Audit of Integrated Risk Management

Conformance with Professional Standards

This audit conforms to the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing and the Government of Canada’s Policy on Internal Audit, as supported by the results of the Quality Assurance and Improvement Program.

Background

“Integrated risk management (IRM) is a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective.”
- Framework for the Management of Risk

The Treasury Board (TB) Framework for the Management of Risk provides guidance to Deputy Heads on the implementation of effective risk management practices to support strategic priority setting and resource allocation, informed decision-making, and improved results. The Framework outlines principles for effective risk management as well as Deputy Heads’ roles and responsibilities, including of note: “ensuring that risk management principles and practices are understood and integrated into the various activities of their organizations”.

IRM is a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective. It supports strategic decision-making that contributes to the achievement of an organization's overall objectives. It requires an ongoing assessment of risks at every level and in every sector of the organization, aggregating these results at the corporate level, communicating them and ensuring adequate monitoring and review.

Public Safety Canada’s (PS) IRM Framework, approved in 2019, aims to provide guidance to employees and management on the implementation of sound risk management practices at all levels of the Department in support of strategic priority setting and resource allocation, informed decision-making in line with the organization’s risk tolerance, and improved results. The Framework details key concepts of risk, the integration of risk management in departmental processes, and roles and responsibilities in relation to risk management.

IRM is led by the Strategic Planning Division (SPD) within the Portfolio Affairs and Communications Branch (PACB). The SPD is responsible for the development and maintenance of the Department’s IRM Framework and associated processes, including the Corporate Risk Profile (CRP). As the focal point of the Department’s IRM efforts, the CRP plays a major role in priority setting and decision making by providing timely risk information. A comprehensive and thorough review of the CRP is to be conducted every three years and reviewed annually to remain current, flexible and responsive.

Advisory Engagement of Enterprise Risk Management (2019)

In 2019, the Internal Audit and Evaluation Directorate (IAED) completed the Advisory Engagement of Enterprise Risk Management. The engagement found that the IRM Framework includes fundamental aspects to guide risk management activities across the Department and aligns with the Treasury Board Secretariat’s (TBS) guidance and industry best practices. However, the engagement identified areas for improvement with respect to:

In response to the findings and related recommendations issued, a series of actions were implemented to improve the robustness of IRM within the Department. This included updating the Framework to clarify roles and responsibilities and to provide instruction on establishing risk tolerance. Further, PS branches committed to ensuring risk information available within their area of responsibility was shared and integrated in corporate risk management processes.

Specifically, as part of its actions, the Corporate Management Branch (CMB) committed to develop and implement a fraud risk assessment process. This action is consistent with the key principle in risk management literature that notes “the organization considers the potential for fraud in assessing risks to the achievement of objectives.” (COSO Fraud Risk Management Guide)

Objective and Scope

Objective

The objective of this audit was to provide assurance that PS’s IRM Framework and related practices are designed and implemented to support informed decision-making.

Scope Inclusions

The scope of the audit examined the Department’s IRM Framework and related practices utilized during fiscal year 2022-23 to manage risk. Activities from prior years were examined for context and to obtain an understanding of the three-year CRP cycle between 2019-2022.

The audit focused primarily on PACB as the owner of the IRM Framework, as well as CMB from a fraud risk management perspective (see Footnote 1). Input was also gathered from Emergency Management and Programs Branch (EMPB), National and Cyber Security Branch (NCSB), and Crime Prevention Branch (CPB).

Scope Exclusions

The scope of the audit did not include an assessment of the appropriate alignment with the TB Framework for the Management of Risk and relevant guides, methodologies and tools, or an assessment of program, policy or project level risk management practices that may be occurring at the branch level.

Further, this audit was not intended as a follow-up to the Advisory Engagement of Enterprise Risk Management (2019) but did examine similar elements following the results of the risk assessment conducted during the audit’s planning phase.

