Canadian Human Rights Commission

Reports

Internal Audit and Evaluation Priorities Risk Assessment Exercise

Section 2


2.1 Approach To Planning

The risk assessment exercise is based on the Treasury Board Secretariat Risk-based Internal Audit Priorities Toolset for Small Departments and Agencies dated March 2003. Using the Toolset, the Planning, Internal Audit & Evaluation Division (the Division) has identified sources of risk in the form of potential projects, conducted a risk assessment for each potential project based on a series of assessment criteria, and defined the internal audit priorities. These priorities are reflected in the three-year risk-based plan of the Division.

The following assessment criteria were used to identify priorities for audit and evaluation projects:

  • Current Plan: Identifies whether the component/activity was included in the 2003-2004 Internal Audit and Evaluation Plan.
  • Government Priorities and Initiatives: The component/activity is a requirement or of greater interest to the federal government (i.e. TBS, OAG, Speech from the Throne, Budget).
  • Interest to the Commission: The activity plays an important role in helping senior management to properly manage the affairs of the Commission and to fulfill the mandate of the Commission by delivering quality service to Canadians, Parliamentarians and other stakeholders.
  • Cost: Extent of financial and human resources consumed by the component/activity in dollar terms (FTE; O&M).
  • Reach: Number of people impacted by the component/activity, inside and outside the Commission.
  • Results: Priority put by the government, senior management of the Commission and the Internal Audit and Evaluation function on the need to audit or evaluate a specific component/activity.
  • Need: Priority put by managers (i.e. program managers) to audit or evaluate a component/activity on the basis that this component/activity could better meet their specific needs and increase corporate performance.

Within these assessment criteria, risk will be evaluated based on the significance of and potential or actual negative impact on the Commission of critical outstanding issues, in terms of staff morale, objective and results achievement, and/or criticisms or interests by TBS / OAG / Parliament.

2.2 Potential Sources of Risk

When identifying sources of risk, it is important to use a variety of views or perspectives, since risks can occur or materialize in many different ways.

For purposes of this document, "sources of risk" relate to business lines, programs, initiatives, functions, processes, systems, activities, etc., but also include other types of dimensions, factors or perspectives where risks may potentially exist.

Five main categories of views or perspectives are proposed to help identify sources of risk.

Strategic Perspective

Sources that can impede the achievement of mandate and objectives

Sources of Risk

  • Policy and strategy
  • Corporate reputation
  • Political factors
  • Public expectations
  • Stakeholder relations
  • Media relations
  • Industry developments
  • Changing demographics
  • Globalization
  • National security threats
  • Business continuity
  • Emergency preparedness

Business Line Perspective

Sources that can impede the achievement of business line or program objectives

Sources of Risk

  • Business line activities
  • Program activities
  • Program delivery
  • Client services
  • Service delivery
  • Alliances, partnerships
  • Etc.

*These sources of risk are unique to each organization

Corporate Management Perspective

Sources that may not effectively support the achievement of results

Sources of Risk

  • Structure and reporting relationships
  • Planning and priority setting
  • Budgeting and resource allocation
  • Expenditure management
  • Revenue and cost recovery
  • Transfer payments
  • Procurement and contracting
  • Financial management
  • Performance management
  • Project management
  • Change management
  • Inventory management
  • Asset management
  • Human resources
  • Information and knowledge
  • Information technology
  • Communications

Compliance Perspective

Sources that could embarrass the organization or cause liabilities for not complying with legal and regulatory frameworks.

Sources of Risk

  • Funding and appropriations
  • Statutory reporting
  • Compliance to laws and regulations
  • Compliance to central agency policies
  • Agreements and contractual obligations
  • Workplace health and safety
  • Environment protection
  • Security, privacy and confidentiality
  • Legal liabilities and litigation

Government Agenda Perspective

Sources that are critical to ensure alignment with government-wide commitments.

Sources of Risk

  • Citizen focus
  • Values and ethics
  • Accountability
  • Transparency
  • Managing for results
  • Responsible spending
  • Client satisfaction
  • Government on-line
  • Improved reporting
  • Modern comptrollership


2.3 Assessing the Likelihood of Occurrence

According to the document entitled TBS Integrated Risk Management Framework, "risk refers to the uncertainty that surrounds future events and outcomes. It is the expression of likelihood and impact of an event with the potential to influence the achievement of an organization’s objective." Once all the risks have been documented, they are assessed as to their potential impact and likelihood, and a simple rating scale can be used for this purpose. The rating scale should range from minor to significant impact, and low to high likelihood, using a 3-point scale. Other, more sophisticated scales can be used if they are deemed to be more useful.

For purposes of the assessment, impact refers to the extent of the consequences or implications if the risk does occur. To assess impact, people need to ask themselves "How much of an impact will the risk have if it does occur?"

  • A minor impact suggests that the risk would not have important implications on the organization.
  • A moderate impact suggests that the risk could have implications for the organization’s ability to succeed.
  • A significant impact suggests that the risk would have important implications on the organization.

For purposes of the assessment, likelihood refers to the probability that the risk may occur given the current context of the organization. To assess likelihood, people need to ask themselves "How likely is the risk to occur in the future, given what we currently do about it?"

  • A low likelihood suggests that the risk is unlikely to occur, given its nature and current risk management practices in place.
  • A medium likelihood of occurrence suggests that the risk has a moderate probability of occurrence.
  • A high likelihood of occurrence suggests that the risk is likely to occur, despite current risk management practices in place.

Exhibit 1 shows the risk management actions that managers should consider for each possible impact and likelihood combination.

Exhibit 1: Risk Management Actions

| Impact \ Likelihood | Low | Medium | High |
|---|---|---|---|
| Significant | Considerable management required | Must manage and monitor risks | Extensive management essential |
| Moderate | Risk may be worth accepting with monitoring | Management effort worthwhile | Management effort required |
| Minor | Accept risk | Accept, but monitor risks | Manage and monitor risks |

 
