Enterprise Risk Management
Fort McMurray Public School Division is committed to ensuring that risk management practices are embedded into key processes and operations to drive consistent, effective and accountable actions and decision making in management practice and Board governance. Fort McMurray Public School Division’s Enterprise Risk Management (ERM) framework is consistent with the practices suggested by generally accepted global ERM standards frameworks.
ERM is designed to identify potential events/risks that may significantly affect the Division’s ability to achieve its mission, beliefs, standards and goals. Through the ERM process, identified risks are assessed based on likelihood and impact. Management processes and controls are used to provide reasonable assurance that significant risks are sufficiently mitigated to support the achievement of the Division’s goals.
ERM helps assess the Division’s appetite for risk (risk tolerance) and identifies gaps where identified risks are either over- or under-mitigated. This leads to the identification of opportunities and strategies to either close gaps where residual risk is higher than risk appetite or to reallocate resources from areas where residual risk is lower than risk appetite.
The end product of ERM includes a ranked risk register reviewed in developing the budget. ERM is an ongoing process with the administrative procedure and outcomes revisited and reported at least annually.
The purpose of the ERM Administrative Procedure is to establish ERM roles and responsibilities as well as the strategy of Fort McMurray Public School Division to manage its risks. The Division will identify and manage its enterprise risks in support of its vision, beliefs, standards, and goals. The Division cannot seek to eliminate risk; rather, it will support the identification, communication, and effective management of existing and emerging risks.
The following definitions will apply for the purpose of this administrative procedure:
Enterprise Risk Management (ERM): ERM is an integrated enterprise‐wide process established over time that links the management of risk to strategic goals in order to improve organization performance. It creates a formal process for managing the myriad of risks an organization faces. While ERM is not the same as a risk assessment, the assessment of risk is an integral part of an ERM process.
Risk: An internal or external event, activity or situation that impacts the ability of the Division to achieve its vision, beliefs, standards, and goals.
Enterprise‐wide Risks: For identification purposes, risks may occur in any one of the following categories: environment, facilities, financial, governance, government relations, human resources, information technology and support areas, managerial effort/capacity, operations, reputation, strategy and vision and student outcomes. Risks rated as high using division tolerance levels will be deemed enterprise‐wide risks.
Financial Risk: The ability of the Division to meet assumptions, principles, and priorities set in the annual budget.
Reputational Risk: Real or perceived event that has the ability to impact the public confidence in the Division.
Inherent Risk: The possibility that risks will prevent an organization from achieving its goals, before considering the processes and controls in place to manage or mitigate the risks.
Impact: Significance of a particular risk to the entity. The significance of a particular risk can range from insignificant to severe/catastrophic. The magnitude of the impact is determined with respect to an organization’s risk appetite, risk capacity, and organizational goals.
Likelihood (of Occurrence): Probability that a particular risk will occur. These probabilities range from rare to almost certain.
Manage: To control or take charge of risk(s) in order to avoid or minimize its adverse impact on the Division and to maximize its opportunity.
Mitigate: To lessen or minimize the adverse impact of risk(s) through specific management processes or internal control activities.
Optimize: To balance potential risks versus potential opportunities within the Division’s stated willingness or appetite and capacity to accept risk. This may require an organization to increase or decrease the amount of risk relative to the potential opportunity.
Residual Risk: Risk remaining after considering the effectiveness of management responses (i.e., processes and controls used to manage or mitigate the risks).
Risk Identification: The process of identifying and understanding potential risks to the Division.
Risk Management: The process of identifying, evaluating, selecting and implementing an action plan to avoid or mitigate threats and to leverage and maximize, where possible, risk opportunity.
Risk Monitoring: The process of reviewing and evaluating the effectiveness of the action plan implemented through the risk management process and identifying opportunities to minimize the future reoccurrence of similar risk.
Risk Opportunity: The return which may be realized if the risk is assumed but managed in a manner that maximizes its potential benefit.
Risk Appetite: Level of risk an organization is prepared to accept to achieve its goals and objectives (i.e., the level of tolerance for risk in a company).
Risk Owner/Leader: An individual that has been given the authority to manage a particular risk and is accountable for doing so.
Management Effort: The use of resources and implementation of processes to support the Division achieving its strategic goals.
Roles and Responsibilities
The following defines roles, accountabilities and responsibilities for: identifying and evaluating key risks; documenting and managing the response to key risks; facilitating appropriate risk/reward decisions at all levels of administration; communicating risks, and administrative responses and priorities to all relevant staff; and for governance of risk management at the Division.
