Risk Management

January 2010

Table of Contents

Executive Summary

Detailed Report

Appendices


Executive Summary

Introduction

The Internal Audit of Risk Management is part of the Risk-Based Annual Internal Audit Plan 2009-10 approved by the Canadian Institutes of Health Research (CIHR) Governing Council (GC).

The Canadian Institutes of Health Research (CIHR)
The CIHR Act that came into force on June 7, 2000, established a corporation known as the Canadian Institutes of Health Research (CIHR). CIHR is a Departmental Corporation listed in Schedule II of the Financial Administration Act (FAA). An arm's-length agency of government, it is accountable to Parliament through the Minister of Health. CIHR has one business line: to achieve excellence in the creation of new knowledge through research and its translation into improved health for Canadians, more effective health services and products, and a strengthened health-care system. CIHR supports more than 13,000 researchers and trainees and 13 "virtual" Institutes, each headed by a Scientific Director who is assisted by an Institute Advisory Board (IAB). CIHR's Institutes are networks of researchers brought together to focus on important health problems. Each Institute is dedicated to a specific health-related area and links and supports researchers pursuing common goals.

Risk Addressed by the Audit

As noted in the Treasury Board's (TB) Risk Management Policy, in the broadest sense, effective risk management ensures the continuity of government operations and the maintenance of services to, and protection of the interests of, the Canadian public. Per the TB Integrated Risk Management Framework, "Risk refers to the uncertainty that surrounds future events and outcomes. It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization's objectives…Risk management is a systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, acting on and communicating risk issues [and]…Integrated risk management is a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective. It is about making strategic decisions that contribute to the achievement of an organization's overall corporate objectives."

The audit addresses the risk that CIHR has not taken sufficient action to mitigate threats to the achievement of its mandate. This risk is related to the Risk Management element of the Treasury Board Secretariat's (TBS) Management Accountability Framework (MAF): "The executive team clearly defines the corporate context and practices for managing organizational and strategic risks proactively." The CIHR Chief Financial Officer (CFO) is the Chief Risk Officer (CRO).

Objective

The audit's objective is to assess the adequacy of CIHR's corporate risk management framework.

Scope

The audit covers the formal corporate risk management practices that have been established to assist decision-making and ensure the achievement of goals and objectives. The scope includes Risk Management Policy and Procedures, Risk Identification, Risk Assessment, Control Assessment, and Risk Mitigation. It excludes for the most part processes and activities related to Governance and Oversight, and Continuous Improvement, which will become applicable once the draft CIHR Risk Management Framework has been approved.

Overall Audit Opinion

The audit has concluded that the risk management framework at CIHR has moderate issues: there are control weaknesses, but overall risk exposure is limited because either the likelihood or the impact of the risk is not high, and because management has recognized the weaknesses and has initiated its mitigating actions.

Statement of Assurance

The audit of the risk management framework was conducted in accordance with the Federal Government Policy on Internal Audit and related professional standards. In my professional judgement as Chief Audit Executive, sufficient and appropriate audit procedures have been performed and evidence gathered to support the accuracy of the opinion provided in this report. The audit opinion is based on a comparison of conditions that existed at the time of the audit against established audit criteria that were agreed upon with management.

Summary of Internal Control Strengths

CIHR has implemented the following key elements of risk management:

Summary of Internal Control Weaknesses

The following aspects of risk management require management's attention:

Internal Audit thanks management and staff for their excellent cooperation during this audit.

Dev Loyola-Nazareth, Chief Audit Executive
Steven Nimmo, Manager, Internal Audit
Michael Bazant, Internal Auditor
Canadian Institutes of Health Research

Detailed Report

Methodology and Criteria

The assessment of risk management at CIHR was performed through consultations with management and staff; review of documentation; and analysis of controls against audit criteria. Controls were deemed adequate if they were sufficient to minimize the risks that threatened the achievement of objectives.

The audit criteria are derived from the TBS Core Management Control: A Guide for Internal Auditors, which is aligned with the MAF and has been developed for use by Chief Audit Executives in planning and providing holistic assurance in relation to risk management, control, and governance processes.

Detailed criteria and conclusions are contained in Appendix A to this report.

