the state of enterprise risk management in canada
DESCRIPTION
CFERF 2016: The state of enterprise risk management in CanadaTRANSCRIPT
![Page 1: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/1.jpg)
The State of Enterprise Risk Managementin Canada
![Page 2: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/2.jpg)
![Page 3: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/3.jpg)
The State of Enterprise Risk Management in Canada
![Page 4: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/4.jpg)
DISCLAIMERThis paper was prepared by the Chartered Professional Accountants of Canada (CPA Canada) and the Canadian Financial Executives Research Foundation (CFERF), the research arm of FEI Canada, as non-authoritative guidance.
CPA Canada and CFERF do not accept any responsibility or liability that might occur directly or indirectly as a consequence of the use, application or reliance on this material.
The State of Enterprise Risk Management in Canada
Issued in print and electronic formats.
ISBN 978-1-55385-981-9 (print). ISBN 978-1-55385-982-6 (pdf).
Joint Copyright © 2016 Chartered Professional Accountants of Canada and Canadian Financial Executives Research Foundation (CFERF)
All rights reserved. This publication is protected by copyright and written permission is required to reproduce, store in a retrieval system or transmit in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise).
For information regarding permission, please contact [email protected]
![Page 5: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/5.jpg)
iii
Table of Contents
Executive Summary 1
Research Methodology 3
Survey Demographics 4
The View of Risk Management in Canada Today 5
Level of Confidence in an Organization’s Ability to Effectively Manage Risk 6
To What Extent Is the Organization’s Strategy Aligned to Its Risk Appetite? 8
Do Corporate Directors Understand an Organization’s Opportunities and Risks? 9
Does the Senior Management Team Understand the Organization’s Opportunities and Risks? 11
Do Employees Understand the Organization’s Opportunities and Risks? 13
How Does the Organization Review New Activities and Initiatives During the Planning Stage to Identify and Address Risks? 17
Significance of Different Types of Risk on Organizations Today 19
The Significance of Risks Facing Organizations During the Next 12 Months 25
Strategic Risks 25
Operational Risks 26
![Page 6: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/6.jpg)
iv The State of Enterprise Risk Management in Canada
Financial Risks 27
External Risks 28
Unidentified Risks 29
Risk Management Program 30
Which Risk Management Framework Has Your Organization Adopted? 32
Who Is and Who Should Be Primarily Responsible for Risk Management? 33
Conclusion 35
Appendix A — Demographics 37
Appendix B — Forum Participants 41
![Page 7: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/7.jpg)
1
Executive Summary
Modern financial and operational threats range from international economic contagion in a connected global economy to the real and growing threat of cyber sabotage and natural disasters. Add to that the pressures caused by uncertainty around commodity prices, interest rates, foreign exchange rates and the very real possibility of internal business failures or shortcomings, and there are plenty of real and potential risks that organizations must identify and plan for. Yet risk, when managed correctly, can be a driver of new possibilities, growth, expansion and innovation.
In general, large organizations have robust programs in place to manage risk and use those programs as part of their overall business strategy. However, almost 20% of participants in a recent survey about the state of risk man-agement in Canada conducted for this study by the Chartered Professional Accountants of Canada (CPA Canada) and the Canadian Financial Executives Research Foundation (CFERF) report their organizations currently have no documented risk management program.
The results of the survey suggest that many executives are actively dealing with rising uncertainty and risk. With more than 320 respondents answering the survey, the majority (66%) described themselves as only “somewhat confi-dent” in their organization’s ability to manage risk. A minority (20%) described themselves as extremely confident. Overall, respondents generally believe that their boards understand the risks — both positive and negative — facing their organizations, have even more confidence in their senior management’s awareness of risk but notably less confidence in the front line employees’ understanding of risks facing the company.
The 2008 financial crisis and the great recession that followed reinforced the need for risk management while highlighting the threat of unprecedented and unexpected occurrences. High profile cases of cyberattacks on corpora-tions have raised awareness even further. Organizations are paying attention,
![Page 8: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/8.jpg)
2 The State of Enterprise Risk Management in Canada
according to results of the survey: 93% of organizations review new activities or initiatives during the planning stage to address risks, either through a for-mal, informal or ad hoc process.
What risks are Canadian organizations most wary of? Getting the strategy wrong, it turns out. Beyond general economic and industry conditions, organi-zations worry about leadership, enterprise reputation and enterprise strategy, identifying these risks and others as major impacts or business continuity risks to the organization.
Survey participants held a variety of opinions on who is and who should be responsible for identifying and mitigating business risks. Answers ranged from senior management to the board of directors to the CEO or the CFO. Some respondents said more corporate directors should have the ultimate oversight for risk than they currently do and some respondents said they thought CFOs should bear less of the burden of responsibility.
Nearly two-thirds (61%) do not have a chief risk officer or equivalent, while 38% have at least one individual charged with risk management in either a full or part-time role.
Risks are real and given the speed of change in today’s economy, the ability to identify and address risks in a timely fashion is critical to an organization’s success.
![Page 9: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/9.jpg)
3
Research Methodology
The state of risk management in Canada was prepared by CFERF, the research arm of FEI Canada, in partnership with CPA Canada, the national organization established to support a unified Canadian accounting profession.
The research objective of this study was to examine the existing state of risk management in Canada. In addition, the purpose was to understand how risk functions are structured in organizations, to look at what organizations have identified as key risks in the past, as well as a review of the significance certain risks pose to organizations in the next 12 months.
The report encompasses the opinions and experiences of more than 320 financial executives, who may or may not have risk management responsibility. Partici-pants completed an online survey in April 2015. Insights were gathered at an executive research roundtable, connected by videoconference and teleconfer-ence, held on April 23, 2015 with 15 senior financial executives in Vancouver, Winnipeg, Toronto and Montreal. A productive dialogue was achieved through this roundtable, with representatives from financial services, telecommunica- tions and IT, food manufacturing and food services, manufacturing, consulting, construction, recreational facilities, services and government all sharing their real-life experiences and expertise on the current state of enterprise risk management in Canada. The study encapsulates the responses from a broad cross-section of experienced financial executives from both public and private companies, and experts and consultants managing risk from domestic to multi-national organizations of varying sizes.
![Page 10: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/10.jpg)
4 The State of Enterprise Risk Management in Canada
Survey DemographicsThe main respondents to the online survey of this research study were CFOs (30%), controllers (23%), and vice-presidents of finance (12%). Just over half (56% of total) of the respondents were from privately held companies and 26% were from publicly traded companies. The balance of the respondents were from the not for profit sector (10%), Crown corporations (4%), government (2%) and other (2%).
