Introduction to Risk Management - Video Transcript

We've got about an hour today so we're here to talk about risk.

Today I'm we're going to talk about what does that mean, what is risk?

And people have different notions coming into this.

A lot of times, what we find out, our clients is, risk is understood to be more financial, so they meet with Finance Group, deals with whether it be with the reports, the annual audit, whether it's relating to fraud risks or so.

Generally people think of it either as a finance risk or a catastrophic risk.

Looking at you know, or in the Nova Scotia we get hit by hurricanes, or we're here in BC, we're in a earthquake zone, or Manitoba or Saskatchewan, and there's flooding and tornadoes.

So people can just think about risk as that, or I think there's a question coming in and we do have, yeah, thank you for asking here's a question that's come in.

Do you have a list of common risks? We absolutely do.

In the materials that were sent out to you in the Excel spreadsheet, you'll see in one of the worksheets, it's called risk statements or risk themes.

And those are a list of risks, that in working with my clients across Canada, these risks seem to be common themes that came up fairly regularly, so they revolve around culture and language, and rates and title, and land use, land protection the environment health.

So these are risks that many of us face as working with First Nations so there is that list that's available to you.

We're going to be covering all today, why is risk important? What does it mean to you?

Why should you care about it? And what can you do about it that's the next problem.

What would be the approach?

And risk management is a very well established discipline if you can call it, that there is the approach, and we have a four-phased approach.

It's based on best practices and will be sharing that with you today, and walk you through that.

As part of this, we will be looking at who does what, because not everyone in the organization has the same responsibilities, and there's so many risks out there we will be talking about.

How to understand why at certain level, Chief and Council will be concerned about more high impact or high risk events as opposed to the staff who are into the day-to-day operational.

And then we're going to touch on what I really need to do well, our keys to success to really benefit from a risk management process.

And just to clarify where the other questions we have had, we did this webinar this morning was, do I need to have a risk management plan already in place? And the answer is no, absolutely not.

This session is really to go over the basics of what is risk, why you can benefit from managing it, and who does what, and how you can maximize the chances of achieving your strategic objectives. So no, you do not have to have a risk management plan in place.

So what is risk? It's generally speaking the possibility that a negative event will happen. And that this event may prevent your First Nation from achieving its objectives.

So it's pretty broad, it really builds on the notion that we all know that bad things happen, and that we we generally are not prepared to learn, not as well as we think we are, and so how can we anticipate them?

And in turn be prepared for them, and minimize the impact? So the  reason why it is important, and it's you know, we all tend to focus on our day-to-day, and get really involved in, and what keeps us up at night is generally not these larger, more impact-ful or hidden risks, you want to call it that.

We're usually focused on making sure we have enough cash to pay our bills, pay employees, making sure that we're filling in sick leaves, what fire we're putting out dealing with the day-to-day operations.

When really there is an expression in French which we had in Quebec said this morning that it's no one ever tripped over a mountain, but lots of people trip on stones.
And so that's what this is really capturing and saying, we need to look at those hidden, or out of mind of risks that are out there that can really impact our ability to meet our organization's strategic objectives.

So we like to think of it in the risk management world that risks can be opportunities and that better managing them will result in better outcomes for your First Nation to meet your strategic goals, to make better decisions, and to use and allocate your resources much more efficiently.

So it's changing the way that you think about something, and saying well you know we want to go ahead with looking at this economic development opportunity. One of a client out east

who was looking at tourism opportunity, and if they have an archaeological site that and there are urban so I think this could really bring a lot of visitors to their First Nation or to their territory and that's a great opportunity.

It's a great opportunity to build their culture, to share their culture, and to generate own source revenues, but the risks associated with it or that they're you know and they thought about this, and went to the members.

And the member said you know what? that means a lot of traffic going through our land, and that's going to be wear and tear on our roads and our infrastructure, and it's going to be bringing strangers into our community that may could harm our children.  So there you have to think of it as well.
There is an opportunity for sure and we all have our strategic objectives, but there's always risks that come with that. And it doesn't mean you would not pursue it, it just means you go in knowing that you would have to manage these risks that come with that strategic objective to generate own source revenues.

The question that come in, do you have a suggestion for other plans we should have?  

As well  it seems like we should have a strategic plan .

Actually that's a that's a good question.

Ideally yes, you would have a strategic plan in place because we're going to get to this and a little bit.

The risk management of planning is we recommend, and it's normally done in tandem with your strategic planning.

Now that's not to say that you can't get started on this because we do it.

And you know across Canada who just may not have a formal strategic plan but they know  their strategic priorities, or their members know when they have it outlined in a document they don't call it strategic plan per se, they call it either annual report, they have their priorities that they're focusing their efforts and and operations on, so certainly you can start from that and then look at the risks associated with that.

But generally I think as a best practice, as is you know outlined in your Financial Administration Law, that yes you would want to have a strategic plan, and you want to start with that if you don't have one already and once you have that, you would be look at risk management as part of that strategic planning process.

I just want to just pause for a minute, and allow anyone else, I know it's great we've been getting some questions.

So if anyone else has a question, to sort of remind you that you can go to the top left hand corner of your screen, and on a QA you can type in your questions in the box there. So feel free  to do that.

If there are any further questions at this point, I'll continue on with what is risk management.

So that the approach in that understandings first, which risks that your First Nation actually faces?

And this sounds a lot easier than it actually is because there's it's making sure that the right people are at the table talking about risks, and they are well informed. So it's departmental managers, and your senior management, your Senior Financial Officer, and your senior manager .  

You want to make sure that all those people have the knowledge to be having this brainstorming session on identifying the universe of risks because we tend to focus on what's right in front of us on a day-to-day.

But as we mentioned on a previous slide on line four, and it's really those other risks that are working in the industry shadows that can really prevent you from achieving your strategic objectives.

The framework to a risk management will also give you a method for evaluating risks in terms of the impact that they may have, and the likelihood that they may have occurd, and then what you can do about that.

There's different approaches to risk management, so what we're really getting at here is that not all risks are equal.

Because if they were, you commanded 200 risks right and that's a lot so it's really being able to narrow in on which risks matter most to your First Nation, and those risks that matter most are the ones that can most seriously stop you from achieving your strategic goals.

So and what naturally flows from that is that different risks are managed at different levels in your First Nation and we're to be talking about that in a little bit, in terms of who does what.

So this is what goes back to the earlier question from Sarah, which is, how this risk management then fit into my overall planning activities?  

So risk management is the whole process is usually done annually where you look at your universe of risks, and how you rank them, and then what you're going to be doing about that.

You do that in part of your strategic planning sessions.

So I know from working with clients, generally the way they'll do is they'll schedule a week to do their strategic planning, when they expect that the department have already done their work in advance of that planning session, that they've thought about and identified their priorities and activities, and how that links to strategic goals.

And then they meet together, and as part of that planning session, you would want to at least have a day of brainstorming set out for the risk management process.

We're going to get into the different phases of it.

I won't get ahead of this. But just so you understand that it is something that needs to be done.

It's a live document. It's something that needs to be ingrained in your organization. It's not something that should sit on the shelves and collect dust.

The decisions should be based on your risk management planning, their risk assessment .

This is just showing the different type of risks that exist.

So I'll put up the full graphic. You can see that at the top in the blue, we've got organizational risks. And those are ones that are real critical risk that could threaten members their viability, their ability as First Nation to operate, and that is managed at Council and senior management level.

And if you look to the left of the screen under control source, what we're really saying, there's what would that impact at this level organizationally.
You can control the risk through good decision-making.

So to an example of land-use planning and laying the tourism, you know opportunity and developing that versus the you know concerns that members, and you know the wear and tear of infrastructure, and the Privacy & safety of community.

Those are decisions that council need  to look at when they're assessing you know their strategic goals and initiatives.

When we go down the level to the yellow, the financial risk that's really what we're talking about.

Financial reporting audit risk, the risk that fraud could occur. So and this is generally managed at  Finance and Audit Committee level and the departmental level.

And it's you know you can look at making sure that the policies and procedures are in place to make sure that there aren't any faulty expense claims you know coming from employees that something accounting normally deal with.

And it's really dealt with through policy procedures. Having good rules in place, and then we get down to operational where we're really getting into the day-to-day, and that's managed through, again, the policies procedures and rules at a departmental level.

So an example of that would be you know one of our clients in the capital was saying they have vehicles that employees have to use to get from site to site, and that the employees were using the vehicles.

The risk was there, and they had you know, reason to believe that these vehicles are being used for personal reasons and that creates not only additional wear and tear on the vehicles, and there's a liability issue there as well.

As they're going to an accident, it was a you know a vehicle owned by the nation that was for personal use  to be covered by insurance.

There's all kinds of and that really goes added operational levels, those but generally not be managed by council.

Do you have templates for some of these items? Absolutely. Well what before I think your question, and correct me if I'm wrong, is do we have examples of policies and procedures to help you put in place the control structure to manage these types of risk? So the answer's absolutely, we do.

We have as many of you know on our website. Yes there is policies and procedures, so yes we do have very detailed policies and procedures around all these functions of finance, governance , HR, information management.

They're all on our website, and if you have trouble finding them, my coordinates are at the end of this presentation as our double team and Mindy Smith would be here, could also help you find those templates that we have.

We have identified  the risk management process that is really 4 stage process.

The first is the brainstorming,  identify all the possible risks and their impact.

That's the first stage, and we'll talk a little bit later about who gets involved at this level.

We then get into the risk register process, so that's now evaluating all of these risks, because you're going to have quite a few.

We've had clients who start you know maybe it was 30, and then others who bought 160 you know so it just depends on your context of you know what types of activities that you're involved in you know so many different factors.

So it will depend for each client each First Nation.

And then in this stage, the risk register you'll be evaluating the likelihood and impact of each risk, then you'll be going on to say well out of all of that then, how we rate them so we're saying, yeah there's is a chance that a tornado hits our community and it has happened for sure just happen in Manitoba, so it's a terrible thing but what are the chances that will happen, and what do we need to do about that to minimize it.  

You're not going to say yes you will manage and monitor report on the the highest risk, the highest impact and likely risks, and even moderately likely impacts on risk.

But generally speaking all the risk will, the last third where operational ones, do get minimized advantage through your control that you have in place, and the more that you implement your Financial Administration Law, and you will have progressed towards Financial Management System Certification, more controls that you actually have a place where those risks get managed  in turn.

And then the last stage is putting together a risk management plan, and then managing those key risks.

So that's a 4 stage continuous process. That yes you do revisit the whole process once a year, and you will be reporting on it quarterly in terms of monitoring any changes, any you know progress on your risk management plan. Are there any questions?

I can give this a few minutes, so feel free to jump in in terms of  this first stage, so and yeah just to remind you it is at the top left hand corner of your screen, the QA, to press on that and typing your questions.

This first stage that identifying the risk this is what it's going to start to look like in the template that we provided you in the Excel template under the risk register worksheet.

You'll see that you really in the brainstorming stage, you're really just going to want to have broader risk, and a broad description of the impact.

It's not at this stage that you get into quantifying the impact or trying to sort it.

Really the spirit of with this phase one would be identifying the risk that could happen in negative events is, trying to keep it general and trying to really think outside of the box.

So not recording our stories in language, and what will that has an impact that will impact have a negative impact on our culture, a lot of succession plans and that could impact our ability to continue the organization, loss of corporate knowledge, and what all the bad would it rolls delaying infrastructure and asset maintenance, so that could cause infrastructure failure and increased cost to your First Nation, to repair that it to replace those assets.

There can be planning shortfalls or even your funding cuts and then what that means for your members in terms of reduced or cut services, and not linking cultural values to economic development activities, and what that can mean that for the community to really understand with the example that I gave out east that you know.

And it's important to understand where your members are at with those other priorities are, so trying to get their support for certain initiative if it benefits the community and future generations.

So the next stage is looking at the evaluation. Maybe I should go back to the first issue.

I didn't mention, this is really, if we want to talk about who will be involved at this stage is, you want to have Chief and Council, your Finance and Audit Committee.

If you've got them in place and your band manageror your CAO and your Senior Financial Officer and departmental managers, that's really where the brainstorming this first phase is that.

We do recommend though as I mentioned earlier, come prepared to the session.

So i can give you an example. We have a client, who is, they have all been involved in forestry, and their economic development manager went out on sites to where they were logging and there was a machine that was being used that was not being used properly.

It was creating a very huge risk of safety to employees who were using that machine, and that that is a very serious risk that you have.

You know serious injury or death.

And so it was really just because the effective manager had gone out on site, and it had observed that the machine was not being used as it was supposed to be, all of the security precautions that sort of thing. So it was that was creating a huge risk not only for those who are using the machine, but for First Nation and so it's being aware of these risks.