The audit was conducted between August and October 2009.

Observations, Recommendations, and Management Action Plan

The following are audit observations, recommendations, and management action plan to address weaknesses in the risk management framework at CIHR.

The observations are numbered below. Each observation is followed by the related recommendation and by the management action plan (responsibility, action, and timelines).
1. The CIHR risk identification process considered internal and external sources of risk, as documented in the draft Risk Management Framework and the Corporate Risk Profile. The Framework and Profile need to be updated to consider additional risks associated with the new CIHR Strategic Plan 2009/10-2013/14 – the Health Research Roadmap – and the related reorganization within CIHR.

The CIHR Risk Management Framework and the Corporate Risk Profile were developed in 2008-09, and discussed at Executive Management Committee (EMC) and the Standing Committee on Performance Measurement, Evaluation and Audit. In October 2009, CIHR issued an updated Framework and Profile to reflect the recent reorganization and to identify Risk Champions and Risk Owners. EMC approved the Corporate Risk Profile on October 13, 2009. Management is submitting the Risk Management Framework to Audit Committee on October 22 for its recommendation for Governing Council approval.

The 22 top risks identified during the development of the CIHR Risk Management Framework include: management accountability, governance structure, stakeholder relations, values and ethics, knowledge translation, results management, allocation of funds, program alignment with needs, program design, standard operating procedures, peer reviewers, partner engagement, partner monitoring, appropriate staff, staff retention, succession planning, knowledge management, budget pressures, funds to support operations, information for decision-making, IT infrastructure, and business continuity. These 22 risks have been consolidated into 16 Key Risks in the CIHR Corporate Risk Profile, according to their interdependencies and interrelationships.

Governing Council approved CIHR's new Strategic Plan for 2009/10-2013/14, titled the "Health Research Roadmap," on August 21, 2009. Per the Plan, CIHR will pursue the following strategic directions, along with related objectives, over the next five years:

  1. Invest in world-class research excellence
    • Training, retaining and sustaining a healthy research foundation
    • Selecting and sustaining research excellence
    • Promoting interdisciplinary and international innovation
  2. Address health and health system priorities
    • Setting research priorities
  3. Accelerate the capture of health and economic benefits of health research
    • Reaping socio-economic benefits from research through KT and partnerships
    • Enhancing the application of research and its evaluation
  4. Achieve organizational excellence, foster ethics and demonstrate impact
    • Advancing organizational excellence and ensuring transparency and accountability
    • Fostering a culture of ethics
    • Assessing progress and impact

For the new Strategy to be successful, the risks that threaten its achievement need to be identified, assessed, mitigated, and monitored. These risks relate to assumptions made in the Strategy, for example, about the availability of appropriate financial and human resources, the accessibility of the technology that is required, the viability of the five-year schedule for completing all the activities needed to achieve the strategic objectives, and the cooperation and collaboration of external partners and stakeholders.

Since September 2009, CIHR has undertaken a reorganization of its portfolios and branches in order to implement the Strategy. This reorganization is itself a risk mitigation measure; however, it too carries inherent resource, schedule, and technical risks that need to be identified, assessed, mitigated, and monitored.

It is recommended that the Chief Financial Officer (CFO), as the Chief Risk Officer (CRO), update the Corporate Risk Profile to reflect the assessment of risks related to the achievement of the new Strategic Plan, including the recent reorganization at CIHR that is intended to help achieve the Plan.

Responsibility: CFO

Action: Update CIHR's Corporate Risk Profile to reflect the assessment of risks related to the achievement of the new Strategic Plan, including the recent reorganization at CIHR that is intended to help achieve the Plan.

Timelines: The Health Research Roadmap's (CIHR's new Strategic Plan) Implementation Strategy and Plan are still under development. It is anticipated that these items will be in place in time for the Risk Refresh in the First Quarter of 2010-11. The Risk Profile was updated in October of 2009 to reflect CIHR's reorganization.

2. The 16 Key Risks in the Corporate Risk Profile need to be analyzed for their potential effect on the new Strategic Plan and related CIHR reorganization.

