Enterprise Risk Management Update


Enterprise Risk Management Update
Item 4
February 12, 2019
Building Investment, Finance and Audit Committee

Report: BIFAC:2019-13

To: Building Investment, Finance and Audit Committee (“BIFAC”)

From: Senior Director, Fire Life Safety & Risk Management

Date: February 5, 2019

PURPOSE:

The purpose of this report is to provide an update on Toronto Community Housing Corporation’s (“TCHC’s”) Enterprise Risk Management (“ERM”) program, specifically for the year one (“Y1”) deliverables: risk profile, risk treatment plans, and risk appetite.

RECOMMENDATIONS:

It is recommended that BIFAC receive this report for information.

REASONS FOR RECOMMENDATIONS:

At TCHC, an ERM framework is utilized to systematically identify, assess, and monitor potential, actual, and emerging enterprise risk exposures. As well, identified risk exposures and their associated treatment and mitigation plans are used to inform enterprise-wide planning and risk-informed decision making, including being integrated as a key input into the development of the strategic plan, internal audit plan, and divisional business plans.

In 2017, the TCHC Board of Directors approved the three-year ERM refresh plan. As part of the 2018-Y1 deliverables, TCHC established its risk profile, risk treatment plans, and risk appetite.

In 2018, TCHC refreshed its risk profile through the ERM Committee (“ERMC”), whose membership includes TCHC Officers and the Executive Leadership Team (“ELT”). The TCHC risk profile includes 23 priority risk exposures (see Attachment 1, pages 5 to 9); however, ERMC further narrowed the list to the top 10 priority risk exposures, and subsequently appointed risk leads to each of the priority risk exposures to provide oversight on overall risk management.

The ERMC risk leads for each of the priority risk exposures were responsible for developing the corresponding risk treatment plans (see Attachment 1, pages 10 to 20), which included calibrating the risk statement for the specific priority risk exposures, as well as outlining the portfolio of risk treatments that use a combination of avoidance, mitigation, and transfer techniques.

The ERMC leveraged risk appetite statements to inform the dialogue on the amount and type of risk exposure that an organization is willing to seek or accept to achieve its objectives or desired outcomes. Specifically, ERMC members were engaged in establishing risk appetite statements for each of the priority risk exposures (see Attachment 1, pages 21 to 30).

SIGNATURE:

“John P. Angkaw”

John P. Angkaw
Senior Director, Fire Life Safety & Risk Management

ATTACHMENT:

1. Update: Enterprise Risk Management

STAFF CONTACT:

John P. Angkaw, Senior Director, Fire Life Safety & Risk Management
416-981-4318

Fire Life Safety & Risk Management
Update: Enterprise Risk Management

Building Investment, Finance, and Audit Committee
February 12, 2019

Item 4 - ERM 2018 Update
BIFAC Public Meeting - February 12, 2019
Report: BIFAC:2019-13, Attachment 1

Objectives

1. To provide an update on Toronto Community Housing Corporation’s (“TCHC’s”) Enterprise Risk Management (“ERM”) program, specifically regarding:

• Risk Profile;
• Risk Treatments; and
• Risk Appetite.

2. To outline next steps in advancement of the ERM refresh plan.


Part 1: ERM Background

Background

At TCHC, measures are taken to ensure there is appropriate oversight on the enterprise-wide risk profile. All priority risk exposures are identified and appropriate risk treatments are implemented to mitigate the exposures within the established risk appetite. This supports the advancement of the risk culture that shapes how risk decisions are made and enhances value to its shareholder and stakeholders.

TCHC utilizes an ERM framework to systematically identify, assess, and monitor potential, actual, and emerging enterprise risk exposures. As well, identified risk exposures and their associated treatment plans are used to inform enterprise-wide planning and risk-informed decision making, including being integrated as a key input into the development of the strategic plan, internal audit plan, and divisional business plans.

In 2017, the TCHC Board of Directors approved the three-year ERM refresh plan, which aimed to strengthen the posture of TCHC to address its current risk profile and to advance the risk culture. The ERM refresh plan focused on the following key components of the program:

1. Y1 - 2018: Governance;
2. Y1 - 2018: Framework;
3. Y2 - 2019: Policies & Procedures; and
4. Y3 - 2020: Integration.

In November 2018, the TCHC Board of Directors approved the inaugural TCHC ERM Policy.


Part 2: Risk Profile

[Figure: TCHC Risk Heat Map]

| Item | Priority Risks | Risk Domain | Risk Sub-Category | Score |
|---|---|---|---|---|
| ITS | Information Technology Systems | Resource | Information Systems | 19.31 |
| PS | Physical Safety | Business | Environment, Health & Safety | 18.05 |
| DGI | Data Governance & Integrity | Resources | Information Systems | 16.84 |
| M | Mandate | Business | Business Operations | 16.00 |
| OP | Operational Process | Business | Business Operations | 15.72 |
| HRP | Human Resources Process | Resources | Human Resources | 14.63 |
| C | Culture | Resources | Human Resources | 14.58 |
| G | Governance | Business | Governance | 13.27 |
| VM | Vendor Management | Business | Business Operations | 13.25 |
| B&R | Brand & Reputation | Business | Reputation & Public Image | 12.99 |
| FLS | Fire Life Safety | Business | Business Operations | 12.73 |
| RM | Records Management | Resources | Information Systems | 12.47 |
| SSC | Strategic Sourcing & Contracts | Business | Business Operations | 12.47 |
| PR | Privacy | Resources | Information Systems | 12.25 |
| CF | Capital Funding | Resources | Financial | 11.37 |
| OF | Operational Funding | Resources | Financial | 11.17 |
| NLR | Non-compliance with Legislations & Regulations | Compliance | Legislation, Regulatory, & Standards | 10.32 |
| OR | Organizational Resiliency | Business | Human Resources | 10.10 |
| SA | Strategic Alignment | Business | Business Operations | 10.08 |
| HS | Health & Safety | Compliance | Environment, Health & Safety | 9.42 |
| LR | Labour Relations | Resource | Human Resources | 7.25 |
| MR | Market Risk | Resource | Financial | 6.23 |
| SJV | Subsidiaries/Joint Ventures | Business | Business Operations | 5.18 |
| EH | Environmental Health | Business | Business Operations | NR |

TCHC Risk Profile

Bold = Priority Risk


| Item | Priority Risks | Definitions |
|---|---|---|
| ITS | Information Technology Systems | The risk that TCHC does not have the appropriate resources to support the evolving IT needs of the business. |
| PS | Physical Safety | The risk of violent crimes affecting the physical security of TCHC residents, staff or contractors. |
| DGI | Data Governance & Integrity | The risk that TCHC does not have accurate and consistent data to measure the value of our programs and services against our strategic objectives. |
| M | Mandate | The risk that TCHC’s mandate is not well understood by shareholder and stakeholders, and supported by external service-delivery partners. |
| OP | Operational Process | The risk that TCHC lacks documented business processes to ensure well-understood and efficient operations throughout the corporation. |
| HRP | Human Resources Process | The risk that TCHC lacks effective HR processes required to fairly and appropriately manage its workforce, as well as the ability to attract and retain top performing resources. |
| C | Culture | The risk that TCHC does not have effective change management processes in place to drive the change necessary to achieve an engaged workforce and deliver on our objectives. |
| G | Governance | The risk that TCHC is not recognized by shareholder as a wholly-owned and separate entity from the City of Toronto. |
| VM | Vendor Management | The risk in TCHC’s inability to have effective strategic sourcing and effective vendor management that deliver value for money and quality products and services. |
| B&R | Brand & Reputation | The risk to TCHC’s ability to effectively re-build its reputation and brand equity. |
| FLS | Fire Life Safety | The risk in TCHC’s ability to have a comprehensive Fire Life Safety program that enables effective coordination of key activities (e.g. audits, maintenance, compliance, education, communication) across business functions and the housing portfolio. |
| RM | Records Management | The risk that TCHC does not have a comprehensive records management program in place to ensure appropriate retention and storage of corporate documents. |


| Item | Priority Risks | Definitions |
|---|---|---|
| SSC | Strategic Sourcing & Contracts | The risk that procurement processes are not aligned to help TCHC deliver value for money and provide quality work to TCHC’s internal clients and tenants. |
| PR | Privacy | The risk that personal data of staff or residents may be breached, due to staff error or unauthorized access to third parties. |
| CF | Capital Funding | The risk that TCHC is unable to access the capital funding needed to maintain our assets or to fund our 10 year Capital Plan resulting in buildings falling into critical state of disrepair. |
| OF | Operational Funding | The risk of ongoing viability of TCHC operations due to operational funding gap, strategic use of funding, and incurring costs associated with implementing the Tenant First recommendations with no additional funding. |
| NLR | Non-compliance with Legislations & Regulations | The risk of non-compliance with legislation or regulation that can lead to a legal claim for which TCHC is found liable. |
| OR | Organizational Resiliency | The risk that TCHC does not have the adequate measures in place to prepare and respond to emergencies or service disruptions of varying scope and severity that may occur across the corporation. |
| SA | Strategic Alignment | The risk that divisional/business unit goals do not align with TCHC’s strategic goals. |
| HS | Health & Safety | The risk of harm/physical injury to TCHC residents, staff, or contractors where TCHC may be held liable. |
| LR | Labour Relations | The risk of ineffective negotiations with labour partners that may result in a strike or lock-out. |
| MR | Market Risk | The risk that the value of our investments will decrease due to changes in market factors. |
| SJV | Subsidiaries/Joint Ventures | The risk that TCHC does not have an adequate governance framework to oversee our subsidiaries. |
| EH | Environmental Health | The risk that TCHC does not have a plan to manage the potential impact of environmental health issues. |


Part 3: Priority Risks & Risk Treatments

Information Technology Systems
Priority Risk Rank: 1
Risk Lead: Vice President, Information Technology Services

Risk Statement

The risk that TCHC does not have the appropriate resources to support the evolving IT needs of the business.

Risk Treatment

Risk Response: Avoidance, Mitigation, Transfer

• Implement Integrated Housing Management Solution
• IT systems and support review
• IT risk assessment
• InfoSec penetration tests
• Enterprise Microsoft software upgrade
• Vendor support for IT systems
• Vendor partnership to enhance visibility
• Application compartmentalization in environment
• Intra-department knowledge management
• Employee cross-training
• Alignment of capacity with technology changes
• weapons to support network failure

Risk Drivers & Influence

[Figure: diagram; labels: Information Technology Systems, Culture, Operational Process, Data Governance & Integrity, Human Resources Process]

Physical Safety
Priority Risk Rank: 2
Risk Lead: President & Chief Executive Officer

Risk Statement

The risk of violent crimes affecting the physical security of TCHC tenants, staff or contractors.

Risk Treatment

Risk Response: Avoidance, Mitigation, Transfer

• Partnering with Toronto Police Services in which CSU has the authority to enforce municipal code
• Proposed changes to existing legislation to more effectively address anti-social behaviour
• Enforcing liquor license act on residential property policy
• Annual safety auditing in high risk communities
• Community Partnership with Crime Stoppers to assist with anonymous tips
• Use of 3rd party private security services in areas with high volume service calls
• Incorporating better technology with lighting and CCTV footage
• Training of CSU Advisors to obtain International Crime Specialist designation

[Figure: diagram; labels: Physical Safety, Culture, Health & Safety, Mandate]

Data Governance & Integrity
Priority Risk Rank: 3
Risk Lead: General Counsel & Corporate Secretary

Risk Statement

The risk that TCHC does not have accurate and consistent data to measure the value of its programs and services against our strategic objectives.

