Health Canada

Final Audit Report - Audit of Integrated Risk Management

December 2008


Executive Summary

Risk management is a shared responsibility amongst Health Canada's decision-makers and is defined as the systematic process, including the practices and procedures, that the Department uses to identify and manage its strategic risks.

The objective of the audit was to determine if an effective control framework is in place to support integrated risk management at Health Canada, including leadership, policies, processes, planning and learning.

Audit work covered activities that took place from fiscal years 2005-06 to 2007-08 and reports on actions taken up to the end of the fieldwork. The audit focussed on the Office of Integrated Risk Management and departmental planning, progress reporting and learning activities.

The audit did not attempt to assess the risks in the Corporate Risk Profile (CRP) or to identify the full complement of risk management practices in the Department.  In addition, regulatory risk was not included as part of the scope of this engagement due to the audit conducted by the Office of the Auditor General and reported in chapter 8 - Allocating Funds to Regulatory Programs (2006).  Further, the audit did not examine the Department's management of specific risks related to the health and safety of Canadians such as a contaminated food product or an unsafe consumer product.

The audit was conducted in accordance with the professional standards of practice as outlined in the Government of Canada's Policy on Internal Audit.

As a pilot department for modern comptrollership, Health Canada has been working towards integrating risk management into its management practices since 2002.  In that year, the Departmental Executive Committee (DEC) agreed to proceed with the implementation of the Departmental Integrated Risk Management Framework.

During the time of the audit, senior management had not been receiving updates on the Department's progress in implementing the Integrated Risk Management Framework, nor did they receive the 2006 and 2007 CRP for discussion and approval.  The department had yet to establish a continuous, systematic process for profiling its risks on a department-wide basis.  Furthermore, the CRP was limited to identifying risks related to the functional support activities of the Department (e.g. human resources and information technology).

There are four different "risk" reporting mechanisms that are producing different risk results (the Corporate Risk Profile, the Report on Plans and Priorities, the Departmental Performance Report and Branch Plans).  The inconsistency between these areas of risk reporting needs to be eliminated.

Risk practices across Health Canada vary widely amongst branches. In some cases, these processes are highly developed whereas others have barely been formalized. Evidence shows that where individual branches have taken the lead to fund dedicated resources to profile their risks and to develop mitigating strategies, they have been able to prepare and implement focused and innovative risk management strategies.

The lack of an overall internal communication strategy combined with an outdated website and database may have made it more difficult for managers to develop the required knowledge, skills and tools to manage risks effectively.

Management agrees with the recommendations. Its response indicates its commitment to take action. In fact, it has already started to implement many of the proposed actions that will address the findings.

Introduction

The Growing Importance of Risk Management

In early 2000, the Government of Canada put forth an agenda for change, which made a commitment to modernize comptrollership across the government and, within that context, ensure risk management was integrated into departmental decision-making processes. 

Treasury Board Secretariat of Canada introduced the Management Accountability Framework (MAF) in 2003. The MAF is structured around ten key elements that collectively define management and establish the performance expectations of senior public servants. One key element of the MAF is risk management, which requires the executive team to define the corporate risk context and practices and to manage organizational and strategic risks. Each year Health Canada is assessed on its progress towards meeting this performance expectation.

In 2006, the Government of Canada's new Internal Audit Policy directed Health Canada's Departmental Audit Committee (DAC) to review, at least annually, the corporate risk profile and departmental risk management arrangements.

As a pilot department for modern comptrollership, Health Canada has been working towards incorporating integrated risk management into its management practices since 2002. In that year, the Departmental Executive Committee (DEC) agreed to proceed with the implementation of the Departmental Integrated Risk Management (IRM) Framework.

Risk management, as defined by Health Canada, is a systematic process that includes the practices and procedures that the Department uses to identify and manage the risks it faces.  Integrated risk management incorporates risk information into the strategic direction-setting of the Department, supports the government agenda of modernizing management practices, and supports innovation through more responsible risk-taking. The vision for modern comptrollership is that management decisions, at every level, integrate risk management.

