Post on 22-Feb-2016
description
Developed for: ORIMS Professional Development Session
October 22, 2013
Presented by:Steve Pottle, York University
Michelle Williamson-Reid, TSSA
Risk Reporting – A How To Guide
Discussion Points
• To be heard or not to be heard – that is the
question...
• How to communicate risk intelligently and
effectively
• Risk Report Content – York and TSSA
perspective
• Your turn (tell us your good ideas)
Is Risk on the Radar?
• Risk Management has many homes in
any organization
• Champion - who has the ear of the
Board?
Getting on the Agenda
Befriend the person(s) that creates the: • Board work plan
• Committee work plans• Audit Committee
• Governance Committee
• Etc.
• Management meeting agendas
When in Doubt
• Read the Board Charter
• Read company policies
• Read your job description
Make it Relevant
• What do they want to know
• What should they know:• CICA’s “20 Questions”
• risks to mission, vision and strategy
• risks to business plan
• reputational risks
Be Brief
• Be clear
• Be concise
• Relate the risk information to their role:• Board charter
• position description / job profile
• Relate it to the big picture
• Engage them (push versus pull)
Be Careful
While there is job security in always being on the agenda... • Make management accountable
• Encourage management to report on risk• Facilitates greater buy-in
• Influences a risk aware culture
The York U Experience.....
York Board Reports
Annual Risk Report
• Audience: Audit and Finance Committee of Board of Governors
• Focus: Risk Management tied to University’s Academic Plan (Key driver for senior admin decision making)
• Supplement: Board memo on insurance coverage
York Board Reports
Table of Contents
• Introduction• Risk Management • Awareness and Educational Initiatives• Insurance Program Update • Premiums• Claims
York Board Reports
Legislative Compliance Annual Report
• New report for Risk Management as of 2013
• Update on Universe of Legislation applicable to York (Board Directive)
• What are we going to report on?
• Developed three-year reporting cycle approved by CFO and VP Admin. (Board Stakeholders)
York Board ReportsLegislative Compliance Annual Report (three-year reporting cycle)
Review Proposed Acts for Inclusion in
the Top 15
Review Federal, Provincial, and Municipal legislation (Updating for changes to existing legislation and
updating the Universe with new Acts)
Review existing Universe of Legislation
(Updating Inherent Risk Assessment)
York Board ReportsLegislative Compliance Annual Report (three-year reporting cycle)
• Year one: Review Top 15 Acts (based on risk impact); refresh Universe of Legislation (Federal, Provincial, Municipal)
• Year two: Identify new Acts for possible inclusion in Top 15
• Year three: Review Universe of Legislation
The TSSA Experience.....
Quarterly reporting on:• priority enterprise risks and their impact on strategic
and business plan initiatives
• status of risk mitigation activities and impact on level of
risk
• assurance (audit) activities
• status of audit action plans
• large losses (insured and uninsured)
Audit, Finance and Risk Committee
Annual reporting on:• insurance program (renewal)
• changes to ERM framework, Guideline, Risk
Register
• Business Continuity Plan (changes, results of
tests, etc)
• three-year audit plan
Audit, Finance and Risk Committee
• Quarterly reporting on priority enterprise risks
and their impact on strategic and business plan
initiatives
• Quarterly reporting on status of risk mitigation
activities and impact on level of risk
• Reporting on results of assurance/audit
activities, as appropriate
Governance, Safety and Human Resources Committee
• Annual reporting on results of enterprise risk
assessment
• Annual reporting on risk mitigation activities (in
conjunction with strategic and business plan)
• Reporting on results of assurance/audit
activities as appropriate
Board of Directors
Tricks of the Trade
• Risk legend for all agendas
• Relate individual agenda items to risks
• Add dedicated section / heading for risk
to all reports, briefing material, etc.
Strategies Priority RisksLRK Leverage Risk Knowledge Risk 4 Enabling legislationCF Compliance First Risk 6 Data and informationSRS Shared Responsibility for Safety Risk 7 Business processes and controlsOE Organizational Effectiveness Risk 12 System acquisition and implementationWKPL Board Governance Work Plan Risk 13 System functionalityNA Not Applicable Risk 19 Culture
Risk 20 Board of DirectorsRisk 22 Ministry of Consumer ServicesNA Not Applicable
Agenda Legend (For Illustrative Purposes Only)
Agenda Reference (For Illustrative Purpose Only)
Internal Audit
Time Item *Strategy*Priority Risk
#Reference Lead
12:40 p.m.(30 min)
1. Review updated internal audit business case
(FOR DISCUSSION)
WKPL/Action item
N/A Updated internal audit business case briefing note attached
Richard SmartGrant Thornton LLP(David Florio)
1:10 p.m.(30 min)
1. Internal audit plan update:A. Update on current year internal
audit plan and status of actions from completed internal audits
(FOR DISCUSSION)B. Review and recommend to the
Board 2012/2013 safety incident data review report
(FOR DECISION)C. Review report on timing of
addressing observations relating to the procurement audit plus action plan to address contracts that are non-compliant with the Procurement Policy
(FOR DISCUSSION)
WKPLWKPL
WKPL/ Action item
N/A67
A. Status report on internal audit plans attached;
B. 2012/2013 safety incident data review briefing note and GT report attached;
C. Procurement Audit update attached
Grant Thornton LLP(David Florio)Michelle WilliamsonBrenda Buchanan
Dedicated section for risk in meeting material (For Illustrative Purposes Only)
Purpose – For Discussion
This report provides information to the Audit, Finance and Risk Committee (AFRC) on the implementation status of the fiscal year 2012/2013 internal audit plan, and internal audit action plans arising from previously completed audits, consistent with the AFRC work plan. Desired Outcome
This report is intended to engage AFRC in discussions relative to the level of residual risk present as a result of control weaknesses identified during internal audit activities.
Impact on Strategic Plan and Priority Enterprise Risks
The internal audit action plans are designed to mitigate identified control weaknesses and/or risks and enable the achievement of objectives. Specifically, the action plans arising from the incident data, technical data and Oracle-Operating Engineers inspection process audits mitigate elements of the data and information risk (#6) and business controls and process risk (#7). The action plan arising from the information technology general controls audit also aims to mitigate aspects of the business controls and processes risk. Background
XXX
Best Practices You’d Like to Share...