Methodology and Approach

Methodology

For each criterion established (Annex A), an audit methodology was developed to sufficiently and appropriately examine the area in support of the audit objective. To complete the audit, the following methods were used:

Interviews

Interviews were conducted with representatives from PS branches who are involved in the coordination and/or input for the CRP exercise. Key interviews included representative(s) from:

Document Review

Literature and corporate documents were reviewed, including but not limited to:

Analysis

Records of decision from applicable PS governance committees for fiscal year 2022-23 were analyzed to determine the extent of integrated risk information shared with senior management for use in decision-making.

Observations

Observation #1: The IRM Framework lays the foundation for the governance structure supporting IRM practices; however, the structure was not appropriately and sufficiently leveraged during fiscal year 2022-23 for the communication of timely and relevant integrated risk information.

Defining the governance for IRM

The IRM Framework identifies three senior-level governance committees with risk management responsibilities: the Resource Management Committee (RMC), the Departmental Management Committee (DMC), and the Departmental Audit Committee (DAC).

According to its Terms of Reference, the RMC is mandated to provide departmental-wide oversight for risk management and the CRP. As part of its responsibilities defined in the IRM Framework, the RMC reviews and recommends the CRP to the DMC for approval. Finally, the DAC reviews and provides advice on the risk management arrangements established and maintained by the Department. Overall, we found the roles and responsibilities of the Committees in their respective terms of reference / charter documents and those in the IRM Framework are aligned.

No IRM updates to governance committees in 2022-23

While the governance structure supporting IRM practices is defined, we found it was not appropriately and sufficiently leveraged during fiscal year 2022-23. With fiscal year 2021-22 representing the final year of the three-year cycle (2019-2022) of the CRP, we expected to find a new CRP developed and presented to governance committees in 2022-23; however, resourcing challenges coupled with competing priorities in the SPD caused a delay in its development. In lieu of a new CRP, we expected governance committees would be informed of the status of the risks and related mitigation strategies identified in the previous year’s CRP update (2021-22), but this too did not occur. We found the last significant update on IRM activities provided to governance committees was in November 2021, when both the RMC and DMC were provided updates on the CRP. As a result, neither the RMC, the DMC, nor the DAC were presented with new IRM information during fiscal year 2022-23. Despite this, discussion of specific risks did occur occasionally at governance committees, for example in the context of updates on finance, grants and contributions, and security.

As of the conclusion of our audit, the new CRP was in development. A draft was presented to the RMC in July 2023 for feedback; a final version is subsequently expected to be tabled at the DMC for approval and at the DAC for information.

IRM information included in corporate documents

We found corporate documents such as the Departmental Plan (2022-23) and Departmental Results Report (2021-22) included integrated risk information originating from the CRP last updated in 2021-22. Further, the most recent Departmental Plan (2023-24) identified risks related to the Department’s core responsibilities. While these risks were not identified as the result of a formal integration exercise like the CRP, some of the risks related to the core responsibilities were applicable enterprise-wide, including risks related to resource availability and collaboration with partners. Ideally, the 2023-24 Departmental Plan would have been informed by the new CRP, had it been completed as scheduled in 2022-23.

Observation #2: Corporate risks are identified, assessed, responded to, monitored, and reported upon as part of the CRP exercise; however, there are opportunities for improvement to allow for a robust and responsive CRP.

Improving the risk management process for the development and update of the CRP

The IRM Framework establishes a five-step risk management process that is used in the development and ongoing maintenance of the CRP. To supplement the process, guidance materials are available to users including an environmental scan and a risk identification form that provides instructions and examples for identifying risks, drivers, existing controls, and related mitigation strategies tied to performance indicators and targets. Further, for the purpose of monitoring risks and mitigation strategies, a year-end review form is available for users to complete.

We found the steps in the risk management process were implemented at various points during the previous three-year CRP cycle (2019-2022) but their alignment and timing could be improved. Currently, there is no suggested schedule or frequency of these steps noted in the IRM Framework. At a high level, it is mentioned that the CRP is to be reviewed annually and comprehensively reviewed once every three years, but it is not clear what each review entails.

