Paragraph 1.2: Establishment risk policy.
Corporate risks are linked to the strategic objectives. In order to face each risk, a response strategy, organized in planning and actions, is developed. The example of Canada reflects the top-down approach to risk management, starting from the risk identification phase (please see the theoretical part of the guidelines for further information).
Focus on: Building up a risk policy and a corporate risk profile in Statistics Canada
At Statistics Canada, Integrated Risk Management (IRM) is an ongoing and dynamic activity that supports corporate decision-making, and is a central theme of the annual integrated strategic planning process. An integral part of Statistics Canada's risk management model is the corporate risk profile, a high-level summary of the most critical risks being managed by Statistics Canada. The development of the corporate risk profile was a comprehensive process that included a review of risk information from several sources and reflected recommendations from the Management Accountability Framework Round IX, as well as feedback from managers. The process also included an improved risk questionnaire, revised guidelines, and clearer definitions of risk sources. A communication strategy was developed and implemented involving information sessions, a documentation package and reinforcement of the importance of IRM in the Agency. The information sessions also served to remind managers of their roles and responsibilities in the IRM process and to address any questions and concerns they had.
All program area risk registers were reviewed and approved by the respective Field Planning Board to ensure that the risks were equally understood, explicitly identified in the long-term planning process and took into consideration interdependencies between projects. After having identified the key risks, the managers were also required to assess likelihood of occurrence and potential impact. The information collected from risk registers provided the Agency with a hierarchical risk assessment.
To ensure that the revised corporate risk profile reflected the major risks currently facing Statistics Canada, a number of significant documents were also reviewed (risk registers, program performance reports, project executive dashboards, program quality reviews, internal audit reports, the Report on Plans and Priorities, the Departmental Investment Plan, the Departmental Security Plan, and the Business Continuity Plan). This approach also responded to the advice received from the Departmental Audit Committee (DAC), the Administrative Practices Committee (APC) and the Corporate Planning Committee of Policy Committee.
The draft corporate risk profile was developed following this advice and included the six key risks and the corresponding mitigation strategies, the risk's link to the Program Alignment Architecture and its link to organizational priorities (see example below).
| Risk | Risk Response Strategy | Link to Program Alignment Architecture |
| Increased | Mitigation strategies identified in the Agency's corporate risk profile for 2012/2013 to 2013/2014 comprise closely monitoring response rates and assessing potential biases in survey results; continuing the research and development of the dwelling-based household survey frame as an alternative to existing frames respondents; engaging respondents through various mechanisms (Statistics Canada, Government of Canada and other departments' websites as well as social media) to ensure high response rates; reviewing the possible use of administrative data sources, keeping in mind privacy concerns as these sources are used further; continuing to innovate to meet respondents' needs, which includes greater use of multi-mode data-collection options, such as e-questionnaires and mobile devices; continuing to investigate the possibility of conducting interviews by cellphone; undertaking additional studies; and incorporating lessons learned. | |
Source: Corporate risk profile methodology and outcome. Statistics Canada: http://www.statcan.gc.ca/
Once the 2012-13 and 2013-14 corporate risks were validated, functional leads and management committees were assigned to review existing and potentially new mitigating strategies and prepare action plans and timelines. The APC then reviewed and approved the full corporate risk profile, before it was presented to the DAC. After receiving final approval by the Corporate Planning Committee, the corporate risk profile was posted on Statistics Canada’s Internal Communications Network.
The following list identifies and describes the Agency's (SC) three top corporate risks:
Increased difficulties in reaching respondents: An ongoing challenge to the quality of social statistics is the growing difficulty with collecting information from respondents. This risk was identified in both the 2012/2013 and the 2013/2014 Reports on Plans and Priorities.
Reputational risk related to respondent information: Any releases of confidential information, or real or perceived breaches of Statistics Canada's informatics infrastructure and related business processes, pose the risk of damaging reputation, credibility, image and public trust. This risk was identified in both the 2012/2013 and the 2013/2014 Reports on Plans and Priorities.
Common tools and government wide priorities: At present, the Agency is not using any of the software tools that have been prescribed for corporate systems (i.e., the back-office systems that support human resource and financial administration and records management). The Agency’s existing systems are efficient by any standard and, in the short term, re-assigning staff from core activities to implement new systems would pose a risk to providing the statistical program. This risk was identified in both the 2012/2013 and the 2013/2014 Reports on Plans and Priorities.
Focus on: A behavioral approach to risk appetite
The practice described below concerns a behavioral approach to the definition of risk appetite in order to align the Institute's risk policy with the staff’s risk approach.
CASE STUDY
UK, Office for National Statistics (ONS)
Risk appetite is defined as the amount of risk that an organization is prepared to accept, tolerate or be exposed to at any point in time. The Office for National Statistics has had in place an overall ‘risk appetite statement’ for some time. However, in order to truly embed risk management in decision making, deliver the organization’s strategy and respond appropriately to the pressures of an increasingly changing world, ONS decided not only to review its risk appetite but to use appetite as a catalyst for transforming its behaviors.
ONS recognized that, whilst a definition of risk appetite was essential to allow consistent and appropriate decision making, a single statement of risk appetite could be bland and open to interpretation. On a scale from ‘averse’ to ‘actively seeking’ risk, a single organization position seemed to end up at the mid-point as it would take account of areas at either end of the spectrum. Also, a statement along the lines of ‘we are averse to risk in x area’ is open to interpretation. What does this mean? How should staff act? What are the expectations of the organization’s leaders?
To address these questions ONS ran an approach to redefine risk appetite and to ensure the strategic alignment of risk based decision making, to bring risk appetite to life, and to drive cultural change. The overall approach involved setting a level of risk appetite for each of the organization’s highest level ‘strategic risks’, which themselves were aligned to the strategic aims within the organization’s strategy. A fundamental part of the approach, however, was defining the expected and specific behaviors aligned to the level of appetite, therefore developing a clear framework for decision making.
The approach taken by the ONS risk management team was simple. It involved 1) inviting the Executive and Non-Executive Directors of the organization to individually assess risk appetite across risk types (on a matrix, see overleaf), 2) challenging and exploring their views through a series of one-to-one meetings, and 3) discussing a consolidated view at Board level and agreeing the levels of risk appetite with articulated behaviors.
The ONS experience has proven the benefits of this process. Thinking through specifically what risk appetite means for culture/behaviors has been of great benefit, by way of illustration:
- Under a 'Cautious' appetite for ‘statistical quality’ risks a potential behavior may be "Formal outputs must be of high quality to maintain reputation and confidence, but development and timeliness needs to be challenged in order to improve quality. Timeliness is recognized as an element of quality therefore we aim for timely statistics whenever possible."
- Under an 'Actively Seeking' appetite for ‘innovation’ a potential behavior may be "We recognize the risk of irrelevance without innovation and are relentlessly curious, investing considerable time in new approaches and being prepared to try new things even if many of them do not result in a viable product."
In order to ensure the success of this exercise in ONS there was a parallel approach with managers from across the organization. The idea of this was to gain buy-in to the approach and to highlight any potential disconnect between the view of the senior leadership team and that of the wider organization – therefore highlighting areas where the agreed appetite would be difficult to implement.
Following approval by the organization’s Board the risk management team subsequently took the newly approved risk appetite statements and cascaded the new expectations throughout the business via seminars, risk training courses and the organization’s intranet. The risk appetite matrix is also used to regularly challenge decision making and articulate Board expectations.
Redefining the ONS risk appetite through this approach has brought color to what can be a transactional and subjective process. As well as encouraging a more uniform approach to risk taking within the organization, it supports the development of an organizational culture which is strategically aligned.
Paragraph 1.3: Adopting an integrated risk approach connected to statistical quality management.
Risk management must be integrated with: statistical quality management, strategic and operational planning cycle and performance assessment. Both examples proposed below have been selected because of their innovative approach to the themes of risk and quality management.
Focus on: Integration risk and quality management
Australian Bureau of Statistics (ABS)
Statistical collections are often exposed to the risk that one or more of the components of the process fail to meet the quality standard expected, such that the quality or the integrity of the statistical outputs are affected. This kind of risk is the "statistical risk".
Statistical risk arises for various reasons, some of which may include inadequate inputs, processes not being well defined, changes to existing processes, or human error.
