Audit of the Industrial and Regional Benefits Management Control Framework
3.3 Risk Management
According to the Core Management Controls, in an environment with well-designed controls, management and staff should have a solid and up-to-date understanding of the internal and external factors that may expose their strategic and operational objectives to risk. Well-managed organizations should have in place formal and institutionalized practices that permit them to monitor their environments for conditions that may result in risk or opportunity.
The existing components of the IRB risk management regime include the following:
- The draft Business Plan includes an analysis of external and internal risks that may affect the objectives, policies and/or control environment of the Directorate;
- For each of the seven areas of critical importance within the draft Business Plan, there is a listing of key risks, and a strategy to mitigate those key risks; and
- As part of the IRB transaction verification process, IRB managers conduct risk assessments to identify/verify large transactions, or transactions that are high risk from an operational policy perspective. This process is not documented, and the approach differs among IRB managers.
The draft Business Plan indicates that a Risk Analysis Framework will be developed and implemented during the planning period. We noted that the Plan does not provide an assessment of each risk in terms of impact and likelihood.
According to the Core Management Controls, management should have a documented approach to risk management that identifies risks that may preclude the achievement of its objectives, and that identifies and assesses the existing controls in place to manage its risks.
As part of the changes to its management control framework, the Directorate is currently mapping key processes, procedures and controls related to IRB.
At the IRB project level, we did not find documented and articulated risk management practices or a risk methodology. We were informed that risk-related issues are discussed at staff meetings. The IRB Directorate should articulate, document and communicate its risk management practices/methodology and related tools to ensure an appropriate risk-based monitoring and management approach to its projects. The methodology should encompass an assessment of the impact and likelihood of risks that are identified.
Recommendation 3.0: The Director, IRB Directorate should ensure that, at the project level, risk methodology, risk management practices, and related tools are documented and communicated.
The IRB Directorate's initiatives to update its MCF are partially implemented or under development and, therefore, it is too early for AEB to provide an assessment of the MCF's effectiveness. The Directorate's draft Business Plan 2010–13 represents a proactive approach to define the Directorate's vision and mandate, and it contains the key foundational pieces of the revised MCF that need to be implemented. The proposed MCF aligns well with most of the criteria of OCG Core Management Controls.