Purpose
The purpose of enterprise risk management (ERM) is to support WorkSafeNB in its pursuit of its organizational goals and objectives.
This will be accomplished by:
Scope
This policy applies to all activities, policies, procedures, plans, property, and individuals that constitute WorkSafeNB.
Statements
1.0 Background
WorkSafeNB has a legislated responsibility to serve New Brunswick’s workforce and its business community in a variety of ways. However, the activities, resources, and infrastructure needed to deliver upon these responsibilities expose the organization and its stakeholders to varying degrees of risk.
ERM is a proactive and systematic approach to identifying, understanding, managing and communicating risks that may impact WorkSafeNB’s ability to achieve its objectives.
WorkSafeNB’s disciplined approach to ERM results in more informed decision-making, strengthened management practices, and the consistent achievement of organizational goals and objectives. ERM also supports continuous improvement by enabling WorkSafeNB to manage the risk that is inherent in innovation.
2.0 Policy Statements
WorkSafeNB’s ERM discipline enables the organization to understand, manage, and communicate risk from an organization-wide perspective.
WorkSafeNB is committed to:
WorkSafeNB develops and advances an ERM policy, process, and framework. Collectively, these define WorkSafeNB’s approach to risk management. WorkSafeNB periodically reviews these components and makes updates as required.
WorkSafeNB’s Board of Directors establishes the risk appetite and risk criteria for the organization, and provides oversight for the ERM program.
The Executive Leadership Team ensures that the appropriate level of resources is allocated to support the risk management process and to those accountable and responsible for managing risk.
Risks are identified through the risk management process, which is integrated into WorkSafeNB’s planning processes and management activities. At a minimum, WorkSafeNB engages in a comprehensive, organization-wide risk identification and assessment activity in conjunction with its annual strategic planning process. Also, projects of significant scope or size require risk management to be incorporated into the project management process.
Management identifies new risks and reports on changes to existing risks when planning projects, launching new initiatives, and when evaluating operations. Management develops risk treatment plans for risks that are determined to be in excess of WorkSafeNB’s risk appetite.
Internal Audit monitors compliance with the ERM policy and process, and will recommend improvements to the ERM discipline.
3.0 Risk Management Principles
In a mature ERM culture, every member of the organization is familiar with the principles of risk management, participates in the management of risk within their area of responsibility, and escalates those risks beyond their scope of authority.
WorkSafeNB recognizes the risk management principles articulated in ISO 31000:2009. They are as follows:
1. Risk management creates and protects value.
New Brunswickers rely on WorkSafeNB to promote safety and provide care for New Brunswick’s workforce in a responsible and sustainable manner. By assessing and managing its risk, WorkSafeNB ensures that adversity will not erode the value that the organization creates for New Brunswickers, providing assurances that WorkSafeNB will reach its goals and deliver upon its responsibilities, in spite of forces to the contrary.
2. Risk management is an integral part of all organizational processes.
At WorkSafeNB, risk management is not a stand-alone activity that is separate from the day-to-day activities of the organization. Rather, risk management is integrated as a key consideration in all aspects of its business including the planning, execution, and evaluation of activities.
3. Risk management is part of decision-making.
WorkSafeNB uses a structured approach to identifying and evaluating risk as part of its decision-making process, helping decision makers make informed choices.
4. Risk management explicitly addresses uncertainty.
WorkSafeNB’s ERM manages the effects of uncertainty on WorkSafeNB’s ability to reach its objectives. By its very nature, ERM deals exclusively with events that have not yet happened – in contrast to organizational responses to those events which have already taken place.
5. Risk management is systematic, structured and timely.
WorkSafeNB is disciplined in its approach to ERM, ensuring that risk is identified, evaluated, and treated in a consistent, effective, and time-sensitive manner.
6. Risk management is based on the best available information.
WorkSafeNB makes every reasonable effort to ensure its risk management is rooted in reliable, accurate, and relevant data. Data can be both qualitative and quantitative, and can be derived from a number of sources, including historical data, experience, forecasts, stakeholder feedback, observation, and expert opinion.
7. Risk management is tailored.
Every organization is exposed to risk in unique ways based on the type of activities the firm engages in. WorkSafeNB tailors its risk management strategies and processes to most adequately address the risk it faces.
8. Risk management takes human and cultural factors into account.
WorkSafeNB considers the capabilities, perceptions, values, and intentions of its stakeholders (internal and external) as considerations within the risk management process.
9. Risk management is transparent and inclusive.
Appropriate and timely involvement of stakeholders and decision makers at all levels of the organization ensures that risk management remains relevant and up-to-date. Involvement of key stakeholders also allows for their views to be taken into account when assessing potential impacts of a particular risk.
10. Risk management is dynamic, iterative and responsive to change.
WorkSafeNB will remain agile and flexible in its approach to risk management. WorkSafeNB will continue to adapt its risk management strategies and tactics to an ever-changing landscape in order to adequately manage new and emerging risk.
11. Risk management facilitates continual improvement of the organization.
Risk management at WorkSafeNB is designed to facilitate continuous improvement and growth for the organization. This includes continual improvement of the risk management discipline itself.
4.0 Roles and Responsibilities
The roles and responsibilities of the parties involved in the risk management process are as follows:
Board of Directors
Executive Leadership Team
Management
Internal Audit
Planning and Policy
All Staff
Workplace Health, Safety and Compensation Commission and Workers’ Compensation Appeals Tribunal Act (S.N.B. 1994, c. W-14)
4(1), 4(2), 4(3), 4(4), 7(a), 7(b), 7(c), 7(d), 7(e), 7(f), 7(f.1), 7(g), 7(h)
Occupational Health and Safety Act (S.N.B. 1983, c. O-0.2)
8(1), 8(2), 9(1)(a), 9(1)(b), 9(1)(c), 12(a), 12(b), 12(c), 12(d), 12(e), 12(f), 47(1)(a), 47(1)(b), 47(2), 48, 49
Right to Information and Protection of Privacy Act (S.N.B. 2009, c. R-10.6)
Personal Health Information Privacy and Access Act (S.N.B. 2009, c. P-7.05)
Policy 45-002 Business Continuity Management
ERM Framework – a set of components that collectively provide definition and structure to an organization’s ERM discipline.
Risk – the effect of uncertainty on an organization’s ability to meet its objectives (positive or negative).
Risk Appetite – the level of risk that an organization is prepared to accept.
Risk Assessment – the overall process of identifying, analysing, and evaluating risk.
Risk Control – a specific measure that modifies an organization’s exposure to risk.
Risk Criteria – terms of reference against which the significance of a risk is evaluated.
Risk Identification – the process of finding, recognizing, and describing risk.
Risk Management – activities designed to identify, analyse, and control risk.
Risk Management Process – a systematic application of risk management policies and procedures which aid an organization in identifying, analysing, evaluating, treating, monitoring, communicating, and reviewing risk.
Risk Treatment – a strategy or series of initiatives intended to change an organization’s exposure to a particular risk. Risk treatment may consist of the implementation of a single or multiple risk controls.
Risk Treatment Plan – a plan that outlines the activities that an organization will undertake in order to manage risk.