A performance audit conducted by the city’s independent auditor general has concluded the Vancouver Police Board and Vancouver Police Department do not have an “effective enterprise risk management framework” in place to oversee and manage organizational risks.
Fair question: what exactly does that mean?
And what is a performance audit, as opposed to a financial audit?
Does this mean the VPD’s finances were not examined in this exercise?
The following provides some answers and insight into the audit conducted by Auditor General Mike Macdonell and his staff. The findings are contained in a 64-page report recently posted to the city’s website.
When was the audit conducted and what was its scope?
The audit covered the period of Jan. 1, 2022 to July 31, 2023. Its scope included the police board and the VPD's risk management policies, frameworks, guidelines, processes, reports, data and other documentation related to the oversight and management of enterprise risk.
The audit did not assess the effectiveness of the VPD's identification or treatment of risks related to specific initiatives or services or management of operational day-to-day risks carried out to keep officers and the public safe.
How did Macdonell’s office obtain the information from the police board and VPD?
He and his office conducted interviews with board members and VPD staff responsible for risk management, reviewed and analyzed the strategies and practices in place to support the board and the VPD in managing department-wide risks and looked at approaches to “enterprise-risk management” in other Canadian policing jurisdictions.
Was this a financial audit?
No, the mandate for the city’s auditor general excludes financial attestation audits. Macdonell’s office only conducts performance audits, which are sometimes referred to as value-for-money or economy/efficiency/effectiveness. The audit of the VPD focused on organizational risk management, sometimes referred to as enterprise-wide risk management.
Enterprise risk management, or ERM, is mentioned frequently in the report. What does it mean?
Essentially, it’s the process an organization uses to ensure that risk information is adequately utilized in making decisions. This includes how risk is assessed, the roles and responsibilities of senior leaders and all employees in managing risk, and the effective reporting and communication of risk information throughout the organization.
An example of risk?
Reputational risks to the department as a result of officer misconduct and human resources-related risks to officer morale, retention and wellness.
Whose responsibility is it to implement an effective ERM program?
The responsibility for ERM is shared by the board as overseer of the VPD and the department itself. Given the budget for the VPD represents more 20 per cent of the city's total budget, and given VPD's critical public safety role, “it is particularly important for VPD to have an effective framework in place to oversee and manage enterprise risks.”
What were the findings of the audit regarding the police board?
Some of the findings included gaps in the [police] board's approach to overseeing enterprise risks “that limited its ability to stay appropriately informed about major risks and the processes the VPD used to identify, monitor, manage and report on those risks.”
The board defined its risk management oversight responsibilities in its governance manual. However, the manual had several gaps and limitations, and the board had not followed through on implementing some aspects of its policy.
Although the board and VPD identified, discussed, and addressed some enterprise-wide risks, the oversight process primarily involved the board receiving limited risk and issue-related information from the department, “discussing issues at meetings as the department raised them, and initiating ad hoc responses after incidents occurred.”
The board did not take steps to ensure that risk mitigation strategies identified by the VPD were in place and working.
Also, some information the VPD provided to the board was “dated, inaccurate or highly generalized.”
Findings regarding the VPD?
Although the VPD had unit-level processes in place intended to manage risks and threats affecting its ability to keep the public safe, the department did not have:
• An ERM program, documented framework, policy direction or processes to guide its management of enterprise risks.
• A dedicated function or business area to ensure that management can effectively manage its enterprise risks and use risk-based decision-making to support the achievement of organizational objectives.
In the absence of an appropriate framework, the VPD annually presented a set of risks to the police board.
However, there was no record that the department presented or discussed its methodology or processes with the board, “further limiting the level of assurance and oversight the board had on the completeness or robustness of the risks and mitigation activities the department identified.”
Were any case studies provided?
No, the findings were not specific to one case or cases, where details of an incident or concern and person or people involved were identified.
Did the auditor general make any recommendations?
Yes, nine. Both the board and department have committed to implementing all of them, with police board member Frank Chong saying in an email Monday that:
“The Vancouver Police Board recognizes that enterprise risk management is ultimately a governance accountability and accepts the auditor general’s findings and recommendations. The board’s finance and risk committee has already begun taking steps to act on recommendations to expand the committee’s terms of reference and develop an ERM framework for the organization.”
What was the VPD’s response?
In a lengthy statement provided in the audit report, the department said it acknowledges the findings of the report and is supportive of the recommendations, “understanding that dedicated resources and increased organizational capacity will be needed to prioritize the implementation of these recommendations.”