Risk Treatment

Risk Response: Avoidance, Mitigation, Transfer

• Data Governance Committee to provide oversight on
  o Project plan
  o Data inventory
  o Data repository
  o Data definitions
  o Data Warehouse
• Data Retention policy
• Record Management policy
• Utilize valid and current data for analysis and reports
• Validation of data in Asset Planner
• Data storage and access controls

Risk Drivers & Influence

[Figure: diagram; labels: Data Governance & Integrity, Culture, Operational Process, Records Management, IT Systems]

Mandate
Priority Risk Rank: 4
Risk Lead: Director, Strategic Planning & Stakeholder Relations

Risk Statement

The risk that TCHC’s mandate is not well understood by the shareholder and stakeholders, and supported by external service-delivery partners.

Risk Treatment

Risk Response: Avoidance, Mitigation, Transfer

• Redefine TCHC mandate within stakeholder agreement
• Collaborative framework with external agencies
• Shareholder/stakeholder direction and education
• Partnership tools to ensure alignment of ext. organizations
• Proactive/reactive shareholder/stakeholder engagement of TCHC mandate
• Proactive/reactive media engagement on TCHC mandate

Risk Drivers & Influence

[Figure: diagram; labels: Mandate, Culture, Operational Process, Subsidiaries/Joint Ventures, Strategic Alignment]

Operational Process
Priority Risk Rank: 5
Risk Lead: Senior Director, Service Integration & Delivery

Risk Statement

The risk that TCHC lacks documented business processes to ensure well-understood and efficient operations throughout the corporation.

Risk Treatment

Risk Response: Avoidance, Mitigation, Transfer

• Refresh of divisional standard operating procedures
  o Project plan
  o Communication plan
  o Education plan
  o Standardization toolkits Maintenance checklists & reminders
  o Corporate repository
• Divisional SOP Governance
  o Approval of top 10 divisional SOPs
  o Approval of divisional SOPs by divisional executive.
• SOP 3Y plan
  o Y1: Implement top 10 division and corporate reviews
  o Y2: Address corporate-divisional duplication/process
  o Y3: Conduct corporate check-in with divisions

Risk Drivers & Influence

[Figure: diagram; labels: Operational Process, Culture, Strategic Alignment, Records Management]

Human Resources Process
Priority Risk Rank: 6
Risk Lead: Vice-President, Human Resources

Risk Statement

The risk that TCHC lacks effective HR processes required to fairly and appropriately manage its workforce, as well as the ability to attract and retain top performing resources.

Risk Treatment

Risk Response: Avoidance, Mitigation, Transfer

• Operational systems and processes
  o Application tracking system
  o Taleo
  o HR information system
  o Talent connect
• Recruitment & Retention
  o Competency framework/Culture model
  o Psychometric evaluations for key roles
  o Targeted recruitment on social/web platforms/schools
  o Time-to-recruit target (10 wks.)
• Responsibility Pay policy
• Leadership Academy
• Employee engagement survey and action plans
• Planning: workforce, succession, retirement
• Compensation
  o CUPE 79 pay equity evaluation
  o Stabilizing the workforce – 1Y collective agreement
  o Salary market review and pay band adjustments
  o Annual salary surveys
  o New policy around adjusting pay band annually

Risk Drivers & Influence

[Figure: diagram; labels: Human Resources Process, Culture, Health & Safety, Labour Relations]

Culture
Priority Risk Rank: 7
Risk Lead: President & Chief Executive Officer

Risk Statement

The risk that TCHC does not have effective change management processes in place to drive the change necessary to achieve an engaged workforce and deliver on our objectives.

Risk Treatment

Risk Response: Avoidance, Mitigation, Transfer

• 2019-2022 strategic plan
• Employee engagement surveys and action plan
• Goals and objectives cascade to all staff level
• Leadership development
• Stability in organizational leadership

Risk Drivers & Influence

[Figure: diagram; labels: Culture, All Priority Risks]

Strategic Sourcing & Contracts
Priority Risk Rank: 8
Risk Lead: Chief Financial Officer & Treasurer

Risk Statement

The risk that procurement processes are not aligned to help TCHC deliver value for money and provide quality work to TCHC’s internal clients and tenants.

Risk Treatment

Risk Response: Avoidance, Mitigation, Transfer

• Bonfire procurement system
  o Direct vendor submission to RFPs
  o Direct evaluation submission for RFPs
  o Enhance ability to monitor variance
• Master repository of TCHC vendors system
• Master repository of TCHC vendor evaluations
• Procurement Law refresh through retained firm
  o Paul Emanuelli

Risk Drivers & Influence

[Figure: diagram; labels: Strategic Sourcing & Contracts, Vendor Management, Records Management, Strategic Alignment, IT Systems, Operations Process]

Non-Compliance with Legislations & Regulations
Priority Risk Rank: 9
Risk Lead: General Counsel & Corporate Secretary

Risk Statement

The risk of non-compliance with legislation or regulation that can lead to a legal claim for which TCHC is found liable.

Risk Treatment

Risk Response: Avoidance, Mitigation, Transfer

• Centralized compliance repository and tracking system
• Legal review within TCHC departments/functions to ensure compliance with appropriate legislations and regulations
• FM oversight on the compliance with municipal licenses and standards (MLS) bylaws
• FLS oversight on monitoring fire safety compliance and notice of violations from Toronto Fire Services (TFS)
• Compliance certificates every fiscal quarter to acknowledge compliance with WSIB and payroll.
• Retention of external firms to ensure adherence to fire safety compliance codes (e.g. Eurotech, Greater Toronto Fire Protection).

Risk Drivers & Influence

[Figure: diagram; labels: Non-Compliance w Legislations & Regulations, Records Management, IT Systems, Privacy, Operations Process]

Environmental Health
Priority Risk Rank: 10
Risk Lead: Vice-President, Asset Management

Risk Statement

The risk that TCHC does not have a plan to manage the potential impact of environmental health issues.

Risk Treatment

Risk Response: Avoidance, Mitigation, Transfer

• Annual inspections determined by OU.
• Units are assigned a priority level from 1-5 and examined for clutter, mold, pest, fire safety.
• Specialized environmental health team (12 inspectors) with licensed/certification in pest management, asbestos, mold investigation, termites and West Nile Virus.
• Interior unit conditions – hoarding/sanitation is co-managed by Asset Management and Tenant Community Services; inspectors case manage as needed.
• Partnership with a Memorandum of Understanding with Toronto Public Health (assist TCHC as needed if additional resources needed)

Risk Drivers & Influence

[Figure: diagram; labels: Environmental Health, Non-Compliance w Leg/Reg., Health & Safety, Physical Safety, Operational Funding]

Part 4: Risk Appetite


What is Risk Appetite?

• It is the amount and type of risk exposure that an organization is willing to seek or accept to achieve their objectives or desired outcomes.

• It is considered with the potential/actual risk exposure(s) of derailing the achievement of objectives or desired outcomes.

• It is often formalized and conveyed to the organization via risk appetite statements.

What are the benefits of considering Risk Appetite?

• Communication: It clearly and concisely articulates the organization’s attitude towards risk taking throughout the organization.

• Resource Alignment: It allows more effective allocation of resources to manage risks and inform enterprise-wide strategic decisions.

• Measurement: It can be an enabler to develop metrics that can ensure that an organization is staying within its risk appetite and needs to take corrective actions.

• Prioritization: It can support and inform the prioritization and response to risk exposures in a consistent fashion.


Risk Appetite Scale

| Very Low (Risk Avoid) | Low (Risk Averse) | Moderate (Risk Neutral) | High (Risk Tolerant) | Very High (Risk Seeking) |
|---|---|---|---|---|
| Takes extreme caution and often accepts as little risk as possible | Takes a cautious approach towards risk taking | Takes a balanced approach to risk taking | Takes a greater than normal approach to risks | Takes aggressive risk taking actions and feels it is justified |
| Not willing to take any risks | Not willing to take justified risks | Preference for safe-delivery | Willing to take strongly-justified risks | Willing to take justified risks |
| Willing to accept an extremely low amount of uncertainty | Willing to accept a low amount of uncertainty | Accepts a limited amount of uncertainty | Expects some uncertainty | Fully expect and accept uncertainty |
| Willing to accept lowest risk option all the time | Willing to accept if essential and limited possibility/extent of failure | Willing to accept if limited and outweighed by benefits | Will choose to put objective at risk but manage impact | Will choose option with the highest return |

Risk Category: Human Resources
Risk Domain: Resources

Risk Appetite Statements

1. TCHC will have a very low risk tolerance for fraud, harassment, discrimination, or violation of the code of conduct; and

2. TCHC will have a moderate risk appetite in pursuit of a strong and positive culture and employee engagement in support of the organization’s mandate and values.

Risk Appetite Scale: Very Low (Risk Avoid), Low (Risk Averse), Moderate (Risk Neutral), High (Risk Tolerant), Very High (Risk Seeking)

• All fraud, harassment, discrimination, and misconduct will not be tolerated.
• Mandatory and/or consistent disciplinary actions, including up to termination from the corporation.
• Conservative approach to advance positive culture and employee engagement where change will be perceived as a negative impact on cost, resources, capacity, and morale.
• Conservative approach to pursue culture shift and employee engagement where other initiatives take priority.
• Thoughtful approach to managing fraud, harassment, discrimination, misconduct, up to performance management.
• Thoughtful approach to a strong and positive culture and employee engagement, where change is proportionate to costs, resources, and capacity.
• Tolerance for some/any fraud, harassment, discrimination, and misconduct up to a certain threshold.
• Modest disciplinary actions, which includes a non-punitive approach, counselling or education.
• Aggressively pursue culture shift and employee engagement, where benefits outweigh costs, resources, capacity, and morale.
• Aggressively pursue culture shift and employee engagement as the top priority initiative.

Risk Category: Financial
Risk Domain: Resources

Risk Appetite Statements

1. TCHC will have a moderate risk appetite to explore additional efficiencies and alternative revenue streams; and

2. TCHC will remain fiscally responsible and continue to work towards financial sustainability to ensure the delivery of its strategic goals and objectives. In doing so, TCHC will have a very low risk appetite for irresponsible use of corporate resources.

Risk Appetite Scale: Very Low (Risk Avoid), Low (Risk Averse), Moderate (Risk Neutral), High (Risk Tolerant), Very High (Risk Seeking)

• Not willing to explore efficiencies and alternative revenue streams, as it will result in perceived negative impact on resources, capacity, and morale.
• Explore traditional areas (e.g. services, resources) to pursue efficiencies and alternative revenues.
• Irresponsible use of corporate resources will not be tolerated.
• Mandatory and/or consistent disciplinary actions, up to termination from the corporation.
• Thoughtful approach to ensuring financial stability to achieve goals and objectives, by considering enterprise-wide priorities and impact.
• Thoughtful approach for irresponsible use of corporate resources, up to performance management.
• Aggressively seek efficiencies and alternative revenues where benefits outweigh resources, capacity, and morale.
• Aggressively pursue innovative or non-traditional methods (e.g. partnerships, services) to gain efficiencies and alternative revenues.
• Tolerance for some/any irresponsible use of corporate resources up to a threshold.
• Modest disciplinary actions, includes a non-punitive approach, counselling or education.

Risk Category: Information System
Risk Domain: Resources

Risk Appetite Statements

1. TCHC will have a very low risk appetite for any inappropriate or irresponsible use of information systems and/or confidential/personal information in the organization; and

2. TCHC will have a high risk appetite to explore opportunities for information system enhancements that would improve data quality and integrity, system integration and/or efficiencies.

Risk Appetite Scale: Very Low (Risk Avoid), Low (Risk Averse), Moderate (Risk Neutral), High (Risk Tolerant), Very High (Risk Seeking)

• Any irresponsible use of information systems and/or CI/PI will not be tolerated.
• Mandatory and/or consistent disciplinary actions, including up to termination from the corporation.
• Very conservative approach to improve data quality and integrity, system integration and/or efficiencies where change will be perceived as a negative impact on cost, resources, capacity, and morale.
• Leverage traditional tools/systems or develop in-house tools/systems.
• Thoughtful approach for any irresponsible use of information systems and/or CI/PI, up to performance management.
• Thoughtful approach to enhancing information system enhancements, where change is proportionate to costs, resources, and capacity.
• Tolerance for some/any irresponsible use of information systems and/or CI/PI up to a certain threshold.
• Modest disciplinary actions, which includes a non-punitive approach, counselling or education.
• Aggressively exploring non-traditional tools/systems (e.g. partnerships, services) for system and capacity enhancements.
• Pursuing new technology, tools, systems to improve data quality and integrity, system integration and/or efficiencies.

Risk Category: Physical Assets
Risk Domain: Resources

Risk Appetite Statements

1. TCHC will have a moderate risk appetite to ensure that all of the organization’s properties are clean, safe, and well-maintained for all tenants and communities;

Risk Appetite Scale: Very Low (Risk Avoid), Low (Risk Averse), Moderate (Risk Neutral), High (Risk Tolerant), Very High (Risk Seeking)

• Very conservative approach and status quo in managing resources, capacity, and partnerships to ensure that properties are clean, safe, and well-maintained.
• Adopting a reactive approach with preventative maintenance.
• Thoughtful approach to ensuring our properties are clean, safe, and well-maintained by considering costs and materials for maintenance.
• Aggressively willing to explore enhanced resources, capacity, or partnerships to ensure that properties are clean, safe, and well-maintained.
• Adopting a proactive and/or innovative approach (e.g. utilization of new software, methods, tools) with preventative maintenance.

Risk Category Risk Domain

Health & Safety Compliance

Risk Appetite Statements

TCHC will have low level of risk appetite to undertake any activities that would compromise the health and safety of employees across all properties.

Risk Appetite Scale

Information

Risk Appetite

Very LowRisk Avoid

LowRisk Averse

ModerateRisk Neutral

HighRisk Tolerant

Very HighRisk Seeking

Any activities that would compromise the health and safety of tenants and employees will not be tolerated.

Mandatory and/or consistent disciplinary actions, up to termination from the corporation.

Strict adherence and interpretation of health & safety policies and procedures to avoid all health & safety risk exposures.

Thoughtful approach to managing procedural vs. operational activities that would compromise the health and safety of tenants and employees, where perceived benefits is proportionate to costs, resources, and capacity.

Thoughtful interpretation and application of health & safety policies and procedures against enterprise context.

Tolerance for some/any approach to managing activities that would compromise the health and safety of tenants and employees up to a certain threshold.

Modest disciplinary actions, which include a non-punitive approach, counselling or education.

Flexibility in interpretation and application of health & safety policies and procedures.

Aggressively exploring non-traditional tools/systems (e.g. partnerships, services) or industry best practices to ensure adherence to enhance health and safety.


Risk Category Risk Domain

Legal, Regulatory, Standards Compliance

Risk Appetite Statements

1. TCHC will have a very low risk appetite for any irresponsible or intentional activities that would violate applicable regulations and standards; and

2. TCHC will have a low level of risk appetite in ensuring that the organization is in full compliance with all applicable regulations and standards.

Risk Appetite Scale

Information

Risk Appetite

#

Very Low: Risk Avoid

Low: Risk Averse

Moderate: Risk Neutral

High: Risk Tolerant

Very High: Risk Seeking

1.

2.

Any irresponsible or intentional activities that would violate regulations/standards will not be tolerated.

Strict adherence and interpretation of legal and regulatory standards.

Mandatory and/or consistent disciplinary actions, including up to termination from the corporation.

Non-compliance will not be tolerated.

Conservative interpretation of applicable regulations and standards

Thoughtful approach to managing procedural vs. operational activities that would violate regulations/standards, up to performance management.

