Corporate Risk Management
The Corporate Risk Office is responsible for the Corporate Risk Management Program which ensures that the significant risks identified by the organization, and confirmed and prioritized by City Council, are being addressed in a positive, systematic and productive way. This includes helping departments assess the effectiveness of their current risk mitigation strategies and the need for additional or alternate actions.
The City provides a wide range of programs and services that citizens rely on every day, and this diversity of activity creates an equally diverse and complex range of risks and opportunities. The Corporate Risk Infographic shows just some of the many areas where the City's risks exist.
This Office also oversees the internal audit function of the corporation by working with the contracted internal auditor in meeting the timelines and expectations of the internal audit plan. Monitoring the implementation of audit recommendations is also a focus of this area.
Risk Based Management Program
Risk is necessary for growth and improvement, and providing services to citizens does involve risks; therefore, it is important to ensure risk is managed. The City is implementing a Risk-Based Management Program (RBM) that will assist the Administration to enhance intelligent risk performance in all areas of the operations, ensuring continuous improvement in the way the City is managed, as well as continued growth in public confidence in the City’s performance.
RBM will enhance business, budget and strategic planning by providing a continuous, proactive and systematic process to ensure risk is understood, managed and communicated throughout the organization. The framework will assist departments in developing processes that help identify and document risks before they occur, allowing for a planned approach to reducing the likelihood and impact of an adverse event, and also increasing the possibility and magnitude of benefits that could result from seizing an opportunity.
A consistent approach for identifying, evaluating, mitigating and reporting on risk promotes better alignment of risk, value and resources. When effectively integrated into the strategic and decision making processes, the risk management process will help to:
- Achieve Strategic Goals and operational objectives;
- Improve financial and operational management by effectively allocating resources to high-risk areas;
- Strengthen the planning and priority-setting process;
- Increase management accountability by demonstrating due diligence; and
- Foster innovation and continuous improvement.
Saskatoon, like all municipal governments, faces many types of risk, including strategic, operational, financial and compliance risks that, if not effectively managed, can impede the successful delivery of services and achievement of goals and objectives. Strategic risks are affected or created by an organization’s business strategy and strategic goals; operational risks affect an organization’s ability to execute its strategic plan; financial risks arise from financing activities and financial transactions; and compliance risks relate to legal and regulatory compliance.
Proposed Risk Based Management Program, Internal Audit Services – Request for Proposals
Key Risks and Risk Based Management Update
Update on Key Strategic Risks - 2016
Update on Key Strategic Risks - 2017
List of Key Strategic Risks - 2017
2017 Year-End Update on Key Strategic Risks
In order to help ensure that the City of Saskatoon is protected from the negative effects of risk to the fullest extent possible, and realizes maximum positive results from its activities and efforts, a Risk Based Management policy has been developed.
Frequently Asked Questions
Why does The City of Saskatoon have a Risk Based Management Program and Policy?
The intent of the City’s Risk Based Management Program is to promote a proactive risk management practice and culture within the City of Saskatoon; on an ongoing basis, we want to ensure any potential risks to the Corporation are dealt with - before they occur. Risk Based Management helps us to identify positive opportunities, key in our Strategic Goal of a Culture of Continuous Improvement with innovation and forward-thinking. This program will help ensure the City is protected from the negative effects of risk to the fullest extent possible, help us to realize positive results from our activities and efforts, and ensure continuous improvement in the way we manage the City of Saskatoon. All Risk Based Management decisions made by City Council and Administration will be vetted against the Program so that the total Risk Based Management picture can be considered.
Is the City just starting to monitor and deal with risk? Why now?
The City has a number of policies, practices, and tools that it uses to efficiently manage our risk profile. Everything we do involves risk, and though the City already manages risk, we can be more strategic how we deal with risk as a corporation.
How will risks be assessed and prioritized?
The City’s logical Risk Based Management Program helps to identify, analyze, evaluate, treat, monitor and communicate any risks to the City, those that can impact any activities, functions, programs, or our service levels.
The City ranks and prioritizes potential risks using a risk assessment matrix that assesses the likelihood and potential impact of each scenario. Risks are categorized by organization impact, those that have organization-wide impact and those where the impact is more concentrated at the department level.
What was the role of PricewaterhouseCoopers?
