April 2004 — PRINT EDITION    
 
ERM: doorway to the future Table of Contents
   
 

ERM: doorway to the future

By Jonathan D. Andrews & Edward Robertson
Illustration: John Sapsford

Central to the implementation of a comprehensive
enterprise-wide risk management program is the web-based tool "PEAK"

A small doorway next to a well-known jeweler's on Government Street leads into an older building that was once part of Victoria's more notorious, colourful past. It is now home to the government of British Columbia's Risk Management Branch, and the source of an initiative that is impressive in its scope and farsightedness.   An enterprise-wide risk management (ERM) program is being rolled out across BC's provincial ministries. The program's early results will be reflected in some ministry plans by the end of the first quarter of 2004; implementation will eventually include the broader provincial public sector.

The story begins in early 2001 with the recognition of a growing need for an ERM methodology by the risk management branch. Eventually, the branch adopted an internationally recognized ERM standard and launched a series of initiatives to establish ERM as BC's preferred framework for decision-making.

In 2001 and 2002 serious concerns developed in private-sector corporate governance and accountability. Crises such as 9/11 encouraged heightened risk awareness. Advanced practice

in risk management had already moved from conventional hazard-based assessments toward an enterprise-wide approach, where every aspect of the organization is scrutinized when analyzing risk.

The new approach was taken up by Phil Grewar, director of the risk management branch. "Senior executives in the ministries liked the way we were approaching risk management from a risk analysis perspective," Grewar says. Moreover, risk-based financial controls are an important tenet of current comptrollership practices — a key factor in winning support from BC's comptroller general.

"So we had interest from the comptroller general and the desire from a financial control perspective: from budgets, from government and from operations," Grewar says.

While it was expected it would take a year to sell the concept to the rest of the senior executives, it was achieved within a month: "Intellectually, the whole idea resounded with people," says Grewar. "There was im-mediate buy-in, from the deputy ministers to the premier."

The chief reason for early acceptance was that ERM was promoted as a method-ology to lend rigor to existing planning processes, not as an added administration. Risks are comprehensively identified, an-alyzed in terms of likelihood and degree of consequence and ranked. The value of existing mitigation strategies — or the need for new ones — is then determined rationally. Decision-makers end up with a statement of their most pressing business risks, forming a defensible basis for distributing resources.

For Grewar and his team, that was the sell and it worked quite well, he says. ERM is now mandated in corporate policy.

Decision-makers for managing organizational risks need to adopt some kind of framework, says Graham Fisher, ERM project manager. A cornerstone is necessary to anchor the methodology and promote a common language. Fisher's research led him to evaluate various standards, including those of Canada, Japan, UK, Australia and New Zealand. The standard was required to demonstrate such attributes as:

  • analysis of financial and operational risks;
  • recognition of risk in terms of adverse consequences and opportunities;
  • balance of costs of controls against potential benefits;
  • support for a culture of risk-taking, accountability and transparency; and
  • enhancement of goal-setting and performance measurement.

The Australia/New Zealand 4360:1999 standard met or exceeded all of Fisher's criteria and "demonstrated a clear superiority to its rivals." Moreover, it had already generated a significant body of published information through its practical implementation in several areas.

Having identified the new standard, BC's risk management branch began to implement a program through complementary resources and activities. Supporting program elements included:

  • survey on ministries' risk culture;
  • guideline documents;
  • introductory course offerings;
  • presentations to foster awareness;
  • list of qualified external consultants;
  • initiation of an ERM community of practice (about 70-strong); and
  • Web-based technologies, including information sites and ERM software.

At this point, internal audit and advisory services (IAAS), within the office of the comptroller general, began to support the program by playing a consulting role as an internal resource for those ministries wishing to build a risk management capacity. David Fairbotham, executive director of IAAS, says his group is now facilitating risk assessment processes but later will focus more on governance. His immediate concerns included finding time and resources for senior management support and keeping the approach comprehensive so people can use it.

The risk management branch has been a leading advocate of ERM working with different branches in government, contractors and Crown agencies in the capacity of a facilitator and leader, Fisher says.

With interest being generated in a common approach, newer risk managers began both to ask for direction and to point out individual concerns. Where, specifically, were they to apply ERM techniques? To what extent could they develop their own methods? It was clear that ministries had to establish their own risk management priorities. A logical start would be to run the goals and objectives in their annual plans through the risk analysis process.