As the first step in the risk management process, environmental scanning helps capture key trends and issues, along with potential threats and opportunities. This information is collected and recorded in the PS Environmental Scan, which is intended to be an evergreen document updated annually, at minimum. During the CRP exercise, the Environmental Scan is to be provided to branches to inform the risk identification step of the risk management process, but it can also be used as input for other steps. As part of the launch of the new CRP cycle in January 2023, branches were provided with a previous copy of the Environmental Scan from 2021-22; this version of the Environmental Scan may therefore not have contained the most timely and relevant information for the purpose of the new CRP development, reducing its effectiveness. The SPD has advised it plans to complete a new Environmental Scan in 2023-24. The date is not yet known.

With regard to risk identification, we found the previous cycle of the CRP identified four risks through departmental consultations in 2018-19. Subsequent updates of the CRP during the previous cycle (2019-2022) did not include a mechanism for branches to identify possible new risks, which may explain why no new risks were identified over the course of the cycle. The CRP would benefit from a revised methodology to ensure new and emerging risks can be accounted for during each update.

With respect to the assessment, response and monitoring and evaluation of risks, we found these steps were performed on an annual basis, on average, during the previous CRP cycle. This is consistent with the expectation set out in the IRM Framework for annual updates to the CRP but inconsistent with semi-annual risk reporting processes also set out in the IRM Framework.

While we don’t expect a new CRP to be developed each year, regular updates to the CRP aligned with annual business planning and/or mid-year review cycles as suggested by TBS guidance would contribute to a robust and responsive CRP. These updates should incorporate each step in the risk management process.

Resourcing challenges

We confirmed limited resources exist within the SPD dedicated to the IRM function. Responsibilities are performed by a manager and a strategic planning advisor, dedicating approximately 20% and 50% of their time to the function, respectively. Overall, this equates to approximately 0.7 full-time equivalent resources dedicated to IRM. However, in fiscal year 2022-23, a vacancy reduced this capacity for a significant portion of the year, thus contributing to the delays observed with respect to the development of a new CRP and Environmental Scan.

Support from branches

To support the SPD in the development of the new CRP in 2023, risk leads at the manager or director level were identified and tasked with compiling relevant risk information on behalf of their branch and seeking appropriate approval. Thereafter, the information was sent to the SPD for consolidation and integration at an enterprise-wide level. While branches have not formally developed and maintained branch-level risk profiles and risk registers, the information compiled as part of the CRP can be leveraged for this purpose. Doing so would help facilitate a dynamic and ongoing CRP exercise, provided the analysis and information are kept current by risk leads within branches in collaboration with the leadership and expertise provided by the SPD.

As a good practice, the CPB has initiated work on a foresight exercise to identify challenges and opportunities with the aim of creating a branch strategic framework. As part of this exercise, a branch risk profile has been developed and is pending Assistant Deputy Minister (ADM)-level approval, while a branch risk register will be developed.

“Risk information that is branch/program-specific should be documented in a branch/program risk profile and risk registry.”
- Section 4.0, IRM Framework

Observation #3: Communication and outreach activities aimed at sharing risk management materials and practices with employees were observed but greater consistency and frequency are needed. Further, the integration of a communication strategy and related protocols into the IRM Framework are necessary.

Availability of risk management materials

We found risk management materials, including links to the IRM Framework and CRP, are available on the Department’s Risk Management intranet page. The page provides information on the risk management process, concepts, methodology and best practices, risk scales and heat maps, and potential sources of threats and opportunities. Communication of these materials was made department-wide via the Department’s InfoBulletin in January 2022. However, there were no similar communications made during the following fiscal year (2022-23).

In addition, an article promoting the Risk Management Community of Practice (RMCoP) was communicated on InfoBulletin in February 2022. The RMCoP was established by the SPD in 2022 to enhance IRM through shared information and resources; the development of knowledge and expertise; the exploration of solutions for risk management issues and challenges; and the development of IRM processes. The forum is open to all risk management practitioners within the Department at all levels, including management. Meetings took place between March 2022 and April 2022 but, due to resourcing challenges, the forum has been dormant since then.

Finally, during the launch of the new CRP cycle in January 2023, a presentation was made by the SPD to branches to inform them of the CRP process and their roles and responsibilities. During this presentation, the SPD offered one-on-one risk identification workshops to participants to provide clarification and guidance about the process. Only two small groups from CPB and NCSB, respectively, accepted the offer.

