Business Administration AP 509: Enterprise Risk Management

Background

Fort McMurray Public School Division is committed to ensuring that risk management practices are embedded into key processes and operations to drive consistent, effective and accountable actions and decision making in management practice and Board governance.  Fort McMurray Public School Division’s Enterprise Risk Management (ERM) framework is consistent with the practices suggested by generally accepted global ERM standards frameworks.

ERM is designed to identify potential events/risks that may significantly affect the Division’s ability to achieve it’s mission, beliefs, standards and goals. Through the ERM process, identified risks are assessed based on likelihood and impact. Management processes and controls are used to provide reasonable assurance that significant risks are sufficiently mitigated to support the achievement of the Division’s goals.

ERM assists to assess the Division’s appetite for risk (risk tolerance) and identifies gaps where identified risks are either over or under mitigated. This leads to the identification of opportunities and strategies to either close gaps where residual risk is higher than risk appetite or to reallocate resources from areas where residual risk is lower than risk appetite.

The end product of ERM includes a ranked risk register reviewed in developing the budget. ERM is an ongoing process with the administrative procedure and outcomes revisited and reported at least annually.

Purpose

The purpose of the ERM Administrative Procedure is to establish ERM roles and responsibilities as well as the strategy of Fort McMurray Public School Division to manage its risks. The Division will identify and manage it’s enterprise risks in support of it’s vision, beliefs, standards, and goals. The Division cannot seek to eliminate risk; rather, it will support that existing and emerging risks are identified, communicated, and effectively managed.

Definitions

The following definitions will apply for the purpose of this administrative procedure:

Enterprise Risk Management (ERM): ERM is an integrated enterprise‐wide process established over time that links the management of risk to strategic goals in order to improve organization performance.    It creates a formal process for managing the myriad of risks an organization faces.  While ERM is not the same as a risk assessment, the assessment of risk is an integral part of an ERM process.

Risk: An internal or external event, activity or situation that impacts the ability of the Division to achieve its vision, beliefs, standards, and goals.

Enterprise‐wide Risks: For identification purposes, risks may occur in any one of the following categories: environment, facilities, financial, governance, government relations, human resources, information technology and support areas, managerial effort/capacity, operations, reputation, strategy and vision and student outcomes. Risks rated as high using division tolerance levels will be deemed enterprise‐wide risks.

Financial Risk: The ability of the Division to meet assumptions, principles, and priorities set in the annual budget.  

Reputational Risk: Real or perceived event that has the ability to impact the public confidence in the Division.

Inherent Risk: The possibility that risks will prevent an organization from achieving its goals before the consideration of processes and controls are in place to manage or mitigate the risks.

Impact: Significance of a particular risk to the entity. The significance of a particular risk can range from insignificant to severe/catastrophic. The magnitude of the impact is determined with respect to an organization’s risk appetite, risk capacity, and organizational goals.

Likelihood (of Occurrence): Probability that a particular risk will occur. These probabilities range from rare to almost certain.

Manage: To control or take charge of risk(s) in order to avoid or minimize its adverse impact on the Division and to maximize its opportunity.

Mitigate: To lessen or minimize the adverse impact of risk(s) through specific management processes or internal control activities.

Optimize: To balance potential risks versus potential opportunities within the Division’s stated willingness or appetite and capacity to accept risk. This may require an organization to increase or decrease the amount of risk relative to the potential opportunity.

Residual Risk: Risk remaining after considering the effectiveness of management responses optimize (i.e., processes and controls used to manage or mitigate the risks).

Risk Identification: The process of identifying and understanding potential risks to the Division.

Risk Management: The process of identifying, evaluating, selecting and implementing an action plan to avoid or mitigate threats and to leverage and maximize, where possible, risk opportunity.

Risk Monitoring: The process of reviewing and evaluating the effectiveness of the action plan implemented through the risk management process and identifying opportunities to minimize the future reoccurrence of similar risk.

Risk Opportunity: The return which may be realized if the risk is assumed but managed in a manner that maximizes its potential benefit.

Risk Appetite: Level of risk an organization is prepared to accept to achieve its goals and objectives (i.e., the level of tolerance for risk in a company).

Risk Owner/Leader: An individual that has been given the authority to manage a particular risk and is accountable for doing so.

Management Effort: The use of resources and implementation of processes to support the Division achieving its strategic goals.