Thoughtful interpretation and application of legal and regulatory standards against enterprise context.

Thoughtful approach in the interpretation of applicable regulations and standards

Tolerance for any approach for any irresponsible or intentional activities that would violate regulations/standards.

Modest disciplinary actions, which include a non-punitive approach, counselling or education.

Flexibility in interpretation and application of policies and procedures.

Tolerance to incur fines up to a certain threshold resulting from non-compliance.

More flexibility in the interpretation of applicable regulations and standards


Risk Category Risk Domain

Policy & Procedures Compliance

Risk Appetite Statements

1. TCHC will have a low risk appetite to undertake activities that could deviate from established policies and procedures in the organization; and

2. TCHC will have a moderate level of risk to ensure that appropriate and business-like policies and procedures are developed and standardized and enforce compliance throughout the organization.

Risk Appetite Scale

Information

Risk Appetite

#

Very Low: Risk Avoid

Low: Risk Averse

Moderate: Risk Neutral

High: Risk Tolerant

Very High: Risk Seeking

1.

2.

Activities that deviate from policies and procedures will not be tolerated.

Mandatory and/or consistent disciplinary actions, including up to termination from the corporation.

Strict adherence and interpretation of policies and procedures.

Conservative approach to advance the standardization of policies and procedures, where change will be perceived as a negative impact on cost, resources, capacity, and morale.

Thoughtful approach to the management of activities that deviate from established policies and procedures, up to performance management.

Thoughtful interpretation and application of policies and procedures against enterprise context.

Thoughtful approach to the development and compliance with standardized policies and procedures, where change is proportionate to costs, resources, and capacity.

Tolerance for some/any activities that could deviate from policies and procedures

Modest disciplinary actions, which include a non-punitive approach, counselling or education.

Flexibility in interpretation and application of policies and procedures.

Aggressively willing to pursue an approach to advance the standardization of policies and procedures, where benefits outweigh costs, resources, capacity, and morale.


Part 5: Next Steps


Next Steps

Overall, the ERM program has completed all the key deliverables across all the focus areas for 2018. In addition, the achievements gained provide the foundation to further advance the risk culture and ERM program through the following upcoming focus initiatives:

Governance

• ERM Evaluation: ERMC will be engaged to provide feedback on the ERM Program through a structured survey to identify areas of strength and opportunities for improvement.

Framework

• Risk Profile Monitoring: ERM department will monitor the priority risk profile and risk action plan. All priority risks with increasing risk exposure (e.g. likelihood, impact) will be escalated to ERMC.

• Risk Appetite Statements: ERMC has been engaged to initiate dialogue on risk appetite for each of the risk domains. As a next step, the Board of Directors will be engaged to provide feedback as we seek to formalize the TCHC risk appetite statements, a key component of the ERM framework.

Policy & Procedure

• Risk Appetite Policy: Upon confirmation of the TCHC risk appetite statements by the Board of Directors, a risk appetite policy will be formalized to be used in conjunction with the Enterprise Risk Management policy.


Appendix


Resource Risks

Risks that relate to the resource used by the organization to deliver our services.

Compliance Risks

Risks that relate to the ability to comply with regulatory requirements.

Business Risks

Risks that impact the delivery of services to our tenants and stakeholders.

Risk domains and their sub-domains:

Human Resources: Labour Relations, Talent Management, Culture

Environment, Health, & Safety: Environmental Management, Occupational Health & Safety, Life & Safety Systems

Financial: Operational Funding, Working Capital

Information Systems: Infrastructure, Data Integrity, Security, & Privacy, Business Continuity

Physical Assets: Buildings, Equipment

Reputation & Public Image: Public Image, Media Exposure, Government Relations

Business Operations: Service Delivery, Operational Partnerships, Cleaning & Maintenance

Governance: Governance

Legal, Regulatory, & Standards: Legislation Compliance, Regulatory Standards

Policies & Procedures: Policy Development & Compliance, Policy Education

Appendix A: Risk Domains