Integrated Risk Management Milestones

  • Approval of Departmental Integrated Risk Management Framework (2003)
  • Establishment of the Office of Integrated Risk Management (2003)
  • Approval of the first Corporate Risk Profile (2003)

Office of Integrated Risk Management

In 2003, Health Canada set up an Office of Integrated Risk Management (the Office) to facilitate the implementation of the IRM Framework and action plan. As well, the Office remains accountable for identifying effective linkages with all other related initiatives and processes across corporate, branch and agency levels and for ensuring that the Senior Management Board and its sub-committees are kept informed of integrated risk management activity.

The Office also acts as a centre of excellence for the Department and functions as a single window with Central Agencies and other government departments regarding IRM. To strengthen the authority and reach of the Office within Health Canada, a Risk Management Champion was assigned. The current champion of IRM is the Chief Financial Officer.

The Office maintains the IRM Network. All branches, regions and areas of functional expertise were directed by the Departmental Executive Committee (DEC) to assign a senior official to a network responsible for taking the necessary actions to implement the Integrated Risk Management (IRM) Framework in their respective branches/agency and for acting as a lead for incorporating risk management practices.

Objective

The objective of the audit was to determine if an effective control framework was in place to support integrated risk management, including leadership, policies, processes, planning and learning.

The report does not attempt to develop a new Health Canada Corporate Risk Profile or to identify and assess departmental risks.

Scope and Approach

The audit was conducted in accordance with the Government of Canada's Policy on Internal Audit.   Audit work covered activities that took place from fiscal years 2005-06 to 2007-08 and reports on actions taken up to the end of the fieldwork. The audit focussed on the Office of Integrated Risk Management and departmental risk planning, progress reporting and learning activities.

The audit did not attempt to assess the risks in the Corporate Risk Profile (CRP) or to identify the full complement of risk management practices in the Department.  In addition, regulatory risk was not included as part of the scope of this engagement due to the audit conducted by the Office of the Auditor General and reported in chapter 8 - Allocating Funds to Regulatory Programs (2006). Further, the audit did not examine the Department's management of specific risks related to the health and safety of Canadians such as a contaminated food product or an unsafe consumer product.

Audit Criteria were guided by Treasury Board of Canada Secretariat's Core Management Controls: A Guide for Internal Auditors and were accepted by the Office of Integrated Risk Management.

Methodology included a literature review of risk management practices, interviews with senior management, including staff in the Office of Integrated Risk Management and the members of the Department's Integrated Risk Management Network. The audit team also reviewed all departmental, branch, regional and agency business plans, yearly Corporate Risk Profiles (CRPs) and the corresponding environmental scans, the Management Accountability Framework (MAF), the Departmental Performance Report (DPR), and the Report on Plans and Priorities (RPP).

Audit work was carried out primarily at Health Canada's headquarters and regional work was conducted via telephone interviews and document requests.

Findings, Recommendations and Management Responses

Governance

Audit Criterion

A corporate level senior organizational committee should provide leadership and actively support integrated risk management.

Leadership and Support for IRM

Between 2002 and 2007, the Departmental Executive Committee (DEC) was the key corporate-level senior organizational committee responsible for ensuring that these expectations for IRM were met. Beginning in 2002, when Health Canada agreed to be a pilot department for modern comptrollership, many initiatives were carried out to create a successful environment for integrating risk management.  Support was demonstrated when senior management approved the creation of the Office of Integrated Risk Management (the Office), assigned a Champion for risk management, and earmarked funding for its activities.  The DEC also instituted the IRM Network, discussed later in this report.

According to Treasury Board of Canada Secretariat guidance, integrated risk management typically involves providing senior management with up-to-date information on an organization's progress in implementing IRM.  Such information would signal to senior management any emerging problems and would enable them to make timely corrections.

During the period under review, Health Canada's senior management had not been receiving updates on the Department's progress in implementing the Framework. For example, it did not receive the 2006 and 2007 Corporate Risk Profiles for discussion and approval. According to Treasury Board of Canada Secretariat guidelines, this information increases a department's capacity to make informed decisions relating to effectively managing corporate risks.

Although Health Canada is into its fifth year of the integrated risk management initiative, it has yet to establish a formal basis for reporting on progress.  Reporting has typically consisted of meetings, discussions and presentations that have focussed on the Office's activities related to risk management.  As well, the Departmental Performance Report for 2006-2007 did not include progress in implementing integrated risk management.

