At a glance – Audit of ECCC risk management practices
The achievement of Environment and Climate Change Canada’s (ECCC) mandate and priorities is influenced by the dynamic environment in which it operates. The Department has experienced significant growth over the past few years with an ever-increasing number of new activities, unprecedented funding increases and a shift from its primarily regulatory and scientific mandate towards a more program-driven approach to supporting government priorities, including as it relates to climate change and sustainable development. As such, the risks are numerous and diverse, driven by events ranging from financial and human resource challenges to the obsolescence of assets, potential security breaches and cyberattacks, health and safety concerns and legal and reputational risks, to name a few. Effective risk management practices are important to enable the Department to deliver on its mandate, priorities and increasing domestic and international commitments.
ECCC’s integrated risk management approach is founded on 3 core elements: the Integrated Risk Management Framework, the Corporate Risk Profile and the Integrated Risk Monitoring Strategy.
What the audit found
Overall, a governance structure is in place to support an integrated risk management approach. Roles and responsibilities are defined, and oversight bodies are in place to support the integration of risk information in support of decision making. Individual risk management roles and responsibilities are generally understood.
Integrated risk management tools (Corporate Risk Profile, Integrated Risk Management Framework, Integrated Risk Monitoring Strategy) exist to support branches in managing risks; however, these tools are not well known or easy to locate. The Corporate Risk Profile is viewed as a relevant tool for understanding organizational risks. However, there is limited evidence of its use in branch planning and operational decision-making processes.
Several opportunities for improvement were identified. There is a need to increase awareness regarding specific responsibilities such as for the Corporate Risk Champion and risk action owner roles. The effectiveness of risk management oversight, particularly regarding the frequency of risk discussions and the monitoring of risk management strategies by the governance committees, could be strengthened. Furthermore, there is also a need for senior management to define and communicate the Department’s risk tolerance and appetite levels. Opportunities for improvement were also identified to strengthen the monitoring and reporting on Corporate Risk Profile risks and associated mitigation activities, as well as to enhance risk management knowledge and literacy through communication, guidance and awareness of training opportunities.
Recommendations and management response
Recommendation 1
The Assistant Deputy Minister (ADM), Corporate Services and Finance Branch, should strengthen the inclusion of integrated risk management into departmental governance deliberations by:
- Reviewing the terms of reference for the Executive Management Committee and Assistant Deputy Minister (ADM) Resources and Corporate Operations Committee to reflect their responsibilities for overseeing integrated risk management
- Developing a structured approach for discussing and monitoring horizontal risks at the executive committee meetings
- Establishing and communicating a clear risk tolerance level for the Department that is informed by the Department’s overall risk appetite and takes into account its capacity to manage risk
Management response
The Assistant Deputy Minister, Corporate Services and Finance Branch, agrees with the recommendation.
The Assistant Deputy Minister will strengthen the inclusion of integrated risk management into departmental governance by:
- Engaging both the secretariats of the Executive Management Committee and ADM Resources and Corporate Operations Committee to suggest revisions that would reflect their responsibilities for overseeing integrated risk management for the committees’ approval
- Developing a structured approach for discussing and monitoring horizontal risks at the executive committee meetings
- Proposing and communicating a clear risk tolerance level for the Department that is informed by the Department’s overall risk appetite and takes into account its capacity to manage risk
Recommendation 2
The Assistant Deputy Minister, Corporate Services and Finance Branch, should review the processes for developing, updating, maintaining and communicating the Corporate Risk Profile, to ensure that it remains an effective tool to support informed decision making; and strengthen monitoring and reporting on the Corporate Risk Profile.
Management response
The Assistant Deputy Minister, Corporate Services and Finance Branch, agrees with the recommendation.
The Assistant Deputy Minister, Corporate Services and Finance Branch, will continue its review of the processes for developing and maintaining the Corporate Risk Profile, to ensure that it remains an effective tool to support informed decision making; and strengthen monitoring and reporting on the Corporate Risk Profile.
Recommendation 3
The Assistant Deputy Minister, Corporate Services and Finance Branch, should develop ways to increase awareness of the existing corporate integrated risk management tools and training opportunities.
Management response
The Assistant Deputy Minister, Corporate Services and Finance Branch, agrees with the recommendation.
The Assistant Deputy Minister, Corporate Services and Finance Branch, will develop ways to increase awareness of the existing corporate integrated risk management tools and training opportunities.
About the audit
The audit, conducted between October 2022 and March 2023, covered the period from January 2020 to March 2023, to include the 2020 to 2023 ECCC Corporate Risk Profile cycle. The audit objective was to assess the application and effectiveness of ECCC’s integrated risk management processes in supporting informed decision making. The audit focused on the governance, controls and risk monitoring and reporting activities in place to support the integration of risk management across the Department.