the state of enterprise risk management in canada

The State of Enterprise Risk Managementin Canada

The State of Enterprise Risk Management in Canada

DISCLAIMERThis paper was prepared by the Chartered Professional Accountants of Canada (CPA Canada) and the Canadian Financial Executives Research Foundation (CFERF), the research arm of FEI Canada, as non-authoritative guidance.

CPA Canada and CFERF do not accept any responsibility or liability that might occur directly or indirectly as a consequence of the use, application or reliance on this material.

The State of Enterprise Risk Management in Canada

Issued in print and electronic formats.

ISBN 978-1-55385-981-9 (print). ISBN 978-1-55385-982-6 (pdf).

Joint Copyright © 2016 Chartered Professional Accountants of Canada and Canadian Financial Executives Research Foundation (CFERF)

All rights reserved. This publication is protected by copyright and written permission is required to reproduce, store in a retrieval system or transmit in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise).

For information regarding permission, please contact [email protected]

iii

Table of Contents

Executive Summary 1

Research Methodology 3

Survey Demographics 4

The View of Risk Management in Canada Today 5

Level of Confidence in an Organization’s Ability to Effectively Manage Risk 6

To What Extent Is the Organization’s Strategy Aligned to Its Risk Appetite? 8

Do Corporate Directors Understand an Organization’s Opportunities and Risks? 9

Does the Senior Management Team Understand the Organization’s Opportunities and Risks? 11

Do Employees Understand the Organization’s Opportunities and Risks? 13

How Does the Organization Review New Activities and Initiatives During the Planning Stage to Identify and Address Risks? 17

Significance of Different Types of Risk on Organizations Today 19

The Significance of Risks Facing Organizations During the Next 12 Months 25

Strategic Risks 25

Operational Risks 26

iv The State of Enterprise Risk Management in Canada

Financial Risks 27

External Risks 28

Unidentified Risks 29

Risk Management Program 30

Which Risk Management Framework Has Your Organization Adopted? 32

Who Is and Who Should Be Primarily Responsible for Risk Management? 33

Conclusion 35

Appendix A — Demographics 37

Appendix B — Forum Participants 41

1

Executive Summary

Modern financial and operational threats range from international economic contagion in a connected global economy to the real and growing threat of cyber sabotage and natural disasters. Add to that the pressures caused by uncertainty around commodity prices, interest rates, foreign exchange rates and the very real possibility of internal business failures or shortcomings, and there are plenty of real and potential risks that organizations must identify and plan for. Yet risk, when managed correctly, can be a driver of new possibilities, growth, expansion and innovation.

In general, large organizations have robust programs in place to manage risk and use those programs as part of their overall business strategy. However, almost 20% of participants in a recent survey about the state of risk man-agement in Canada conducted for this study by the Chartered Professional Accountants of Canada (CPA Canada) and the Canadian Financial Executives Research Foundation (CFERF) report their organizations currently have no documented risk management program.

The results of the survey suggest that many executives are actively dealing with rising uncertainty and risk. With more than 320 respondents answering the survey, the majority (66%) described themselves as only “somewhat confi-dent” in their organization’s ability to manage risk. A minority (20%) described themselves as extremely confident. Overall, respondents generally believe that their boards understand the risks — both positive and negative — facing their organizations, have even more confidence in their senior management’s awareness of risk but notably less confidence in the front line employees’ understanding of risks facing the company.

The 2008 financial crisis and the great recession that followed reinforced the need for risk management while highlighting the threat of unprecedented and unexpected occurrences. High profile cases of cyberattacks on corpora-tions have raised awareness even further. Organizations are paying attention,

2 The State of Enterprise Risk Management in Canada

according to results of the survey: 93% of organizations review new activities or initiatives during the planning stage to address risks, either through a for-mal, informal or ad hoc process.

What risks are Canadian organizations most wary of? Getting the strategy wrong, it turns out. Beyond general economic and industry conditions, organi-zations worry about leadership, enterprise reputation and enterprise strategy, identifying these risks and others as major impacts or business continuity risks to the organization.

Survey participants held a variety of opinions on who is and who should be responsible for identifying and mitigating business risks. Answers ranged from senior management to the board of directors to the CEO or the CFO. Some respondents said more corporate directors should have the ultimate oversight for risk than they currently do and some respondents said they thought CFOs should bear less of the burden of responsibility.

Nearly two-thirds (61%) do not have a chief risk officer or equivalent, while 38% have at least one individual charged with risk management in either a full or part-time role.

Risks are real and given the speed of change in today’s economy, the ability to identify and address risks in a timely fashion is critical to an organization’s success.

3

Research Methodology

The state of risk management in Canada was prepared by CFERF, the research arm of FEI Canada, in partnership with CPA Canada, the national organization established to support a unified Canadian accounting profession.

The research objective of this study was to examine the existing state of risk management in Canada. In addition, the purpose was to understand how risk functions are structured in organizations, to look at what organizations have identified as key risks in the past, as well as a review of the significance certain risks pose to organizations in the next 12 months.

The report encompasses the opinions and experiences of more than 320 financial executives, who may or may not have risk management responsibility. Partici-pants completed an online survey in April 2015. Insights were gathered at an executive research roundtable, connected by videoconference and teleconfer-ence, held on April 23, 2015 with 15 senior financial executives in Vancouver, Winnipeg, Toronto and Montreal. A productive dialogue was achieved through this roundtable, with representatives from financial services, telecommunica- tions and IT, food manufacturing and food services, manufacturing, consulting, construction, recreational facilities, services and government all sharing their real-life experiences and expertise on the current state of enterprise risk management in Canada. The study encapsulates the responses from a broad cross-section of experienced financial executives from both public and private companies, and experts and consultants managing risk from domestic to multi-national organizations of varying sizes.


Survey DemographicsThe main respondents to the online survey of this research study were CFOs (30%), controllers (23%), and vice-presidents of finance (12%). Just over half (56% of total) of the respondents were from privately held companies and 26% were from publicly traded companies. The balance of the respondents were from the not for profit sector (10%), Crown corporations (4%), government (2%) and other (2%).

The main industries represented were:• manufacturing (21%)• finance and insurance (18%)• mining, quarrying and oil and gas (9%)• professional, scientific and technical services (8%)• construction (7%)• wholesale trade (7%)

For the purposes of this report, organizations were grouped into three broad revenue groups:• 55% were small, with revenues less than $100M • 26% were mid-sized ($100M — under $1B)• 19% were large, (revenues of $1B or higher)

Results were also reviewed by number of employees and grouped according to Statistics Canada’s definition of small, medium and large organizations. • 36% were small (100 employees or less)• 29% were mid-sized (101-500 employees)• 35% were large (over 500 employees)

For more demographic information, please see Appendix A.

5

The View of Risk Management in Canada Today

Risk and uncertainty are constant elements of the business environment. Risk is “the combination of the probability of an event and its consequence. Consequences can range from positive to negative.” (The Institute of Risk Management)1 The study’s respondents believed that their organization has the ability to manage risk, with 66% stating they are “somewhat confident” and an additional 20% “extremely confident” in the processes to deal with both positive and negative consequences. Confidence in risk management processes was higher among not-for-profit, government and Crown cor-porations than privately held companies. Organizations with more than 500 employees were most confident, with 90% somewhat to extremely confident.

1 Retrieved from www.theirm.org/media/886059/ARMS_2002_IRM.pdf, July 8, 2015.

https://www.theirm.org/media/886059/ARMS_2002_IRM.pdf


Level of Confidence in an Organization’s Ability to Effectively Manage Risk

Level of Confidence in an Organization's Abilityto E�ectively Manage Risk

Neutral, 8%Extremely confident, 20%

Somewhat confident, 66%

Not very confident, 6%

12%

3% 1%

59%

26%

Private

7%

71%

14%

8%

100 employeesor less

10%

74%

12%

4%

101-500employees

4%

61%

23%

12%

over 500employees

63%

27%

9%

Crown corp,Gov’t, Other

8%

54%

38%

NGO

6%

68%

26%

Public0%

20%

40%

60%

80%

100%

Extremely confident Somewhat confident Neutral Not very confident

BY CORPORATE ENTITY BY NUMBER OF EMPLOYEES

7The View of Risk Management in Canada Today

The concept of aligning risk strategy with an organization’s tolerance for risk is well understood among organizations, particularly larger ones. Overall, 72% of survey participants declared that their company’s strategy is either mostly or fully aligned with its risk appetite. That perceived degree of alignment between overall strategy and risk tolerance was highest among organizations with more than 500 employees (with 81% mostly or fully aligned) while small organizations with under $100 million in annual revenue were seen as least aligned at 69%. The relationship between confidence and size also held true with 78% of organizations with revenue of $1 billion or more being mostly or somewhat aligned. Just 4% of all participants said their organization’s strategy was “not very aligned” with its risk appetite. Interestingly, there was virtually no variability in results given an organization’s corporate structure.


To What Extent Is the Organization’s Strategy Aligned to Its Risk Appetite?

To What Extent Is the Organization's Strategy Aligned to Its Risk Appetite

Fully aligned Mostly aligned Somewhat aligned Not very aligned Not aligned at all

0%

20%

40%

60%

80%

100%

under$100M

26%

5%

56%

13%

$100M to lessthan $1B

20%

6%

60%

14%

$1B orabove

21%

1%

52%

26%


29%

52%

3%

16%

101-500employees

25%

8%

58%

9%

over 500employees

60%

21%

16%

3%

BY ANNUAL REVENUE BY NUMBER OF EMPLOYEES

Somewhataligned, 24%

Fullyaligned, 16%

Mostlyaligned, 56%

Not very aligned, 4%


“We keep reminding ourselves that it is about the opportunities and the threats, but as accountants, our inclination is to think about the threats first. That’s the benefit of ensuring we bring more operational, sales and marketing people into the room, to remind ourselves it goes both ways.”

Bev Davies, VP, Enterprise Risk Management, Investors Group Inc.

Do Corporate Directors Understand an Organization’s Opportunities and Risks? In most organizations, the board of directors represents the final decision making authority and the highest level of responsibility. According to the CPA Canada report A framework for board oversight of enterprise risk,2 “boards of directors are not expected to unilaterally identify, analyze, mitigate and monitor enterprise risk. Rather, boards must oversee the risk management systems and processes and continuously review the associated outcomes and planning.”

Knowledge of risks among corporate directors, however, is not necessarily viewed as comprehensive. Overall, 72% of survey respondents felt that boards of directors mostly or fully understood the risks and opportunities associated with the organization. That level of comfort falls dramatically amongst small organizations (under $100M), with 10% reporting their board having little or no understanding of threats and opportunities, roughly double the percenage among other revenue groups. When viewed by employee count, mid-sized organizations (101-500 employees) rated their boards lower at 66% mostly or fully understanding risks than small (72%) and large organizations (78%).

2 Caldwell, John. A Framework for Board Oversight of Enterprise Risk, Retrieved from www.cpacanada.ca/business-and-accounting-resources/strategy-risk-and-goverance/enterprise-risk-management/publications/board-oversight-a-new-framework-for-identifying-understanding-and-addressing-risk, July 8, 2015.

https://www.cpacanada.ca/business-and-accounting-resources/strategy-risk-and-goverance/enterprise-risk-management/publications/board-oversight-a-new-framework-for-identifying-understanding-and-addressing-risk





0%

20%

40%

60%

80%

100%

By Corporate Entity

Do Corporate Directors Understandan Organization’s Opportunities and Risks?

