Audit Report of the Corporate Risk Management  Framework Final 2009 09 28
12 pages
English


Audit of the Corporate Risk Management Framework
AUDIT REPORT
Project # 08/09 01–04
prepared by the Audit and Evaluation Directorate
SEPTEMBER 2009

AUDIT OF THE CORPORATE RISK MANAGEMENT FRAMEWORK
PROJECT # 08/09 01-04 AUDIT REPORT

Table of Contents
1.0 SUMMARY .............................................................................. 3
1.1 AUDIT OBJECTIVE ...................................................................... 3
1.2 AUDIT OPINION ........................................................................ 3
1.3 STATEMENT OF ASSURANCE .............................................................. 3
1.4 SUMMARY OF RECOMMENDATIONS .......................................................... 3
2.0 AUDIT REPORT ......................................................................... 5
2.1 BACKGROUND ........................................................................... 5
2.2 AUDIT OBJECTIVE, SCOPE AND APPROACH .................................................. 6
2.3 FINDINGS, RECOMMENDATIONS AND MANAGEMENT RESPONSES ................................... 7
2.3.1 CORPORATE RISK MANAGEMENT FRAMEWORK ................................................ 7
2.3.2 CORPORATE FRAMEWORK—BASIC PRINCIPLES OF INTEGRATED RISK MANAGEMENT ................ 10
2.3.3 CORPORATE RISK MANAGEMENT FRAMEWORK FULLY APPLIED ................................. 10
Appendix 1 Management Action Plan ....................................................... 11
AUDIT AND EVALUATION DIRECTORATE
2
1.0 SUMMARY

1.1 AUDIT OBJECTIVE
The objective of the audit is to evaluate to what extent management had set up a corporate risk management framework that provided for operational risk to be taken into account.
1.2 AUDIT OPINION
In our opinion, the Corporate Risk Management Framework has moderate issues requiring management focus.
1.3 STATEMENT OF ASSURANCE
In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time of the audit, against pre-established audit criteria, and is only applicable to the particular entity examined. The evidence was gathered in compliance with Treasury Board policy, directives and standards for internal audit. The evidence has been gathered to be sufficient to provide senior management with the proof of the opinion derived from the internal audit.
1.4 SUMMARY OF RECOMMENDATIONS
The Safety and Program Assurance Directorate is responsible for directing and coordinating the risk management function at the Canadian Space Agency (CSA). To properly do so it relies on the cooperation of personnel in all sectors and at all management levels.
In general, our audit has shown that CSA’s Corporate Risk Management Framework is in accordance with the Integrated Risk Management Framework (IRMF) of the Treasury Board Secretariat (TBS).
Moreover, following our examination of CSA’s Corporate Risk Management Framework, we recommend
• that the corporate policy and associated procedures be finalized, approved and disseminated;
• that the necessary particulars be added to clearly distinguish the Corporate IRMF from the Project Management Framework, which contains a risk management component;
• that the information pertaining to the Corporate IRMF be presented in its own intranet section;
• that the role of risk management champion be assumed by a senior manager who has a corporate vision; and
• that the responsibility for the risk management function be exercised by the incumbent of the Director, Planning and Performance position.
Signature of the Chief Audit Executive: Original signed by Dominique Breden
Audit team member: Jimmy Cheung
2.0 AUDIT REPORT

2.1 BACKGROUND
In addition to control and governance processes, risk management constitutes the other component of CSA’s management framework.
Project management has always been at the heart of CSA’s activities. In December 1999 the Treasury Board approved a risk management framework, as proposed by CSA, to ensure, in particular, that project-related risks were financed within approved reference levels. Since 1999, the Project Risk Management Framework has been an integral part of the Project Approval and Management Framework (PAMF).
Even though project management lies at the heart of CSA activities, we noted, following an analysis of the 2009–2010 Annual Reference Level Update, that CSA devotes only about 33% of its budget envelope of approximately $300 million to project activities, and 67% to its other program activities and corporate services.
In 2001, with the publication of the IRMF, the TBS provided managers throughout the federal government with a systematic approach, applicable to the whole organization, that would inculcate concepts and practices conducive to the establishment of a risk-conscious environment. That approach is based on the development of a corporate risk profile, the creation of an integrated risk management function, the practice of integrated risk management and continuous learning.
CSA began implementation of a corporate IRMF in May 2005 so as to introduce an integrated risk management approach in all of its operations.
AN OVERVIEW OF THE CORPORATE RISK MANAGEMENT PROCESS
Responsibility for the Agency’s risk management function, commonly called "corporate risks," lies with the Director, Safety and Program Assurance, who is also responsible for PAMF administration.
The table below gives an overview of the Agency’s IRMF and the PAMF risk management process.
The table is organized by risk management principle (Planning; Identification; Assessment; Reaction; Monitoring and control), with one column for the Agency’s IRMF and one for the PAMF. The two columns are reproduced below in the order in which the table presents them.

