Archived - Audit of Enterprise Risk Management

December 2014

Archived Content

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived.

1.0 Introduction

Risk management is an explicit and systematic approach to identify, assess and address risks associated with objectives.[Footnote 1] It facilitates the sharing of risk information, which enhances informed decision-making and improved planning. As such, risk management increases organizational resilience by improving predictability in achieving outcomes, protecting corporate assets and maintaining stakeholder trust. Enterprise Risk Management (ERM) promotes a continuous, proactive and systematic process to understand, manage and communicate risk information from an organization-wide perspective.

Core risk management principles are articulated in the Treasury Board Secretariat (TBS) 2010 Framework for the Management of Risk (TBS Framework). Accompanied by the TBS Guide to Integrated Risk Management (TBS Guide), the TBS Framework guides deputy heads on the implementation of effective risk management practices at all levels of their organization.

The CBSA ERM Policy designates the Chief Risk Officer as the process owner for the risk management self-assessment function and for providing assurance that the organization is operating effectively from a risk perspective. The Chief Risk Officer is responsible for ensuring that the TBS Framework and Guide are reflected in the CBSA’s policies, guidance, and tools.

The Enterprise Risk Management and Transformation Initiatives Division (ERMTID) in the Corporate Affairs Branch supports the Chief Risk Officer through the development and implementation of the ERM Framework, which includes risk-related policy, processes, tools, resources, services and training. The Division provides horizontal support and leadership for risk management to all branches and programs on risk-related matters. Vice-presidents and direct reports to the President are ultimately accountable for managing risks.

2.0 Significance of the Audit

Risk management makes a significant contribution to strengthening the departmental capacity to recognize, understand, accommodate and capitalize on new challenges and opportunities. It prepares an organization to respond to change and uncertainty, and contributes to improved decision making and better allocation of resources. Risk management is recognized as a core element of effective public administration.[Footnote 2]

With the current fiscal environment of deficit reduction and limited resources, key decisions and resource allocation rely on effective risk management and analysis. Risk management enables organizations to respond proactively to change and uncertainty by using risk-based approaches and information to enable more effective decision-making.[Footnote 3]

The audit is timely as changes are being made to the Management Accountability Framework (MAF). MAF 2014–2015 has a new core area of management: Management of Integrated Risk, Planning and Performance. Its objective is to strengthen integration and alignment of planning in departments and agencies. It is also responding to a need for coordinated and consistent TBS-wide guidance on planning and risk management, and better alignment between integrated risk management, planning and performance functions within departments and agencies.

The audit objective was to provide assurance that the Agency’s ERM Framework is in place, that key Agency risks are identified, assessed and managed effectively for achieving its objectives, and that risk information is integrated into planning and decision making. The audit scope covered the ERM control framework and processes at both the corporate level and within selected branches and programs, in addition to how information was utilized for integrated business planning and decision making.

Given the CBSA’s mandate of providing integrated border services that support national security and public safety priorities and facilitating the free flow of persons and goods, operational risk management activities occur on a daily basis. The audit did not examine activities supporting operational risk management, such as the targeting and intelligence programs. The audit focused on the process for developing the Enterprise Risk Profile (ERP), which is part of the risk management process and control framework. Observations are based on the 2013 ERP, which was the most recent version at the time of the audit.

Further details of the audit scope and criteria can be found in Appendix A.

3.0 Statement of Conformance

The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. The audit approach and methodology followed the International Standards for the Professional Practice of Internal Auditing as defined by the Institute of Internal Auditors and the Internal Auditing Standards for the Government of Canada, as required by the Treasury Board’s Policy on Internal Audit.

4.0 Audit Opinion

The Agency’s ERM Framework is aligned with the key principles of the TBS Framework and Guide to identify, assess and manage risks. Opportunities for improvement relate to reviewing the CBSA Framework to continuously mature risk management practices. The Agency is identifying, assessing, mitigating and monitoring its risks at the corporate level with the consistent application of the CBSA ERM Policy and associated guidance. Opportunity exists to further strengthen risk management practices below the corporate level by developing mitigation strategies for identified risks. Regular monitoring of risks, risk drivers, and the mitigation plans at all levels of the Agency would ensure that changes affecting the Agency's environment are identified in a timely manner. A process has been defined for integrating risk information into planning and decision making.

