planning, strategic decision making and resource allocation; leading integrated risk management and assigning related accountabilities within the branch for the development and implementation of risk management strategies, the identification, assessment, prioritizing, treatment and monitoring of key branch risks; and for the monitoring of risks identified in the Corporate Risk Profile.
- The Corporate Risk Champions are designated to provide oversight over each of the risks in the Corporate Risk Profile, including monitoring progress on implementing planned mitigation strategies; they are also responsible for the implementation of specific risk mitigation actions.
- Executives and managers are accountable for ensuring that the Integrated Risk Management Framework is respected and put into practice in a manner that is appropriate for their area of responsibility.
- The Chief Audit Executive and Head of Evaluation supports the Deputy Minister, the Executive Management Committee and the Departmental Audit Committee by providing independent and objective assurance and advice on the effectiveness of governance, risk management and internal controls across the Department.
- All employees have a role in practicing integrated risk management by considering risk as part of every business activity and decision, managing risk within tolerance levels and communicating risk-related information to management as required.
Several formal governance committees exist to oversee horizontal risks and related issues, including the Executive Management Committee (EMC) and the ADM Resources and Corporate Operations Committee (ADM Ops). Furthermore, at least once per year, risk information is provided to the Departmental Audit Committee as part of their advisory role to the Deputy Minister.
2. Objective, scope and methodology
2.1 Objective
The audit objective was to assess the application and effectiveness of ECCC’s integrated risk management processes in supporting informed decision making.
2.2 Scope
The audit focused on the governance, controls and risk monitoring and reporting activities in place to support the integration of risk management across the Department, including:
- integrated risk management activities and the use of risk information as part of planning and decision making
- communication of risk-related information including, but not limited to, risk-related policies, directives, procedures and tools available, the risk management process and the Corporate Risk Profile 2020-2023
The audit excluded:
- risk management activities in the context of the ECCC project management framework, since an audit of project management was completed in 2020
- risk management practices related to grants and contributions programs, since a separate audit on the administration of grants and contributions programs at ECCC is currently underway
The Corporate Services and Finance Branch led its own maturity assessment of ECCC risk and results-based management, concurrently with this internal audit. Results are complementary to the audit work.
The audit lines of enquiry and criteria are provided in Appendix A. These criteria were developed based on the results of a risk assessment conducted during the planning phase of the audit.
The audit covered the period from January 2020 to March 2023, to include the 2020 to 2023 ECCC Corporate Risk Profile cycle.
2.3 Methodology
The audit was conducted and completed using the following methods:
- a review of relevant documentation, including policies, guidelines, procedures and communication materials
- file reviews
- walk-throughs of risk management processes in place
- 44 interviews with employees (mostly executives at director level and above) within all ECCC branches
- the administration of a questionnaire to 884 ECCC employees (which included a mix of workers, Section 34 managers at the EX-minus 1 level and executives at all levels from director to assistant deputy minister), with a response rate of 36% (318 respondents)
2.4 Statement of conformance
The audit conforms to the International Standards for the Professional Practice of Internal Auditing, as supported by the results of the quality assurance and improvement program.
3. Findings, recommendations and management response
The key audit findings are presented under the following themes: governance and risk management processes.
3.1 Governance
Conclusion: A governance structure is in place to support an integrated risk management approach. Roles and responsibilities are defined, and oversight bodies are in place to support the integration of risk information in support of decision making. Individual risk management roles and responsibilities are generally understood.
A few opportunities for improvement were identified. There is a need to clarify and to increase awareness regarding specific responsibilities such as for the Corporate Risk Champion and risk action owner roles. The effectiveness of risk management oversight, particularly regarding the frequency of risk discussions and the monitoring of risk management strategies by the governance committees, could be strengthened. Furthermore, there is a need for senior management to define and communicate the Department’s risk tolerance and appetite levels.
What we examined
The audit sought to determine the extent to which the governance mechanisms in place are effective in supporting integrated risk management across the Department. Specifically, whether:
- oversight bodies were in place to support the integration of risk management information in support of decision making
- risk management roles and responsibilities were clearly defined, documented, communicated and understood
What we found
Oversight bodies
The Integrated Risk Management Framework (IRMF) documents the roles of the EMC and ADM Ops as the main governance bodies overseeing horizontal risks. It also outlines specific responsibilities for each committee with respect to integrated risk management. The roles and responsibilities identified in the IRMF do not directly align with the responsibilities set out in each committee’s formal Terms of Reference.
