RESTARTING THE PROGRAM-2006-2008
In early 2006, the head of Audit Services' proposal to update the 2003 risk assessment was endorsed by BCLC's executive team. Audit Services facilitated an assessment of critical strategic and operational risks facing BCLC, by developing a set of risks for analysis through consultation with the executive team, preparing an environmental scan, and concluding with a facilitated risk workshop to evaluate and prioritize each risk. The initiative was strongly informed by the successful ERM program being run at that time by another Canadian lottery organization, the Atlantic Lottery Corporation.
The intended outcome of the 2006 assessment was to inform the three-year-old audit plan, to develop new risk criteria, and to raise awareness about the importance of risk management. The success of the exercise led to the development and acceptance of a business case in August 2006 to resource a part-time risk manager, responsible for putting into operation the risk management program. This approach was endorsed by the CEO as part of an organization-wide initiative to develop and embed a high-performance culture across BCLC.
Exhibit 10.1 2006 ERM Organizational Structure
Leadership for the initiative was assigned to an executive sponsor. In the first instance, this was the chief information officer.
A cross-functional leadership team model was also approved, to be known as the ERM Advisory Team, responsible for oversight and approval of recommendations on behalf of the Executive Committee and consisting of the executive sponsor and a small number of key directors from each BCLC division. Operational support was provided by Internal Audit. The organizational structure is shown in Exhibit 10.1.
It is not entirely clear why the 2006 risk assessment exercise led to support for an ongoing ERM program while the 2003 initiative did not. The head of Internal Audit championed both initiatives, and the earlier risk assessment activity was well received. The consultants reporting in 2003 stated that "the culture in BCLC is proactive and is ideally suited to the EROM's philosophy and benefits." Executive response to both initiatives was largely positive. There does not appear to have been a so-called burning platform created in 2006; it was more a growing recognition that the time was right to adopt a more formal approach to ERM. It may be that increasing recognition of the importance of managing risk across North America with the introduction of Sarbanes-Oxley requirements and publication of COSO's ERM Integrated Framework in 2004 influenced senior management. Or it could be that the simple iterative approach adopted by the head of Internal Audit when he decided to update the 2003 risk assessment – "Start slow and at the top, get learning and feedback, and then take down the ladder" – demystified the concept and increased engagement. Regardless, 2006 marked a new start for ERM, and the genesis of the current BCLC program.
-  The Sarbanes-Oxley Act of 2002 was enacted in the United States as a response to a number of corporate governance scandals and introduced a number of financial governance regulations, including the requirement to produce a report on internal control.