1. Roles and Responsibilities
   1. The following defines roles, accountabilities and responsibilities for: identifying and evaluating key risks; documenting and managing the response to key risks; facilitating appropriate risk/reward decisions at all levels of administration; communicating risks, and administrative responses and priorities to all relevant staff; and for governance of risk management at the Division.
   2. Board of Trustees
      The Board has ultimate responsibility for risk in the school division and therefore, the Board provides governance oversight of the Division’s ERM program and foster a culture of risk=informed decision making throughout its work. This responsibility is demonstrated through a review of at least the following items:
      1. Board Policy as it relates to the committee’s terms of reference, minimum annually
      2. Administration’s risk appetite/tolerance levels
      3. Administration’s risk register and risk assessment results for the Division’s top enterprise‐wide risks (minimum annually).
      4. Review Audit and Finance Committee Reports
   3. Audit and Finance Committee
      The Audit and Finance Committee (as a subcommittee of the Board) has certain delegated responsibilities for oversight of the ERM program from the Board. The Audit and Finance Committee is responsible for reviewing, and presenting to the Board as required, the following:
      1. Changes to the Division’s ERM framework.
      2. Administration’s risk appetite/tolerance levels
      3. Administration’s risk register and risk assessment results for the Division’s top enterprise‐wide risks.
      4. Action plans to address risk mitigations and opportunities identified as a high priority.
   4. Superintendent of Schools
      The Superintendent or designate is accountable to the Audit and Finance Committee and Board of Trustees with respect to ERM, and is responsible for ensuring the ERM framework approved by the Board is implemented and operational through:
      1. Championing risk management within the Division to embed a risk-aware culture throughout the Division.
      2. Integration of ERM into the strategic, business and operational planning and decision-making.
      3. Ensuring effective risk identification, risk assessment, risk management and risk monitoring processes within the Division.
      4. Consulting, as required, with the Division’s employees or external consultants to effectively manage all aspects of risk.
      5. Providing ERM status updates (either directly or via a designate) at every Audit and Finance Committee, and at least once per year to the Board of Trustees, on risk management activities, as well as if any significant risk changes or issues arise.
   5. Associate Superintendent of Business and Finance (CFO)
      The Associate Superintendent of Business and Finance is accountable to the Superintendent of Schools and is responsible to managing the implementation and maintenance of the ERM administrative procedure and framework by:
      1. Developing, monitoring and revising the ERM administrative procedure.
      2. Coordinating the risk identification, risk assessment, risk management and risk monitoring processes.
      3. Preparing status updates at least once per year to the Superintendent on risk management activities, as well as if any significant risk changes or issues arise.
   6. Senior Leadership Team
      The Senior Leadership team is accountable to the Superintendent and is responsible for:
      1. Active participation in the risk assessment process, including promoting the Division’s ERM Administrative Procedure and Framework as well as expectations for the management of risk.
      2. The formal identification of risks that impact the Division’s strategic goals and objectives.
      3. Assisting to rank risks, based on the Division’s impact and likelihood criteria.
      4. Monitoring progress in managing risks and implementing improvement opportunities.
      5. Ensures that tools and training for ERM are integrated into schools, departments and or Division plans.
      6. Reporting at Senior Leadership Team meetings on the status of risk items delegated to specific risk owners.
      7. Communicating the expectations of staff impacted by the identified ERM risks.
      8. Communicating ERM results to all staff
   7. Principals and Supervisors
      The Principals and Supervisors are accountable to the Superintendent or their designate and are responsible for:
      1. Integrate risk management into the planning and operations for which they are responsible, drawing on risk management training, tools and guidance.
      2. Ensure risk management activities are carried out effectively, integrating them with ongoing activities & decisions.
      3. Escalate risks to the Senior Management Team.
   8. Staff
      Staff are accountable to their Principal or Supervisor and are responsible for:
      1. Apply risk management within their scope of duties and responsibilities and
      2. Report risks to their Supervisor or School Principal
         
