7. eNHANCED rISK mANAGEMENT (ERM) – PHASE 1

GESTION AMÉLIORÉE DES RISQUES (GAR) – PHASE 1

COMMITTEE RECOMMENDATION:

That Council approve the conceptual Enhanced Risk Management Framework described in this report, including the revised Enhanced Risk Management Policy attached as Document 2.

RECOMMANDATION DU COMITÉ

Que le Conseil approuve le cadre conceptuel de gestion améliorée des risques décrit dans le présent rapport, y compris la politique révisée de gestion améliorée des risques énoncée dans le document 2 ci-annexé.

DOCUMENTATION

1. City Manager’s report dated 6 April 2010 (ACS2010-COS-ODP-0004).

2. Extract of Draft Minute, 6 April 2010.

Report to/Rapport au:

Corporate Services & Economic Development Committee

Comité des services organisationnels et du développement économique

and Council / et au Conseil

April 6 2010/ le 6 avril 2010

Submitted by/Soumis par: Steve Kanellakos

Deputy City Manager, City Operations / directeur municipal adjoint, Opérations municipales

Contact Person/Personne-ressource : Donna Gray, Director/directrice

Organizational Development and Performance/Services du développement et du rendement organisationnels

613‑580‑2424, ext./poste 25684

Ref N°: ACS2010-COS-ODP-0004

SUBJECT:

eNHANCED rISK mANAGEMENT (ERM) – PHASE 1

OBJET:

GESTION AMÉLIORÉE DES RISQUES (GAR) – PHASE 1

REPORT RECOMMENDATION:

That the Corporate Services and Economic Development Committee recommend that Council approve the conceptual Enhanced Risk Management Framework described in this report, including the revised Enhanced Risk Management Policy attached as Document 2.

RECOMMANDATION DU RAPPORT

Que le Comité des services organisationnels et du développement économique recommande que le Conseil municipal approuve le cadre conceptuel de gestion améliorée des risques décrit dans le présent rapport, y compris la politique révisée de gestion améliorée des risques énoncée dans le document 2 ci-annexé.

EXECUTIVE SUMMARY

The purpose of this report is to advise Committee and Council of the work undertaken by staff on the enhanced risk management (ERM) program and request approval of the conceptual ERM framework, which includes the revised ERM policy.

The Auditor General’s report on the City’s Management Control Framework in 2005 contained recommendations with respect to risk management. As well, City Council in 2008 directed staff to undertake a number of initiatives on risk management to create a better awareness of its importance in the delivery of municipal services.

Staff has made significant progress on the Auditor General’s and Council’s recommendations by completing a conceptual ERM framework, revising the previously approved Council risk management policy, developing a guidance module on how to do a risk assessment utilizing the tools and templates from the framework, completing four risk reviews in operational areas and establishing a Corporate Risk Management Committee to guide ERM activities.

Over the next 24 months, staff will prepare and implement the communications and training plans required to support managers in the identification, assessment, mitigation and monitoring of risks in all program areas of the City. Upon completion of training, Management Performance Appraisals will be amended to include an assessment of risk behaviours component.

RÉSUMÉ

L’objectif de ce rapport est de donner des avis au Comité et au Conseil municipal relativement au travail accompli par le personnel pour le programme de gestion améliorée des risques (GAR) et de demander l’approbation du cadre conceptuel de la GAR, comprenant notamment une politique en la matière.

Le rapport du vérificateur général de 2005 sur le cadre de contrôle de la gestion de la Ville comprenait des recommandations concernant la gestion des risques. De même, en 2008, le Conseil municipal avait demandé au personnel de la Ville de mettre en œuvre diverses initiatives en gestion des risques dans le but de favoriser une sensibilisation accrue à cette question au sein des services municipaux.