"[ERM] is a tool you would use when starting a new initiative," says Fisher, "or as a planning tool, or to help you manage specific projects." While pockets of risk management activity continue to grow, it is envisioned that there will be a roll-up of service plan risk assessments within ministry hierarchies.

The needs of Crown corporations and health and education authorities are being addressed. In fact, many public sector entities are already participating in a newly established community of practice — a discussion group facilitated by the risk management branch for those charged with risk management. Grewar estimates ERM will be implemented within the entire public sector over the next two to three years.

The philosophy promoted within the BC government is that risk management is not an additional administrative procedure but an improvement to existing pro-cesses: ERM is intended to be an integral part of the way ministry employees think, plan and manage. Each ministry, with its particular business areas and risk profile, needs to develop its own risk management culture. Initial efforts are focused on developing risk champions at both senior and operational levels.

The ERM community of practice was organized and facilitated according to the fundamentals of knowledge management. Those practising risk management need to set their own discussion agenda, compare notes and learn from one another. In several plenary sessions and through exchanges on a collaboration website, issues such as service plan requirements, freedom of information concerns and software implementation plans have been covered.

Fisher is somewhat cautionary: "The process of implementation is in its early stages and it will take at least three to five years before one can expect to measure a meaningful improvement in risk management maturity." Still, he is encouraged that awareness of ERM is growing and actions are being taken.

A risk culture survey was completed in July 2002 and another one is scheduled for 2005 to see how far the culture has developed. "Hopefully, we've moved along into a mature position. However, we're really depending on management themselves," Grewar says. "We'll be able to tell by the quality of the work that comes out of the service plan cycle."

High-level risk analyses are expected from more than half the 20 provincial ministries in 2004. Central to BC's plans to implement the ERM methodology is a Web-based ERM software tool, performance excellence through action and knowledge (PEAK).

Three types of Web-based technologies used in the initiative are: three information sites (Internet, InTRAnet and EX-TRA net); a discussion forum; and PEAK.

The purpose of the Web and collaboration sites is clear, but business case considerations were key in the selection of PEAK. A tool was needed across government to support the preferred Australian/ New Zealand method and terminology, as well as to facilitate a common approach to the roll-up and communication of risks within ministry hierarchies.

PEAK was proposed because it is for solving problems where there is a structured process that needs to be implemented and there is a need to coordinate a team or large organization of people. It handles document management and the ERM working process in one view.

An early buy-in to the application was done by involving a cross-government team in software testing and evaluation. Also important was the design of the specific configuration and business rules to be used. The core design, suitable for risk analysis in any government area, was also tested by the community of practice and in a pilot exercise within a ministry.

Each ministry will take up the application in its own way. The key is to target both the service planners and those who demonstrate interest in being early adopt- ers and ERM champions.

It is anticipated that PEAK will create business value for users, and that its consultative approach will assist speedy implementation. For its own part, the risk management branch is training internal staff, including administrative support, in its use. It is the tool of choice for conducting risk identification sessions and, as Hooper says, "capturing all the business risk information in one location."

The current feeling is that BC government operations applying ERM to strategic and operational decision-making will have greater assurance that their objectives will be achieved. Ministries will be in a better position to allocate program re- sources rationally and defensibly. In the long run, ERM will complement performance management and reporting.

The enterprise part of the government's ERM implementation has several aspects, including the strategic use of a common policy and standard, support of Web-based tools and consultation with people at each stage. Such a program will give the government an opportunity to develop a mature risk management culture, facilitated by an effective set of standards and a compelling use of technology. 

Jonathan D. Andrews, CA•IT/CISA, FCA (England & Wales), is president of NetLearn Services Inc., in Victoria. Edward Robertson, MES, MPA, is program manager, ERM implementation, risk management branch of BC

Technical editor: Deryck Williams, CMC, FCA, partner at PKF Hill in Toronto

  
RELATED LINKS
  

The IVM solution, by Murray Wolfe & Cathy McIsaac, CAmagazine, October 2003

Managing risk organization-wide, by George N. Allport, CAmagazine, September 2000

The brain gain, by Peter Dent and Olivier L. Curet, CAmagazine, August 2003

Enterprise Risk Management Framework, PriceWaterhouseCoopers

Enterprise-wide risk management:  Additional resources

Risk, control, results and values, Treasury Board of Canada Secretariat

Annotated bibliography for the study on: Best practices in risk management…, Treasury Board of Canada Secretariat (1999)

Integrated risk management framework – pamphlet, Treasury Board of Canada Secretariat

Integrated risk management framework: A report on implementation progress - March 2003, Treasury Board of Canada Secretariat