According to the IRMF, the EMC’s role is to provide a vehicle to review and reach broad agreement on corporate risks. Its responsibilities include:
- monitoring and overseeing corporate risks
- setting strategic directions and determining accompanying resource allocations for the Department
- reviewing and approving risk management frameworks and plans
- setting departmental risk tolerance levels for key risks identified in the Corporate Risk Profile and ensuring that risks are prioritized and have appropriate risk management strategies
- demonstrating that risk management principles are integrated into the Department’s activities to achieve outcomes.
While the IRMF lists 4 areas of responsibilities relating to risk, the EMC Terms of Reference do not explicitly identify accountabilities with respect to overseeing risk. Related accountabilities can be inferred from its mandate, which is to provide overall governance, strategic direction and evidence-based decision making in support of the Deputy Minister’s accountabilities and delegated authorities in the delivery of ECCC’s mandate.
Similarly, according to the IRMF, ADM Ops is responsible for overseeing risk management and supporting the Deputy Minister by identifying, analyzing and evaluating corporate risks and establishing risk mitigation strategies to enhance the achievement of objectives. The committee is also responsible for ensuring that the departmental risks identified in the Corporate Risk Profile have appropriate accountabilities for monitoring and oversight assigned to them and that resources assigned to manage risks are achieving expected results. Additionally, it is responsible for ensuring that potential risks are considered in any proposals presented to the committee, to monitor and assess risk mitigation for specific programs, branches or regions as required and to report risk exposures to the EMC and the Deputy Minister, as relevant.
The role of the ADM Ops is also defined in the 2020-2023 Corporate Risk Profile, which states that the committee is responsible for validating the Corporate Risk Profile and monitoring corporate risks and the corresponding risk mitigation strategies on a periodic basis, as part of their regular oversight duties related to risk and performance, in support to the Deputy Minister and the EMC.
While the IRMF lists a number of responsibilities relating to risk, the terms of reference for ADM Ops makes little mention of risk management as an area of responsibility, except to say that the committee is to provide oversight over financial resources and risk controls and that the committee has a responsibility for endorsing corporate products related to risk and governance.
A review of meeting minutes, agendas and presentations for these 2 governance committees for the period reviewed observed that risks are discussed in the context of the specific topics presented rather than as a recurring agenda item. A review of materials and meeting notes from 88 EMC meetings confirmed the discussion and approval of the 2020-2023 Corporate Risk Profile, the Integrated Risk Management Framework and the Integrated Risk Monitoring Strategy. It was also noted that risks were mentioned during 13 other meetings. Discussions on risk mainly pertained to corporate themes related to the departmental financial situation, human resources, Indigenous reconciliation, ECCC regulatory priorities and initiatives, grants and contributions and procurement.
Records of decisions for ADM Ops demonstrated that risks were discussed during presentations on specific topics such as quarterly financial reviews, the Departmental Results Framework, integrated planning, human resources (training, workforce planning), cybersecurity and grants and contributions. They also confirmed discussions on the Integrated Risk Management Framework, the Integrated Risk Monitoring Strategy and updates on the 2020-2023 Corporate Risk Profile action plans.
Besides discussions on the Corporate Risk Profile and the Integrated Risk Management Framework and Monitoring Strategy, it is unclear if the discussions on risks at the EMC and ADM Ops had any impact or change on the corporate risk profile, monitoring strategy or mitigation measures. During audit interviews with a select number of senior managers regarding the role of these committees, the necessity for more structured discussions on horizontal risks was raised several times. It was also mentioned that there may be a general lack of awareness regarding the responsibilities of these 2 committees to provide risk oversight, as outlined in the IRMF.
In addition, there are several other ADM and Director General committees in the ECCC governance structure (see Appendix B). These committees provide direction and feedback on specific departmental areas such as information management and information technology, emergency and security management, project management, human resources, allocation and use of departmental operating and capital resources, corporate policies, grants and contributions, Indigenous and interdepartmental priorities and engagement, environmental assessment and regulatory and performance and results.
While the Terms of Reference for each of these committees do not explicitly assign risk management responsibilities, their broad scope of activities has the potential to collectively support an integrated risk management approach in the Department. 43% of questionnaire respondents agreed or strongly agreed that the departmental governance structure effectively oversees departmental integrated risk management practices, and 11% disagreed or strongly disagreed. Similarly, 40% of questionnaire respondents agreed or strongly agreed that the departmental governance structure effectively applies departmental integrated risk management practices, and 13% disagreed and strongly disagreed. A significant percentage did not know (45% and 46% respectively). The results demonstrate that the governance structure is supporting elements of integrating risk management into decision making and that there is room for improvement in this area.
A review of these committee meeting minutes, agendas and presentations revealed that most of the discussions on risk occurred in the context of specific topics on an ad hoc basis. Meeting highlights from the Director General (DG) committees are shared at the ADM committees that oversee them, thus encouraging information-sharing across the governance chain.
Good practice. The DG Investment Management Committee stood out as an example of a good practice regarding the effective oversight for integrating risk management practices to support informed decision making. Reporting to ADM Ops, its mandate is to provide advice on the allocation and use of departmental operating and capital resources in support of organizational priorities. A review of committee minutes showed regular discussions on financial risks and mitigation measures. We also observed that risk tolerance was discussed as part of committee deliberations.
Roles and responsibilities
Roles, responsibilities and accountabilities are defined in the Integrated Risk Management Framework, which is described in the Background section of this report.
The 2020-2023 Corporate Risk Profile also defines roles and responsibilities, and introduces the role of risk action owner, which is not formally defined in the Integrated Risk Management Framework. According to the Corporate Risk Profile, in contrast to the Risk Champions, the Risk action owners are the individuals who are designated to implement the planned mitigation measures that are deemed necessary to better manage the risk. Typically these are director and DG-level personnel who have subject-matter expertise in the relevant area and who may already be responsible for existing mitigation measures. Risk action owners are proposed by the Corporate Management Directorate risk team, in consultation with the Risk Champions and other stakeholders, as appropriate.
The questionnaire results revealed that most respondents (74%) agreed or strongly agreed with the statement “I understand my roles and responsibilities with respect to applying risk management practices within the department”. Only 16% disagreed or strongly disagreed, and 10% did not know. In addition, over half of the respondents (57%) were familiar with accountabilities assigned to their branch or area for the development and implementation of risk management practices, including mitigation strategies.
Similarly, most interviewees mentioned understanding their roles and responsibilities with respect to risk management and how it applies in the context of their functions. However, we observed a lack of awareness regarding specific roles such as Corporate Risk Champions and risk action owners. Among the senior managers interviewed, new executives hired within the last 2 years were not aware of their role as a risk action owners. As well, many executives were not aware of the Corporate Risk Profile and therefore, of their specific role as a risk action owner.
Risk tolerance and appetite
Risk tolerance is the level of risk that an organization is willing to accept in pursuit of its objectives. Risk appetite is the level of risk that the Department is willing to withstand in pursuit of its objectives. The audit sought to determine the extent to which the Department has defined and communicated its risk tolerance and risk appetite.
We found that departmental risk tolerance levels were set for the key risks identified in the 2020-2023 ECCC Corporate Risk Profile. The document also outlines the process to develop formal responses to the strategic risks identified during the corporate risk assessment exercise, during which tolerance for individual risks was discussed and debated. According to the Corporate Risk Profile, for those risks that were deemed to be unacceptable (that is, beyond management’s tolerance) additional mitigation strategies were proposed. A combination of facilitated discussions with the Associate Deputy Minister and one-on-one discussions with designated Corporate Risk Champions were used to develop the risk responses and action plans. It was noted that for all 7 key strategic risks in the 2020-2023 Corporate Risk Profile, the tolerance level was set as ‘Unacceptable’, with the overall response set as ‘Reduce’ (that is, reduce the level of risk). It is unclear whether the ‘Unacceptable’ level for the risk tolerance defined in the Corporate Risk Profile drives decision making at the operational levels within the Department, because the concept of risk tolerance and risk appetite have not been defined outside of the Corporate Risk Profile.
The audit team conducted interviews with senior managers to get their views on risk tolerance and acceptable level of risk. Interviewees were asked whether risk tolerance is defined within their branches, and what is considered an acceptable level of risk. A significant portion of interviewees perceive the risk culture within the Department to be risk averse, with a lack of clarity around risk tolerance and appetite. The interviewees expressed that risk management is a key priority for the Department and emphasized the importance of creating a culture of risk awareness and ownership. There was no clear consensus on what constitutes an acceptable level of risk, but it was generally agreed that it depends on the specific context and circumstances. Finally, some executives mentioned the need to balance risk management with innovation and the pursuit of business opportunities, while others emphasized the need for caution and prudence when considering potential risks and uncertainties.
