HomeMy WebLinkAboutFCS-14-109 - Risk Management UpdateStaff Report
rR finance and Corporate Services Department www.kitchener.ca
REPORT TO: Audit Committee
DATE OF MEETING: June 30, 2014
SUBMITTED BY: Corina Tasker, Internal Auditor, 519 - 741 -2200 Ext 7361
PREPARED BY: Corina Tasker, Internal Auditor, 519 - 741 -2200 Ext 7361
WARD(S) INVOLVED: ALL
DATE OF REPORT: June 5, 2014
REPORT NO.: FCS -14 -109
SUBJECT: Risk Management Update
RECOMMENDATION:
For information only.
BACKGROUND:
One of the responsibilities of the Audit Committee is to ensure that "management has
established and is maintaining a comprehensive risk framework ". This report provides an
update of the existing and planned activities related specifically to risk management to give the
Audit Committee assurance that management has fulfilled its duties in this regard.
REPORT:
What is risk management?
Enterprise risk management (ERM) is a method or process used by an organization to manage
risks and seize opportunities related to the achievement of their objectives. It is a process to
identify and proactively address risks and opportunities across the corporation. At its core is the
ability to identify potential risks to the business and then treat the risk by either accepting it,
transferring it, mitigating it, or eliminating it.
Benefits of Risk Management
By being aware of the many types of risks that could impact the obtainment of our goals, our
organization is in a better position to proactively mitigate or capitalize on risks before they
emerge. This helps to reduce costs, mitigate losses, protect City assets, and ensure project or
divisional success. It allows us to be proactive, not reactive.
3 -1
The City of Kitchener's ERM Journey
Back in 2008 when the Delta project began (comprising system installations of SAP Financials,
CityWorks, and RIVA) the project team decided that more rigor was required in project
management in order for the project to be a success. An independent third -party advisor was
retained to perform a risk assessment to try to identify all of the potential things that could go
wrong with the project. This would allow the project team to proactively address the issues.
The risk assessment helped identify a few high risks which were addressed which helped to
avoid project failure.
At the start of the Kitchener Operations Facility project a similar risk assessment process was
undertaken given the complex nature of the project. Several failure points were averted through
early detection in the risk assessment. The process was fully embraced by the project team and
integrated into the project management.
Through the course of these two projects internal resources were trained on the process to
create a risk assessment. It was recognized that this was a valuable process that should
continue in all large projects.
In 2009, Council approved policy I -16 which established a corporate risk management
framework, methodology, risk tolerance levels, and common terminology which should be used
across the corporation. The policy states that a risk assessment will be performed for any
project >$50,000 which requires a business case. Since that time several large projects and a
few divisions have completed risk assessments using the corporate framework. In addition, the
framework has been used as a basis for risk assessments for the "Violence in the Workplace"
assessment, for prioritizing service reviews based on relative risk, and for identifying the most
urgent business processes for business continuity planning.
Moving Forward — Embedding Risk Management Into the Culture
It is critical that the City work to embed risk management into the culture of the organization so
that it becomes a standard business practice that management and staff use every day in order
to achieve their goals and run their business. In order to do that, there are three levels which
must be addressed:
1. Governance
2. Processes and tools
3. Staff training and experience
Governance:
We need to ensure that risk management is part of the governance structure and reporting
framework. This will make us all accountable for using it. Having a risk management policy is
one important step in this area which has already been accomplished. The second step will take
the form of an annual report to Audit Committee from the Internal Auditor, such as this one. It
will provide an update on risk management activities and a review of the policy and framework
when required.
3 -2
Processes and Tools:
We need to incorporate risk management into our existing processes, tools and templates.
There are three main areas under this topic which we will be focussing on:
1. Project risk assessments: templates and instructions will be made available to all
project managers. Project managers of corporate and divisional projects will be
encouraged to create a risk assessment in order to manage their project.
2. Divisional level risk assessments: a lead from each department has been trained
on the importance of risk assessments and how to conduct a divisional level risk
assessment. Going forward all comprehensive reviews or audits will contain a risk
assessment for the division. This will assist in identifying and mitigating divisional
risks. These risk assessments will be stored in a central location which form the
basis for a risk library which senior management can utilize to view risk at the
corporate level.
3. Strategic and business planning: the business planning process should include an
identification of the risks that could affect the achievement of the goals in the
business plan. Whether these risks are shown in the formal business plan document
or remain just a part of the planning process is still to be determined. Work will
continue with the strategic planning team to establish how this could be
accomplished.
Staff Training and Experience:
Staff across the corporation needs to be trained in risk management concepts and techniques
and be provided with opportunities to apply the knowledge. The goal is that over time staff will
become more comfortable with risk management and it will become the way we do business.
There are two main methods of achieving this goal which are planned:
1. "CapaCity" course on risk management: A CapaCity course entitled "Risky
Business" will be added to the 2014 -15 course calendar and will be delivered by the
Internal Auditor. The course will be aimed at management and project managers but
will be open to any who want to take it. The course will cover the corporate policy
and framework, benefits of risk management, tools and techniques, and how to
conduct a project or division level risk assessment.
2. Hands -on experience: as risk assessments are built into all comprehensive audits
or reviews going forward, more and more staff will have the opportunity to participate
in risk assessment workshops relevant to their day to day work. They will help to
identify risks in their division as well as create mitigation strategies to address those
risks.
ALIGNMENT WITH CITY OF KITCHENER STRATEGIC PLAN:
Work relating to risk management falls under the Efficient and Effective Government foundation
within the Strategic Plan. Specifically the plan states that we will support [service] delivery
through a robust governance and management approach, including a close eye on risk
management and legislative compliance.
FINANCIAL IMPLICATIONS:
None
3 -3
COMMUNITY ENGAGEMENT:
Members of the community have been informed through the posting of this report on the internet
on June 25, 2014.
CONCLUSION:
Risk management is understood and supported at the senior management level. In addition,
seasoned project managers use risk management regularly as one of many tools to
successfully complete their projects. The City has a comprehensive risk management policy and
framework in place. Work is underway to further embed risk management concepts across the
corporation at all levels.
ACKNOWLEDGED BY: Dan Chapman, Deputy CAO, Finance and Corporate Services
3 -4
r"N1,06C
Jr
(D
E
CDc�
c�
in
ry
CDV
CD
c�
-t
0
Q.
N
ry
2-32
2 -33
N,,0C
m ,
Jr
N
N
D
N
N
(6
(6
♦c^^
V♦
cn
cn
n�
W
V
>
iii c
E O U ..
O �= O
E
a �o cn •-
cn O
'a p �>, � � to CU .�
cn
0
CU
� •N O cu
O� •� L I I I I
Ll
Ll
Ll
2 -34
N,,0C
m ,
Jr
cn
.L
E -4-, L U
.O .O
OL-
0-0-
O N
CD
N
N
� L
o O
'> C:
N
E
I cn
0o a)
CD cn
O cn
N M
cn
N
U
O
Q
N
O
N
cn
m
L-
a)
N
O
Q
Q
U
O
Q
N
E
N
CD
m
m
E
cn
.L
I
O
O
N
N
cn
O
a)
E
c�
H
2 -35
cn
cn
`
W
O
cn
' cn
'�
C:
O
U
O
c
Q
cn
cn
N
cn
N
N
0
cn
U)
CL
'>
N
N
�=
.a)
O
O
L
C:
O
U
Q
N
.L
v
O
N
�
O
U
a)
•—
0)
0) N
'N
U
'C:
O
N
N
N
•O
•�
C)
>
0-
O
I
I
I
I
2 -35
m ,
Jr
IIIIII)
IW liz
rz
II
r
..�IIIII�
IIIW k
M
L-
O
O
AM
O
9
06
O
N
U
O
W
U
N
.a)
Q
X
W
0)
.C:
2 -36
N,,0C
m ,
Jr
nW'
W
E
E
O
� U
Q
0 0
a� L
� o
CU
C: a)
m L
E
co C-
0� Q
. .
2 -37
N,,0C
m ,
Jr
K0J
W
'MID
O
L.
Q.
C/)
C:
O
•
A-Mo — to
U L
=3 O
0)
cn CU
C: C:
cn
a)
C� O
O
EL
O O
Ll
V
.C:
O
U
.C:
O
E
cn
cn
O
cn
cn
C�
cn
E
Ll
V
}+ cm
V
V
W
cn
• —
> to O � O C:
O a) cn
.% U
cn
C C:
a) C6 . —
Jc: -0 C: cn
O — O
L � •� to a)
E E — U
O 0 O
U �
Ll
2 -38
N,,0C
,' .
U
Q
W
06
ca
L
C�
A.-O
U
.O
O
� L
O Q.
� L
O
a
L C: C/)
0 A-i
O ,cn O
U •> E
cn
cn C: cn
cn • — �
o � .— o
C: c� C cn
L. . _ ca
m•— �cn
�C cu • V —
�_
If O
m >
V
U � a)
V —
Ll
Ll
2 -39
N,,0C
m ,
Jr
V
n�
nW'
W
� O
C� 42
� O
O .0
E O
O �
CY) O
CU
C: • s=
Ca ♦--�
O
.se U
cn —
•O
C: O
V
•cu C: O O
O U
C= cn O
0 =3 a)
4) V �
.0 O O cn
cn — C= cn
— O
to
O O CY) O
cr
C: L CU C-
a)
O
U. cn
O
2 -40
r"N1,06C
Jr
Cl*%m
(n
C�
0
i/�
(D
=3
`J
2-41