Board of Trustees
The Board has ultimate responsibility for risk in the school division and therefore, the Board provides governance oversight of the Division’s ERM program. This responsibility is demonstrated through a review of at least the following items:
- Board Policy as it relates to the committee’s terms of reference, minimum annually
- Administration’s risk appetite/tolerance levels
- Administration’s risk register and risk assessment results for the Division’s top enterprise‐wide risks (minimum annually).
- Review Audit and Finance Committee Reports
Audit and Finance Committee
The Audit and Finance Committee (as a subcommittee of the Board) has certain delegated responsibilities for oversight of the ERM program from the Board. The Audit and Finance Committee is responsible for reviewing, and presenting to the Board as required, the following:
- Changes to the Division’s ERM framework.
- Administration’s risk appetite/tolerance levels
- Administration’s risk register and risk assessment results for the Division’s top enterprise‐wide risks.
- Action plans to address risk mitigations and opportunities identified as a high priority.
Superintendent of Schools
The Superintendent or designate is accountable to the Audit and Finance Committee and Board of Trustees with respect to ERM, and is responsible for ensuring the ERM framework approved by the Board is implemented and operational through:
- Championing risk management within the Division to ensure the Division remains focused on risk management.
- Integration of ERM into the strategic, business and operational planning and decision-making.
- Ensuring effective risk identification, risk assessment, risk management and risk monitoring processes within the Division.
- Consulting, as required, with the Division’s employees or external consultants to effectively manage all aspects of risk.
- Providing ERM status updates (either directly or via a designate) at every Audit and Finance Committee, and at least once per year to the Board of Trustees, on risk management activities, as well as if any significant risk changes or issues arise.
Associate Superintendent of Business and Finance (CFO)
The Associate Superintendent of Business and Finance is accountable to the Superintendent of Schools and is responsible for managing the implementation and maintenance of the ERM administrative procedure and framework by:
- Developing, monitoring and revising the ERM administrative procedure.
- Coordinating the risk identification, risk assessment, risk management and risk monitoring processes.
- Preparing status updates at least once per year to the Superintendent on risk management activities, as well as if any significant risk changes or issues arise.
Senior Leadership Team
The Senior Leadership team is accountable to the Superintendent and is responsible for:
- Active participation in the risk assessment process, including promoting the Division’s ERM Administrative Procedure and Framework as well as expectations for the management of risk.
- The formal identification of risks that impact the Division’s strategic goals and objectives.
- Assisting to rank risks, based on the Division’s impact and likelihood criteria.
- Monitoring progress in managing risks and implementing improvement opportunities.
- Reporting at Senior Leadership Team meetings on the status of risk items delegated to specific risk owners.
- Communicating the expectations of staff impacted by the identified ERM risks.
- Communicating ERM results to all staff
When identifying risks, consider:
- Current and future expected risks.
- Risks associated with recent internal changes in the business.
- Risks associated with external change in the business or political environment.
- The root causes for the risks (i.e., the source of the risk: why, how, and where the risk originates, either outside the organization or within its processes or activities) in order to achieve a more rigorous risk assessment and to better position the school division to manage the risks.
Use the risk categories below as a guide:
- Environment Health and Safety
- Financial (ex: government funding formula and the ability for the Division to achieve its budget and Annual Education Results Report (AERR))
- Human Resources
- Information Technology & Support Areas
- Governance (ex: Board Authority)
- Government Relations
- Managerial Effort / Capacity (ex: Human Resources, Teacher’s ability to teach all students)
- Reputational (ex: protecting privacy and cyber security)
- Strategy & Vision
- Student Outcomes
- Repeat identification cycle annually and on an ad-hoc basis as required for significant changes or new processes, programs and initiatives.
- The cycle identifies key risks on a functional or strategic basis which are then integrated to derive key enterprise-wide risks.
- Review of the risk list is on the Board’s agenda at least once per year.
- The Appendix attached contains specific examples of Education sector-specific risk categories.
- The Risk Assessment step identifies the significance of those risks that might affect the achievement of the Fort McMurray School Division’s goals.
- Risk assessment considers both the likelihood that an identified risk will occur and the impact that risk would have, if it did occur, on the achievement of the Division’s goals
- Risk assessment to be reviewed by the Audit and Finance Committee.
- The key result is that the risks identified are all placed on the heat map using an agreed-upon system. The “hotter” the placement of the risks, the more immediacy is attached to the risk.
First, assign a “likelihood” of happening to each of the identified risks by estimating the probability of the risk occurring during the planning horizon:
Rare: less than once every 10 years
Unlikely: once in 5-10 years
Moderate: once in 3 years
Likely: once in 1-2 years
Almost Certain: multiple times per year
The impact of the identified risk is assessed by estimating how the impact would be characterized if the risk occurred:
Insignificant - The consequences are dealt with by routine day-to-day operations.