The main industries represented were:• manufacturing (21%)• finance and insurance (18%)• mining, quarrying and oil and gas (9%)• professional, scientific and technical services (8%)• construction (7%)• wholesale trade (7%)
For the purposes of this report, organizations were grouped into three broad revenue groups:• 55% were small, with revenues less than $100M • 26% were mid-sized ($100M — under $1B)• 19% were large, (revenues of $1B or higher)
Results were also reviewed by number of employees and grouped according to Statistics Canada’s definition of small, medium and large organizations. • 36% were small (100 employees or less)• 29% were mid-sized (101-500 employees)• 35% were large (over 500 employees)
For more demographic information, please see Appendix A.
![Page 11: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/11.jpg)
5
The View of Risk Management in Canada Today
Risk and uncertainty are constant elements of the business environment. Risk is “the combination of the probability of an event and its consequence. Consequences can range from positive to negative.” (The Institute of Risk Management)1 The study’s respondents believed that their organization has the ability to manage risk, with 66% stating they are “somewhat confident” and an additional 20% “extremely confident” in the processes to deal with both positive and negative consequences. Confidence in risk management processes was higher among not-for-profit, government and Crown cor-porations than privately held companies. Organizations with more than 500 employees were most confident, with 90% somewhat to extremely confident.
1 Retrieved from www.theirm.org/media/886059/ARMS_2002_IRM.pdf, July 8, 2015.
![Page 12: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/12.jpg)
6 The State of Enterprise Risk Management in Canada
Level of Confidence in an Organization’s Ability to Effectively Manage Risk
Level of Confidence in an Organization's Abilityto E�ectively Manage Risk
Neutral, 8%Extremely confident, 20%
Somewhat confident, 66%
Not very confident, 6%
12%
3% 1%
59%
26%
Private
7%
71%
14%
8%
100 employeesor less
10%
74%
12%
4%
101-500employees
4%
61%
23%
12%
over 500employees
63%
27%
9%
Crown corp,Gov’t, Other
8%
54%
38%
NGO
6%
68%
26%
Public0%
20%
40%
60%
80%
100%
Extremely confident Somewhat confident Neutral Not very confident
BY CORPORATE ENTITY BY NUMBER OF EMPLOYEES
![Page 13: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/13.jpg)
7The View of Risk Management in Canada Today
The concept of aligning risk strategy with an organization’s tolerance for risk is well understood among organizations, particularly larger ones. Overall, 72% of survey participants declared that their company’s strategy is either mostly or fully aligned with its risk appetite. That perceived degree of alignment between overall strategy and risk tolerance was highest among organizations with more than 500 employees (with 81% mostly or fully aligned) while small organiza- tions with under $100 million in annual revenue were seen as least aligned at 69%. The relationship between confidence and size also held true with 78% of organizations with revenue of $1 billion or more being mostly or somewhat aligned. Just 4% of all participants said their organization’s strategy was “not very aligned” with its risk appetite. Interestingly, there was virtually no variability in results given an organization’s corporate structure.
![Page 14: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/14.jpg)
8 The State of Enterprise Risk Management in Canada
To What Extent Is the Organization’s Strategy Aligned to Its Risk Appetite?
To What Extent Is the Organization's Strategy Aligned to Its Risk Appetite
Fully aligned Mostly aligned Somewhat aligned Not very aligned Not aligned at all
0%
20%
40%
60%
80%
100%
under$100M
26%
5%
56%
13%
$100M to lessthan $1B
20%
6%
60%
14%
$1B orabove
21%
1%
52%
26%
100 employeesor less
29%
52%
3%
16%
101-500employees
25%
8%
58%
9%
over 500employees
60%
21%
16%
3%
BY ANNUAL REVENUE BY NUMBER OF EMPLOYEES
Somewhataligned, 24%
Fullyaligned, 16%
Mostlyaligned, 56%
Not very aligned, 4%
![Page 15: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/15.jpg)
9The View of Risk Management in Canada Today
“We keep reminding ourselves that it is about the opportunities and the threats, but as accountants, our inclination is to think about the threats first. That’s the benefit of ensuring we bring more operational, sales and marketing people into the room, to remind ourselves it goes both ways.”
Bev Davies, VP, Enterprise Risk Management, Investors Group Inc.
Do Corporate Directors Understand an Organization’s Opportunities and Risks? In most organizations, the board of directors represents the final decision making authority and the highest level of responsibility. According to the CPA Canada report A framework for board oversight of enterprise risk,2 “boards of directors are not expected to unilaterally identify, analyze, mitigate and monitor enterprise risk. Rather, boards must oversee the risk management systems and processes and continuously review the associated outcomes and planning.”
Knowledge of risks among corporate directors, however, is not necessarily viewed as comprehensive. Overall, 72% of survey respondents felt that boards of directors mostly or fully understood the risks and opportunities associated with the organization. That level of comfort falls dramatically amongst small organizations (under $100M), with 10% reporting their board having little or no understanding of threats and opportunities, roughly double the percenage among other revenue groups. When viewed by employee count, mid-sized organizations (101-500 employees) rated their boards lower at 66% mostly or fully understanding risks than small (72%) and large organizations (78%).
2 Caldwell, John. A Framework for Board Oversight of Enterprise Risk, Retrieved from www.cpacanada.ca/business-and-accounting-resources/strategy-risk-and-goverance/enterprise-risk-management/publications/board-oversight-a-new-framework-for-identifying-understanding-and-addressing-risk, July 8, 2015.
![Page 16: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/16.jpg)
10 The State of Enterprise Risk Management in Canada
0%
20%
40%
60%
80%
100%
By Corporate Entity
Do Corporate Directors Understandan Organization’s Opportunities and Risks?
0%
20%
40%
60%
80%
100%
Fully understands Somewhat understandsMostly understandsDoes not understand at allUnderstands a little
BY REVENUE SIZE BY NUMBER OF EMPLOYEES
under$100M
21%
8%
2%
46%
23%
$100M to lessthan $1B
20%
4%
52%
24%
$1B orabove
19%
6%
40%
35%
100 employeesor less
21%
6%1%
43%
29%
101-500employees
22%
11%
1%
52%
14%
over 500employees
46%
32%
20%
2%
Public
6%
20%
39%
35%
Private
21%
48%
25%
5%1%
24%
50%
18%
8%
TOTAL
47%
25%
21%
6%1%
Crown corp,Gov’t, Other
16%
13%
63%
8%
Non-Government/Not for profit
![Page 17: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/17.jpg)
11The View of Risk Management in Canada Today
“Oversight is 100% the board’s responsibility. At CDIC, we have a board policy on Enter-prise Risk Management that sets this out. For me, the role of the CEO and the Executive Management team is the management of the risk.”
Dean Cosman — VP Finance and Administration and CFO, Canada Deposit Insurance Corp.
Does the Senior Management Team Understand the Organization’s Opportunities and Risks? The senior management team perceives themselves to have a somewhat stron-ger grasp of the risks facing organizations than boards of directors. Overall, participants stated that 80% of the responding organizations’ senior manage-ment teams mostly (49%) or fully (31%) understood the risks associated with the business. Confidence in senior management was somewhat lower in small-revenue based organizations, i.e. those with less than $100M (79%). The type of corporate structure (private, public, government/NGO indicated some varia-tion — for instance, 28% of survey respondents from private companies and 25% from government and Crown corporations said their senior management team “fully understands” the risks to the organization, compared to 41% of NGOs.
0%
20%
10%
40%
30%
60%
50%
80%
70%
90%
100%
Board ofDirectors
SeniorManagement Team
Employees
6%
1%
21%
47%
25%
2%
18%
49%
31%
2%
23%
44%
31%
Fully understands Somewhat understandsMostly understandsDoes not understand at allUnderstands a little
72% feltthat Boardof Directors
eithermostlyor fully
understoodrisk
80% feltthat Sr.
Mgmt Teameithermostlyor fully
understoodrisk
Only 31% feltthat
Employeeseithermostlyor fully
understoodrisk
Extent of Understanding Risks That Are Relevantto the Organization
![Page 18: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/18.jpg)
12 The State of Enterprise Risk Management in Canada
0%
20%
40%
60%
80%
100%
Does the Senior Management Team Understandthe Organization’s Opportunities and Risks?
By Corporate Entity
0%
20%
40%
60%
80%
100%
BY REVENUE SIZE BY NUMBER OF EMPLOYEES
Fully understands Somewhat understandsMostly understandsDoes not understand at allUnderstands a little
under$100M
18%
3%
51%
28%
$100M to lessthan $1B
18%
1%
51%
30%
$1B orabove
18%
42%
40%
100 employeesor less
17%
1%
52%
30%
101-500employees
24%
2%
49%
25%
over 500employees
47%
37%
15%
1%
Public
14%
2%
49%
35%
Private
19%
2%
51%
28%
Crown corp,Gov’t, Other
25%
50%
25%
NGO
21%
38%
41%
TOTAL
49%
31%
18%
2%
![Page 19: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/19.jpg)
13The View of Risk Management in Canada Today
Do Employees Understand the Organization’s Opportunities and Risks?While it can be said that confidence in both senior management and directors’ recognition and understanding of risk are at similar levels among survey par-ticipants, the same level of assurance does not hold among other employees in organizations. Only 31% believe that employees mostly or fully understand the opportunities and threats relevant to their organization, a sizeable gap compared to management and directors. This may reflect a communications gap from the top of the organization to other levels. In this regard, whether measured by employee count or revenue, the largest organizations scored highest (39% or 45% respectively) while the ones “stuck in the middle” scored lowest (22 or 24%).
Risk appears to be better understood by employees at either small organiza-tions or large organizations. Anecdotally, at small organizations “everyone knows and understands” what’s in play through informal discussions, while in large organizations formal communication plans exist to disseminate the information to staff. It’s the employees of mid-size organizations who have the least knowledge of the risks facing their organization, perhaps because these organizations appear to not be large enough to have the formal procedures in place yet are too large for an informal network of communication.
“We’re a very complex organization. We have several business units across several geo-graphic areas, almost 300 organizations and partnerships, and a few hundred employees. Most of our employees don’t really think in terms of risk management.”
Jeff Shickele — VP, Accounting, Amacon
![Page 20: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/20.jpg)
14 The State of Enterprise Risk Management in Canada
Do Employees Understand the Organization'sOpportunities and Risks?
Text
0%
20%
40%
60%
80%
100%
By Corporate Entity
0%
20%
40%
60%
80%
100%
25%
4%
43%
28%
23%
2%
51%
24%
18%
37%
45%
22%
4%
45%
29%
33%
3%
42%
22%
44%
39%
16%
1%
under$100M
$100M to lessthan $1B
$1B orabove
100 employeesor less
101-500employees
over 500employees
BY REVENUE SIZE BY NUMBER OF EMPLOYEES
Fully understands Somewhat understandsMostly understandsDoes not understand at allUnderstands a little
Public
16%
1%
48%
35%
Private
28%
4%
42%
26%
Crown corp,Gov’t, Other
17%
4%
50%
29%
NGO
18%
38%
44%
TOTAL
44%
31%
23%
2%
![Page 21: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/21.jpg)
15The View of Risk Management in Canada Today
It’s not surprising that boards of large organizations have a fairly strong under-standing of the risks facing the organization. Over the past 10 years, increased regulatory, media, and investor pressure has forced boards to become more knowledgeable and active in risk management, and this trend has permeated through all sectors of the economy. Conversely, smaller organizations are often owner-managed with risk management being an informal activity based on the owners’ gut feel, rather than a formal board-level activity. The call to action dif-fers by size of organization; larger organizations must ensure that their boards are fully conversant with risk exposure and mitigation plans so that they can be formally approved, whereas smaller organizations should consider devoting greater attention to risk management activities.
The large divergence in risk understanding that we see at the employee level is also — unfortunately — not surprising. What makes risk management a greater concern is that employees might inadvertently accept risks that the organiza-tion wishes to avoid (or vice versa of course). For example, an organization might have a strategy that calls for effectively 100% on time order fulfillment; this strategy might mean that some potential orders are turned down as there might not be sufficient capacity to deliver on them. This strategy must encour-age all levels of the organization to ensure that employees do not, for example, “chase volume or revenue” that might generate undesirable risk, and that incen- tives align with the strategy. It is imperative therefore that all employees under- stand the risk appetite of the organization, both in qualitative and quantitative terms, but more importantly that the organization act on its words as it defines its risk strategy.
![Page 22: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/22.jpg)
16 The State of Enterprise Risk Management in Canada
CASE STUDY: RISK ASSESSMENT AT TELUS“At TELUS, about a decade ago, we implemented our own in-house developed risk assess-ment survey tool, and once a year, about 1,500 team members complete this e-survey. So the reported view of risk was statistically valid.
For senior executives, the top ten risks were typically strategic risks. When you went down to the front line, top-rated risks were typically more operational in nature such as customer service related risks, or process related concerns. In other words, the things which were inhibiting their ability to do their jobs well. It is a great tool. The survey findings were transparent to the board including a compare and contrast of risk rankings by level in the organization.