The Corporate Risk Profile contains the following 16 Key Risks, for each of which it specifies the level of risk (high, medium, low), the Risk Champion, the Risk Owner, the Impact, and the Mitigation:

  • Human Resource Management;
  • Knowledge Translation;
  • Governance and Accountability;
  • Results Management;
  • Peer Reviewer Recruitment;
  • Sustainability of Funding Model;
  • Stakeholder Relations;
  • Program Design;
  • Alignment of Program to Needs of Health Research Priorities;
  • Values and Ethics;
  • Information Management;
  • Budgeting Process;
  • Standard Operating Procedures;
  • Infrastructure for Future Needs;
  • Management of Partnerships; and
  • Business Continuity.

These 16 Key Risks may have a significant impact on the achievement of the new Strategic Plan and the implementation of the reorganization. Consequently, their existing assessments and mitigations may have to be updated.

It is recommended that the CFO reassess the Key Risks identified in the Corporate Risk Profile for their impact on the achievement of the new Strategic Plan and the implementation of the CIHR reorganization.

Responsibility: CFO

Action: Update CIHR's Corporate Risk Profile as required.

Timelines: Risk Refresh Cycle: First Quarter of 2010-11

3. The draft Risk Management Policy, contained in the CIHR Risk Management Framework, states the objectives; assigns accountabilities, authorities, and responsibilities for risk management; and requires an annual update and reporting by the Chief Risk Officer (CRO); but it does not explicitly address the setting of risk tolerance levels (i.e., the limits of acceptable risk-taking).

The TB Integrated Risk Management Framework contains the following guidance on Risk Tolerance:

Risk Tolerance

An awareness and understanding of the current risk tolerances of various stakeholders is a key ingredient in establishing the corporate risk profile. The environmental scan will identify stakeholders affected by an organization's decisions and actions, and their degree of comfort with various levels of risk. Understanding the current state of risk tolerance of citizens, parliamentarians, interest groups, suppliers, as well as other government departments will assist in developing a risk profile and making decisions on what risks must be managed, how, and to what extent. It will also help identify the challenges associated with risk consultations and communication.

In the Public Service, citizens' needs and expectations are paramount. For example, most citizens would likely have a low risk tolerance for public health and safety issues (injuries, fatalities), or the loss of Canada's international reputation. Other risk tolerances for issues such as project delays and slower service delivery may be less obvious and may require more consultation.

In general, there is lower risk tolerance for the unknown, where impacts are new, unobservable or delayed. There are higher risk tolerances where people feel more in control (for example, there is usually a higher risk tolerance for automobile travel than for air travel).

Risk tolerance can be determined through consultation with affected parties, or by assessing stakeholders' response or reaction to varying levels of risk exposure. Risk tolerances may change over time as new information and outcomes become available, as societal expectations evolve and as a result of stakeholder engagement on trade-offs. Before developing management strategies, a common approach to the assessment of risk tolerance needs to be understood organization-wide.

Determining and communicating an organization's own risk tolerance is also an essential part of managing risk. This process identifies areas where minimal levels of risk are permissible, as well as those that should be managed to higher, yet reasonable levels of risk.

The CIHR Risk Management Framework document, as well as the intranet instruction and guidance on risk management, advocates that high risk areas be actively managed, medium risk areas be periodically monitored, and low risk areas be managed routinely as being of "no major concern." The Corporate Risk Profile identifies CIHR's 16 Key Risks, their risk ratings (high, medium, or low), the responsible managers, the impacts of the risks, and the mitigations. However, risk tolerances, and the corresponding formal responses to each risk (e.g., avoid, mitigate, or accept), still need to be formally established through consultation with all key stakeholders, including the CIHR Audit Committee and Governing Council. The established risk tolerance levels will inform the risk mitigation strategies:

  1. Avoid the risk by discontinuing the activity that generates it;
  2. Reduce the likelihood of the occurrence;
  3. Reduce the consequences of the occurrence;
  4. Transfer the risk; or
  5. Retain the risk.

The selected strategy will in turn inform the mitigating action, which should take into account costs and effectiveness. The objective of the mitigation should be to ensure that the residual risk is consistent with the established tolerance level. Appendix B contains more information on this subject from the TB Integrated Risk Management Implementation Guide.

