KITCHENER
Chief Administrator's
Office
Report To: Mayor Carl Zehr, Chair and members of the Audit Committee
Date of Meeting: April 6, 2009
Submitted By: Loretta Alonzo, Performance Measurement and Internal Auditor
Prepared By: Loretta Alonzo, Performance Measurement and Internal Auditor
Ward(s) Involved: All
Date of Report: March 20, 2009
Report No.: CAO-09-015
Subject: Corporate Risk Management Policy
RECOMMENDATION:
That the Corporate Risk Management Policy and Framework as outlined in Chief
Administrator's Office report CAO-09-015 be approved.
EXECUTIVE SUMMARY:
The City of Kitchener is committed to identifying, assessing, and mitigating risks to ensure that
corporate objectives are achieved. To this end, the Corporation will maintain a long-term,
robust Corporate Risk Management Policy based on an established framework that categorizes
risks by type, impact and likelihood. The overall risk strategy is part of an Enterprise Risk
Management implementation which will be introduced in phases throughout the Corporation
over the next two years.
BACKGROUND:
In February 2007 KPMG consultants were retained to deliver a workshop for senior
management introducing the concept of Enterprise Risk Management. Since that time, the
Internal Auditors have continued to expand risk management services including the
development of risk assessments and monitoring risk registers for major projects such as Delta,
CMF and King Street Streetscape.
REPORT:
Enterprise risk management (ERM) is a method or process used by an organization to manage
risks and seize opportunities related to the achievement of their objectives. ERM provides a
framework for risk management, which typically involves identifying particular risks and
opportunities, assessing them in terms of likelihood and magnitude of impact, determining a
response strategy, and monitoring progress. By identifying and proactively addressing risks and
opportunities the City of Kitchener will protect the interests of the public and create value for all
stakeholders.
Risk management is an integral part of management across the Corporation. It forms part of
strategic planning, business planning and project approval procedures. In addition, the policy
assists in decision-making processes that will allocate resources to areas of highest risk.
Identifying and managing risk is everyone's responsibility and is one component of good
corporate governance.
The internal audit division has been developing and expanding its risk management services
over the last couple of years to include creation of major project risk assessments and ongoing
oversight of the risk registers maintained by the project director or team. We have also refined
our risk framework and now use a consistent approach to define risk categories, impacts and
likelihood.
The City of Kitchener has adopted a risk rating matrix that quantifies the impact and likelihood
criteria and assigns a numerical value to the resulting score. All risk registers should use this
terminology to ensure consistency in understanding across the corporation.
The categories of risk are:
· Service delivery - Risk of not meeting customer expectations
· Employees - Risk that employees, contractors or other people at the City will be negatively impacted by a policy, program, process or project including physical harm
· Public - Risk that the policy, program or action will have a negative impact on the citizens of Kitchener
· Physical Environment - Risk that natural capital will be damaged
· Reputation - Risk associated with anything that can damage the reputation of the City or undermine confidence in the City of Kitchener
· Financial - Risk related to decisions about assets, liabilities, income and expenses including asset management, capital and operational funding, economic development, theft or fraud
· Regulatory - Risk related to the consequences of non-compliance with laws, regulations, policies or other rules
Impact is quantified as:
Scale 4: Catastrophic
Scale 3: Major
Scale 2: Moderate
Scale 1: Minor
Likelihood is quantified as:
Scale 5: Almost Certain
Scale 4: Likely
Scale 3: Somewhat likely
Scale 2: Unlikely
Scale 1: Rare
When impact and likelihood are assessed, a risk rating is calculated by multiplying the impact
scale times the likelihood scale.
The current City of Kitchener risk matrix assigns colours to the resulting score based on the
City's risk tolerance as set out below.
[Risk matrix figure: Impact Scale (1 to 4) against Likelihood Scale (1 to 5), with cells coloured red, yellow or green according to the City's risk tolerance]
Risk Tolerance is defined as the level of risk the City is willing to accept in pursuit of its
objectives. This can be measured qualitatively with categories such as major, moderate, or
minor. The level of risk acceptable is directly related to the nature and scope of the project or
work.
The proposed policy sets out the following guidelines for the Corporation's risk tolerance level.
· As a general guideline any identified risk rated as a ten (10) or higher and in the red grid
of the matrix must have a mitigation plan and the ongoing status will be monitored in the
risk register.
· A risk rating falling within the yellow grid of the matrix will require an action but resolution
may be deferred until more urgent risks have been dealt with.
· A risk rating falling within the green grid of the matrix should be noted but no action plan
is required.