Minor - The consequences would threaten the efficiency or effectiveness of some aspects of the school division, but would be dealt with internally.
Moderate - The consequences would not threaten the school division, but the administration of the school division’s strategy would be subject to significant review or changed ways of operating.
Major – The consequences would threaten the survival of the school division in its current form or the continued effective function of a strategic area, or would require the intervention by the Superintendent or the Board.
Catastrophic – The consequences would likely result in significant organizational or structural changes at the school division, or would likely cause major problems for the school division’s stakeholders or the Ministry of Education.
RISK ASSESSMENT MATRIX
|Impact Categories||Impact Factors|
|Financial||The financial impact of event is less than $50,000||The financial impact of event exceeds $50K, but is less than $250K||The financial impact of event exceeds $250K, but is less than $1.5M||The financial impact of event exceeds $1.5M, but is less than $5M||The financial impact of event exceeds $5M|
|Reputational||One negative article in one publication||Negative articles in more than one publication||Short term negative media focus and concerns raised by stakeholders||Long term negative media focus and sustained concerns raised by stakeholders||Stakeholders lose faith in management or Trustees|
|Managerial Effort / Capacity||Impact can be absorbed through normal activity||Some management effort is required to manage the impact||Can be managed under normal circumstances with moderate effort||With significant management effort can be endured||Potential to lead to the collapse of the organization|
|Government Relations||Routine ministerial inquiries||In-depth ministerial inquiries||Concerns raised by Ministry of Education||School division’s ability to deliver on mandate is questioned||Ministry loses faith in the organization|
|Legal||Legal action threatened||Civil action commenced / small fine assessed||Criminal action threatened / moderate fine assessed||Criminal lawsuit commenced / significant fine assessed||Jail term of any length for a Trustee / Superintendent multiple significant fines assessed|
|Student Outcomes||Immaterial impact on student achievement||Student achievement metrics begin to show a decline||Parents complain about student achievement||Overall student competency levels are below standards||Inability to satisfactorily deliver curriculum or key programs|
- Heat Mapping:
Each risk is mapped according to its likelihood of occurring and the impact of it occurring:
|Likelihood / Impact||1 Insignificant||2 Minor||3 Moderate||4 Major||5 Catastrophic|
|5 Almost Certain||5||10||15||20||25|
|4 Likely||4||8||12||16||20|
|3 Moderate||3||6||9||12||15|
|2 Unlikely||2||2||6||8||10|
|1 Rare||1||2||3||4||5|
- For example: a “snow day” is an event that is almost certain to happen (5), but has an insignificant impact (1) on achieving the Board’s strategic goals and so would be rated as a 5 x 1 = 5, or yellow level risk.
Each identified risk will be assessed using this heat map. The outcome of the risk assessment will clearly show which risks need the most attention. The risk assessment process can be conducted in three ways:
- collaboratively between the Senior Leadership team and the Audit and Finance Committee, or
- in parallel, with each group conducting separate assessments and then comparing outputs, or
- solely through the Senior Leadership team to assess the risks and report the outputs to the Audit and Finance Committee.
Risk Mitigation / Management
The Guidance chart below shows how the four risk responses correlate to the Heat Map:
Guidance on Risk Mitigation / Management
|Risk Rating||Action Required|
|Extreme (16-25)||Mitigate, Transfer or Avoid. Immediate attention required. The action plan developed by risk owner|
|High (10-15)||Mitigate or Transfer. Action plan for mitigation or transfer developed by risk owner/leader.|
|Moderate (5-9)||Accept or Mitigate. Action plan for mitigation developed by risk owner/leader.|
|Low (1-4)||Accept and monitor. No further action required.|
- Accept – school division accepts, manages and monitors the level of risk and takes no action to reduce the risk (e.g. cost of mitigation is greater than the benefit).
- Mitigate – school division accepts some risk by implementing control processes to manage the risk within established tolerances.
- Transfer – school division transfers the risk to a third party (e.g. obtaining insurance).
- Avoid – school division feels the risk is unacceptable and will specifically avoid the risk (e.g. cease the activity).
- The Audit and Finance Committee’s ongoing role in this section is to monitor activity, through receiving reports, in order to support the Senior Leadership Team decision making practice and process to rank identified risks.
- The Administration’s role is to develop risk controls, or risk mitigation plans and report on the implementation and impact of those controls.
- Further, these risks are assigned “Risk Leaders” (the most responsible Principal/Supervisor) who are responsible for specific mitigation activities and the related reporting functions.
