Enterprise Risk Management Directive
The Enterprise Risk Management Directive sets out principles, requirements and responsibilities for effective and efficient enterprise risk management. Enterprise Risk Management is a proactive, systematic, organization-wide process to understand and manage risks as an interrelated portfolio. The directive applies to ministries and provincial agencies.
1. Introduction
Risk is the effect of uncertainty on objectives. It can be characterized as either a potential negative (threat) or positive (opportunity) consequence or event that deviates from an expected outcome. Enterprise Risk Management is a proactive, systematic, organization-wide process to understand and manage risks as an interrelated portfolio. It is about making strategic decisions that contribute to the achievement of the organization’s objectives.
The Enterprise Risk Management Directive establishes the government’s policy regarding management of risk. The Ontario Public Service (OPS) Enterprise Risk Management Framework
2. Purpose
This Directive sets out principles, requirements and responsibilities for effective and efficient enterprise risk management.
3. Application and scope
This Enterprise Risk Management Directive applies to ministries and provincial agencies.
Provincial agencies are required to manage and report on risk as set out in the Agencies and Appointments Directive. These risk requirements are consistent with the principles in the Enterprise Risk Management Directive. Provincial agencies and their responsible ministries work together to ensure that risk assessment, evaluation and reporting requirements under the Agencies and Appointments Directive are fully supported and met and form part of ministry risk assessment and reporting.
This Directive should be read in conjunction with any requirements with respect to risk management under other directives and policies.
4. Administration
This Directive is issued under subsection 3 (3) of the Management Board of Cabinet Act and is meant to be read and applied in its entirety.
The Secretary of Treasury Board/Management Board of Cabinet has the authority to issue mandatory operational policies consistent with this Directive.
A ministry must seek Treasury Board/Management Board of Cabinet (TB/MBC) approval if, in exceptional circumstances, the ministry or one of its provincial agencies requires an exemption from all or part of this Directive. The ministry must set out the rationale for the exemption in a business case.
5. Principles
The following principles guide the application of this Directive.
Enterprise Risk Management:
- Is focused on the achievement of objectives;
- Requires the active participation of senior management and staff across the organization;
- Is driven by deliberate and dedicated communication and consultation activities;
- Is driven by a common approach and application across the enterprise;
- Is tailored to the organization’s external and internal context.
6. Requirements
Ministries and provincial agencies must have risk management practices in place tailored to the capacity, mandate, objectives, activities and responsibilities of the organization. To accommodate the diversity of organizations, programs and activities, the system of risk management can be customized to reflect unique business needs.
Ministries shall:
- Implement a system of integrated Enterprise Risk Management, informing key decision making.
- Apply the OPS Enterprise Risk Management Framework including:
- Using the Five-Step Risk Management Process defined in section 8 of this directive. The process helps ensure that risks are properly identified, assessed, and mitigated. The five steps:
- state objectives and establish context;
- identify risks;
- assess risks;
- plan and take action;
- monitor and report.
- Considering the four Business Objective Lenses when identifying and assessing risks:
- Strategy (high-level goals and objectives);
- Project (activities and tactics aimed to achieve defined objectives);
- Operations (effective and efficient use of resources);
- Continuity (emergency management and contingency planning).
- Establish a Risk Profile, as defined in section 8 of this Directive, that shall be updated at least annually and reviewed as part of ministry risk oversight and monitoring.
- Establish governance structures for oversight and monitoring of risk including creating or assigning a senior level committee, that shall meet at least once every six months, to review:
- New and ongoing risks;
- The implementation and effectiveness of risk mitigation strategies;
- The use of Enterprise Risk Management information and reporting in decision-making;
- The ongoing maintenance of the Risk Profile, including its update and refresh;
- Performance measures to identify trends and determine if the risk management process is functioning as intended (e.g. number of risks managed down from high over a given period of time, number of unmitigated high risks in a given period of time);
- Compliance with requirements of this Directive and action plans to ensure compliance;
- Integration with audit and assurance activities including the ministry's Internal Control Framework.
- Develop and maintain processes to build risk management capability and capacity including linking risk management competencies to recruitment, retention, and professional development.
- Ensure that provincial agencies for which they are accountable are aware of the requirements of this Directive.
- Identify instances where the requirements of this Directive have not been met and establish an action plan to remedy them.
- Report risk information to central agencies through the government’s annual business and fiscal planning process and other processes as required.
7. Roles and responsibilities
All Ontario Public Service staff, provincial agency appointees, and provincial agency staff are responsible for following sound risk management practices and are accountable to the government for management of risk. More specific responsibilities are outlined below:
7.1 Treasury Board/Management Board of Cabinet
- Approving changes and exemptions to this Directive.
- Taking relevant key risks into account when making decisions.
7.2 Secretary of Treasury Board/Management Board of Cabinet
- Issuing mandatory operational policies consistent with this Directive.
- Specifying requirements for ministries and provincial agencies to report risk information to central agencies.