Agency’s IRMF (Corporate Risks)
• Sectors are to begin analyzing risks that may adversely affect achievement of their objectives
• Sectors are to share their risk analysis
• Risks are recorded and consolidated in a database – Consolidated Corporate Risks
• Each type of risk is classified according to its effect on the following:
  – vision and business strategy
  – space systems
  – stakeholder support
  – trust in CSA governance
  – integration and implementation
  – workforce
• Risk assessment is done on the basis of a matrix that combines the probability of occurrence and the impact
• CSA’s risk profile is established
• Mitigation measures are developed
• An action plan is developed
• Risk management committees (RMCs) are formed in each sector
• The risk profile and the mitigation measures are approved by the Executive Committee
• The approved action plan is integrated into the sectors’ work plans and the Report on Plans and Priorities

PAMF / Risk Management
• The PAMF integrates risk management principles
• The project manager must integrate the results of his or her risk assessment into the Project Approval Document (PAD)
• Project managers identify and document risk in a database – the Risk Information and Assessment System (RIAS)
• Each type of risk is classified according to its effect on the following:
  – cost
  – schedule
  – technical performance
  – programming
• Risk assessment is done on the basis of a matrix that combines the probability of occurrence and the impact
• Mitigation measures are developed
• Risk funding is calculated on the basis of quantified, weighted risks
• Reserve funds are kept at a level that will cover all identified and unforeseen risks that may arise during a given year
• The project manager regularly follows up on identified risks
• Risk management committees (RMCs) are formed in each sector
• Reserve funds are decommitted, subject to RMC approval, when the risk materializes
• PAMF staff monitor compliance

2.2 AUDIT OBJECTIVE, SCOPE AND APPROACH
The objective of the audit was to evaluate to what extent management had set up a corporate risk management framework that provided for operational risk to be taken into account.
The current audit project focused specifically on CSA’s corporate risk management framework. Moreover, as indicated in the Internal Audit Plan of the Audit and Evaluation Directorate, risk profile development will be reviewed in the course of a government-wide audit project conducted by the Office of the Comptroller General.
Various audit processes were employed, including staff interviews and reviews and analyses of documents and records. In developing audit criteria, we relied on the Treasury Board Secretariat’s Integrated Risk Management Framework (IRMF) and Integrated Risk Management Implementation Guide.
2.3 FINDINGS, RECOMMENDATIONS AND MANAGEMENT RESPONSES

2.3.1 CORPORATE RISK MANAGEMENT FRAMEWORK
The Safety and Program Assurance Directorate is responsible for coordinating risk management at the Agency, in compliance with the Treasury Board’s IRMF. Hence, we expected to find a governance framework in place including the following main elements:
• an approved corporate policy and procedures;
• defined roles and responsibilities;
• a defined, common risk management terminology; and
• an established risk management process.
In general, management has set up a corporate risk management framework well suited to all CSA operations. However, we want to point out certain findings that require management attention.
CORPORATE POLICY AND PROCEDURES
CSA should have
• an approved corporate policy and procedures for integrated risk management;
• a corporate policy and procedures embodying clear terminology; and
• a good communication strategy, to ensure that management expectations are properly understood.
We found that many reference and working documents were made available to staff to help them perform their risk management duties. However, no approved corporate policy and procedures yet exist, although there are draft versions, dated February and April 2008 respectively.
It is important for these instruments to be finalized, setting out principles, requirements and the scope of implementation, among other things, so that management expectations as regards risk management may be formally communicated to all levels of management, in all sectors.
RECOMMENDATION
1) The person responsible for the risk management function should finalize the corporate policy and associated procedures and have them approved and disseminated.
MANAGEMENT RESPONSE
The Director, Safety and Program Assurance agrees with the recommendation.
INFORMATION DISSEMINATION
To ensure successful corporate IRMF implementation, management should develop instructions and tools and ensure that all CSA staff are aware of them. The Intranet is an ideal (and common) medium for such staff information.
Even though risk management is a corporate management function, we have found, on the one hand, that the corporate IRMF reference documents appearing on the Intranet are part of the PAMF documentation system and, on the other hand, from reading them, that the information is excessively project-oriented.
It is vital to make it clear that CSA has a corporate risk management framework and that that framework is a corporate management function that applies to all levels of management, in all sectors, for all operations. It is true that project management is at the heart of CSA’s activities, but it is important to put things in perspective and avoid misunderstandings by clearly distinguishing the Corporate Risk Management Framework from the Project Management Framework, which contains a component of risk management.
It is essential to make that distinction clearly, and a good way to begin would be to withdraw the corporate IRMF documentation from the PAMF documentation system, and instead to present and distribute it in a separate Intranet section.
RECOMMENDATIONS
The person responsible for the risk management function should
2) see that the necessary particulars are added to clearly distinguish the Corporate IRMF from the Project Management Framework, which contains a risk management component; and
3) present the information pertaining to the Corporate IRMF in its own Intranet section.
MANAGEMENT RESPONSE
The Director, Safety and Program Assurance agrees with the recommendations.
RISK MANAGEMENT CHAMPION
We expected to find a risk management champion appointed by the President. The champion’s role should be assigned to a senior manager, since that person must supply the necessary leadership to obtain the unanimous support of management and staff. As part of the implementation of a corporate IRMF, the chosen champion must demonstrate how integrated risk management will help management to achieve the organization’s objectives. He or she must promote a risk management approach and culture that will extend to all operations, and must maintain constant communications with all sectors and levels of management, since the success of integrated risk management depends on the combined efforts of all staff. In addition, the champion is responsible for monitoring the implementation of integrated risk management.
The role of integrated risk management champion has been assigned to the incumbent of the Senior Vice-President position, which, however, has been vacant since November 2008. For the time being, the champion’s role is being played by the Director, Safety and Program Assurance.
RECOMMENDATION
4) The President should ensure that the role of risk management champion is assumed by a senior manager (XC member) who has a corporate vision.
MANAGEMENT RESPONSE
The function of corporate risk supervision will be performed by its champion, the Chief Financial Officer. This follows from his or her existing role as PAMF champion (which includes project-level supervision) and the fact that the two functions are highly integrated.
RESPONSIBILITY FOR THE RISK MANAGEMENT FUNCTION
Responsibility for directing and coordinating integrated risk management has always been discharged by the Director, Planning and Performance. In August 2007, that responsibility was transferred to the Director, Safety and Program Assurance.
It is, however, more appropriate for risk management to be an integral part of the corporate planning function, since the goal sought is the integration of risk management into CSA’s planning and priority-setting process.
Moreover, placing the responsibility for risk management with the office of the Director, Planning and Performance, emphasizes that risk management applies to all CSA operations. Since the Director, Safety and Program Assurance has responsibility for the PAMF administration, one might suppose risk management applied only to project management.
RECOMMENDATION
5) The President should ensure that responsibility for the risk management function is exercised by the incumbent of the Director, Planning and Performance position.
MANAGEMENT RESPONSE
The recommendation for corporate risk management to be once again the responsibility of the Planning and Performance Directorate is accepted in principle, but this will be confirmed later in the year. In making the transfer, we need to be aware of links to other functions, such as PAMF management and the GIP project (investment planning and project management policies), and of the impact of the resources required for all these functions.
2.3.2 CORPORATE FRAMEWORK—BASIC PRINCIPLES OF INTEGRATED RISK MANAGEMENT
Risk management should include a set of management practices whereby risks may be identified, assessed, communicated and managed. Risk management should improve decision making, bolster the governance structure and enhance the ability to meet CSA objectives. We expected to find the basic principles of integrated risk management, including the following:
• Risk identification;
• Risk assessment;
• Reaction to risk; and
• Continuous risk monitoring.
Our findings revealed that management has indeed implemented the principles of integrated risk management in accordance with what is proposed in the TBS’s IRMF.
2.3.3 CORPORATE RISK MANAGEMENT FRAMEWORK FULLY APPLIED
We expected to find that integrated risk management would be fully applied to all CSA operations.
Before the implementation of the corporate IRMF, CSA had a risk management framework essentially focused on project activities. Since 2005, that is, since implementation of the corporate IRMF began, CSA has had a risk management framework that integrates into decision-making processes the risks that may hinder achievement of organizational objectives. The effect of the corporate IRMF is that all levels of management, throughout the organization, are required to assess the risks that may affect their operational activities.
Our findings revealed that management is applying integrated risk management to all of its operations.
Appendix 1 Management Action Plan

Columns: REF. | Recommendations | Responsibility Identified (Organization / Function) | Details of Action Plan | Timetable

2.3.1 Corporate Risk Management Framework

REF. 1)
Recommendation: The person responsible for the risk management function should finalize the corporate policy and associated procedures and have them approved and disseminated.
Responsibility Identified: Director, Safety and Program Assurance
Details of Action Plan: This recommendation is accepted.
  a) Finalization of terms of reference and conditions governing RMCs
  b) Finalization of the GIP project (investment planning and project management policies) by June 10, 2010
  c) Two new project manager positions will be provided under the Safety and Program Assurance Directorate’s 09/10 human resources plan (one new FTE for March 2010 and another for March 2011), if approved.
  d) Finalization of the corporate policy (taking into account the comments from the GIP project)
  e) Approval of the corporate policy by the Executive Committee (XC)
  f) Distribution of the corporate policy (presented to sectoral management committees and posted on the intranet site)
Timetable:
  a) December 2009
  b) June 2010
  c) March 2010 / March 2011
  d) October 2010
  e) November 2010
  f) February 2011

REF. 2)
Recommendation: The person responsible for the risk management function should see that the necessary particulars are added to clearly distinguish the Corporate IRMF from the Project Management Framework, which contains a risk management component.
Responsibility Identified: Director, Safety and Program Assurance
Details of Action Plan: This recommendation is accepted. Corporate Risk Management and Project Risk Management will be documented in such a way as to show the differences and interactions between the two. These documents will be referred to the XC for approval and officially posted on the intranet site.
Timetable: XC presentation: January 15, 2010; finalization on intranet site: March 15, 2010