In June 2022 the Office of the Auditor General of Ottawa Canada issued an audit report on the city’s Enterprise Risk Management (ERM) process. This piece looks at the audit results and what they say about the state of ERM in local government. It also looks at how the recommendations compare with an ERM study in New Zealand. Finally, it discusses the implications for ERM going forward.
Background
ERM is an organization wide process which methodically allow management to identify, asses the impact and mitigate risks the organization faces. The Ottawa audit report considers ERM to be critical to the successful achievement of organizational objectives.
The city’s ERM process is governed by its ERM policy. The policy was updated in 2019. The framework by which the risk assessment is conducted was established in 2011. “The Policy and Framework describe the general expectation for risk management activities across the city.” (1)
In 2016 the decision was made to decentralize the risk management process. Thus, each department became responsible for risk management. Structurally three main risks are identified. The most basic are risks which affect a department. In this case, the General Management (GM) is accountable for the department’s risk management process. Departmental risk management assessment is assisted by the Business Support Services (BSS) unit within each department. The Innovative Client Services Department coordinates with each BSS to identify horizontal risks. These are risks which impact more than one department. Horizontal risks are forwarded to the Senior Leadership Team (SLT) for review. Based on the review the SLT decides which risks are to be considered corporate risks.
Audit Scope
The audit was conducted between January 1, 2019, and December 31, 2021. It covered the following areas.
- Governance and oversight
- Implementation of ERM processes
- Risk monitoring, reporting and decision making
- Risk management culture (focused on awareness of processes, responsibilities, attitudes, training, and support from senior management).
Audit Findings
The basic finding was that the city has a robust ERM process in place which is supported by a ERM policy and framework. “These processes support the development and update of an annual Corporate Risk Review which is provided by the SLT.” (2) The audit did recognize opportunities for improvement. Seven recommendations were made.
Recommendations
- Clearly define roles and responsibilities in the Policy and Framework.
- Departmental management, ICSD and SLT’s roles in the annual/ongoing risk management process.
- Clear expectations for risk owners including responsibilities to implement risk mitigation strategies and regular reporting of the status of the mitigation strategies and regular reporting of the status of the mitigation activities and the impact of the assessed risks.
- Informing Council of Corporate Risks
- The GM and ICSD, in conjunction with the City Manager and City Clerk, should determine what level of corporate risk information should be provided to the Council. The information enables the Council to incorporate the corporate risks into their making strategic decisions.
- Establish Centralized Oversight
- The City Manager should consider assigning additional authority and responsibility for ERM to ICSD or another centralized group (e.g., the Service Transformation Group). This would help ensure all departments meet a minimum standard and consistency of expected risk management activities as set out in the Policy and framework. This includes.
- Establishing a role in overseeing departmental risk management activities to ensure these activities achieve the outcomes intended from the policy and framework.
- Providing an independent challenge function of the risk management output of departments given their City-wide visibility/perspective.
- Integration of fraud risk with ERM.
- The GM and ICSD, in consultation with the CFO/City Treasurer, should establish expectations within the framework, for the integration of fraud risks within ERM. Further, an enterprise-wide fraud risk assessment should be undertaken.
- Mandatory Risk Management Training
- The GM should ensure that a mandatory risk management training program is developed and implemented (initial and refresher training) for those individuals with specific risk management responsibilities. This training program could leverage the existing training modules and should be tailored to the various stakeholder groups involved in the risk management process.
- Risk Management Awareness for Council
- A risk management awareness/training program, specifically designed for the needs of Council, should be developed, and delivered to the Council.
- Establish Risk Tolerance Levels
- The City Manager, supported by the GM, and ICSD, should initiate an exercise to develop risk appetite statements and risk tolerance levels for the City and provide them to the Council for approval to ensure appropriate resources are being allocated to mitigate risk where required and beneficial. Departments should utilize the established risk tolerance and appetite levels to determine where best to allocate their resources towards mitigation strategies.
The recommendations, while specific to Ottawa’s ERM process, indicate that despite having an ERM framework since 2011, there are issues. A key issue is the need for additional training for both employees, and the council. Another is the need to establish risk tolerance levels and have a more structured ERM process. Tolerance levels and well defined ERM structure are fundamental to the ERM process.
These recommendations can be compared with the results of research on local
government ERM implementation in New Zealand.
Controller and Auditor General of New Zealand Report
In June 2021 the Auditor General of New Zealand presented a report on “Our observations on local government risk management practices”. Sixty-three councils were studied. Fifty-five had a risk management framework. Most were using ISO 31000:2018. Based on the assessment four recommendations were made.
- Have someone who is responsible for enabling and driving good risk management practices throughout the council.
- Integrate risk management into all council activities, particularly strategy-setting and decision making.
- Improve the training and support provided to elected members, particularly in their roles and responsibilities for effective risk management.
- Carry out regular reviews of risk management activity to inform progress and areas of improvement. (3)
The New Zealand and Ottawa recommendations are consistent. Make sure the governing body is consistently informed of the ERM process. Make sure all risks are integrated into the ERM process. Make sure employees are continually trained on the risk management process.
The similarities between the two show that even though ERM processes have been in place for years, as in the case of Ottawa, management and the governing body need to continually monitor and advocate ERM. In addition, the ERM structure needs to be well defined and training continual.
Summary
The audit and the study indicate ERM is alive in local governments around the world. They provide two different perspectives. The Ottawa audit is on a municipality which has implemented ERM since 2011, while the New Zealand report is a cross sectional assessment. Each has shown that for ERM to be effectively implemented a structured approach is necessary.
ISO 31000:2018 is such a structured approach. ISO 31000:2018, for instance, provides a stepped sequence which helps management with the implementation process. It recommends, for instance, that the governing body determine early its risk appetite and carry out regular reviews of the effectiveness of the mitigative efforts.
The audit and the report focus on the administrative implementation process. Getting the ERM accepted and implemented is very important. However, if the risk mitigation efforts are not effective and continually improved, just checking the box for each ISO 31000:2018 step means little. If ERM is to have an important administrative and managerial impact, the mitigation actions, which is the goal, need to be continually assessed for their effectiveness. Thus, going forward, if ERM is to be successful, audits need to examine both the maturity of the implementation process, how well the steps are being implemented, as well as, the effective of the mitigation efforts.
Endnotes
- Office of the Auditor General, 2022, Audit of Enterprise Risk Management, page2, https://ottawa.ca.gov/Ottawa%20ERM%20audit%20report.pdf
- Ibid page 4.
- Controller and Auditor-General, 2021, Observations on local government risk management practices”, New Zealand, https://oag.parliament.nz/2021/risk-managment/docs/summary-risk-management.pdf.
Bio
James J. Kline has a PhD from Portland State University. He has worked for federal, state, and local government. He has consulted on economic, quality and workforce development issues. He has authored numerous articles on quality and risk management. His book “Enterprise Risk Management in Government: Implementing ISO 31000:2018” is available on Amazon. He edited the book “Quality Disrupted”. It is also available on Amazon. He can be contacted on LinkedIn or jamesjk1236@outlook.com