This translates to a medium risk exposure to the Agency.

5.0 Key Findings

The Agency’s risk management approach and process have been well defined and documented in the CBSA ERM Policy, Framework and Handbook, which are communicated across the organization. Together, these documents describe an ERM program that is generally in line with TBS principles for risk management. Exceptions noted relate to the absence of periodically reviewing the Agency Framework and defining risk tolerance.

An analysis of the 2013 Enterprise Risk Profile and associated Branch and Program Risk Profiles indicated that significant risks are identified and assessed, and respect the process defined in the CBSA ERM Handbook. Risk mitigation plans were developed and documented for the corporate risks, and identified appropriate risk sponsors and mitigating activities to address enterprise risks. Opportunity exists to further strengthen risk management practices below the corporate level, by developing mitigation strategies for identified risks.

Corporate level risks were being monitored annually; however, risks identified below the corporate level were not monitored as required by the CBSA ERM process. Regular monitoring of risks, risk drivers, and risk mitigation strategies at all levels of the organization would allow the Agency to identify changes affecting its environment in a timely manner.

The audit also noted that corporate risk information was generally integrated in corporate planning documents and integrated business plans (IBP). The IBP process is currently being revised to further integrate risk information. Corporate risk management practices are also regularly monitored by governance bodies within the Agency.

At the CBSA, risk is managed on a daily basis at the operational level. While ERM practices continue to mature, without a more structured and integrated approach to risk management below the corporate level, the Agency cannot be assured that the identified risks are being properly managed, reduced or eliminated.

6.0 Summary of Recommendations

The audit makes two recommendations relating to:

  • periodically reviewing the CBSA ERM Framework and program to identify and address gaps and opportunities for improvement;
  • ensuring that formal mitigation plans below the corporate level are developed, implemented and monitored.

7.0 Management Response

The Corporate Affairs Branch agrees with the recommendations of the Audit of Enterprise Risk Management. The principal means by which the Branch will respond to the audit recommendations is through a comprehensive review and update of the ERM Framework, including the ERM Policy and related tools, and through the further integration of risk management within the business planning and performance measurement processes.

In that context, the Branch has already taken steps to begin to improve and mature the ERM Program, and will continue to work in collaboration with key stakeholders across all branches to complete this work. The Branch is also working on establishing contacts with counterparts in other government departments and in Border Five (B5) and Five Country Conference customs and immigration administrations, to explore opportunities to share best practices with key partners. This consultative approach will inform the new strategic direction for moving the ERM Program forward. The Branch will implement its action plan by the end of July 2015.

8.0 Audit Findings

8.1 Risk Management Framework

Audit Criteria:

  • The CBSA’s risk management framework and processes are documented, complete and communicated across the Agency.

8.1.1 TBS Risk Management Framework and Guide

The TBS Framework for the Management of Risk (TBS Framework) is a key policy instrument that outlines a principles-based approach to risk management for all departments and agencies. The Framework describes Deputy Heads’ responsibility for the effective management of their organizations in all areas of work and at all levels of their organization, including risk management, and describes the expectations for an effective risk management practice.[Footnote 4] It is supported by the TBS Guide to Integrated Risk Management (TBS Guide), which outlines practical guidance and considerations for operationalizing these principles. The principles represent the minimum requirements and encourage departments to focus on areas that will assist them in progressing towards a cohesive and consistent approach to risk-informed decision-making. The TBS Framework does not impose specific integrated risk management requirements on departments, as their mandate, risk exposure and management capacity vary.

The TBS Guide further outlines a framework and process for risk management that includes risk management principles, framework elements, and process steps such as ongoing communication, risk assessment and risk treatment, and monitoring and review.

8.1.2 The Agency’s ERM Framework is aligned with TBS Framework

The Agency has documented its approach to risk management in the CBSA ERM Policy; the CBSA ERM Framework – Process and Tools; and the CBSA Risk Management (RM) Handbook.

