Copyright © 2025 Toronto Seniors Housing Corporation

Enterprise Risk Management

Policy Sponsor: Director, Strategy and Business Management
Approver: Board of Directors
Initial Approval Date: October 24, 2024
Effective Date: November 1, 2024

Policy Statement

The mandate of Enterprise Risk Management (ERM) is to promote risk-informed decision making and support the effective execution of TSHC’s strategic directions and business plans by implementing an enterprise-wide risk management framework.

Policy Objective(s)

The objective of this Policy is to articulate the Corporation’s approach to ERM and provide an overview of the related roles, responsibilities and accountabilities.

ERM is a common practice utilized by organizations across a variety of sectors which aims to manage the risk necessary in the pursuit of strategic priorities and objectives. ERM forms part of the overall management system, helping to improve decision-making capabilities throughout the Corporation.

Scope

The ERM Policy outlines TSHC’s philosophy and approach to the management of risk exposures across the corporation. The Policy highlights the structure and processes contained within the ERM framework. In addition, this Policy outlines the key roles and responsibilities for ERM within TSHC.

Definitions

Enterprise Risk Management (ERM): the coordinated activities to direct and control risks within an organization. This includes assessing risks, communicating risks, assigning responsibility for risks, identifying mitigating strategies to avoid or lessen risk, planning risk response strategies and reviewing and improving risk management based on lessons learned from risk experience.

ERM Framework: the suite of policies, procedures, tools and training that support Enterprise Risk Management within the Corporation. The ERM Framework includes the ERM Policy, the risk management process and supporting tools and procedures.

Risks: the likelihood that there will be a positive or negative deviation from the expected objective. Risk is inherent in any business venture. Risks can be threats or opportunities and are measured by likelihood or probability of occurrence and the impact or consequences should they occur. Risks will be classified as insignificant, minor, moderate, major, or severe.

Risk Appetite: the general amount of risk the corporation is willing to accept, which has an influence on how risks are assessed and treated. Defining risk appetite will help TSHC develop risk mitigation and risk response strategies appropriate to the Corporation’s needs.

Risk Assessment: Overall process of risk identification, risk analysis, and risk evaluation.

Risk Monitoring and Reporting: The process of communicating risk to different stakeholders. Monitoring risk is a continuous activity that results in awareness throughout the Corporation.

Risk Register: A listing of strategic risks (with impact and likelihood assessed) will form the risk register.

Roles and Responsibilities

Board of Directors

The Board of Directors has responsibility for providing effective oversight of the corporation’s risks and risk management processes. This includes:

  • approving the Policy, risk register, heat map, and risk appetite on an annual basis
  • receiving reasonable assurances on a regular basis from Management, External Auditors and Internal Audit (e.g., attestations, third-party reports, etc.) on the efficacy of the organization’s internal controls
  • receiving detailed presentations from Management on individual risks or groups of risks as required or as requested, and
  • receiving quarterly briefings from Management on changes to the organization’s risks, emerging risks, and planned responses/mitigation actions

Note: These responsibilities have been delegated to the Audit, Finance and Risk Committee (AFRC) and are included in the Committee’s list of accountabilities as outlined in their Terms of Reference. However, the Board retains the collective, overarching oversight of the risk management program.

Chief Executive Officer

The Chief Executive Officer acts as the ultimate management body responsible for risk, acting as the key conduit between the Board of Directors and Management within the governance structure.

Leadership Team

The Leadership Team acts as the ultimate management body responsible for risk, in conjunction with the processes and efforts to manage performance and the achievement of strategic directions.

Director, Strategy and Business Management

The Director, Strategy and Business Management is responsible for the ownership and management of this Framework and the ERM Program as a whole. This includes ensuring that the right supports and tools are in place to enable staff to identify, assess, manage and monitor risks relevant to the Corporation.

Risk Owner

Each risk identified by TSHC must have a designated Risk Owner (i.e., the Division and/or Department) responsible for the overall management of the risk.

Subject Matter Experts

Subject Matter Experts are staff members or key partners (e.g., TCHC) who have subject matter knowledge and expertise to inform and guide the management of risks. They ensure that risks relevant to the achievement of business objectives are considered from all relevant perspectives, and that potential impacts of a risk (new or revised) can be assessed well in advance of that risk becoming a reality.

Employees

Employees are responsible for integrating risk management into their day-to-day activities. This includes applying the risk management process in their respective functions, informing management of new risks and significant changes to current risks, and providing requested information required for reporting.

Policy Content

Principles

The following principles will guide risk management at TSHC.

  • We recognize that risk – and risk management – is part of our day-to-day work.
  • We will balance risk and reward, working to do the right thing to maintain the trust of our tenants, staff and stakeholders.
  • We understand that everyone has a role to play in managing risk, and we work to establish clear accountability for understanding risks.
  • We know that risk is dynamic, and we seek to evolve to ensure that we manage risk in a way that is aligned with the needs of our operating environment.

Risk Management Process

General Approach

Structure and consistency in process and approach are key to successful risk management. TSHC’s risk management processes are aligned to the principles of the ISO 31000 Risk Management standard. The steps of our general risk management method are depicted below:

  1. Establish scope, context and criteria
  2. Risk Identification
  3. Risk Analysis
  4. Risk Evaluation
  5. Risk Treatment
  6. Monitoring and Review

Reporting

The Corporation will provide regular reporting on its enterprise-wide risks to provide decision-makers with a comprehensive and integrated view of its key risks. Risk reporting will be conducted in accordance with the procedures and processes defined in the Corporation’s ERM Framework. Risk reporting will provide information on risks and risk levels (i.e., impact and likelihood), risk treatment plans and the status of risk mitigation activities, and risk indicators to support monitoring of changes in risk trends.

Regular reporting will include:

  • Risk reports to be reviewed and actioned by the Leadership Team
  • Risk reports on key/top risks (i.e., risks with the highest impact and likelihood) that describe planned risk treatment, status against risk treatment action items, overall status of risk action plans, and trends in risk ratings to the Leadership Team to focus detailed reviews of the most relevant risks
  • Consolidated risk and performance reports on top/key risks and emerging risks to the Board of Directors and the AFRC

Related Legislation, Regulations, and TSHC Policies:

  • TSHC Audit, Finance, and Risk Committee Terms of Reference (TOR)

Amendments (Revision History):

Initial policy approved by Board of Directors on October 24, 2024, effective November 1, 2024.

Next Scheduled Review Date: 2027

This Policy will be reviewed once every three years.

Policy Contact

Director, Strategy and Business Management

Appendices

  • ERM Framework