Errors in statistical outputs can be minimized by committing to quality management strategies, such as risk management. Risk management is concerned with identifying potential risks, analyzing their consequences, and devising and implementing responses, ensuring that corporate and business objectives are achieved while upholding quality.
ABS has endeavored to instigate better quality management practices through the development and use of the risk mitigation strategy known as quality gates.
The six components of a quality gate are:
1. Placement,
2. Quality Measures,
3. Roles,
4. Tolerance,
5. Actions,
6. Evaluation.
1. PLACEMENT. "Placement" is the first component of the quality gate. It refers to the placement of quality gates throughout a statistical process (also known as a business process cycle, or statistical process cycle). Placement of a quality gate is determined by the level of risk associated with given points in the production process. Specifically, the placement of a quality gate should occur where a risk assessment of the process reveals that there is a need for a quality gate due to the impact on the process and statistical outputs that would occur if the risk was realized.
The ABS uses the Generic Statistical Business Process Model (GSBPM) as a guide against which to map the activities of statistical processes. This is done to ensure all aspects of the statistical process are included for monitoring purposes.
By identifying the key activities associated with each step of the statistical process, an assessment of whether there are any risks in those steps can be made up front. This assists with determining where best to place quality gates. Some common risky areas in a process include:
• Hand-over or integration of data between multiple areas;
• Data transformation;
• Changes to processes, methods and systems.
The ABS has an overarching risk management framework, based on the International Risk Management Standard ISO 31000:2009, which details the ABS approach to risk management. The ABS has adapted this risk management framework to suit the business needs of the organization.
If a statistical risk assessment reveals that the risk rating is extreme or high it is recommended that a quality gate be utilized to mitigate the statistical risk.
For medium risk ratings it may be useful to utilize additional quality measures in existing quality gates that assist in monitoring the aspects which will highlight if the process isn't working correctly.
Routine procedures are generally sufficient for the monitoring of low risk ratings.
2. QUALITY MEASURES. Quality measures are a set of indicators that provide information about potential problems at a given point in the process. When determining what quality measures should be included in a specific quality gate it is important to consider the risks and what information would be required in order to make an assessment about fitness for purpose at that point in time.
3. ROLES. This component involves assigning tasks to various people or areas involved in the operation of a quality gate. Roles identifies areas or people who are directly connected to the quality gate and its operation, along with people or areas who are affected by issues with the process.
4. TOLERANCE. Tolerance refers to an acceptable level of quality. The acceptable level could be qualitative (e.g. Yes/No) or quantitative (e.g. 97%). Tolerance levels or thresholds are generally set by expectations of what should be observed at that point in the process for a given quality measure.
5. ACTIONS. Actions are predetermined responses to various outcomes for a quality gate. They provide a definition of what will be done if threshold or tolerance levels are met or not met with regards to each quality measure.
6. EVALUATION. As with any process that is undertaken, an evaluation or review should occur to examine where improvements can be made for future use. At the end of each statistical process cycle it is recommended that the quality gates be evaluated to determine what worked well, what didn't and where improvements can be made.
The Netherlands, Central Bureau of Statistics (CBS)
The Object Oriented Quality and Risk Management (OQRM) model (Nederpelt, 2012) is a quality framework developed in the field of official statistics in order to improve compliance with the European Code of Practice and deal with quality standards of statistical output.
One of the goals of OQRM was to enable CBS to decide on focus areas (60). For each of them, eleven steps can be taken, including risk analysis and determining the right measures or actions to put the focus areas under control.
These measures, proposed by the managers, are integrated in the regular planning and control cycle of CBS:
1. Actions on corporate level: a set of high level objectives is identified on strategic, finance, operational and compliance level. Actions are identified to meet the objectives and assigned to the heads of divisions. Progress on these actions is regularly monitored.
2. Action on process level: The audit framework is based on the quality guidelines for statistical processes. In these guidelines, international frameworks (CoP/QAF), national frameworks (SN-law, privacy law, security regulations, archiving) and board decisions are integrated. Audits are also risk oriented.
The risk level is used to prioritize the recommendations in the audit report and these recommendations are converted into an action plan by the process owner.