0%

20%

40%

60%

80%

100%

Fully understands Somewhat understandsMostly understandsDoes not understand at allUnderstands a little

BY REVENUE SIZE BY NUMBER OF EMPLOYEES

under$100M

21%

8%

2%

46%

23%


20%

4%

52%

24%

$1B orabove

19%

6%

40%

35%


21%

6%1%

43%

29%

101-500employees

22%

11%

1%

52%

14%

over 500employees

46%

32%

20%

2%

Public

6%

20%

39%

35%

Private

21%

48%

25%

5%1%

24%

50%

18%

8%

TOTAL

47%

25%

21%

6%1%


16%

13%

63%

8%

Non-Government/Not for profit


“Oversight is 100% the board’s responsibility. At CDIC, we have a board policy on Enter-prise Risk Management that sets this out. For me, the role of the CEO and the Executive Management team is the management of the risk.”

Dean Cosman — VP Finance and Administration and CFO, Canada Deposit Insurance Corp.

Does the Senior Management Team Understand the Organization’s Opportunities and Risks? The senior management team perceives themselves to have a somewhat stron-ger grasp of the risks facing organizations than boards of directors. Overall, participants stated that 80% of the responding organizations’ senior manage-ment teams mostly (49%) or fully (31%) understood the risks associated with the business. Confidence in senior management was somewhat lower in small-revenue based organizations, i.e. those with less than $100M (79%). The type of corporate structure (private, public, government/NGO indicated some varia-tion — for instance, 28% of survey respondents from private companies and 25% from government and Crown corporations said their senior management team “fully understands” the risks to the organization, compared to 41% of NGOs.

0%

20%

10%

40%

30%

60%

50%

80%

70%

90%

100%

Board ofDirectors

SeniorManagement Team

Employees

6%

1%

21%

47%

25%

2%

18%

49%

31%

2%

23%

44%

31%


72% feltthat Boardof Directors

eithermostlyor fully

understoodrisk

80% feltthat Sr.

Mgmt Teameithermostlyor fully

understoodrisk

Only 31% feltthat

Employeeseithermostlyor fully

understoodrisk

Extent of Understanding Risks That Are Relevantto the Organization


0%

20%

40%

60%

80%

100%

Does the Senior Management Team Understandthe Organization’s Opportunities and Risks?

By Corporate Entity

0%

20%

40%

60%

80%

100%



under$100M

18%

3%

51%

28%


18%

1%

51%

30%

$1B orabove

18%

42%

40%


17%

1%

52%

30%

101-500employees

24%

2%

49%

25%

over 500employees

47%

37%

15%

1%

Public

14%

2%

49%

35%

Private

19%

2%

51%

28%


25%

50%

25%

NGO

21%

38%

41%

TOTAL

49%

31%

18%

2%


Do Employees Understand the Organization’s Opportunities and Risks?While it can be said that confidence in both senior management and directors’ recognition and understanding of risk are at similar levels among survey par-ticipants, the same level of assurance does not hold among other employees in organizations. Only 31% believe that employees mostly or fully understand the opportunities and threats relevant to their organization, a sizeable gap compared to management and directors. This may reflect a communications gap from the top of the organization to other levels. In this regard, whether measured by employee count or revenue, the largest organizations scored highest (39% or 45% respectively) while the ones “stuck in the middle” scored lowest (22 or 24%).

Risk appears to be better understood by employees at either small organiza-tions or large organizations. Anecdotally, at small organizations “everyone knows and understands” what’s in play through informal discussions, while in large organizations formal communication plans exist to disseminate the information to staff. It’s the employees of mid-size organizations who have the least knowledge of the risks facing their organization, perhaps because these organizations appear to not be large enough to have the formal procedures in place yet are too large for an informal network of communication.

“We’re a very complex organization. We have several business units across several geo-graphic areas, almost 300 organizations and partnerships, and a few hundred employees. Most of our employees don’t really think in terms of risk management.”

Jeff Shickele — VP, Accounting, Amacon


Do Employees Understand the Organization'sOpportunities and Risks?

Text

0%

20%

40%

60%

80%

100%

By Corporate Entity

0%

20%

40%

60%

80%

100%

25%

4%

43%

28%

23%

2%

51%

24%

18%

37%

45%

22%

4%

45%

29%

33%

3%

42%

22%

44%

39%

16%

1%

under$100M


$1B orabove


101-500employees

over 500employees



Public

16%

1%

48%

35%

Private

28%

4%

42%

26%


17%

4%

50%

29%

NGO

18%

38%

44%

TOTAL

44%

31%

23%

2%


It’s not surprising that boards of large organizations have a fairly strong under-standing of the risks facing the organization. Over the past 10 years, increased regulatory, media, and investor pressure has forced boards to become more knowledgeable and active in risk management, and this trend has permeated through all sectors of the economy. Conversely, smaller organizations are often owner-managed with risk management being an informal activity based on the owners’ gut feel, rather than a formal board-level activity. The call to action dif-fers by size of organization; larger organizations must ensure that their boards are fully conversant with risk exposure and mitigation plans so that they can be formally approved, whereas smaller organizations should consider devoting greater attention to risk management activities.

The large divergence in risk understanding that we see at the employee level is also — unfortunately — not surprising. What makes risk management a greater concern is that employees might inadvertently accept risks that the organiza-tion wishes to avoid (or vice versa of course). For example, an organization might have a strategy that calls for effectively 100% on time order fulfillment; this strategy might mean that some potential orders are turned down as there might not be sufficient capacity to deliver on them. This strategy must encour-age all levels of the organization to ensure that employees do not, for example, “chase volume or revenue” that might generate undesirable risk, and that incen- tives align with the strategy. It is imperative therefore that all employees understand the risk appetite of the organization, both in qualitative and quantitative terms, but more importantly that the organization act on its words as it defines its risk strategy.


CASE STUDY: RISK ASSESSMENT AT TELUS“At TELUS, about a decade ago, we implemented our own in-house developed risk assess-ment survey tool, and once a year, about 1,500 team members complete this e-survey. So the reported view of risk was statistically valid.

For senior executives, the top ten risks were typically strategic risks. When you went down to the front line, top-rated risks were typically more operational in nature such as customer service related risks, or process related concerns. In other words, the things which were inhibiting their ability to do their jobs well. It is a great tool. The survey findings were transparent to the board including a compare and contrast of risk rankings by level in the organization.