It is recommended that the Chief Financial Officer (CFO) include in the Risk Management Policy the requirement for consultation with key CIHR stakeholders on the risk assessments contained in the Corporate Risk Profile and on the establishment of risk tolerance levels for the identified risks. The stakeholders should include the CIHR Audit Committee and Governing Council.

Responsibility: CFO

Action: Formally establish risk tolerance levels through consultations with all key stakeholders, including the CIHR Audit Committee and Governing Council through established and recorded reporting mechanisms.

These tolerance levels will inform the risk mitigation strategies:

  1. avoid the risk by discontinuing the activity that generates it,
  2. reduce the likelihood of the occurrence,
  3. reduce the consequences of the occurrence,
  4. transfer the risk, or
  5. retain the risk.

Timelines: Risk Refresh Cycle: First Quarter of 2010-11

4. The Corporate Risk Profile describes the 16 Key Risks, their assessed levels (high, medium, or low), and the related mitigating actions. It also needs to specify the proposed tolerance level for each risk; define the corresponding residual risk level that is expected to be achieved through mitigation; and set mitigation milestones (e.g., planned phased reductions in the risk levels and their related timelines) so that the progress and effectiveness of the mitigating action can be monitored and reported.

The Corporate Risk Profile assigns a risk level to each of its 16 Key Risks. For example, as excerpted below, it recognizes Human Resources (HR) Management as a High Risk that merits Active Management by the Champion (the CFO) and the Risk Owner (the Director of HR); and it explains the nature of the HR risk, its impact, and the mitigation.

Human Resource Management:

Status: High - Active Management
Champion: Chief Financial Officer and Vice President, Resource Planning & Management
Owner: Director, Human Resources

This risk is an amalgamation of

  1. Adequacy of Succession Planning,
  2. Ability to Retain Key Staff, and
  3. Appropriately Qualified Staff.

There is a risk that

  1. CIHR does not have a plan or process to systematically and deliberately prepare for and replace future vacancies in key positions;
  2. CIHR is unable to retain key staff; and
  3. CIHR is not able to staff positions with appropriately skilled and experienced people.

Impact:

The possible impacts of this risk include: vacancies going unfilled for an extended period of time; suitable candidates within the organization not being properly groomed for the roles; inexperienced staff acting in roles that are beyond their capabilities; loss of corporate memory; loss of skills and knowledge; employee burnout; job dissatisfaction; increased staffing costs; a high turnover/vacancy rate; and an inability to deliver on operational plans, develop strategies and meet its mandate.


Mitigation:

CIHR mitigates this risk by identifying critical positions and preparing a succession plan for these positions annually. Leadership development and language training are provided centrally to ensure that leaders are appropriately skilled and able to take on greater challenges. Anticipatory staffing is conducted whenever possible and the staffing process has been significantly streamlined to maintain a staffing turnaround time of less than 3 months for vacant positions. CIHR monitors the retention and departure rate annually and has an exit interview process in place. An employee survey was conducted in 2008 and an action plan is being developed to respond to the concerns identified. CIHR monitors 65 human resources performance indicators annually to gauge the overall health of the organization and the satisfaction level of the workforce. Executive Champions work with the Human Resources Branch to ensure implementation of the HR Strategy and to maintain high visibility on human resources management issues.

The tolerance levels for this and other Key Risks still need to be formally established through consultation with all key stakeholders, including the CIHR Audit Committee and Governing Council. The tolerance level will help define the acceptable residual level of the risk to CIHR (i.e., high, medium, or low), thereby setting the goal for the mitigation strategies. The tolerance level, mitigation goal, and mitigation strategy will enable the monitoring and reporting of the progress and effectiveness of the mitigation and the taking of corrective action.

It is recommended that the CFO propose tolerance levels for each key risk for Audit Committee's review and recommendation; set the corresponding residual risk levels; define the actions, resources, and timelines needed to achieve those levels; and report periodically to Audit Committee on the progress and effectiveness of the mitigation.