Le personnel de la Ville a fait de grands progrès pour la mise en pratique des recommandations du vérificateur général et du Conseil municipal. Le cadre conceptuel pour la GAR a été réalisé, la politique de gestion des risques déjà approuvée par le Conseil municipal a été révisée, on a mis sur pied un module d’encadrement sur la façon d’évaluer les risques à l’aide des outils et des grilles de la structure conceptuelle, on a procédé à quatre examens des risques dans des centres opérationnels et à la mise sur pied d’un Comité de gestion des risques pour encadrer les activités de GAR.

Au cours des 24 prochains mois, le personnel préparera et mettra en œuvre les plans de communication et de formation nécessaires pour aider les gestionnaires à repérer, évaluer, réduire et contrôler les risques dans tous les secteurs des programmes de la Ville. Une fois cette formation complétée, les évaluations de rendement des gestionnaires seront mises à jour afin d’inclure une évaluation de la composante des comportements à risques.

BACKGROUND

In the 2005 Audit of the Management Control Framework, the Auditor General identified there was “no enterprise-wide approach, or ability for the City to consistently assess the level of risk it faces across the organization to aid in planning and priority setting”. As part of that audit, the Auditor General recommended that the City’s senior management introduce integrated risk management within the City as part of the planning and performance management cycle including such activities as:

· Development of an integrated[1]risk management policy;

· Development of tools and approaches for risk management; and

· Provision of risk management training.

On May 9, 2007 Council approved an approach to implement the Auditor General’s recommendations. The expected outcome was the development a new corporate integrated risk management policy and to train management staff involved in the evaluation of risk as part of the business planning process for each Branch.

On March 26, 2008, Council approved a report from the Long Range Financial Plan Sub-Committee (Reference Number ACS2008-CMR-CSE-0026) with respect to Risk Management. The recommendations approved by Council were:

Develop a conceptual ERM Framework aligned with Strategic Branch Reviews;
Prepare tools to support the ERM Framework, including:

a) Templates and approaches;

b) Assessment of risk behaviours as part of management performance appraisals; and

c) The inclusion of a Risk Management Implication section on staff reports to Committee and Council;

Provide training to support the ERM Framework and culture change;
Undertake Risk Management Reviews of two key clients (2008 and 2009); and
Establish a Risk Management Committee to monitor ERM progress and report on Phase 2 for Budget 2010.

The purpose of this report is to advise Committee and Council of the work undertaken by staff on the enhanced risk management program and request approval of the conceptual enhanced risk management framework and the revised enhanced risk management policy.

DISCUSSION

Conceptual Enhanced Risk Management Framework

In response to the Auditor General and Council’s approved direction, a conceptual Enhanced Risk Management framework has been developed.

The framework provides the City with a consistent approach to manage risks by creating the means to discuss, compare and evaluate substantially different risks across the corporation. It applies to all lines of business and covers all types of risks faced in the operation of the City, whether they are policy related, operational, financial, legal, environmental, health and safety, etc.

The purpose of the framework is to

· Provide the foundations and organizational arrangements that will embed it throughout the organization at all levels. It is through the building of a framework that the City decides which ERM components best address needs and then decides how these components will be implemented in the City. Choices will be influenced by the City’s goals, objectives, risk management culture and philosophy;

· Deliver a proactive, systematic and consistent approach to understand, manage and communicate risks from an organization-wide perspective;

· Contribute to building a risk-conscious culture that allows for innovation and responsible risk-taking while ensuring legitimate precautions are taken to protect the public interest, maintain public trust and ensure due diligence;

· Standardize communication and consultation methods with respect to critical risks in order to achieve an organization’s business objectives.

The key objectives of the Enhanced Risk Management framework are to:

Integrate ERM into existing business processes such as Service Excellence Plans and the City Strategic planning process;
Embed a proactive risk management culture in City managers and increase accountability;
Enable informed decision-making by developing a consistent process that facilitates the identification, assessment, prioritization and reporting of risks across the City;
Reduce surprises (unacceptable events or situations);
Better prepare the City’s business units to manage new risks that might emerge due to changes in the business environment;
Realign resource allocation as part of the mitigation process and, thereby, jointly manage City-wide risks in a cost-effective way; and
Provide consistent tools and approaches to facilitate cross organizational discussions on risk issues resulting in Citywide implementation and mitigation strategies

The framework establishes the foundation for enhanced risk management in the City. This foundation sets a common understanding of the benefits of risk identification among all City managers. It documents the roles and responsibilities for risk management in the corporation from City Council to managers. The framework provides a common set of tools for management to identify, assess, prioritize and mitigate risk within their respective areas of service and program delivery. The framework communicates risk tolerance and a process to develop a Corporate Risk Profile.

It is important to acknowledge that risk management is not new to the City of Ottawa. City Council approved a risk management policy in September 2001. Many branches and divisions in the City have a long history of addressing risk in the delivery of their programs and services. As a consequence, an effective risk management culture already exists in some work groups. These risk management activities are ongoing and will continue to be fundamental to our business. This framework will support and expand that knowledge base, increase awareness and the management of risk to all other areas of the corporation.

A summary of the Conceptual Enhanced Risk Management Framework is included in Document 1 of this report.

The Corporate Enhanced Risk Management Policy

In his 2005 audit on the management control framework, the Auditor General recommended the introduction of integrated risk management within the City, including the development of an integrated risk management policy. In their response, management noted that the City already had a risk management policy, approved by City Council in September 2001. Management and the Auditor General subsequently agreed on a revised recommendation whereby management would develop a new corporate integrated risk management policy or modify the existing policy.

The ERM policy will provide staff with an approved direction to ERM and is an overarching document from which all city departments can take guidance.

The revised policy on Enhanced Risk Management is attached in Document 2. The major changes are:

A concise policy statement that embraces and commits enhanced risk management in all aspects of city operations;
The commitment to monitor, report and document risk management;
The inclusion of management accountabilities and performance metrics for identifying risk in city operations;
An emphasis on a corporate-wide, systematic approach to risk management that seeks to identify and manage potential risks effectively; and
The inclusion of clearly defined responsibilities for risk management in the corporation.

Tools to support Enhanced Risk Management

a) Templates and approaches

A Risk Management Module has been created to assist managers s to consider and incorporate risk management into their service delivery and operations. It provides the tools, templates and approaches for managers to identify the top three to five risks in their lines of business.

This module explains how to do a risk assessment, which is an application of the ERM process. The module’s various tools address context setting, determining risk impact, establishing likelihood or frequency, plotting risk impact and frequency to recognize risk exposure, reaching a risk score, prioritizing in order of risk exposure and, finally, establishing mitigations to control high risks. A chart is provided on sample risk categories to consider. A template is also provided to visually identify the result of the risk assessment based on the impact and likelihood of a risk occurring. High risks require a mitigation strategy. (A sample copy of these tools/templates is included in Document 1.) The end product is a summary chart capturing the outcomes of the exercise and documenting the mitigations planned for each risk.

The outcomes of the risk analysis will be incorporated into the department Service Excellence Plans. Assistance to understand and apply the Module will be provided by Corporate Risk Management. These departmental results will form a comprehensive list of all the City’s risks. The risk assessment process will then be used by senior management to create a prioritized list of the City’s top risks – a Corporate Risk Profile.

b) Management performance appraisals

Once training has been delivered, the management performance appraisals will be updated to include an assessment of risk behaviours.

c) Risk considered as part of Committee/Council reports

A risk implications section now forms part of the staff reports to Committee(s) and Council. Staff preparing reports must consider and address risk within the context of the report. The report writer is responsible to route reports to Corporate Risk Management in the department of Organizational Development and Performance for review to ensure that risks have been adequately addressed. Corporate Risk Management is also available to provide assistance to the report writer(s)/subject matter expert(s) on potential risk implications at an early stage in the development of a report.

Training

Formal training on the Enhanced Risk Management Module will be provided to targeted City staff. It is anticipated that the training and communication plans will be developed in 2010 and rolled out to staff in 2011. A major part of this training will focus on the risk assessment process.