As part of the questionnaire administered, the audit team asked similar questions around the concepts of risk, risk tolerance and risk appetite.
- Results show that 44% of respondents thought that the concept of risk is well defined and understood in the Department, while 35% disagreed and 21% were unsure. The fact that a majority of respondents either disagreed or did not know suggests that there is work to be done to improve a common understanding of risk across the Department.
- With respect to risk appetite and tolerance, 52% of respondents disagreed or strongly disagreed that these concepts are defined and communicated. The remaining respondents agreed or strongly agreed (29%) or were unsure (19%).
44% of respondents indicated that both successes and failures are considered equally when reviewing lessons learned in instances where risks were taken to innovate, while 23% disagreed or strongly disagreed with the statement. Approximately 33% were unsure. The sharing of successes and failures is considered a good practice in terms of supporting an organizational culture of learning and innovation. The fact that most respondents either disagreed or were unsure suggests that there may be a need to further embed a culture of learning and improvement, where failures are viewed as opportunities to learn and support a corporate culture of innovation, growth and development.
Those who disagreed or strongly disagreed provided additional comments to support their response. The main theme was a perception that the Department is risk averse and has a low tolerance for failure. Some respondents felt that there was little communication or guidance on risk tolerance and appetite, and that failures and successes were not considered equally. There were also concerns about micro-management and a lack of subject-matter expertise among executives. Some respondents felt that they were capable of managing risks within their work practices but lacked guidance on the Department’s risk tolerance. Overall, respondents felt that there was a need for more communication and guidance on risk management and a more consistent approach to gathering feedback and lessons learned.
Clear and well-communicated risk tolerance and risk appetite statements support effective risk management practices because they help to make sure that risk management practices are optimally supportive of the Department’s strategic objectives. Risk tolerance may differ within and across branches based on various factors such as their operating environment and stakeholder engagement. That said, it must be clearly understood by the individuals making risk-related decisions on a given issue. Clarity on risk tolerance at all levels of the organization is necessary to support risk-informed decision making and foster risk-informed approaches.
Recommendation 1
The Assistant Deputy Minister, Corporate Services and Finance Branch should strengthen the inclusion of integrated risk management into departmental governance deliberations by:
- Reviewing the terms of reference for the Executive Management Committee and ADM Resources and Corporate Operations Committee to reflect their responsibilities for overseeing integrated risk management
- Developing a structured approach for discussing and monitoring horizontal risks at the executive committee meetings
- Establishing and communicating a clear risk tolerance level for the Department that is informed by the Department’s overall risk appetite and takes into account its capacity to manage risk
Management response
Management agrees with the recommendation.
The Assistant Deputy Minister will strengthen the inclusion of integrated risk management into departmental governance by:
- Engaging both the secretariats of the Executive Management Committee and ADM Resources and Corporate Operations Committee to suggest revisions that would reflect their responsibilities for overseeing integrated risk management for the committees’ approval
- Developing a structured approach for discussing and monitoring horizontal risks at the executive committee meetings
- Proposing and communicating a clear risk tolerance level for the Department that is informed by the Department’s overall risk appetite and takes into account its capacity to manage risk
3.2 Risk management processes
Conclusion: Integrated risk management tools (Corporate Risk Profile, Integrated Risk Management Framework and Integrated Risk Monitoring Strategy) exist to support branches in managing risks; however, these tools are not well known or easy to locate.
The Corporate Risk Profile is viewed as a relevant tool for understanding organizational risks. However, there is limited evidence of its use in branch planning and operational decision-making processes.
Opportunities for improvement were identified to strengthen the monitoring and reporting on Corporate Risk Profile risks and associated mitigation activities, as well as to enhance risk management knowledge and literacy through communication, guidance and awareness of training opportunities.
What we examined
The audit assessed the extent to which risk management processes are effective in supporting decision making. Specifically, the audit examined whether:
- guidance and tools were in place to enable effective management of risks
- risk information and mitigation measures were being tracked, analyzed and updated as necessary, and whether they were being used to inform planning and decision making
What we found
The Corporate Risk Profile and strategic risk management
The Treasury Board of Canada Secretariat (TBS) developed the Framework for the Management of Risk to assist departments in managing risks. It provides a set of principles to apply in all areas of work, including policy and program implementation. TBS also developed a Guide to Integrated Risk Management, which contains a recommended approach for developing a corporate risk profile. It is these foundational elements that ECCC uses to maintain the Corporate Risk Profile, which is developed on a 3-year cycle. The Corporate Risk Profile identifies the most significant strategic risks that may impact the Department in the delivery of its mandate and services. The last comprehensive corporate risk assessment exercise was completed in FY 2020 to 2021, with yearly updates until the next iteration of the profile, which is planned in FY 2023 to 2024.
The audit sought to assess the extent to which the Corporate Risk Profile is useful in enhancing senior management’s analysis and decision making related to priority setting and resource allocation. The audit found that the recently adopted departmental integrated planning approach led by the Corporate Services and Finance Branch embeds considerations for the key strategic risks from the Corporate Risk Profile. The 2022-2023 Notional Budget Allocation and Integrated Planning exercise was completed and a recommended strategy for operating, capital financial pressures and grants and contributions was presented at ADM Ops in April 2022. It was noted that the pressures were linked to the key risks identified in the Corporate Risk Profile. Recommendations were informed by risks identified in consultation with branches for the purpose of the integrated planning exercise.
The audit found little evidence that corporate risk information feeds back into branch planning and operational decision making. Furthermore, interview and questionnaire results point to relatively limited awareness of the Corporate Risk Profile at various levels of the Department, beyond the scope of the departmental integrated planning exercise. Concerns were also raised about the Corporate Risk Profile’s timeliness, and thus its usefulness, for making operational-level decisions.
Discussions with senior management on the Corporate Risk Profile suggest that it is viewed as a relevant tool for understanding organizational risks and that its usefulness may vary depending on factors such as ease of access to the document and relevance to specific program areas. In fact, a few interviewees knew of the existence of the Corporate Risk Profile and associated Integrated Risk Management Framework and Integrated Risk Monitoring Strategy, but were not familiar with their content.
As well, some interviewees mentioned that they are not actively using the Corporate Risk Profile in their day-to-day management of risks. Based on the results of our discussions, more guidance and support may be needed to integrate it into existing management processes. Additionally, some interviewees mentioned a need for a coordinated effort to resolve or mitigate identified risks rather than simply raising them and moving on to the next item on the list.
The questionnaire results indicate that 35% of the respondents agreed or strongly agreed that the integrated risk management approach allows for the effective roll-up of branch-related risks to inform overall corporate risks. The remaining respondents were either unsure or disagreed or strongly disagreed with these statements.
Monitoring and reporting on the Corporate Risk Profile risks
The ECCC Integrated Risk Monitoring Strategy and associated Corporate Risk Monitoring Approach define the foundational principles that should guide monitoring and reporting processes at all levels. They also provide guidance on how to apply these principles to the provision of strategic guidance and tools for monitoring and reporting on those corporate risks identified in ECCC’s Corporate Risk Profile. According to the risk monitoring approach, monitoring and reporting of these risks and associated mitigation activities are to be led by ECCC’s Integrated Risk Management Centre within the Corporate Services and Finance Branch, in collaboration with the Corporate Risk Profile risk action owners.
We were informed that risk action owners are not reporting on progress to the Risk Champions identified in the Corporate Risk Profile. Instead, updates are provided on a yearly basis as part of the Corporate Risk Profile refresh exercise. After completing templates provided by the Corporate Management Directorate, risk action owners or branch planners indicated that they had no further interaction with the Corporate Management Directorate in relation to the Corporate Risk Profile updates. This is consistent with our questionnaire results. 63% of respondents remarked that they do not receive regular updates on the status of risks and their associated mitigation measures identified in the Corporate Risk Profile.
A review of the most recent update on the Action Plans associated with the Corporate Risk Profile showed that 20 (57%) of the 35 mitigating measures or actions were ongoing, without a specific implementation date. Additionally, 31 (89%) indicated that the action owners would continue with the existing mitigations, regardless of whether the perceived level of risk increased or decreased. Notably, 2 action plans to mitigate risks identified in the Corporate Risk Profile lacked any response. There seemed to be no repercussions for failing to implement a risk action plan, leading to a potential lack of accountability. This highlights the need to review the monitoring exercise and adjust its administration as appropriate.