At a minimum, upon the completion of the annual risk assessment process, as noted in the Roles and Responsibilities for ERM section above, the following is reported to the Board of Trustees:
- Prioritized risk register displaying the top organization-wide risks;
- The corresponding key risk mitigation processes or controls; and
- Any strategies that were developed to address key risks that were determined to be insufficiently mitigated.
At least once per year, the school division will engage in high-level reviews of the risk register. The following is reported to the Board:
- That the review has been undertaken;
- Any new risks that have been identified, including ranking the new risk based on the likelihood and impact heat map; and
- Significant changes in existing key risks or mitigation processes.
Any discussions of risk that occur within externally facing reports, such as the AERR and/or Budget, should be consistent with the annual risk assessment results. That is, the identification of risks for external disclosure purposes should not be a completely separate process from the regular risk management process with different key risks being identified in external reporting.
- Internal reporting
APPENDIX A – RISK EXAMPLES
|1||Financial||Government funding formula||There is a risk that the government's education funding formula does not provide a predictable, stable funding level, and may not appropriately reflect the school division's needs based upon its diverse makeup of students compared to other school divisions.|
|2||Human Resources||Teachers' ability to teach all students||There is a risk that teachers may not be prepared or able to teach the diverse members of the student body and also achieve good educational outcomes for all students (FNMI, ELL, special needs).|
|3||Operations||Supporting FNMI students||There is a risk the school division may not have sufficient tools and resources to support FNMI (First Nations, Métis and Inuit) students to achieve desired educational outcomes.|
|4||Operations||Delivery of Quality Education||The current growth and change in the makeup of student population (diversity; ELL; French immersion; special needs) results in a variety of risks to the delivery of quality education to all students (facility capacity, busing, class size, front-line staff equipped to teach diverse students, parent and society expectations, etc.).|
|5||Governance||Board authority||There is a risk that the Board remains responsible for operations and educational outcomes, but has lost significant information and autonomy to act given that much decision making authority has transferred to the provincial and municipal governments (e.g., funding model; setting mill rates; Ministry strategic plan; setting school calendar and total hours of instruction).|
|6||Reputation||Ethical breaches by front line staff||There is a risk that ethical breaches by teachers or other front-line staff will result in reputation damage, possible legal or financial penalties, or parents switching students to other school divisions.|
|7||Facilities||Facility maintenance capacity||There is a risk the school division may not have the operational resources (funding or staff) to adequately maintain all of its schools in the future, resulting in further facility degradation, a sub-optimal teaching environment, and higher capital costs over the long-term for major repairs and replacements.|
|8||Operations||Child safety risk||There is a risk that incidents regarding the safety of children, including violence and threats, within care takes significant resources to prevent and manage, and could result in reputational damage, financial costs or legal action. (For example, prekindergarten transportation)|
|9||Facilities||Quality of facilities||There is a risk that space constraints in, and overall facility quality of, schools may result in a lower quality of education delivered to students (i.e., many schools over-capacity; teaching is occurring in spaces not intended for classrooms).|
|10||Human Resources||Front line succession planning||There is a risk the school division will not be able to hire a sufficient number of high-quality administrators (i.e., supervisors, Principals and Vice-principals), teachers, education assistants and other front-line staff as long-tenured staff retire.|
|11||Operations||Performance management - student outcomes||There is a risk the school division may not have effective and robust processes or tools to measure student outcomes (from students, parents and staff) in order to keep improving good practices and cease ineffective practices.|
|12||Reputation||Privacy and cybersecurity||There is a risk the school division may be the subject of a cybersecurity breach or internal leak resulting in the loss of private or confidential information, resulting in reputational damage, loss of credibility and possible legal action.|
|13||Operations||Demonstrating educational performance||There is a risk the school division may not appropriately understand the outcomes required to achieve the curriculum and demonstrate that it is truly being taught in order to achieve its educational goals and pass ministry assessments.|
|14||Support Areas (including IT & Admin)||Continuity planning||There is a risk the school division may not be able to provide appropriate educational continuity or emergency response to manage plausible events (hazards; catastrophes; pandemics) while managing the cost of continuity planning.|
|15||Facilities||School closures for safety reasons||There is a risk that if the school division had to close all or a significant portion of one or more schools for safety or structural reasons, there would be significant challenges getting students to, and accommodating them at, other facilities.|
November 25, 2020
Adopted from The Saskatchewan School Boards Association (SSBA), League of Educational Administrators, Directors and Superintendents of Saskatchewan (LEADS) and Saskatchewan Association of School Business Officials (SASBO).
Section 52, 53, 142, 222 Education Act