
III: Implementation of the R3M at the CFIA
To support an Agency-level Enterprise Risk Management (ERM) analysis at the Canadian Food Inspection Agency (CFIA), the Risk Management Maturity Model (R3M) was developed based on the five key areas of risk management outlined in the Treasury Board of Canada Secretariat’s (TBS) Risk Management Capability Model:
- Governance, leadership and accountability;
- Priority setting and decision making;
- Monitoring, performance and results;
- Training and continuous learning;
- Stakeholder engagement and communication.
These key areas are presented in Table 1 below. They are broken down by maturity levels (i.e., Informal, Basic, Managed, Integrated and Optimized) and connected to the main criteria applied to determine them.
Table 1 - Risk Management Maturity Model: Main Criteria
The R3M complies with the TBS Framework for the Management of Risk and with CFIA internal policies and practices. The model is used to monitor and report on the level of ERM implementation, to help the Agency better assess its performance against the current baseline and strive towards an improved state of maturity over time. The CFIA utilized the R3M to conduct an evidence-based internal assessment of the implementation of risk management practices at the CFIA. The objective was to determine the level of ERM maturity at the Agency and to determine where it needed to focus to improve its ERM systems and practices.
Under the guidance of the Agency’s Chief Risk Officer, a second line of defense (IIA, 2020) in CFIA conducted an evidence-based assessment of CFIA’s performance in implementing Enterprise Risk Management. The R3M was utilized by assessing the advancement and application of ERM in the 5 key areas. The assessment looked at the importance and weight of ERM within various realms of the Agency, including the rates of completed risk-related trainings, the discussion of ERM at governance and leadership tables, ERM-based priority setting and decision making, and so on.
Risk Owners, who are senior executives responsible for strategic decision making, were also surveyed to determine their perspective on the strengths and weaknesses within the CFIA on ERM implementation, utilizing the criteria established in the R3M. The survey questions requested that the Risk Owners rank the Agency on various aspects: the level of communication, awareness and implementation of risk tools and resources; organization-wide ERM maturity; and the effective integration of ERM into governance and decision-making practices.
The results of the internal assessment and the Risk Owners survey were evaluated against the R3M to ascertain both unanimity and consistency. The final results were subsequently documented in the CRO Report, serving as a basis to brief the President on the Agency's ERM maturity and potential areas for advancement.
IV: How a Risk Management Maturity Model Can Be Used by Auditors
According to the Institute of Internal Auditors (IIA), maturity models provide a way for an organization to determine its current state as a whole – or any procedure or activity within the organization – as it relates to best practice development. These models can aid in creating development plans and can serve as a tool for internal auditors to use while conducting assessments (LogicManager, 2015). However, in order to realize the maximum benefits maturity models can provide, audit practitioners must select or create an appropriate model for each engagement and apply it in a way that yields the greatest insight (IIA, 2018).
When appropriately selected or designed and then subsequently applied, maturity models can provide:
- A framework for envisioning the future, the desired state and the development of improvement plans.
- Benchmarks for the organization to compare its processes internally or externally.
- A mechanism to provide insight into the improvement path from an immature to a mature process.
- A disciplined method that is easy for management to understand and implement (IIA, 2018).
V: Lessons Learned
A. Receiving Buy-in from Senior Management Is Imperative
Endorsement and support from senior management, as early as possible, will be the number one success factor in implementing ERM and assessing its success.
Prior to developing the R3M, agreement on the process and criteria was discussed with both the internal auditors and senior management. Once the Agency’s R3M was developed, it was presented to senior management for feedback and approval. Prior to the evidence-based assessment being completed, senior management was approached to disclose how they would rate the Agency according to the criteria outlined in the R3M. Finally, once the assessment was completed, senior management was provided with the preliminary results prior to a final report being written, to ensure that senior management felt that they had input into the instrument’s construction and the final assessment. As a result, the final report, which provided a story around the evidence-based assessment, was well received and appreciated and recommendations for improvement were endorsed and acted upon to further enhance the implementation of risk management practices and processes.
B. Identifying Key Stakeholders, Who Often Cut Across the Organization, Is Critical
The key stakeholders who have responsibility for ensuring the success of ERM based on the R3M should be identified and communicated with early – before the R3M criteria are finalized. Behind every assessment finding, there is often a group of individuals who share some responsibility for the deficiency identified. However, because of the risk of cultural and leadership resistance, creating change in an organization cannot rest on the shoulders of one individual or even a group of individuals. Strong leadership from the top will be critical (as explained above). Understanding each of the key areas being assessed, and the criteria that will be used to assess ERM success, will help guide the assessor to the people who have the power and ability to effect positive change, even if they are not aware of it yet. It will be essential to recognize that these individuals may be in many parts of the organization and may require a better understanding of why they should care. Once these stakeholders are identified, you can better tap into what controls these individuals have in place and would like to see in place, to fulfill everyone’s overall objective: to achieve results in an efficient manner.
C. Understanding the Story Behind the Results Facilitates Communication and Acceptance of Results
Understanding the story behind the organization can be achieved primarily through readily available materials: corporate risk ranking, planning, monitoring, and reporting documentation (for example, Departmental Plans and Departmental Results Reports), and recent internal audit and evaluation reports. Although the evidence-based assessment revealed that change needed to occur and how, it was critical for the assessors to understand the story behind the current state to better appreciate how to communicate the evaluation’s findings effectively, with a focus on what tangibly needed to occur to ensure that the stakeholders have sufficient support to implement ERM. Every stakeholder we worked with was dedicated, experienced, and well respected. They earned this respect through their leadership and delivery on results. Promoting the controls that had been put in place by these highly skilled individuals helped to communicate balanced and fair recommendations for improvement, and helped senior management appreciate where their controls were strong and where attention was not necessarily required.
A written report on results should focus on next steps to be taken (often collectively) to enable critical strategic shifts that will move the organization up the R3M scale. Understanding the story behind the results will better ensure fair and balanced reporting to senior management. Support from the stakeholders involved will be beneficial, but not imperative. At the end of the day, the credibility of the R3M will depend on its accuracy in reflecting reality.