The State of Enterprise Risk Management in Canada
The State of Enterprise Risk Management in Canada
DISCLAIMER This paper was prepared by the Chartered Professional Accountants of Canada (CPA Canada) and the Canadian Financial Executives Research Foundation (CFERF), the research arm of FEI Canada, as non-authoritative guidance. CPA Canada and CFERF do not accept any responsibility or liability that might occur directly or indirectly as a consequence of the use, application or reliance on this material.
The State of Enterprise Risk Management in Canada Issued in print and electronic formats. ISBN 978-1-55385-981-9 (print).
ISBN 978-1-55385-982-6 (pdf).
Joint Copyright Š 2016 Chartered Professional Accountants of Canada and Canadian Financial Executives Research Foundation (CFERF) All rights reserved. This publication is protected by copyright and written permission is required to reproduce, store in a retrieval system or transmit in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise). For information regarding permission, please contact permissions@cpacanada.ca
iii
Table of Contents
Executive Summary
1
Research Methodology
3
Survey Demographics
4
The View of Risk Management in Canada Today
5
Level of Confidence in an Organization’s Ability to Effectively Manage Risk
6
To What Extent Is the Organization’s Strategy Aligned to Its Risk Appetite?
8
Do Corporate Directors Understand an Organization’s Opportunities and Risks?
9
Does the Senior Management Team Understand the Organization’s Opportunities and Risks?
11
Do Employees Understand the Organization’s Opportunities and Risks?
13
How Does the Organization Review New Activities and Initiatives During the Planning Stage to Identify and Address Risks?
17
Significance of Different Types of Risk on Organizations Today
19
The Significance of Risks Facing Organizations During the Next 12 Months
25
Strategic Risks
25
Operational Risks
26
iv
The State of Enterprise Risk Management in Canada
Financial Risks
27
External Risks
28
Unidentified Risks
29
Risk Management Program
30
Which Risk Management Framework Has Your Organization Adopted?
32
Who Is and Who Should Be Primarily Responsible for Risk Management?
33
Conclusion
35
Appendix A — Demographics
37
Appendix B — Forum Participants
41
1
Executive Summary Modern financial and operational threats range from international economic contagion in a connected global economy to the real and growing threat of cyber sabotage and natural disasters. Add to that the pressures caused by uncertainty around commodity prices, interest rates, foreign exchange rates and the very real possibility of internal business failures or shortcomings, and there are plenty of real and potential risks that organizations must identify and plan for. Yet risk, when managed correctly, can be a driver of new possibilities, growth, expansion and innovation. In general, large organizations have robust programs in place to manage risk and use those programs as part of their overall business strategy. However, almost 20% of participants in a recent survey about the state of risk management in Canada conducted for this study by the Chartered Professional Accountants of Canada (CPA Canada) and the Canadian Financial Executives Research Foundation (CFERF) report their organizations currently have no documented risk management program. The results of the survey suggest that many executives are actively dealing with rising uncertainty and risk. With more than 320 respondents answering the survey, the majority (66%) described themselves as only “somewhat confident” in their organization’s ability to manage risk. A minority (20%) described themselves as extremely confident. Overall, respondents generally believe that their boards understand the risks — both positive and negative — facing their organizations, have even more confidence in their senior management’s awareness of risk but notably less confidence in the front line employees’ understanding of risks facing the company. The 2008 financial crisis and the great recession that followed reinforced the need for risk management while highlighting the threat of unprecedented and unexpected occurrences. High profile cases of cyberattacks on corporations have raised awareness even further. Organizations are paying attention,
2
The State of Enterprise Risk Management in Canada
according to results of the survey: 93% of organizations review new activities or initiatives during the planning stage to address risks, either through a formal, informal or ad hoc process. What risks are Canadian organizations most wary of? Getting the strategy wrong, it turns out. Beyond general economic and industry conditions, organizations worry about leadership, enterprise reputation and enterprise strategy, identifying these risks and others as major impacts or business continuity risks to the organization. Survey participants held a variety of opinions on who is and who should be responsible for identifying and mitigating business risks. Answers ranged from senior management to the board of directors to the CEO or the CFO. Some respondents said more corporate directors should have the ultimate oversight for risk than they currently do and some respondents said they thought CFOs should bear less of the burden of responsibility. Nearly two-thirds (61%) do not have a chief risk officer or equivalent, while 38% have at least one individual charged with risk management in either a full or part-time role. Risks are real and given the speed of change in today’s economy, the ability to identify and address risks in a timely fashion is critical to an organization’s success.
3
Research Methodology The state of risk management in Canada was prepared by CFERF, the research arm of FEI Canada, in partnership with CPA Canada, the national organization established to support a unified Canadian accounting profession. The research objective of this study was to examine the existing state of risk management in Canada. In addition, the purpose was to understand how risk functions are structured in organizations, to look at what organizations have identified as key risks in the past, as well as a review of the significance certain risks pose to organizations in the next 12 months. The report encompasses the opinions and experiences of more than 320Â financial executives, who may or may not have risk management responsibility. Participants completed an online survey in April 2015. Insights were gathered at an executive research roundtable, connected by videoconference and teleconference, held on April 23, 2015 with 15 senior financial executives in Vancouver, Winnipeg, Toronto and Montreal. A productive dialogue was achieved through this roundtable, with representatives from financial services, telecommunications and IT, food manufacturing and food services, manufacturing, consulting, construction, recreational facilities, services and government all sharing their real-life experiences and expertise on the current state of enterprise risk management in Canada. The study encapsulates the responses from a broad cross-section of experienced financial executives from both public and private companies, and experts and consultants managing risk from domestic to multinational organizations of varying sizes.
4
The State of Enterprise Risk Management in Canada
Survey Demographics The main respondents to the online survey of this research study were CFOs (30%), controllers (23%), and vice-presidents of finance (12%). Just over half (56% of total) of the respondents were from privately held companies and 26% were from publicly traded companies. The balance of the respondents were from the not for profit sector (10%), Crown corporations (4%), government (2%) and other (2%). The main industries represented were: • manufacturing (21%) • finance and insurance (18%) • mining, quarrying and oil and gas (9%) • professional, scientific and technical services (8%) • construction (7%) • wholesale trade (7%) For the purposes of this report, organizations were grouped into three broad revenue groups: • 55% were small, with revenues less than $100M • 26% were mid-sized ($100M — under $1B) • 19% were large, (revenues of $1B or higher) Results were also reviewed by number of employees and grouped according to Statistics Canada’s definition of small, medium and large organizations. • 36% were small (100 employees or less) • 29% were mid-sized (101-500 employees) • 35% were large (over 500 employees) For more demographic information, please see Appendix A.
5
The View of Risk Management in Canada Today Risk and uncertainty are constant elements of the business environment. Risk is “the combination of the probability of an event and its consequence. Consequences can range from positive to negative.” (The Institute of Risk Management)1 The study’s respondents believed that their organization has the ability to manage risk, with 66% stating they are “somewhat confident” and an additional 20% “extremely confident” in the processes to deal with both positive and negative consequences. Confidence in risk management processes was higher among not-for-profit, government and Crown corporations than privately held companies. Organizations with more than 500 employees were most confident, with 90% somewhat to extremely confident.
1
Retrieved from www.theirm.org/media/886059/ARMS_2002_IRM.pdf, July 8, 2015.
6
The State of Enterprise Risk Management in Canada
Level of Confidence in an Organization’s Ability to Effectively Manage Risk Level of Confidence in an Organization's Ability to Effectively Manage Risk Not very confident, 6% Extremely confident, 20%
Neutral, 8%
Somewhat confident, 66%
BY CORPORATE ENTITY
100%
3% 12%
8% 7%
BY NUMBER OF EMPLOYEES
4% 10%
6%
8%
12%
1% 9%
4%
80% 54%
60%
59%
68%
63%
71%
74%
61%
40% 20% 0%
38% 26%
Public
26%
14% Private
Extremely confident
12% Crown corp, Gov’t, Other
NGO
Somewhat confident
23%
100 employees 101-500 or less employees Neutral
Not very confident
27%
over 500 employees
The View of Risk Management in Canada Today
The concept of aligning risk strategy with an organization’s tolerance for risk is well understood among organizations, particularly larger ones. Overall, 72% of survey participants declared that their company’s strategy is either mostly or fully aligned with its risk appetite. That perceived degree of alignment between overall strategy and risk tolerance was highest among organizations with more than 500 employees (with 81% mostly or fully aligned) while small organizations with under $100 million in annual revenue were seen as least aligned at 69%. The relationship between confidence and size also held true with 78% of organizations with revenue of $1 billion or more being mostly or somewhat aligned. Just 4% of all participants said their organization’s strategy was “not very aligned” with its risk appetite. Interestingly, there was virtually no variability in results given an organization’s corporate structure.
7
8
The State of Enterprise Risk Management in Canada
To What Extent Is the Organization’s Strategy Aligned to Its Risk Appetite? To What Extent Is the Organization's Strategy Aligned to Its Risk Appetite Not very aligned, 4% Fully aligned, 16%
Somewhat aligned, 24%
Mostly aligned, 56%
BY ANNUAL REVENUE
100%
BY NUMBER OF EMPLOYEES 1%
5%
6%
26%
20%
3%
8%
16%
21%
80%
3%
29%
25%
60% 60%
52%
40%
56%
60%
20%
0%
52%
58%
26% 13%
14%
under $100M
$100M to less than $1B
Fully aligned
Mostly aligned
21%
16% $1B or above
9%
100 employees or less
Somewhat aligned
101-500 employees
Not very aligned
over 500 employees Not aligned at all
The View of Risk Management in Canada Today
“We keep reminding ourselves that it is about the opportunities and the threats, but as accountants, our inclination is to think about the threats first. That’s the benefit of ensuring we bring more operational, sales and marketing people into the room, to remind ourselves it goes both ways.” Bev Davies, VP, Enterprise Risk Management, Investors Group Inc.
Do Corporate Directors Understand an Organization’s Opportunities and Risks? In most organizations, the board of directors represents the final decision making authority and the highest level of responsibility. According to the CPA Canada report A framework for board oversight of enterprise risk, 2 “boards of directors are not expected to unilaterally identify, analyze, mitigate and monitor enterprise risk. Rather, boards must oversee the risk management systems and processes and continuously review the associated outcomes and planning.” Knowledge of risks among corporate directors, however, is not necessarily viewed as comprehensive. Overall, 72% of survey respondents felt that boards of directors mostly or fully understood the risks and opportunities associated with the organization. That level of comfort falls dramatically amongst small organizations (under $100M), with 10% reporting their board having little or no understanding of threats and opportunities, roughly double the percenage among other revenue groups. When viewed by employee count, mid-sized organizations (101-500 employees) rated their boards lower at 66% mostly or fully understanding risks than small (72%) and large organizations (78%).
2
Caldwell, John. A Framework for Board Oversight of Enterprise Risk, Retrieved from www.cpacanada.ca/ business-and-accounting-resources/strategy-risk-and-goverance/enterprise-risk-management/publications/ board-oversight-a-new-framework-for-identifying-understanding-and-addressing-risk, July 8, 2015.
9
10
The State of Enterprise Risk Management in Canada
Do Corporate Directors Understand an Organization’s Opportunities and Risks? By Corporate Entity 100%
80%
60%
6%
1% 5%
20%
21%
13%
16%
24%
63%
50%
47% 48%
35% 25%
0%
80%
25%
18% 8%
Private
Public
Crown corp, Gov’t, Other
BY REVENUE SIZE
100%
21%
39%
40%
20%
1% 6%
8%
2% 8%
Non-Government/ Not for profit
TOTAL
BY NUMBER OF EMPLOYEES
4%
6%
20%
19%
1%
1%
6%
11%
2% 20%
21%
21%
22%
60% 40%
40%
46%
52%
20%
0%
46%
43%
52%
23%
24%
under $100M
$100M to less than $1B
29%
35%
32% 14%
$1B or above
100 employees or less
Fully understands
Mostly understands
Understands a little
Does not understand at all
101-500 employees
Somewhat understands
over 500 employees
The View of Risk Management in Canada Today
“Oversight is 100% the board’s responsibility. At CDIC, we have a board policy on Enterprise Risk Management that sets this out. For me, the role of the CEO and the Executive Management team is the management of the risk.” Dean Cosman — VP Finance and Administration and CFO, Canada Deposit Insurance Corp.
