Risk Reporting – A How To Guide

Developed for: ORIMS Professional Development Session, October 22, 2013
Presented by: Steve Pottle, York University; Michelle Williamson-Reid, TSSA


Page 1

Developed for: ORIMS Professional Development Session
October 22, 2013

Presented by: Steve Pottle, York University
Michelle Williamson-Reid, TSSA

Risk Reporting – A How To Guide

Page 2

http://www.youtube.com/watch?v=laKprX-HP94

Page 3

Discussion Points

• To be heard or not to be heard – that is the question...
• How to communicate risk intelligently and effectively
• Risk Report Content – York and TSSA perspective
• Your turn (tell us your good ideas)

Page 4

Is Risk on the Radar?

• Risk Management has many homes in any organization
• Champion - who has the ear of the Board?

Page 5

Getting on the Agenda

Befriend the person(s) that creates the:
• Board work plan
• Committee work plans
  • Audit Committee
  • Governance Committee
  • Etc.
• Management meeting agendas

Page 6

When in Doubt

• Read the Board Charter

• Read company policies

• Read your job description

Page 7

Make it Relevant

• What do they want to know
• What should they know:
  • CICA’s “20 Questions”
  • risks to mission, vision and strategy
  • risks to business plan
  • reputational risks

Page 8

Be Brief

• Be clear

• Be concise

• Relate the risk information to their role:
  • Board charter
  • position description / job profile

• Relate it to the big picture

• Engage them (push versus pull)

Page 9

Be Careful

While there is job security in always being on the agenda...
• Make management accountable
• Encourage management to report on risk
  • Facilitates greater buy-in
  • Influences a risk aware culture

Page 10

The York U Experience.....

Page 11

York Board Reports

Annual Risk Report

• Audience: Audit and Finance Committee of Board of Governors

• Focus: Risk Management tied to University’s Academic Plan (Key driver for senior admin decision making)

• Supplement: Board memo on insurance coverage

Page 12

York Board Reports

Table of Contents

• Introduction
• Risk Management
  • Awareness and Educational Initiatives
• Insurance Program Update
  • Premiums
  • Claims

Page 13

York Board Reports

Legislative Compliance Annual Report

• New report for Risk Management as of 2013

• Update on Universe of Legislation applicable to York (Board Directive)

• What are we going to report on?

• Developed three-year reporting cycle approved by CFO and VP Admin. (Board Stakeholders)

Page 14

York Board Reports

Legislative Compliance Annual Report (three-year reporting cycle)

• Review Proposed Acts for Inclusion in the Top 15
• Review Federal, Provincial, and Municipal legislation (Updating for changes to existing legislation and updating the Universe with new Acts)
• Review existing Universe of Legislation (Updating Inherent Risk Assessment)

Page 15

York Board Reports

Legislative Compliance Annual Report (three-year reporting cycle)

• Year one: Review Top 15 Acts (based on risk impact); refresh Universe of Legislation (Federal, Provincial, Municipal)

• Year two: Identify new Acts for possible inclusion in Top 15

• Year three: Review Universe of Legislation

Page 16

The TSSA Experience.....

Page 17

Audit, Finance and Risk Committee

Quarterly reporting on:
• priority enterprise risks and their impact on strategic and business plan initiatives
• status of risk mitigation activities and impact on level of risk
• assurance (audit) activities
• status of audit action plans
• large losses (insured and uninsured)

Page 18

Audit, Finance and Risk Committee

Annual reporting on:
• insurance program (renewal)
• changes to ERM framework, Guideline, Risk Register
• Business Continuity Plan (changes, results of tests, etc)
• three-year audit plan

Page 19

Governance, Safety and Human Resources Committee

• Quarterly reporting on priority enterprise risks and their impact on strategic and business plan initiatives
• Quarterly reporting on status of risk mitigation activities and impact on level of risk
• Reporting on results of assurance/audit activities, as appropriate

Page 20

Board of Directors

• Annual reporting on results of enterprise risk assessment
• Annual reporting on risk mitigation activities (in conjunction with strategic and business plan)
• Reporting on results of assurance/audit activities as appropriate

Page 21

Tricks of the Trade

• Risk legend for all agendas
• Relate individual agenda items to risks
• Add dedicated section / heading for risk to all reports, briefing material, etc.

Page 22

Agenda Legend (For Illustrative Purposes Only)

Strategies
• LRK – Leverage Risk Knowledge
• CF – Compliance First
• SRS – Shared Responsibility for Safety
• OE – Organizational Effectiveness
• WKPL – Board Governance Work Plan
• NA – Not Applicable

Priority Risks
• Risk 4 – Enabling legislation
• Risk 6 – Data and information
• Risk 7 – Business processes and controls
• Risk 12 – System acquisition and implementation
• Risk 13 – System functionality
• Risk 19 – Culture
• Risk 20 – Board of Directors
• Risk 22 – Ministry of Consumer Services
• NA – Not Applicable

Page 23

Agenda Reference (For Illustrative Purpose Only)

Internal Audit

Columns: Time | Item | *Strategy* / Priority Risk # | Reference | Lead

12:40 p.m. (30 min)
• Item: 1. Review updated internal audit business case (FOR DISCUSSION)
• Strategy: WKPL / Action item
• Priority Risk #: N/A
• Reference: Updated internal audit business case briefing note attached
• Lead: Richard Smart; Grant Thornton LLP (David Florio)

1:10 p.m. (30 min)
• Item: 1. Internal audit plan update:
  A. Update on current year internal audit plan and status of actions from completed internal audits (FOR DISCUSSION)
  B. Review and recommend to the Board 2012/2013 safety incident data review report (FOR DECISION)
  C. Review report on timing of addressing observations relating to the procurement audit plus action plan to address contracts that are non-compliant with the Procurement Policy (FOR DISCUSSION)
• Strategy: A. WKPL; B. WKPL; C. WKPL / Action item
• Priority Risk #: A. N/A; B. 6; C. 7
• Reference: A. Status report on internal audit plans attached; B. 2012/2013 safety incident data review briefing note and GT report attached; C. Procurement Audit update attached
• Lead: Grant Thornton LLP (David Florio); Michelle Williamson; Brenda Buchanan

Page 24

Dedicated section for risk in meeting material (For Illustrative Purposes Only)

Purpose – For Discussion

This report provides information to the Audit, Finance and Risk Committee (AFRC) on the implementation status of the fiscal year 2012/2013 internal audit plan, and internal audit action plans arising from previously completed audits, consistent with the AFRC work plan.

Desired Outcome

This report is intended to engage AFRC in discussions relative to the level of residual risk present as a result of control weaknesses identified during internal audit activities.

Impact on Strategic Plan and Priority Enterprise Risks

The internal audit action plans are designed to mitigate identified control weaknesses and/or risks and enable the achievement of objectives. Specifically, the action plans arising from the incident data, technical data and Oracle-Operating Engineers inspection process audits mitigate elements of the data and information risk (#6) and business controls and process risk (#7). The action plan arising from the information technology general controls audit also aims to mitigate aspects of the business controls and processes risk.

Background

XXX

Page 25

Best Practices You’d Like to Share...