Finance and Corporate Services Department www.kitchener.ca
REPORT TO: Audit Committee
DATE OF MEETING: December 12, 2016
SUBMITTED BY: Corina Tasker, Internal Auditor, 519-741-2200 ext. 7361
PREPARED BY: Corina Tasker, Internal Auditor, 519-741-2200 ext. 7361
WARD(S) INVOLVED: ALL
DATE OF REPORT: December 1, 2016
REPORT NO.: FCS-16-188
SUBJECT: Corporate Risk Profile
RECOMMENDATION:
No recommendation required. The following information is being provided as an
update and assurance on internal audit matters, in accordance with the Audit
Committee Terms of Reference.
BACKGROUND:
The process of gathering risk information in general helps an organization identify all of
the things that could potentially prevent it from meeting its goals and objectives. By
doing so, our organization can then determine how we would like to treat the risks
including the options of accepting, mitigating, transferring, or eliminating the risk.
Strategies and budgets can then be aligned to address the areas of highest risk to the
organization.
In June 2016, all divisions were asked to complete a risk assessment survey which
measured the division's relative risk in 22 common risk areas, grouped into the seven
corporate risk categories:
Risk Category                 Risk Area
Financial risks               1   Adequacy of controls
                              2   Value of daily cash deposits
                              3   Condition of capital assets managed by the division
                              4   Future revenue opportunities
Service delivery risks        5   Impact of service on citizens
                              6   State of innovation
                              7   Adequacy of business continuity plan
                              8   Data quality and reliability
                              9   State of change within the division
Employee risks                10  Staff turnover in last 12 months
                              11  Staffing levels as a percentage of full complement
                              12  Health and safety risks to staff
                              13  Number of staff grievances in last 12 months
                              14  Competency of staff
                              15  Intentions to remain (from 2016 employee culture survey)
                              16  Growth requirements over next 5 years
Regulatory risks              17  Compliance with legislation and policy
Reputation risks              18  Image in the media and / or complaints from citizens
                              19  Impact of claims against the City
                              20  Consequences of cyber security breach
Public risks                  21  Public safety
Physical environment risks    22  Potential for environmental damage
Overall risk                  23  Considers all risks above and any unique risks
*** This information is available in accessible formats upon request. ***
Please call 519-741-2345 or TTY 1-866-969-9994 for assistance.
They were also asked to rate their overall risk based on the answers to the 22 questions
and any other unique risk factors affecting their division. Each question was rated on a
scale of 1 to 5, with 1 being low risk and 5 being high risk. Examples of each of the five
possible ratings were included in the survey to ensure consistency of responses across
divisions. All responses were validated by Internal Audit for reasonableness.
The data from these surveys has been analyzed and summarized in this report at the
corporate level. Further departmental reports have been shared with management.
This will allow Council and senior management to be aware of the most significant risks
affecting the departments and the corporation as a whole so that they may treat the
risks in an appropriate manner.
REPORT:
The following is a list of the six top areas where divisions rated the risk as high (4) or
extremely high (5):
• Impact of service (Service Delivery)
• Asset condition (Financial)
• Consequences of cyber security breach (Reputation)
• Business continuity (Service Delivery)
• Intentions to remain (Employee)
• Growth requirements (Employee)
[Chart: Corporate High Risk Areas]
Impact of Service
68% of units felt that many or most citizens would be severely affected by a decrease or
cancellation of the service. This is not surprising given the nature of municipal services,
many of which are not available through other service providers, and many of which are
necessities which contribute to the quality of life in Kitchener. Continued commitment
from Council for funding and a focus on business continuity are key to mitigating this
risk.
Asset Condition
43% of units felt that either some or the majority of the capital assets that they manage
require moderate to significant repairs or replacement. Again, this is not surprising
given the vast network of aging infrastructure across the City. The Asset Management
plan will help to identify and prioritize the assets in most urgent need of replacement or
repair. It will hopefully also identify whether additional staff or financial resources are
required to adequately mitigate this risk.
Consequences of Cyber Security
43% of units felt that if the unit's information systems were compromised, it would have
major to significant negative consequences for the City. This is because many units
collect personal information from patrons such as address, phone number, email,
birthdate, credit card information, etc. There is an ongoing body of work and control
framework related to Payment Card Industry (PCI) compliance which aims to protect our
customers' credit card information. However, there is recognition that there are other
types of data stored in our information systems that could be at risk such as confidential
information relating to City business. Another area of high risk is any device or sensor
that collects information electronically to drive business decisions and that may be a
target for terrorist or sabotage activity. This has already been identified as an emerging
risk across all municipalities and is therefore the focus of an internal audit for 2017 to
assess vulnerabilities and recommend improvements to all of our information systems.
Business Continuity
39% of units felt that their business was considered critical but that their business
continuity plan was either non-existent or outdated. This is linked to the impact of
service risk above. This risk can be mitigated by ensuring that all critical processes and
services have business continuity plans in place and that they are updated and tested
on a regular basis. This will be a focus for the Business Continuity working group,
working under the leadership of the Corporate Emergency Management Committee.
Intentions to Remain
32% of units reported that they had 30% or more of their staff who would leave the
organization if a similar job opportunity became available elsewhere. In order to
mitigate the risk of turnover, as a corporation there needs to be continued focus on the
People Plan, making this a "place where we want to work". This issue should also be
looked at through the action planning around the Employee Culture Survey results at
the division level as some of the root causes are likely specific to the work unit, rather
than being something that can be fixed corporately. In conjunction with this, it becomes
important for business units to have operating procedures documented in the event of
turnover so that new hires can easily step into the role and minimize the unproductive
ramp-up period or so that other staff can step into the role to cover the duties until a new
hire is made. This has been raised with the business continuity sub-committee and will
be looked at corporately through their work.
Growth Requirements
32% of units felt that they were understaffed to handle current service delivery demands
and that they would either be able to maintain current service levels in the face of
minimal growth (risk rating of 4), or would struggle to handle any future growth (risk
rating of 5). This speaks to the pressure to do more with the same amount of resources
and a recognition that the growth of the staff complement has not kept pace with the
rate of population growth in the city. In past years Council has expressed a preference
to maintain existing service levels at the rate of inflation. As a result, few new positions
have been authorized. In the short term staff can try to mitigate this by employing Lean
management techniques to streamline processes as much as possible and free up
capacity to handle future growth and employ vacancy management strategies. There
will come a point where the City's population expands enough that additional staff will
be required in multiple areas. Staff should continue to prioritize areas of greatest need
and bring them forward for Council consideration through budget.
CONCLUSION:
The preceding corporate risk information is being shared with Council in order to
provide awareness of the top risk areas that could potentially prevent the City from
meeting its goals and objectives. This will be useful background information for budget
deliberations and determining how to treat the risks including the options of accepting,
mitigating, transferring, or eliminating the risk. Strategies and budgets can then be
aligned to address the areas of highest risk to the organization.
ALIGNMENT WITH CITY OF KITCHENER STRATEGIC PLAN:
This report supports the achievement of the city's strategic vision through the delivery of core
service.
FINANCIAL IMPLICATIONS:
There are no financial implications related to this report.
COMMUNITY ENGAGEMENT:
INFORM — This report has been posted to the City's website with the agenda in
advance of the council / committee meeting.
ACKNOWLEDGED BY: Dan Chapman, Deputy CAO, Finance and Corporate Services