Our current risk management practice requires all capital projects requiring a business case
(currently defined as greater than $50,000) or those with potential exposure greater than
$50,000 to have a Project Risk Register developed and maintained by the Project Director or
project team. The register is updated regularly by the Project Director to document actions taken
and identify new or emerging risks. The register is reviewed on a monthly basis with the Internal
Auditor who provides oversight and assistance in developing mitigation strategies and in
identifying emerging risks.
A Corporate Risk Register is maintained by the Internal Auditor identifying risks that could
potentially affect the entire Corporation. Presently, these risks are listed on an ad-hoc basis but
will be developed further to include risks affecting all high-level objectives in the City's strategic
plan. The risk register is reviewed with the CAO on a bi-weekly basis and with the General
Managers on a monthly basis.
The proposed new policy is intended to formalize our current risk management practices and
provide the foundation for increased risk awareness throughout the Corporation. We propose to
expand our Enterprise Risk Management initiative over the next two years to include:
· Deliver risk management workshops for managers and directors of areas where risk
assessments (project or operations based) will be most relevant and constructive to
increase risk awareness and enhance staff skill levels in risk management. (May to
December 2009)
· Incorporate risk management analysis into the business planning and strategic planning
processes. (Begin January 2010)
· Add a risk component to all major reports to Council indicating that all required risk
assessments have been completed in compliance with the Corporate Risk Management
Policy. (September 2009)
FINANCIAL IMPLICATIONS:
None
COMMUNICATIONS:
In addition to presenting this report to the Audit Committee on April 6, 2009 it will be
communicated through the following channels:
· Posted on the internet home page and on the "Publications" page
· Already presented to Corporate Management Team, Legal division, Insurance
Management
· Training sessions will be scheduled by the Internal Auditor for all Directors and
Managers as appropriate
Signed and reviewed by:
Loretta Alonzo, Performance Measurement and Internal Auditor
APPENDIX - A
ENTERPRISE RISK MANAGEMENT FRAMEWORK
Enterprise risk management (ERM) includes the methods and processes used by an
organization to manage risks and seize opportunities related to the achievement of their
objectives. ERM provides a framework for risk management, which typically involves identifying
particular risks and opportunities, assessing them in terms of likelihood and magnitude of
impact, determining a response strategy, and monitoring progress. By identifying and
proactively addressing risks and opportunities the City of Kitchener will protect the interests of
the public and create value for all stakeholders.
This Framework is designed to advance the development and implementation of Enterprise
Risk Management throughout the City of Kitchener. It provides a comprehensive approach to
better integrate risk management into strategic decision-making and internal controls.
The purpose of the Framework is to:
· Provide guidance to advance the use of a more corporate and systematic approach to
risk management
· Contribute to building a risk-smart workforce and environment that allows for responsible
risk-taking while ensuring legitimate precautions are taken to protect the Corporation,
ensure due diligence and maintain the public trust
· Establish a set of risk management practices that departments can adapt to their specific
circumstances or mandate
Step 1: Define and clarify the objectives
What are the primary objectives of the project or work being undertaken?
Step 2: Identify the risks
Review the risk categories and ask the question "What things could happen that might affect our objectives?"
Step 3: Analyze and evaluate the risks (Likelihood and Impact)
Ask "How likely is this to happen and what would the consequences be if it does happen?"
Step 4: Create the Risk Register
Step 5: Accept, manage or mitigate the risks
Identify the actions to be taken to minimize the effect of the risk or to avoid the risk entirely
Step 6: Monitor, update, report
Continuously monitor the status of risks and adjust the risk ratings as situations change
Page 1 of 6
Categories of risk for the City of Kitchener are defined as:
· Service delivery - Risk of not meeting customer expectations
· Employees - Risk that employees, contractors or other people at the City will be
negatively impacted by a policy, program, process or project including physical harm
· Public - Risk that the policy, program or action will have a negative impact on the
citizens of Kitchener
· Physical Environment - Risk that natural capital will be damaged
· Reputation - Risk associated with anything that can damage the reputation of the City
or undermine confidence in the City of Kitchener
· Financial - Risk related to decisions about assets, liabilities, income and expenses
including asset management, capital and operational funding, economic development,
theft or fraud
· Regulatory - Risk related to the consequences of non-compliance with laws,
regulations, policies or other rules
Impact is quantified as:
Scale 4: Catastrophic
Scale 3: Major
Scale 2: Moderate
Scale 1: Minor
Likelihood is quantified as:
Scale 5: Almost Certain
Scale 4: Likely
Scale 3: Somewhat likely
Scale 2: Unlikely
Scale 1: Rare
When impact and likelihood are assessed, a risk rating is calculated by multiplying the
impact scale times the likelihood scale.