One would see process breakdowns and customer service right at the top of front line concerns and yet, we’re supposed to be putting customers first as an overall corporate objective. I think it was a tool that actually allowed the organization to say, “We have to do a lot more than provide lip service to our stated priority,” and the entire organization has to put customers first and improve customer service. By the way, that is exactly what happened as TELUS made remarkable progress on this priority since 2008.
So, TELUS’ risk management tool helped shed light on whether what VPs and SVPs were reporting was actually what our frontline experienced. Our frontline responses were more correlated with the stats from our customers’ perceptions and so it was a great catalyst to doing something good in the organization to improve customer service, but the point being: Be very, very careful when compiling risk rankings.
You have to ask the question: Who is saying these are the major risks and what is their natural bias/perspective? Unless you have a cross-section throughout the organizational hierarchy of a large organization, as opposed to merely a survey of senior management, then you’re not going to really have a good understanding of the true risks the organiza-tion faces.”
Robert McFarlane — Corporate Director and former EVP and CFO, TELUS
![Page 23: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/23.jpg)
17The View of Risk Management in Canada Today
How Does the Organization Review New Activities and Initiatives During the Planning Stage to Identify and Address Risks?Larger and public organizations are more likely to have formal processes and structures in place to identify and manage risk. Overall, 69% reported a formal or informal process is in place to identify and address risk: that percentage rises to 87% for organizations with $1 billion or more in revenue and 78% for those with more than 500 employees. Private companies are more likely to have informal processes (46%), while public companies are more likely to have a formal process (46%). Private companies are most likely to have no process at all.
“We have a documented risk management framework. I’d add though that we’re actively streamlining and trying to reduce the amount of documentation and administration. For example, we have a large number of risk policies and we’re trying to rationalize those; focusing more on the cultural aspect of risk management and on risk appetite. Why are we taking the risk? How does taking the risk contribute to our objectives and at what level? What do we need to do to manage within the risk appetite?”
Kerry Reinke — VP, Enterprise Risk Management, Group Risk Management, Manulife Financial
“We’re a $100 billion business, but I can’t allow the framework that would apply to a $100 billion dollar business stifle a $7 million, or even a $700,000 opportunity. That’s why you still leverage the fundamentals that you have of your overall risk management, but it can’t overburden your ability to pursue opportunities.”
Xerxes Cooper — CFO, IBM Canada
“At TELUS, we established our own definition of risk, in relation to an ethical organization. Ethics were used as a fundamental building block. You can have a great process but, unless you have a good understanding and some process to assess what the perception of the ethical culture and compliance is throughout the entire organization, then you may have a house of cards. If you have what looks like a robust risk management system that is in fact based upon an unethical culture, you can be exposed to a major failure.”
Robert McFarlane — Corporate Director and former EVP and CFO, TELUS
![Page 24: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/24.jpg)
18 The State of Enterprise Risk Management in Canada
0% 20% 40% 60% 80% 100%
87%By Revenue Size
55% 32% 13%
39% 28% 23% 10%
15% 50% 29% 6%under $100M
$100M toless than $1B
$1B or above
0% 20% 40% 60% 80% 100%
78%
47% 31% 17%
21% 45%
17% 47%
26%
30%
5%
8%
6%100 employees
or less
101-500employees
over 500employees
By Number of Employees
Organization has a formal processto identify and address risks
Organization has an ad hoc process to identify and address risks
Organization has an informal processto identify and address risks
Don’t know
Organization has no process to identify and address risks
0% 20% 40% 60% 80% 100%
28%
69%
41% 24% 6% 1%
35% 38% 27%
46% 33% 17% 4%
17% 46% 28% 8% 1%
46% 30% 19% 5%
By Corporate Entity
How Does the Organization ReviewNew Activities and Initiatives During the Planning
Stage to Identify and Address Risks?
Public
Private
Crown corp,Gov’t, Other
NGO
TOTAL
![Page 25: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/25.jpg)
19The View of Risk Management in Canada Today
Significance of Different Types of Risk on Organizations Today
Significance of Di�erent Types of Risk on Organizations Today
0%
20%
40%
60%
80%
100%
Strategy Risks
6%
2%
55%
27%
8% 2% 1%
Financial Risks
36%
3%
6%
External Risks
3%
1%
35%
23%
33%
5%
Operational Risks
7%
47%
35%
10%
40%
15%
Business
Continuity
Concern or
Major
Impact
61%
Business
Continuity
Concern or
Major
Impact
54%
Business
Continuity
Concern or
Major
Impact
46%
Business
Continuity
Concern or
Major
Impact
36%
Has a major impact
Business continuity is called into question
Don’t know
Has no or very minor impact
Has a minor impact
Has a moderate impact
Among the four categories of risks, strategic risk was viewed to have the high-est overall impact (55% reporting a major impact and another 6% believing business continuity is called into question).
Strategic risks are risks (opportunities and threats) that affect or are created by business strategy decisions. Included in this category are brand perception and value, changing customer needs, general economic and industry conditions, leadership, local, regional and national political environment.
![Page 26: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/26.jpg)
20 The State of Enterprise Risk Management in Canada
0%
20%
40%
60%
80%
100%
Public
56%
28%
5% 1%
Private
7%1%
51%
30%
6%4%
24%
18%
53%
TOTAL
27%
55%
Crown corp,Gov’t, Other
8% 3% 8%
NGO
4%
4%
5%6%
2%
2%
79%
13%
By Corporate Entity
Has a major impact
Business continuity is called into question
Don’t know
Has no or very minor impact
Has a minor impact
Has a moderate impact
Significance of Strategic Risks on Organizations Today
Strategic risk had large variability between private and government/crown corporations (with 51% and 79%, respectively, stating it has a major impact).
Overall, 54% of respondents said that operational risks posed a major impact or were a threat to business continuity. Operational risks tend to grow with company size: 46% of small organizations (less than $100 million in revenue) saw it as having a major impact or a continuity threat whereas 60% of orga-nizations with $100 million to less than $1 billion in revenue and 65% of organizations with $1 billion or above in revenue felt the same. Among organization types, Crown corporations and government felt that opera- tional risks posed the greatest threat (67%) while NGOs had the lowest (41%).
Operational risks are inherent, and reflect a company’s procedures, people and systems. Specific risk examples include business processes, surplus/shortage of capacity, change integration, channel effectiveness, customer satisfaction, operational efficiency, health and safety, product/ service performance, service delivery, supplier failure (quality, quantity or timeliness), and operational technology failure.