Our review of the CBSA ERM Framework, Policy and Handbook found that the Agency has a fully documented risk management framework and process. The risk management framework and process are modelled after the TBS Framework and Guide, and capture most of the key elements, including a:

  • demonstrated mandate and commitment to ERM through a defined and endorsed ERM Policy, and assigned roles and responsibilities for risk management consistent with TBS guidance;
  • framework design that is generally aligned with TBS guidance (i.e. an understanding of the Agency and its environment, an established ERM Policy, integration into organizational processes such as planning, and resources allocated to ERM); and
  • risk management process that has been designed to include all of the key activities outlined by TBS (i.e., process activities such as communication and consultation, establishing the context, the risk assessment process, risk treatment processes, and guidance for monitoring and reviewing identified risks and mitigation strategies).

However, the CBSA ERM Framework did not include the following elements from the TBS guidance:

  • ongoing monitoring and continuous improvement of the ERM Framework, and
  • risk tolerance definition and guidance.

Ongoing Monitoring and Continuous Improvement of the ERM Framework

Continuous improvement of the culture, capacity and capability of risk management encourages organizations to continually monitor, review and improve their risk management approach and processes to ensure their effectiveness, efficiency and relevance in supporting the organization’s overall performance.

An Integrated Risk Management Framework was approved by the Executive Committee in November 2008, and was replaced by a new ERM Policy, including the process and tools, in August 2010. In addition, an ERM Strategic Plan was developed which included two main objectives as well as performance indicators in 2010. Since the development of the ERM Policy and the ERM Strategic Plan, ongoing monitoring of the CBSA’s ERM Framework by ERMTID has not been implemented. Monitoring and reporting against the performance indicators, as envisioned in the ERM Strategic Plan, did not take place. An update and assessment against performance indicators was prepared at the time of the audit. Without regular review of the Agency’s risk management framework, risk management practices may not sufficiently evolve to address the Agency’s needs at all levels of the organization.

Risk Tolerance Definition and Guidance

The TBS Framework defines risk tolerance as “the willingness of an organization to accept or reject a given level of residual risk (exposure). Risk tolerance may differ across the organization, but must be clearly understood by the individuals making risk-related decisions on a given issue. Clarity on risk tolerance at all levels of the organization is necessary to support risk-informed decision making and foster risk-informed approaches”.[Footnote 5] Although not a specific requirement, TBS suggests that guidance be provided on setting risk tolerance levels for identified risks.

Existing risk documentation did not include processes and guidance around establishing risk tolerances for identified risks.

Management indicated that risk tolerance was expressed in the Agency through management’s response to identified risks (i.e., accept and watch, or mitigate) and that it was difficult to define and set an Agency-wide tolerance level.

Defining risk tolerance and developing a methodology for expressing tolerance levels would strengthen integrated risk management practices in the Agency. This, in turn, would facilitate risk-informed decision-making with regard to the acceptance of risk, senior management engagement when tolerance levels are exceeded, and the prioritization of resources related to risk mitigation and business planning.

Recommendation 1:

The Vice-President of the Corporate Affairs Branch should periodically review the CBSA ERM Framework and program in order to identify and address gaps and opportunities for improvement to further mature Agency risk management practices.

Management Action Plan

The Corporate Affairs Branch agrees with this recommendation. The Branch is currently in the process of undertaking a formal review of the CBSA ERM Policy, the RM Handbook, the ERP document and the ERP process to identify gaps and make the necessary changes to reflect the improvements that will mature the Agency’s ERM program. In updating the current ERM Policy, the Branch will commit to conducting a review of the ERM Framework and Program every three years, to coincide with the triennial MAF reporting cycle.

Completion date: July 2015

8.2 Risk Management Practices

Audit Criteria:

  • Management identifies and assesses significant risks that may preclude the achievement of its objectives.
  • Management identifies and assesses the existing controls that are in place to manage its risks.
  • Management formally responds to its risks, and communicates both risks and risk management strategies to appropriate stakeholders across the organization enabling the Agency to carry out its responsibilities.
  • Risk information is integrated in and used for planning and decision-making purposes.
  • Risk management practices are regularly monitored by oversight bodies within the Agency.

8.2.1 Background

As outlined in the ERM Framework and the ERM Policy, the CBSA’s risk management process contains the following elements, as outlined in Figure 1 below:

  1. Establishing the risk context
  2. Risk assessment
    • Identify and analyze risks
    • Identify and analyze the controls
    • Evaluate the risks
  3. Addressing risks
  4. Monitoring, reporting, and re-evaluating risks; and
  5. Ongoing communication and consultation regarding risks

Figure 1: The CBSA’s Enterprise Risk Management Process[Footnote 6]

[Figure: a process diagram showing the five elements listed above (1. establishing the risk context; 2. risk assessment, comprising identifying and analyzing risks, identifying and analyzing the controls, and evaluating the risks; 3. addressing risks; 4. monitoring, reporting, and re-evaluating risks), with ongoing communication and consultation shown throughout the process.]

ERMTID facilitated risk assessment exercises below the corporate level, at the various Branch Management Teams (BMT) and Program Management Tables (PMT).[Footnote 7] The facilitated risk assessment exercise included conducting interviews with BMT and PMT members, creating and validating the BMT/PMT risk inventories, assessing the risks identified, and creating and validating the BMT/PMT risk profile.[Footnote 8] These risk profiles provide input into the corporate risk identification, which in turn is presented to vice-presidents and members of the Executive Committee. The ERP 2013 also considered additional information sources, such as the CBSA Environmental Scan, the National Border Risk Assessment, the Departmental Security Plan, the Beyond the Border Risk Profile, and the Agency Performance Summaries, among others.

Even though ERMTID facilitates the risk identification process, the Vice-Presidents are ultimately accountable for managing risks for their areas of responsibility.

8.2.2 Establishing the Context

The purpose of establishing the context of risk management activities is to define the scope of the risk identification exercise, key stakeholders, and operating environment.[Footnote 9] Furthermore, this allows an organization to identify and gather information regarding facts and trends impacting its operating environment that may create risks to meeting its objectives. The audit found that the sampled risk profiles provided a detailed background and context of the Branch/Program/Area being assessed.

8.2.3 Risk Identification and Analysis

The CBSA ERM Handbook outlines the process to identify and assess significant risks. The audit found that the identification and assessment of significant risks that may preclude the achievement of objectives was completed through the Branch and PMT Risk Profiles as well as the ERP 2013. These risk identification and assessment documents followed the process outlined in the ERM Handbook. Risks were identified, documented and assessed, and associated with the achievement of one or more business objectives, and also included considerations related to fraud.

The audit selected four out of thirteen Branch/PMT Risk Profiles and the 2013 ERP to determine whether identified risks included the expected attributes, such as the following:

  • both internal and external sources and/or risk drivers are considered;
  • potential consequences are considered;
  • identified risks are relevant to the branch/program/area;
  • the achievement of one or more specific objectives is considered;
  • identified risks are assessed using the Agency’s published scales for impact, likelihood and trends; and
  • the residual risk as final risk exposure assessment is considered.

The selected Branch/PMT Risk Profiles and the ERP were aligned with the CBSA guidance in terms of the approach and methodology used in the risk assessment process. For example, in the sample selected, the risk statements were consistent and used similar language; internal and external sources or drivers of risk were taken into consideration; and potential consequences were considered for each risk.

The ERP risks are identified by ERMTID from various information sources, such as the Branch and PMT Risk Profiles, the Departmental Security Plan, the National Border Risk Assessment, the CBSA Environmental Scan, and the Beyond the Border Risk Profile. ERMTID did not have a formal process or documentation, such as a central risk register, to indicate how and to what extent the Agency’s various sources were considered in developing the ERP. The audit reviewed the process and roll-up of information from these sources to determine whether significant risks were captured in the Agency’s ERP.

ERMTID facilitated the risk assessment exercise for the branch and PMT risk profiles, which included key branch and PMT personnel. Through discussions with the directors general, directors and regional directors, risks were identified and subsequently validated through voting.[Footnote 10]

Overall, risks are being identified, analyzed and assessed across the Agency with the consistent application of the CBSA ERM Policy and associated guidance.

8.2.4 Risk Evaluation

The CBSA ERM Handbook requires that once risks have been identified and assessed, controls in place are to be identified and analyzed. The effectiveness of the controls is assessed against the five-point Control Effectiveness Evaluation Scale and Matrix provided in the ERM Handbook. Additional guidance to the management team undertaking controls self-assessment is provided in the CBSA Management Control Framework.

The risk profiles included in our sample identified the relevant controls whose effectiveness was self-assessed using the appropriate CBSA guidance. When requested, documentation to substantiate the assessment of control effectiveness was not provided for our review. Documenting the process of how controls are identified and assessed for effectiveness would further mature the control assessment step within the risk assessment process at the branch/PMT level.

Following the results of the controls assessment, risks were evaluated on likelihood and impact. For the 2013 ERP cycle, Executive Committee members evaluated the enterprise risks by voting on the exposure from a likelihood and impact perspective. Following the voting, risk sponsors and risk responses were identified for each risk.

The audit concluded that the risk evaluation step of the ERM process was completed and followed Agency guidance.

8.2.5 Addressing Risks

The CBSA ERM Policy requires the development of mitigating strategies/plans by management to prioritize the risks when it is not feasible to address all risks. Once risks have been identified, and control effectiveness evaluated and risk responses have been determined (e.g., mitigate, accept and watch), mitigation plans are required for risks whose response is identified as ‘mitigate’.

For ERP 2013, risk mitigation plans were developed and documented, and identified appropriate risk sponsors and mitigating activities to address the risks as per the CBSA process guidance. Of the 20 key corporate risks identified, the ‘mitigate’ risk response was identified for 13 risks. Our analysis of the risk response strategies provided in Annex B of the ERP 2013 indicated that the mitigation strategies were identified and documented.

Below the corporate level, the CBSA ERM process requires assigned risk sponsors to develop risk response strategies for the risks where the risk response was identified as ‘mitigate’. For the four risk profiles selected, risk sponsors were identified. However, documented risk mitigation strategies did not exist, unless the risk was rolled up into the ERP and mitigated through the ERP mitigation plan by default. It was found that ERMTID does not request or receive copies of the mitigation plans below the corporate level.

Without a more structured and integrated approach to risk management below the corporate level, the Agency cannot be assured that the identified risks are being properly managed, reduced or eliminated.

8.2.6 Integration of risk into planning and decision-making

Once risks have been identified, assessed and addressed, the risk management process should be integrated within planning and decision-making.[Footnote 11] By incorporating risk information into decision-making, resource allocation and prioritization, the Agency can allocate its resources, both financial and non-financial, more effectively and efficiently.

At the corporate level, one form of integration of risk information into planning was identified in the Report on Plans and Priorities (RPP) and Departmental Performance Report (DPR). The audit reviewed the RPP 2013–2014, RPP 2014–2015 and DPR 2012–2013 and found that ERP risk information had been incorporated into these planning documents and was linked to priorities.

At the branch level, detailed guidance was developed on integrated business planning that includes templates on how risk information is to be integrated into planning and decision-making. Although some ERP risk information was included in the integrated business plans reviewed, the level of detail related to risk was inconsistent. While the plans were primarily based on core activities and/or key branch commitments, it was not evident how risk was considered in the final decision to allocate resources.

Further integrating risk into the planning process would allow the Agency to make more informed decisions around resource prioritization and allocation. ERMTID has indicated that the integrated business planning process was being revised for fiscal year 2014–2015.

8.2.7 Monitoring and Oversight

Monitoring, reporting, and re-evaluating risks

The CBSA ERM Policy defines risk monitoring as the process of monitoring risks and associated mitigation/action plans to ensure that risk exposure levels remain within acceptable ranges. As such, risk monitoring is expected to occur at all levels within the Agency.

At the corporate level, the Director, ERMTID, is responsible for developing and implementing a monitoring and performance measurement process to monitor Agency risks and corporate response strategies. The audit found that ERP risks and risk mitigation strategies are monitored by ERMTID on an annual basis through the development of the ERP (which is completed every two years) and through the ERP status updates (which are conducted in the interim years). The ERP Status Update prepared in even-numbered years provides information on changes to the Agency’s risk environment and on progress made in these mitigation efforts. To some degree, risk responses identified as part of the ERP are monitored by ERMTID through these ERP Status Updates. As part of this process, risk sponsors are consulted and various corporate documents (e.g. Environmental Scan) are reviewed. The updated risks are then presented to and validated by the vice-presidents. The implementation status of the planned mitigation activities is self-reported by the risk sponsors. With the exception of the ERP and ERP Status Update, no further monitoring of ERP risks and associated mitigation strategies is being conducted by ERMTID at the corporate level. During the course of the audit, ERMTID indicated that ERP monitoring results would be presented to the Executive Committee bi-annually.

