IN THIS ISSUE
Reinventing Risk Assessment *
How did the CSA program get started at OPG?
A resurgence took place when the chief financial officer, Wayne Bingham, initiated changes to our business planning requirements in August 2001. We'd gone from year-over-year type business planning to a more risk-based approach. A lot of it was centered in the chief financial officer's group, where a business-planning person developed the original CSA risk format with help from outside consultants. This person moved on, and Audit Services picked up CSA in 2001. Since then, it's been used quite extensively throughout the company.
What led to the resurgence was the deregulation and splitting up of Ontario Hydro into individual companies. As a result, cultural transformation was necessary. The company needed to move from a regulated mindset to more of a commercial mindset. To accomplish this, employees needed new tools and new ways of looking at the world. The CSA process has relatively little to do with the traditional business planning process. It has everything to do with shifting the mindset of the management team, bringing it from a compliance-oriented, no-internal-risk mindset, to a new perspective where employees own all the risks and need to understand them. Business unit management teams needed to take a new look at themselves, not only at the way they were but also at how they might be in the future. They needed new methodologies to gain an understanding of what their processes are, how they interrelate, and what risks are being created as a result. They needed to become internal risk managers within their own divisions or departments. We offered a risk-based auditing approach as one of the tools to help them, and it has gained wide acceptance.
Some organizations are better able to adapt to self-assessment than others. What has helped at OPG?
What challenges do you have to overcome to make your program work?
Our role is to communicate information about risk throughout the organization. By continuously working with the business units and providing them with teaching tools, lessons, and opportunities to participate in these workshops, over time, we will build the knowledge base to where it needs to be. Knowledge becomes ingrained naturally in this process because people can see how it impacts all areas of the organization. Everyone is very excited about the opportunity to participate in the workshops and learn more about their business and the company as a whole.
What was your first risk self-assessment workshop like?
That highlights another important aspect of CSA: The workshops can be very effective in breaking down silos of risk management. Historically, the company — even the internal audit group — was divided into functional silos. We were not as effective as we are now at sharing ideas and information or at making sure employees could see the big picture. For example, the market risk managers and credit risk managers sat next to each other, but many of them did not know each other's names. Getting these people in a room together and having them listen to each other in the workshops created greater understanding about the company and about risks.
Was it important for your department to re-engineer or reinvent itself to implement self-assessment successfully?
For your CSA program, what training did you take and what type of tools do you use?
It's important for anyone who is contemplating rolling out a CSA program to start with a competency assessment. We looked at our internal skills and determined areas where we had good competency versus those where we had training needs. That prompted us to bring in experts to help teach us, with the key focus being on internalizing those skills. We also had the experts work with us for a couple of sessions. We needed to see what a good facilitator was and how someone needed to work and act as a team to be effective. Then we needed to build these skills into our own organization. It was also important that we didn't just have one or two people doing it — that everybody was involved.
What has been the reaction to results from the workshops?
Now, we sometimes receive "cold calls" from clients asking for a risk self-assessment after a traditional audit shows a problem. This is a good indication that people see the benefit of our approach and our abilities. To help us figure out whether or not our new approach was working, we looked at how many management requests came in for the year and how much time we were spending in the field based on management requests. In 2000, it was less than 10 percent. In 2001, 40 percent of our resources were dedicated to management requests. Now, we're getting one or two calls a week from people in the field asking for help. We have to postpone other projects, rebalance our resources, engage outside parties, or bring people in from within the organization to help. That's perhaps the biggest sign of success.
Ken, I understand you worked in one of the very first CSA shops in the mid-1980s. What changes have you seen over the years from the birth of CSA to where we are today?
What is the future for CSA in your organization?
* Because some readers were unable to access this article in the last CSA Sentinel, it is being redistributed for the benefit of Center members.
The Institute of Internal Auditors - 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 U.S.A.
+1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org
All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.