Governance, Risk, and Compliance
Redesigning Frameworks to Integrate a Resilient Corporate Governance and Risk Culture
Panel Session: Developing Risk Appetite and Maturity by Building a Positive Risk Culture
Shannon Devane, Manager, Risk Management and Registration Services, City of Vaughan
Julie Bastarache, Director General, Evaluation and Integrated Risk Management, Public Services and Procurement Canada
Beth Robb, Director, Enterprise Risk Management, Alberta Health Services
Melanie Rousseau, Chief Risk Officer and Director, Risk and Business Continuity Management, Alberta Environment, and Parks
Risk in a Post-Pandemic World
The profile of many workplaces all over the world has changed as a result of the pandemic. Most organizations previously conducted risk assessments and planned for the future, but a global pandemic was generally unforeseen and has forced many businesses and public sector institutions to re-assess and re-prioritize some of their practices, and to better incorporate risk into their planning. For instance, Beth Robb, the Director of Enterprise Risk Management at Alberta Health Services (AHS), says that risk now, more than ever, is about “ensuring that you’re taking a holistic view of the environment and the context in which your organization is operating in.” This is particularly important at an institution like AHS because it is “a fully diversified conglomerate,” and the pandemic has made it “even more complex.” Even with nine years of experience at AHS, she says the past year has been the most difficult. Risk, in general, is about “paying attention to the key and critical success factors and the underlying assumptions.” Normally these change only marginally and risk managers spend a lot of time looking into the details of how things do or should work. “But digging into the details is probably not where risk managers need to spend their time these days to be effective.” Now it is much more about enterprise risk management.
Melanie Rousseau, the Chief Risk Officer and Director of Risk and Business Continuity Management at Alberta Environment and Parks (AEP), says that in recent years, and undoubtedly exacerbated by the pandemic, risk has become about “providing risk input to our decision-makers on the issues of the moment, like vulnerability and uncertainty, and not necessarily just on what’s going to happen down the road. This has changed a lot of our thinking.” This is important in an organization like AEP because “we cover everything from environmental protection to social protection, health, and public safety, to economic development and recreation in every possible landscape.” They have “2,000 employees and over 175 facilities.” Being able to keep these running even through COVID-19 has been critical.
Julie Bastarache, the Director-General of Evaluation and Integrated Risk Management at Public Services and Procurement Canada (PSPC), says “the last year has shifted the way we do things and what we prioritize.” PSPC is the “procurement arm of the government of Canada,” apart from other things, so getting risk and procurement right is very important. For Julie in particular this has extra significance because she comes from a background of working at the Red Cross following the Haiti earthquake and tsunami. “Based on lessons I learned from that, I came to PSPC two years ago in order to rebuild the risk management culture.” In that time it has become clear that the industry has changed, especially in light of the pandemic. People are now asking different questions and are thinking differently about risk and how it affects them. Some of these things will become even more evident after the pandemic passes.
Shannon Devane, the Manager of Risk Management and Registration Services at the City of Vaughan in Ontario, says the field of risk has been evolving for a long time. Even her role used to be about “law, licensing, risk and registration services. Currently, it is called ‘risk management and registration services’ and soon it will be just about risk. This is because, at a municipal level in particular, “we’re striving to get to the point of having risk embedded into every role.” Apart from risk evolving, the municipal government has also changed. They now design community buildings, maintain parks, manage snow operations, amongst many other things. Given the nature of the operations, “everybody has to think about risk all the time. It has to be just baked in and embedded into the organization.” They are not quite at that embedded stage yet, but are getting close, with “champions at the senior leadership level,” and drivers across the organization.
”Across the public sector, there’s no one-size-fits-all approach to risk management. In fact, across all sectors of government there’s an increased demand for transparency, accountability and integrityJulie Bastarache, Director General, Evaluation and Integrated Risk Management, Public Services and Procurement Canada
Drivers of change and lessons from the pandemic
Obviously, COVID-19 has changed everything. But in the world of risk in Canada, things began changing well before the pandemic hit. Melanie Rousseau says that they realized that risk had to be part of every process, and thus developed “a logic model that asks what vision and big changes you want to see in the future, and how will you achieve that?” This creates thinking about outcomes and thus drives thinking about risk. It has been implemented across four areas of AEP, specifically: “public health and safety; environmental health and integrity; economic development; and recreational opportunities.” The tool helps them achieve outcomes in each of those areas, but importantly, also lets them see “the risks and what we need to get out of the way to achieve those outcomes.” In this case, details are important, but keeping them in the context of the bigger picture is what really matters.
In many ways, there is a “much greater linkage now between business continuity and enterprise risk management.” Previously, business continuity was “linked to emergency management responses.” Looking at things from a broader perspective “allows us to achieve our bigger outcomes.” Moreover, the other changes over time and over the course of the pandemic have been about “the difference between responsibility and accountability.” AEP looks after the water systems in Alberta, but municipal operators do the monitoring. Usually, there is a distinct differentiation between the roles, but during the peak of summer and COVID-19 last year, everyone came together to conduct essential services. Therefore “the accountability came back to us, even though we don’t have a role in what happens at the operational level.” Part of it stems from “competing mandates” and management.
Beth Robb says that being a health service, by nature they are (or were) “absolutely risk-averse.” At the same time, even before the pandemic – and especially since – innovation has become a big part of their industry. So there is a “big balancing act between the need to innovate and the need to take really smart risks.” In their industry, defining what smart risks are is the key to their success, and for them, it is often about taking enough risk to be creative and ground-breaking, but not so much that it could potentially cause harm. In the healthcare sector, “clinical ethics” also need to be part of these conversations, along with discussions about “practical and corporate services.”
“Our risk appetite conversations are some of the most complex and challenging conversations that we have, as well as being very important, inclusive and multifaceted.”Beth Robb, Director, Enterprise Risk Management, Alberta Health Services
Julie Bastarache says that “the public sector historically has been very rigid in its processes.” Over the years this has been changing slowly and now “we’re seeing a need for resiliency, adaptability, and flexibility,” concepts that were rarely spoken about in the public sector. Of course, like many things, these concepts became crucial during the pandemic, and “now is not the time to waste this crisis.” In essence, the risk is about value-adding and ensuring that there is resiliency built-in. “If we’re not adding value, why are we doing it?” The pandemic showed that not only is risk management important, but that “people can be comfortable taking on some risk.” Maybe that means they will be less compliant because they are comfortable doing things without a safety net, but transparency is also important. “In many ways, the pandemic has taught us that we all need to be better prepared and to be prioritize things differently. When the next crisis happens, we need to be better prepared.”
Preparedness though is not only about the emergency response. The PSPC is also the main landlord of government buildings, and before the pandemic, “there was a lot of push back whenever there was talk of working remotely.” Clearly, COVID-19 showed that not only can people work remotely, but that they can be at least as productive at home as they were in the office. This means “we need to question our preconceived notions and biases,” and need to be prepared for new scenarios. Risk is about having an appetite for certain things, whether they seem positive or not. Two years ago PSPC “didn’t have an articulated risk appetite statement.” It is a very diverse and large department so developing an overarching statement has been difficult, and certain parts of the department are more risk-averse than others. But the pandemic and other factors have led to the creation of a risk tolerance tool “that allows us to operationalize our risk appetite, and helps in making decisions.” They’ve also learned that “risk is not a bad thing; it is just uncertainty.”
Shannon Devane says that part of the reason why risk is changing is because of a change in mindsets. The pandemic “has shone a light on a lot of inequities and injustices in our society, and also on our own processes and how we operate.” For a long time, “people used to say that we’re just the insurance people. We’ve worked hard to turn that around. While insurance might be one thing we do, we’re so much more than that.” Now, particularly in a municipal government like theirs, a lot of what they do is about data, claims, risk, and importantly, culture. Ultimately, having a good culture and understanding why risk is important will allow it to be embedded.