It is the responsibility of the Edmonton Police Commission (Commission) to ensure that the Edmonton Police Service (Service) is effectively managing all significant risks the organization faces.
The Commission also provides the oversight function for all audit functions and overall risk management for the Service to ensure that its assets and reputation are protected and safeguarded within reasonable business limits.
Definitions:
Risk: is the effect of uncertainty on objectives and is a positive or negative deviation from what is expected. In this policy risk refers to all those social, economic, organizational, and human elements both within the Service and the community it serves that would affect the achievement of the Service’s approved mission, goals, objectives, and activities.
Risk Management: refers to a coordinated set of activities and methods used to direct and control the risks that can affect an organization’s ability to achieve its objectives and to provide reasonable assurance regarding the achievement of the organization’s objectives.
Risk Management Framework: is a set of components that support and sustain risk management throughout an organization.
Risk Management Process: is the process of systematically applying risk management policies, procedures, and practices to a set of activities intended to establish the context, communicate and consult with stakeholders, and identify, analyze, evaluate, treat, monitor, record, report, and review risk.
Risk Profile: is a representation at a given point in time of an organization’s overall exposure to some specific risk or group of risks.
Guidelines:
- The Commission will be the primary oversight for all external and internal auditors.
- The Commission will integrate risk management into policies, strategic planning, and oversight of the Service.
- The Commission will participate in the annual review of risks, which is based on a scan of community issues and includes advice from the Chief.
- The Commission will ensure that the Service has established an enterprise risk management (ERM) process in which risk identification, awareness, tolerance, and mitigation are determined, monitored, and reported.
- The Commission will review and assess the Service’s Integrated Risk Management Framework and processes.
- The Commission will approve the Service’s Corporate Risk Profile (CPR) including the risk appetite and risk tolerance levels for significant risks identified, ensure mitigation strategies are in place, and review annually.
- The Commission will ensure that the risks identified in the Service’s CPR and other risk assessments are considered within the Commission’s annual audit plan.
- The Commission will approve and provide ongoing monitoring of the annual audit plan and strategic plan of the Director of Audit & Risks (Director), and ensure appropriate resourcing is available.
- The Service will provide the Commission with regular performance reports of the identified risk mitigation strategies and will include where their assessments have remained at the level identified, or if a raising or lowering of the residual risks has been deemed necessary.
- The Commission requires that the Director shall provide a risk-based audit plan that assesses risks within the organization whose priority merits an audit review.
- The Commission requires that the Chief of Police and the Director will provide the results of all audits, operational reviews, and compliance reviews. The Chief of Police and Director will highlight any issues that will assist in determining whether the Service and/or Commission is in compliance with related statutory requirements, and issues that have potential risk or liability to the Service and/or Commission.
- The Commission will provide ongoing monitoring of the actions taken by the Service in addressing unacceptable levels of risk and/or identified weaknesses in internal controls.
- The Commission will ensure that the Service has implemented appropriate systems of internal controls for financial reporting, compliance with all relevant laws and regulations, and financial, operational, and corporate risk exposure.
- The Commission will review any policies for which significant risks have been identified.
- The Commission will regularly review the processes in place to communicate a consistent message on risk management and associated expectations across the Service.
- The Commission will review the Service’s strategic plans to ensure there are performance measures and key performance indicators (KPIs) in place to monitor high risk areas.
- The Commission will ensure that all performance evaluations of the Chief address high risk areas that have been identified.
- The Commission will approve the Internal Audit Charter (Appendix E).
- The Commission will review, at a minimum every 5 years, the Internal Audit Quality Assurance and Improvement Program to ensure conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing.
- During external audits of the Commission, all members and staff will respond to record requests and/or inquiries in a timely manner and will work to ensure that the audit’s purpose, objectives, and scope are met.
- In addition to all internal audits and related work plans prepared by the Commission and/or the Service, the Commission may request external audits to be conducted on matters of concern to the Commission.
References:
- Appendix E – EPC Audit Charter
- 5.2.3 Finance and Audit Committee Terms of Reference