Effective date: February 23, 2012
Responsibility: Executive Vice-President and Chief Financial Officer
- Statement of Policy
- Risk Management Objective
- CBC/Radio-Canada’s Risk Appetite
- Application
- Roles and Responsibilities
- References
- History
- Person Responsible for Interpretation and Application
- Department Responsible to Update This Webpage
- Appendix A – Risk Management Procedures and Guidelines
STATEMENT OF POLICY
As Canada’s national public broadcaster, CBC/Radio-Canada occupies an important place in the Canadian broadcasting system and faces a unique set of risks to its plans and operations. Like all broadcasters, the Corporation must adapt to technological changes, shifts in demographics and evolving consumer demands, as well as structural changes in the industry. As a public broadcaster with a statutory mandate to serve all Canadians, CBC/Radio-Canada also faces unique financial challenges and risks.
It is CBC/Radio-Canada policy to develop, implement and practice effective risk management to ensure risks and opportunities that impact the Corporation’s strategies, objectives and operations are identified, assessed and managed appropriately.
RISK MANAGEMENT OBJECTIVE
CBC/Radio-Canada’s risk management objective is to support the achievement of the Corporation’s strategic and operational objectives by:
- Ensuring risks and opportunities are properly identified, assessed, managed and reported;
- Aligning risk appetite and strategy;
- Embedding risk management in decision making;
- Allocating resources to effectively and efficiently manage risks; and
- Ensuring that the risk management process is robust and evolves with best practices.
CBC/Radio-Canada’s risk management objective is not to eliminate risk, but rather to manage risk in relation to CBC/Radio-Canada’s risk appetite.
Additional guidance is provided in the Procedures and Guidelines.
CBC/RADIO-CANADA’S RISK APPETITE
The Corporation’s risk appetite is influenced primarily by its role as Canada’s national public broadcaster whose mandate, object, powers and financial authorities are set out in the Broadcasting Act. It is the Corporation’s policy to identify, prioritize and manage the risks of the Corporation and to report to the Audit Committee of the Board on the actions to address any significant risks using the Corporation’s risk appetite as context.
APPLICATION
The present policy applies to all CBC/Radio-Canada employees. Managers and staff have a responsibility to identify, assess and manage risk. This includes monitoring risks and related controls to continually optimize the control of risks across the entire organization.
ROLES AND RESPONSIBILITIES
CBC/Radio-Canada’s Risk Management Program is part of an enterprise-wide approach integrated into business processes. Responsibility for risk management is shared amongst the following groups: CBC/Radio-Canada’s Board of Directors; the Board’s Audit Committee; the Senior Executive Team; Internal Audit; and operational units.
The Board oversees CBC/Radio-Canada’s key risks at a governing level, approves major policies and ensures that the processes and systems required to manage risks are in place. The Board is ultimately accountable for the risk management process, including the risk culture, risk appetite and alignment of the Corporation’s risk management practices with strategy, risk appetite and stakeholders’ expectations.
The Audit Committee of the Board discharges its stewardship and oversight responsibilities over risk management by monitoring key risks, discussing their status with management at quarterly Audit Committee meetings, and ensuring that management has programs for evaluating the effectiveness of internal controls.
The Senior Executive Team identifies and manages risks, reports on CBC/Radio-Canada’s key risks to the Audit Committee and the Board, recommends policies, and oversees financial reporting and internal control systems. The Senior Executive Team is also responsible to help resolve cross-component risk issues and challenges.
Internal Audit plans its audits in accordance with the results of the risk assessment process and provides assurance that major risks are covered on a rotational basis by the annual audit plan. Internal Audit is responsible for assessing the effectiveness of risk management practices and processes.
Media and support business units initially identify and assess risks through the annual business plan process, and develop and execute detailed plans to manage risks. Risks are prioritized based on their potential impacts and their likelihood of occurring. The status of risk mitigation on these identified risks as well as any emerging risks are reported to the Board’s Audit Committee on a quarterly basis.
Every manager is responsible for integrating sound risk management planning and process into the business processes they are responsible for and for reporting risks with causes, impacts, or mitigations beyond their scope of responsibility to their supervisor.
Every employee is responsible for applying sound risk management within the scope of their duties and responsibilities and reporting risks with causes, impacts, or mitigations beyond their scope of responsibility or available resources to their supervisor.
Risk Management and Insurance within Corporate Finance and Administration is responsible to coordinate, review and manage the overall key risk identification and reporting process.
REFERENCES
COSO Enterprise Risk Management – Integrated Framework
ISO 31000 – Risk Management – Principles and Guidelines
Management Policies:
- 2.2.16 Occupational Health, Safety and Environment
- 2.2.18 Crisis Management
- 2.2.21 Code of Conduct
- 2.3.8 Delegation of Financial Authorities
HISTORY
This policy, which is a formalization of the process that has been in practice since 2007, was approved by the Board of Directors on February 23, 2012.
PERSON RESPONSIBLE FOR INTERPRETATION AND APPLICATION
All questions pertaining to the interpretation or application of this policy should be referred to the Director, Insurance & Risk Management. The responsibility for interpretation of this policy ultimately resides with the Vice-President and Chief Financial Officer.
DEPARTMENT RESPONSIBLE TO UPDATE THIS WEBPAGE
Corporate Secretariat.
APPENDIX A: RISK MANAGEMENT PROCEDURES AND GUIDELINES
DEFINITIONS
RISK MANAGEMENT
"Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." (COSO)
RISK
Risk is defined as the effect of unexpected positive or negative events or consequences on objectives. Risks include business environment, process, strategic and financial risk.
RISK APPETITE
"Risk appetite is the amount and type of risk that an organization is willing to pursue or retain" (ISO Guide 73). Risk appetite is influenced by external legislation and policies, stakeholder expectations and CBC/Radio-Canada’s Board of Directors’ guidance.
INHERENT RISK
Inherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact, i.e., the level of risk prior to taking into account existing controls and any existing risk responses.
RESIDUAL RISK
Risk remaining after risk treatment, i.e., the remaining risk level after taking into account existing controls and any existing risk responses.
RISK IDENTIFICATION AND ASSESSMENT
Risk identification and assessment is integrated into the annual business plan process.
Risk assessment and management is a process to determine the threats and opportunities that components must identify and effectively manage to achieve component business objectives, successfully execute component strategies, and meet component performance goals. The risk assessment considers all forms of risk, including business environment, process, strategic and financial risk.
Within CBC/Radio-Canada, the risk assessment and management process begins with the Environmental Outlook presented to the Board of Directors.
The process then moves to the annual business plan process within which each component identifies and assesses their component risks to achieving component objectives and highlights their action plans to mitigate these key risks. Risks are evaluated and ranked by components using a common set of evaluation criteria and risk definitions provided in the Business Plan Guidelines. The ranking is determined by risk score, which is a function of the assessed risk’s impact and likelihood of occurrence, each measured on a scale of 1 (low) to 5 (high).
In order to assist components in completing the risk assessment and action plans, the following resources are attached:
- Schedule 1 – CBC/Radio-Canada Risk Management Framework
- Schedule 2 – CBC/Radio-Canada Risk Definitions
- Schedule 3 – CBC/Radio-Canada Risk Assessment Definitions
- Schedule 4 – CBC/Radio-Canada Risk Management Model
The component risks are aggregated into a risk register. The risks identified by the components and forming the risk register are categorized by commonality. The corporate ranking of the key risks is compiled and presented to the Senior Executive Team for approval. Risks assessed with a corporate risk score below 12 continue to be reviewed and managed by components but are not reported on in detail at the Board level.
RISK CATEGORIES
The business risk definitions are provided as reference to assist in the identification of risks by media and the support business units. The CBC/Radio-Canada’s business risk definitions are organized into three primary risk categories:
- Strategic Risks
Strategic risks are the risks of failing to achieve strategic objectives. Strategic objectives are high-level goals, aligned with and supporting the CBC/Radio-Canada’s mission/vision.
- Financial Risks
Financial risks are the risks of failing to allocate scarce resources to meet strategic objectives and investment decisions and/or failing to manage financial pressures.
- Business Risks
Business risks encompass content, operations, people and information process and technology. Business risks are the risks of failing to achieve operational objectives. Operational objectives relate to the effectiveness and efficiency of the CBC/Radio-Canada’s basic operations, including the safeguarding of resources against loss.
RISK REPORTING
The annual business plan process culminates in the Annual Risk Report that is presented to the Audit Committee in February and to the Board of Directors in March of each year. The risks assessed with a score below 12 continue to be reviewed and managed by media and support business units but are not reported on in detail at the Board level. The Annual Risk Report is made up of two sections:
- Status Update of the Key Risks as at December 31 of the fiscal year in question; and the
- Key Risks and Mitigation Strategies for the upcoming fiscal year starting April 1st.
Risk Management updates are a standing agenda item at quarterly Audit Committee meetings. These Risk Management updates provide the status of the identified key risks and action plans as well as identify changes in risk levels and any emerging risks. The Risk Management Updates are provided to the full Board as an information item.
RISK MANAGEMENT PROCESS COORDINATION
Risk Management and Insurance within Corporate Finance and Administration is responsible to coordinate and manage the overall data gathering process and report preparations for the Annual Risk Report as well as the Quarterly Risk Management Updates.
Schedule 1 – CBC/Radio-Canada’s Risk Management Framework
Schedule 2 – CBC/Radio-Canada Risk Definitions
Strategic Risks | Business Risks | Financial Risks |
---|---|---|
Political Policies and Mandate | Content and Services | Self-Generated Revenue |
Competitive Environment | Quality and Distinctiveness of Content Offering | Financial Markets/ Economy |
Technological Innovation | Journalistic Standards and Conflict of Interest | Financial Reporting |
Strategy Development/ Refresh & Execution | Content that Responds to Changing Consumption Patterns | Budgeting & Planning |
Reputation and Brand Management | Rights & Copyrights Management | Fraud |
| Operations | Government Funding |
| Efficiency | |
| Partnering/Outsourcing | |
| Implementation of Major Projects | |
| Business Interruption | |
| Regulatory/Legislative Environment | |
| Organisational and Governance Structure | |
| People | |
| Change in Leadership | |
| Succession Planning | |
| Engagement | |
| Change Readiness | |
| Health & Safety/Wellness | |
| Diversity | |
| Infrastructure | |
| Information and Cybersecurity | |
| Infrastructure Portfolio Optimisation | |

Risk Category | Risk Description | Examples |
---|---|---|
Strategic Risks | | |
Political Policies and Mandate | The government or any future government may: | Government legislative changes (e.g., Access to Information, CMF, copyright) |
Competitive Environment | | |
Technological Innovation | Failure to anticipate the next big trends in technology, content development, content delivery and/or content consumption, could threaten our connection with audiences and achievement of our strategic objectives. | |
Strategy Development/Refresh & Execution | Development of a strategic plan that is agile and can adapt to changing circumstances is critical to long-term sustainability and viability of the Corporation. Successful execution of our A space for us all strategy is critical to enable the long term success and relevance of our business. | Clarity of vision and strategy (positioning). |
Reputation and Brand Management | Inability to respond swiftly, reasonably and proportionately to significant events or criticisms could impact our reputation. There is a risk that negative perception of CBC/Radio-Canada may decrease credibility, stakeholder support and funding. | |
Business Risks | | |
Content and Services | | |
Quality and Distinctiveness of Content Offering | Failure to continue to improve the quality, distinctiveness and innovation of our output in all genres while delivering a streamlined CBC/Radio-Canada could limit our ability to meet Canadians’ needs and expectations in an ever more competitive marketplace. | |
Journalistic Standards and Conflict of Interest | Failure to uphold our editorial values and standards in all our content could affect our ability to maintain high levels of Canadians’ trust, damage our brand or lead to legal exposure. | |
Content that Responds to Changing Consumption Patterns | Failure to deliver content when and how it is demanded, or to anticipate future consumption patterns could threaten our connection with, or relevance to, Canadians. | |
Rights & Copyrights Management | Failure by CBC/Radio-Canada to obtain, create and retain the rights and copyrights related to popular programming could adversely affect the Corporation’s revenues and relevance. | |
Operations | | |
Efficiency | Ability to leverage our assets, successfully implement new processes and technologies, achieve benefits from organization redesign or site consolidations or other efficiency initiatives could impact the achievement of strategic or cost reduction targets. | |
Partnering/Outsourcing | Alliance or partnering agreements impact the operations, costs and/or reputation of the Corporation. | |
Implementation of Major Projects | Delayed and ineffective implementation of major projects could compromise the delivery of the CBC/Radio-Canada’s strategic objectives. | |
Business Interruption | Inadequate business continuity and disaster recovery planning may increase disruption to operations, increase costs and damage the reputation of the Corporation. | |
Regulatory/Legislative Environment | Changes to regulatory or legislative requirements may: | |
Organisational and Governance Structure | Failure to deliver a flexible and agile management and governance structure could limit our ability to respond quickly to new challenges and impact delivery of strategic priorities. | |
Infrastructure | | |
Information and Cybersecurity | Cyber threats (hacking, computer viruses, denial of service attacks, industrial espionage, unauthorized access to confidential, proprietary or sensitive information or other breaches of network or IT security) are constantly evolving and IT defences need to be constantly monitored and adapted. Vulnerabilities could harm our brand and reputation as well as our stakeholder relationships. | |
Infrastructure Portfolio Optimisation | There is a risk that: Ownership of buildings with maintenance deficits increases operating costs, puts pressure on the capital budget and impacts the residual values of the property; Excess space and infrastructure affects operating and capital budgets as more space than required generates excess costs; Outdated infrastructure reduces flexibility to adapt and affects operating costs; and Cumbersome governance and approval process may impact project viability. | Infrastructure includes: |
People & Culture | | |
Change in Leadership | Turnover of members of the Senior Executive Team, key members of the component management team or members of the Board may create uncertainty for CBC/Radio-Canada staff and the stakeholders regarding expectations and vision and may affect the Corporation's competitive position and reputation and impact operations. | |
Succession Planning | Ability to plan for the succession of key employees and managers may impact operations. | |
Engagement | Ability to attract, retain, develop and engage qualified employees to achieve long-term goals. | |
Change Readiness | Ineffective change management and the failure to successfully integrate operations under revised structures could adversely affect our business and our ability to achieve our strategic objectives. | |
Health & Safety/Wellness | Inadequate controls could endanger the health and safety of individuals, the natural environment and our reputation. | |
Diversity | Failure to improve the demographic representation (diversity) of the workforce may influence the Corporation’s ability to maintain or improve the Corporation’s relevance. | |
Financial Sustainability | | |
Self-Generated Revenue | Volatility in revenues will affect the ability to balance budgets and achieve strategic objectives. | |
Financial Markets/Economy | Movements in interest rates may affect the returns on the Corporation's investments and its capacity to re-invest the returns into programming activities. Movements in interest rates may impact the pension plan’s funding and solvency position and the Corporation's capacity to contain costs. Movements in foreign exchange rates may affect payments denominated in foreign currencies as well as the Corporation's capacity to contain costs. Inflation impacts the Corporation's operating and capital expenses. | |
Financial Reporting | Failure to ensure accuracy of financial reporting (fairly present the financial position of the Corporation, the results of its operations and its cash flows) may negatively affect the Corporation's reputation or may result in criminal liability to the Corporation. | |
Budgeting & Planning | Ability to adequately plan for the range of potential changes to our funding model (contingency planning) could impact the delivery, scope or timing of our strategic objectives and/or result in further cost reductions. Ability to allocate scarce resources to meet strategic objectives and manage financial pressures. | |
Fraud | Fraudulent activities perpetrated by management or employees against the Corporation may expose the Corporation to financial loss or impair its reputation. | |
Government Funding | The government or any future government may affect operational and capital funding levels impacting its ability to create programming and maintain current service levels to Canadians. | |
Schedule 3 – CBC/Radio-Canada Risk Assessment Definitions
Impact Descriptors
| | People | Financial | Operational | Reputation | Regulatory |
---|---|---|---|---|---|---|
5 | Severe | | | | | |
4 | Major | | | | | |
3 | Moderate | | | | | |
2 | Minor | | | | | |
1 | Insignificant | | | | | |
Likelihood Descriptors
| | Description | Example - Probability |
---|---|---|---|
5 | Almost Certain | The event is expected to occur in most circumstances. | 90% or greater chance of occurrence |
4 | Likely | The event will probably occur in most circumstances. | 65% up to 90% chance of occurrence |
3 | Possible | The event should occur at some time. | 35% up to 65% chance of occurrence |
2 | Unlikely | The event could occur at some time. | 10% up to 35% chance of occurrence |
1 | Rare | The event may occur only in exceptional circumstances. | Less than 10% chance of occurrence |
Schedule 4 – CBC/Radio-Canada Risk Management Model