A New Governance Structure

During the course of the audit, Health Canada revised its governance structure. Under the new structure, the Senior Management Board (SMB) replaces the Departmental Executive Committee (DEC). Its role remains the same:  to provide strategic overall direction in the Department. Included in this governance structure is a new SMB-Risk Management sub-committee (SMB-RM). This sub-committee was established to address the risks associated with emerging scientific, health or legal risks confronting the Department. Meanwhile, the SMB-Finance, Evaluation and Accountability (SMB-FEA, previously DEC-FEA) sub-committee continues to have specific responsibility for integrated risk management.

Additional support will also come from the new Departmental Audit Committee (DAC), created as a result of the new Government of Canada internal audit policy. Its first meeting was held in April 2008. The DAC is intended to provide independent and objective advice, guidance and assurance to the Deputy Minister in various areas, including risk management.

Beyond having a policy and framework for integrating risk management across the Department, Health Canada has a Champion for IRM who provides visible and continuous support.  The Deputy Minister has assigned the role of champion to the Chief Financial Officer (CFO).  The CFO has direct accountability and authority for the Office of Integrated Risk Management and chairs the SMB-FEA sub-committee. This combined authority should afford stronger corporate leadership and better, coordinated direction for the integrated risk management function.

Given that the new SMB-RM and other elements of the new governance structure were instituted later in the audit process, no audit work was conducted to assess their effectiveness and the extent to which these factors will contribute to strengthening IRM in the Department.

Recommendation #1

It is recommended that the Chief Financial Officer establish a formal process for reporting on the progress of integrated risk management in the department and that they present, at least annually, the Corporate Risk Profile to the Senior Management Board for review, discussion and approval.

Management Response

The Chief Financial Officer accepts the recommendation.  Recent changes in the alignment of the Senior Management Board (SMB) and its sub-committees have contributed to a renewed emphasis in their mandates on integrating risk management in discussions and decisions.   A new SMB-Risk Management sub-committee was created to specifically review risks related to scientific, health, legal and communications issues.  The SMB-Finance, Evaluation and Accountability sub-committee continues to have specific responsibility for integrated risk management.  The 2008 Corporate Risk Profile was presented to SMB-Policy for discussion on November 17, 2008 and will be presented to both the SMB and the Departmental Audit Committee on an annual basis.

Policy and Process

Audit Criterion

Health Canada should have a framework for integrated risk management and a profile of its corporate risks. 

IRM Framework

The Treasury Board of Canada Secretariat's Integrated Risk Management (IRM) Framework (2001) was an initiative designed to strengthen management capabilities in departments and agencies with respect to managing risk. As noted earlier, the Department established the Office of Integrated Risk Management (the Office) in 2003 to facilitate the implementation of the Framework. As well, the Office was expected to be the risk management "centre of excellence" for the Department. It was responsible for developing the policies, strategies and processes for implementing the IRM Framework and, most importantly, for profiling the Department's risks.

As noted earlier, initial efforts of the Office (led by one director and a senior policy analyst) were successful and saw the development of an IRM Framework, a corporate risk profile and the creation of a network of senior officials to guide the implementation of the Framework.

Health Canada has had an IRM Framework since 2003. It contains all the "right" components when compared to the TBS's expectations for such a framework. It includes an action plan for implementing the Framework, a coordinating strategy for integrating IRM with the planning cycle, and a description of IRM-related roles and responsibilities, including the role that senior management should play.

Over the past five years, financial and staff resources for IRM have not increased. Accordingly, Health Canada's internal capacity and support for implementing IRM on a corporate-wide basis has not kept pace with the rising expectations for this area.

In 2003, the Office of Integrated Risk Management recognized the importance of engaging the entire department in the implementation exercise, and it set up the Integrated Risk Management Network, referred to below, to work collaboratively toward implementing the departmental IRM Framework. The Network was to include a representative from each branch, region and area of functional expertise.  Setting up the Network was a useful initiative, given the diversity of Health Canada programs and the size of the Department in relation to the Office's two staff.

The Network was given ambitious terms of reference. For example, its members were expected to guide the implementation of the IRM Framework and to act as leads for integrating risk management into their organizations. They were, among other things, also expected to identify high-level corporate risks, promote best practices, and develop a common understanding of risk tolerance.

