For the second risk assessment, a streamlined process was adopted. Rather than starting with the risk statements from the dictionary, each VP was simply asked to identify their top three strategic and operational risks, with the results analyzed, combined, and allocated into the 2006 categories.

The resulting 37 risks were brought to two executive-level workshops and, as with the 2003 assessment, voting technology was used for prioritization. Nine critical risks were identified and taken forward to be integrated into the audit plan. One key difference from the 2003 assessment was the development of BCLC-specific likelihood and consequence qualitative criteria. Of interest is the correlation between the two assessments, with only two critical risks identified in 2003 not appearing in the critical zone in 2006, and no new critical risks introduced.

With the appointment of a dedicated Enterprise Risk Manager and the support of an executive sponsor, the launch of a formal ERM program became possible. The senior auditor from the Internal Audit team moved to the new position, bringing continuity with previous ERM initiatives. Between August and December 2006, the focus was on developing the core risk documentation, including terms of reference for the new steering group, an ERM policy, a project charter, and an initial plan. The initial areas of focus were to:

• Develop and continuously refine a practical ERM framework to support the identification and management of risk.

• Continuously manage risks, limiting exposure to an acceptable level while maximizing business opportunities.

• Embed a risk awareness that is a key component of instilling a high-performance culture.

A key feature of the new approach to ERM was the formation of the ERM Advisory Committee (known as ERMAC). The concept of ERMAC was to create risk champions, high-performing senior leaders from each division whose role would be to influence, communicate, and educate management and staff within their business areas about the benefits of risk management.

By January 2007, the new committee was established and the ERM policies and plan were in place, with proposals to embed risk management into project planning, business cases, and strategic planning under discussion.

In May 2007 a critical report about BCLC was issued by the British Columbia Ombudsman following an investigation into BCLC's prize payout processes (BC Ombudsman 2007). The investigation was triggered by a CBC Fifth Estate investigation[1] in October 2006 on issues in Ontario associated with lottery retailers winning major prizes, with the concern being that similar issues could have occurred in British Columbia. Although no incidents of wrongdoing were discovered during the investigation, the report and a subsequent audit and recommendations published by Deloitte & Touche in October 2007 marked a critical point in BCLC's transformation into a modern player-centric organization.

For risk management, the Ombudsman's review led to both a greater impetus and a broader focus for the program. BCLC had always considered integrity to be vital to the organization, but the fundamental goal of delivering revenue to government was often the dominant concern, and this was reflected in earlier risk assessments. With the advent of the Player First program,[2] significant additional resources and oversight were now dedicated to security, compliance, and reputation management, and this increased emphasis was reflected in the risk assessment conducted by the ERMAC team in April 2007.

The basis of the assessment was the risk statements completed by the Executive Committee in 2006, with new key risks facing BCLC added through consultation with key members of each of the business/support units and incorporated into an expanded risk dictionary. Once the new risk statement descriptions were agreed on, workshops were held to assess the risk ratings, and also to determine how effective current arrangements were for managing each risk. The 12 risks with the largest gaps identified between risk rating and management effectiveness were then selected for further profiling and control analysis.

Throughout 2007, the remaining enterprise risks were profiled in order to better identify the associated causes and controls. Two further enterprise risk assessments were facilitated in 2008, and a regular quarterly risk report produced from June 2008 forward provided details of both the development of the overall program and monitoring of individual risks.

Parallel to the enterprise risk assessment, a project risk assessment approach was developed and implemented, with a number of initiatives used to facilitate risk assessments, very similar to those conducted at an enterprise level. As with the enterprise risk assessments, the risk dictionary was used to support the development of potential risk statements, which were then voted on at a facilitated meeting of the core project team. Project risk assessments were piloted with four projects in 2007, and further developed with seven project risk assessments facilitated in 2008. Although the workshops were generally felt to be productive and beneficial, the volume of risks generated meant that on occasion it was not possible to assess all the risks presented.

In May 2008, the Enterprise Risk Manager was appointed director of Audit Services. Although risk assessments continued to be supported by the Internal Audit team, the further development of enterprise risk management was constrained due to the lack of dedicated resources, as the ERM manager post was not immediately filled.

  • [1] The CBC investigative series Fifth Estate aired an episode entitled "Luck of the Draw" on March 14, 2007, about insider wins, featuring the story of Bob Edmonds, who was defrauded out of his lottery winnings by a retail clerk.
  • [2] The Player First program was BCLC's response to the Ombudsman report and Deloitte recommendations, a collection of significant change initiatives under way from 2007 to 2011 designed to put the player at the forefront of BCLC activities.