One would see process breakdowns and customer service right at the top of front line concerns and yet, we’re supposed to be putting customers first as an overall corporate objective. I think it was a tool that actually allowed the organization to say, “We have to do a lot more than provide lip service to our stated priority,” and the entire organization has to put customers first and improve customer service. By the way, that is exactly what happened as TELUS made remarkable progress on this priority since 2008.

So, TELUS’ risk management tool helped shed light on whether what VPs and SVPs were reporting was actually what our frontline experienced. Our frontline responses were more correlated with the stats from our customers’ perceptions and so it was a great catalyst to doing something good in the organization to improve customer service, but the point being: Be very, very careful when compiling risk rankings.

You have to ask the question: Who is saying these are the major risks and what is their natural bias/perspective? Unless you have a cross-section throughout the organizational hierarchy of a large organization, as opposed to merely a survey of senior management, then you’re not going to really have a good understanding of the true risks the organiza-tion faces.”

Robert McFarlane — Corporate Director and former EVP and CFO, TELUS


How Does the Organization Review New Activities and Initiatives During the Planning Stage to Identify and Address Risks?Larger and public organizations are more likely to have formal processes and structures in place to identify and manage risk. Overall, 69% reported a formal or informal process is in place to identify and address risk: that percentage rises to 87% for organizations with $1 billion or more in revenue and 78% for those with more than 500 employees. Private companies are more likely to have informal processes (46%), while public companies are more likely to have a formal process (46%). Private companies are most likely to have no process at all.

“We have a documented risk management framework. I’d add though that we’re actively streamlining and trying to reduce the amount of documentation and administration. For example, we have a large number of risk policies and we’re trying to rationalize those; focusing more on the cultural aspect of risk management and on risk appetite. Why are we taking the risk? How does taking the risk contribute to our objectives and at what level? What do we need to do to manage within the risk appetite?”

Kerry Reinke — VP, Enterprise Risk Management, Group Risk Management, Manulife Financial

“We’re a $100 billion business, but I can’t allow the framework that would apply to a $100 billion dollar business stifle a $7 million, or even a $700,000 opportunity. That’s why you still leverage the fundamentals that you have of your overall risk management, but it can’t overburden your ability to pursue opportunities.”

Xerxes Cooper — CFO, IBM Canada

“At TELUS, we established our own definition of risk, in relation to an ethical organization. Ethics were used as a fundamental building block. You can have a great process but, unless you have a good understanding and some process to assess what the perception of the ethical culture and compliance is throughout the entire organization, then you may have a house of cards. If you have what looks like a robust risk management system that is in fact based upon an unethical culture, you can be exposed to a major failure.”

Robert McFarlane — Corporate Director and former EVP and CFO, TELUS


0% 20% 40% 60% 80% 100%

87%By Revenue Size

55% 32% 13%

39% 28% 23% 10%

15% 50% 29% 6%under $100M

$100M toless than $1B

$1B or above

0% 20% 40% 60% 80% 100%

78%

47% 31% 17%

21% 45%

17% 47%

26%

30%

5%

8%

6%100 employees

or less

101-500employees

over 500employees

By Number of Employees

Organization has a formal processto identify and address risks

Organization has an ad hoc process to identify and address risks

Organization has an informal processto identify and address risks

Don’t know

Organization has no process to identify and address risks

0% 20% 40% 60% 80% 100%

28%

69%

41% 24% 6% 1%

35% 38% 27%

46% 33% 17% 4%

17% 46% 28% 8% 1%

46% 30% 19% 5%

By Corporate Entity

How Does the Organization ReviewNew Activities and Initiatives During the Planning

Stage to Identify and Address Risks?

Public

Private


NGO

TOTAL


Significance of Different Types of Risk on Organizations Today

Significance of Di�erent Types of Risk on Organizations Today

0%

20%

40%

60%

80%

100%

Strategy Risks

6%

2%

55%

27%

8% 2% 1%

Financial Risks

36%

3%

6%

External Risks

3%

1%

35%

23%

33%

5%

Operational Risks

7%

47%

35%

10%

40%

15%

Business

Continuity

Concern or

Major

Impact

61%

Business

Continuity

Concern or

Major

Impact

54%

Business

Continuity

Concern or

Major

Impact

46%

Business

Continuity

Concern or

Major

Impact

36%

Has a major impact

Business continuity is called into question

Don’t know

Has no or very minor impact

Has a minor impact

Has a moderate impact

Among the four categories of risks, strategic risk was viewed to have the high-est overall impact (55% reporting a major impact and another 6% believing business continuity is called into question).

Strategic risks are risks (opportunities and threats) that affect or are created by business strategy decisions. Included in this category are brand perception and value, changing customer needs, general economic and industry conditions, leadership, local, regional and national political environment.


0%

20%

40%

60%

80%

100%

Public

56%

28%

5% 1%

Private

7%1%

51%

30%

6%4%

24%

18%

53%

TOTAL

27%

55%


8% 3% 8%

NGO

4%

4%

5%6%

2%

2%

79%

13%

By Corporate Entity

Has a major impact


Don’t know


Has a minor impact


Significance of Strategic Risks on Organizations Today

Strategic risk had large variability between private and government/crown corporations (with 51% and 79%, respectively, stating it has a major impact).

Overall, 54% of respondents said that operational risks posed a major impact or were a threat to business continuity. Operational risks tend to grow with company size: 46% of small organizations (less than $100 million in revenue) saw it as having a major impact or a continuity threat whereas 60% of orga-nizations with $100 million to less than $1 billion in revenue and 65% of organizations with $1 billion or above in revenue felt the same. Among organization types, Crown corporations and government felt that operational risks posed the greatest threat (67%) while NGOs had the lowest (41%).

Operational risks are inherent, and reflect a company’s procedures, people and systems. Specific risk examples include business processes, surplus/shortage of capacity, change integration, channel effectiveness, customer satisfaction, operational efficiency, health and safety, product/ service performance, service delivery, supplier failure (quality, quantity or timeliness), and operational technology failure.


