Audit of the Corporate Risk Management Framework
Project # 08/09 01-04
the Audit and Evaluation Directorate
1.1 Audit objective
The objective of the audit is to evaluate to what extent management had set up a corporate risk management framework that provided for operational risk to be taken into account.
1.2 Audit opinion
In our opinion, the Corporate Risk Management Framework has moderate issues requiring management focus.
1.3 Statement of assurance
In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time of the audit, against pre-established audit criteria, and is only applicable to the particular entity examined. The evidence was gathered in compliance with Treasury Board policy, directives and standards for internal audit. The evidence has been gathered to be sufficient to provide senior management with the proof of the opinion derived from the internal audit.
1.4 Summary of recommendations
The Safety and Program Assurance Directorate is responsible for directing and coordinating the risk management function at the Canadian Space Agency (CSA). To do so properly, it relies on the co-operation of personnel in all sectors and at all management levels.
In general, our audit has shown that CSA's Corporate Risk Management Framework is in accordance with the Integrated Risk Management Framework (IRMF) of Treasury Board Secretariat (TBS).
Moreover, following our examination of CSA's Corporate Risk Management Framework, we recommend
- that the corporate policy and associated procedures be finalized, approved and disseminated;
- that the necessary particulars be added to clearly distinguish the Corporate IRMF from the Project Management Framework, which contains a risk management component;
- that the information pertaining to the Corporate IRMF be presented in its own intranet section;
- that the role of risk management champion be assumed by a senior manager who has a corporate vision; and
- that the responsibility for the risk management function be exercised by the incumbent of the Director, Planning and Performance position.
Signature of the Chief Audit Executive
Original signed by Dominique Breden
Audit team member
2.0 Audit Report
In addition to control and governance processes, risk management constitutes the other component of CSA's management framework.
Project management has always been at the heart of CSA's activities. In December 1999 the Treasury Board approved a risk management framework, as proposed by CSA, to ensure, in particular, that project-related risks were financed within approved reference levels. Since 1999, the Project Risk Management Framework has been an integral part of the Project Approval and Management Framework (PAMF).
Even though project management lies at the heart of CSA activities, we noted, following an analysis of the 2009-2010 Annual Reference Level Update, that CSA devotes only about 33% of its budget envelope of approximately $300 million to project activities, and 67% to its other program activities and corporate services.
In 2001, with the publication of the IRMF, the TBS provided managers throughout the federal government with a systematic approach, applicable to the whole organization, that would inculcate concepts and practices conducive to the establishment of a risk-conscious environment. That approach is based on the development of a corporate risk profile, the creation of an integrated risk management function, the practice of integrated risk management and continuous learning.
CSA began implementation of a corporate IRMF in May 2005 so as to introduce an integrated risk management approach in all of its operations.
An overview of the corporate risk management process
Responsibility for the Agency's risk management function, commonly called "corporate risks", lies with the Director, Safety and Program Assurance, who is also responsible for PAMF administration.
The table below gives an overview of the Agency's IRMF and the PAMF risk management process.
| Risk Management Principle | Agency's IRMF (Corporate Risks) | PAMF / Risk Management |
|---|---|---|
| Monitoring and control | | |
2.2 Audit objective, scope and approach
The objective of the audit was to evaluate to what extent management had set up a corporate risk management framework that provided for operational risk to be taken into account.
The current audit project focused specifically on CSA's corporate risk management framework. Moreover, as indicated in the Internal Audit Plan of the Audit and Evaluation Directorate, risk profile development will be reviewed in the course of a government-wide audit project conducted by the Office of the Comptroller General.
Various audit procedures were employed, including staff interviews and the review and analysis of documents and records. In developing audit criteria, we relied on the Treasury Board Secretariat's Integrated Risk Management Framework (IRMF) and Integrated Risk Management Implementation Guide.
2.3 Findings, recommendations and management responses
2.3.1 Corporate risk management framework
The Safety and Program Assurance Directorate is responsible for coordinating risk management at the Agency, in compliance with the Treasury Board's IRMF. Hence, we expected to find a governance framework in place including the following main elements:
- an approved corporate policy and procedures;
- defined roles and responsibilities;
- a defined, common risk management terminology; and
- an established risk management process.
In general, management has set up a corporate risk management framework well suited to all CSA operations. However, we want to point out certain findings that require management attention.
Corporate policy and procedures
CSA should have
- an approved corporate policy and procedures for integrated risk management;
- a corporate policy and procedures embodying clear terminology; and
- a good communication strategy, to ensure that management expectations are properly understood.
We found that many reference and working documents were made available to staff to help them perform their risk management duties. However, no approved corporate policy and procedures yet exist, although there are draft versions, dated February and April 2008 respectively.
It is important for these instruments to be finalized, setting out principles, requirements and the scope of implementation, among other things, so that management expectations with regard to risk management may be formally communicated to all levels of management, in all sectors.
1) The person responsible for the risk management function should finalize the corporate policy and associated procedures and have them approved and disseminated.
The Director, Safety and Program Assurance agrees with the recommendation.
To ensure successful corporate IRMF implementation, management should develop instructions and tools and ensure that all CSA staff are aware of them. The Intranet is an ideal (and common) medium for such staff information.
Even though risk management is a corporate management function, we have found, on the one hand, that the corporate IRMF reference documents appearing on the Intranet are part of the PAMF documentation system and, on the other hand, that on reading them the information is excessively project-oriented.
