Agenda - Council Workshop - 20240618
Town of Aurora
Council Workshop/Education Session
Agenda
Date: Tuesday, June 18, 2024
Time: 7 p.m.
Location: Council Chambers, Aurora Town Hall
Meetings are available to the public in person and via live stream on the Town’s YouTube channel.
1. Call to Order
2. Land Acknowledgement
3. Approval of the Agenda
4. Declarations of Pecuniary Interest and General Nature Thereof
5. Consideration of Items Requiring Discussion
5.1 Risk Management
(Presentation to be provided by Tony Lackey, BA, FCIP, RF)
6. Adjournment

Risk Management
PRESENTED BY: TONY LACKEY, BA, FCIP, RF

INTRODUCTION
Tony Lackey, BA, FCIP, RF
• 15 years in Property and Casualty Insurance
• Last position ‐ Vice President, Claims
• 21 years in Risk Management at University – Executive Director
• Town Councillor
• Instructor, Sprott School of Business, Carleton University ‐ Canadian risk management certification courses
• TL Risk Solutions – Clients include Bank of Canada, Service Canada, Laurentian University

AGENDA
1. Introduction
2. What is Risk and Risk Management?
3. Enterprise Risk Management vs. Operational Risk Management
4. Goal of a Risk Management Program
5. Responsibilities
6. Overview of proposed Risk Management Policy
7. Review of Risk Management Framework and Process
8. Next Steps

WHAT IS RISK AND RISK MANAGEMENT?
Many different definitions depending on industry.
• Possibility of Loss or injury, peril (Webster’s Dictionary)
• Subject matter of insurance
• Insurance applicant
• Cause of Loss

WHAT ARE RISKS?
• Risks are potential events or circumstances that can have an effect on the Town’s strategic or operational goals.
• An effect is a positive or negative variation on what is expected.
• The effect a risk has on an organization is expressed in terms of:
  o the combination of the impacts of an event; and
  o the associated likelihood of occurrence.

WHAT RISKS COULD IMPACT THE TOWN?
Some examples of Risks that can impact the Town are:
• Uncertainty in financial markets;
• Project failures;
• Legal liabilities;
• Accidents/Incidents;
• Natural disasters;
• Data Privacy;
• Cyber Security.

WHAT IS THE PROCESS OF RISK MANAGEMENT?
Risk Management
• The process of identifying, assessing, and prioritizing risks;
• Followed by coordinated activities within the organization to direct and control those risks through:
  o Risk Treatment and Minimization;
  o Risk Monitoring; and
  o Controlling Impact.

WHAT ARE THE TWO LEVELS OF RISK MANAGEMENT?
Two levels of Risk Management:
Enterprise Risk Management
• Systematic approach to managing uncertainties resulting from the organization’s key enterprise risks. It is a holistic approach to identify, evaluate, and treat key risks to the organization’s strategic goals.
• Enterprise Risk Management is used to inform senior management and the Town Council of the top risks and emerging risks faced by the organization as a whole.
Operational Risk Management
• Systematic approach to managing uncertainties resulting from inadequate or failed internal processes, the actions of people or the failure of systems or external activities.
• Operational Risk Management is practiced at the department or project level and is led by department or project managers.
• Operational Risk Management is an input into Enterprise Risk Management.

RISK MANAGEMENT SUCCESS
• Message from the top
• Commitment from Senior Management and Town Council
• Communication and training staff
  o Vision Statement
  o Risk Management Policy
  o Risk Management Framework
  o Risk Management Training & Education

WHAT DOES A RISK MANAGEMENT POLICY INCLUDE?
A Risk Management Policy may include:
• Purpose for Risk Management
• Policy Statement
• Scope
• Responsibilities (Governance Structure & Accountability)
• Highlight requirements for:
  o Risk Management Program and Framework
  o Communication and Reporting
  o Training and Awareness
  o Compliance and Legal Considerations
  o Policy Review and Update
  o Guidance on the preferred method of Risk Financing (Insurance)
  o Development of risk related Policies and Procedures

PURPOSE STATEMENTS
Purpose
• To encourage the integration of risk management practices at all levels within the organization and to establish guidelines for the reporting of risk to Senior Management and the Town Council.
• Will promote:
  o Awareness of the business risks that are associated with the operations of the organization;
  o Awareness of the key enterprise risks that the organization faces;
  o Application of due diligence in decision‐making;
  o An appropriate level of due care in daily operations;
  o Intelligent risk taking in the pursuit of new ideas and innovation;
  o Improved resource allocation;
  o Increased organizational resilience;
  o Legal and statutory compliance as a minimum standard; and
  o Risk Mitigation and Control.