0%

20%

40%

60%

80%

100%

Public

52%

33%

7%

Private

6%1%

1%

44%

35%

7%

47%

12%

38%

TOTAL

35%

47%


13% 10%

NGO

8%3% 7%

59%

33%

1% 1%

54%

By Corporate Entity

Significance of Operational Risks on Organizations Today

0%

20%

40%

60%

80%

100%

40%

39%

13%

5%

55%

33%

6%1% 1%

1% 1%1% 1%1%

38%

5%

52%

30%

56%

7%

10%

55%

29%

5%

8%

34%

39%

17%7%

4% 6%

Has a major impact


Don’t know


Has a minor impact



under$100M


$1B orabove


101-500employees

over 500employees


“[Food safety] is only one of my risks. … The second thing is the POS (point of sale) system, when the POS systems go down (technology), you can’t run a restaurant. You cannot col-lect cash without a POS system.”

Ross Corcoran — CFO, Bantam Restaurant Group

Overall, 46% of respondents said that financial risks today constituted either a major impact on their organization or actually posed a threat to its business continuity. This assessment was highest for publicly traded companies (58%) and lowest for Crown corporations/government (29%).

Financial risks include the following: regulatory/compliance requirements, commodity prices and input costs, credit rating and access to capital, foreign exchange, interest rates, liquidity and cash flow, regulatory, legal and compliance, tax policies and laws.


2%2%

0%

20%

40%

60%

80%

100%

Public

47%

32%

8%

Private

3%1%

39%

36%

11%

35%

15%

35%

TOTAL

36%

40%


19% 15%

NGO

4%

4% 3% 3%

12% 6%

25%

54%

13%

2% 2% 3% 3% 3%1%

0%

20%

40%

60%

80%

100%

40%

34%

16%

3%

37%

40%

7%

1%

37%

15%

41%

41%

41%

18%

8%

44%

39%

8%

8%

1%

38%

31%

19%11%

4% 4%

under$100M


$1B orabove


101-500employees

over 500employees


Has a major impact


Don’t know


Has a minor impact


By Corporate Entity

Significance of Financial Risks on Organizations Today


2% 2%

0%

20%

40%

60%

80%

100%

Public

37%

32%

21%

Private

4%

3% 5%

2%

33%

34%

6%2%

55%

24%

15%

TOTAL

35%

33%


24% 23%

NGO

4% 3%1%

54%

29%

17%

Has a major impact


Don’t know


Has a minor impact


By Corporate Entity

Significance of External Risks on Organizations Today

Overall, the expectation of a major impact or threat to business continuity from external risks is 43% for public companies, with Crown corporations and government organizations most affected at (54%). Those reported to be least affected by external risks are NGOs, with only 19% expecting a major impact or threat to business continuity.

“As a financial services company, we obviously have a lot of confidential information and so cyber security is one of our top evolving risks. We’re spending a lot of time on initiatives to manage that risk. It’s a lot about what you don’t know that can hurt you because you might find a solution to protect against the latest cyber breach methodology, but then something else could come up that you’re not protected against. As an organization, we devote a fair amount of time talking to our board about information security risk and the programs that are in place.”

Bev Davies, VP, Enterprise Risk Management, Investors Group Inc.

External risks are associated with factors outside of the organization and these occurrences are largely outside of an organization’s control, but the impact can be greatly influenced. Included in this category would be the changing natural environment, natural disasters, attacks on personnel, ter-rorism, sabotage and cyber security risk.

25

The Significance of Risks Facing Organizations During the Next 12 Months

Strategic Risks

0% 20% 40% 60% 80% 100%

Has a major impact


Don’t know


Has a minor impact


Local, regional, nationalpolitical environment

Leadership 2%

6% 28% 36% 27%

52%

12%

23%

23%

30%

52%

44%

39%

35%

34%

1%

2%

4% 1%

1%

1%

1%

1%

4%

4%

3%

3%

3%

5%

8%

7%

2% 8%

14%

15%

18%

21%

22%

11%

10% 31%

39%

33%

33%

33%

36%

36%

36%2%

2%

2%

2%

2%

Intellectual property

Global market andgeo-political conditions

General economicand industry conditions

Enterprise strategy

Enterprise reputation

Changingcustomer needs

Brand perceptionand value


Among the strategic risks, other risks that pose a major impact and threat to business continuity were general economic and industry conditions (56%), leadership (56%) and enterprise strategy (47%). The lowest threats were seen to be the local, regional and national political environment (28%) and intellectual property (14%).

Operational Risks

0% 20% 40% 60% 80% 100%

Has a major impact


Don’t know


Has a minor impact


Information technologyfailure

Supplier failure (quality,quantity or timeliness) 11%

4% 19% 29% 39%

30%

46%

43%

29%

33%

30%

21%

20%

31%

35%

9%

5%

2%

1%5%

1%

3%1%

1%

8%

5%

2%

5% 24%

37%

28%

22%

19%

5%

6%

24% 30%

18%

16%

39%

43%

38%

38%

26%15%

2%

2%

Service delivery

Product/serviceperformance

Human resources

Health and safety

Channel e�ectiveness

Capacity: Surplus, shortageor misalignment

Business processes

Among operational risks, other risks that pose major impact and threat to business continuity were information technology failure (48%), service delivery (48%) and product/service performance (45%); health & safety was viewed as the lowest of these risks (22%).

“Our top three risks are operational. One of these risks is one that would be certainly unique to us. As the federal deposit insurer in Canada, we need to be prepared if and when a member institution experiences difficulty. Another of our key risks is cyber. We are a small organization, but we have a heavy reliance on technology to fulfill our mandate. Again, being a small organization, another key risk is on the HR side. We have been challenged to attract the necessary expertise in certain areas and we also have made succession planning a priority to ensure we are well positioned for the future.”

Dean Cosman — VP Finance and Administration and CFO, Canada Deposit Insurance Corp.

27The Significance of Risks Facing Organizations During the Next 12 Months

“In the food business, our number one risk is food safety. That has unconditional priority in terms of active risk management from the C-suite all the way down to shop floor level and the responsibility of every employee.”

Brian Fiedler — CFO, Give and Go Prepared Foods Corp.

“Being an aircraft operator, we are very much regulated under Transport Canada. We need to make sure our planes are well-maintained and that everything is up to par.”

Marc Malouin — CFO, DAC Aviation International

Financial Risks

0% 20% 40% 60% 80% 100%

Has a major impact


Don’t know


Has a minor impact


Tax policies and laws

Asset value impairment 26%

19% 36% 33%

10%

27%

37%

31%

23%

17%

25%

23%

32%

12%

1%

1%

1%

1%

3%

3%

1%

22%

21%

14%

35%

24%

25%

26%

8%

7%

39% 23%

30%

26%

24%

28%

28%

32%15%

3%1%

7%

Regulatory, legaland compliance

Liquidity and cash flow

Interest rates

Foreign exchange

Credit ratingand access to capital

Commodityand input costs

Survey participants took a fairly benign view to financial risks. Of those viewed to pose the greatest risk to their organization (major impact and threat to business continuity), liquidity and cash flow topped the list at 44%, followed by commodity and input costs at 35%. Just 11% saw asset value impairment as a significant risk while 12% viewed tax policies and laws as potentially having a major impact or continuity risk.


Of course, these results may be heavily influenced by the profile of the survey respondents. A survey of organizations with major operations in politically less stable environments, perhaps subject to capital controls, expropriation/ nationalization, uncertain legal or regulatory structures, etc., may result in very different perspectives.

External Risks Defined as risks associated with factors largely beyond the organization’s control, the most significant external risk is viewed to be cyber security, with 28% of respondents considering it to constitute a major impact or threat to business continuity.

0% 20% 40% 60% 80% 100%

25% 36% 22% 14%

2%

1%

2%

1%

11%

3%

21% 38% 25%

24%12% 30% 30% 4%

1%

23% 37% 26% 12%

Has a major impact


Don’t know


Has a minor impact


Changing naturalenvironment

Cyber security

Natural disasters

Attacks on personnel,terrorism, sabotage, etc.(physical or electronic)

“We’ve all heard about managing business on the cloud. A large portion of our business going forward is to take more more responsibility for our end-users, our clients and their data. And with that also comes their business responsibility, the reputational risk and so on.”

Xerxes Cooper — CFO, IBM Canada

29The Significance of Risks Facing Organizations During the Next 12 Months

Unidentified RisksParticipants were asked to identify major risks to their business not described in the survey. Notable responses included inclement weather, technology and worrisome employee demographics:• “Since we are a housing construction company, longer winters will hurt our

industry since outside work cannot be accomplished unless a higher cost is attached to it and it will also lengthen the construction period which will diminish the anticipated surplus.”

• “Inability to move faster on all IT related investment. Major changes in competitor channel delivery and use of internet can fundamentally change our business.”

• “Baby boomers departing all at once, impacting skill sets currently in place within the organization and succession planning.”

“If a so-called ‘black swan’ or an event you have little control over occurs, chances are the first time it happens you’ll be forgiven. However, an inappropriate response won’t be. It almost doesn’t matter what the crisis is, focus on a response that mitigates the impact to your customer and other stakeholders and then the company.”


30

Risk Management Program

According to the Institute of Risk Management (IRM), risk management is defined as the systematic process of understanding, evaluating and addressing risks to maximize the chances of objectives being achieved and ensuring organizations, individuals and communities are sustainable. Risk management also exploits the opportunities uncertainty brings, allowing organizations to be aware of new possibilities. Essentially, effec-tive risk management requires an informed understanding of relevant risks, an assessment of their relative priority and a rigorous approach to monitoring and controlling them. With this definition in mind, do you have a documented risk management program?

31Risk Management Program

0% 20% 40% 60% 80% 100%

No, we do not have a risk management program at all

Don’t know

Yes, our organization has a robust and advanced risk management program

Yes, we have a somewhat developed risk management program

Yes, we have a minimally developed risk management program

44%

15% 37% 28%

2%

2%

3%

1%

1%12%

27%

28%

35%

9%

4%

28%

6%

19%

21%

6%

28%

44%

67%

30%

41%

8%

8%

40% 12%

51%

30%

22%

36%

8%

21%26%

under $100M

TOTAL


$1B or above

BY

CO

RP

OR

AT

E E

NT

ITY

BY

RE

VE

NU

E S

IZE

Private


NGO

Public

Do You Have a Documented Risk Management Program?

“We assess our risk profile at least quarterly, but, the more meaningful and deep assess-ment of whether they are within risk appetite is best when it’s an integral part of business planning. If it happens in a separate exercise, significant value is lost.”


When it comes to actively managing risk, 80% of organizations have some level of program in place, ranging from one that is robust and advanced (15%), to somewhat developed (37%) and minimally developed (28%). A robust risk management program is most likely to be found at the largest organizations by revenue (44%) or public companies (28%).

Participants reported similar percentages of implementation of a risk manage-ment framework: 16% had one fully implemented and 54% had one partially implemented. More than a quarter (28%) however have not implemented a risk management framework.


For those 61% of respondents whose organizations have adopted a framework, less than half are using COSO (Committee of Sponsoring Organizations of the Treadway Commission) with the second most popular being ISO 31000. Inter-estingly, many indicated they were using an ‘other’ framework, such as the one developed by Office of the Superintendent of Financial Institutions (OSFI) for financial institutions, and many were using an internally created framework, sometimes with guidance from the organization’s parent.

Which Risk Management Framework Has Your Organization Adopted?