Lack of a communication strategy and protocols

On a broader scale, we found there was a lack of a communication strategy and protocols incorporated into the IRM Framework. This made it challenging to determine the breadth and reach of communication activities and processes aimed at disseminating integrated risk information across governance and organizational structures. Despite the existence of governance committees to review and approve the CRP, we found that during the SPD’s consultations with branches during the development of the new CRP in 2023, there was no forum for collaboration and sharing of risk information between branches. Rather, consultations were conducted individually, branch by branch, and the results were aggregated.

Communication of integrated risk information within and outside the context of the CRP exercise would benefit from the development of a communication strategy and protocols that include the full scope of products, methods, forums, and frequency of communication.

The re-establishment of the RMCoP can be leveraged in this strategy as a forum for ongoing, organization-wide reflection of risks including discussion of the CRP prior to the tabling at departmental governance committees.

Observation #4: No department-wide fraud risk management framework exists; however, some practices are in place to support the establishment of a framework.

Absence of a fraud risk management framework

We found there is no integrated department-wide fraud risk management framework in place at PS. While the IRM Framework includes a section on the sources, triggers, and resulting risks related to ethical misconduct, there is an absence of discussion on fraud risk. As a best practice, establishing a fraud risk management framework would help elevate the overall maturity of IRM at PS.

A fundamental element included in a fraud risk management framework is a department-wide fraud risk assessment. As part of the PS Advisory Engagement of Enterprise Risk Management (2019), CMB advised that it would be developing a fraud risk assessment process for the Department. However, upon review we did not find evidence that this had been completed as planned.

Other fundamental elements which are currently not in place at PS but would help delineate a fraud risk management framework include but are not limited to: a policy instrument, a department-wide inventory of preventative and detective control activities, and a dedicated process for reporting and investigating allegations of fraud.

“The combination of effective fraud risk governance, a thorough fraud risk assessment, and strong fraud prevention and detection measures, along with coordinated and timely investigations and corrective actions, can significantly mitigate fraud risks.”
- Guide on Managing Fraud Risks at the Office of the Auditor

Practices supporting fraud risk management

Despite the absence of a framework, we found there are some practices currently in place that form components of a framework and should be taken into consideration during the conduct of a fraud risk assessment. For example:

Conclusions

In conclusion, the design and implementation of the IRM Framework and related practices would benefit from refinements to better support informed decision-making. These refinements include discussion and communication of department-wide risks, and processes to develop a more dynamic and responsive CRP.

Communication of integrated risk information to departmental governance committees was not observed during fiscal year 2022-23. While the absence of an updated CRP may have precluded a fulsome discussion of IRM at governance committees during this period, we still expected to find formal discussions of department-wide risks and mitigation strategies taking place. We did not, however, find evidence that such discussions occurred consistently or rigorously at either the RMC or the DMC. While we cannot overlook the possibility that these discussions occurred elsewhere within the organization or in the context of other integrated risk exercises apart from the CRP, we did not observe evidence to that effect. Moving forward, the incorporation of a communication strategy and related protocols in the IRM Framework, as well as the re-establishment of the RMCoP, can increase the likelihood of formal and regular discussions taking place.

While tools, processes, and guidance materials are available to support IRM, the alignment and timing of the steps that form the risk management process for the CRP can be improved. Currently, there is no suggested schedule or frequency of these steps noted in the IRM Framework. At a high level, it is mentioned that the CRP is to be reviewed annually and comprehensively reviewed once every three years, but it is not clear what each review entails. Based on our observations, the risk identification step of the risk management process is performed only once during a three-year cycle of the CRP, while other steps occur more often. Additionally, at a branch level, risk profiles and risk registers have not been established for the most part, thus their future development could aid the SPD in facilitating a more dynamic and responsive CRP.

Finally, outside the confines of these observations, and as a best practice, there is an opportunity to enhance the overall maturity of IRM in the Department through the development and implementation of a fraud risk management framework.

Recommendations

Recognizing current resource constraints, the following recommendations (and consideration) are proposed to improve the design and implementation of the IRM Framework in support of informed decision-making. While recommendations are subject to the IAED’s management action plan follow-up process, considerations are not included as implementation remains at management’s discretion.