Does the Senior Management Team Understand the Organization’s Opportunities and Risks? The senior management team perceives themselves to have a somewhat stronger grasp of the risks facing organizations than boards of directors. Overall, participants stated that 80% of the responding organizations’ senior management teams mostly (49%) or fully (31%) understood the risks associated with the business. Confidence in senior management was somewhat lower in smallrevenue based organizations, i.e. those with less than $100M (79%). The type of corporate structure (private, public, government/NGO indicated some variation — for instance, 28% of survey respondents from private companies and 25% from government and Crown corporations said their senior management team “fully understands” the risks to the organization, compared to 41% of NGOs.
Extent of Understanding Risks That Are Relevant to the Organization 100% 90% 80%
1%
2%
2%
6% 18%
23%
21%
70% 60% 50%
47%
40% 30% 20% 10%
25%
72% felt that Board of Directors either mostly or fully understood risk
49%
80% felt that Sr. Mgmt Team either mostly or fully understood risk
44%
31%
31%
Senior Management Team
Employees
0% Board of Directors Fully understands
Mostly understands
Understands a little
Does not understand at all
Somewhat understands
Only 31% felt that Employees either mostly or fully understood risk
11
12
The State of Enterprise Risk Management in Canada
Does the Senior Management Team Understand the Organization’s Opportunities and Risks? By Corporate Entity 100%
2%
2%
2%
14%
19%
21%
25%
18%
80%
60%
38% 51%
49%
49% 50%
40%
20%
0%
41%
35%
Public
25%
Private
Crown corp, Gov’t, Other
BY REVENUE SIZE
100%
18%
18%
TOTAL
NGO
BY NUMBER OF EMPLOYEES 1%
1%
3%
31%
28%
17%
18%
2%
1% 15%
24%
80%
60%
42% 51%
51%
28%
30%
under $100M
$100M to less than $1B
47%
52% 49%
40%
20%
0%
40%
$1B or above
30%
100 employees or less
Fully understands
Mostly understands
Understands a little
Does not understand at all
37% 25%
101-500 employees
Somewhat understands
over 500 employees
The View of Risk Management in Canada Today
Do Employees Understand the Organization’s Opportunities and Risks? While it can be said that confidence in both senior management and directors’ recognition and understanding of risk are at similar levels among survey participants, the same level of assurance does not hold among other employees in organizations. Only 31% believe that employees mostly or fully understand the opportunities and threats relevant to their organization, a sizeable gap compared to management and directors. This may reflect a communications gap from the top of the organization to other levels. In this regard, whether measured by employee count or revenue, the largest organizations scored highest (39% or 45% respectively) while the ones “stuck in the middle” scored lowest (22 or 24%). Risk appears to be better understood by employees at either small organizations or large organizations. Anecdotally, at small organizations “everyone knows and understands” what’s in play through informal discussions, while in large organizations formal communication plans exist to disseminate the information to staff. It’s the employees of mid-size organizations who have the least knowledge of the risks facing their organization, perhaps because these organizations appear to not be large enough to have the formal procedures in place yet are too large for an informal network of communication. “We’re a very complex organization. We have several business units across several geographic areas, almost 300 organizations and partnerships, and a few hundred employees. Most of our employees don’t really think in terms of risk management.” Jeff Shickele — VP, Accounting, Amacon
13
14
The State of Enterprise Risk Management in Canada
Text
Do Employees Understand the Organization's Opportunities and Risks? By Corporate Entity
100%
1% 16%
60%
18%
17%
28%
80%
2%
4%
4%
23%
38%
48%
50%
44%
42%
40%
20%
0%
44% 35%
Public
29%
Private
Crown corp, Gov’t, Other
BY REVENUE SIZE
100%
80%
23%
25%
4%
43%
1% 16%
18% 22%
33%
44% 45%
51%
42%
40%
0%
3%
37%
60%
20%
TOTAL
NGO
BY NUMBER OF EMPLOYEES
2%
4%
31%
26%
45% 28%
24%
under $100M
$100M to less than $1B
$1B or above
29%
100 employees or less
Fully understands
Mostly understands
Understands a little
Does not understand at all
39% 22%
101-500 employees
Somewhat understands
over 500 employees
The View of Risk Management in Canada Today
It’s not surprising that boards of large organizations have a fairly strong understanding of the risks facing the organization. Over the past 10 years, increased regulatory, media, and investor pressure has forced boards to become more knowledgeable and active in risk management, and this trend has permeated through all sectors of the economy. Conversely, smaller organizations are often owner-managed with risk management being an informal activity based on the owners’ gut feel, rather than a formal board-level activity. The call to action differs by size of organization; larger organizations must ensure that their boards are fully conversant with risk exposure and mitigation plans so that they can be formally approved, whereas smaller organizations should consider devoting greater attention to risk management activities. The large divergence in risk understanding that we see at the employee level is also — unfortunately — not surprising. What makes risk management a greater concern is that employees might inadvertently accept risks that the organization wishes to avoid (or vice versa of course). For example, an organization might have a strategy that calls for effectively 100% on time order fulfillment; this strategy might mean that some potential orders are turned down as there might not be sufficient capacity to deliver on them. This strategy must encourage all levels of the organization to ensure that employees do not, for example, “chase volume or revenue” that might generate undesirable risk, and that incentives align with the strategy. It is imperative therefore that all employees understand the risk appetite of the organization, both in qualitative and quantitative terms, but more importantly that the organization act on its words as it defines its risk strategy.
15
16
The State of Enterprise Risk Management in Canada
CASE STUDY: RISK ASSESSMENT AT TELUS “At TELUS, about a decade ago, we implemented our own in-house developed risk assessment survey tool, and once a year, about 1,500 team members complete this e-survey. So the reported view of risk was statistically valid. For senior executives, the top ten risks were typically strategic risks. When you went down to the front line, top-rated risks were typically more operational in nature such as customer service related risks, or process related concerns. In other words, the things which were inhibiting their ability to do their jobs well. It is a great tool. The survey findings were transparent to the board including a compare and contrast of risk rankings by level in the organization. One would see process breakdowns and customer service right at the top of front line concerns and yet, we’re supposed to be putting customers first as an overall corporate objective. I think it was a tool that actually allowed the organization to say, “We have to do a lot more than provide lip service to our stated priority,” and the entire organization has to put customers first and improve customer service. By the way, that is exactly what happened as TELUS made remarkable progress on this priority since 2008. So, TELUS’ risk management tool helped shed light on whether what VPs and SVPs were reporting was actually what our frontline experienced. Our frontline responses were more correlated with the stats from our customers’ perceptions and so it was a great catalyst to doing something good in the organization to improve customer service, but the point being: Be very, very careful when compiling risk rankings. You have to ask the question: Who is saying these are the major risks and what is their natural bias/perspective? Unless you have a cross-section throughout the organizational hierarchy of a large organization, as opposed to merely a survey of senior management, then you’re not going to really have a good understanding of the true risks the organization faces.” Robert McFarlane — Corporate Director and former EVP and CFO, TELUS
The View of Risk Management in Canada Today
How Does the Organization Review New Activities and Initiatives During the Planning Stage to Identify and Address Risks? Larger and public organizations are more likely to have formal processes and structures in place to identify and manage risk. Overall, 69% reported a formal or informal process is in place to identify and address risk: that percentage rises to 87% for organizations with $1 billion or more in revenue and 78% for those with more than 500 employees. Private companies are more likely to have informal processes (46%), while public companies are more likely to have a formal process (46%). Private companies are most likely to have no process at all. “We have a documented risk management framework. I’d add though that we’re actively streamlining and trying to reduce the amount of documentation and administration. For example, we have a large number of risk policies and we’re trying to rationalize those; focusing more on the cultural aspect of risk management and on risk appetite. Why are we taking the risk? How does taking the risk contribute to our objectives and at what level? What do we need to do to manage within the risk appetite?” Kerry Reinke — VP, Enterprise Risk Management, Group Risk Management, Manulife Financial
“We’re a $100 billion business, but I can’t allow the framework that would apply to a $100 billion dollar business stifle a $7 million, or even a $700,000 opportunity. That’s why you still leverage the fundamentals that you have of your overall risk management, but it can’t overburden your ability to pursue opportunities.” Xerxes Cooper — CFO, IBM Canada
“At TELUS, we established our own definition of risk, in relation to an ethical organization. Ethics were used as a fundamental building block. You can have a great process but, unless you have a good understanding and some process to assess what the perception of the ethical culture and compliance is throughout the entire organization, then you may have a house of cards. If you have what looks like a robust risk management system that is in fact based upon an unethical culture, you can be exposed to a major failure.” Robert McFarlane — Corporate Director and former EVP and CFO, TELUS
17
18
The State of Enterprise Risk Management in Canada
How Does the Organization Review New Activities and Initiatives During the Planning Stage to Identify and Address Risks? By Corporate Entity 69%
TOTAL
28%
NGO
41%
35%
Crown corp, Gov’t, Other
24% 38%
46%
Private
17%
Public
27% 33%
17%
46%
28%
46%
0%
20%
6% 1%
30%
40%
8% 19%
60%
4%
80%
1%
5%
100%
By Revenue Size 87%
$1B or above
55%
$100M to less than $1B
32%
39%
under $100M
15%
0%
28%
23%
50%
20%
13%
10%
29%
40%
60%
6%
80%
100%
By Number of Employees 78%
over 500 employees
101-500 employees 100 employees or less
47%
31%
21%
45%
17%
0%
26%
47%
20%
40%
17%
30%
60%
80%
Organization has a formal process to identify and address risks
Organization has an informal process to identify and address risks
Organization has an ad hoc process to identify and address risks
Organization has no process to identify and address risks
Don’t know
5%
8%
6%
100%
The View of Risk Management in Canada Today
Significance of Different Types of Risk on Organizations Today Significance of Different Types of Risk on Organizations Today 100%
1%
2% 7%
6%
3%
6% Business
Continuity Concern or
55%
60%
Continuity
Continuity
Business
80%
Concern or
47%
Concern or
40%
Major
Major
Impact
Impact
54%
Business Continuity
Business
33%
Concern or Major
Major
Impact
Impact
36%
46%
61%
35%
40%
36% 35%
20%
27% 23% 8%
2%
0%
Strategy Risks
10%
15%
1%
Operational Risks
3%
Financial Risks
Has no or very minor impact
Has a major impact
Has a minor impact
Business continuity is called into question
Has a moderate impact
Don’t know
5% External Risks
Strategic risks are risks (opportunities and threats) that affect or are created by business strategy decisions. Included in this category are brand perception and value, changing customer needs, general economic and industry conditions, leadership, local, regional and national political environment.
Among the four categories of risks, strategic risk was viewed to have the highest overall impact (55% reporting a major impact and another 6% believing business continuity is called into question).
19
20
The State of Enterprise Risk Management in Canada
Significance of Strategic Risks on Organizations Today By Corporate Entity 100%
1%
4% 6%
5%
2% 6% 55%
80%
60%
4%
7%
51%
53%
56% 79%
40%
20%
0%
5%
24%
30%
28%
8%
1%
Public
Private
27% 13% 3%
18%
8%
NGO
TOTAL
4% Crown corp, Gov’t, Other
Has no or very minor impact
Has a major impact
Has a minor impact
Business continuity is called into question
Has a moderate impact
Don’t know
2%
Strategic risk had large variability between private and government/crown corporations (with 51% and 79%, respectively, stating it has a major impact). Operational risks are inherent, and reflect a company’s procedures, people and systems. Specific risk examples include business processes, surplus/shortage of capacity, change integration, channel effectiveness, customer satisfaction, operational efficiency, health and safety, product/ service performance, service delivery, supplier failure (quality, quantity or timeliness), and operational technology failure.
Overall, 54% of respondents said that operational risks posed a major impact or were a threat to business continuity. Operational risks tend to grow with company size: 46% of small organizations (less than $100 million in revenue) saw it as having a major impact or a continuity threat whereas 60% of organizations with $100 million to less than $1 billion in revenue and 65% of organizations with $1 billion or above in revenue felt the same. Among organization types, Crown corporations and government felt that operational risks posed the greatest threat (67%) while NGOs had the lowest (41%).
The View of Risk Management in Canada Today
Significance of Operational Risks on Organizations Today By Corporate Entity 100%
1% 7%
6%
3%
8%
80%
7%
38% 54%
44%
52%
47%
59%
60%
40%
47% 35%
35%
33%
20%
33%
0%
13%
1%
7% Public
1%
Private
Crown corp, Gov’t, Other
BY ANNUAL REVENUE
100%
80%
1% 6%
5%
1%
1%
4%
6%
52%
56%
55%
39% 33%
under $100M
TOTAL
8%
10%
39%
20%
0%
NGO
34%
60%
13%
10%
BY NUMBER OF EMPLOYEES
40% 55%
40%
12%
1%
38%
29%
7%
5%
$100M to less than $1B
$1B or above
1%
17%
1%
100 employees or less
Has no or very minor impact
Has a major impact
Has a minor impact
Business continuity is called into question
Has a moderate impact
Don’t know
5% 101-500 employees
30%
1%
7% over 500 employees
1%
21
22
The State of Enterprise Risk Management in Canada
“[Food safety] is only one of my risks. … The second thing is the POS (point of sale) system, when the POS systems go down (technology), you can’t run a restaurant. You cannot collect cash without a POS system.” Ross Corcoran — CFO, Bantam Restaurant Group
Financial risks include the following: regulatory/compliance requirements, commodity prices and input costs, credit rating and access to capital, foreign exchange, interest rates, liquidity and cash flow, regulatory, legal and compliance, tax policies and laws.
Overall, 46% of respondents said that financial risks today constituted either a major impact on their organization or actually posed a threat to its business continuity. This assessment was highest for publicly traded companies (58%) and lowest for Crown corporations/government (29%).
The View of Risk Management in Canada Today
Significance of Financial Risks on Organizations Today By Corporate Entity 100%
1% 3%
11%
4%
6%
12%
25%
80%
39%
40%
35% 47%
60% 54% 36%
40%
35%
36%
15%
15%
32%
20% 19%
0%
13%
2%
8%
2%
Public
Private
4%
3%
3%
Crown corp, Gov’t, Other
NGO
TOTAL
BY ANNUAL REVENUE
100%
1%
1%
3%
7%
80%
BY NUMBER OF EMPLOYEES
8%
8%
37% 40%
38%
44%
4%
4%
41%
41%
37%
41%
60%
40%
40%
34%
31% 39%
20% 16%
0%
under $100M
2%
18%
19% 2%
$100M to less than $1B
8% $1B or above
1%
3%
100 employees or less
Has no or very minor impact
Has a major impact
Has a minor impact
Business continuity is called into question
Has a moderate impact
Don’t know
15%
101-500 employees
3%
11% over 500 employees
3%
23
24
The State of Enterprise Risk Management in Canada
External risks are associated with factors outside of the organization and these occurrences are largely outside of an organization’s control, but the impact can be greatly influenced. Included in this category would be the changing natural environment, natural disasters, attacks on personnel, terrorism, sabotage and cyber security risk.
Significance of External Risks on Organizations Today By Corporate Entity 100%
2% 6%
2% 4%
1% 3%
4% 15%
80%
33%
33%
37%
54%
60%
55% 34%
40%
35%
32% 29%
20%
24%
21% 2%
0%
Public
2%
3% Private
23%
24% 17% Crown corp, Gov’t, Other
NGO
Has no or very minor impact
Has a major impact
Has a minor impact
Business continuity is called into question
Has a moderate impact
Don’t know
5% TOTAL
Overall, the expectation of a major impact or threat to business continuity from external risks is 43% for public companies, with Crown corporations and government organizations most affected at (54%). Those reported to be least affected by external risks are NGOs, with only 19% expecting a major impact or threat to business continuity. “As a financial services company, we obviously have a lot of confidential information and so cyber security is one of our top evolving risks. We’re spending a lot of time on initiatives to manage that risk. It’s a lot about what you don’t know that can hurt you because you might find a solution to protect against the latest cyber breach methodology, but then something else could come up that you’re not protected against. As an organization, we devote a fair amount of time talking to our board about information security risk and the programs that are in place.” Bev Davies, VP, Enterprise Risk Management, Investors Group Inc.
25
The Significance of Risks Facing Organizations During the Next 12 Months
Strategic Risks Local, regional, national political environment Leadership
1% 6%
Enterprise reputation
27%
31% 39%
2% 4% 1% 2%
52%
22%
23%
12%
2% 2%
Global market and geo-political conditions
Enterprise strategy
36%
2% 10%
Intellectual property
General economic and industry conditions
28%
33%
11%
33%
2% 8% 2% 14% 5%
30% 52% 36% 36%
15%
39%
8%
18%
36%
Brand perception and value
7%
21%
33%
20%
40%
35% 34%
60%
1% 4% 1%
44%
Changing customer needs
0%
23%
80%
Has no or very minor impact
Has a major impact
Has a minor impact
Business continuity is called into question
Has a moderate impact
Don’t know
3% 1% 4% 1% 3% 3% 2%
100%
26
The State of Enterprise Risk Management in Canada
Among the strategic risks, other risks that pose a major impact and threat to business continuity were general economic and industry conditions (56%), leadership (56%) and enterprise strategy (47%). The lowest threats were seen to be the local, regional and national political environment (28%) and intellectual property (14%).
Operational Risks Information technology failure
4%
Supplier failure (quality, quantity or timeliness)
11%
Service delivery
5%
18%
Product/service performance
6%
16%
Human resources
5%
29%
Capacity: Surplus, shortage or misalignment
5%
Business processes
2%
0%
30%
30%
37%
26%
28%
38% 38%
40%
20%
35%
60%
2% 1%
21%
31%
43%
20%
2%
43% 39%
19%
2%
46%
33%
22%
5%
30%
29%
24%
8%
9%
39%
24%
15%
Health and safety Channel effectiveness
19%
80%
Has no or very minor impact
Has a major impact
Has a minor impact
Business continuity is called into question
Has a moderate impact
Don’t know
1% 5% 3% 1% 1%
100%
Among operational risks, other risks that pose major impact and threat to business continuity were information technology failure (48%), service delivery (48%) and product/service performance (45%); health & safety was viewed as the lowest of these risks (22%). “Our top three risks are operational. One of these risks is one that would be certainly unique to us. As the federal deposit insurer in Canada, we need to be prepared if and when a member institution experiences difficulty. Another of our key risks is cyber. We are a small organization, but we have a heavy reliance on technology to fulfill our mandate. Again, being a small organization, another key risk is on the HR side. We have been challenged to attract the necessary expertise in certain areas and we also have made succession planning a priority to ensure we are well positioned for the future.” Dean Cosman — VP Finance and Administration and CFO, Canada Deposit Insurance Corp.
The Significance of Risks Facing Organizations During the Next 12 Months
“In the food business, our number one risk is food safety. That has unconditional priority in terms of active risk management from the C-suite all the way down to shop floor level and the responsibility of every employee.” Brian Fiedler — CFO, Give and Go Prepared Foods Corp.
“Being an aircraft operator, we are very much regulated under Transport Canada. We need to make sure our planes are well-maintained and that everything is up to par.” Marc Malouin — CFO, DAC Aviation International
Financial Risks Tax policies and laws
19%
36%
33%
12% 1%
Asset value impairment
39%
26%
Regulatory, legal and compliance
8%
Liquidity and cash flow
7%
Interest rates
30%
23% 31%
26% 35%
7%
32%
22%
24%
28%
Credit rating and access to capital
21%
25%
28%
0%
3% 1%
37%
Foreign exchange
Commodity and input costs
1%
27%
23%
15%
10%
17% 25% 23%
1% 1% 3% 3%
14%
26%
20%
24%
40%
32%
60%
80%
Has no or very minor impact
Has a major impact
Has a minor impact
Business continuity is called into question
Has a moderate impact
Don’t know
1%
100%
Survey participants took a fairly benign view to financial risks. Of those viewed to pose the greatest risk to their organization (major impact and threat to business continuity), liquidity and cash flow topped the list at 44%, followed by commodity and input costs at 35%. Just 11% saw asset value impairment as a significant risk while 12% viewed tax policies and laws as potentially having a major impact or continuity risk.
27
28
The State of Enterprise Risk Management in Canada
Of course, these results may be heavily influenced by the profile of the survey respondents. A survey of organizations with major operations in politically less stable environments, perhaps subject to capital controls, expropriation/ nationalization, uncertain legal or regulatory structures, etc., may result in very different perspectives.
External Risks Defined as risks associated with factors largely beyond the organization’s control, the most significant external risk is viewed to be cyber security, with 28% of respondents considering it to constitute a major impact or threat to business continuity. 2%
Attacks on personnel, terrorism, sabotage, etc. (physical or electronic) Natural disasters
Cyber security
25%
36%
22%
14%
25%
11%
1% 3%
21%
38%
12%
30%
30%
24%
2% 4% 1%
Changing natural environment
0%
23%
37%
20%
40%
26%
60%
12%
80%
Has no or very minor impact
Has a major impact
Has a minor impact
Business continuity is called into question
Has a moderate impact
Don’t know
1%
100%
“We’ve all heard about managing business on the cloud. A large portion of our business going forward is to take more more responsibility for our end-users, our clients and their data. And with that also comes their business responsibility, the reputational risk and so on.” Xerxes Cooper — CFO, IBM Canada
The Significance of Risks Facing Organizations During the Next 12 Months
Unidentified Risks Participants were asked to identify major risks to their business not described in the survey. Notable responses included inclement weather, technology and worrisome employee demographics: • “Since we are a housing construction company, longer winters will hurt our industry since outside work cannot be accomplished unless a higher cost is attached to it and it will also lengthen the construction period which will diminish the anticipated surplus.” • “Inability to move faster on all IT related investment. Major changes in competitor channel delivery and use of internet can fundamentally change our business.” • “Baby boomers departing all at once, impacting skill sets currently in place within the organization and succession planning.” “If a so-called ‘black swan’ or an event you have little control over occurs, chances are the first time it happens you’ll be forgiven. However, an inappropriate response won’t be. It almost doesn’t matter what the crisis is, focus on a response that mitigates the impact to your customer and other stakeholders and then the company.” Kerry Reinke — VP, Enterprise Risk Management, Group Risk Management, Manulife Financial
29
30
Risk Management Program
According to the Institute of Risk Management (IRM), risk management is defined as the systematic process of understanding, evaluating and addressing risks to maximize the chances of objectives being achieved and ensuring organizations, individuals and communities are sustainable. Risk management also exploits the opportunities uncertainty brings, allowing organizations to be aware of new possibilities. Essentially, effective risk management requires an informed understanding of relevant risks, an assessment of their relative priority and a rigorous approach to monitoring and controlling them. With this definition in mind, do you have a documented risk management program?
Risk Management Program
Do You Have a Documented Risk Management Program?
BY CORPORATE ENTITY
BY REVENUE SIZE
TOTAL
15%
37%
$1B or above
28% 40%
44%
19%
1%
12%
2% 2%
$100M to less than $1B
8%
under $100M
8%
NGO
51% 30%
35%
26%
Crown corp, Gov’t, Other
44%
21%
Private 6% Public
28%
21%
9% 8% 4%
36%
28%
20%
40%
28% 22%
41%
60%
1%
27%
67% 30%
0%
12%
80%
6%
3%
100%
Yes, our organization has a robust and advanced risk management program Yes, we have a somewhat developed risk management program Yes, we have a minimally developed risk management program No, we do not have a risk management program at all Don’t know
“We assess our risk profile at least quarterly, but, the more meaningful and deep assessment of whether they are within risk appetite is best when it’s an integral part of business planning. If it happens in a separate exercise, significant value is lost.” Kerry Reinke — VP, Enterprise Risk Management, Group Risk Management, Manulife Financial
When it comes to actively managing risk, 80% of organizations have some level of program in place, ranging from one that is robust and advanced (15%), to somewhat developed (37%) and minimally developed (28%). A robust risk management program is most likely to be found at the largest organizations by revenue (44%) or public companies (28%). Participants reported similar percentages of implementation of a risk management framework: 16% had one fully implemented and 54% had one partially implemented. More than a quarter (28%) however have not implemented a risk management framework.
31
32
The State of Enterprise Risk Management in Canada
For those 61% of respondents whose organizations have adopted a framework, less than half are using COSO (Committee of Sponsoring Organizations of the Treadway Commission) with the second most popular being ISO 31000. Interestingly, many indicated they were using an ‘other’ framework, such as the one developed by Office of the Superintendent of Financial Institutions (OSFI) for financial institutions, and many were using an internally created framework, sometimes with guidance from the organization’s parent.
Which Risk Management Framework Has Your Organization Adopted? No framework adopted
39%
COSO Enterprise Risk Management — Integrated Framework
28%
Other — please specify:
19%
ISO 31000 Risk Management — Principles and Guidelines on Implementation
8%
Standard & Poor’s ERM
3%
FERMA (Federation of Enterprise Risk Management — European Risk Management Association) A Risk Management Standard
1%
BS 31100 Code of Practice for Risk Management
1%
OCEG Red Book 2.0 (GRC Capability Model)
0%
Total
100%
As a result, our interpretation of the survey results is that the degree to which a risk management program is documented is closely aligned with the application or implementation of a risk management framework. “In our commercial and wholesale divisions we do have documented risk. In our consumer division, it’s a lot less formal but we’re aware of it and we manage it on an individual basis.” Lenny Eichler — CFO, Distributel
“We have a documented risk process and we brought in a Chief Risk Officer about one and a half years ago. Based on our benchmarking at that time, that’s fairly unique among municipal governments, it’s not been something that has been a formal process. So we expect to see change across the country.” Patrice Impey — CFO, City of Vancouver
“We do not have a formal documented process. We are a private company, but it does not mean that we do not go through the same procedures. We just do not invest the same amount of resources on documenting things.” John Forester — CFO, DBG Canada Ltd.
Risk Management Program
“A smaller organization that we worked with undertook an organizational review of their risks and then went about the process of setting up an enterprise risk management program. That was really enlightening because the organization had been doing some things well but informally. And so it was a real eye opener [for the company] to go through a formal process and engage employees in different divisions and different roles. The end result was a much more comprehensive approach to risk management than had previously existed.” Karen Horcher — Consultant, Hedge Rho Management Inc.
The existence of a CRO or equivalent, either fully or partially, is linked to company size and corporate structure. Overall, 61% do not have such a role but in organizations with less than 100 employees, that figure jumps to 75%. This is a striking contrast to organizations with over $1B in revenue, where only 27% of them reported not having a CRO at all while 44% have at least one fully dedicated person for this role. Where the CRO position exists, just under half report to the CEO (47%). If not reporting to the CEO, this position is likely to report to either the CFO (21%) or directly to the board of directors (18%).
Who Is and Who Should Be Primarily Responsible for Risk Management? More than one-third (34%) believe that senior management as a group is responsible for the oversight of risk management, followed by the CEO (23%), the board (18%) and the CFO (15%). Asked who should be primarily responsible for risk management, the respondents’ answers were similar: 33% stated senior management, 25% stated for each of the board and the CEO and 8% for the CFO. The largest shifts between the present and target situations were the declining role for the CFO (15% to 8%) and the roughly commensurate expansion of the board’s role (18% to 25%).
33
34
The State of Enterprise Risk Management in Canada
Who Is and Who Should Be Primarily Responsible for Risk Management Who SHOULD be primarily responsible for oversight of risk management
Primarily responsible for oversight of risk management TODAY
25%
25%
18%
0%
23%
20%
8%
15%
40%
Board of directors
7%
33%
2%
9%
34%
1%
60%
80%
100%
Chief Risk Officer (CRO) or equivalent
CEO
Senior management team, collectively
CFO
Other (please specify)
“I think the CFO is the person who is the best equipped and most professional in order to manage and do the oversight for risk.” Ross Corcoran — CFO, Bantam Restaurant Group
“We actually have multiple boards and directors, because we own companies and are in joint ventures that have their own boards. There should be separate oversight structures aligned to the way you oversee your overall business. This is just another element of managing your businesses, so however you do the rest of it, you should generally follow the same approach with anything risk related. That’s what we do, so that particular boards deal with risks for their different units, and the monitoring gets more and more high level as you go up to avoid duplicating efforts.” Senior Financial Executive
35
Conclusion The world is becoming a riskier place for most businesses to operate and prosper. The range of risks, significant and insignificant, likely and unlikely to occur, known and unknown, is growing and gaining prominence as organizations find it necessary or are required to publicly report data breaches, cyber attacks and unexpected operational short comings that were once simply described as “surprises.” Canadian organizations have more work to do when it comes to recognizing and managing risks. While most organizations are concerned with risk, a significant number (one in five) continue to operate without a risk program of any kind. Perhaps unsurprisingly, more robust, institutionalized enterprise risk management programs are most common among large and public companies, where nearly one half have one in place. The percentages decline for smaller and private entities. Our survey found similar percentages for implementation of a risk management framework: 16% had one fully implemented and 54% had one partially implemented. More than one quarter (28%) have not implemented a risk management framework. The survey results suggest more work has to be done to bolster oversight and operational responsibility for enterprise risk management by relevant levels and individuals in organizations, be they boards of directors, CEOs, CFOs, and the latest C-suite member, the CRO. This is supported by U.S. research from the “2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities”3 which found that demands for board and executive risk oversight continue to rise.