The City contracted PricewaterhouseCoopers to assist with identifying the key strategic risks faced by the City. The identified risks were then tied to the Corporate Strategic Goals:
- Asset and Financial Sustainability
- Quality of Life
- Environmental Leadership
- Sustainable Growth
- Moving Around
- Economic Diversity & Prosperity
How will the Risk Based Management Program continue to move ahead?
The City has assigned identified risks to the appropriate department for monitoring and will be incorporating risk management into the City’s strategic and business planning cycles. Attention will be given to all items, but special efforts will be focused on higher priority items.
Over the coming months, additional risk assessments will be completed throughout the organization to gain an understanding about the operational, financial and compliance risks faced by the City. Further reports will be prepared outlining those risks and the actions that the Administration has already taken, and plans to take, to manage those risks.
What is The City’s current risk situation?
A strategic risk assessment was completed by the Administration and PricewaterhouseCoopers in 2015 to identify the strategic risks faced by the City. This list has been ranked by priority: high, medium and low. We are confident in being able to manage these risks to ensure we can continue to meet our strategic goals.
What is The City’s identified level of tolerance for risk?
The City’s level of risk tolerance will be identified in coming months. Tolerance levels will be set in consideration of relevant legislated requirements, corporate goals and objectives, and the principles and processes outlined in the City of Saskatoon’s Corporate Governance – Risk Based Management Policy
A key component of the Risk Based Management (RBM) Program was the establishment of a Corporate Risk Committee (CRC). The CRC was established in early 2015 with the mandate “…to promote a proactive risk management practice and culture within the City of Saskatoon so as to assist with the achievement of corporate goals through the timely identification and effective treatment of corporate risk.”
The CRC consists of the Senior Administration (City Manager, General Managers of the four departments, City Solicitor, and Director of Government Relations), Fire Chief, Police Chief, and the Corporate Risk Manager.
The Terms of Reference for the CRC requires the Committee to report, on an annual basis, to the Standing Policy Committee on Finance and City Council a summary of risk management activity for each calendar year.
Administrative Report - Corporate Risk 2016 Annual Report
Corporate Risk 2016 Annual Report
Administrative Report - Corporate Risk 2017 Annual Report
Corporate Risk 2017 Annual Report
Administrative Report - Corporate Risk 2018 Annual Report
Corporate Risk 2018 Annual Report
Corporate Risk Appetite
To help ensure risk management is incorporated into the decision-making process, the Administration needs to understand how much risk is acceptable, and unacceptable, as it pursues achievement of the City's strategic objectives. This understanding is gained through establishment of risk appetite, which is defined as "the amount and type of risk that an organization is willing to accept in order to achieve its objectives."
Risk appetite sets the overall tone for risk taking in an organization and encourages consistency in the way risk is considered. It is as much about setting expectations and encouraging well-considered risk-taking as it is about imposing constraints to avoid risks.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Since August 1999, the City of Saskatoon has outsourced its internal audit function. The current contracted internal audit service provider is PricewaterhouseCoopers LLP.
Internal Audit Plan
The Internal Auditor is required to establish, and update on at least an annual basis, a long-range plan for assurance audits based on a risk assessment.
For each engagement, the Internal Auditor establishes objectives to address the risks associated with the activity under review, determines the procedures that will be performed and the scope (nature, timing and extent) of those procedures. The engagement objectives are submitted to the Standing Policy Committee on Finance for approval.
The results of each assurance audit are documented in a formal report. The report is discussed with management, incorporates management responses and includes target dates for implementation of recommendations. Audit reports are tabled with and presented to the Standing Policy Committee on Finance.
Operating and Life Cycle Costs
Statement of Work - Review of Operating and Life Cycle Costs in Asset Management Plans and Annual Capital Budget Cycle
Capital Planning and Budgeting, Life Cycle Costs and Operating Costs Report
Administrative Response - Capital Planning and Budgeting, Life Cycle Costs and Operating Costs
Internal Audit Follow-up: Operating & Lifecycle Costs Update
Multi-Year Business Planning and Budgeting
Human Resources (HR) Health Check Engagement
Fraud Risk Assessment
The purpose, authority and responsibility of the Internal Audit function is formally defined in the Internal Audit Charter.