So when you're coming to the table to the brainstorming session, is knowing making sure that you talk to your staff, you've had your own brainstorming session with your staff at your departmental manager or your head of finance or CAO.

You want to make sure you have the opportunity to let your organization do their respective brainstorming sessions, that you can then bring that information to the table with your Chief and Council to do the phase one of risk management process.

So the second phase is the evaluation. So how do we go about doing that?

We create a list of all the risk statements, and a potential impacted table called the risk register.

We've already outlined that and then we start to evaluate based on the chance that they're actually going to happen, the likelihood, and then what impacts and things are going to have.

So as you see in this slide, we've got three of the likelihood, and for as the impact for the risk, that there's a funding shortfall, and that there could be, the impact could be reduced or cut services to members. So what does that mean?

It's three and four, so the likelihood we have done  this is a client's risk register, and that means that they had said, well is possible number three meant it's possible that our funding is cut, and it depends by program.

It's very you know, that's just a broad statement, but you look at it is on spectrum from 1, that's  rare, to 5, almost certain.

So for example, our earthquake example or the tornado or the ice storms or hurricanes, it just depends you'll have to really, it's usually at the senior management level that they will evaluate what being the likelihood of the impact.

Once the brainstorming session is done on identifying your universe of risks which Chief and Council,  they usually then take a step back, and it usually  goes back to the senior management to start the process of accessing the likelihood, and then the impact is the same sort of spectrum where one would be a insignificant impact as five being catastrophic.

And this is where it can get tricky, because we also think of evaluating like the impact by in financial terms and quantifying the cost, but what would happen if this happens and what would that cost us.

I mean definitely that we want to think about that, but also be aware that in this process what we received feedback from our clients is they were just so surprised that there's just so many other impact that they hadn't thought of.

Like a risk to their reputation, and what does that mean, how do you quantify that. So it's lost economic development opportunities, you know give you an example, we talked about this morning it was a client of ours.

It's a small First Nation and the CAO travels frequently, and had a practice in the past of when they were going on the road, writing a blank cheque and leaving that for finance in the event that something came up when they weren't there.

So that they had that in place that went on for years, and then you know during the audit in the last year, there were some abnormalities that came up in the audit, and then it was determined that over the course of six years, half a million dollars had gone missing, and it was a particular person in finance that had been using these blank cheques.

And so this is where  that could have a catastrophic impact, and so but at the beginning of that, you know when obviously and more than one person knew about this practice of writing blank cheques, while evaluating the risk of adding clearly have been and probably not in any systematic way  like this process we're talking about, but really, just well you know we're really just trying to be efficient.

They didn't have segregation of duties.  They didn't have consistently two signatures on every cheque.

There weren't two approvals that were happening for expenditures. There were just lots of controls and procedure that were not in place to prevent such a thing that people knew that there were blank cheques.

And I'm still glad you know that's okay, like we'll assume that risk, we'll accepted it. Just goes to show that it was evaluated as being a minor impact would actually ended up having a fairly major, if not catastrophic events on this small First Nation.

So it's really making sure that you have everyone in the room, and knowing what's going on to be able to say, hey, I know this is going on, is this really something that you know helping us achieve our strategic objectives?

Or is this something that could stop us, or hinder us from doing that in terms of the next phase which is monitor and report?

This is where in the template that we've provided. I should pause on that on the last phase.

If there was any questions again, it's on the top left hand corner, Q&A, feel free, oh a question just came in.

How long generally does it take for First Nations to go through this process? I'm sure there are lots of variables. Is there a best case scenario timeline?

That's a very good question. So what is the timeline and if they're sort of benchmark? What we've seen is that it gets done with the strategic planning process, so usually that starts for client in december january, so you really informally they start to have like a session or sessions that I would be in the month of January.

So what we see is clients will start doing this in December, where they're meeting with their individual departments and doing their own brainstorming, and risk assessment processes, and then being able in january, for the senior management and Chief and Council and Finance and Audit Committee, then have a higher level discussions around you know, are these risks have we captured all the universe of risks?

And are these the impact and the likelihood, is that of the assessment that we all agree on, and speaking the same language.

So i would say it takes as long as it takes your regular planning, because it has to be integrated to that process, so i've seen people who get it done you know for the month of december and january, so it's a two month process.

That's really maybe a best practice, and others will either actually do it shorter, but then you run the risk of, are you really capturing all the risks that are the right people at the table.

So you want to make sure that you as you say, there's lots of variable, they're involved for small First Nations.