Guidance, tools and training
Interview and questionnaire results suggest that employees at all levels may lack awareness of the tools developed by the Corporate Management Directorate to support integrated risk management. While they are available on the ECCC intranet, the tools are difficult to find and have not been effectively promoted within the Department beyond their presentation and approval at governance committees. Interviewees and questionnaire respondents who were aware of the tools mentioned that they were not using them because they were too general to be useful in their daily management of risks.
Questionnaire respondents were invited to rate their level of familiarity with the listed roles and responsibilities of the Corporate Management Directorate as it relates to risk management. Results indicate that there is a lack of familiarity among respondents. The majority of respondents either had little or no familiarity at all. For example, 9% of respondents were very familiar with the role of the directorate as a corporate support function that leads the development of the ECCC Corporate Risk Profile, while 25% were not familiar with this role. Similarly, 7% of respondents were very familiar with the role of the directorate as a corporate support function for the development of tools and training on risk management, while 32% were not.
Review of documentation provided by the Corporate Management Directorate showed efforts to provide guidance and advice to branches on risk management practices, such as presentations on how to create branch risk profiles, guidance on how to create branch level risk management frameworks and information to help program leads to include an assessment of risk in Memorandums to Cabinet and Treasury Board Submissions. The Corporate Management Directorate acknowledged the need to adopt a more proactive approach to supporting and providing guidance on risk management and recognized that efforts are hindered by a lack of capacity and resources.
Training on risk management was mentioned in interviews and in questionnaire responses, particularly as it relates to general literacy levels on risk management. Several respondents pointed to a need to obtain training and tools that could assist them in identifying risks, assessing impact and likelihood probabilities and determining how to develop mitigation measures. The Corporate Management Directorate does not provide in-house training. However, in ECCC News in April 2022, they promoted awareness of several existing risk management courses offered by the Canada School of Public Service.
The questionnaire results demonstrate that there is room for improvement around risk management training. While 35% of respondents strongly agreed or agreed that risk management training opportunities are available, 53% were unsure or did not know about the availability of such opportunities and 11% disagreed or strongly disagreed.
Furthermore, 24% of respondents strongly agreed or agreed that they regularly update their knowledge of risk management practices through available training, while 53% disagreed or strongly disagreed; the remaining 23% were unsure or did not know. This indicates a potential gap in risk management knowledge and suggests that there may be a need for more communication and outreach to raise awareness about available training options.
Communication of risk information
The audit noted various risk management practices across different branches. As such, the approach to analyzing, tracking, monitoring, reporting and communicating risks varied depending on the branch or area. It was observed that some branches maintained a well‑structured system and used risk registries and trackers to discuss risks with counterparts from other departments. Conversely, other branches were in the process of developing tools to track and document risks. The audit team was informed that various communication channels are used to disseminate risk information within a given branch or area, including retreats, team meetings, bilateral meetings and ad hoc informal discussions. Bilateral meetings are often used as an initial step to escalate risks to senior management.
Questionnaire results indicate that there are some areas for improvement related to the communication of risk information. For instance, 28% of respondents strongly agreed or agreed that they receive regular updates on the status of risks identified within their branch or area, while 55% disagreed and strongly disagreed. Similarly, 28% of respondents strongly agreed or agreed that they receive regular updates on the status of mitigation measures related to the risks identified within their branch or area, while 55% disagreed or strongly disagreed.
At the departmental level, 16% of respondents strongly agreed or agreed that they receive regular updates on the status of risks and their associated mitigation measures identified in the Corporate Risk Profile, while 63% disagreed or strongly disagreed.
The results also suggest that many respondents feel they are not adequately informed of key risks and their associated mitigation measures when making decisions. While 41% of respondents strongly agreed or agreed that they are informed of key risks and their associated mitigation measures, 46% disagreed or strongly disagreed.
On a positive note, many respondents reported that they share risk information with colleagues and peers within the organization. 60% of respondents strongly agreed or agreed that they share risk information with colleagues and peers within their branch, while 48% agreed or strongly agreed that they shared risk information with colleagues and peers in other branches in ECCC.
Based on the results, there are opportunities to strengthen the consistency in approaches in risk management used throughout the Department and to increase staff awareness of the development, implementation and ongoing monitoring of corporate risks and mitigation measures identified in the Corporate Risk Profile.
Recommendation 2
The Assistant Deputy Minister, Corporate Services and Finance Branch, should review the processes for developing, updating, maintaining and communicating the Corporate Risk Profile, to ensure that it remains an effective tool to support informed decision making; and strengthen monitoring and reporting on the Corporate Risk Profile.
Management response
Management agrees with the recommendation.
The Assistant Deputy Minister, Corporate Services and Finance Branch, will continue its review of the processes for developing and maintaining the Corporate Risk Profile, to ensure that it remains an effective tool to support informed decision making; and strengthen monitoring and reporting on the Corporate Risk Profile.
Recommendation 3
The Assistant Deputy Minister, Corporate Services and Finance Branch, should develop ways to increase awareness of the existing corporate integrated risk management tools and training opportunities.
Management response
Management agrees with the recommendation.
The Assistant Deputy Minister, Corporate Services and Finance Branch, will develop ways to increase awareness of the existing corporate integrated risk management tools and training opportunities.
4. Conclusion
Overall, a governance structure is in place to support an integrated risk management approach. Roles and responsibilities are defined and oversight bodies are in place to support the integration of risk information in support of decision making. Individual risk management roles and responsibilities are generally understood. Integrated risk management tools (Corporate Risk Profile, Integrated Risk Management Framework and Integrated Risk Monitoring Strategy) exist to support branches in managing risks; however, these tools are not well known or easy to locate. The Corporate Risk Profile is viewed as a relevant tool for understanding organizational risks. However, there is limited evidence of its use in branch planning and operational decision-making processes.
Several opportunities for improvement were identified. There is a need to increase awareness regarding specific responsibilities such as for the Corporate Risk Champion and risk action owner roles. The effectiveness of risk management oversight, particularly regarding the frequency of risk discussions and the monitoring of risk management strategies by the governance committees, could be strengthened. Furthermore, there is a need for senior management to define and communicate the Department’s risk tolerance and appetite levels. Opportunities for improvement were also identified to strengthen the monitoring and reporting on Corporate Risk Profile risks and associated mitigation activities, as well as to enhance risk management knowledge and literacy through communication, guidance and awareness of training opportunities.
Appendix A: Audit lines of enquiry and criteria
Line of enquiry 1: Departmental governance is used effectively to support the integration of risk management across the organization.
- 1.1 Oversight bodies are in place to support the integration of risk management information in support of decision making.
- 1.2 Risk management roles, responsibilities and accountabilities are clearly defined, documented, communicated and understood by stakeholders throughout the Department.
Line of enquiry 2: Effective processes are in place to facilitate the consistent and timely identification, analysis, assessment and communication of key risks to support decision making.
- 2.1 Processes, guidance and tools are in place to assist branches in identifying, analyzing, assessing and communicating risk in a consistent manner.
- 2.2 Risk information and mitigation measures are tracked, analyzed, updated, monitored, reported on and used as part of planning and decision making.
Appendix B: ECCC governance structure
Text description
The diagram depicts the various committees and how they relate to each other. The departmental governance is led by two DM-chaired committees: the Executive Management Committee, and the Performance Measurement, Evaluation and Results Committee (PMERC). The Deputy Minister also receives independent advice and support on ECCC operations from the Departmental Audit Committee.
The Executive Management Committee is in turn supported by committees chaired by branch heads. These are the:
- Legal Issues Management Committee
- EX Human Resources Advisory Committee to the Deputy Ministers
- Human Resources Management Committee, which is supported by the:
- Accessibility Advisory Committee
- Labour Management Consultation Committees
- Leadership Council on Diversity and Inclusion
- Mental Health Advisory Committee
- National Joint Occupational Health & Safety Committee (to which Regional OHS Committees report)
The ADM Policy and Science Committee, which is supported by the:
- DG Policy Committee
- DG Regulatory Planning and Priorities Committee
- DG Environmental Assessment Committee
- DG Committee on Indigenous and Intergovernmental Priorities and Engagement
The ADM Resources and Corporate Operations Committee, which is supported by the:
- Digital Modernization Steering Committee
- DG Investment Management Committee
- DG G&C Management Committee
- DG Security and Emergency Management Committee
- DG Planning, Performance and Results Committee
Page details
- Date modified: