How to embed ERM into strategy
Global Survey
Enterprise Risk Management is most successful when it is fully integrated into the organization. In a 2020 discussion paper released by Dr. John Walter of St. John’s University, only 24% of ERM leaders identified that employees were risk aware. Risk leaders must close the gap. They can do so with appropriate resourcing, staff training, and the tools needed to deliver value to the organization.
Embedding ERM into Strategy
A major source of risk for any enterprise is its strategic plan. Strategy involves making assumptions about the future and making choices about the direction and focus of the enterprise based on those assumptions. As a result, risk is inherently part of strategy. Integration, or the “embedding” of Enterprise Risk Management (ERM) into strategy development, supports successful execution of strategy.
The embedding of ERM into strategy is particularly valuable to the Board of Directors. The primary roles of the Board include the strategic direction of the enterprise and the risks facing the enterprise. The Board has oversight on the selection and execution of the strategy and over the development and execution of risk management. Embedding ERM into strategy supports better decision making by the Board in relation to these roles.
ERM can therefore enhance the development and execution of strategy by better supporting the Board in their decision making around strategy choice and execution. Embedding ERM into strategy can enhance focus on strategic risks that could impact the enterprise’s strategic plan. It allows for the testing/challenging of key planning assumptions upon which the strategy is based and allows for the monitoring and mitigation of those risks while executing the strategy. It also allows for the ability to “course correct” on the strategic journey based on risks that arise, how those risks impact the enterprise, and how those risks are managed.
How to embed ERM into strategy:
• Integrate the ERM framework within the strategy and business planning process.
• Operationalize the organization’s risk appetite statements and develop associated risk tolerances.
• Integrate the ERM framework with other key corporate tools or frameworks that support resource planning, asset management, etc.
Risk Response Strategies
Risk Treatment techniques include avoidance, mitigation, transfer, retention, and exploiting. These techniques are not mutually exclusive, and some risks will require multiple techniques to address them. For example, as a result of the 1998 ice storm, transmission tower standards changed to hold more weight and line monitoring techniques were introduced. Updating standards is a way to mitigate future occurrences. Utilities, however, will continue to purchase insurance to transfer some of the financial risk.
Risk Mitigation
Ideally, actions to mitigate risk should be clearly defined, measurable, and tracked on an ongoing basis. The progress of these mitigation actions should be communicated to the Board on a regular basis. When mitigation actions are not being achieved as planned, any significant impact to residual risk should be identified.
The Board must understand the role of ERM in the allocation of the finite resources of the company. If risks are being mitigated to an extent such that the residual risk falls well below the accepted risk tolerance, resources could likely be allocated more effectively.
Risk Transfer
As a result of risk treatment, risk transfer occurs when the company moves the impact of the risk to a third party. The purchase of insurance is an example of a risk transfer action. Companies must stay aware of changes to their insurance rates and policies to ensure that they provide the necessary value. In times of a hard market, when insurance rates are being adjusted in response to external forces such as climate change, pandemics, labour shortages, and supply chain disruption, it is prudent for the risk team to work with the finance team to find the best possible rates.
Risk Retention
Risk retention is the strategy of retaining the impact of the risk. The unexpected failure of a transformer may be considered an acceptable risk. Retention occurs when there is no desire or benefit to shift the financial burden of the risk; in this case the risk is retained and the company shoulders the impact.
Reporting Timeliness
As identified in Part I, the Board of any company must be informed of any changes to the company’s risk profile. Reporting must provide assurance that company risks are being actively and properly managed on an ongoing basis. Information related to risk management should be communicated to the Board on a regular basis so that they are adequately informed of the current risk exposure to the company. Following an annual risk refresh/update, the Board should be informed of any changes to the ranking of the top risks, any new risks that have been identified, and any changes to the risk mitigation strategies.
Deriving Value from Risk Profiles
In a dynamic and complex environment, organizations require the capacity to recognize, understand, accommodate, and capitalize on new challenges and opportunities. The effective management of risk contributes to improved decision-making and better allocation of resources in an organization.
A Corporate Risk Profile identifies risks that affect the achievement of objectives. Risks, including threats and opportunities, must be forward looking and relate to future uncertainty. A risk is not a business condition, a current issue or problem. Sometimes, reoccurring issues may be interpreted as risks. In this instance, organizations should identify the risks associated with managing those reoccurring issues, rather than describing the issues themselves.
Profiles should reflect the organization’s particular circumstances and objectives. They should reflect the current business conditions of the organization, as well as the size of the organization and the complexity of its mandate. Likewise, a risk profile should be presented in a balanced way, with enough detail to provide context and a clear description of risks, including how these risks are being managed within the organization. There should not be so much detail that it overwhelms the reader or is not easily used to support effective decision-making.
Industry Risk Categories
Operational
Operational risks can be defined as risks that might affect key operations of the organization impacting its ability to execute its strategy. The Risk Management Association also defines operational risk as “the risk of loss resulting from ineffective or failed internal processes, people, systems, or external events”. Operational risks can be very broad and will be unique to each organization, as well as unique to various types of utility services, and typically occur at every level in an organization. Operational risk is inherent in all our activities, processes and systems and losses can be directly or indirectly financial.
The electricity industry is currently undergoing a rapid operational change driven by changes to traditional electricity services and there are several common and rising risks that can be identified.
Common Operational Risks:
• Employee conduct and employee error
• Breach of private data resulting from cybersecurity attacks
• Technology risks tied to automation, robotics, and artificial intelligence
• Business processes and controls
• Physical events that can disrupt a business, such as natural catastrophes
• Internal and external fraud
• Business Interruption
• Product Failure
• Health & Safety
• Human Resources
Rising Operational Risks:
• Accelerating Changes in Industry Structure
• Globalization and Shortages of the Supply Chain
• Integration of New Technologies
• Meeting Net Zero
With new developments in climate change, a transition is being sought from carbon-intensive sources to a net zero carbon footprint. This may result in operational risks for stranded assets.
The emergence of new technologies such as electric vehicles (EVs), grid technologies including smart meters and distributed connection generation increases the operational risk in these areas. Grid modernization and increased capital may be required. New technologies may also mean new vendors and suppliers, which may create additional operational risk including quality control, availability and suitability.
The COVID-19 pandemic and globalization of supply chains are negatively impacting the supply chain with increasing costs and possibly impacting the ability to deliver on capital programs. Organizations should ensure that they have sufficient planning to compensate for delays in the deliveries of key materials.
For most organizations, these key operational risks currently require attention, whether in isolation or in combination.
Environmental
The primary external environmental risk pertaining to the utility industry in Canada is extreme weather events. Such events, increasingly exacerbated by climate change, can have significant financial impacts, in part through increased capital and maintenance costs to repair or replace damaged equipment and infrastructure, and through reduced revenue. Moreover, due to the industrial nature of electrical distribution sites, there is a high likelihood that some degree of contaminants (arsenic, polychlorinated biphenyls and petroleum hydrocarbons) exists in all utilities across the country. To mitigate such risks, utilities consider site-specific climate and weather factors, such as flood plain mapping and extreme weather history, and perform regulatory due diligence to manage environmental liability, all while ensuring system adequacy through system planning and coordination.
Environmental risks are increasingly associated with government policies relating to the production and procurement of renewable and clean energy. Carbon emissions and conservation are certainly present in utilities’ evolving landscape. Canada’s climate has warmed and will warm further in the future, driven primarily by human influence. As a result, the Canadian government has taken significant steps forward by releasing plans last year to reach Net Zero by 2050, and recently increased its 2030 target to reduce greenhouse gas (GHG) emissions to up to 45%. The risks pertaining to utilities in meeting these targets are very real, particularly for the most carbon-exposed players that face escalating financial challenges (like carbon pricing, product substitution and demand pressures) as well as brand headwinds including social licence, workforce retention, and shareholder activism.
As they diversify the scope of their activities and operations, utilities will need to compete for scarce talent in a number of spheres, including environmental science. Even in the back office, utilities may feel the need to expand the range of skills necessary for success in the emerging business environment. Whether it is sourcing capital from more environmentally conscious lenders or meeting new compliance needs for ESG reporting, utilities may discover that their need for managerial and professional talent runs consistently ahead of their ability to attract or retain it.
Technology
Technology is evolving rapidly and redefining the industry with transforming business models and changing customer roles and expectations. Much of Canada’s electricity infrastructure is nearing its end of life and the expectation is that like-for-like replacement and incremental technological improvements will no longer be adequate. The risk for utilities is increasing due to the rapid pace of change and the significant level of investment required in the coming decades.
Technological advancements in areas such as renewable energy, distributed energy resources, battery storage and energy efficiency products and services will ensure a sustainable power supply for the future and better meet evolving customer expectations. However, they may also result in stranded assets and could significantly impact retail sales.
As a result, utilities are having to develop strategies that include innovation and experimentation, balance investments between traditional infrastructure and more technologically advanced assets, and drive cost efficiency to mitigate rate impacts. Utilities are also having to develop new business models that will lead to long-term value creation by developing new revenue streams from customers seeking solutions for their energy challenges.
Regulatory
The ability of regulatory bodies to change or enact regulations that reduce revenue, increase costs, or limit a utility’s ability to recover prudently incurred costs and earn an appropriate return on assets has long been a risk for utilities. Increasing regulatory risk in some jurisdictions is linked to disruptive factors in the industry, including rapid advances in technology, a shift towards clean energy, and changing customer expectations.
The traditional cost-of-service model utilized by many economic regulators can be an impediment since it requires utilities to go through demanding reviews of investment plans that link the proposals to customer value. Similarly, as utilities develop new business models to align with shifts in the industry and take advantage of opportunities related to new energy, products, and services, they run the risk of regulators disallowing the proposed changes. Moreover, regulators are increasingly expecting utilities to demonstrate efficiency when applying for rate increases driven by investments in clean energy and new technologies.
Utilities are managing regulatory risk through regulatory filings meant to educate and inform, as well as through ongoing consultation with stakeholders and governments.
Health & Safety
Ensuring the health and safety of workers and members of the public is a core value for utilities. Significant effort is put into building a strong organizational safety culture and ensuring occupational health and safety standards are followed. Information campaigns focus on educating the public about safety hazards and steps are taken to keep members of the public at a distance from energized equipment. Nonetheless, safety incidents continue to occur.
One aspect of health and safety that has recently risen in prominence is mental wellness. The COVID-19 pandemic has shown that utilities must be prepared for public health threats and be ready to implement heightened safety protocols, but it has also underscored the importance of maintaining good mental health. Employee wellbeing is critical to a business’s success since employees who are feeling depressed and anxious are more likely to be disengaged and less productive, to have higher levels of absenteeism, and to be at a higher risk of having a safety incident.
Never has there been more urgency for organizations to champion mental health initiatives in their workplace. Over the past eighteen months, many organizations have implemented or enhanced mental health resources to support employees and have broadened awareness of the issue to reduce the stigma attached to mental health.
Financial
The winds are changing when it comes to the financial risks faced by Canadian utilities. In the pre-pandemic era, financial risks were mostly dominated by the underlying regulatory environment (i.e., regulatory or rate changes impacting cost recovery of assets); credit ratings and financing; volatility in prices of certain commodities and industrial inputs; counterparty credit risk; volatility in interest or foreign exchange rates; and the accuracy of financial reporting. While these risks will always be in play, the rapidly changing political, economic, social, and technological landscape in which utilities operate, as exacerbated by the COVID-19 pandemic, is rapidly changing how CFOs across the country view future financial risk.