Risk Management Committee

A Corporate Risk Management Committee to monitor ERM progress has been established. Their mandate is to advise, guide and monitor the development and implementation of the ERM organizational framework and matters of risk management that impact the City’s strategies and objectives.

The first meeting was held in November 2008. In accordance with the Committee’s Terms of Reference, the Committee meets at least quarterly.

Risk Management Reviews

In 2008 and 2009, Corporate Risk Management worked with key clients to undertake risk management reviews. The review results have identified specific areas where operations can be changed to reduce or eliminate potential risks. The management of the respective work groups are responsible to act on the recommendations, as resources are available and to monitor their completion. A summary of the reviews follows.

Risk reviews completed in 2008

a) Surface Operations

On August 6 and 7, 2008, a risk review of Surface Operations winter maintenance procedures was conducted by the Frank Cowan Company, the City’s liability insurer. The project involved reviewing the City’s documents, policies and procedures with respect to two known storms that were chosen by Cowan. These storm events occurred on December 1 – 5, 2007 and March 8 – 11, 2008. Two of the City’s work yards were selected and each was allocated a storm date. The final report contained nine (9) recommendations; 7 directed at Surface Operations and 2 for Legal Services. The results of the review provided staff and management with recommendations and observations that will improve operational readiness in future storm occurrences.

b) Parks & Recreation

A risk review was conducted in early November 2008 and focused on Parks and Recreation. The review looked at a variety of sites including two multi-use community centres: one rural and one in the inner city. Parks and Recreation chose the community centres and provided the reviewer with current policies and procedures. The chosen sites were Walter Baker Arena, Ray Friel Complex, Millenium Park, Fisher Heights Daycare and Centrepointe Skateboard Park. The first phase examined seven (7) elements deemed essential in the development of a successful risk management program and the second phase consisted of physical inspections of the selected sites. The purpose of the inspections was to review the sites for legislative compliance and assess potential liabilities.

Five recommendations resulted mainly falling under the category of ‘Documentation’. Additionally, there were 2 recommendations arising from the site inspections. Parks and Recreations staff has used the review results to modify their operations.

Risk reviews completed in 2009

a) Ottawa Public Library

Ottawa Public Library (OPL) Services requested a privacy focussed risk review to assist with their risk management practices. The focus of this review was to evaluate how the Library is doing to safeguard the privacy of staff and users. This suggestion came from a member of the Library Board. The Frank Cowan Company conducted the review in July 2009.

Ottawa Public Library’s policies and procedures were reviewed and four (4) sites were physically inspected. Additionally, there were interviews with site managers regarding OPL’s policies and procedures.

Four broad recommendations resulted and are being implemented by OPL.

b) Skateboard Parks, Parks & Recreation

The Frank Cowan Company provided a risk management review report on the City’s skateboard parks. The review was conducted September 13 through 17, 2009 and involved 14 locations. There were 7 recommendations under the heading ‘Signage and Emergency Contact’, one “Maintenance and Repair Inspections’ recommendation and one “Component Improvement’ recommendation. Parks and Recreation staff has fully implemented the recommendations.

Enhanced Risk Management Policy

The conceptual risk management framework described above was developed using best practices from the field of risk management including COSO (Committee of Sponsoring Organizations), AS/NZS 4360:2004 (Australia/New Zealand Standard) and ISO (International Organization for Standardization) 31000. All are popular international standards for risk management. Input from other municipalities more advanced in risk management capability was built in.

Both Senior Management Committee and Executive Committee have approved the framework. City staff will receive training on the framework and will use it to identify, assess and document key risks using a common approach. The ERM framework provides a reliable systematic approach for managers to manage risk within their spheres of responsibility consistent with approved risk tolerances.

The revised risk management policy, attached as Document 2, was developed in consultation with the Corporate Risk Management Committee. The Committee consists of senior staff from a wide range of City departments who are risk practitioners. The Committee supports the approval of the draft policy. Senior Management Committee and Executive Committee have also approved the draft policy.