Recommendation 1: The Chief Risk Officer (Assistant Deputy Minister, Portfolio Affairs and Communication Branch) should incorporate a communication strategy and related protocols into the IRM Framework for the exchange of timely and relevant integrated risk information across governance and organizational structures. The strategy should consider the appropriate products, methods, forums and frequency of communications, both within and outside the context of the CRP. The re-establishment of the RMCoP should be given consideration.

Recommendation 2: The Chief Risk Officer (Assistant Deputy Minister, Portfolio Affairs and Communication Branch) should ensure the full lifecycle of CRP activities linked to the Department’s risk management process (i.e., scanning, identification, assessment, response, monitoring and evaluation) are implemented on an annual basis (see Footnote 2), at minimum. A corresponding implementation schedule should be documented in the IRM Framework and communicated to key stakeholders, accordingly.

Recommendation 3: The Assistant Deputy Minister, Corporate Management Branch, in collaboration with the Chief Risk Officer, should develop and implement a fraud risk management framework.

Consideration: As the risk management function matures at PS and as a best practice, ADMs from each branch, with guidance and direction provided by the Chief Risk Officer, should consider developing and maintaining branch-specific risk profiles and risk registers in support of a responsive CRP exercise.

Management Action Plan

Recommendation 1: The Chief Risk Officer (ADM, PACB) should incorporate a communication strategy and related protocols into the IRM Framework for the exchange of timely and relevant integrated risk information across governance and organizational structures. The strategy should consider the appropriate products, methods, forums and frequency of communications, both within and outside the context of the CRP. The re-establishment of the RMCoP should be given consideration.

Actions planned (planned completion date):
Create a standing agenda item on the RMC to discuss corporate risks and to present the annual update to the CRP. Present to DMC post-RMC as needed. (December 2023)
Update IRM Framework to include an integrated risk information communication strategy. (March 2024)
Re-engage the RMCoP to meet quarterly or as needed to discuss, identify and address inter-branch risks. (March 2024)

Recommendation 2: The Chief Risk Officer should ensure the full lifecycle of CRP activities linked to the Department’s risk management process (i.e., scanning, identification, assessment, response, monitoring and evaluation) are implemented on an annual basis, at minimum. A corresponding implementation schedule should be documented in the IRM Framework and communicated to key stakeholders, accordingly.

Actions planned (planned completion date):
Create a standing agenda item on the RMC to discuss corporate risks and to present the annual update to the CRP. Present to DMC post-RMC as needed. (March 2024)
Update IRM Framework to include an integrated risk information communication strategy. (March 2024)
Re-engage the RMCoP to meet quarterly or as needed to discuss, identify and address inter-branch risks. (September 2024)

Recommendation 3: The ADM, CMB, in collaboration with the Chief Risk Officer, should develop and implement a fraud risk management framework.

Actions planned (planned completion date):
Consult with Central Agencies (TBS) and collect available documentation on fraud risk management. (October 2023)
Develop a Fraud Risk Management Framework. (February 2024)
Obtain approval of the Fraud Risk Management Framework from Senior Management and from DAC. (March 2024)
Initiate the implementation of the Fraud Risk Management Framework. (April 2024)
Monitor and report on fraud risk management results. (March 2025)

Annex A

Audit Criteria

Criterion 1: Governance and Strategic Direction
The Department’s IRM Framework is supported by an effective governance mechanism.
Criterion 2: Risk Identification, Risk Assessment, and Risk Evaluation and Response
The Department identifies, assesses, prioritizes, responds, monitors and reports upon risks.
Criterion 3: Monitor and Review
The Department monitors risk trends and risk response strategies.
Criterion 4: Communication and Use for Decision-Making
The Department builds risk management into existing governance and organizational structures through communication to facilitate decision-making.
Criterion 5: Fraud Risk Management
The Department has a functioning fraud risk management framework in place to support the broader IRM Framework.

Footnotes

1. In accordance with the Institute of Internal Auditors Performance Standard 2120.A2, the internal audit activity must evaluate how the organization manages fraud risk.

2. Based on TBS Guide to Integrated Risk Management, section 6.2.