Below the corporate level, vice-presidents, direct reports to the President, and managers are responsible for monitoring risks within their area of responsibility. As mitigation strategies did not exist for branch and PMT risks, they could not be formally monitored. Branch and PMT stakeholders involved in the risk assessment process stated that risks, issues and controls are discussed at PMT and management meetings, but documentation was not provided to support these discussions.

Without regular monitoring of risks, risk drivers, and risk mitigation strategies, including updates on control effectiveness at all levels of the organization, changes affecting the Agency’s environment may not be identified in a timely manner. This could impede the achievement of Agency objectives/priorities and cause inefficiencies (e.g., expending resources to control a risk that no longer exists).

Oversight of CBSA Risk Management Practices

The audit expected to find governance structures that promote a risk-informed culture and management practices throughout the Agency. As indicated in the CBSA ERM Policy and the various committees’ terms of reference, the following committees and positions have been delegated the responsibility of reviewing the Agency’s risk management practices:

  • The Agency Departmental Audit Committee;
  • The Executive Committee;
  • The Director of ERMTID; and
  • The Chief Audit Executive.

The Audit Committee is responsible for providing objective advice and recommendations to the President regarding the sufficiency, quality and results of assurance on the adequacy and functioning of the Agency’s risk management, control and governance frameworks and processes; for periodically reviewing the Enterprise Risk Profile and Agency risk management arrangements; and for documenting any significant concerns in relation to the Agency’s risk management framework and processes. The Audit Committee Charter requires the Committee to provide the President with objective advice on recommendations pertaining to the adequacy and functioning of the Agency’s risk management framework and processes. The audit confirmed that the Audit Committee executes its responsibilities by periodically reviewing the ERP. Program updates, along with the ERP, are presented by ERMTID and are generally shared with the Audit Committee members on an annual basis.

In addition, the Executive Committee is required to identify key risks, prioritize Agency activities and identify, monitor and report on expected results, ensuring appropriate linkages to key management accountability documents.[Footnote 12] The audit found that status updates were provided to the Executive Committee for the 2011 ERP and mitigation plans, the ERP 2012 Status Update, and the 2013 ERP, but not the 2013 ERP mitigation plans.[Footnote 13]

According to the CBSA ERM Policy, the Chief Audit Executive is responsible for providing an independent and objective assessment of the application of the ERM framework and ERM strategies and practices. The Chief Audit Executive’s responsibilities for ERM are being carried out through the conduct of this audit.

To conclude, the audit found that risk management practices at the corporate level are regularly monitored by oversight bodies within the Agency.

Recommendation 2:

The Vice-President of the Corporate Affairs Branch should adhere to the CBSA ERM Policy and Guidelines to ensure that formal mitigation plans below the corporate level are developed, implemented and monitored.

Management Action Plan

The Corporate Affairs Branch agrees with this recommendation. The Branch has fully integrated risk management considerations into the 2015–2018 integrated business plan templates at the branch level. This includes requests for information from branches to develop their formal risk mitigation plans to identify key directorate-level commitments that will help mitigate specific risks and risk drivers identified in the 2013 ERP. The updated ERM Policy will clarify the responsibilities and accountabilities of all vice-presidents to ensure that formal branch-level risk mitigation plans are developed, implemented and monitored, and will further clarify the role of the Vice-President, Corporate Affairs Branch in monitoring and reporting on the implementation of the ERM Policy.

Completion date: November 2015

Appendix A – About the Audit

Audit Objectives and Scope

The audit objective was to provide assurance that the Agency’s Enterprise Risk Management Framework is in place, that Agency risks are identified, assessed and managed effectively for achieving objectives, and that risk information is integrated into planning and decision making.

The audit scope covered the ERM control framework and processes at both the corporate level and within selected Branches and Programs, in addition to how risk information was integrated into existing management activities, including business and operational planning and decision-making. It focused on the Agency’s ERM Policy, procedures and tools, and also considered how other risk management documents, including, but not limited to, the National Border Risk Assessment, the Departmental Security Plan, the Strategic Emergency Management Plan and Major Projects, were used in the ERM process.

The audit was conducted from February 2014 to August 2014 and focused on the process for developing the Enterprise Risk Profile, which is part of the ERM process and control framework. Observations are based on the 2013 ERP, which was the most recent version at the time of the audit.

Finally, the audit examined whether the ERM process is being properly integrated with strategic and operational plans across the Agency at the branch and PMT level.