         
2. Risk Identification
   1. When identifying risks, consider:
      1. Current and future expected risks.
      2. Risks associated with recent internal changes in the business.
      3. Risks associated with the external change in the business or political environment.
      4. The root causes for the risks (i.e., the source of the risk: why, how, and where the risk originates, either outside the organization or within its processes or activities) in order to achieve a more rigorous risk assessment and to better position the school division to manage the risks
   2. Use the risk categories below as a guide:
      1. Environment Health and Safety
      2. Facilities
      3. Financial (ex: government funding formula and the ability for the Division to achieve its budget and Annual Education Results Report (AERR))
      4. Governance (ex: Board Authority)
      5. Government Relations
      6. Legal
      7. Managerial Effort / Capacity (ex: Human Resources, Teacher’s ability to teach all students)
      8. Operations
      9. Reputational (ex: protecting privacy and cyber security)
      10. Strategy & Vision
      11. Student Outcomes
   3. Repeat identification cycle annually and on an ad-hoc basis as required for significant changes or new processes, programs and initiatives.
   4. The cycle identifies key risks on a functional or strategic basis which are then integrated to derive key enterprise-wide risks.
   5. Review of the risk list is on the Board’s agenda at least once per year.
   6. The Appendix attached contains specific examples of Education sector-specific risk categories.
      
      
3. Risk Assessment
   1. The Risk Assessment step identifies the significance of those risks that might affect the achievement of the Fort McMurray School Division’s goals.
   2. Risk assessment considers both the likelihood that an identified risk will occur and the impact that risk would have, if it did occur, on the achievement of the Division’s goals
   3. Risk assessment to be reviewed by the Audit and Finance Committee.
   4. The key result is that the risks identified are all placed on the heat map using an agreed-upon system.  The “hotter” the placement of the risks, the more immediacy is attached to the risk.
   5. Likelihood:
      1. First, assign a “likelihood” of happening to each of the identified risks by estimating the probability of the risk occurring during the planning horizon:

         1. Rare: less than once every 10 years

         2. Unlikely: once in 5-10 years

         3. Moderate: once in 3 years

         4. Likely: once in 1-2 years

         5. Almost Certain: multiple times per year

   6. Impact:
      1. The impact of the identified risk is assessed by estimating how the impact would be characterized if the risk occurred:

         1. Insignificant - The consequences are dealt with by routine day-to-day operations.

         2. Minor - The consequences would threaten the efficiency or effectiveness of some aspects of the school division but would be dealt with internally.

         3. Moderate - The consequences would not threaten the school division, but the administration of the school division’s strategy would be subject to significant review or changed ways of operating.

         4. Major – The consequences would threaten the survival of the school division in its current form or the continued effective function of a strategic area, or would require intervention by the Superintendent or the Board.

         5. Catastrophic – The consequences would likely result in significant organizational or structural changes at the school division, or would likely cause major problems for the school division’s stakeholders or the Ministry of Education.

4. RISK ASSESSMENT MATRIX

   
   

   Impact Categories	Impact Factors
   	Insignificant	Minor	Moderate	Major	Catastrophic
   Environmental Health and Safety	Impact can be managed by Staff member	Impact can be managed by Staff member in consultation with Supervisor	Impact can be managed by school or department in consultation Division Office	Superintendent required to Intervene	Potential to lead to temporary or Permanent closure of 1 or more sites
   Facilities	Minor deficiency handled by staff	Impact can be handled by the department	Can be handled by the department but requires reallocation of significant resources.	Superintendent required to intervene.	Authorization from Board required to remedy.
   Financial	The financial impact of  event is less than $50,000	The financial impact of event exceeds $50K, but is less than $250K	The financial impact of event exceeds $250K, but is less than $1.5M	The financial impact of event exceeds $1.5M, but is less than $5M	The financial impact of event exceeds $5M
   Governance	Routine Board Inquiries	In-depth Board Inquires	Concerns raised by the Board	School Division's ability to deliver on strategic plan is questioned	Board loses faith in the Division Plan
   Reputational	One negative article in one publication	Negative articles in more than one publication	Short term negative media focus and concerns raised by stakeholders	Long term negative media focus and sustained concerns raised by stakeholders	Stakeholders lose faith in management or Trustees
   Government Relations	Routine ministerial inquiries	In-depth ministerial inquiries	Concerns raised by Ministry of Education	School division’s ability to deliver on mandate is questioned	Ministry loses faith in the organization
   Legal	Legal action threatened	Civil action commenced / small fine assessed	Criminal action threatened / moderate fine assessed	Criminal lawsuit commenced  significant fine assessed	Jail term of any length for a Trustee / Superintendent multiple significant fines assessed
   Managerial  Effort / Capacity	Impact can be absorbed	Some management effort is required to manage the impact	Can be managed under normal circumstances with moderate effort	With significant management effort can be endured,	Potential to lead to the closure of a school, site or department
   Operations	Impact can be managed by staff member	Impact can be managed by Staff member in consultation with Supervisor	Impact can be managed by Teacher or Staff member in consultation with Supervisor and Division Office	Superintendent required to intervene	Authorization from Board Required to remedy
   Strategy and Vision	Immaterial Impact on Three Year Plan	Deviations from three plan begin to show in metrics and reports	Concern by stakeholders is being raised on achieving Three Year Plan	Three Year Plan metrics and reports are below expectations.	Board Required to approve new Three Year Plan
   Student Outcomes	Immaterial impact on student achievement	Student achievement metrics begin to show a decline	Parents complain about student achievement	Overall student competency levels are below standards	Inability to satisfactorily deliver curriculum or key programs