![Page 27: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/27.jpg)
21The View of Risk Management in Canada Today
0%
20%
40%
60%
80%
100%
Public
52%
33%
7%
Private
6%1%
1%
44%
35%
7%
47%
12%
38%
TOTAL
35%
47%
Crown corp,Gov’t, Other
13% 10%
NGO
8%3% 7%
59%
33%
1% 1%
54%
By Corporate Entity
Significance of Operational Risks on Organizations Today
0%
20%
40%
60%
80%
100%
40%
39%
13%
5%
55%
33%
6%1% 1%
1% 1%1% 1%1%
38%
5%
52%
30%
56%
7%
10%
55%
29%
5%
8%
34%
39%
17%7%
4% 6%
Has a major impact
Business continuity is called into question
Don’t know
Has no or very minor impact
Has a minor impact
Has a moderate impact
BY ANNUAL REVENUE BY NUMBER OF EMPLOYEES
under$100M
$100M to lessthan $1B
$1B orabove
100 employeesor less
101-500employees
over 500employees
![Page 28: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/28.jpg)
22 The State of Enterprise Risk Management in Canada
“[Food safety] is only one of my risks. … The second thing is the POS (point of sale) system, when the POS systems go down (technology), you can’t run a restaurant. You cannot col-lect cash without a POS system.”
Ross Corcoran — CFO, Bantam Restaurant Group
Overall, 46% of respondents said that financial risks today constituted either a major impact on their organization or actually posed a threat to its business continuity. This assessment was highest for publicly traded companies (58%) and lowest for Crown corporations/government (29%).
Financial risks include the following: regulatory/compliance requirements, commodity prices and input costs, credit rating and access to capital, foreign exchange, interest rates, liquidity and cash flow, regulatory, legal and compliance, tax policies and laws.
![Page 29: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/29.jpg)
23The View of Risk Management in Canada Today
2%2%
0%
20%
40%
60%
80%
100%
Public
47%
32%
8%
Private
3%1%
39%
36%
11%
35%
15%
35%
TOTAL
36%
40%
Crown corp,Gov’t, Other
19% 15%
NGO
4%
4% 3% 3%
12% 6%
25%
54%
13%
2% 2% 3% 3% 3%1%
0%
20%
40%
60%
80%
100%
40%
34%
16%
3%
37%
40%
7%
1%
37%
15%
41%
41%
41%
18%
8%
44%
39%
8%
8%
1%
38%
31%
19%11%
4% 4%
under$100M
$100M to lessthan $1B
$1B orabove
100 employeesor less
101-500employees
over 500employees
BY ANNUAL REVENUE BY NUMBER OF EMPLOYEES
Has a major impact
Business continuity is called into question
Don’t know
Has no or very minor impact
Has a minor impact
Has a moderate impact
By Corporate Entity
Significance of Financial Risks on Organizations Today
![Page 30: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/30.jpg)
24 The State of Enterprise Risk Management in Canada
2% 2%
0%
20%
40%
60%
80%
100%
Public
37%
32%
21%
Private
4%
3% 5%
2%
33%
34%
6%2%
55%
24%
15%
TOTAL
35%
33%
Crown corp,Gov’t, Other
24% 23%
NGO
4% 3%1%
54%
29%
17%
Has a major impact
Business continuity is called into question
Don’t know
Has no or very minor impact
Has a minor impact
Has a moderate impact
By Corporate Entity
Significance of External Risks on Organizations Today
Overall, the expectation of a major impact or threat to business continuity from external risks is 43% for public companies, with Crown corporations and government organizations most affected at (54%). Those reported to be least affected by external risks are NGOs, with only 19% expecting a major impact or threat to business continuity.
“As a financial services company, we obviously have a lot of confidential information and so cyber security is one of our top evolving risks. We’re spending a lot of time on initiatives to manage that risk. It’s a lot about what you don’t know that can hurt you because you might find a solution to protect against the latest cyber breach methodology, but then something else could come up that you’re not protected against. As an organization, we devote a fair amount of time talking to our board about information security risk and the programs that are in place.”
Bev Davies, VP, Enterprise Risk Management, Investors Group Inc.
External risks are associated with factors outside of the organization and these occurrences are largely outside of an organization’s control, but the impact can be greatly influenced. Included in this category would be the changing natural environment, natural disasters, attacks on personnel, ter-rorism, sabotage and cyber security risk.
![Page 31: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/31.jpg)
25
The Significance of Risks Facing Organizations During the Next 12 Months
Strategic Risks
0% 20% 40% 60% 80% 100%
Has a major impact
Business continuity is called into question
Don’t know
Has no or very minor impact
Has a minor impact
Has a moderate impact
Local, regional, nationalpolitical environment
Leadership 2%
6% 28% 36% 27%
52%
12%
23%
23%
30%
52%
44%
39%
35%
34%
1%
2%
4% 1%
1%
1%
1%
1%
4%
4%
3%
3%
3%
5%
8%
7%
2% 8%
14%
15%
18%
21%
22%
11%
10% 31%
39%
33%
33%
33%
36%
36%
36%2%
2%
2%
2%
2%
Intellectual property
Global market andgeo-political conditions
General economicand industry conditions
Enterprise strategy
Enterprise reputation
Changingcustomer needs
Brand perceptionand value
![Page 32: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/32.jpg)
26 The State of Enterprise Risk Management in Canada
Among the strategic risks, other risks that pose a major impact and threat to business continuity were general economic and industry conditions (56%), leadership (56%) and enterprise strategy (47%). The lowest threats were seen to be the local, regional and national political environment (28%) and intellec- tual property (14%).
Operational Risks
0% 20% 40% 60% 80% 100%
Has a major impact
Business continuity is called into question
Don’t know
Has no or very minor impact
Has a minor impact
Has a moderate impact
Information technologyfailure
Supplier failure (quality,quantity or timeliness) 11%
4% 19% 29% 39%
30%
46%
43%
29%
33%
30%
21%
20%
31%
35%
9%
5%
2%
1%5%
1%
3%1%
1%
8%
5%
2%
5% 24%
37%
28%
22%
19%
5%
6%
24% 30%
18%
16%
39%
43%
38%
38%
26%15%
2%
2%
Service delivery
Product/serviceperformance
Human resources
Health and safety
Channel e�ectiveness
Capacity: Surplus, shortageor misalignment
Business processes
Among operational risks, other risks that pose major impact and threat to busi- ness continuity were information technology failure (48%), service delivery (48%) and product/service performance (45%); health & safety was viewed as the lowest of these risks (22%).