No framework adopted 39%

COSO Enterprise Risk Management — Integrated Framework 28%

Other — please specify: 19%

ISO 31000 Risk Management — Principles and Guidelines on Implementation 8%

Standard & Poor’s ERM 3%

FERMA (Federation of Enterprise Risk Management — European Risk Management Association) A Risk Management Standard

1%

BS 31100 Code of Practice for Risk Management 1%

OCEG Red Book 2.0 (GRC Capability Model) 0%

Total 100%

As a result, our interpretation of the survey results is that the degree to which a risk management program is documented is closely aligned with the applica-tion or implementation of a risk management framework.

“In our commercial and wholesale divisions we do have documented risk. In our consumer division, it’s a lot less formal but we’re aware of it and we manage it on an individual basis.”

Lenny Eichler — CFO, Distributel

“We have a documented risk process and we brought in a Chief Risk Officer about one and a half years ago. Based on our benchmarking at that time, that’s fairly unique among municipal governments, it’s not been something that has been a formal process. So we expect to see change across the country.”

Patrice Impey — CFO, City of Vancouver

“We do not have a formal documented process. We are a private company, but it does not mean that we do not go through the same procedures. We just do not invest the same amount of resources on documenting things.”

John Forester — CFO, DBG Canada Ltd.

http://www.osfi-bsif.gc.ca/Eng/Pages/default.aspx

33Risk Management Program

“A smaller organization that we worked with undertook an organizational review of their risks and then went about the process of setting up an enterprise risk management program. That was really enlightening because the organization had been doing some things well but informally. And so it was a real eye opener [for the company] to go through a formal process and engage employees in different divisions and different roles. The end result was a much more comprehensive approach to risk management than had previously existed.”

Karen Horcher — Consultant, Hedge Rho Management Inc.

The existence of a CRO or equivalent, either fully or partially, is linked to com-pany size and corporate structure. Overall, 61% do not have such a role but in organizations with less than 100 employees, that figure jumps to 75%. This is a striking contrast to organizations with over $1B in revenue, where only 27% of them reported not having a CRO at all while 44% have at least one fully dedicated person for this role.

Where the CRO position exists, just under half report to the CEO (47%). If not reporting to the CEO, this position is likely to report to either the CFO (21%) or directly to the board of directors (18%).

Who Is and Who Should Be Primarily Responsible for Risk Management?More than one-third (34%) believe that senior management as a group is responsible for the oversight of risk management, followed by the CEO (23%), the board (18%) and the CFO (15%).

Asked who should be primarily responsible for risk management, the respon-dents’ answers were similar: 33% stated senior management, 25% stated for each of the board and the CEO and 8% for the CFO. The largest shifts between the present and target situations were the declining role for the CFO (15% to 8%) and the roughly commensurate expansion of the board’s role (18% to 25%).


0% 20% 40% 60% 80% 100%

25% 25% 8% 7% 33% 2%

1%18% 23% 15% 9% 34%

CEO

Chief Risk Ocer (CRO) or equivalent

Other (please specify)

Board of directors

CFO

Senior management team, collectively

Primarily responsiblefor oversight of risk

management TODAY

Who SHOULD beprimarily responsible

for oversightof risk management

Who Is and Who Should Be Primarily Responsible for Risk Management

“I think the CFO is the person who is the best equipped and most professional in order to manage and do the oversight for risk.”

Ross Corcoran — CFO, Bantam Restaurant Group

“We actually have multiple boards and directors, because we own companies and are in joint ventures that have their own boards. There should be separate oversight structures aligned to the way you oversee your overall business. This is just another element of managing your businesses, so however you do the rest of it, you should generally follow the same approach with anything risk related. That’s what we do, so that particular boards deal with risks for their different units, and the monitoring gets more and more high level as you go up to avoid duplicating efforts.”

Senior Financial Executive

35

Conclusion

The world is becoming a riskier place for most businesses to operate and pros-per. The range of risks, significant and insignificant, likely and unlikely to occur, known and unknown, is growing and gaining prominence as organizations find it necessary or are required to publicly report data breaches, cyber attacks and unexpected operational short comings that were once simply described as “surprises.”

Canadian organizations have more work to do when it comes to recogniz- ing and managing risks. While most organizations are concerned with risk, a significant number (one in five) continue to operate without a risk program of any kind.

Perhaps unsurprisingly, more robust, institutionalized enterprise risk manage-ment programs are most common among large and public companies, where nearly one half have one in place. The percentages decline for smaller and private entities. Our survey found similar percentages for implementation of a risk management framework: 16% had one fully implemented and 54% had one partially implemented. More than one quarter (28%) have not implemented a risk management framework.

The survey results suggest more work has to be done to bolster oversight and operational responsibility for enterprise risk management by relevant levels and individuals in organizations, be they boards of directors, CEOs, CFOs, and the latest C-suite member, the CRO. This is supported by U.S. research from the “2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities”3 which found that demands for board and executive risk oversight continue to rise.

3 2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities. Retrieved June 24, 2015 from: www.aicpa.org/interestareas/businessindustryandgovernment/resources/erm/downloadabledocuments/aicpa_erm_research_study_2015.pdf

http://www.aicpa.org/interestareas/businessindustryandgovernment/resources/erm/downloadabledocuments/aicpa_erm_research_study_2015.pdf

http://www.aicpa.org/interestareas/businessindustryandgovernment/resources/erm/downloadabledocuments/aicpa_erm_research_study_2015.pdf


Enterprise risk management is still an emerging field for mid-sized orga-nizations. While it remains a mostly informal or ad hoc process for small organizations, it has been ingrained in strategy and initiatives by large organi-zations, both private and government entities, as well as Crown corporations.

What is becoming standard practice among large organizations with regards to risk management practices and standards will likely spread to smaller, private companies and NGOs as they seek to emulate their larger peers.

“Many companies tend to focus on the formal aspect of their risk frameworks, and I find that sometimes it creates a bit of a false sense of security. Even if you have a great risk framework and documented procedures, if you don’t have an open, transparent environ-ment in which people feel comfortable challenging ideas, and a communication mechanism to facilitate this, those formal processes simply won’t be as effective. Often, boards look at their organizations’ formal frameworks and processes and say `Okay, we’ve got all these great matrices and colourful heat maps,’ but what they really need to ask is what is the true corporate culture with respect to openness and transparency, and how does risk manage-ment fit within the broader strategic plan.”

