Enhanced Risk Management Policy

Approved By: City Council
Category: General Administration
Approval Date: September 12, 2001
Effective Date: September 12, 2001
Revision Approved By:
Revision Date: August, 2013
Review Date:

Policy Statement

The City of Ottawa is committed to the practice of Enhanced Risk Management (ERM) to ensure risks that impact the City's strategies and objectives are managed.

Purpose

This policy is designed to create a risk-aware corporate culture where the management of risks is integrated into the operations and administration of the City. The policy ensures all City employees understand their responsibilities related to risk management and are aware of the process to identify risks, and what must occur once potential risks are identified.

The objectives of Enhanced Risk Management are to:
- Embed risk management into the culture of the City;
- Reduce events or conditions that create uncertainty;
- Ensure that unplanned events are managed effectively;
- Provide common and consistent risk management processes and practices.

Application

This Policy applies to all City employees. It applies to all work at strategic, corporate and operational levels including projects and work activities where risk is inherent.

Policy Requirements

Employee and Departmental Requirements

Employees are expected to promote and facilitate appropriate risk control techniques to manage the risks to the public and employees' health, safety and security, mitigate liability and protect corporate assets against loss and damage. Employees have a responsibility to report incidents, assess exposures, reduce, control and monitor risk in programs and operations. Employees also have a responsibility to bring emergent or newly identified potential risks to the attention of a supervisor/manager, and the supervisor/manager has a responsibility to mitigate the risk, or escalate it to the next level of authority until the risk receives the appropriate level of visibility, action and control.

For managers, the effective management of risk is considered a core competency, and must be reviewed as a measure of job performance during the City's annual performance review cycle.

The City is also committed to a systematic ERM approach, which allows for the proactive detection, mitigation and reporting of risks. Departments are responsible for following this approach. The systematic ERM approach, which is detailed in the Risk Management Framework, includes the following steps:
- Conduct regular risk assessments to: identify, assess, analyze, evaluate, categorize and prioritize risks;
- Accept or mitigate risks;
- Monitor, report and document risk activity;
- Escalate risks to the next level of authority, when appropriate;
- Communicate risks and mitigation strategies internally and to senior management, as well as to Council, Committee, as appropriate;
- Ensure that all staff are aware of their responsibility to manage risk at all levels.

Tracking and Reporting (Corporate Risk Profile)

The main vehicle for ERM reporting is the Corporate Risk Profile. Refreshed once per term of Council and updated annually, departments must report regularly on their risks via the Corporate Risk Profile, following the format, process and timelines set out by Executive Committee. The Corporate Risk Profile requires departments to report on both the impact and likelihood of risks occurring, what mitigations are proposed, planned and/or in progress.

Responsibilities

The management of risk is a shared responsibility at all City levels. The governance model is depicted in Appendix A. All employees are required to demonstrate risk-aware thinking and accountability and communicate significant risks to their managers, escalating the risks as documented in Appendix B when warranted. The governance model for ERM, escalation process and terms of reference for the Steering and Practitioners committees are attached as Appendix A, B, and C respectively.

City Council approved, oversees and promotes the ERM initiative.

The City Manager ensures compliance with the ERM Policy and for overall risk management throughout the City.

Executive Committee retains overall accountability for ERM, sets the City's risk tolerance and approves the ERM framework.

The Senior Management Committee oversees the implementation of an appropriate ERM program. Managers support the City's ERM philosophy, promote compliance and manage risks within their spheres of responsibility, consistent with the City's risk appetite.

The Corporate Risk Steering Committee provides executive oversight of the Enhanced Risk Management framework and provides executive direction on risk-based decision-making. The Steering Committee is the authority on reviewing and approving the Corporate Risk Profile. The Steering Committee will also review escalated risks and make recommendations to Executive Committee on the overall management of risk in the organization.

The Corporate Risk Management Practitioners Committee supports the development and implementation of the Enhanced Risk Management (ERM) organizational framework through shared learning. They are the liaison between the corporate office and departments for risk-related items and activities.

Managers are accountable for the effective management of risk within their units, branches and departments. They are responsible for the application of risk-aware thinking in day-to-day activities. Utilizing the tools available, they identify, assess, mitigate and report on risk. Employees in a management role have an increased responsibility to be aware of and act on risk management, and to this end, competency in the management of risk has been built into the annual review process for these employees.

Corporate Risk Management within the Corporate Programs and Business Services department provides guidance for the advancement and support of ERM throughout the City. The Corporate Risk Management office develops, implements and maintains the framework for the management of risk including tools and training. It develops and executes ERM initiatives and ensures the integration of ERM with strategic management and decision processes. It maintains and reports on the Corporate Risk Profile, which is maintained on a cycle to coincide with the Term of Council.

All employees are responsible for managing risks as described in this Policy.

Monitoring/Contraventions

Departmental Management Teams will monitor the application of the ERM Policy to ensure that policy requirements are met within their jurisdictions. The ERM Policy and its framework will be regularly reviewed, verified and continually improved.

References

n/a

Legislative and Administrative Authorities

- Audit of the Management Control Framework Recommendations, Office of the Auditor General, 2005
- City Council Minutes, Risk Management Policy Statement, Sept 12, 2001
- Council-approved Audit Recommendations, May 9, 2007
- Council-approved Long-Range Financial Plan Sub-Committee, Report 3 Recommendation to implement Phase 1 of an ERM process, March 26, 2008

Definitions

Corporate Risk Management Practitioners Committee: a group of risk-minded individuals who act as their departmental liaison for risk management matters and initiatives, while actively contributing to the corporate knowledge base by sharing experiences, skills and providing input on best practices.

Corporate Risk Steering Committee: a senior management committee formed to oversee, guide and monitor ERM at the City of Ottawa.

Corporate Risk Profile: a detailed, cross-departmental picture of risks and associated impacts, likelihood and mitigations. The Corporate Risk Profile is reviewed and reported on a regular schedule each year, and formally refreshed once per term of Council.

Enhanced Risk Management (ERM): provides a continuous, proactive, systematic and consistent approach to understand, manage and communicate risks from an organization-wide perspective.

Risk: an event or conditions that create uncertainty around the achievement of objectives and/or variation of the expected outcome(s) over time. Risk is inherent in any business venture. Risks can be threats or opportunities and are measured by impact/consequences and likelihood/probability.

Risk Management: the systematic process of identifying, analyzing and responding to risk. Risk Management includes the avoidance and/or mitigation of hazards, the management of uncertainty and the harnessing of opportunities.

Risk Owners: are accountable for the risk (usually the operating department) and responsible to implement the risk treatment, maintain risk controls, document and report relevant risk information.

Risk Tolerance (or Risk Appetite): the total amount of risk acceptable to Council and senior management while pursuing the City's mission and vision. It is the City's readiness to bear risks after mitigations are effected. The measurement of risk may be evaluated qualitatively or quantitatively. Risks need to be brought within the City's risk tolerance. The Risk Impact Measurement chart sets out the City's tolerance for risk.

Keyword Search

- Corporate Risk Management
- ERM
- Enhanced Risk Management
- Enterprise Risk Management
- Risk
- Risk Appetite
- Risk Committee
- Risk Impact
- Risk Management
- Risk Owner
- Risk Tolerance
- Steering Committee

Enquiries

For more information on this Policy, contact:
Corporate Risk Management office
Corporate Programs and Business Services
Corporate Business Services
Tel: , ext

Appendices

- Appendix A - Governance Model for Enhanced Risk Management
- Appendix B - Escalation Model for Enhanced Risk Management
- Appendix C - Terms of Reference for Corporate Risk Management Practitioners Committee and Corporate Risk Steering Committee