CSA Sentinel - The Institute Of Internal Auditors  


PUBLISHED BY THE INSTITUTE OF INTERNAL AUDITORS
Volume 7 · No. 2 · June 2003

Reinventing Risk Assessment *

By Michael Pidzamecky, CMA
An interview with David Eden, Bruce Tanaka, Bart Demosky, Ken Graham, and Paul Kunkel
Risk & Assurance Services
Ontario Power Generation


Ontario Power Generation's Risk & Assurance Services team assesses itself and, in doing so, reinvents the company's risk assessment program.
  


The Ontario Power Generation (OPG) risk program helps management identify, analyze, and mitigate risk associated with the company's long-term and short-term business planning cycles, division operations, and special projects. Before a workshop, participants identify risk associated with specific objectives, using a worksheet for each risk they believe may have a relevant impact on objectives. The Risk & Assurance Services (RAS) group assists with this process and accumulates information about risks. The RAS group produces a booklet of all risks submitted, which is used as reference material for workshop participants. Using electronic voting technology in a workshop facilitated by trained RAS members, participants rank risks according to such criteria as impact, likelihood, and possibly controls mitigating the risk. Participants use the results from the workshop to create action plans to correct policies, procedures, and controls to better mitigate risks according to their rankings.

How did the CSA program get started at OPG?
It started in the early 1990s. Ontario Hydro (the precursor to OPG) brought in a CSA consultant through the internal control function in finance, and CSA was made a standard procedure for all employees. Around 1995, the Guidance on Criteria of Control (CoCo) model was introduced, and the president required each business unit to do a self-assessment based on CoCo. Each of the business units created procedures for self-assessments within their unit. Two of the four large units engaged a consulting firm, while the other two did it themselves. The nuclear division still has a procedure requiring a self-assessment review once a year. The other divisions no longer require the old procedure, but are still familiar with self-assessment techniques. The company had progressed up to a certain point by 1995, but then there were a number of organizational restructuring initiatives and the program fell out of use.

A resurgence took place when the chief financial officer, Wayne Bingham, initiated changes to our business planning requirements in August 2001. We'd gone from year-over-year type business planning to a more risk-based approach. A lot of it was centered in the chief financial officer's group, where a business-planning person developed the original CSA risk format with help from outside consultants. This person moved on, and Audit Services picked up CSA in 2001. Since then, it's been used quite extensively throughout the company.

What led to the resurgence was the deregulation and splitting up of Ontario Hydro into individual companies. As a result, cultural transformation was necessary. The company needed to move from a regulated mindset to more of a commercial mindset. To accomplish this, employees needed new tools and new ways of looking at the world. The CSA process has relatively little to do with the traditional business planning process. It has everything to do with shifting the mindset of the management team, bringing it from a compliance-oriented, no-internal-risk mindset, to a new perspective where employees own all the risks and need to understand them. Business unit management teams needed to take a new look at themselves, not only at the way they were but also at how they might be in the future. They needed new methodologies to gain an understanding of what their processes are, how they interrelate, and what risks are being created as a result. They needed to become internal risk managers within their own divisions or departments. We offered a risk-based auditing approach as one of the tools to help them, and it has gained wide acceptance.

Some organizations are better able to adapt to self-assessment than others. What has helped at OPG?
One of the strengths in OPG's culture is a pervasive attitude of people helping each other and sharing information. Those in the audit group new to self-assessment were very enthusiastic. They were keen on learning all about the process. Throughout the organization, there was a real openness to the self-assessment sessions.

What challenges do you have to overcome to make your program work?
For the program to be successful, there should be strong internal knowledge of the risks the organization faces. If participants do not really understand the risks we face, how effective can the workshop be? This is a major challenge to overcome for the program to be fully effective, but we bring in quite a lot of external expertise to enhance our knowledge base. By bringing in views from other companies and industries, we gain new insights and build our knowledge base over time.

Our role is to communicate information about risk throughout the organization. By continuously working with the business units and providing them with teaching tools, lessons, and opportunities to participate in these workshops, over time, we will build the knowledge base to where it needs to be. Knowledge becomes ingrained naturally in this process because people can see how it impacts all areas of the organization. Everyone is very excited about the opportunity to participate in the workshops and learn more about their business and the company as a whole.

What was your first risk self-assessment workshop like?
The first time, we may have been overly ambitious — in fact, it was a particularly bad CSA exercise. There were six departments with a total of 25 separate issues. Each person brought to the table their individual department's issues: The participants' perceptions of risk were not necessarily at a corporate level. They tended to have a parochial view of risk, where they saw risks that affected their area as the most important. They were very animated in discussions, but only about their own risks. There was little sense of appreciation of other areas. Looking back a year later, people now have a better understanding of the risk program and corporate risk issues that might impact achievement of corporate-level objectives.

That highlights another important aspect of CSA: The workshops can be very effective in breaking down silos of risk management. Historically, the company — even the internal audit group — was divided into functional silos. We were not as effective as we are now at sharing ideas and information or at making sure employees could see the big picture. For example, the market risk managers and credit risk managers sat next to each other, but many of them did not know each other's names. Getting these people in a room together and having them listen to each other in the workshops created greater understanding about the company and about risks.

Was it important for your department to re-engineer or reinvent itself to implement self-assessment successfully?
Yes. We undertook an ambitious program starting in early 2001 to transform the internal audit group. We started by changing the name of the group to Audit Services. For the kick-off, we met with all the business unit managers, directors, vice presidents, and senior executives, and asked them, "What do you need from us to move forward?" Managers needed to change the way people in their business units thought about risks. As the internal audit group, however, we hadn't been proactively helping them move forward because we were doing our assessments after the fact and telling them what went wrong a year ago. So, we transformed ourselves. We needed to re-engineer our own processes and our skill sets before we could become engaged as real business partners with the other business units. This process was essential for us to win the confidence of the business units and to roll out CSA effectively. 

For your CSA program, what training did you take and what type of tools do you use?
We had two basic training sessions, both of which were very helpful. We use electronic voting technology with remote keypads, so training on using the technology was an important step. Facilitation training was also important for us. However, we elected not to use a trainer on risk self-assessment. We felt we had learned a lot about risk through previous consultants and through our development and implementation of the auditing and risk assessment program.

It's important for anyone who is contemplating rolling out a CSA program to start with a competency assessment. We looked at our internal skills and determined areas where we had good competency versus those where we had training needs. That prompted us to bring in experts to help teach us, with the key focus being on internalizing those skills. We also had the experts work with us for a couple of sessions. We needed to see what a good facilitator was and how someone needed to work and act as a team to be effective. Then we needed to build these skills into our own organization. It was also important that we didn't just have one or two people doing it — that everybody was involved.

What has been the reaction to results from the workshops?
Clients tend to be more satisfied with self-assessment than with a traditional audit. Perhaps this is because, as participants, they own the results. It's not like a traditional audit where the auditor comes in, works, goes away, and then sends back the results. In the CSA approach, the group does the work, and true ownership resides within the group.

Now, we sometimes receive "cold calls" from clients asking for a risk self-assessment after a traditional audit shows a problem. This is a good indication that people see the benefit of our approach and our abilities. To help us figure out whether or not our new approach was working, we looked at how many management requests came in for the year and how much time we were spending in the field based on management requests. In 2000, it was less than 10 percent. In 2001, 40 percent of our resources were dedicated to management requests. Now, we're getting one or two calls a week from people in the field asking for help. We have to postpone other projects, rebalance our resources, engage outside parties, or bring people in from within the organization to help. That's perhaps the biggest sign of success.

Ken, I understand you worked in one of the very first CSA shops in the mid-1980s. What changes have you seen over the years from the birth of CSA to where we are today?
I think the most significant change is that, when CSA first started, people thought it was a tool that could replace traditional auditing. They thought you could implement CSA everywhere, and it would serve as a complete control infrastructure. The initial efforts of a lot of people were put into developing a comprehensive program and rolling it out everywhere, but I do not think this was very effective. Now people are using CSA more selectively, as a flexible tool that can be used for many different purposes.

What is the future for CSA in your organization? 
It's a positive one in which we will continue to evolve. We have good traction now. CSA is a successful part of our toolkit that we've communicated to the audit committee and management. It will be an ongoing approach for helping with risk management. There isn't any reason why we wouldn't continue to use it because results have been very positive for us.

Because some readers were unable to access this article in the last CSA Sentinel, it is being redistributed for the benefit of Center members.
