In determining an appropriate response to affect likelihood and impact, the cost of the response and the impact of those risks occurring will be balanced with the benefits of reducing risks. Possible risk responses include avoidance, reduction, sharing and acceptance. The appropriateness of responses will be evaluated based on their ability to migrate the anticipated risk to within stated risk tolerance levels based on the resources consumed.
Risk management will be founded on a risk-based approach to internal control which is embedded in the day-to-day operations of Tanager. Control activities are the policies and procedures that help ensure that the risk responses are carried out. Event identification, risk assessment, risk response and control activities will provide Tanager Resources Inc. with a risk profile. The board will maintain a current risk profile as a basis for implementing and monitoring the risk management activities. This profile will include details of the impact and likelihood of each risk identified, indicate ownership/responsibility and specify an action plan for treatment. Progress of the risk management program will be a standing board agenda item. Management will ensure that organizational policies, procedures and guideline manuals indicate where there are mandatory processes and procedures (i.e. approvals, signing authorities, thresholds, verifications, security of assets, segregation of duties etc.). Full compliance with these standards will be required and confirmation of compliance sought. Non-compliance with specified procedures may constitute an unacceptable risk.
Managers and staff at all levels will have a responsibility to identify, evaluate and manage or report risks and will be equipped to do so. It is imperative that people have the relevant, credible and timely information to effectively carry out their responsibilities.
Management will foster a culture that provides for disseminating best practice, lessons learned and expertise acquired from our risk management activities across the organization. Monitoring will be done through ongoing operations and/or separate evaluations.
Responsibilities of the board of directors, management, risk officer, internal auditors, and other personnel are outlined in Appendix 2.
The use of this risk management approach assists in identifying areas for more detailed review, and informs and supports Tanager and divisional management assurance.
The risk profile will inform internal audit of the work necessary to provide assurance to the audit committee of the board that controls are in place and working to mitigate the areas of highest risk to the achievement of Tanager’s objectives. Internal Audit will evaluate the effectiveness of existing controls and risk management responses. Internal Audit assurance will include an assessment of the reliability and effectiveness of Tanager’s overall risk management arrangements.
Provides an overview of the risks inherent to the organization and key internal and environmental factors that influence their mitigation. The Profile provides a common understanding and the impetus for discussion of risks that influence organizational performance and the development of strategies for the management of risk.
Provides the foundation for establishing a sound IRM function. The Framework builds on what exists and communicates the organization’s IRM direction and infrastructure in terms of:
After development of the risk profile and the framework, gaps and opportunities related to IRM will be identified within the organization. The action plan outlines the critical next steps for advancing the incorporation and implementation of IRM strategies into decision-making and operations at all levels of the organization.
IRM is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the organization, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The level of risk Tanager is willing to accept in pursuit of its objectives. This can be measured qualitatively, with categories such as high, medium or low, or it can take a more quantitative approach. The level of risk acceptable is directly related to the strategy, where the desired return is aligned with the risk tolerance. Tanager’s risk tolerance will be considered by management for resource allocation purposes as it aligns its people, processes and structure to effectively respond to risk.
The Policy is to be implemented by Tanager Resources Inc., which is responsible for maintaining documented business risk profiles using analytical techniques to identify, evaluate and manage risks in compliance with the Treasury Board of Canada’s Integrated Risk Management policy. In addition to those reporting requirements set out in the framework, Tanager’s management are asked by the board to provide:
In addition to the role of Tanager as stated above, management are charged with supporting the successful integration of risk management into Tanager’s processes by undertaking the following general responsibilities:
These guidelines provide additional guidance to assist with the implementation of the five-step Tanager’s Risk Management Framework.
In the first step of the Risk Management Framework, all of the possible risks associated with individual projects/platforms as well as normal operations should be identified. The focus in this step is on capturing and not necessarily evaluating the risks. In addition, the consequence of an incident (risk) occurring should be identified. It is also important to note that there may be significant cross-functional value-added input from different individuals; for example, soliciting input from project managers, project leaders, coordinators from host organizations and specialists may provide valuable insight.
At a minimum, the organization’s risk profile should address risks in the following risk classes: strategic; functional (operational); project-related; and, platform-related.
Some of the perils that threaten operations and assets and create risks include fire, collision, theft, fraud, security leaks, violence, climate and earthquakes.
Factors influencing risks should be identified. They include: acts of nature; human inefficiency, negligence, error and willfulness; and physical factors such as the availability and quality of materials and the state of a particular technology.
Each risk should be identified as one that is either strictly internal to Tanager Resources Inc., or partly or wholly related to the actions, omissions and property of other parties such as host organizations, collaborators, funding partners or suppliers, either by design or by chance. This distinction has important implications for determining the respective obligations or potential liabilities, the degree of control that can be exercised over the probability of chance occurrences, the effect these occurrences may have, and the selection of the appropriate mitigation action.
Examples of possible risks include:
For those risks that are deemed to require further analysis, two main components, impact and probability, should be considered in determining the acceptability of a risk and its risk exposure index. These risk components should be analyzed separately.
Impact can be described as follows:
Probability can be described as follows:
To simplify the analysis of the various risks, it may be appropriate to group or classify them by categories considered appropriate to the source or nature of the risks, for example, scientific, technology, ethical, or financial.
The assessment of the impact and probability will result in a risk exposure index that will determine the extent of actions required. The risk exposure index will also guide the prioritization of the identified risks. Other considerations in the prioritization could include the probability of detection and the possible timeframe within which this event may occur.
This step requires the determination of the following:
Responsibility (designate person)
Approach (Accept, Mitigate or Watch/Monitor)
identifies a contingency trigger)
Scope of Actions
As a general rule, high risk events require a plan that avoids, transfers or prevents the risks. Moderate risk events require inspection and correction controls and monitoring processes (for downstream risks). Low risk events may be deemed acceptable and not require further documentation. In establishing the plan, certain constraints may need to be considered, such as performance requirements, cost, schedule (timing) or safety.
This step will require that relevant tracking data be collected. The frequency (weekly, monthly, quarterly, annually) of the data collection would be defined in the risk action plans. Once the data has been compiled, the risk attributes (probability, impact, probability of detection and timeframe) should be re-evaluated.
Pre-defined reports should be prepared and distributed and should include:
This last step is actually the beginning of a continuous improvement process that determines the next action of the risks, strategy and possibly the overall risk management approach.
Possible decisions associated with the identified risks include: