School Board Audit Committee Training Module 2: Assessing Risk and Risk Management

Presentation transcript:


Session objectives
After completing this session you will:
- Understand the Audit Committee's responsibilities related to risk management
- Identify and assess the various types of risks: Governance; Service Delivery / Operational; Stakeholder Satisfaction / Public Perception; Human Resources; Financial; Legal & Compliance; Information Management; Technology
- Assess risk against likelihood and significance
- Understand the assessment of risk within the School Board Audit Universe
- Understand standard risk management techniques

Risk terminology
Definition of risk: risk is defined as "anything of variable uncertainty and significance that interferes with the achievement of organizational strategies and objectives". (Source: COSO)

Audit Committee duties related to Risk Management [ON Regulation 361/10 9(6)]
- To inquire about significant risks
- To review the School Board's policies for risk assessment and risk management and to assess the steps taken to manage such risks (i.e., internal controls, the adequacy of insurance)
- To perform other activities related to the oversight of the School Board's risk management issues or financial matters, as requested
- To initiate and oversee investigations, as appropriate

Risk categories
Collectively, Ontario's 72 District School Boards (DSBs) are responsible for the education of over two million students. School boards face a wide range of risks that must be managed in order to achieve the educational outcomes demanded by stakeholders. These risks may be categorized to facilitate the risk identification and management process. It is the responsibility of the Audit Committee to oversee the process used to assess risk and to be comfortable that significant risks are identified and emerging risks considered.
Categories: Technology; Operational; HR; Financial; Information Management; Public Perception; Governance; Legal & Compliance
An integrated approach to risk management is critical.

Risk type: Governance
The risk that the organization structure, accountabilities or responsibilities are not designed, communicated or implemented to meet the organization's objectives, and the risk that culture and management commitment do not support the formal structures.
Example of a governance risk that could potentially impact a DSB:
- Accountability and oversight: the risk that ineffective or undefined lines of authority may cause managers or employees to do things they should not do, or fail to do things they should.

Risk type: Service Delivery / Operational
The risk that ineffective and/or inefficient operations or interruptions to service delivery will impact the school board's ability to meet its goals and objectives.
Examples of operational risks that could potentially impact a DSB:
- Outcome achievement: the risk that academic outcomes will not be achieved due to an inability to effectively deliver the academic curriculum to the student population.
- Student experience: the risk of failing to deliver quality programs to students to allow them to develop the skills of lifelong learning.
- Personal security: the risk of failing to provide a safe and secure environment for students, educators, parents and other members of the school community.

Risk type: Stakeholder Satisfaction / Public Perception
The risk that the school board will not meet the expectations of the public, the Ministry of Education and other external stakeholders, and that the school board's actions will affect its public image.
Example of a stakeholder satisfaction / public perception risk that could potentially impact a DSB:
- Stakeholder engagement: the risk that stakeholders are not sufficiently engaged or do not provide the necessary oversight required to monitor and assess the organization.

Risk type: Human Resources
The risk that insufficient, inappropriate or unqualified staff are hired or retained, and that the turnover ratio of qualified staff is high.
Examples of potential people risks in the context of a DSB include:
- Recruiting and retention: the risk of failing to attract and retain personnel with the requisite knowledge, skills and experience to allow the DSB to effectively achieve its educational outcomes and business objectives.
- Attendance management: the risk of impacting curriculum delivery and incurring additional teaching costs due to unplanned or excessive educator absences.
- Succession planning: the risk of the DSB failing to appropriately anticipate and plan for the succession and renewal of key personnel, resulting in the inability to perform critical functions or the loss of organizational knowledge capital.

Risk type: Financial
The risk of financial loss caused by theft, incorrect financial reporting, fraud and/or the inability to meet budget requirements.
Examples of financial risks facing a DSB include:
- Budgeting and forecasting: the risk that unrealistic, irrelevant or unreliable budget and planning information, or inadequate knowledge of Ministry funding, may cause inappropriate financial conclusions and operational decisions.
- Accounting and financial reporting: the risk that transactions are not properly processed, reviewed, reported and disclosed, resulting in errors or omissions in financial reporting.
- Cash handling: the risk that cash is misappropriated, is not accounted for, or is not adequately safeguarded.
- Fraud: the risk of fraudulent activities (such as the misappropriation of assets) perpetrated by management, administrative employees, teachers or students, causing loss.

Risk type: Legal & Compliance
The risk that the school board will not be in compliance with legislation, regulations, contracts, guidelines and policy direction.
Examples of legal & compliance risks in the context of a DSB include:
- Compliance risk: the risk of the organization failing to comply with Ministry requirements or guidelines, resulting in corrective action and/or negative publicity.
- Legal risk: the risk of the organization failing to meet or adhere to legal obligations and/or violating statutory requirements.

Risk type: Information Management
The risk that school board information is incomplete, out of date, irrelevant or inappropriately disclosed.
Examples include:
- IM/IT strategy: the risk of a DSB failing to develop and implement an effective information management and technology strategy in order to meet the needs and requirements of multiple stakeholders.

Risk type: Technology
The risk that IT does not align with the business and does not support the availability, access, integrity, relevance and security of data.
Examples include:
- IT reliability and availability: the risk of information technology systems, business applications and telecommunications systems being unavailable to support operations.
- Data privacy, quality and integrity: the risk that there are inadequate controls in place to ensure the privacy, quality, integrity and accuracy of a DSB's electronic information.
- IT security: the risk of failing to appropriately secure a DSB's networks, systems and applications.

Discussion - Risk Categories
Identify other examples of risks affecting a DSB under the following categories: Governance; Service Delivery / Operational; Stakeholder Satisfaction / Public Perception; Human Resources; Financial; Legal & Compliance; Information Management; Technology.
How would these risks impact the Board? What can be done to prevent these risks from impacting the organization?

Assessing risk: likelihood and significance
Risk has two dimensions: likelihood and significance.
- Likelihood: the probability that the risk will occur and impact the organization
- Significance: the potential impact that the risk will have on the organization, should it occur
Significance can be rated using various criteria. For the purposes of the DSB risk assessments the following criteria are used:
- Reputational: how would the occurrence of the risk impact the school / DSB / Ministry's reputation?
- Financial: what would be the financial impact / consequences of the occurrence of the risk?

Assessing risk: likelihood and significance
[Risk map: significance of risk on the vertical axis, likelihood of occurrence on the horizontal axis; the upper-right quadrant is labelled "High Damage, High Likelihood".]

Exercise - Assessing Risk
In your groups, identify 8-10 risks that might prevent the workmen from meeting their objective (having lunch on top of the tall building). Using a flipchart, draw a risk map and map the risks to the appropriate quadrant.

Exercise - Assessing Risk
[Risk map: Significance vs. Likelihood, each axis running from Low to High, with the example risks plotted: losing balance, strong wind, building falling down, small birds hitting workmen, dropping lunch, losing hard hat.]

Assessing risk: inherent vs. residual Risk can be assessed on two levels, Inherent and Residual. Inherent risk is the assessed level of risk in the absence of internal controls. Residual risk is the assessed level of risk once internal controls are taken into account. Internal controls can aid in the reduction of both the likelihood and significance of risk.
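The two ideas on the preceding slides, the likelihood/significance risk map and the inherent-versus-residual distinction, can be made concrete with a small risk register. The following Python is an added example, not material from the training module: it scores each risk on a constructed 1..5 scale for both dimensions (the module itself only labels the axes Low and High), subtracts the points each internal control is assumed to remove to obtain residual risk, maps the result to a quadrant, and lists the risks that remain in the High/High quadrant after controls as candidates for a process review. All risk names, controls and scores below are constructed for illustration.

```python
"""Risk register scoring: likelihood x significance, inherent vs. residual.

Constructed example (not from the training module). Scales, control
reductions and sample risks are illustrative assumptions.
"""
from dataclasses import dataclass, field

SCALE_MAX = 5          # constructed 1..5 scale for both dimensions
HIGH_THRESHOLD = 3     # 3 and above counts as "High" on the risk map


@dataclass
class Control:
    """An internal control and how many scale points it is assumed to remove."""
    name: str
    likelihood_reduction: int = 0
    significance_reduction: int = 0


@dataclass
class Risk:
    name: str
    category: str          # one of the module's risk categories
    likelihood: int        # inherent likelihood, 1..SCALE_MAX
    significance: int      # inherent significance, 1..SCALE_MAX
    controls: list = field(default_factory=list)

    def inherent(self):
        """Assessed level in the absence of internal controls."""
        return (self.likelihood, self.significance)

    def residual(self):
        """Assessed level once internal controls are taken into account.
        Controls may reduce either dimension; neither drops below 1 because
        some risk is inherent in the activity and is simply retained."""
        like = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        sig = self.significance - sum(c.significance_reduction for c in self.controls)
        return (max(1, min(SCALE_MAX, like)), max(1, min(SCALE_MAX, sig)))


def quadrant(likelihood, significance):
    """Map a (likelihood, significance) pair to a risk-map quadrant label."""
    lik = "High" if likelihood >= HIGH_THRESHOLD else "Low"
    sig = "High" if significance >= HIGH_THRESHOLD else "Low"
    return f"{sig} significance / {lik} likelihood"


def score(pair):
    """Single ranking number: likelihood multiplied by significance."""
    likelihood, significance = pair
    return likelihood * significance


def rank_residual(register):
    """Risks ordered by residual score, highest first: the audit focus list."""
    return sorted(((r.name, score(r.residual())) for r in register),
                  key=lambda item: item[1], reverse=True)


def control_gaps(register):
    """Risks still High/High after controls: candidates for a process review."""
    return [r.name for r in register
            if quadrant(*r.residual()) == "High significance / High likelihood"]


def build_register():
    """Constructed sample register; names and scores are illustrative only."""
    patching = Control("Monthly patching of internet-facing systems", likelihood_reduction=1)
    backups = Control("Tested offline backups", significance_reduction=1)
    segregation = Control("Segregation of duties and daily cash reconciliation",
                          likelihood_reduction=2)
    return [
        Risk("IT security", "Technology", likelihood=4, significance=5,
             controls=[patching, backups]),
        Risk("Cash handling", "Financial", likelihood=3, significance=3,
             controls=[segregation]),
        Risk("Succession planning", "Human Resources", likelihood=2, significance=4),
    ]


if __name__ == "__main__":
    register = build_register()
    for risk in register:
        print(f"{risk.name:20} inherent {risk.inherent()} -> residual "
              f"{risk.residual()}  [{quadrant(*risk.residual())}]")
    print("Ranked by residual score:", rank_residual(register))
    print("Still High/High after controls:", control_gaps(register))
```

With the constructed values, cash handling drops from High/High to High significance / Low likelihood once segregation of duties is counted, while IT security stays High/High and is the one item the audit function would prioritise. The point the module makes is visible in the code: a control that only reduces likelihood (patching, segregation) leaves significance untouched, so a significant risk with a low likelihood is still worth tracking.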

Why should we assess risks?
Executing an organizational risk assessment is the first step in determining the focus of the internal audit function. It is completed to:
- Understand the risks within the environment in which the DSB operates
- Assess the potential likelihood and significance of the impact of these risks on the various processes undertaken by the DSB
- Identify the DSB's higher-risk processes

How is risk assessed? As part of the risk assessment process, the population of risks the DSB faces needs to be identified to understand how and where they could impact the organization. Using the risk categories as a guide, relevant sub risks in each category can be identified and assessed for applicability. As risks impact the organization in different areas, a top-down process view of the organization is required. This top-down, process view of the organization is referred to as the process universe.

[Figure: Example Audit Universe (example only)]

Executing a risk assessment
1. Define Process Universe
   Objective: to identify the DSB's major instructional and supporting activities
   Activities: conducted interviews, reviewed documentation and validated with stakeholders
   Deliverable: DSB Process Universe
2. Create Risk Framework
   Objective: to create a framework for assessing significant real and potential risks facing the DSB across business processes
   Activities: leveraged internal and external risk knowledge based on discussions, research and prior experience
   Deliverable: DSB Risk Framework
3. Assess Process Risk
   Objective: to assess the inherent risk of each process contained in the DSB's Process Universe in order to focus internal control documentation
   Activities: assessed process risk based on likelihood, financial impact and reputational consequences
   Deliverable: risk-ranked DSB Process Universe

[Figure: Risk Assessment Results (example only)]

What to do with the Risk Assessment Results?
Internal Audit should focus efforts and resources on the areas of highest perceived risk. Process reviews of higher-risk areas should be performed to:
- Identify and evaluate the internal controls currently in place within the DSB's current processes
- Find and remediate existing internal control gaps
- Promote the achievement of the DSB's objectives by strengthening processes and controls

Risk Management Techniques
- Avoidance: eliminate a service or an activity the organization considers too risky.
- Prevention or modification: reduce the likelihood of a risk (and related losses) occurring by changing the activity so that internal controls reduce the probability of risk occurrence.
- Mitigation: accept the risk but lessen the impact of losses, should they occur, through existing or additional internal controls.
- Retention: accept the risk (and its consequences) as is. Some risk is inherent in the activities of your operation.
- Transfer (sharing): transfer either the actual risk or the financial consequences of a loss to another party.

Leading risk management practices
- Applying risk management to manage transformation issues
- Aligning strategic planning with risk management
- Focusing on integration of risk management with existing business processes and initiatives
- Integrating dispersed risk management roles through a clear governance structure
- Developing key risk indicators to link risk management with performance measurement
- Performing controls reviews / audits to assess financial risks and controls
- Performing operational reviews
- Performing information technology risk assessments and reviews
- Instilling an "ethical", open culture by promoting risk management and enhancing the linkage to incident reporting
Some risk management techniques exist in the absence of an internal control.

Discussion - Risk
In groups, select a business process within the organization that your group members are familiar with. Identify the most important risks impacting this area. If these risks weren't managed, assess the likelihood of risk occurrence and the significance to the organization.