Initially, meetings were held on a monthly basis, in addition to bi-annual retreats, which were regularly attended by senior members.  However, in the last few years (2006 and 2007) the frequency of meetings and attendance has declined.  Moreover, members were often not appropriately positioned within the Department to be able to effect change.

The lack of dedicated, influential Network members and the infrequency of meetings have reduced the Network's overall effectiveness. The Office of Integrated Risk Management does not know to what degree the Network was able to fulfill its mandate.  However, Network members reported benefits in regard to understanding the corporate agenda and sharing practices.

The Corporate Risk Profile

Health Canada first profiled its risks in 2003 and has been committed to updating these risks annually. The process for reviewing and updating the CRP was combined with the internal environmental scan (IES) produced by the former Health Policy Branch. Data captured by the IES consisted of a roll-up of "organizational changes", not necessarily "organizational challenges" or risks. While combining the two processes afforded a more streamlined and consolidated approach, the objectives of the two processes are different, and the data collection methodology used to populate the IES, and thus the CRP, was limited to a small, unrepresentative cross-section of senior managers.

Although the consolidated methodology for updating the CRP was initially appropriate, Health Canada has continued to rely solely on this approach over the last five years, resulting in an outdated and potentially incomplete picture of departmental risks.

Furthermore, the Corporate Risk Profile was limited to identifying risks related to the functional support activities of the Department (e.g. human resources and information technology). It did not identify risks that directly relate to the mission of Health Canada, even though the mission is to "maintain and improve the health of Canadians".

Notwithstanding early progress (including the efforts of individual branches), Health Canada does not have a continuous, systematic process for profiling its risks on a department-wide basis. 

Recommendation #2

It is recommended that the Chief Financial Officer:

  1. update the IRM Framework; and
  2. revise and expand the Corporate Risk Profile to include risks beyond functional support risks.

Management Response

The Chief Financial Officer accepts this recommendation.  Health Canada is currently updating its IRM Framework in broad consultations with officials at all levels from across the department.  The updated IRM Framework is expected to be presented to SMB by fiscal year end.  The updated IRM Framework will build on the earlier version.  It aims to provide clear guidance on how Health Canada manages a broad range of risks at all levels within the organization.  It will outline the vision and governance structure, roles and responsibilities for risk management, expectations and accountabilities.  It will also provide information about risk management tools and training.

The 2008 Corporate Risk Profile expands on earlier versions of the departmental profiles.  It has identified a smaller number of risks that have been prioritized based on a common rating approach.  As part of the development of the 2008 CRP, a departmental risk assessment tool was developed in broad consultation across the Department.  The corporate risks identified in the CRP are assigned to senior management leads and a SMB sub-committee is identified for providing the oversight and direction for actions to mitigate key risks.

Planning

Audit Criterion

Departmental operational and strategic plans should address risks at both the corporate and branch level.

Departmental Strategic Planning

Key corporate reports such as the Department's Report on Plans and Priorities (RPP) and Departmental Performance Report (DPR) should discuss the key strategic risks identified in the Corporate Risk Profile that could prevent the branches, and therefore the Department as a whole, from achieving their departmental objectives.

A review of Health Canada's RPP, DPR and CRP revealed that these reports are producing different risk results. For example, in the 2007-08 Report on Plans and Priorities, the Health Products and Food Branch noted five major challenges "that must be addressed to help ensure continued, timely access by Canadians to safe and effective health products and a safe and nutritious food supply." However, these challenges are not reflected in the CRP. Inconsistencies between these areas of risk reporting need to be eliminated in order to promote a more systematic approach to departmental risk management and reporting.

Meanwhile, a review of the 2006-07 Departmental Performance Report revealed that it failed to discuss the integrated risk management activities of the Department and the results of mitigating actions. A discussion of risk in these reports would indicate that strategic risks and the strategies for mitigating them had been taken into account in departmental planning activities.

As long as the Corporate Risk Profile remains focused only on functional support activities, it cannot support the planning process upon which the RPP and DPR rely.

Departmental Operational Planning

The IRM Office worked with corporate planners to update the departmental operational planning methodology to include a section on risk management. For the 2008-2009 operational planning process, the new methodology called for branches to focus on identifying operational risks and developing mitigation strategies for these risks. At the same time, the methodology expects operational planners to consider the high-level risks related to the strategic outcomes of the Department's programs.