5. Heat Mapping:
   1. Each risk is mapped according to its likelihood of occurring and the impact of it occurring:
      
      

      Heat Map
      Likelihood	Impact
      	1 Insignificant	2 Minor	3 Moderate	4 Major	5 Catastrophic
      5 Almost Certain	5	10	15	20	25
      4 Likely	4	8	12	16	20
      3 Moderate	3	6	9	12	15
      2 Unlikely	2	2	6	8	10
      1 Rare	1	2	3	4	5

   2. For example: a “snow day” is an event that is almost certain to happen (5), but has an insignificant impact (1) on achieving the Board’s strategic goals and so would be rated as a 5 X 1 = 5 , or yellow level risk.
   3. Each identified risk will be assessed using this heat map.  The outcome of the risk assessment will clearly show which risks need the most attention.  Risk assessment process can be conducted in three ways:
      1. collaboratively between the Senior Leadership team and the Audit and Finance Committee, o
      2. in parallel, with each group conducting separate assessments and then comparing outputs, or
      3. solely through the Senior Leadership team to assess the risks and report the outputs to the Audit and Finance Committee.
6. Risk Mitigation / Management
   1. The Guidance chart below shows how the four risk responses correlate to the Heat Map:
      
      

      Guidance on Risk Mitigation / Management
      Risk Rating	Action Required
      Extreme (16-25)	Mitigate, Transfer or Avoid. Immediate attention required. The action plan developed by risk owner
      High (10-15)	Mitigate or Transfer. Action plan for mitigation or transfer developed by risk owner/leader.
      Moderate (5-9)	Accept or Mitigate. Action plan for mitigation developed by risk owner/leader.
      Low (1-4)	Accept and monitor. No further action required.

      
      
      1. Accept – school division accepts, manages and monitors the level of risk and takes no action to reduce the risk (e.g. cost of mitigation is greater than the benefit).
      2. Mitigate – school division accepts some risk by implementing control processes to manage the risk within established tolerances.
      3. Transfer – school division transfers the risk to a third party (e.g. obtaining insurance).
      4. Avoid – school division feels the risk is unacceptable and will specifically avoid the risk (e.g. cease the activity).
   2. The Audit and Finance Committee’s ongoing role in this section is to monitor activity, through receiving reports, in order to support the Senior Leadership Team decision making practice and process to rank identified risks.
   3. The Administration’s role is to develop risk controls, or risk mitigation plans and report on the implementation and impact of those controls.
   4. Further, these risks are assigned “Risk Leaders, (the most responsible Principal/Supervisor)” who are responsible for specific mitigation activities and the related reporting functions. 
7. Risk Reporting
   1. Internal reporting
      At a minimum, upon the completion of the annual risk assessment process, as noted in the Roles and Responsibilities for ERM section above, the following is reported to the Board of Trustees:
      1. Prioritized risk register displaying the top organization-wide risks;
      2. The corresponding key risk mitigation processes or controls; and
      3. Any strategies that were developed to address key risks that were determined to be insufficiently mitigated.
   2. Status Reporting
      At least once per year, the school division will engage in high-level reviews of the risk register. The following is reported to the Board:
      1. That the review has been undertaken;
      2. Any new risks that have been identified, including ranking the new risk based on the likelihood and impact heat map; and
      3. Significant changes in existing key risks or mitigations processes.
   3. External Reporting
      Any discussions of risk that occur within externally facing reports, such as the AERR and or Budget, should be consistent with the annual risk assessment results. That is, the identification of risks for external disclosure purposes should not be a completely separate process from the regular risk management process with dfferent key risks being identified in external reporting.
      
      
8. APPENDIX A – RISK EXAMPLES