“Our top three risks are operational. One of these risks is one that would be certainly unique to us. As the federal deposit insurer in Canada, we need to be prepared if and when a member institution experiences difficulty. Another of our key risks is cyber. We are a small organization, but we have a heavy reliance on technology to fulfill our mandate. Again, being a small organization, another key risk is on the HR side. We have been challenged to attract the necessary expertise in certain areas and we also have made succession planning a priority to ensure we are well positioned for the future.”
Dean Cosman — VP Finance and Administration and CFO, Canada Deposit Insurance Corp.
![Page 33: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/33.jpg)
27The Significance of Risks Facing Organizations During the Next 12 Months
“In the food business, our number one risk is food safety. That has unconditional priority in terms of active risk management from the C-suite all the way down to shop floor level and the responsibility of every employee.”
Brian Fiedler — CFO, Give and Go Prepared Foods Corp.
“Being an aircraft operator, we are very much regulated under Transport Canada. We need to make sure our planes are well-maintained and that everything is up to par.”
Marc Malouin — CFO, DAC Aviation International
Financial Risks
0% 20% 40% 60% 80% 100%
Has a major impact
Business continuity is called into question
Don’t know
Has no or very minor impact
Has a minor impact
Has a moderate impact
Tax policies and laws
Asset value impairment 26%
19% 36% 33%
10%
27%
37%
31%
23%
17%
25%
23%
32%
12%
1%
1%
1%
1%
3%
3%
1%
22%
21%
14%
35%
24%
25%
26%
8%
7%
39% 23%
30%
26%
24%
28%
28%
32%15%
3%1%
7%
Regulatory, legaland compliance
Liquidity and cash flow
Interest rates
Foreign exchange
Credit ratingand access to capital
Commodityand input costs
Survey participants took a fairly benign view to financial risks. Of those viewed to pose the greatest risk to their organization (major impact and threat to bus- iness continuity), liquidity and cash flow topped the list at 44%, followed by commodity and input costs at 35%. Just 11% saw asset value impairment as a significant risk while 12% viewed tax policies and laws as potentially having a major impact or continuity risk.
![Page 34: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/34.jpg)
28 The State of Enterprise Risk Management in Canada
Of course, these results may be heavily influenced by the profile of the survey respondents. A survey of organizations with major operations in politically less stable environments, perhaps subject to capital controls, expropriation/ nationalization, uncertain legal or regulatory structures, etc., may result in very different perspectives.
External Risks Defined as risks associated with factors largely beyond the organization’s control, the most significant external risk is viewed to be cyber security, with 28% of respondents considering it to constitute a major impact or threat to business continuity.
0% 20% 40% 60% 80% 100%
25% 36% 22% 14%
2%
1%
2%
1%
11%
3%
21% 38% 25%
24%12% 30% 30% 4%
1%
23% 37% 26% 12%
Has a major impact
Business continuity is called into question
Don’t know
Has no or very minor impact
Has a minor impact
Has a moderate impact
Changing naturalenvironment
Cyber security
Natural disasters
Attacks on personnel,terrorism, sabotage, etc.(physical or electronic)
“We’ve all heard about managing business on the cloud. A large portion of our business going forward is to take more more responsibility for our end-users, our clients and their data. And with that also comes their business responsibility, the reputational risk and so on.”
Xerxes Cooper — CFO, IBM Canada
![Page 35: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/35.jpg)
29The Significance of Risks Facing Organizations During the Next 12 Months
Unidentified RisksParticipants were asked to identify major risks to their business not described in the survey. Notable responses included inclement weather, technology and worrisome employee demographics:• “Since we are a housing construction company, longer winters will hurt our
industry since outside work cannot be accomplished unless a higher cost is attached to it and it will also lengthen the construction period which will diminish the anticipated surplus.”
• “Inability to move faster on all IT related investment. Major changes in competitor channel delivery and use of internet can fundamentally change our business.”
• “Baby boomers departing all at once, impacting skill sets currently in place within the organization and succession planning.”
“If a so-called ‘black swan’ or an event you have little control over occurs, chances are the first time it happens you’ll be forgiven. However, an inappropriate response won’t be. It almost doesn’t matter what the crisis is, focus on a response that mitigates the impact to your customer and other stakeholders and then the company.”
Kerry Reinke — VP, Enterprise Risk Management, Group Risk Management, Manulife Financial
![Page 36: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/36.jpg)
30
Risk Management Program
According to the Institute of Risk Management (IRM), risk management is defined as the systematic process of understanding, evaluating and addressing risks to maximize the chances of objectives being achieved and ensuring organizations, individuals and communities are sustainable. Risk management also exploits the opportunities uncertainty brings, allowing organizations to be aware of new possibilities. Essentially, effec-tive risk management requires an informed understanding of relevant risks, an assessment of their relative priority and a rigorous approach to monitoring and controlling them. With this definition in mind, do you have a documented risk management program?
![Page 37: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/37.jpg)
31Risk Management Program
0% 20% 40% 60% 80% 100%
No, we do not have a risk management program at all
Don’t know
Yes, our organization has a robust and advanced risk management program
Yes, we have a somewhat developed risk management program
Yes, we have a minimally developed risk management program
44%
15% 37% 28%
2%
2%
3%
1%
1%12%
27%
28%
35%
9%
4%
28%
6%
19%
21%
6%
28%
44%
67%
30%
41%
8%
8%
40% 12%
51%
30%
22%
36%
8%
21%26%
under $100M
TOTAL
$100M to lessthan $1B
$1B or above
BY
CO
RP
OR
AT
E E
NT
ITY
BY
RE
VE
NU
E S
IZE
Private
Crown corp,Gov’t, Other
NGO
Public
Do You Have a Documented Risk Management Program?
“We assess our risk profile at least quarterly, but, the more meaningful and deep assess-ment of whether they are within risk appetite is best when it’s an integral part of business planning. If it happens in a separate exercise, significant value is lost.”
Kerry Reinke — VP, Enterprise Risk Management, Group Risk Management, Manulife Financial
When it comes to actively managing risk, 80% of organizations have some level of program in place, ranging from one that is robust and advanced (15%), to somewhat developed (37%) and minimally developed (28%). A robust risk management program is most likely to be found at the largest organizations by revenue (44%) or public companies (28%).
Participants reported similar percentages of implementation of a risk manage-ment framework: 16% had one fully implemented and 54% had one partially implemented. More than a quarter (28%) however have not implemented a risk management framework.