When the Category, Impact, and Likelihood are presented in a chart format, they create a chart
referred to as the "Risk Matrix".
The current City of Kitchener risk matrix assigns colours to the resulting score based on the
City's risk tolerance as set out below.
[Risk matrix figure: Impact Scale against Likelihood Scale, with cells coloured red, yellow or green according to the City's risk tolerance]
For example: A specific risk has been assessed as having an impact described as
"Major", with a scale of 3. The likelihood of this risk occurring has been assessed as "somewhat
likely", with a scale of 3. The risk rating total is impact multiplied by likelihood, or a total score of
9. This risk would fall within the yellow grid of the matrix. The following "Risk Criteria Matrix"
provides detailed descriptions of the impact and likelihood status.
Risks falling within the red grid of the matrix are those with the most serious impact and the
highest likelihood of occurring. These risks require a mitigation strategy and should be
addressed with the highest priority while those in the yellow grid have lesser impacts but still
require a mitigation strategy. Risks falling within the green grid are relatively minor and may not
require a mitigation strategy but should be tracked to ensure they do not increase in severity.
Current Enterprise Risk Management Processes:
All capital projects requiring a business case (currently defined as greater than $50,000) or
those with potential exposure greater than $50,000 are required to have a Project Risk
Register developed and maintained by the Project Director or project team. The register is
updated regularly by the Project Director to document actions taken and identify new or
emerging risks. The register is reviewed on a monthly basis with the Internal Auditor who
provides oversight and assistance in developing mitigation strategies and in identifying
emerging risks.
A Corporate Risk Register is maintained by the Internal Auditor identifying risks that could
potentially affect the entire Corporation. Presently, these risks are listed on an ad-hoc basis but
will be developed further to include risks affecting all high-level objectives in the City's strategic
plan. The risk register is reviewed with the CAO on a bi-weekly basis and with the General
Managers on a monthly basis.
Future Enterprise Risk Management Initiatives:
· Deliver risk management workshops for managers and directors of areas where risk
assessments (project or operations based) will be most relevant and constructive to
increase risk awareness and enhance staff skill levels in risk management. (May to
December 2009)
· Incorporate risk management analysis into the business planning and strategic planning
processes. (Begin January 2010)
· Add a risk component to all major reports to Council indicating that all required risk
assessments have been completed in compliance with the Corporate Risk Management
Policy. (September 2009)
LIKELIHOOD SCALE
Scale: Numeric Probability
Scale 5: > 90%
Scale 4: 50 - 90%
Scale 3: 20 - 50%
Scale 2: 5 - 20%
Scale 1: < 5%
Impact Criteria by Category Matrix

Risk categories (columns of the matrix):
Service Delivery - Risk of not meeting customer expectations
Employees - Risk that employees, contractors or other people at the City will be negatively impacted by a policy, program, process or project, including physical harm
Public - Risk that the policy, program or action has a negative result on specified target groups of citizens in Kitchener
Physical Environment - Risk that natural capital will be damaged
Reputation - Risk associated with anything that can damage the reputation of the City or undermine public confidence in it
Financial - Risk related to decisions about assets, liabilities, income, expenses including asset management, capital and operational funding, economic development, theft and fraud
Regulatory - Risk related to the consequences of non-compliance with laws, regulations, policies, or other rules

Impact Level Scale 4 - Catastrophic
Service Delivery:
- Unable to perform one or more essential services and no alternatives exist.
- Unrecoverable loss of information from critical system
- Unrecoverable facility loss
- External exposures of critical confidential information
- Project end product is essentially useless
- Project cancellation
- Project deadlines overrun >75%
Employees:
- Death in the workplace
- Significant loss of employee knowledge
- External exposure of confidential employee information
- Strike
- No amount of existing or additional resources can address the event
Public:
- Death of member of the public due to City actions or inactions
- Cancellation of a program that supports equitable access, social justice or quality of life and no alternatives are available
Physical Environment:
- Potential to cause long term environmental damage with lasting consequences
- Consequences of not including environmental considerations has potential to create long term environmental damage
Reputation:
- Public/media outcry for change in administration or Council
- Public or senior officials criminally charged or convicted
- Integrity breach resulting in decreased trust in City Council or Administration
- Recurring negative media coverage on national and/or international stage
Financial:
- Uninsured loss > $10M
- Insured loss > $10M
- Fines or loss > $10M
- File for bankruptcy
- Failure to maintain financial capacity to support current demands
- Fraud > $500,000
- Decrease in Kitchener economic condition greater than a 20% decrease in assessment base
- Project cost > 100% overrun
Regulatory:
- Legal judgment against the City
- Loss of license to operate (CVOR, other)
- Imprisonment of Kitchener staff
- Other sanctions imposed by regulatory bodies

Impact Level Scale 3 - Major
Service Delivery:
- Underachievement of business unit goals (50-75% achieved)
- Unable to perform non-essential service
- Disclosure of non-confidential but embarrassing information
- Project scope: major changes required
- Project deadlines overrun >50% <75%
Employees:
- Employee injury, critical
- No improvement in employee satisfaction
- Increase in the number of union grievances (>10%)
- Short term additional resources required to fix the situation
Public:
- Critical injury to member of the public because of City action / inaction
- Major decrease in social programs (>50%)
Physical Environment:
- Potential to cause short term repairable environmental damage impacting a large area
Reputation:
- Complaints elevated to CAO / City Council level
- Public outcry for removal of employee
- Significant negative media coverage or editorial comment
- 5+ negative media stories and/or editorials spanning multiple days, from local media
- Negative media coverage on provincial or national stage
Financial:
- Significantly decreased usefulness of infrastructure
- Fines < $1M
- Inefficient processes
- Reduced revenues for many businesses
- Significantly reduced economic development
- Project cost >50% <100% overrun
Regulatory:
- 2nd warning from regulatory bodies
- Internal compliance reporting deficiencies in multiple divisions or depts.
Impact Level Scale 2 - Moderate
Service Delivery:
- Underachievement of business unit goals (50-75% achieved)
- Unable to perform non-essential service
- Disclosure of non-confidential but embarrassing information
- Project scope: moderate changes required
- Project deadlines overrun >25% <50%
Employees:
- Employee injury, non-life-threatening
- Significant increase in number of errors (>10%)
- Increase in the number of union grievances (>5%)
- Short term extra resources required to fix the situation
Public:
- Non-life-threatening injury to member of the public because of City action / inaction
- Loss of privacy, safety or quiet in a neighbourhood
- Moderate decrease in social programs (>20%)
Physical Environment:
- Potential to cause short term repairable environmental damage impacting a small area
Reputation:
- Complaints elevated to Director / GM level
- Moderate media coverage or editorial comment
- 3-4 negative media stories and/or editorials spanning multiple days, from 2+ local media outlets
Financial:
- Some decreased usefulness of infrastructure
- Fines < $100K
- Reduced revenues for some businesses
- Some reduced economic development
- Project cost >10% <50% overrun
Regulatory:
- 1st warning from regulatory bodies
- Internal compliance reporting deficiencies in one division or dept.

Impact Level Scale 1 - Minor
Service Delivery:
- Some business unit goals not met (75-90% achieved)
- Project scope: scope change is barely noticeable
- Project deadlines overrun >5% <25%
Employees:
- Minor reportable employee injury
- Short term additional effort required by existing staff to fix the situation
Public:
- Minor decrease in social programs (>5%)
Physical Environment:
- Potential to cause non-lasting damage to environmental assets
Reputation:
- Small amount of negative media coverage or complaints to the City
- 1 negative media story from 1-2 local media outlets
Financial:
- Loss of replaceable asset
- Project cost >5% <10% overrun
Regulatory:
- Isolated non-compliance to policy or rules by few employees
Sample Risk Register:
1. The lack of a project charter has already resulted in considerable ambiguity about roles and responsibilities of the team members, consultants, and stakeholders. A lack of clearly defined roles, responsibilities, and authority levels may result in conflict within the team, duplication of efforts (costs), inappropriate level of authority for decision-making, and lack of clear leadership.
   Action: Team to discuss and resolve. Assigned to: M. Brown
2. There are likely to be data ownership disputes in terms of who can update reference tables in the new system (e.g. vendor table). Lack of a clearly defined hierarchy may result in duplication of records and data integrity issues.
   Action: Assign ownership of specific reference tables to specific individuals. Assigned to: D. Roberts
3. The team has differing opinions about the importance of Quality, Budget, and Scheduling of the project. Risk that lack of agreement on the ranking of these constraints will create conflict or confusion when making decisions.
   Action: Team to have discussion and reach consensus on priorities for entire project. Assigned to: S. Smith
[Numeric scores shown in the sample register, whose column and row positions are not recoverable from the scan: 3.00, 2, 2.00, 5.00, 3, 5.00]
City of Kitchener - Draft - Corporate Risk Management Policy
Page 1
COUNCIL POLICY RESOLUTION
POLICY NUMBER: 1-
DATE:
POLICY TYPE: COUNCIL
SUBJECT: CORPORATE RISK MANAGEMENT POLICY
PURPOSE:
To outline the Corporation's […] with regard to risk management, including roles and responsibilities related to risk register standards and risk tolerance level.
The City of Kitchener is committed to identifying, assessing, and mitigating risks to ensure that corporate objectives are achieved. To this end, the Corporation will maintain a long-term, robust […] the "Risk Management Framework".
POLICY:
"Risk" - refers to the uncertainty that surrounds future events and outcomes. It is the expression of the likelihood and impact of an event with the potential to influence the achievement of the Corporation's objectives.
"Risk Management" - is a systematic approach to setting the best course of action by identifying, assessing and managing risk issues.
"Enterprise Risk Management" - is a continuous, proactive and systematic process to
understand, manage and communicate risk from an organization-wide perspective. It is about
making strategic decisions that limit risk and contribute to the achievement of the Corporation's
overall objectives.
"Risk Tolerance" - is defined as the level of risk the City is willing to accept in pursuit of its objectives.
This can be measured qualitatively, with categories such as major, moderate, or minor. The level of
risk acceptable is directly related to the nature and scope of the project or work.
City of Kitchener    1 of 3    4/3/2009
"Risk Register" - is a document listing all of the risks associated with a project or activity where
the impact and likelihood of the risk is assessed, resulting in a numerical risk rating. It also
includes actions and the names of individuals assigned to manage that specific risk.
Roles and Responsibilities:
Risk management is an integral part of management across the Corporation. It forms part of
strategic planning, business planning and project approval procedures. In addition, the policy
assists in decision-making processes that will allocate resources to areas of highest risk.
Identifying and managing risk is everyone's responsibility and is one component of good corporate
governance.
Risk management shall be considered in the early phases […] appropriate to the nature and scope of the project.
The Director or Manager undertaking the work or project will be responsible for developing a risk register for all projects requiring a business case (currently defined as greater than $50,000) or on-going work where risks have been identified. The Internal Auditor is available to assist in the creation of the risk register and provide guidance in assessing the mitigation of risks.
The Internal Auditor will monitor risk management activities across the Corporation and use the risk registers, where appropriate, for input in preparing a risk-based audit plan.
The City of Kitchener has adopted a risk rating matrix that quantifies the impact and likelihood criteria and assigns a numerical value to the resulting score. All risk registers should use this terminology to ensure consistency in understanding across the corporation.
· Service delivery - Risk of not meeting customer expectations
· Employees - Risk that employees, contractors or other people at the City will be negatively impacted by a policy, program, process or project including physical harm
· Public - Risk that the policy, program or action will have a negative impact on the citizens of Kitchener
· Physical Environment - Risk that natural capital will be damaged
· Reputation - Risk associated with anything that can damage the reputation of the City or undermine confidence in the City of Kitchener
· Financial - Risk related to decisions about assets, liabilities, income and expenses including asset management, capital and operational funding, economic development, theft or fraud
· Regulatory - Risk related to the consequences of non-compliance with laws, regulations, policies or other rules
Impact is quantified as:
Scale 4: Catastrophic
Scale 3: Major
Scale 2: Moderate
Scale 1: Minor
Likelihood is quantified as:
Scale 5: Almost Certain
Scale 4: Likely
Scale 3: Somewhat likely
Scale 2: Unlikely
Scale 1: Rare
When impact and likelihood are assessed, a risk rating is calculated by multiplying the impact scale times the likelihood scale.
The current City of Kitchener risk matrix assigns colours to the resulting score based on the City's risk tolerance as set out below.
[Risk matrix figure: Impact Scale against Likelihood Scale, with cells coloured red, yellow or green according to the City's risk tolerance]
Risk Tolerance:
The Corporation's risk tolerance […] management for resource allocation purposes as it aligns its people, […] to effectively respond to identified risks. The Corporation's risk tolerance […] over time, subject to economic, social or political […].
· As a general guideline any identified risk rated as a ten (10) or higher and in the red grid of the matrix must have a mitigation plan and the ongoing status will be monitored in the risk register.
· A risk rating falling within the yellow grid of the matrix will require an action but resolution may be deferred until more urgent risks have been dealt with.
· A risk rating falling within the green grid of the matrix should be noted but no action plan is required.
Related Documents: Enterprise Risk Management Framework