WHO DOES RISK MANAGEMENT APPLY TO?
Scope
• Risk Management applies to everyone!
  o Council
  o Executive Leadership Team
  o Managers & Supervisors
  o All Staff
• “We are all Risk Managers”

RISK MANAGEMENT FRAMEWORK

WHAT DOES A RISK MANAGEMENT FRAMEWORK INCLUDE?
Frameworks based on international standards
• ISO 31000 Enterprise Risk Management guidelines
• COSO Enterprise Risk Management, Integrating with Strategy and Performance
Framework Includes:
• Vision Statement
• Definitions
• Key Principles
• Roles and Responsibilities
• Risk Appetite Statements
• Risk Management Process

RISK MANAGEMENT FRAMEWORK – OBJECTIVES
Objectives of the Risk Management Framework
• Assist the Town in creating a structured approach to managing uncertainty while enhancing its ability to achieve its strategic goals;
• Ensure that corporate risks are considered when undertaking and implementing strategic management decisions;
• Ensure the management of operational risks is integrated into standard management and accountability processes;
• Provide a framework to identify, analyze, treat and report key enterprise and operational risks;
• Develop a formal approach where staff assume responsibility for managing risks through the proactive identification, analysis and treatment of risks.

RISK MANAGEMENT FRAMEWORK - VISION
Vision
The Town’s Risk Management Program will create a risk‐aware culture that promotes and integrates principled decision‐making by identifying, analyzing, and treating risk. Risk Management is practiced at both the enterprise and operational level and continually supports the Town’s strategic goals by exploiting opportunities while also mitigating the negative impacts of risk.
The Risk Management Framework should be a core component of the corporate governance responsibilities of the Town’s management. The Risk Management Framework will:
• be applied by all Town Departments and any controlled entities;
• identify options for improving and streamlining policies, administrative practices and internal controls and ensure the ongoing relevance, safety, viability, compliance and accountability in day‐to‐day operations.

RISK MANAGEMENT FRAMEWORK - KEY PRINCIPLES
1. Risk Management creates and protects value ‐ it contributes to the demonstrable achievement of objectives and improvement in performance across all areas of the organization.
2. The organization will recognize and disclose key risks systematically and take appropriate action to manage these risks.
3. The responsibility for overseeing risk management within the organization rests with the Chief Administrative Officer.
4. Directors and Managers are responsible for implementing and supporting policies and procedures for the effective management of risk, including the Risk Assessment.
5. Risk Management facilitates continual improvement of the organization.
6. One centralized division, likely Legal services, will advise all levels of the Town governance structure on the Risk Management Framework and the Risk Management Policy; and monitor and report on the risk management process.
7. Risk Management will be integrated with standard management practices, with accountability following established reporting lines.

RISK MANAGEMENT FRAMEWORK - ROLES AND RESPONSIBILITIES
The Risk Management Framework lays out the roles and responsibilities of the following:
• Town Council
• Chief Administrative Officer
• Directors and Managers
• Paralegal – Insurance, Risk Management & Litigation
• Risk Management Committee
• Staff

RISK APPETITE – QUANTITATIVE (EXAMPLE)
Entrepreneurial
• For risks that have an Entrepreneurial risk appetite, the Town is willing to accept risks with a risk ranking of below 20.
• If the activity is greater than 20, the risk should be mitigated to reduce the risk ranking below 20.
• If the mitigation is unable to reduce the risk ranking, the risk should be escalated to the appropriate Vice‐President for discussion.
Balanced
• For risks that have a Balanced risk appetite, the Town is willing to accept risks with a risk ranking of 11 to 16.
• If the activity is greater than 16, the risk should be mitigated to reduce the risk ranking below 16.
• If the mitigation is unable to reduce the risk ranking, the risk should be escalated to the appropriate Vice‐President for discussion.
Conservative
• For risks that have a Conservative risk appetite, the organization is willing to accept risks with a risk ranking of 10 or less.
• If the activity is greater than 10, the risk should be mitigated to reduce the risk ranking below 10.
• If the mitigation is unable to reduce the risk ranking, the risk should be escalated to the appropriate Vice‐President for discussion.

CATEGORIES OF RISK AND RISK APPETITE (EXAMPLE)
No. | Risk Category | Risk Appetite
1 | Strategic | Entrepreneurial
2 | Financial viability | Conservative
3 | Research | Entrepreneurial
4 | Culture and values | Balanced
5 | Teaching and learning | Balanced
6 | Environment and social responsibility | Balanced
7 | Operational | Conservative
8 | Legal | Conservative
9 | People | Conservative
10 | Technological | Balanced

RISK MANAGEMENT PROCESS
Risk Management process includes the following steps:
STEP 1 ‐ Scan Internal and External Environment (Goals and Context)
STEP 2 ‐ Identifying risks, using a systematic process (Risk Identification)
STEP 3 ‐ Analyze risks by applying defined risk criteria (Risk Assessment)
STEP 4 ‐ Treat Risks (Risk Response and Control Activities)
STEP 5 ‐ Monitor and Assure (Information, Communication and Monitoring)

RISK MANAGEMENT PROCESS – STEP 1
STEP 1 – Goals and Context
• Review Strategic Plan and Established Goals
• Establish Context for Risk Assessment
  o Environmental Scan
  o Strategic Plan
  o Political Climate
  o Economic Conditions
  o Cultural Factors