An audit of Enterprise Risk Management was approved by the Agency’s Audit Committee as part of the Risk-Based Audit Plan 2013–2014 to 2015–2016.

Risk Assessment

Our risk assessment conducted during the planning phase identified the following key risk areas:

  • If the Agency’s ERM process, including monitoring, does not align with an appropriate risk management framework (such as the TBS Framework for the Management of Risk) and is not appropriately communicated, the effectiveness of ERM across the Agency could be reduced.
  • If the ERM process is not informed by the appropriate individuals across the Agency, there is a risk that risk profiles and decisions resulting from them will not be reflective of current and actual risks threatening the achievement of Agency objectives.
  • If ERM is not fully integrated into planning and decision-making practices and risk information is not shared across the Agency, there is a risk that the identified vulnerabilities may not be used for planning and resource allocation purposes, and may not be managed and mitigated effectively for achieving objectives.

Approach and Methodology

The examination phase of this audit was performed using the following approach:

  • Reviewing key risk management documents;
  • Conducting interviews on ERM processes, roles and responsibilities, oversight function and monitoring, etc.;
  • Reviewing management committee terms of reference and records of decision;
  • Reviewing documents relating to ERM monitoring processes and reports;
  • Reviewing a sample of risk assessments; and
  • Reviewing a sample of key organizational planning documents.

Audit Criteria

Given the preliminary findings from the planning phase, the following criteria were chosen:

Lines of Enquiry (numbered) and Audit Criteria (bulleted)
1. Risk Management Framework
  • 1.1 The CBSA’s risk management framework and processes are documented, complete and communicated across the Agency.
2. Risk Management Practices
  • 2.1 Management identifies and assesses significant risks that may preclude the achievement of its objectives.
  • 2.2 Management identifies and assesses the existing controls that are in place to manage its risks.
  • 2.3 Management formally responds to its risks, and communicates both risks and risk management strategies to appropriate stakeholders across the organization enabling the Agency to carry out its responsibilities.
  • 2.4 Risk information is integrated in and used for planning and decision-making purposes.
  • 2.5 Risk management is regularly monitored by oversight bodies within the Agency.

Appendix B – List of Acronyms

BMT – Branch Management Team
CBSA – Canada Border Services Agency
CRO – Chief Risk Officer
DPR – Departmental Performance Report
ERM – Enterprise Risk Management
ERMTID – Enterprise Risk Management and Transformation Initiatives Division
ERP – Enterprise Risk Profile
MAF – Management Accountability Framework
PMT – Program Management Table
TBS – Treasury Board Secretariat
RPP – Report on Plans and Priorities

Notes

Footnote 1: Adapted from the CBSA ERM Policy, Appendix A.

Footnote 2: TBS Guide to Integrated Risk Management.

Footnote 3: Adapted from the TBS Risk Management site.

Footnote 4: Treasury Board Secretariat, Centre for Excellence on Risk Management (http://www.tbs-sct.gc.ca/tbs-sct/rm-gr/rm-gr-eng.asp).

Footnote 5: TBS Risk Management Framework, Annex A.

Footnote 6: CBSA Risk Management Enterprise Handbook.

Footnote 7: Program Management Tables support strategic planning and horizontal communications across the Agency. More specifically, the roles of Program Management Tables (PMTs) include establishing program priorities, resource allocations, performance measures and risks; identifying and leveraging best practices; understanding program costs; developing national consistency across program areas; and conducting strategic planning activities (i.e. longer-term priority setting and succession planning). This has been identified as part of the CBSA governance since 2012, and is part of the Functional Management Table.

Footnote 8: Refer to the individual BMT/PMT Risk Profiles.

Footnote 9: Adapted from the Risk Management Handbook.

Footnote 10: The audit did not examine the voting results.

Footnote 11: Adapted from the Integrated Business Planning Guidance.

Footnote 12: Executive Committee Terms of Reference.

Footnote 13: Note that at the time of the audit, the 2014 ERP had not yet been prepared/approved.

Footnote 14: Privy Council Office, Orders in Council – SI/2011-0095, Public Service Rearrangement and Transfer of Duties Act, http://laws-lois.justice.gc.ca/eng/regulations/SI-2011-95/FullText.html

Footnote 15: Based on the preliminary risk assessment.