It is vital to make it clear that CSA has a corporate risk management framework and that this framework is a corporate management function that applies to all levels of management, in all sectors, for all operations. It is true that project management is at the heart of CSA's activities, but it is important to put things in perspective and avoid misunderstandings by clearly distinguishing the Corporate Risk Management Framework from the Project Management Framework, which contains a risk management component.
It is essential to make that distinction clearly, and a good way to begin would be to withdraw the corporate IRMF documentation from the PAMF documentation system, and instead to present and distribute it in a separate Intranet section.
The person responsible for the risk management function should
2) see that the necessary particulars are added to clearly distinguish the Corporate IRMF from the Project Management Framework, which contains a risk management component; and
3) present the information pertaining to the Corporate IRMF in its own Intranet section.
The Director, Safety and Program Assurance agrees with the recommendations.
Risk management champion
We expected to find a risk management champion appointed by the President. The champion's role should be assigned to a senior manager, since that person must supply the necessary leadership to obtain the unanimous support of management and staff. As part of the implementation of a corporate IRMF, the chosen champion must demonstrate how integrated risk management will help management to achieve the organization's objectives. He or she must promote a risk management approach and culture that will extend to all operations, and must maintain constant communications with all sectors and levels of management since the success of integrated risk management depends on the combined efforts of all staff. In addition, the champion is responsible for monitoring the implementation of integrated risk management.
The role of integrated risk management champion has been assigned to the incumbent of the Senior Vice-President position — which, however, has been vacant since November 2008. For the time being, the champion's role is being played by the Director, Safety and Program Assurance.
4) The President should ensure that the role of risk management champion is assumed by a senior manager (XC member) who has a corporate vision.
The function of corporate risk supervision will be performed by its champion, the Chief Financial Officer. This follows from his or her existing role as PAMF champion (which includes project-level supervision) and the fact that the two functions are highly integrated.
Responsibility for the risk management function
Responsibility for directing and coordinating integrated risk management has always been discharged by the Director, Planning and Performance. In August 2007, that responsibility was transferred to the Director, Safety and Program Assurance.
It is, however, more appropriate for risk management to be an integral part of the corporate planning function, since the goal sought is the integration of risk management into CSA's planning and priority-setting process.
Moreover, placing the responsibility for risk management with the office of the Director, Planning and Performance emphasizes that risk management applies to all CSA operations. Since the Director, Safety and Program Assurance is responsible for PAMF administration, one might suppose that risk management applies only to project management.
5) The President should ensure that responsibility for the risk management function is exercised by the incumbent of the Director, Planning and Performance position.
The recommendation for corporate risk management to be once again the responsibility of the Planning and Performance Directorate is accepted in principle, but this will be confirmed later in the year. In making the transfer, we need to be aware of links to other functions, such as PAMF management and the GIP project (investment planning and project management policies), and of the impact of the resources required for all these functions.
2.3.2 Corporate framework - Basic principles of integrated risk management
Risk management should include a set of management practices whereby risks may be identified, assessed, communicated and managed. Risk management should improve decision-making, bolster the governance structure and enhance the ability to meet CSA objectives. We expected to find the basic principles of integrated risk management, including the following:
- Risk identification;
- Risk assessment;
- Reaction to risk; and
- Continuous risk monitoring.
Our findings revealed that management has indeed implemented the principles of integrated risk management in accordance with what is proposed in the TBS's IRMF.
2.3.3 Corporate risk management framework fully applied
We expected to find that integrated risk management would be fully applied to all CSA operations.
Before the implementation of the corporate IRMF, CSA had a risk management framework essentially focused on project activities. Since 2005, that is, since implementation of the corporate IRMF began, CSA has had a risk management framework that integrates into decision-making processes the risks that may hinder achievement of organizational objectives. The effect of the corporate IRMF is that all levels of management, throughout the organization, are required to assess the risks that may affect their operational activities.
Our findings revealed that management is applying integrated risk management to all of its operations.
Appendix 1 - Management Action Plan
| Ref | Recommendations | Responsibility Identified: Organization | Responsibility Identified: Function | Details of Action Plan | Timetable |
|---|---|---|---|---|---|
| 2.3.1 | Corporate Risk Management Framework | | | | |
| 1) | The person responsible for the risk management function should finalize the corporate policy and associated procedures and have them approved and disseminated. | Safety and Program Assurance | Director | This recommendation is accepted. | |
| 2) | The person responsible for the risk management function should see that the necessary particulars are added to clearly distinguish the Corporate IRMF from the Project Management Framework, which contains a risk management component. | Safety and Program Assurance | Director | This recommendation is accepted. Corporate Risk Management and Project Risk Management will be documented in such a way as to show the differences and interactions between the two. These documents will be referred to the XC for approval and officially posted on the intranet site. | |
| 3) | The person responsible for the risk management function should present the information pertaining to the Corporate IRMF in its own Intranet section. | Safety and Program Assurance | Director | This recommendation is accepted. A dedicated quick-access site (from the home intranet page) will be created after approval of the terms of reference and conditions governing RMCs and will be finalized after approval of the corporate policy. | |
| 4) | The President should ensure that the role of risk management champion is assumed by a senior manager (XC member) who has a corporate vision. | CSA | President | The role of integrated risk management champion will be played by the Chief Financial Officer from October 2009. | October 2009 |
| 5) | The President should ensure that responsibility for the risk management function is exercised by the incumbent of the Director, Planning and Performance position. | CSA | President | | |