Obviously this may be a lot easier, 'cause it's easier to get the stakeholders and the key decision-makers in the room.

Whereas with larger and more complex where people are on the road a lot, it's just depends on the availability.

And it's just getting ahead of it in the webinar, but you know it needs to be taken seriously and needs to be on Council's agenda.

It needs to be reported on quarterly, so it's making sure that that remind.

Is there that this is just another part of our strategic planning process.

So thank you for that question.

So the phase three is looking at this risk dashboard, which is a way your template in the Excel spreadsheet that we center around this webinar. It automatically populates this grid, and it's really neat. It's great visual to see the highest ranking  risk.

So if you look in the top right-hand corner here of the red risk, that's telling you that this first nation has three risks that are ranked a 4 on the likelihood scale, and a five on the impact, so three risks from the risk register.  

So this is automatically populated from the risk register that has done in that template, so really this client has six risks  that are really ranked you know highly probable and having a high impact.

So you definitely want to be managing these risks. Creating a risk management plan, and make sure they're on Chief and Council's and Finance and Audit Committee's agenda and on their radar screen.

In the next area of this grid agency the orange or yellow, which is moderately monitored risk, which will have a moderate impact if they happen, and they have a moderate likelihood of happening.

So the number is here as you see in the book so there's three risks from the risk register of this First Nation, that  was deemed as having somewhat possible likelihood of happening, but if it did happen, it would be catastrophic which is why at this orange yellow level, you would still want to be managing people, including them in your risk management plan.

And generally they get managed a senior management level, so your CAO, CFO,  Finance and Audit Committee.

So in the examples that we have been given, either speaking about you know, you would I guess I'm beginning maybe more catastrophic ones of some of the smaller, not smaller, just the  ones that are more getting towards the operational, would be managing the expense claims.

For example, they could have a larger impact, if for example its expense claims coming from an employee who is working in public works and the submitting very high you know expense claims, as opposed to someone in education doesn't travel that much, is you know they just, it depends.

So that's why it's orange level, generally would be managed at the financial level , and at the departmental manager level.

And then we get into the green area of the grid, and those are really the operational risks, and that get captured in your control, and your policies and procedures, and generally that managed through that, and managed by staff, and what they do, and they also have code of conducts.

So it's really generally those wouldn't be included on your risk management plan, because they do can see from the numbers and here  this total to be quite a lot, and you've only got limited resources.

You can, you know, it is just isn't value-added to be trying to put a risk management action plans for the green level risk, and this is a dashboard that you would be looking at on a quarterly basis at minimum, and that will go into to that part of it in a few minutes.

In terms of the frequency, and then how you will follow up on this.

So now we're into managing the risk, and what is that risk management plan, and so we've talked about of a fair amount of the orange, of the red rated risks, so when we look at this example that we go back to it, on the funding shortfall due to a discontinuation of grant funding, and that this could impact the services to members by either cutting the service, or reduce, or stopping it outright, and so the risk management plan can be developing other ways to fund the program by use a portion of your own source revenues for core cultural programs.

What's interesting in this is an example I like.

Because one of our clients, I came from one of our clients, and the discussion was they were funding certain programs from their own source revenues, but the own source revenues were declining, and they knew that it was an agreement of that in place, and they knew that was going to be declining over the next five years, and that meant that they had to make adjustments to how they funded this particular program.

And it was interesting because the CFO said to me you know this risk measurement process really helps me and our senior management, Cheif and Council understand that we had to do something.

You couldn't just continue with doing what we were doing because we were going to run out of money to fund this program.

Because these are our revenue streams from our excess  is going to be declining and we knew that and yet we weren't doing anything about it, so we had to look at other areas or that we were funding, and they looked at some donations that they were making to members and they said, you know we went back to our community and said here's a situation we've got this program and we can't continue to fund it with our own sources, and what can we do about it?

Here's what we're recommending, that we're going to be cutting back on this particular area of donations to members that we've been making that was very significant, and using of a large portion of their own source revenues, and there isn't a community that said, yeah we really want to continue this program, and it was a great way for them to be able to go back to their resistance, and say this is the situation are you okay with it?

Because we've got a choice here we can continue the program, or we can you know cut the donation. There is something's gotta give, and so it really helped them to have that informed conversation amongst themselves, and with their members.