3
2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities. Retrieved June 24, 2015 from: www.aicpa.org/interestareas/businessindustryandgovernment/resources/ erm/downloadabledocuments/aicpa_erm_research_study_2015.pdf
36
The State of Enterprise Risk Management in Canada
Enterprise risk management is still an emerging field for mid-sized organizations. While it remains a mostly informal or ad hoc process for small organizations, it has been ingrained in strategy and initiatives by large organizations, both private and government entities, as well as Crown corporations. What is becoming standard practice among large organizations with regards to risk management practices and standards will likely spread to smaller, private companies and NGOs as they seek to emulate their larger peers. “Many companies tend to focus on the formal aspect of their risk frameworks, and I find that sometimes it creates a bit of a false sense of security. Even if you have a great risk framework and documented procedures, if you don’t have an open, transparent environment in which people feel comfortable challenging ideas, and a communication mechanism to facilitate this, those formal processes simply won’t be as effective. Often, boards look at their organizations’ formal frameworks and processes and say `Okay, we’ve got all these great matrices and colourful heat maps,’ but what they really need to ask is what is the true corporate culture with respect to openness and transparency, and how does risk management fit within the broader strategic plan.” Michael Kobrin, President, Michael Kobrin Consulting
37
APPENDIX A
Demographics
Corporate Structure Other 2%
NGO 10% Government 2% Crown Corporation 4%
Private 56%
Public 26%
38
The State of Enterprise Risk Management in Canada
Primary Industry 21%
Manufacturing Finance and insurance
18%
Mining, quarrying and oil and gas extraction
9%
Professional, scientific and technical services
8%
Wholesale trade
7%
Construction
7% 4%
Retail trade Utilities
3%
Transportation and warehousing
3%
Real estate and rental leasing
3%
Health care and social assistance
3%
Information and cultural activities
2%
Educational services
2%
Agriculture, forestry, fishing and hunting
2%
Administrative and support, waste management and remediation services
2%
Management of companies and enterprises
1%
Arts, entertainment and recreation
1%
Accommodation and food services
1%
Other (please describe):
3%
0%
5%
10%
15%
20% 25%
Demographics
Position Title 30%
CFO 23%
Controller 12%
VP Finance Founder, Owner, President or Principal
9%
Director of Finance CEO
6% 3%
Treasurer
2%
CRO (Chief Risk Officer)
2%
COO (Chief Operating Officer)
2% 11%
Other 0%
5%
10%
15%
20%
25%
30%
Annual Revenue 19%
$1B or above 6%
$500M to less than $1B
20%
$100M to less than $500M $50M to less than $100M
11%
$25M to less than $50M
12% 21%
$5M to less than $25M less than $5M 0%
11% 5%
10%
15%
20%
25%
39
40
The State of Enterprise Risk Management in Canada
Number of Employees more than 3,000
14% 11%
1,001-3,000 501-1,000
10%
251-500
15%
101-250
14%
26-100
20%
25 or less
16% 0%
5%
10%
15%
20%
Where Employees Reside — Geographic Regions [Select All That Apply] 100%
80%
60% 99% 40%
20%
0%
Canada
26%
20%
United States
Other Countries
41
APPENDIX B
Forum Participants Forum Chair
Victor Wells, Chair, Canadian Financial Executives Research Foundation (CFERF)
Moderators
Laura Pacheco, VP, Research, FEI Canada Robert Torok, Partner & Co-Founder, BetterVu
Vancouver
Karen Horcher, Consultant, Hedge Rho Management Inc. Patrice Impey, CFO, City of Vancouver Robert McFarlane, Corporate Director & former EVP & CFO, Telus Jeff Shickele, VP, Accounting, Amacon
Toronto
Xerxes K. Cooper, CFO, IBM Canada Dean Cosman, VP Finance & Administration & CFO, Canada Deposit Insurance Corporation Brian Fiedler, CFO, Give and Go Prepared Foods Corp. John Forester, CFO, DBG Canada Ltd. Hubert Huang, VP, Risk Management, Brookfield Asset Management Michael Kobrin, President, Michael Kobrin Consulting Kerry Reinke, VP, Enterprise Risk Management, Group Risk Management, Manulife Financial
42
The State of Enterprise Risk Management in Canada
Montreal
Ross Corcoran, CFO, Bantam Restaurant Group Lenny Eichler, CFO, Distributel Marc Malouin, CFO, DAC Aviation International
Winnipeg
Bev Davies, VP, Enterprise Risk Management, Investors Group Inc.
Observers Vancouver
David Chiang, Senior Director, Member Services, CPA BC Michael Conway, President & CEO, FEI Canada Jan Sampson, EVP for Member Engagement for CPA BC Todd Scaletta, Director, Research, Guidance and Support, CPA Canada
Toronto
Gord Beal, VP Research, Guidance and Support, CPA Canada Laura Bobak, Research and Communications Manager, FEI Canada Gigi Dawe, Principal, Research, Guidance and Support, CPA Canada Carol Raven, Principal, Research, Guidance and Support, CPA Canada Paul Brent, Writer, FEI Canada
We gratefully acknowledge the efforts of our survey respondents and our round table participants who took valuable time away from their day jobs to participate in this research.
About CPA Canada The new Canadian designation, Chartered Professional Accountant (CPA), is now used by Canada’s accounting profession across the country. The profession’s national body, Chartered Professional Accountants of Canada (CPA Canada), is one of the largest in the world with more than 200,000 members, both at home and abroad. The Canadian CPA was created with the unification of three legacy accounting designations (CA, CGA and CMA). CPAs are valued for their financial and tax expertise, strategic thinking, business insight, management skills and leadership. CPA Canada conducts research into current and emerging business issues and supports the setting of accounting, auditing and assurance standards for business, not-for-profit organizations and government. CPA Canada also issues guidance and thought leadership on a variety of technical matters, publishes professional literature and develops education and professional certification programs. www.cpacanada.ca
About Financial Executives International Canada (FEI Canada) FEI Canada is the all-industry professional membership association for senior financial executives. With eleven chapters across Canada and more than 1,600 members, FEI Canada provides its members thought leadership, advocacy services and extensive professional development opportunities — including its executive education offering, the CFO Leadership Beyond Finance program. The association membership, which consists of Chief Financial Officers, Audit Committee Directors and senior executives in the Finance, Controller, Treasury and Taxation functions, represents a significant number of Canada’s leading and most influential corporations. Further information can be found at www.feicanada.org. Follow us on Twitter at @FEICanada.
About the Canadian Financial Executives Research Foundation CFERF is the non-profit research institute of FEI Canada. The foundation’s mandate is to advance the profession and practices of financial management through research. CFERF undertakes objective research projects relevant to the needs of Canada’s senior financial executives in working toward the advancement of corporate efficiency in Canada. For more information, please visit www.feicanada.org.
The State of Enterprise Risk Management in Canada
277 WELLINGTON STREET WEST TORONTO, ON CANADA M5V 3H2 T. 416 977.3222 F. 416 977.8585 WWW.CPACANADA.CA