Desktop version

Home arrow Management

REVITALIZING THE ERM PROGRAM – 2009-2010

In the fall of 2008 the position of Manager, Risk Planning and Mitigation was created and an experienced risk manager was recruited to the position in late December 2008. The original intention of the appointment was to increase focus on risk treatment strategies and business-unit-level risk management activities, with the expectation that Internal Audit would continue to develop and report on the enterprise risk management framework. In late January 2009, the director of Audit Services left BCLC and the manager of Risk Planning and Mitigation assumed responsibility for managing all aspects of the ERM program.

The new risk manager brought a more operational approach, and was able to build on the excellent foundations already established to develop a new ERM strategy and supporting plan designed to move the ERM program to the next stage of maturity.

Throughout 2009, BCLC transitioned from the previous approach, where a portfolio of enterprise risk statements was assessed at a corporate level by ERMAC members, to a specific risk register with risks evaluated and agreed on at a divisional level and significant risks then escalated to the enterprise register.

One of the first changes was to move from an assessment of inherent risk with a supplementary assessment as to whether the risk was thought to be managed effectively to the use of a residual risk assessment methodology that included a more formal assessment of the effectiveness of control mechanisms in place. The next enterprise risk assessment was conducted in March 2009, and moved from the ERMAC voting approach to assessments by individual risk owners, with the committee providing more of a quality assurance function. New risk criteria were also adopted. A significant outcome was that the majority of risks were rated at a lower impact/consequence level (18 out of 29 dropping at least one rating, and three falling from critical to low risk).

Between March and July 2009, a series of risk and controls assessments workshops were held covering all divisions. The workshops brought together either functional teams or collections of specialists in thematic sessions (for example, marketing). Close to 300 managers and staff were involved. Each group attended two workshops; the first featured an educational component, brainstorming exercises, and process mapping with threats and vulnerabilities identification, while the follow-up session looked at a number of prioritized areas of risk in more detail, with a deep-dive assessment of risks and controls. The output of the workshops was the creation of divisional risk registers. Enterprise-level risks were then extracted from the divisional registers for an organization-wide view of all significant risks.

By September 2009, risk registers were established for all divisions. The new registers were more comprehensive than the previous risk documentation, with a greater focus on risk treatment and specific individuals identified as responsible for each risk treatment plan. The risk management policy was updated and new supporting guidance published.

Through 2009 and 2010, the risk management approach was further developed and embedded. In particular, the use of risk management in business case development and project management increased, while the new registers were updated on a quarterly basis. Regular quarterly reports on the risk management program were produced for discussion by the Executive Committee and at the Audit Committee.

In the summer of 2010, the risk management policy and guidelines were updated and a new risk management strategy was produced to reflect the newly published international standard on risk management, ISO 31000:2009, Risk Management – Principles and Guidelines. BCLC had previously been using the Australian risk management standard (AS/NZS 4360:2004), so the move to the new standard was a simple transition. At the same time, the government of British Columbia endorsed the new standard across all ministries, and subsequently used the approach for a number of provincially coordinated risk management activities (for example, planning for the 2010 Winter Olympics and preparing for a potential pandemic). The policy stated: "BCLC is committed to building increased awareness and a shared responsibility for risk management at all levels of the organization, and to facilitate the integration of the management and prioritization of risks into planning and operational activities."

The terms of reference for the ERMAC were also updated (see Exhibit 10.2), reflecting the change in practice from a single central risk assessment to the more devolved approach now in place.

Exhibit 10.2 Terms of Reference for the Enterprise Risk Management Advisory Committee

January 2007-March 2010

March 2010-March 2011

C. Terms of Reference

C. Terms of Reference

ERM Advisory Committee ("ERMAC")

ERM Advisory Committee ("ERMAC")

The ERMAC is an operational committee promoted and supported by the Executive to oversee the risk management process of the BCLC. The ERMAC reports to the Executive Sponsor. The ERMAC will:

The ERM Advisory Committee is tasked by the Executive to support the implementation of risk management across BCLC. The committee will: Appraise, revise, and monitor the annual risk management program;

Approve a suitable risk management mandate, terms of reference, and policy for BCLC, for endorsement by the

Executive

Review any changes to the Risk

Management Policy prior to submission for approval by the Executive;

Consider and approve procedures and

Approve and oversee the implementation of a flexible, adaptable Risk Management process of BCLC as a whole, on behalf of Executive

guidance to support the risk management policy and process; Review the effectiveness of risk management processes used across

Recommend an appropriate risk appetite or level of exposure for BCLC to the Executive

BCLC;

Help embed a risk management culture across the organization;

Identify and quantify fundamental risks affecting BCLC, and ensure that arrangements are in place to manage those risks

Support the development of a risk management awareness and education program; and

Provide support for the Divisional Risk

At least annually, review fundamental risks and their controls and report to Executive

Representatives, through encouraging sharing experience and enabling frank

Inform the Audit Committee on risks and controls that should be included in the Audit needs assessment, ensuring the integration of Audit Services into risk management

discussion of any risk-related issues arising.

From time to time the committee may also focus on a particular area of risk.

Ensure that critical risks are adequately dealt with

Help embed a risk management culture into all major decisions, through risk education, high-level controls, and procedures

Consider major decisions affecting BCLC's risk profile or exposure

 
< Prev   CONTENTS   Next >

Related topics