So that's what this risk management plan is about. He'll be assigning as you'll see in the Excel worksheet you know the owner of risk management action and the time frame so it's really a detailed plan that you'll be putting in place and monitoring on a regular basis.

So there's different actually, i'll just pause again for questions, if anyone wants to type in any questions, yep okay, are there any common mistakes in this process that we should know about so we can address those items before they are mistakes?

Yes, that's a good question. I think and yeah that's right now because this comes up a little bit later, but yes, but I think the most common a little bit called mistake or pitfall, is that the clients and the template that we've provided is used as as is and not tailored to your own specific circumstance.

And I think that's a common pitfall that we've seen, and unfortunately with that will end up being is that  you're not capturing all the risks could seriously impact your First Nation.

So it's taking the time, and setting the tone at the top, that this is really coming from Chief and Council and the senior managers and the departmental  managers that they buy into this, and this is really important and we need to understand the real risks that are in front of us, and how we can manage them.

So I think making sure that you make this your own, and that's a way to avoid that.

So the first risk management strategy is avoidance, so just stop the activity so for in that forestry example.

Actually maybe I'll go back to the blank cheques, is just stopping that nowhere blank cheques, that's just as simple as it got for them, and they did other things too and that's when we get into reduction, or putting in place different activities and policies, is really risk mitigation is this yellow next strategy.

And with the example of the blank cheques, is they put in place a Finance Audit Committee they put in place, policies and procedures around segregation of duties, and the delegation authorities and so it's really putting in place different activities to minimize the impact of the risk of fraud happening which is really simple. The white checks.

You can share or transfer some of the risk so that involves insurance when you're looking at insurance coverage for those catastrophic events or for accidents with the vehicles that we were talking about. Insurance will cover a portion of that.

In some instances you can enter into partnerships so there was an example of a water treatment plant and  a client of ours knew was going to need to be replaced within the next five years and they needed to look at how to put in place a financing plan for that they also had to look at there was an instance where the person who was maintaining the water treatment plant fell ill and they had to put in a replacement and that person was not, it turns out they found that person was not properly trained and was not maintaining the equipment as they should have.

It created a very large risk of serious risk to the health of the members in not having clean drinking water and so what they decided to do was enter into service agreement with a municipality close by so that they could access their training resources and vice versa so it was sort of a win-win for both of them and sharing the risk of maintaining water.

The water treatment equipment and the last one is accepting a risk where you say it like you know those of us who live in hurricane areas or flood areas or earthquake zones we just accept a certain portion of that risk and say we know we're living here and love it and that's just the way it's going to have to be.

Chief and council would generally have things they do have to sign off on that as part of the risk management plan that we accept that we will not be taking any further action on this so those are the four areas of risk management.

Are there any questions on  that ? Okay great

So I know it who does what and we've been talking about all throughout but just to be clear under your Financial Administration Law.

And in order to become Financial Management System certified, there's certain requirements at each level of the organization so for Chief and Council they need to make sure that there are policies and procedures in place and manage risks around fraud, financial reporting, your for-profit business activities, your investment, insurance policies, loans, guarantees and indemnities , emergency planning and your technology.

So these are the areas, and they're all included in the risk register in that template we gave you and just being you look at those, and all of the policies that support your Financial Administration Law contain the controls around these areas productivity so it is no sample policy that I referred to earlier.

And we now should send those around again to the whole group, I think that's what we'll do.

And we'll send around the sample policies to everyone.

And as we've mentioned earlier, Chief and Council do need to provide input into that risk assessment stage, phase one of the risk management process, and you need to be improving the risk management plan on an annual basis because it does get for you its entirety on an annual basis as we spoke about in the strategic planning process.

So the Finance and Audit Committee, so they would also provide input into the risk assessment process, they've got a unique perspective.

Really I'm looking at, from a more financial reporting perspective, and the audit, and also fraud risks, and making sure the control's in place to minimize those financial report on fraud risks are functioning effectively, and well also considering the cost.

So as you know, with Finance and Audit Committee, they're responsible for reporting, you know, making sure that monthly and quarterly that your annual financial reports are being done, making sure your external auditor is doing what they're supposed to be doing, they look of course at the risk management, and they're involved in the planning, and the budgeting  and we're seeing as well.

So that's why they're important to include in this risk assessment risk management process.