Michael Kobrin, President, Michael Kobrin Consulting

37

APPENDIX A

Demographics

Corporate Structure

Public26%Crown

Corporation4%

Government2%

Other2%NGO

10%

Private56%


Primary Industry

0% 5% 10% 15% 20% 25%

Manufacturing

Finance and insurance

Mining, quarrying and oil and gas extraction

Wholesale trade

Construction

Retail trade

Utilities

Transportation and warehousing

Real estate and rental leasing

Health care and social assistance

Information and cultural activities

Educational services

Agriculture, forestry, fishing and hunting

Management of companies and enterprises

Arts, entertainment and recreation

Accommodation and food services

Other (please describe):

Administrative and support, wastemanagement and remediation services

Professional, scientificand technical services

21%

18%

9%

8%

7%

7%

4%

3%

3%

3%

3%

3%

2%

2%

2%

2%

1%

1%

1%

39Demographics

Position Title

CFO

Controller

VP Finance

Director of Finance

CEO

Treasurer

CRO (Chief Risk O�cer)

COO (Chief Operating O�cer)

Other

Founder, Owner,President or Principal

0% 5% 10% 15% 20% 25% 30%

30%

23%

12%

9%

6%

3%

2%

2%

2%

11%

Annual Revenue

$1B or above

$500M to less than $1B

$100M to less than $500M




less than $5M

0% 5% 10% 15% 20% 25%

11%

11%

12%

6%

19%

20%

21%


Number of Employees

more than 3,000

1,001-3,000

501-1,000

251-500

101-250

26-100

25 or less

0% 5% 10% 15% 20%

16%

15%

14%

11%

14%

10%

20%

Where Employees Reside — Geographic Regions [Select All That Apply]

0%

20%

40%

60%

80%

100%

Canada

99%

Other Countries

20%

United States

26%

41

APPENDIX B

Forum Participants

Forum Chair Victor Wells, Chair, Canadian Financial Executives Research Foundation (CFERF)

Moderators Laura Pacheco, VP, Research, FEI Canada

Robert Torok, Partner & Co-Founder, BetterVu

Vancouver Karen Horcher, Consultant, Hedge Rho Management Inc.

Patrice Impey, CFO, City of Vancouver

Robert McFarlane, Corporate Director & former EVP & CFO, Telus

Jeff Shickele, VP, Accounting, Amacon

Toronto Xerxes K. Cooper, CFO, IBM Canada

Dean Cosman, VP Finance & Administration & CFO, Canada Deposit Insurance Corporation

Brian Fiedler, CFO, Give and Go Prepared Foods Corp.

John Forester, CFO, DBG Canada Ltd.

Hubert Huang, VP, Risk Management, Brookfield Asset Management

Michael Kobrin, President, Michael Kobrin Consulting

Kerry Reinke, VP, Enterprise Risk Management, Group Risk Management, Manulife Financial


Montreal Ross Corcoran, CFO, Bantam Restaurant Group

Lenny Eichler, CFO, Distributel

Marc Malouin, CFO, DAC Aviation International

Winnipeg Bev Davies, VP, Enterprise Risk Management, Investors Group Inc.

Observers

Vancouver David Chiang, Senior Director, Member Services, CPA BC

Michael Conway, President & CEO, FEI Canada

Jan Sampson, EVP for Member Engagement for CPA BC

Todd Scaletta, Director, Research, Guidance and Support, CPA Canada

Toronto Gord Beal, VP Research, Guidance and Support, CPA Canada

Laura Bobak, Research and Communications Manager, FEI Canada

Gigi Dawe, Principal, Research, Guidance and Support, CPA Canada

Carol Raven, Principal, Research, Guidance and Support, CPA Canada

Paul Brent, Writer, FEI Canada

We gratefully acknowledge the efforts of our survey respon-dents and our round table participants who took valuable time away from their day jobs to participate in this research.

About CPA Canada The new Canadian designation, Chartered Professional Accountant (CPA), is now used by Canada’s accounting profession across the country. The pro-fession’s national body, Chartered Professional Accountants of Canada (CPA Canada), is one of the largest in the world with more than 200,000 members, both at home and abroad. The Canadian CPA was created with the unifica-tion of three legacy accounting designations (CA, CGA and CMA). CPAs are valued for their financial and tax expertise, strategic thinking, business insight, management skills and leadership. CPA Canada conducts research into current and emerging business issues and supports the setting of accounting, auditing and assurance standards for business, not-for-profit organizations and govern-ment. CPA Canada also issues guidance and thought leadership on a variety of technical matters, publishes professional literature and develops education and professional certification programs. www.cpacanada.ca

About Financial Executives International Canada (FEI Canada) FEI Canada is the all-industry professional membership association for senior financial executives. With eleven chapters across Canada and more than 1,600 members, FEI Canada provides its members thought leadership, advocacy services and extensive professional development opportunities — including its executive education offering, the CFO Leadership Beyond Finance program. The association membership, which consists of Chief Financial Officers, Audit Committee Directors and senior executives in the Finance, Controller, Treasury and Taxation functions, represents a significant number of Canada’s leading and most influential corporations. Further information can be found at www.feicanada.org. Follow us on Twitter at @FEICanada.

About the Canadian Financial Executives Research FoundationCFERF is the non-profit research institute of FEI Canada. The foundation’s mandate is to advance the profession and practices of financial management through research. CFERF undertakes objective research projects relevant to the needs of Canada’s senior financial executives in working toward the advancement of corporate efficiency in Canada. For more information, please visit www.feicanada.org.

https://www.feicanada.org/events/CFO-Leadership-Beyond-Finance/Program

The State of Enterprise Risk Managementin Canada

277 WELLINGTON STREET WESTTORONTO, ON CANADA M5V 3H2T. 416 977.3222 F. 416 977.8585WWW.CPACANADA.CA

the state of enterprise risk management in canada

Documents