A flow chart showing the Risk Governance structure at CMHC as well as the three lines of defense.
First row: Board of Directors
Second row: Audit Committee, Risk management committee, Other Board committees
Third row: Senior management
First line of defense — Identify and control: involves the business areas and support functions as well as the operations support teams within that group.
Second line of defense — Set standards and challenge: involves the chief risk officer, chief financial officer, and chief compliance officer.
Third line of defense — Independent Assurance: involves internal audit.
A risk management framework isn’t created once, then forgotten. Part of being an agile organization is continually revaluating and tweaking it.
For example, each year we report on a number of risk categories. This shows us where we need to focus and prioritize. This graph created at the end of last year, showed that our risks in terms of reputation, insurance and guarantees, credit, market and liquidity remained low.
So, with this information in hand, we know we can focus on categories of higher risk.
The fact that strategic risk is in the moderate zone tells us that we need to continue to optimize our ability as an organization to foresee and plan how to respond to changes in our environment.
The fact that operations risk was high, reaffirms our plans to continue shoring up our internal systems — namely IT systems — which have suffered from many years of underinvestment.
Identifying and addressing this risk led to and continues to inform a multi-year technology and business transformation initiative currently underway at CMHC. It’s a major push to improve client and employee experiences, create opportunities to innovate and transform our services. And in turn, it will allow us to better embrace agility and risk in our work.
Low acceptable — risk is low or appropriately managed, no action required.
Insurance and guarantee risk
Moderate cautionary — requires on-going management attention, action may be required
High cautionary — requires close management attention
One of the things I’m most proud of — and what has been key to our growth in risk management — is our work to create a risk culture.
As you all know, changing culture in any organization is difficult. Cultivating a risk culture doesn’t just happen organically. We’ve had to be proactive, consistent and committed to keeping the risk conversation going.
We developed an employee awareness campaign, called Risk is Everyone’s Business, and offered training to empower employees.
Managers are tasked with discussing risk with their teams — both the actual risks in their everyday work, and making the connection with the broader conversation about risk as a strategic direction.
We address risk in blogs and articles in our internal e-bulletin and intranet.
My team and I have hosted live info sessions for staff and prepared online training modules for new staff as part of the onboarding process.
Perhaps the most important move was to embed risk in our corporate values. These are the touchstones for our work. They send a powerful message of what we expect from each other.
This slide shows three of our ten values:
“Be an owner” means owning responsibility for success and failures.
“Celebrate both wins and failures” acknowledges that failure can be an acceptable risk — and an integral part of innovation.
“Ask why” engages staff in innovation. It sends a message that constructive criticism and questioning is encouraged by all levels in the organization. Our President reinforces this value and often tells staff that the most costly words to any organization are: “We’ve always done it this way.”
The good news is that these awareness efforts are paying off.
We take regular, short surveys of staff on the topic of risk. When we started we simply wanted to gauge get an evolving portrait of their understanding and awareness of risk.
Over the years, we’ve added more questions about behaviours related to risk. We have also defined our aspiration in term of risk culture and communicated it with our employees. They feel more empowered: one of the highlights of 2017 was seeing that 84 percent of staff agree with our risk management culture.
In the five years since we began our major push to strengthen risk culture at CMHC, we’ve also seen great progress in the levels of awareness, understanding and behaviours. Most important, we’re seeing a consistent shift from risk averse to smart risk taking. And we hope to push the needle even further in 2018.
The value-add of risk management
Because our experience has shown us that a strong, proactive approach to risk management can be a power lever to meeting organizational goals in many areas.
It helps shows where you can afford to take risk and where you can have the most impact. It clarifies your planning and shows where you can provide leadership.
Let me share a few stories from our experience.
A few years ago, as part of our work on risk management, we began creating a number of stress tests to assess our solvency in the event of various cataclysmic events. As our President says, a failure of imagination is all that prevents us from coming to terms with the risk we carry.
So why we imagine nightmare situations. Worse-case scenarios beyond our control. Disasters like an earthquake in Vancouver, an oil price shock over a sustained period, or a five- or six-year period of global economic deflation. How would these scenarios affect housing markets and CMHC’s solvency?
Over the years we’ve continued to boost our investments in technology and personnel to enhance our stress testing processes. This testing shows us that it would take a very severe housing downturn and huge increase in unemployment rates, lasting several years, to erode our capital significantly.
This is all great news… and certainly helps us to assess the risk of our decisions. But last year, we recently took this exercise a step further. We decided to share the results and the methodology of our testing. This is considered a bold move in the financial industry — and we had to overcome plenty of internal opposition to the idea.
People feared that the results would not be well understood. They feared criticism of our stress testing approach. Pushing past this fear proved to be a success. We’ve learned from the experience. Clients have reached out to us to discuss our approach, and we’ve become better risk managers as a result.
I’d ask you to think about your own organizations. What’s the risk appetite for being more transparent in exchange for more credibility, leadership, or create opportunities for innovation? Is this widely understood and supported across the organization?
Another value-add of risk management: Efficiency and operational effectiveness.
Through our risk assessment, we realized that one of our risks was overly heavy processes and bureaucracy. This led to a decision to flatten the hierarchy of the organization and reduce focus on levels.
Again, reflect on your own organization: Have you used a risk-based approach to look at some of your processes? Are there lower risk projects or activities that don’t need as many layers of approvals? Are there higher risk projects that need more direct involvement from senior management, and more agile processes?
This brings me to another area where strong risk management has added great value for us a CMHC: our technology and business transformation.
Our Chief Information Officer is a big supporter of using risk management to enable IT decisions.
We worked together, using our risk framework to guide our decision to outsource major parts of our technology transformation, and to take an iterative approach, trying and testing a series of smaller IT projects. This has helped us to avoid some of the pitfalls seen in other, now infamous, large-scale government IT projects.
We knew there was definitely some risk in deciding to work with an outside company, Accenture. It meant relinquishing some of the control. But we scoped out these risks and we’ve been able to mitigate them. To the extent that our outsourcing arrangement has become a model for other government departments.
First, we took a long term view of the partnership. This gave both parties the incentive to invest in the relationship at all levels, starting at the most senior levels. Our CIO reports to our President, sits at our executive table and makes regular reports to the Board on the progress of this initiative. Our President has made it clear to everyone that he is 100 percent in support of the partnership and fully committed to its success.
We ensured each party plays a clear role. Each adds value and complements the other partner’s contribution. Accenture brings expertise that CMHC does not have. However at the end of the day, CMHC remains accountable. We own the risk and have to be in the driver’s seat for decision making.
Risks are documented and discussed openly. And when things do go wrong, if you have a robust risk culture, you can use mistakes as a learning opportunity. Our CIO has been honest and upfront with staff about some of the bumps in the road in our digital transformation. In doing so, he’s modelling our risk culture – learning from mistakes and adjusting course accordingly.
Another value-add of our approach to risk has been increased employee engagement. Engagement continues to be an area of concern across government, as the public service’s annual employee survey shows.
But when you put employees in the first line of defense against risk, when you encourage them to ask why and to take risks, you are honouring their expertise. You are showing confidence in their unique first-hand understanding expertise of the programs and services they deliver.
We want employees to understand that there is no innovation without risk. They are fellow travellers — and effective risk management demands intentional innovation.
People need to know that they are accountable, but that it’s not the end of the world when calculated risks don’t result in the anticipated benefit. And there’s much to learn from experimentation.
It’s no coincidence that as our risk management culture has improved, so have our levels of employee engagement, enablement and morale.
Again, a question for you to consider in terms of your organization: Do your employees understand what the risks to your organization are? Do they understand their role in identifying and managing risk? Are they clear on what their sandbox is for taking calculated risks? What message are they getting about the repercussions when risks don’t pay off as planned? And how does this relate to levels of staff engagement in your organization?
Ultimately a risk culture is a culture of transparency, continuous learning and personal accountability — a culture that is positioned to be agile and innovative.
Which brings me to the value-add of risk management that I want to mention — and I’ve already made this point throughout my remarks: innovation.
Innovative government is sometimes called an oxymoron. But the innovation agenda is challenging us all to find ways to make this a reality. And the only way it’s possible is by embracing risk.
We’re fostering innovation in the housing sector through our funding. Housing projects that go beyond the usual partnerships and funding models, for example. We need to be sure we’re modelling this same thinking internally.
To be sure we did this, we actually included innovation into our risk appetite. That was a big move in itself because usually risk appetite statements are negative – for example: ‘Don’t go over this limit.” Instead we included a positive statement: Foster innovation.
We continue to make sure staff are aware of the linkage between innovation and risk management, to see examples of it in their peers and managers, and understand how to apply in their everyday work.
A couple examples: At CMHC we’re involved in a cross-divisional initiative called the Future of Work. We’re looking at our relationship with work and how we work, and the conditions that need to be in place to make us a higher performing organization. It brings together five work streams that address HR policies, our workspaces, technology — and is being built based on feedback from a national tour that engaged staff in all our regions.
Again… an initiative not without risk. It calls on us to fundamentally rethink how we work with clients and with each other. But it reflects our core values and promotes an accountable culture and enabled employees. Ultimately, we think these changes will benefit employees and our business alike, letting us focus on what really matters.
Risk and innovation also come together in our strategy development process. During this process, we ask ourselves: What value does CMHC bring to Canadians? How must we change to meet the changing needs of our society? There’s a real commitment in this process to not content ourselves with maintaining the status quo. We have to be willing to explore non-traditional partners, building projects, funding and delivery models if the change is beneficial to Canadians. Always with the right tools to identity and mitigate risk as we go along.
Because this is what brings our mandate to life. This is what will make it possible for us to continue to play a role in creating:
… a housing system that can withstand financial crisis — in whatever form they take.
… safe places for women and children leaving abuse…
… stable housing for people living with HIV/AIDS or addictions…
… housing for an aging population that wants to stay engaged and involved.
… affordable, quality housing for new Canadians, for families on-reserve… in the North… and other remote areas of Canada.
I want to leave some time for questions, so I’ll finish with this familiar quote from astronaut Neil Armstrong: “There can be no great accomplishment without risk.”
The impacts of 21st century transformations will play out differently for your organizations. But there’s no doubt they will be monumental.
We, as leaders of Crown agencies, will need to continue to monitor these changes in order to fulfil our respective mandates and better serve Canadians each in our own way. We’ll have to get better and better at anticipating them, charting new courses and then readjusting these courses to remain relevant. We’ll be under more scrutiny and called on to be more transparent than ever.
But the exciting thing about all of this is that it gives us the opportunity to embrace risk. It’s a chance for you to think about how you can use risk management to better understand your changing context. And as a lever for effecting change in your organization. How can risk assessment help you imagine where you can best make a difference? How can your goals to become more transparent help you to actually diffuse risk, and build credibility? How can fostering a risk culture help you meet some of your goals to boost staff engagement and innovation?
Thank you. I’d be happy to take any questions.