STRENGTHENING THE PROGRAM – 2010-2013
In 2010, it was agreed that Internal Audit should conduct a review of the risk management program with a view to "identify any gaps and areas for improvement to ensure that the fundamental building blocks are in place to deliver on the organization's risk management needs effectively and efficiently." Interviews were conducted with Enterprise Risk Management Advisory Committee members, the executive team, CEO, and board and Audit Committee members.
The review found that the ERM process was well established and documented, with strong levels of support from all levels of the organization and an increasingly risk-conscious culture. However, risk management was not yet fully embedded within all of the organization's functions. There was some variance in perceptions of risk tolerance, and in general the program was stronger on reporting risks than it was at driving change, with significant amounts of informal risk-related discussions taking place outside of the program. Senior management also reported that too many risks were escalated to them, often at a level that was perceived to be too granular or operational.
In addition to the internal review, BCLC took part in a benchmarking exercise conducted by Ernst & Young together with seven other Canadian lottery and gaming organizations. The exercise consisted of a questionnaire completed by key risk personnel at each organization, facilitated by telephone interviews conducted by the E&Y team.
The results (Ernst & Young 2010) showed that BCLC was in a similar position to many of the other gaming organizations in having a relatively young ERM program. In common with much of the gaming industry at the time, BCLC's strongest area was risk assessment, while risk tracking and the ERM structure were relatively weak (see Exhibit 10.3). The exercise included a simple self-assessment of perceived ERM maturity, where BCLC assessed itself as having risk activities in place, but that risk management was not yet consistently applied and well understood by management and employees across the organization.
Exhibit 10.3 ERM Maturity at BCLC in 2010. Extracted from Ernst & Young ERM Benchmarking Survey, 2010.
The results of the internal review and the E&Y assessment were presented to BCLC's executive team in February 2011. A number of recommendations were proposed and adopted, including strengthening senior management ownership and accountability, realigning risk criteria to better match BCLC's tolerance for risk across organizational objectives, and broadening the focus of the program from largely operational to a more strategic level.
In April 2011, the risk management function moved to the Finance and Corporate Services division, with the CFO taking responsibility for executive leadership of the program. The risk criteria and evaluation matrix were updated and the risk review process strengthened, establishing regular review meetings for every division whereby each division's senior management team reported to their vice president (VP) on their risks every quarter. Risk oversight was also reviewed, and in addition to strengthening processes at a divisional level, dedicated time at executive meetings was scheduled to review the quarterly risk report prior to presentation to the Audit Committee. A key step in increasing accountability came from the formal assignment of each area of high risk to the appropriate VP, who would be responsible for reporting each risk in detail and providing a regular update on progress with the agreed treatment plans.
At this time, the ERM Advisory Committee was disbanded. The committee of risk champions had played a significant role in coordinating initial assessment activities and in increasing the understanding of risk management across the organization in the early years of the risk management program. It was now felt, however, that with all directors expected to be fully conversant with risk management, and with risk identification, evaluation, and reporting having moved into mainstream management, the group no longer added significant value.
A new Risk Management Planning Group reporting to the CFO was established to align and coordinate a number of risk and compliance activities, in particular looking for synergies between the risk, business continuity, insurance, and antifraud programs. The intention of the group was to assist in the design of tools and approaches that deliver progress across the programs and also reduce managerial overload from potentially competing programs.
Over the next year, a series of risk reviews was undertaken with each division, with the aim of refreshing the divisional registers and making sure that each group reviewed both current and potential risks against both BCLC and divisional strategies. The format of the reviews varied across groups, depending on divisional responsiveness and parallel activities. Several workshops were held with broader management teams, two were jointly coordinated with Internal Audit exercises, and one was externally facilitated. The review process further increased ownership and accountability by reinforcing the message that risk management and reporting are the responsibility of everyone throughout the organization.
In early 2012 BCLC invited an external consulting firm to look again at its ERM program, consider the progress made since the work in 2003, and make some recommendations as to next steps. In April 2012, the consultants delivered a presentation to the board on "Moving from a Risk Monitoring Organization to a Risk Intelligent Organization," and facilitated a discussion on risk governance and oversight. It was agreed to move risk oversight from the Audit Committee to the full board, to include more formal consideration of risk in the strategic planning process, and to continue to improve risk management processes, practices, and awareness.
In the winter of 2012 an opportunity arose to embed ERM into strategic planning when an exercise to identify and assess strategic risks was undertaken. The aim of this exercise was to identify and prioritize a set of holistic enterprise-level longer-term risks in order to inform strategic planning alongside a program of optimization. An off-site workshop was led by the CEO and the executive team with additional input from a small group of directors known as the leadership team, and supported by risk, corporate strategy, and audit services. Facilitation was provided by an external party. During the workshop, political, regulatory, economic, competitive, technology, and social business environmental factors were considered, and after a lively and informed discussion 11 key strategic risks were identified and initial sponsors assigned.
Following the workshop, a series of meetings was held with the assigned VP leads and other relevant parties, facilitated by the Senior Manager, Risk Advisory, to discuss each risk in greater detail. Using a bow-tie approach, the meetings identified key causes, consequences, controls, and planned treatments. A formal report was developed, and a strategic risk register is now in place. Going forward, the strategic risks will be used to inform strategic planning and business optimization, while the shorter-term, more operationally focused risks continue to be reflected and addressed in business planning at an enterprise, divisional, and initiative level.
-  Bow-tie analysis is a simple diagrammatic way of describing and analyzing the pathways of a risk from causes to consequences. The approach is outlined in ISO 31010 risk assessment techniques. Also see pages 291-293 of Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives, ed. John Fraser and Betty J. Simkins (Hoboken, NJ: John Wiley & Sons, 2010).