#441 – ERM WORKS IN GOVERNMENT – JAMES KLINE PH.D.

In 2019 I co-authored an article, published in the Journal of Government Financial Management, entitled: Auditors, Accountants and ERM. (1) The thrust of the article was that auditors and accountants around the world were starting to push Enterprise Risk Management (ERM). The recent ERM audit of the City of Vancouver, British Columbia, Canada Police Department (2) is an example of this growing trend. This piece examines the audit findings and recommendations.

Background

The audit of the Vancouver Police Department was conducted by the office of the Auditor General. It covered the period of January 1, 2022, to July 31, 2023. The audit examined the Oversight Board (Board) and Vancouver Police Department’s (VPD) risk management policies, framework, guidelines, processes, reports, data, and other documents related to the implementation of ERM. The ERM standard against which the audit was conducted was the International Organization for Standardization (ISO) 31000:2018 Risk Management guidelines.

Interviews with members of the Board and VPD staff also occurred. In addition, because of the unique nature of police work, the auditors worked closely with subject matter experts with experience in executive management in law enforcement, law, academia and ERM specific to policing. These experts assisted in establishing the criteria for the audit and assessing the findings.

The scope of the audit did not include:

  • Risks related to specific initiatives or services provided by the VPD.
  • Day-to-day risk management engaged in by individual officers.
  • The City’s ERM Framework and performance reporting.
  • Governance matters not related to risk management.
  • The quality of the VPD strategic plan.

The key findings of the audit are presented below.

Findings

  1. The risk oversight process primarily involved the Board receiving limited risk and issue-related information from the Department. Issues were discussed on an ad hoc basis.
  2. The Board periodically received risk-related information from the Department, but this information did not include elements typically found in a risk register, such as severity, prioritization, and residual risk.
  3. The Board did not take steps to ensure that risk mitigation strategies identified by the Department were in place and working.
  4. Although the Department had unit-level processes in place intended to manage risks and threats affecting its ability to keep the public safe, it did not have:
     • An ERM program, documented framework, policy direction or processes to guide its management of enterprise risks; and
     • A dedicated function or business area to ensure that management can effectively manage its enterprise risks and use risk-based decision making to support the achievement of organizational objectives.
  5. The Department did not use ERM principles or tools to manage enterprise-wide risks and did not have documented processes to address department-wide risks.
  6. The Department did not utilize formal and documented assessments of Department risks to inform the strategic decision making and planning process.

Based on these findings, the auditors made nine recommendations. Four were for the Board and five were for the Department. A sample of the recommendations for each is below.

Recommendations for the Board

  1. The Board should clarify and expand sections of its governance manual relating to oversight of enterprise risk management to include:
     • A statement that identifies the Board as the overseer of enterprise risk management for the Department and describes what that entails.
     • A definition of risks including key risk categories the Board oversees such as: hazards, material, strategic, financial, reputation, governance, operations etc.
     • The roles of the Board and Chief Constable in defining and communicating the levels and types of risk the organization is willing to accept.
  2. The Board should introduce consistent mechanisms to implement the Board’s risk management direction, such as:
     • A process for the Board’s involvement in the development of an enterprise risk management policy, and the development and management of Department risk registers.
     • A schedule to review the risk register at least annually.
     • Processes through which the Board can obtain reasonable assurance that the Department’s risk management, internal control systems, and information systems are properly designed, reliable and operating effectively to prevent and mitigate risks, such as:
        • Reporting, testing and third-party validations.
        • Regular reporting from management or direct oversight of the Department’s internal audit functions.

The recommendations for the Department included:

  1. The Vancouver Police Department should develop an enterprise risk management framework. The framework should include at a minimum:
     • Clearly documented procedures to identify, assess, manage, and oversee its enterprise risks.
     • Communication procedures to enable consistent understanding of enterprise risk by all relevant stakeholders.
  2. The Vancouver Police Department should develop an enterprise risk management policy that includes:
     • A requirement for management to apply enterprise risk management principles in managing department-wide risks.
     • Policy aims such as how risk management will assist the Department.
     • Specific responsibilities and accountabilities related to managing enterprise risks for units and individuals throughout the Department.
  3. The Vancouver Police Department should develop a risk register that includes:
     • Risks identified by internal and external stakeholders during its strategic planning sessions and facilitated unit-level risk assessment sessions.
     • Risks identified at Vancouver Police Board planning sessions and risk assessments conducted at these sessions.
     • Assignment of identified risks into categories to ensure that risks affecting similar functions, units and areas are clearly flagged to highlight areas of focus.
     • Documentation on the effectiveness of risk treatments.
     • Risk thresholds, as developed with the Board.

Both the Board and the VPD accepted the findings and are taking appropriate steps to implement the recommendations.

Conclusion

The ERM audit of the VPD is an example of the continuing push by auditors (in this case) and accountants for ERM adoption. The auditors prepared thoroughly before the audit. They brought in subject matter experts to help craft the audit process. They used ISO 31000:2018 as the model against which they audited. Further, they excluded elements such as risks related to specific initiatives, services, or individuals. This helped gain acceptance of the findings and furthered the goal of ERM adoption.

The audit found that, while risks were recognized, it was on an ad hoc basis. There was no formal or structured ERM process. Thus, the Board was not well informed about risks and the effectiveness of any mitigative efforts. Similarly, the VPD did not have any way of identifying or tracking enterprise-wide risks, information which could allow it to better allocate resources.

Only time will tell how well the ERM system is implemented by the Board and VPD. The audit did raise awareness and move both the Board and VPD towards ERM implementation and use.

Endnotes

  1. Kline, James J. and Greg Hutchins, 2019, Auditors, Accountants and ERM, Journal of Government Financial Management, Winter, pages 33-37.
  2. Office of the Auditor General, 2023, Vancouver Police Department’s Enterprise Risk Management, December, https://vancouver.ca/files/cov/2023-vpd-enterprise-risk-management-audit-report.pdf

BIO:

James J. Kline has worked for federal, state, and local government. He has over ten years’ supervisory and managerial experience in both the public and private sector. He has consulted on economic, quality and workforce development issues for state and local governments. He has authored over one hundred articles on quality management in government and risk analysis. His book “Enterprise Risk Management in Government: Implementing ISO 31000:2018” is available on Amazon. He edited “Quality Disrupted”, also available on Amazon.