- Ensuring this Directive is reviewed as needed, and at least every five years.
7.3 OPS Chief Risk Officer
- Overseeing the OPS ERM process, including reviewing and advising on ministry risk information and risk management practices.
- Providing guidance, training and being a center of expertise in support of this Enterprise Risk Management Directive and OPS Enterprise Risk Management Framework.
- Providing advice and guidance when the other program areas may be addressing risk in new or existing corporate directives and policies.
- Advising the Secretary of Treasury Board/Management Board of Cabinet on requirements for ministries and provincial agencies to report risk information to central agencies.
- Working in cooperation with ministries and central agencies to ensure that risk information is available to the Treasury Board/Management Board of Cabinet, and other key decision makers as required to inform decision-making.
7.4 Office of the Treasury Board
- Providing relevant key risk information to the Treasury Board/Management Board of Cabinet as required to inform decision-making, including integrating key risks into annual business planning.
7.5 Ontario Internal Audit Division
- Reviewing and advising on the effectiveness of Enterprise Risk Management systems and processes.
- Providing assurance that ministries and provincial agencies follow requirements of this Directive.
- Utilizing risk information to inform audit planning.
7.6 Deputy Minister/Agency Chief Executive Officer or Equivalent
- Ensuring that the principles and requirements of this Directive are adhered to within the ministry and/or provincial agency.
- Ensuring that the organization has the capacity and capability to effectively manage risks and develop and maintain a risk profile.
- Fostering an organizational culture that supports the integration of risk management into strategy, operations, projects and business continuity.
- Designating a senior leader at the level of Assistant Deputy Minister, Agency Chief Financial/Risk Officer or equivalent as having responsibility for risk.
7.7 Senior leader responsible for risk (Assistant Deputy Minister, Agency Chief Financial/Risk Officer, or equivalent)
- Working with other Assistant Deputy Ministers or equivalent provincial agency executives to ensure compliance with this Directive.
- Ensuring appropriate risk governance structures and processes are in place in accordance with the requirements of this Directive.
- Ensuring common risk management processes and tools are in place within the organization for effective risk management.
7.8 Management
- Complying with the principles and requirements set out in this Directive.
- Working with staff and other leaders and managers to support compliance with this Directive.
- Making staff aware of the principles and requirements of this Directive.
- Ensuring that staff are provided the knowledge, skills and competencies to practice risk-based decision making.
8. Definitions
For the purposes of this Directive, the identified terms have the following meanings:
Business Objective Lenses: Key high-level lenses representing the primary types of business objectives in which risk information is commonly found and organized throughout the enterprise.
- Strategy (high-level goals and objectives);
- Project (activities and tactics aimed to achieve defined objectives);
- Operations (effective and efficient use of resources supported through internal control and assurance activities);
- Continuity (emergency management and contingency planning).
Category: A brief one to two-word description of the core characteristics of the risk that it might share with other similar risks, considering both causes and impacts. Some examples might include “Financial”, “Human Resources” or “Information & Information Technology”. Within each category, organizations may choose to further define risks into more detailed sub-categories. Categorization helps an enterprise to recognize trends and root causes across the enterprise with respect to risk.
Enterprise Risk Management: A proactive, systematic, organization-wide process to understand and manage risks as an interrelated portfolio. It is about making strategic decisions that contribute to the achievement of an organization’s overall objectives.
Five-Step Risk Management Process: A process for ensuring risks are properly identified, assessed, and mitigated, set out in the OPS Enterprise Risk Management Framework:
- state objectives and establish context;
- identify risks;
- assess risks;
- plan and take action; and
- monitor and report.
Provincial Agency: An entity that is part of the Government of Ontario, but not organizationally part of a ministry.
Risk: The effect of uncertainty on objectives. It can be characterized as either a potential negative (threat) or positive (opportunity) consequence or event that deviates from an expected outcome.
Risk Assessment: The process used to determine risk management priorities by evaluating and comparing the level of risk against pre-determined standards, target risk levels or other criteria.
Risk Management: A systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, acting on, monitoring, and communicating risk issues.
Risk Profile: A summary of the number of risks, categories of risk, and how risks may affect and inform strategy and achievement of objectives. The risk profile is normally informed by information included in a risk register.
Risk Register: A tool for documenting risks and actions to manage each risk. In the register, risks are identified, assessed and tracked. For each risk it should, at minimum include the objective at risk, a description of the risk, an assessment of likelihood, impact and overall risk, categorization of the risk taking into account existing controls, a risk mitigation plan, and accountability for the risk and its mitigation.
9. Additional resources
OPS Enterprise Risk Management Framework
Additional resources and guidance on Enterprise Risk Management are available on the ERM site on the Financial Management Gateway.
Footnotes
[1] Note: the links will open an internal site, which will not be available to everyone. Please send your inquiries to the OPS Enterprise Risk Management office at OPS.erm@ontario.ca.