![Page 38: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/38.jpg)
32 The State of Enterprise Risk Management in Canada
For those 61% of respondents whose organizations have adopted a framework, less than half are using COSO (Committee of Sponsoring Organizations of the Treadway Commission) with the second most popular being ISO 31000. Inter-estingly, many indicated they were using an ‘other’ framework, such as the one developed by Office of the Superintendent of Financial Institutions (OSFI) for financial institutions, and many were using an internally created framework, sometimes with guidance from the organization’s parent.
Which Risk Management Framework Has Your Organization Adopted?
No framework adopted 39%
COSO Enterprise Risk Management — Integrated Framework 28%
Other — please specify: 19%
ISO 31000 Risk Management — Principles and Guidelines on Implementation 8%
Standard & Poor’s ERM 3%
FERMA (Federation of Enterprise Risk Management — European Risk Management Association) A Risk Management Standard
1%
BS 31100 Code of Practice for Risk Management 1%
OCEG Red Book 2.0 (GRC Capability Model) 0%
Total 100%
As a result, our interpretation of the survey results is that the degree to which a risk management program is documented is closely aligned with the applica-tion or implementation of a risk management framework.
“In our commercial and wholesale divisions we do have documented risk. In our consumer division, it’s a lot less formal but we’re aware of it and we manage it on an individual basis.”
Lenny Eichler — CFO, Distributel
“We have a documented risk process and we brought in a Chief Risk Officer about one and a half years ago. Based on our benchmarking at that time, that’s fairly unique among municipal governments, it’s not been something that has been a formal process. So we expect to see change across the country.”
Patrice Impey — CFO, City of Vancouver
“We do not have a formal documented process. We are a private company, but it does not mean that we do not go through the same procedures. We just do not invest the same amount of resources on documenting things.”
John Forester — CFO, DBG Canada Ltd.
![Page 39: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/39.jpg)
33Risk Management Program
“A smaller organization that we worked with undertook an organizational review of their risks and then went about the process of setting up an enterprise risk management program. That was really enlightening because the organization had been doing some things well but informally. And so it was a real eye opener [for the company] to go through a formal process and engage employees in different divisions and different roles. The end result was a much more comprehensive approach to risk management than had previously existed.”
Karen Horcher — Consultant, Hedge Rho Management Inc.
The existence of a CRO or equivalent, either fully or partially, is linked to com-pany size and corporate structure. Overall, 61% do not have such a role but in organizations with less than 100 employees, that figure jumps to 75%. This is a striking contrast to organizations with over $1B in revenue, where only 27% of them reported not having a CRO at all while 44% have at least one fully dedicated person for this role.
Where the CRO position exists, just under half report to the CEO (47%). If not reporting to the CEO, this position is likely to report to either the CFO (21%) or directly to the board of directors (18%).
Who Is and Who Should Be Primarily Responsible for Risk Management?More than one-third (34%) believe that senior management as a group is responsible for the oversight of risk management, followed by the CEO (23%), the board (18%) and the CFO (15%).
Asked who should be primarily responsible for risk management, the respon-dents’ answers were similar: 33% stated senior management, 25% stated for each of the board and the CEO and 8% for the CFO. The largest shifts between the present and target situations were the declining role for the CFO (15% to 8%) and the roughly commensurate expansion of the board’s role (18% to 25%).
![Page 40: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/40.jpg)
34 The State of Enterprise Risk Management in Canada
0% 20% 40% 60% 80% 100%
25% 25% 8% 7% 33% 2%
1%18% 23% 15% 9% 34%
CEO
Chief Risk Ocer (CRO) or equivalent
Other (please specify)
Board of directors
CFO
Senior management team, collectively
Primarily responsiblefor oversight of risk
management TODAY
Who SHOULD beprimarily responsible
for oversightof risk management
Who Is and Who Should Be Primarily Responsible for Risk Management
“I think the CFO is the person who is the best equipped and most professional in order to manage and do the oversight for risk.”
Ross Corcoran — CFO, Bantam Restaurant Group
“We actually have multiple boards and directors, because we own companies and are in joint ventures that have their own boards. There should be separate oversight structures aligned to the way you oversee your overall business. This is just another element of managing your businesses, so however you do the rest of it, you should generally follow the same approach with anything risk related. That’s what we do, so that particular boards deal with risks for their different units, and the monitoring gets more and more high level as you go up to avoid duplicating efforts.”
Senior Financial Executive
![Page 41: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/41.jpg)
35
Conclusion
The world is becoming a riskier place for most businesses to operate and pros-per. The range of risks, significant and insignificant, likely and unlikely to occur, known and unknown, is growing and gaining prominence as organizations find it necessary or are required to publicly report data breaches, cyber attacks and unexpected operational short comings that were once simply described as “surprises.”
Canadian organizations have more work to do when it comes to recogniz- ing and managing risks. While most organizations are concerned with risk, a significant number (one in five) continue to operate without a risk program of any kind.
Perhaps unsurprisingly, more robust, institutionalized enterprise risk manage-ment programs are most common among large and public companies, where nearly one half have one in place. The percentages decline for smaller and private entities. Our survey found similar percentages for implementation of a risk management framework: 16% had one fully implemented and 54% had one partially implemented. More than one quarter (28%) have not implemented a risk management framework.
The survey results suggest more work has to be done to bolster oversight and operational responsibility for enterprise risk management by relevant levels and individuals in organizations, be they boards of directors, CEOs, CFOs, and the latest C-suite member, the CRO. This is supported by U.S. research from the “2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities”3 which found that demands for board and executive risk oversight continue to rise.
3 2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities. Retrieved June 24, 2015 from: www.aicpa.org/interestareas/businessindustryandgovernment/resources/erm/downloadabledocuments/aicpa_erm_research_study_2015.pdf
![Page 42: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/42.jpg)
36 The State of Enterprise Risk Management in Canada
Enterprise risk management is still an emerging field for mid-sized orga-nizations. While it remains a mostly informal or ad hoc process for small organizations, it has been ingrained in strategy and initiatives by large organi-zations, both private and government entities, as well as Crown corporations.
What is becoming standard practice among large organizations with regards to risk management practices and standards will likely spread to smaller, private companies and NGOs as they seek to emulate their larger peers.
“Many companies tend to focus on the formal aspect of their risk frameworks, and I find that sometimes it creates a bit of a false sense of security. Even if you have a great risk framework and documented procedures, if you don’t have an open, transparent environ-ment in which people feel comfortable challenging ideas, and a communication mechanism to facilitate this, those formal processes simply won’t be as effective. Often, boards look at their organizations’ formal frameworks and processes and say `Okay, we’ve got all these great matrices and colourful heat maps,’ but what they really need to ask is what is the true corporate culture with respect to openness and transparency, and how does risk manage-ment fit within the broader strategic plan.”
