Toronto politicians seek “integrated” city-wide risk management approach


July 15, 2015   by Canadian Underwriter



A month after City of Toronto staff reported a “lack of common understanding of risks across the entire organization,” municipal politicians have voted to ask the city’s most senior civil servant to “review options for managing risks on an integrated basis.”

During an assessment of risk across City of Toronto public sector organizations, “it became apparent that while certain elements of an integrated enterprise-wide risk management (ERM) framework are present, a complete and formal framework is not in place,” stated Beverly Romeo-Beehler, the city’s auditor-general, in a report submitted June 11 to City Council’s audit committee.

Toronto’s full council voted July 7 to request that City Manager Peter Wallace – the most senior official in the city’s administrative structure – “review options for managing risks on an integrated basis across the City and report back to Council on a work plan and timeline for implementation.”

That motion was based on a recommendation Romeo-Beehler made in June. In her report, Romeo-Beehler named other Canadian cities which – unlike Toronto – have adopted either ERM, integrated risk management or a similar framework. Those included Vancouver, Calgary, Edmonton and Ottawa, as well as the Ontario cities of Burlington, Guelph and Windsor.

The review that Toronto City Council is asking for would consider an “appropriate” corporate ERM policy, and/or “enterprise framework for an integrated approach to risk management.” The review must also consider “the appropriate resources, tools, and job aids to be made available” to the city’s divisions, agencies and corporations, “to support a common and consistent understanding of risk management processes and practices.”

The city manager’s review – also recommended June 26 by the audit committee – would also consider “appropriate mechanisms for tracking and monitoring risks,” and to report on “significant risks” either to full council or to an “appropriate” city council committee.

“A risk management framework with a common classification, consistent methodology, and/or tools for use across the City has not been established,” Romeo-Beehler wrote in her staff report to the audit committee. “As a result, there is a lack of common understanding of risks across the entire organization. For example, ‘risk management’ is often only referred to in the context of exposures addressed through insurance. Similarly, ‘risk assessment’ is often thought of in the context of fraud risks or risks to financial reporting or financial control. Seldom are divisions conducting formal risk assessments that contemplate broader strategic or governance risks, reputation risks, and/or human risks (social responsibility).”

During an auditor-general’s assessment in 2014, “16 out of 58 City divisions, agencies, and corporations indicated they had formal risk assessment processes in place,” Romeo-Beehler wrote in June. “Information provided by the division, agency, or corporation indicated that these processes were specific to its operations, services, and/or activities.”

For example, she noted, the Toronto Transit Commission plans to implement an ERM program by 2017.

“To our knowledge, only the TTC has acquired a software platform to facilitate monitoring, communication, and reporting of their ERM program,” Romeo-Beehler noted.

One organization with a risk assessment process in place is Toronto’s parks, forestry and recreation division. The risk areas it has identified include diversity and discrimination risk, employee relations, environment, privacy and confidentiality risk, project management risk, fraud and theft, among other things.

Romeo-Beehler suggested that individual city units’ scope of the risk assessments “were generally limited to one or more” of either operational risks, fraud risks, project-specific risks or compliance risks (based either on legislation or standards defined by the Ontario government).

“The City does not have formal communications and reporting mechanisms for keeping stakeholders continuously informed of organizational risk management processes, practices, and risk responses,” Romeo-Beehler wrote. “Key risks, both internal and external, that could significantly influence overall City priorities, performance, and achievement of corporate objectives, as well as their likelihood and their potential impacts should be available ‘at a glance.’ Risks at the operational level should be aggregated, if applicable, and then prioritized to create a succinct list of the organization’s key risks that require executive management and City Council attention.”