NEXT STEPS

Staff will continue with the following activities to successfully implement Enhanced Risk Management in the corporation during Phase 2 in 2010 and 2011:

a) Communication plan including a risk escalation procedure;

b) Development of a training program in 2010;

c) Delivery of training in 2011 to managers and supervisors;

d) Accountability of risk behaviours built into management performance appraisals;

e) Development of Corporate Risk Profile in 2010-2011; and

f) Establishment of monitoring and reporting processes based on Risk Profile in 2011.

g) Report progress on the implementation of the framework to Council in 2011.

Corporate Risk Management will develop these activities with the guidance of the Corporate Risk Management Committee.

RURAL IMPLICATIONS

There are no specific rural implications associated with this report.

CONSULTATION

The Corporate Risk Management Committee was consulted in the development of the Enhanced Risk Management policy.

LEGAL/RISK MANAGEMENT IMPLICATIONS

There are no legal/risk management impediments associated with this report.

FINANCIAL IMPLICATIONS

There are no financial implications associated with this report.

SUPPORTING DOCUMENTATION

Document 1 – Summary of conceptual Enhanced Risk Management Framework

Document 2 – Enhanced Risk Management Policy

DISPOSITION

Staff will action any direction received as part of consideration of this report.

Document 1

Summary of Conceptual Enhanced Risk Management Framework

The first step in implementing Enhanced Risk Management (ERM) is to establish a framework. This is an overarching structure under which reside the basic components that comprise ERM. The framework provides the foundations and organizational arrangements that will embed it throughout the organization at all levels. It is through the building of a framework that the City decides which ERM components best address needs and then decides how these components will be implemented in the City. Choices will be influenced by the City’s goals, objectives, risk management culture and philosophy. The ERM framework presents a reliable systematic approach to ERM.

All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. ERM enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value. The ERM framework recognizes culture and provides processes and tools to identify strategic opportunities and reduce uncertainty. The ERM framework establishes communication and consultation methods with respect to critical risks in order to achieve an organization’s business objectives. It formalizes process and content accountability.

Adopting ERM is a major undertaking. It requires the City to examine how to manage risk comprehensively. This is how competitive advantage is achieved even as the City’s risks keep increasing.

The framework will allow City staff to identify, assess and document key risks using a common reliable approach. Following is an outline of each section of the framework.

1. What is Risk Management & ERM? Why do we do it?

ERM is a continuous, proactive, systematic and consistent process to understand, manage and communicate risks from an organization-wide perspective.

2. The Global Perspective of Risk in the Public Sector

Discusses risk management guidelines including COSO, AS/NZS 4260 and ISO 31000. By adopting elements from each approach, the City has the best process to apply to its activities.

3. The Evolution of Risk Management at the City

Discusses the history of risk management at the City and its journey from traditional risk management to ERM.

4. Framework

a) Objectives & principles

ERM’s objectives are to: embed risk management into the culture of the organization, reduce events or conditions that create uncertainty and to ensure that unplanned events are managed effectively.

Principles include a commitment to promote and reward ‘risk-conscious’ thinking and behaviour throughout the City. By becoming part of decision making, risk management will help prioritize actions and distinguish among alternative courses of action.

b) Governance Structure

The design of a robust architecture for enhanced risk management begins with a clearly understood governance model describing ERM related responsibilities and accountabilities. Council’s role is to approve the risk policy, ensure that the major risks of the City are considered and approve risk tolerance.

c) Risk Management Committee

This Committee provides advice and guidance to Corporate Risk Management on the development and implementation of the ERM program. They validate the risk management tools and reporting processes to ensure that these can be applied across the City.

These risk practitioners are the means by which ERM integrates into the City’s departments.

d) ERM policy

Our policy states that the City is committed to develop, implement and practice ERM to ensure risks that impact the City’s strategies and objectives are managed.

e) Tools & Resources

A Risk Management Module has been created to assist Management to consider and incorporate Risk management into their service delivery and operations. Managers will use the Module to identify the top three to five risks in their operations. The outcomes of the risk analysis will be incorporated into the Department Service Excellence Plans. Assistance to understand and apply the Module is available from Corporate Risk Management.

