Management Response and Action Plan - Audit of Enterprise Risk Management
Recommendation 1
The CFO should ensure that the Agency's Integrated Risk Management Policy and related Guideline currently under development:
- Clearly establishes baseline risk management expectations and deliverables for branches and functional units; and
- Clarifies the roles and responsibilities for ongoing monitoring and reporting on Agency risk management practices and adherence to Policy expectations.
Management response
Management agrees with the recommendation.
| Planned management action | Deliverables | Expected completion date | Responsibility |
|---|---|---|---|
The branch will ensure that the recently developed Integrated Risk Management Guidelines clearly establish minimum expectations for branches and internal service functional units regarding ERM processes and related outputs. |
1.1 Establish a suggested approach, process, principles, and risk assessment criteria via the Integrated Risk Management Guidelines to conduct a risk assessment not related to public health. |
Completed |
VP CFOCMB DG CMD |
The branch will ensure that the recently updated Integrated Risk Management Policy establish the roles and responsibilities of governance committees, senior management and employees in regard to risk management. |
1.2 Establish the roles and responsibilities of governance committees, senior management, and employees in regard to risk management, including the ongoing monitoring, assessment and reporting of ERM. |
Completed |
VP CFOCMB DG CMD |
Obtain timely approval of the CRP Q4 of 2022-23. |
1.3 Obtain President approval of the CRP and Policy and CFOCMB VP concurrence of Guidelines. |
Completed |
VP CFOCMB DG CMD |
The branch will communicate the new ERM CRP, IRM Policy and IRM Guidelines to allow Agency-wide access. |
1.4 Post approved CRP, Policy, and Guidelines to the Risk Management Intranet page for PHAC employees to access. |
Q1 of 2023-24 |
VP CFOCMB DG CMD |
Recommendation 2
The CFO, in consultation with branch heads and functional area leads, should develop and provide guidance for establishing more robust risk monitoring and reporting processes, including the following:
- ongoing assessment and consideration of the impact of risk responses on underlying risks;
- aligning monitoring and reporting activities with the severity of risks and established tolerance levels; and
- defining risk information requirements in support of the monitoring and reporting plans and processes.
Management response
Management agrees with the recommendation.
| Planned management action | Deliverables | Expected completion date | Responsibility |
|---|---|---|---|
The branch will ensure that a process is established to identify, assess, and discuss the impact of risk responses on underlying risks, as well as aligning the monitoring and reporting activities with the severity of risks. |
2.1 Establish an annual Agency Risk Register process to review current controls, mitigation strategies and accountabilities related to risks in the CRP. |
Q2 of 2023-24 |
VP CFOCMB DG CMD |
2.2 Update the CRP annually to review relevance and status of risk responses. |
Q3 of 2023-24 |
VP CFOCMB DG CMD |
|
Ensure that risk information and requirements are defined in support of the monitoring and reporting plans and processes. |
2.3 Make training available to all PHAC employees that provides definitions of risk information on the PHAC risk assessment, monitoring and reporting process |
Q2 of 2023-24 |
VP CFOCMB DG CMD |
Page details
- Date modified: