4.5.1 Risk Management Approach
In today's environment, the need for effective risk management, to promote good governance and demonstrate accountability, is critical. There is an expectation that AANDC regional offices understand their key risks and have appropriate mitigation plans in place. Having a documented approach to risk management enables management to better identify, articulate and understand the potential risks to the achievement of the organization's objectives and to determine the exposure to these risks given controls and/or mitigation activities. In this area, the audit focused on risk management at the regional level; other risk management activities conducted in the Region (e.g. recipient risk assessments, intervention and financial monitoring) were not included in the scope of this audit.
The Saskatchewan Region does not have a regional risk profile, and has yet to establish a formal process to: identify and document risks; develop risk mitigating plans and assign responsibility; monitor and report on mitigation strategies; and adjust course, as necessary. The audit did find evidence of increased risk management activities in the Region's planning and decision-making processes.
From a planning perspective, the Region has identified a number of "key" internal and external risks in its draft 2012-13 Business Plan, which align to the departmental risks outlined in the most recent AANDC Corporate Risk Profile. This is an improvement from the 2011-12 Business Plan, which did not identify regional risks; only planning commitments were risk-assessed and linked to departmental risks. Each key risk identified in the draft 2012-13 Business Plan is accompanied by corresponding mitigating actions but no mention is made of the monitoring or reporting requirements for each risk. In addition, the assignment of responsibility for each key risk was not evident.
A review of a sample of three directorate work plans from the 2011-12 fiscal year indicated that two plans had identified key risks to the achievement of objectives, of which, one – the directorate work plan that followed the Saskatchewan Region's template – included an outline of planned mitigation strategies. The identification of risks and mitigation strategies was not incorporated in the one directorate work plan included in our sample reviewed from the 2010-11 fiscal year.
From a decision-making perspective, the audit team was provided with examples of decision notes used by the HRMC and the ROC to outline the risks of a particular decision item (e.g. the risks of not conducting a staffing action). While these decision note templates represent a positive practice, the audit team did not find evidence to demonstrate the monitoring of identified risks, particularly when decision items were rejected.
Monitoring of regional risks is conducted through the Department's quarterly reporting process and through discussions at various regional governing bodies. Through a review of the Saskatchewan Region's 2010-11 and 2011-12 Quarterly Reports, it was noted that:
- Regional risks contained in the Saskatchewan Region's Business Plans were identified in the Region's 2011-12 Quarterly Reports but not in those from 2010-11;
- Not all risks identified in the first three quarters of 2011-12 were referenced in the final quarterly report for 2011-12; and,
- Risks identified in the 2011-12 quarterly reports did not carry forward into the Region's draft 2012-13 Business Plan.
A sample of meeting minutes from the FMC, the HRMC, the ROC, and the RMC revealed that while risks were actively discussed, a formal process had not been established to document, communicate and monitor these risks.
Developing a Regional Risk Profile is an important governance and management oversight practice. A Regional Risk Profile should be based on a documented approach, using standardized templates and rating criteria, and be supported by a formal risk assessment, the development of mitigating action plans and a robust monitoring process. The results of the periodic risk assessments can be used by management to inform ongoing budget and resource allocation decisions by focusing resources and attention on areas of higher risk.
The Regional Director General of the Saskatchewan Region should ensure the Region develops a formal and documented approach to risk management, including an ongoing process and governance structure for identifying, assessing, monitoring and assigning responsibility for risk mitigating actions. In the development of a regional approach to risk management, the Saskatchewan Region should leverage AANDC corporate risk management expertise where relevant and practical to help ensure a consistent approach to risk management is adopted.