The charts on the following page are examples of the tools/templates that are available to assist in completing a risk assessment.

Sample of Risk categories

Likelihood rating tool

H = requires a strategy

M = risks must be considered

Low = risks usually accepted

Formal training on the Module will be provided to targeted staff. It is the intent that training and communication plans will be developed in 2010 and rolled out to staff in 2011.

A major part of this training will focus on the risk assessment process, which is a desired tool sought by many City departments.

f) Tolerance/Appetite

Articulating risk appetite and tolerance sets the parameters for risk-informed decision making. There must be an alignment between corporate risk appetite and risk-taking in practice. To achieve alignment, risk appetite must be fully articulated and applied in the front lines.

g) Link to Planning & Performance

A Risk Management module forms part of the Service Excellence Plan. Departments will identify their top 3 – 5 risks. These will then be rolled up into a corporate Risk Profile. Senior management will then assess to determine a city-wide risk profile.

The next Strategic Planning process of the City will utilize this information.

h) Application of the ERM Process

This module explains how to do a risk assessment, which is an application of the ERM process. The module addresses context setting, impact and frequency determination, reaching a risk score, controlling and monitoring risk. Finally, prioritized risks are recorded on a Summary chart.

i) Risk Monitoring & Reporting

Under the existing model, risk practitioners are resident in City departments and participate in the Corporate Risk Management Committee. The risk escalation procedure will dictate what risks must be elevated to senior management and Council. Day-to-day monitoring of risk is conducted by the risk owner.

Future ERM plans are to measure and manage risks quantitatively and aggregated on an enterprise-wide basis.

5. Lessons Learned

What we can learn from other organizations more advanced in their ERM journey.

6. Next Steps

The steps required to advance the risk management program in the City are identified.

Document 2

enhanced risk management Policy

Approved By	City Council	Approval Date
Section	Organizational Development and Performance	Effective Date
		Revision Date

policy statement

The City of Ottawa is committed to develop, implement and practise Enhanced Risk Management (ERM) to ensure risks that impact the City’s strategies and objectives are managed.

purpose

To create a risk-aware corporate culture where the management of risks is integrated into the operations and administration of the City.

The objectives of Enhanced Risk Management are to:

Embed risk management into the culture of the City
Reduce events or conditions that create uncertainty
Ensure that unplanned events are managed effectively.

Applying a systematic ERM approach and recognizing risk management as critical to the achievement of the City’s governance responsibilities will accomplish this. Departments will have clear accountability for both ownership and cost of risk and the tools to effectively manage and report risk. This should enhance public confidence and avoid unexpected/undesired outcomes.

application

This Policy applies to all City employees, Boards and Committees of Council, their employees and volunteers.

policy requirements

ERM is an addition to and not a replacement for existing risk management activity. Employees are expected to promote and facilitate appropriate risk control techniques to manage the risks to the public and employees’ health, safety and security, mitigate liability and protect corporate assets against loss and damage. Risk financing strategies consistent with corporate objectives shall be utilized, including the procurement of insurance coverage, an adequately funded self-insurance program and a prudently managed Insurance Reserve Fund. Sound claims management practices shall be delivered.

The City is committed to the application of an ERM process, which includes a systematic approach to the anticipation and identification of loss exposures, the assessment of those exposures, in terms of frequency and severity, and the application of risk control measures. Clearly defined risk tolerance establishes the total risk the City is willing to accept or retain. Staff are responsible to report incidents, assess exposures, reduce, control and monitor risk in corporate programs and operations. Stakeholders shall ensure that risks are brought within the City’s risk appetite.

Specific directions to accomplish the ERM Policy objectives include:

· Identify, assess, analyze, evaluate, categorize and prioritize risks

· Accept or mitigate risks

· Monitor, report and document risk activity

· Communicate risks and mitigation strategies to Council, Committee, senior management and internally

· Choose compensation policies and performance metrics to promote and track the pursuit of a risk-aware corporate strategy

responsibilities

The management of risk is a shared responsibility at all City levels. All employees are required to demonstrate risk-aware thinking and accountability and communicate significant risks to their managers and Council.

