Corporate Risk Management

Saskatoon, like all municipal governments, faces many types of risk, including strategic, operational, financial and compliance risks that, if not effectively managed, can impede the successful delivery of services and achievement of goals and objectives. Strategic risks are affected or created by an organization’s business strategy and strategic goals; operational risks affect an organization’s ability to execute its strategic plan; financial risks arise from financing activities and financial transactions; and compliance risks relate to legal and regulatory compliance.

 Proposed Risk Based Management Program,  Internal Audit Services – Request for Proposals
 Key Risks and Risk Based Management Update
 Update on Key Strategic Risks - 2016
 Update on Key Strategic Risks - 2017
 List of Key Strategic Risks - 2017

 2017 Year-End Update on Key Strategic Risks
 

In order to help ensure that the City of Saskatoon is protected from the negative effects of risk to the fullest extent possible, and realizes maximum positive results from its activities and efforts, a Risk Based Management policy has been developed.

  C02-040 Corporate Governance – Risk Based Management

Why does The City of Saskatoon have a Risk Based Management Program and Policy?

The intent of the City’s Risk Based Management Program is to promote a proactive risk management practice and culture within the City of Saskatoon; on an ongoing basis, we want to ensure any potential risks to the Corporation are dealt with - before they occur. Risk Based Management helps us to identify positive opportunities, key in our Strategic Goal of a Culture of Continuous Improvement with innovation and forward-thinking. This new program will help ensure the City is protected from the negative effects of risk to the fullest extent possible, help us to realize positive results from our activities and efforts, and ensure continuous improvement in the way we manage the City of Saskatoon. All Risk Based Management decisions made by City Council and Administration will be vetted against the Program so that the total Risk Based Management picture can be considered.

Is the City just starting to monitor and deal with risk? Why now?

The City has a number of policies, practices, and tools that it uses to efficiently manage our risk profile. Everything we do involves risk, and though the City already manages risk, we can be more strategic how we deal with risk as a corporation.

How will risks be assessed and prioritized?

The City’s logical Risk Based Management Program helps to identify, analyze, evaluate, treat, monitor and communicate any risks to the City, those that can impact any activities, functions, programs, or our service levels.

The City ranks and prioritizes potential risks using a risk assessment matrix that assesses the likelihood and potential impact of each scenario. Risks are categorized by organization impact, those that have organization-wide impact and those where the impact is more concentrated at the department level.

What was the role of PricewaterhouseCoopers?

The City contracted PricewaterhouseCoopers to assist with identifying the key strategic risks faced by the City. The identified risks were then tied to the Corporate Strategic Goals:

• Asset and Financial Sustainability
• Quality of Life
• Environmental Leadership
• Sustainable Growth
•  Moving Around
•  Economic Diversity & Prosperity

​ How will the Risk Based Management Program continue to move ahead?

The City has assigned identified risks to the appropriate department for monitoring and will be incorporating risk management into the City’s strategic and business planning cycles. Attention will be given to all items, but special efforts will be focused on higher priority items.

Over the coming months, additional risk assessments will be completed throughout the organization to gain an understanding about the operational, financial and compliance risks faced by the City. Further reports will be prepared outlining those risks and the actions that the Administration has already taken, and plans to take, to manage those risks.

What is The City’s current risk situation?

A strategic risk assessment was completed by the Administration and PricewaterhouseCoopers in 2015 to identify the strategic risks faced by the City. This list has been ranked by priority: high, medium and low. We are confident in being able to manage these risks to ensure we can continue to meet our strategic goals.
 

What is The City’s identified level of tolerance for risk?

The City’s level of risk tolerance will be identified in coming months. Tolerance levels will be set in consideration of relevant legislated requirements, corporate goals and objectives, and the principles and processes outlined in the City of Saskatoon’s Corporate Governance – Risk Based Management Policy

A key component of the Risk Based Management (RBM) Program was the establishment of a Corporate Risk Committee (CRC).  The CRC was established in early 2015 with the mandate “…to promote a proactive risk management practice and culture within the City of Saskatoon so as to assist with the achievement of corporate goals through the timely identification and effective treatment of corporate risk.”

The CRC consists of the Senior Administration (City Manager, General Managers of the four departments, City Solicitor, and Director of Government Relations), Fire Chief, Police Chief, and the Director of Corporate Risk.

The Terms of Reference for the CRC requires the Committee to report, on an annual basis, to the Standing Policy Committee on Finance and City Council a summary of risk management activity for each calendar year.  

 Administrative Report - Corporate Risk 2016 Annual Report

 Corporate Risk 2016 Annual Report

 Administrative Report - Corporate Risk 2017 Annual Report

 Corporate Risk 2017 Annual Report

To  help ensure risk management is incorporated into the decision-making process, the Administration needs to understand how much risk is acceptable, and unacceptable, as it pursues achievement of the City's strategic objectives.  This understanding is gained through establishment of risk appetite, which is defined as "the amount and type of risk that an organization is willing to accept in order to achieve its objectives."

Risk appetite sets the overall tone for risk taking in an organization and encourages consistency in the way risk is considered.  It is as much about setting expectations and encouraging well-considered risk-taking as it is about imposing constraints to avoid risks. 

 Corporate Risk Appetite

Since August 1999, the City of Saskatoon has outsourced its internal audit function.  The current contracted internal audit service provider is PricewaterhouseCoopers LLP. 

 Appointment of Internal Audit Services Request for Proposal – Five Year Contract 
 Proposed Internal Audit Administration Process & Amendments to Council Policy No. C02-032 

The Internal Auditor is required to establish, and update on at least an annual basis, a long-range plan for assurance audits based on a risk assessment.

 Internal Audit Plan 2015-2019 
 2016 Updated Internal Audit Plan – PricewaterhouseCoopers 

 2017 Updated Internal Audit Plan - PricewaterhouseCoopers

 2018 Internal Audit Plan

For each engagement, the Internal Auditor establishes objectives to address the risks associated with the activity under review, determines the procedures that will be performed and the scope (nature, timing and extent) of those procedures.  The engagement objectives are submitted to the Standing Policy Committee on Finance for approval.

The results of each assurance audit are documented in a formal report.  The report is discussed with management, incorporates management responses and includes target dates for implementation of recommendations.  Audit reports are tabled with and presented to the Standing Policy Committee on Finance.

The purpose, authority and responsibility of the Internal Audit function is formally defined in the Internal Audit Charter.

 C02-032 Internal Audit Charter