Responsibility: CFO

Action: Update CIHR's Corporate Risk Profile to include tolerance levels (i.e., risk goals) through consultations with all key stakeholders, including the CIHR Audit Committee and Governing Council as per established risk reporting timelines. The tolerance levels will help define the acceptable residual level of the risks to CIHR thereby setting the goals for the mitigation strategies. The tolerance levels, mitigation goals and mitigation strategies will enable the monitoring of effectiveness of the mitigations and the taking of corrective action.

Timeline: Risk Refresh Cycle: First Quarter of 2010-11

5. In accordance with annual planning and budgeting instructions from Finance, the Branch operational plans are required to state their goals and objectives and the risks and mitigating actions. In 2009-10 plans, the risks were not defined consistently, in a manner that enables them to be synthesized, inform the Corporate Risk Profile, and be managed on a corporate-wide basis. Some plans contained mitigating measures, while others did not.

Some Branches identified tactical risks (such as a lack of human and financial resources, and workload pressures) that impact the achievement of their own operational goals and objectives. Others defined the strategic risks that the non-performance of their functions would pose to the achievement of CIHR-wide goals and objectives. A process is needed to ensure that the identified risks are assessed, synthesized, and managed appropriately. This issue has been reported previously in the internal audit of Corporate Governance and is being repeated here because of its direct relevance to this audit. The related recommendation and management action plan are a part of the Corporate Governance audit and will not be duplicated here.

Appendices

A: Audit Criteria and Conclusions

The audit uses the following definitions to make its assessment of the risk management framework at CIHR.

Conclusion on Audit Criteria / Definition of Opinion

Well controlled: Well managed; no material weaknesses noted, or only minor improvements are needed.

Moderate issues: Control weaknesses exist, but exposure is limited because either the likelihood or the impact of the risk is not high.

Significant improvement required: Significant improvements are needed; material financial adjustments are required, or control deficiencies represent serious exposure.

Overall Conclusion
The audit has concluded that the risk management framework at CIHR has moderate issues: there are control weaknesses, but overall risk exposure is limited because either the likelihood or the impact of the risk is not high, and because management has recognized the weaknesses and has initiated its mitigating actions.

Criteria and Conclusions

Risk Management Policy and Procedures

1. Management has a documented approach with respect to risk management.

a. CIHR's direction and approach to risk management are formally articulated (i.e., documented), well-communicated, and well-understood.
Conclusion: Well controlled

b. The direction and approach are suitably comprehensive and include:
  • CIHR's objectives with respect to risk management, including the value and relevance of risk management;
  • CIHR's risk management policy requirements that encompass, at a minimum, the frequency with which risk assessment must take place and the limits of acceptable risk taking (i.e., tolerance levels);
  • Risk management processes, methods, and tools that support all aspects of the risk management cycle (i.e., risk identification, risk assessment, risk response/treatment and risk monitoring), including guidelines on how these tools should be applied; and
  • Roles, responsibilities, and accountabilities related to risk management.
Conclusion: Moderate issues (Observations 3 and 4)

Risk Identification

2. Management identifies the risks that may preclude the achievement of its objectives.

a. The risk identification process is rigorous:
  • It is formal (a structured risk assessment methodology is documented, communicated, and applied);
  • It involves appropriate levels of management and all appropriate functional areas (i.e., those who have subject-matter expertise) in identifying the risks; and
  • It is led by a resource with the appropriate skills and experience who is directly responsible to senior management.
Conclusion: Well controlled

b. The risk identification process considers both internal and external sources of risk, including but not limited to the following factors:
  • political conditions;
  • legislation, policy, and regulation;
  • supply sources;
  • technology changes;
  • business process change or organizational restructuring;
  • economic conditions;
  • natural events;
  • human resource changes and capacity; and
  • dependencies and inter-relationships with other federal entities and parties outside government.
Conclusion: Moderate issues (Observations 1 and 2)

c. Risk events are identified at the entity and activity levels.
Conclusion: Well controlled

d. Management's risk identification process permits the identification of interrelationships and interdependencies.
Conclusion: Moderate issues (Observation 2)

e. All types of risks are identified including, but not limited to:
  • legal risk;
  • operational risk;
  • financial risk; and
  • reputational risk.
Conclusion: Well controlled

