The Internal Audit and Advisory Services division of British Columbia’s Ministry of Finance has developed a web-based toolkit for government ministries designing and implementing enterprise risk management (ERM) programs. Tools available on the website include a dictionary of risks common in government, a tool for tracking risks, and a maturity model.
The IAAS notes that a fully mature ERM initiative is expected to take up to five years and to be achieved in three phases. The phases are:
- Phase I: Assist in the planning of ERM implementation
- Phase II: Assist in the implementation of ERM
- Phase III: Provide assurance through IAAS
IAAS will provide services such as defining risk tolerances, based on the experiences of internal audit, where none have been identified; reviewing the effectiveness of management’s risk assessments and internal controls; and facilitating ERM training.
The risk dictionary identifies common risks encountered in government and creates a standardized language for use in ERM implementation in different ministries. The risks are categorized as outcome risks and risks associated with unintended consequences of implementation. Each risk may also be viewed as an opportunity by using the reverse of its meaning. Alignment risk is an outcome risk that a ministry will fail to align business process objectives and performance measures with enterprise-wide or operating unit objectives, leading to conflicting or uncoordinated activities. Unintended consequences risks are risks that the intended outcome may be achieved but have unintended consequences for either the policy implemented or another project or group. An example is communication and consultation risk: the risk that insufficient communication with stakeholders, like taxpayers, clients or service providers, will result in reputation damage or political exposures.
Sample ERM Organization in a Ministry
The website includes a sample illustration of an ERM Organization within a government ministry. This example illustrates how the ministry executive is charged with ensuring that ERM is an ongoing process to identify, assess, and manage risk to an acceptable level of exposure, and with establishing the ministry’s risk tolerance. The ministry-level Audit Committee has financial reporting and internal control oversight responsibilities. As part of assessing internal control, the Audit Committee must evaluate the process for identifying principal risks and report to the executive. Each ministry will also have a risk management committee comprised of business unit senior management and representatives from risk-related functions. The risk management committee is charged with establishing and implementing effective enterprise-wide risk management processes.
ERM Project Management Tool
The ERM project management tool helps each ministry understand and track risks to the ERM implementation project using a best practice project management methodology. The tool facilitates the creation of work plans, project assessment, and time management. All IAAS ERM tools use a risk scoring system that rates outcomes on a range from rare to almost certain. The consequences of these outcomes are ranked from insignificant to catastrophic. This ranking system allows each ministry to evaluate the likelihood and consequences of risk events.
ERM Maturity Model Tool
The ERM Risk Maturity Model allows ministries to evaluate their progress in implementing ERM and to set goals for performance. At each level of maturity the model describes:
- Organization philosophy and culture
- Risk management leadership and commitment
- Integration with other management practices and systems
- Reporting and control
IAAS recognizes that ERM will be implemented differently in ministries based on their unique objectives and risks. The ERM implementation tools on their website provide support to ministry risk management committees responsible for establishing ERM programs and the Audit Committees and Ministry executives who must evaluate them.