During the height of the COVID-19 pandemic, writer Derek Thompson said: “because the pandemic pauses the present, it forces us to live in the future”. In that sense, over the past two years, the sentiment that the Canadian government and its people need to do more about climate change has grown exponentially. Why does this matter? Because climate-related risks are substantive financial risks, as they have a direct and measurable impact on the expected production and distribution of electricity from various facilities. A prime example is the electrification of personal transport, which could be as significant for the electricity sector in this century as the internal combustion engine was to the petroleum industry in the twentieth century. The financial community, not just in Canada but worldwide, also appears to have embraced the need for climate change action, with a particular emphasis on Environment, Social, and Corporate Governance (ESG) imperatives. ESG is becoming the decisive factor in obtaining access to sufficient capital/liquidity in financial markets. An inability to tap into that capital may restrict growth opportunities, and is therefore becoming a mounting financial risk in the eyes of Canadian utilities.
The increasing effect of climate change causes financial risk to power and electrical utilities considering recent market developments in the insurance industry. The power and utilities sector is likely to see a substantial increase in its insurance premiums, even as there is a reduction in the insurance industry’s willingness to offer coverage. As an example from a global perspective, Lloyd’s of London is scaling back its exposure to coal and oil sands, in a reversal of its traditional hands-off approach to climate change strategy.
With the significant uncertainty, volatility, and change in the financial markets brought on by ESG, will the regulatory model of today be sustainable? Or are future consumers to pay for today’s investments? Financial markets work best when assets are properly valued; however, in today’s market economy, climate factors are often mispriced, and climate risks are generally underappreciated. Prices and incentives that reflect climate risk will be critical to succeed in tomorrow’s financial environment.
Legal
Legal risk is the potential loss that a company or individual could face as the result of a legal issue. Legal risk can include claims made against the organization, a change in law or failure to take the proper legal measures. As with Operational Risk, legal risk can be very broad across an organization.
Legal risk is currently a key risk for many electricity organizations. Organizations face a potentially challenging environment with exposure to financial and reputational losses if legal risks develop. Regulatory and legislative requirements for organizations are becoming more stringent and contracting requirements are also becoming more complex.
Legal departments are now doing more and focusing on the identification, management and mitigation of legal risks facing their organizations. There is a heightened interest in regulatory requirements, health and safety, and environmental considerations examining how legal risks align with the enterprise risks. This heightened interest leads organizations to identify and manage the legal risk and the interaction with the business more effectively. Regulatory risk sits firmly between legal and political risk as provincial governments will have an impact on regulations and regulatory activity that can quickly become policy, framework, or laws that electricity companies must adhere to. The industry is subject to the risk that its business activities may be impeded through the actions of regulatory authorities or by changes in regulation.
Common Legal Risks:
• Regulatory Breaches
• Breach of Privacy
• Improper Trade/Market Practices
• Property Cost/Land Usage
Rising Legal Risks:
• Contract Management
• Health and Safety
• Environmental
• Changes in Regulations
• Digital Transformation and Innovation
Political
Political risk is the risk faced by investors, corporations, and governments from political decisions. The political climate can change with competing political parties pushing their own agendas to capture votes. Changes in the political landscape can lead to shifting attitudes in areas of emerging risk. Political risk may arise at any level, including the international, federal, provincial, and municipal levels.
Political risk is constantly changing and significantly impacted by socio-economic and environmental movements across the globe. We have recently seen the landscape changing at an accelerated pace that is unprecedented in our industry. Environmental, Social, and Governance issues are also rising, driven by politics at multiple levels across organizations and industries.
Common Political Risks:
• Trade Barriers
• Change in Taxation
• Change in Government Leaders
Rising Political Risks:
• Changes in Regulations/Legislation
• Socio-Economic Imbalances
• Environment Regulations
• Sustainability
Case Study: Interest Deductibility Limit (IDL)
In 2021, the Government of Canada introduced IDL in their budget for 2023. In 2022, they released draft legislation. This legislation effectively limits the amount of debt interest a business can deduct from their taxable income. Not all in the electricity industry are impacted by this proposed legislation, but those who are impacted will suffer increased costs. This can cut into funds that can otherwise be used to invest in other government mandated activities to hit Net Zero. For Canada to reach its Net Zero by 2050 goals, or for utilities to establish a clean grid by 2035, companies will be required to make increased investments in large amounts of renewable capital and initiatives. IDL will impact the feasibility of these large investments and resulting costs could be passed on to the ratepayers.
Societal
Transformation within the utility industry is largely driven by society’s changing expectations for utilities with regard to environmental, social, and economic sustainability as well as the role customers will play in energy transactions and long-term decision-making related to a lower-carbon economy.
The public and shareholders are intensifying the pressure for utilities and large emitters to decarbonize, which is driving governmental policies regarding emissions. The increasing pressure to respond to climate change, both within Canada and globally, will likely cause the federal government to accelerate the achievement of emission reduction targets which will put utilities at risk of having stranded assets.
Another key societal shift impacting the utility industry is the electrification of the economy. The adoption of electric vehicles (EVs) will reshape the transportation sector and dramatically reduce emissions. Utilities are faced with both challenges (such as ensuring grid capacity to handle the increased electricity requirements) and opportunities to develop new revenue streams by building out charging infrastructure. Utilities risk losing out on such opportunities if they cannot adapt quickly.
The switch to cleaner energy sources and implementation of technological advances will add cost, but customers expect utilities to find efficiencies to mitigate the rate impact of rising costs. Utilities, supported by lawmakers and regulators, will need to communicate to customers that such investments will increase the value of services being provided.
Reputational
Electricity companies also face reputational risk. For publicly traded companies this may impact shareholder value. Likewise, an organization that may be viewed negatively by its customers may face more regulatory scrutiny in order to appease the customer base. Companies that have suffered reputational damage may also see higher rates of voluntary staff attrition.
Reputation may be impacted by both external and internal causes. Decisions made one day, that may be viewed as necessary and operationally feasible, may result in long-term reputational damage in years to come.
In the end, one can argue that poor risk management practices will impact the company’s reputation on many fronts and can be long-lasting. When there is a negative event or impact in any of the above categories, reputation can be damaged if there is proof your organization is at fault. If your company is not at fault, your organization will still face public scrutiny that may cause reputational obstacles.
Steps Forward
The concept of resilience has gained in popularity over the past several years, as organizations (and individuals) have faced an unprecedented level of disruption and volatility resulting from the COVID-19 pandemic. This global crisis has illustrated the holistic and interconnected nature of the world we live in, reminding us of the importance of taking a holistic view of risk and resilience. This also holds true within organizations. Building resilience is a ‘whole-organization’ endeavour, not something that can be relegated to a department or functional area. Now is the time for Enterprise Risk Management to demonstrate its value as both a practice and a mindset that adds value by strengthening resilience. To do so, ERM must evolve to a more holistic practice, supporting risk awareness and a unified effort at all levels of the organization.
Any evolution of ERM practice that leads to better integration of risk thinking throughout the organization is a positive step forward and will lead to an increased ‘big-picture’ view of risks and how they are interconnected.
The following are stepping-stones for risk and management teams and their respective Boards to advance integration and increase the relevance of Enterprise Risk Management for the benefit of the organization.
Chief Risk Officer
Executives are often tied to their specific functions within their departments of the organization. Designating a Chief Risk Officer (CRO) in the organization to handle risk, oversee a risk department, or ensure implementation of enterprise risk management strategies is a growing trend in many industries. A number of electricity companies have established CROs within their organization to spearhead risk change and awareness within the company. The CRO will oversee and guide all risk management strategies and operations within the organization.
See the Big Picture
Boards of Directors and Executive teams generally want to spend a good portion of their time on ‘big picture’ thinking and ‘connecting the dots’. Enterprise Risk Management practitioners can act as a catalyst to provide this perspective, but only by going beyond the traditional risk register or list of top risks. When enterprise risks are represented as a landscape rather than as a list, they will prompt holistic thinking and valuable discussions.
Scenario Mapping
Mapping the connections between enterprise risks supports more integrated thinking and can provide a useful basis for working through scenarios where multiple risks emerge at the same time or in sequence. Discussions like these are a great platform for developing strategy or gaining insight to make more complex decisions. Much of the value is in the discussion. It is important to remember that there is more to be gained through iterating risk and interconnected views with the Board and Executive teams.
Many Boards hold annual retreats. Risk workshops or risk scenario exercises can be a very effective anchor for these events as long as they are approached in a holistic manner and don’t feel overly mechanical to participants. These events require pre-planning, and advance one-on-one interviews with Board members.
Integration
An integrated planning and ERM process is more time efficient for managers in the business, and also provides the ERM practitioner a chance to build credibility, relationships, and sources of valuable risk information (i.e., risk intelligence) across the business. Business planning and risk may be co-located within the organizational structure. This may make the task of integrating risk and planning easier, but it is not required to pursue this objective.
Similarly, using risk discussions as a component of strategic planning exercises can be highly effective, and while these usually happen less frequently than business planning processes, monitoring risks as part of ongoing strategy execution oversight can keep ERM front of mind.
For risk to be fully integrated, staff training is required. ERM must become part of the company culture. The best way to accomplish that is to integrate the risk strategy into the company strategy and integrate risk indicators and objectives into performance management objectives for all staff.
Framing the Problem
The same approach used to connect with different areas of the business and understand specific risks can be applied to help organizations resolve complex challenges or make difficult decisions. In this situation, the ERM practitioner is the facilitator and synthesizer, pulling perspectives and pieces of information together into a framework that will help build a comprehensive view of complex issues and evaluate potential solutions. For example, this could include one-on-one interviews on a topic, pulling together information into a background brief and a ‘risk framework’, and convening participants to discuss options to resolve the issue. In doing this, participants who previously had only one view of an issue get to see the bigger picture, benefit from a structured framework to represent the issue and options, and benefit from the ERM practitioner facilitating a dialogue. Providing such services, which are somewhat outside the traditional view of ERM, can significantly increase the profile, credibility, and relevance of the ERM group.
Going Digital
The industry is capitalizing on the four Ds: Decarbonization, Democratization, Decentralization, and Digitalization. Going digital requires a great deal of technological solutions that the industry may not be fully prepared to take on. Digitalization will support the other broad changes to the industry and play a significant role for those companies seeking to increase their performance and operational efficiencies. Digital solutions will be embedded into all aspects of a utility or generator. Companies will require talented staff that can handle big data and analytical solutions that will provide the company the toolset to move forward and grow. ERM will capitalize on all these changes and use big data analytics to their advantage. Data driven decision making and data science solutions will provide risk professionals with the ability to predict future events and impacts more accurately, and therefore apply better risk management techniques to the benefit of the company.
Key Risk Indicators
Use of Key Risk Indicators (KRIs) is a growing trend in risk management. They are developed to be early predictors of risk events to the organization. They will vary by organization based on the risk categories the company is sensitive to. They play a pivotal role by providing a means to develop thresholds for monitoring and prediction, and to establish an alert system that enables an escalation process the organization must address to mitigate the pending risk event.
Emerging Risk Intelligence
The new normal for ERM programs envisions a more robust and resilient risk organization that exhibits “risk intelligence”. This trend looks to a dynamic ERM state where the dial moves from today’s common speak of ‘integrated’ programs towards an ERM program that is ‘strategically’ consumed by organizations.
Here, risk intelligence is “the organizational ability to think holistically about risk and uncertainty, speak a common risk language, and effectively use forward-looking risk concepts and tools in making better decisions, alleviating threats, capitalizing on opportunities, and creating lasting value.” 5
Conclusion
Risk is ever present in the industry and will impact the electricity industry in a variety of forms. One risk event can easily set off another risk event for the company. The contents and recommendations throughout this document are aimed at increasing the awareness of the critical role enterprise risk management has in the industry when everyone in the organization is aware of it, understands its relationship with strategic and operational objectives, is knowledgeable enough to identify risks, and has the authority to make decisions to mitigate those risks.
Appendix A: Glossary of Terms
Term | Description
Black Swan Risks | Risks that come as a surprise and have a major impact on the organization.
Control | Action taken to manage risk.
Enterprise Risk Management | The coordinated activities to direct and control a company’s efforts in regard to risk.
Likelihood | Chance of something happening.
Residual Risk | The risk remaining after controls and treatment are taken into account.
Risk Acceptance | An informed decision by the risk owner to accept the consequences of the risk.
Risk Appetite | The amount of risk the company is willing to be exposed to.
Risk Avoidance | An informed decision to withdraw from a risk event.
Risk Identification | Identifies impacts, causes and consequences of the risk incident.
Risk Impact | The consequences if and when the risk event occurs, often measured in cost to the company.
Risk Management Framework | Policies, procedures and processes concerning risk management.
Risk Profile | Characteristics and assessment of a range of specified risks that the organization may face.
Risk Register | A registry of risk information that identifies risk events, the potential impact, costs, mitigation techniques, stakeholders, owners of the risk, etc.
Risk Tolerance | The level of variation from the pre-determined risk appetite that the organization is willing to accept before changing the risk response.
Risk Transfer | Moving or shifting the risk burden of loss to another party with the use of insurance, contracts or other legal means.
Appendix B: Example Risk Profile
An example of risk details is provided below:
Issue | Human Resources
Risk ID | 001
Risk Owner | ADM, Research and Policy Branch | Accountable | ADM, HR Branch
Statement | There is a risk that the organization may not be able to maintain the current number of staff in scientific job categories.
Category | This risk belongs to the Human Resource Capacity category. The risk refers to insufficient HR capacity for scientific research.
Sources | The organization is exposed to this risk due to the following:
• Increased private sector demand in the science and technology field.
• Increased demand for staff in scientific fields within the federal government.
• Insufficient retention and recruitment activities specific to the science and technology field.
Inherent Risk Exposure | If the risk were to materialize, consequences would be severe and could not be endured by the organization without sustaining extensive delays to research targets.
Existing Controls | The organization currently employs the following strategies to mitigate the risk:
• Communication with local colleges and universities to promote the organization as an employer of choice.
Residual Risk Exposure | If the risk were to materialize, consequences would be significant; however, they could be endured by the organization by adjusting the research agenda and setting new targets. This may result in some activities being subject to review to address shortfalls.
Consequences and Strategic Outcome |
• If not mitigated, the research targets would not be met.
• If not mitigated, the reputation of research excellence would be compromised.
• If not mitigated, the organization may lose the ability to provide the scientific community with timely, relevant information.
• If not mitigated, the organizational objectives may not be met.
Risk Evaluation | The organization's tolerance for human resource risks is within the moderate-high risk level. The organization evaluated the risk and the residual exposure remains outside our tolerance. Additional risk responses are proposed to increase the retention and recruitment rate over the next 2 years.
Risk Responses | Additional risk responses include renewal of staffing and retention policies and accessing broader pools of qualified candidates to fulfil the scientific requirements of the organization.
• The organization will develop a retention program that will encourage long-term commitment.
• The organization will create a formal graduate recruitment program with universities across the country.
• The organization will create an internship program with colleges and universities to promote the organization.
Action and Timelines |
• Identify and establish partnerships with colleges and universities – Fall 2010
• Develop communication and stakeholder engagement strategy – Fall, Winter 2010
• Establish and implement policy changes with the HR Branch – Spring, Summer 2011
Indicators |
• Organizational turnover rate in the science and technology category.
• Organizational retention and recruitment rates over the next two years.
• Analysis of research targets over the next 3 to 5 years.
References
1. Committee of Sponsoring Organizations of the Treadway Commission. (2004) Enterprise Risk Management – Integrated Framework, Executive Summary.
2. International Standards Organization (ISO). (2018) ISO 31000 Risk Management Guidelines.
3. The role of the board in preparing for extraordinary risk. McKinsey and Company, (2022).
4. Guide to Corporate Risk Profiles – Government of Canada (https://www.canada.ca/en/treasury-board-secretariat/corporate/risk-management/corporate-risk-profiles.html)
5. Tilman, Leo. Risk Intelligence: A Bedrock of Dynamism and Lasting Value Creation. Retrieved from: https://www.europeanfinancialreview.com/risk-intelligence-a-bedrock-of-dynamismand-lasting-value-creation/