Risk Assessment

3. Management assesses the risks it has identified.

a. Risk assessment is done annually, ideally as part of the strategic planning process.
Conclusion: Moderate issues (Observations 1 and 2)

b. Formal assessment process and guidelines exist and are applied to facilitate the assessment of the risks to which CIHR is exposed.
Conclusion: Well controlled

c. The risk assessment process considers the results of the internal control assessment and includes an analysis of the risks' residual impact and likelihood of occurrence.

d. Appropriate levels of management and all appropriate functional areas (i.e., those who have subject-matter expertise) are involved in analyzing the risks.

e. Risk assessment techniques support the development of a composite assessment of risk, and enable management to consider risk from an entity-wide, or portfolio, perspective.

Control Assessment

4. Management identifies and assesses the existing controls that are in place to manage its risks.

a. Formal process and guidelines exist and are applied to facilitate the identification of those controls that are in place to manage the identified risks.

b. Formal process and guidelines exist and are applied to facilitate the assessment of those controls which are in place to manage the identified risks.

c. Input into the control assessment comes from a variety of sources including line managers, internal audit, and other parties, such as security, legal, etc.
Conclusion: Well controlled

Risk Mitigation

5. Management formally responds to its residual risks.

a. Residual risk exposure is examined against established risk tolerances by the level of management responsible for the risk.

b. A formal response (e.g., avoid, mitigate, or accept) to the risk is documented and communicated to all necessary parties.

c. Action plans are put in place to manage or treat risks that are deemed by management to be unacceptable. Action plans include:
  • specific mitigation measures;
  • the timeline during which the measures will be applied; and
  • the owner of each action.
Conclusion: Moderate issues (Observations 3 and 4)

6. Management appropriately communicates its risks and risk management strategies to key stakeholders.

a. Risk information is regularly presented to and discussed at established management and oversight committees.
Conclusion: Well controlled

b. Risk information (including risks and risk management strategies) is embedded in CIHR's key planning and performance reports.
Conclusion: Well controlled

c. Communication to stakeholders on risks and risk management strategies is pertinent and timely.
Conclusion: Moderate issues (Observations 3 and 4)

7. Management considers risk information in its planning and resource allocations.

a. Risk-based planning tools exist and are consistently applied in support of strategic and operational planning processes.

b. Risk information is used to support key management decisions.

c. Risk information is used to support business continuity planning.
Conclusion: Moderate issues (Observation 5)

Governance and Oversight

8. CIHR has independent oversight to monitor and provide assurance on the quality of risk management and due diligence in risk decision-making.

a. An oversight committee (such as the Departmental Audit Committee) with formal responsibility for monitoring risk and risk management exists.
Conclusion: Well controlled

b. The oversight committee receives and considers relevant and complete information from a variety of sources (including management and internal audit) in a timely fashion to permit it to monitor management's risk profile and risk management strategies.

c. The oversight committee concurs with the organization's risk tolerance levels.

d. The oversight committee reports to Governing Council on the quality of risk management and on significant risks.
Conclusion: These criteria are not applicable at the time of the audit because the Risk Management Framework and the Corporate Risk Profile are in their approval stages.

Continuous Improvement

9. CIHR promotes organizational learning and improves its risk management performance.

Management reviews, reports on, and updates its risk profile and management practices annually to ensure that it is implementing its mitigating actions on schedule and incorporating new risks as they emerge.

B: Integrated Risk Management Implementation Guide

Understand Risk Tolerance

An organization's tolerance for risk varies with its culture and with evolving conditions in its internal and external environments. An organization's risk tolerance and that of its key stakeholders must be understood, because both will influence and guide Decision-making. Management must determine which risks the organization should accept at which levels, then re-evaluate these choices as circumstances change.

Risk tolerance and performance expectations should be linked directly at the corporate level. Organizations should understand the correlation between the degree and duration of unfavourable variances from established performance expectations or targets and the level of risk exposure.

Consider the following in understanding the organization's risk tolerance level and that of its key stakeholders:

The following diagram presents risk tolerance in relation to the cost of managing to different levels of risk. Source: presentation by Kevin W. Knight, Ottawa, June 2003.

[Figure: Risk tolerance in relation to the cost of managing to different levels of risk]