Michael Kobrin, President, Michael Kobrin Consulting
![Page 43: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/43.jpg)
37
APPENDIX A
Demographics
Corporate Structure
Public26%Crown
Corporation4%
Government2%
Other2%NGO
10%
Private56%
![Page 44: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/44.jpg)
38 The State of Enterprise Risk Management in Canada
Primary Industry
0% 5% 10% 15% 20% 25%
Manufacturing
Finance and insurance
Mining, quarrying and oil and gas extraction
Wholesale trade
Construction
Retail trade
Utilities
Transportation and warehousing
Real estate and rental leasing
Health care and social assistance
Information and cultural activities
Educational services
Agriculture, forestry, fishing and hunting
Management of companies and enterprises
Arts, entertainment and recreation
Accommodation and food services
Other (please describe):
Administrative and support, wastemanagement and remediation services
Professional, scientificand technical services
21%
18%
9%
8%
7%
7%
4%
3%
3%
3%
3%
3%
2%
2%
2%
2%
1%
1%
1%
![Page 45: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/45.jpg)
39Demographics
Position Title
CFO
Controller
VP Finance
Director of Finance
CEO
Treasurer
CRO (Chief Risk O�cer)
COO (Chief Operating O�cer)
Other
Founder, Owner,President or Principal
0% 5% 10% 15% 20% 25% 30%
30%
23%
12%
9%
6%
3%
2%
2%
2%
11%
Annual Revenue
$1B or above
$500M to less than $1B
$100M to less than $500M
$50M to less than $100M
$25M to less than $50M
$5M to less than $25M
less than $5M
0% 5% 10% 15% 20% 25%
11%
11%
12%
6%
19%
20%
21%
![Page 46: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/46.jpg)
40 The State of Enterprise Risk Management in Canada
Number of Employees
more than 3,000
1,001-3,000
501-1,000
251-500
101-250
26-100
25 or less
0% 5% 10% 15% 20%
16%
15%
14%
11%
14%
10%
20%
Where Employees Reside — Geographic Regions [Select All That Apply]
0%
20%
40%
60%
80%
100%
Canada
99%
Other Countries
20%
United States
26%
![Page 47: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/47.jpg)
41
APPENDIX B
Forum Participants
Forum Chair Victor Wells, Chair, Canadian Financial Executives Research Foundation (CFERF)
Moderators Laura Pacheco, VP, Research, FEI Canada
Robert Torok, Partner & Co-Founder, BetterVu
Vancouver Karen Horcher, Consultant, Hedge Rho Management Inc.
Patrice Impey, CFO, City of Vancouver
Robert McFarlane, Corporate Director & former EVP & CFO, Telus
Jeff Shickele, VP, Accounting, Amacon
Toronto Xerxes K. Cooper, CFO, IBM Canada
Dean Cosman, VP Finance & Administration & CFO, Canada Deposit Insurance Corporation
Brian Fiedler, CFO, Give and Go Prepared Foods Corp.
John Forester, CFO, DBG Canada Ltd.
Hubert Huang, VP, Risk Management, Brookfield Asset Management
Michael Kobrin, President, Michael Kobrin Consulting
Kerry Reinke, VP, Enterprise Risk Management, Group Risk Management, Manulife Financial
![Page 48: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/48.jpg)
42 The State of Enterprise Risk Management in Canada
Montreal Ross Corcoran, CFO, Bantam Restaurant Group
Lenny Eichler, CFO, Distributel
Marc Malouin, CFO, DAC Aviation International
Winnipeg Bev Davies, VP, Enterprise Risk Management, Investors Group Inc.
Observers
Vancouver David Chiang, Senior Director, Member Services, CPA BC
Michael Conway, President & CEO, FEI Canada
Jan Sampson, EVP for Member Engagement for CPA BC
Todd Scaletta, Director, Research, Guidance and Support, CPA Canada
Toronto Gord Beal, VP Research, Guidance and Support, CPA Canada
Laura Bobak, Research and Communications Manager, FEI Canada
Gigi Dawe, Principal, Research, Guidance and Support, CPA Canada
Carol Raven, Principal, Research, Guidance and Support, CPA Canada
Paul Brent, Writer, FEI Canada
We gratefully acknowledge the efforts of our survey respon-dents and our round table participants who took valuable time away from their day jobs to participate in this research.
![Page 49: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/49.jpg)
![Page 50: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/50.jpg)
About CPA Canada The new Canadian designation, Chartered Professional Accountant (CPA), is now used by Canada’s accounting profession across the country. The pro-fession’s national body, Chartered Professional Accountants of Canada (CPA Canada), is one of the largest in the world with more than 200,000 members, both at home and abroad. The Canadian CPA was created with the unifica-tion of three legacy accounting designations (CA, CGA and CMA). CPAs are valued for their financial and tax expertise, strategic thinking, business insight, management skills and leadership. CPA Canada conducts research into current and emerging business issues and supports the setting of accounting, auditing and assurance standards for business, not-for-profit organizations and govern-ment. CPA Canada also issues guidance and thought leadership on a variety of technical matters, publishes professional literature and develops education and professional certification programs. www.cpacanada.ca
About Financial Executives International Canada (FEI Canada) FEI Canada is the all-industry professional membership association for senior financial executives. With eleven chapters across Canada and more than 1,600 members, FEI Canada provides its members thought leadership, advocacy services and extensive professional development opportunities — including its executive education offering, the CFO Leadership Beyond Finance program. The association membership, which consists of Chief Financial Officers, Audit Committee Directors and senior executives in the Finance, Controller, Treasury and Taxation functions, represents a significant number of Canada’s leading and most influential corporations. Further information can be found at www.feicanada.org. Follow us on Twitter at @FEICanada.
About the Canadian Financial Executives Research FoundationCFERF is the non-profit research institute of FEI Canada. The foundation’s mandate is to advance the profession and practices of financial management through research. CFERF undertakes objective research projects relevant to the needs of Canada’s senior financial executives in working toward the advancement of corporate efficiency in Canada. For more information, please visit www.feicanada.org.
![Page 51: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/51.jpg)
The State of Enterprise Risk Managementin Canada
![Page 52: The state of enterprise risk management in Canada](https://reader033.vdocuments.site/reader033/viewer/2022042906/579075e11a28ab6874b6a854/html5/thumbnails/52.jpg)
277 WELLINGTON STREET WESTTORONTO, ON CANADA M5V 3H2T. 416 977.3222 F. 416 977.8585WWW.CPACANADA.CA