Section 2

2.1 Approach To Planning

The risk assessment exercise is based on the Treasury Board Secretariat Risk-based Internal Audit Priorities Toolset for Small Departments and Agencies dated March 2003. Using the Toolset, the Planning, Internal Audit & Evaluation Division (the Division) has identified sources of risk in the form of potential projects; conducted a risk assessment for each potential project based on a series of assessment criteria; and defined the internal audit priorities. These priorities are reflected in the three-year risk-based plan of the Division.

The following assessment criteria were used to identify priorities for audit and evaluation projects:

- Current Plan: Identifies whether the component/activity was included in the 2003-2004 Internal Audit and Evaluation Plan.
- Government Priorities and Initiatives: The component/activity is a requirement of, or of greater interest to, the federal government (i.e. TBS, OAG, Speech from the Throne, Budget).
- Interest to the Commission: The activity plays an important role in helping senior management to properly manage the affairs of the Commission and to fulfill the mandate of the Commission by delivering quality service to Canadians, Parliamentarians and other stakeholders.
- Cost: Extent of financial and human resources consumed by the component/activity in dollar terms (FTE; O&M).
- Reach: Number of people impacted by the component/activity, inside and outside the Commission.
- Results: Priority put by the government, senior management of the Commission and the Internal Audit and Evaluation function on the need to audit or evaluate a specific component/activity.
- Need: Priority put by managers (i.e. program managers) to audit or evaluate a component/activity on the basis that this component/activity could better meet their specific needs and increase corporate performance.
Within these assessment criteria, risk will be evaluated based on the significance of and potential or actual negative impact on the Commission of critical outstanding issues, in terms of staff morale, objective and results achievement, and/or criticisms or interests by TBS / OAG / Parliament.

2.2 Potential Sources of Risk

When identifying sources of risk, it is important to use a variety of views or perspectives, since risks can occur or materialize in many different ways. For purposes of this document, "sources of risk" relate to business lines, programs, initiatives, functions, processes, systems, activities, etc., but also include other types of dimensions, factors or perspectives where risks may potentially exist.

Five main categories of views or perspectives are proposed to help identify sources of risk.

Strategic Perspective
Sources that can impede the achievement of mandate and objectives
Sources of Risk:
- Policy and strategy
- Corporate reputation
- Political factors
- Public expectations
- Stakeholder relations
- Media relations
- Industry developments
- Changing demographics
- Globalization
- National security threats
- Business continuity
- Emergency preparedness

Business Line Perspective
Sources that can impede the achievement of business line or program objectives
Sources of Risk:
- Business line activities
- Program activities
- Program delivery
- Client services
- Service delivery
- Alliances, partnerships
- Etc.
*These sources of risk are unique to each organization.

Corporate Management Perspective
Sources that may not effectively support the achievement of results
Sources of Risk:
- Structure and reporting relationships
- Planning and priority setting
- Budgeting and resource allocation
- Expenditure management
- Revenue and cost recovery
- Transfer payments
- Procurement and contracting
- Financial management
- Performance management
- Project management
- Change management
- Inventory management
- Asset management
- Human resources
- Information and knowledge
- Information technology
- Communications

Compliance Perspective
Sources that could embarrass the organization or cause liabilities for not complying with legal and regulatory frameworks.
Sources of Risk:
- Funding and appropriations
- Statutory reporting
- Compliance to laws and regulations
- Compliance to central agency policies
- Agreements and contractual obligations
- Workplace health and safety
- Environment protection
- Security, privacy and confidentiality
- Legal liabilities and litigation

Government Agenda Perspective
Sources that are critical to ensure alignment with government-wide commitments.
Sources of Risk:
- Citizen focus
- Values and ethics
- Accountability
- Transparency
- Managing for results
- Responsible spending
- Client satisfaction
- Government on-line
- Improved reporting
- Modern comptrollership
2.3 Assessing the Likelihood of Occurrence
According to the document entitled TBS Integrated Risk Management Framework, "risk refers to the uncertainty that surrounds future events and outcomes. It is the expression of likelihood and impact of an event with the potential to influence the achievement of an organization’s objective."

Once all the risks have been documented, they are assessed as to their potential impact and likelihood, and a simple rating scale can be used for this purpose. The rating scale should range from minor to significant impact, and low to high likelihood, using a 3-point scale. Other, more sophisticated scales can be used if they are deemed to be more useful.

For purposes of the assessment, impact refers to the extent of the consequences or implications if the risk does occur. To assess impact, people need to ask themselves "How much of an impact will the risk have if it does occur?"

- A minor impact suggests that the risk would not have important implications on the organization.
- A moderate impact suggests that the risk could have implications for the organization’s ability to succeed.
- A significant impact suggests that the risk would have important implications on the organization.

For purposes of the assessment, likelihood refers to the probability that the risk may occur given the current context of the organization. To assess likelihood, people need to ask themselves "How likely is the risk to occur in the future, given what we currently do about it?"

- A low likelihood suggests that the risk is unlikely to occur, given its nature and current risk management practices in place.
- A medium likelihood of occurrence suggests that the risk has a moderate probability of occurrence.
- A high likelihood of occurrence suggests that the risk is likely to occur, despite current risk management practices in place.

Exhibit 1 shows the risk management actions that managers should consider for each possible impact and likelihood combination.

Exhibit 1: Risk Management Actions

| Impact | Low likelihood | Medium likelihood | High likelihood |
|---|---|---|---|
| Significant | Considerable Management Required | Must manage and monitor risks | Extensive management essential |
| Moderate | Risk may be worth accepting with monitoring | Management effort worthwhile | Management effort required |
| Minor | Accept risk | Accept, but monitor risks | Manage and monitor risks |