First Nations Inuit Health Branch

The First Nations Inuit Health Branch (FNIHB) categorized risks as either internal to the Branch or external to the Department in its 2006-07 and 2007-08 Departmental Operational Plans. In doing so, FNIHB should be better positioned to develop and implement sound risk management strategies.

In reviewing branch plans for the last two years, it was noted that most branches did not pay adequate attention to identifying the key risks. Most risks identified related to the effect of shortfalls in resources (particularly for human resources and accommodation). Therefore, branches may not have been focusing their risk management efforts on risks that might affect the success of the branches and the Department in critical areas. Under these conditions, Health Canada will have difficulty identifying and managing its high-level corporate risks, which include those relating to the health of Canadians. Despite these findings, a few branches did demonstrate more attention to identifying their risks (see text box).

Currently, there are four different "risk" reporting mechanisms that are producing different risk results (the CRP, the RPP, the DPR and Branch Plans).  The inconsistency between these areas of risk reporting needs to be eliminated to ensure success at building a more systematic approach to departmental risk management and to enable more consistent reporting.

Recommendation #3

It is recommended that the Chief Financial Officer work with corporate planners throughout the planning cycle so that departmental operational plans take into account the operational and strategic risks as identified in the Corporate Risk Profile, and that key departmental reporting documents, such as the Report on Plans and Priorities and the Departmental Performance Report discuss these risks and mitigating strategies.

Management Response

The Chief Financial Officer accepts this recommendation. In fact, the Office of IRM has worked closely with the strategic and operational planning groups to better integrate risks with strategic and operational plans, monitoring and reporting. The 2008 Corporate Risk Profile was developed to inform strategic planning and priority setting. It will also inform operational planning. For example, the Departmental Operational Plan clearly identifies risk and mitigation strategies that are informed by the 2008 Corporate Risk Profile (CRP) and in turn, the risks identified in operational plans and their mitigation strategies will inform the 2009 CRP. Both the Report on Plans and Priorities and Departmental Performance Report will discuss the risks and mitigation strategies identified. While progress has been made, the Chief Financial Officer will continue to work towards the improvement and integration of risk management in the Department's strategic and operational planning activities.

Branch Risk Management Initiatives

Despite the weaknesses noted above, evidence shows that where individual branches have taken the lead to fund dedicated resources to profile their risks and to develop mitigating strategies, they have been able to prepare and implement focused and innovative risk management strategies.

The following three examples illustrate risk-management initiatives in branches. Although highly promising, the operational effectiveness of these initiatives was not audited.

Example I - Healthy Environments and Consumer Safety Branch

The Healthy Environments and Consumer Safety Branch (HECSB) has been able to establish a set of risk management tools, techniques and guides. Its comprehensive Branch Risk Profile has allowed it to switch from a reactive focus to one of foresight and forecasting. The Branch's comprehensive analysis took into consideration the environmental, strategic, operational and financial risks across the Branch.

Recently, HECS Branch has revised its risk profile, conducted a program and capacity review, and created a strategic framework. In doing so, the Branch has been able to shift its risk management efforts towards a more proactive approach. The adoption of forecasting and foresight techniques will strengthen the Branch's ability to plan for, and respond to, emerging risks over the long term.

Example II - Health Products and Food Branch and Pest Management Regulatory Agency

Health Products and Food Branch and the Pest Management Regulatory Agency have developed a similar risk management tool that allows them to integrate risk management into their daily business.  These two organizations have modified their Branch Executive Committee briefing note template to include a risk questionnaire.  The questionnaire requires presenters to consider and identify the potential risks and mitigation strategies based on the amount of funding and resources an initiative may or may not receive.  This strategy encourages managers to be day-to-day risk decision-makers. 

Example III - Alberta Region

In 2005-2006, the Alberta Region established a new planning framework for integrating risk management into the business planning process. This is an important component of risk management and ensures that an organization is able to manage and mitigate risks that may affect the successful achievement of a strategic objective.

