250 likes | 356 Views
Risk Reporting – A How To Guide. Developed for: ORIMS Professional Development Session October 22, 2013 Presented by: Steve Pottle, York University Michelle Williamson-Reid, TSSA. http://www.youtube.com/watch?v=laKprX-HP94. Discussion Points.
E N D
Risk Reporting – A How To Guide Developed for: ORIMS Professional Development Session October 22, 2013 Presented by: Steve Pottle, York University Michelle Williamson-Reid, TSSA
Discussion Points • To be heard or not to be heard – that is the question... • How to communicate risk intelligently and effectively • Risk Report Content – York and TSSA perspective • Your turn (tell us your good ideas)
Is Risk on the Radar? • Risk Management has many homes in any organization • Champion - who has the ear of the Board?
Getting on the Agenda • Befriend the person(s) that creates the: • Board work plan • Committee work plans • Audit Committee • Governance Committee • Etc. • Management meeting agendas
When in Doubt • Read the Board Charter • Read company policies • Read your job description
Make it Relevant • What do they want to know • What should they know: • CICA’s “20 Questions” • risks to mission, vision and strategy • risks to business plan • reputational risks
Be Brief • Be clear • Be concise • Relate the risk information to their role: • Board charter • position description / job profile • Relate it to the big picture • Engage them (push versus pull)
Be Careful • While there is job security in always being on the agenda... • Make management accountable • Encourage management to report on risk • Facilitates greater buy-in • Influences a risk aware culture
York Board Reports • Annual Risk Report • Audience: Audit and Finance Committee of Board of Governors • Focus: Risk Management tied to University’s Academic Plan (Key driver for senior admin decision making) • Supplement: Board memo on insurance coverage
York Board Reports • Table of Contents • Introduction • Risk Management • Awareness and Educational Initiatives • Insurance Program Update • Premiums • Claims
York Board Reports • Legislative Compliance Annual Report • New report for Risk Management as of 2013 • Update on Universe of Legislation applicable to York (Board Directive) • What are we going to report on? • Developed three-year reporting cycle approved by CFO and VP Admin. (Board Stakeholders)
York Board Reports Legislative Compliance Annual Report (three-year reporting cycle)
York Board Reports • Legislative Compliance Annual Report (three-year reporting cycle) • Year one: Review Top 15 Acts (based on risk impact); refresh Universe of Legislation (Federal, Provincial, Municipal) • Year two: Identify new Acts for possible inclusion in Top 15 • Year three: Review Universe of Legislation
Audit, Finance and Risk Committee • Quarterly reporting on: • priority enterprise risks and their impact on strategic and business plan initiatives • status of risk mitigation activities and impact on level of risk • assurance (audit) activities • status of audit action plans • large losses (insured and uninsured)
Audit, Finance and Risk Committee • Annual reporting on: • insurance program (renewal) • changes to ERM framework, Guideline, Risk Register • Business Continuity Plan (changes, results of tests, etc) • three-year audit plan
Governance, Safety and Human Resources Committee • Quarterly reporting on priority enterprise risks and their impact on strategic and business plan initiatives • Quarterly reporting on status of risk mitigation activities and impact on level of risk • Reporting on results of assurance/audit activities, as appropriate
Board of Directors • Annual reporting on results of enterprise risk assessment • Annual reporting on risk mitigation activities (in conjunction with strategic and business plan) • Reporting on results of assurance/audit activities as appropriate
Tricks of the Trade • Risk legend for all agendas • Relate individual agenda items to risks • Add dedicated section / heading for risk to all reports, briefing material, etc.
Dedicated section for risk in meeting material (For Illustrative Purposes Only) Purpose – For Discussion This report provides information to the Audit, Finance and Risk Committee (AFRC) on the implementation status of the fiscal year 2012/2013 internal audit plan, and internal audit action plans arising from previously completed audits, consistent with the AFRC work plan. Desired Outcome This report is intended to engage AFRC in discussions relative to the level of residual risk present as a result of control weaknesses identified during internal audit activities. Impact on Strategic Plan and Priority Enterprise Risks The internal audit action plans are designed to mitigate identified control weaknesses and/or risks and enable the achievement of objectives. Specifically, the action plans arising from the incident data, technical data and Oracle-Operating Engineers inspection process audits mitigate elements of the data and information risk (#6) and business controls and process risk (#7). The action plan arising from the information technology general controls audit also aims to mitigate aspects of the business controls and processes risk. Background XXX