RISK MANAGEMENT PROCESS – STEP 2
STEP 2 – Risk Identification
• Risks must be identified before they can be managed
• To optimize Risk Management, organizations need to identify emerging risks in addition to existing risks
• TOP DOWN/BOTTOM‐UP APPROACH
• Method of Risk Identification
• Multi‐tool approach
  o Review of Loss History
  o Review of Relevant Documents
  o Team Approach – Facilitated Workshop
  o Risk Survey
“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.” – Donald Rumsfeld

RISK MANAGEMENT PROCESS – STEP 3
STEP 3 – Risk Assessment
• Analyze risks to determine the most important risks that can impede the organization’s strategic goals
• An identified consequence may be so unlikely or insignificant that it requires little or no further analysis.
• More complex consequences may require several analysis methods to determine the level of risk involved.
• The suggested method of analysis will use Risk Matrixes for the likelihood of the risk and the impact of the risk
  Risk score = likelihood score × impact score
• The higher the risk score the more significant the risk
• INHERENT RISK VS RESIDUAL RISK

RISK MANAGEMENT PROCESS – STEP 3
STEP 3 – Risk Assessment
EXAMPLE – Compliance Regulation Legal
Risk Probability / Frequency
5 | Almost Certain | Quite Probable the risk will occur | 81‐100%
4 | Likely | More Likely than not this risk will occur in the next 36 months | 61‐80%
3 | Possible | Somewhat Likely this loss will occur in the next 36 months | 41‐60%
2 | Unlikely | Low possibility this risk will occur in the next 36 months | 21‐40%
1 | No Chance or Rare | Very low possibility these risks will occur in the next 36 months | 1‐20%

RISK MANAGEMENT PROCESS – STEP 3
STEP 3 – Risk Assessment
EXAMPLE – Compliance Regulation Legal

RISK MANAGEMENT PROCESS – STEP 4
STEP 4 – Risk Response and Control Activities
Risk Management Approach – 5 categories
1. Avoidance
2. Modification
3. Transfer
4. Retention
5. Exploitation

RISK MANAGEMENT PROCESS – STEP 5
STEP 5 – Information, Communication, and Monitoring
• Report the result of regular Risk Assessments to ELT.
• Reporting frequency determined by committee
• Top 5 Risk Report will include:
  o Risk
  o Risk Factors
  o Risk Description
  o Risk Ranking Score
  o Risk Appetite status
  o Risk Treatment update

REPORTING – ENTERPRISE RISK

EXAMPLE – Compliance Regulation Legal
RISK: Blockage of Stormwater Management Ponds
Risk Appetite - Conservative
Risk Factors
• Flooding: overflow flooding in urban areas can damage homes, businesses and infrastructure creating liability/claim risks for the Town.
• Roadways: Flooding of roads can cause disruption to transportation and emergency services.
• Ecosystem disruption: altered water flow can affect local ecosystems harming plants and animals.
• Mosquito Breeding Grounds: Stagnant water in a blocked pond can become a breeding ground for mosquitos, increasing the risk of vector-borne diseases.
• Insufficient resources: Additional funding is needed to provide necessary maintenance.
• Non-Compliance: Failure to maintain can result in non-compliance with environmental legislation, leading to fines and legal action.
Risk Treatment Comments
• Stormwater Management Ponds will have a documented inspection once every year to ensure regulatory compliance.
• A study will be performed in 2025, confirming the capacity of ponds will meet the Town’s projected need for 20 years.
• Annual budget allocation approved by Council to fund planned maintenance.
• The Town has purchased liability insurance with limits of $20 million to cover damages for successful claims.
• The Town has a contracted emergency maintenance contract to ensure any blockages can be resolved timely.

REPORTING – OPERATIONAL REPORTING
9.0 OVERALL RISK MANAGEMENT ANALYSIS
Category | VERY HIGH | HIGH | MEDIUM | LOW | VERY LOW
STRATEGIC | ☐ | ☐ | ☐ | ☒ | ☐
LEGAL | ☐ | ☐ | ☐ | ☒ | ☐
OPERATIONAL | ☐ | ☐ | ☒ | ☐ | ☐
TECHNOLOGICAL | ☐ | ☐ | ☒ | ☐ | ☐
FINANCIAL | ☐ | ☐ | ☐ | ☒ | ☐
REPUTATIONAL | ☐ | ☐ | ☒ | ☐ | ☐
• Analysis and Strategic Alignment
• Financial Implications
• Risk, Legal, and Compliance
• Reputational Implications and Communication Strategy
• Operational Implications
• Technology Implications
Which Key Risk(s) need to be treated

QUESTIONS

NEXT STEPS
1. Draft Risk Management Policy & Appetite Statement
2. Present to Council for Approval
3. Draft Risk Management Framework
4. Implementation of the Risk Management Policy & Framework & Staff Training
5. Risk Identification and Assessment Workshops (Staff and Council)
6. Report to Council on Top 5 Risks
7. Development of Risk Related Policies and Procedures (subject to Council’s release of funding)