Priority activities are identified annually through a comprehensive, risk-based analysis of regional influences and their impact on operations and program delivery. Methodology for the risk-based analysis now includes, but is not limited to: the review of new and emerging central agency reporting expectations and obligations; the identification of potential areas for horizontal engagement and collaborative development on a pan-regional basis; and the review of Health Canada's Corporate Risk Profile and the internal environmental scan.

The Office of Integrated Risk Management has continued to "ever-green" its inventory of risk management practices by drawing on all branches to provide risk management strategies and practices, such as the ones noted above, which provides a useful means of tracking risk management activity. While there are some risk management strategies and practices occurring in the Department, they are operating in silos and have yet to be consolidated to influence the CRP and other corporate risk activities.

Learning and Tools

Audit Criterion

Staff should have the necessary knowledge, skills and tools to support the achievement of integrated risk management.

IRM Learning Strategies

Learning strategies complement existing risk management activity. Participating in learning interventions can help equip employees with the knowledge and skills to manage risk more effectively. The Learning Division at Health Canada does offer training on integrated risk management, and the Office of Integrated Risk Management has used its retreat as a means of educating and sharing. However, the training is only a "light" introductory course and the retreat caters to less than two percent of Health Canada's employees.

A pilot course was developed by the Office and was delivered to the Internal Control Division of the Chief Financial Officer Branch, but it has yet to be re-offered. Although the Office of Integrated Risk Management and the Network of senior officials consider training a priority, limited resources have made it difficult to develop and implement training programs. A centrally developed course would help promote consistency in integrated risk management across branches and directorates.

In the absence of department-led training, a select number of branches have implemented their own training initiatives or have attended external courses. As an example, HECS Branch provides in-house training to its employees on risk management. The training has proved successful as several employees have been exposed to the fundamentals of risk management.

IRM Tools

The Office of Integrated Risk Management does not have an internal communication strategy to disseminate senior management's expectations for implementing integrated risk management. Such a strategy would communicate, among other things, the mitigation strategies related to operational risks and senior management's stated level of tolerance for these risks.

The Office has developed a website and toolkit (also known as the IRM database) that offers access to some useful resources such as the Strategic Risk Communications Framework and the departmental Corporate Risk Profile.  However, the information contained in both the website and database has become dated.  In order to support Health Canada's managers in broadening their knowledge and application of risk management practices, information on external learning opportunities and a collection of risk management literature should be included on the website or database.

The lack of both IRM-related learning strategies and internal communication combined with an outdated website and database may have made it more difficult for Health Canada staff to manage risks effectively.

Recommendation #4

It is recommended that the Chief Financial Officer develop strategies for informing Health Canada management on IRM developments, including learning events and sharing of information, tools and best practices.

Management Response

The Chief Financial Officer accepts this recommendation.  A communications plan for risk management will be developed as part of an action plan following the approval of the Integrated Risk Management Framework by senior management.  Also, the Office of Integrated Risk Management is developing an Intranet website that will serve as an important communications vehicle for information on risk management and sharing of best practices.  With respect to learning and training, Health Canada is working with Treasury Board of Canada Secretariat - Risk Management team in the development of competencies and associated courses.  The department is hopeful that a number of useful tools and training courses for federal government employees will be developed through this initiative.

Conclusion

The audit of integrated risk management reviewed the effectiveness of the control framework in place to support integrated risk management, including leadership, policies, processes, planning and learning.  

The Chief Financial Officer Branch initially made good progress towards integrating risk management into the Department. Notwithstanding early efforts, progress in integrating risk management across Health Canada from 2005-06 to 2007-08 (up to the end of field work) has been slow and has resulted in an out-of-date IRM Framework. As well, at the time of the audit, Health Canada did not have a continuous, systematic process for profiling its risks on a department-wide basis.

Management agrees with all of the recommendations. Its response indicates its commitment to take action. In fact, it has already started to implement many of the proposed actions that will address the findings.

Appendix

Appendix A: Lines of Enquiry and Audit Criteria

Governance

  • A corporate level senior organizational committee should provide leadership and active support on Integrated Risk Management.

Policy and Process

  • Health Canada should have a framework for integrated risk management and a profile of its corporate risks.

Planning

  • Departmental operational and strategic plans should address risks at both the corporate and branch level.

Learning and Tools

  • Staff should have the necessary knowledge, skills and tools to support the achievement of integrated risk management.