City Council approves, oversees and promotes the ERM initiative.

The City Manager ensures compliance with the ERM Policy and for overall risk management throughout the City.

The Executive Committee retains overall accountability for ERM, sets the City’s risk tolerance and approves the ERM framework.

The Senior Management Committee oversees the implementation of an appropriate ERM program. Managers support the City’s ERM philosophy, promote compliance and manage risks within their spheres of responsibility, consistent with the City’s risk appetite.

Department Managers own, and are therefore accountable for the effective management of risk within their department. They are responsible for the application of risk-aware thinking in day-to-day activities.

The Deputy City Solicitor has responsibility for insurance activities.

The Manager, Litigation and Labour Relations is responsible for claims activities.

Corporate Risk Management provides guidance for the advancement and support of ERM throughout the City. It develops, implements and maintains the framework for the management of risk. It develops and executes ERM initiatives and ensures the integration of ERM with strategic management and decision processes.

monitoring/contraventions

Department Management Teams will monitor the application of the ERM Policy to ensure that policy requirements are met within their jurisdictions.

The ERM Policy and its framework will be regularly reviewed, verified and continually improved.

Non-compliance may result in disciplinary action, up to and including dismissal.

references

Occupational Health and Safety Policy

City Owned Property Insurance Claim Policy

City Owned Property Insurance Claim Procedures

Claim Reporting Procedures Involving Members of the Public or City Property

Strategic Branch Reviews Policy, 2008

Procedures for Strategic Branch Review, May, 2008

Strategic Branch Review, Support Module E: Risk Management, June, 2008

legislative and administrative authorities

City Council Minutes, Risk Management Policy Statement, Sept 12, 2001

Audit of the Management Control Framework Recommendations, Office of the Auditor General, 2005

Council-approved Audit Recommendations, May 9, 2007

Council-approved Long-Range Financial Plan Sub-Committee,

Report 3 Recommendation to implement Phase 1 of an ERM process, March 26, 2008

definitions

Enhanced Risk Management (ERM) – provides a continuous, proactive, systematic and consistent approach to understand, manage and communicate risks from an organization-wide perspective.

Risk – an event or conditions that create uncertainty around the achievement of objectives and/or variation of the expected outcome(s) over time. Risk is inherent in any business venture. Risks can be threats or opportunities and are measured by impact/consequences and likelihood/probability.

Risk Management – the systematic process of identifying, analyzing and responding to risk. Risk Management includes the avoidance and/or mitigation of hazards, the management of uncertainty and the harnessing of opportunities.

Risk Management Committee – a management committee formed under a Council directive to oversee, guide and monitor ERM at the City of Ottawa.

Risk Tolerance (or Risk Appetite) – the total amount of risk acceptable to Council and senior management while pursuing the City’s mission and vision. It is the City’s readiness to bear risks after mitigations are effected. The measurement of risk may be evaluated qualitatively or quantitatively. Risks need to be brought within the City’s risk tolerance. The Risk Impact Measurement chart sets out the City’s tolerance for risk.

Risk Owners – are accountable for the risk (usually the operating department) and responsible to implement the risk treatment, maintain risk controls, document and report relevant risk information.

keyword search

Claims

Corporate Risk Management

ERM

Enhanced Risk Management

Enterprise Risk Management

Insurance

Liability

Risk

Risk Appetite

Risk Impact

Risk Management

Risk Owner

Risk Tolerance

Self-insurance

enquiries

For more information on this Policy, contact:

Corporate Risk Management

Organizational Development and Performance Department

Corporate Business Services

City Operations

Tel: 613-580-2424, ext. 43703

[1] In the public sector, the terms integrated risk management, enhanced risk management, enterprise risk management and enterprise-wide risk management are interchangeable.