They have to recommend on an annual basis the risk management plan to Chief and Council, and they also will be reviewing it on a quarterly basis, and we'll see it in a second, a senior manager, your band manager will be presenting the risk management plan any progress made against a quarterly basis to the Finance and Audit Committee, so here we are a senior manager is the owner of this process.

They're really the one who is held accountable for making sure that the risk assessment process does get done, and then it gets monitored on a regular basis, so they have to ensure that the risk management plan gets prepared and updated on a quarterly basis, and presenting that to their Finance and Audit Committee.

The Senior Financial Officer is really more focused on the procedural as we've been talking about, so they're looking at the controls that are in place, managing the risks particularly around fraud and financial reporting, making sure that those dual separate approvals are happening that expenditures are linked to the budget that they're reporting on that, and that's all part of their control world, that that's what they're responsible for.

And that gets incorporated into risk management plan, from how that is being managed, and as we were saying with that blank cheque example, that you know it really, that is something that should have been flagged if they were doing a risk management process that likely would have been flagged as a higher risk activity, and they're just the CFO.

The SFO is assuring the approved procedures are taking place and they report on these to the Senior Manager on a quarterly basis, so now we're at the key.

So are there any questions on the rules? And who does what responsibilities?

Okay great, I think we've talked a bit, there was a question earlier that asked about you know, what are the common, what can go wrong?

And I think we've been talking about that they're really communicating and consistently across, the oh wait, there's a question of kind of, sorry that I missed how many people should be in the Audit Committee.

No we didn't talk about that, but certainly we can an audit community generally.

You have a minimum of three that's requirement in the Financial Administration Law, at least one of those has to be a counselor.

Generally as the counselor would be a chair at that Finance and Audit Committee.

If you have four or more members, you have to have two who are counselors, and one would be a Chair. There also used to be a Vice Chair appointed by Council.

If you go over three to four, you can go to five, it just gets a little more heavy to manage.

Certainly we do have clients who have larger Finance and Audit Committee, and they work just fine. Just making sure you have the right roles and responsibilities in terms of reference set out, so we have more information on Finance and Audit Committee available for everyone who wants to know more about that.

Or actually I think I'll just plug our pre-conference workshop that is going to be happening on February 7, 2017 as part of the AFOA National Conference.

So we will be going in depth on this Finance and Audit committee , so  you want to register.

You'll be getting a communication and email on that. If not this week, early next week.

So in terms of another key to success, it's monitoring. it's making sure this is a living document, it is not meant to sit on a shelf.

Just like your strategic plan, it  should be your go-to documents for making decisions, and making sure that what you're doing is helping the organization achieve its strategic objectives.

That's the same way as your risk management plan. It's the same thing.

It's making sure that you are doing everything that you can do, so that your First Nation achieves its goals.

So making sure that you're monitoring that.

Being consistent, so using the same approach across the organization. And that's this four phased approach that we talked about, because if you miss, if you go short on the first step which is the risk assessment, that's going to really compromise the rest of the process.

So make sure everyone understands the consistent approach that's communicated.

We're certainly able here in FMB to help you to you know, help train that process. If there's more that we can do to help explain it, we're here to do that.

Our contact information's at the end of this slide. Next we welcome you to reach out to us and making sure that you're being efficient and aligning your control and monitoring to those risks that matter the most.

So it goes back to my point earlier, which is making sure that you're focused on the risks that are really the risk that should be keeping you up at night, not the day to days.

You know there's the expression you don't trip over a mountain, you end up tripping over the stone.

Just making sure  your controls are in place for all those pebbles out there, but the mountain, that can really stop you from moving forward.

And so that's where it's making sure that you have the monitoring of that landscape of risk.

As you know, we live in a world that changes and you know what is the risk today may not be there tomorrow.

So making sure that you're aware of what your staff, what your Nation is facing, and what is important for your members, and I guess I could just only reiterate this needs to be an inclusive process, and to make sure that you have a process in place to get that feedback from your staff at the departmental level, so that when the managers go to be that they really are informed, and are able to brainstorm on all the risks that are, that your First Nation faces.

So and this I guess I'll open it up. I mean we have a few minutes left, if there's any other questions again, it's at the top left hand corner. You can enter in your question.

Well it looks like and again, here's our contact information I'm Suzanne Trottier and I got here with me Mindy Smith, we've also got Ritesh Desai and Melanie Lyons, who are more than happy to answer your questions and please feel free to reach out to us. Great, Thank you very much. Well, thank you all.