Logo Internal Audit Report

Internal Audit Report

Audit of Legal Risk Management

Project 2013-6B259

Date: March 7, 2014

Logo canada government

TABLE OF CONTENTS

1.0 EXECUTIVE SUMMARY
2.0 BACKGROUND
3.0 AUDIT OBJECTIVE
4.0 AUDIT SCOPE
5.0 AUDIT APPROACH
6.0 AUDIT FINDINGS
7.0 AUDIT OPINION
8.0 STATEMENT OF ASSURANCE
APPENDIX A — AUDIT CRITERIA

1.0  EXECUTIVE SUMMARY

Fisheries and Oceans Canada has demonstrated its commitment to legal risk management through the establishment of the Department’s Legal Risk Management Committee in 2001. In the spring of 2010, a review of the legal risk management process was undertaken to ensure that the Department’s legal risk management regime was positioned to strategically and proactively identify, track, assess and manage the legal risks facing the organization.

As a result of this review, a number of initiatives were undertaken to enhance the Department’s legal risk management program.  The following list highlights some of the key initiatives that were undertaken:

  • The mandate and membership structure of the Legal Risk Management Committee were revised to reflect the need to be more strategic and less transactional.
  • The Legal Risk Management Committee established ad-hoc working groups to undertake the analytical work required on the priority legal risks facing the Department.
  • A new Legal Risk Management Secretariat was formed to support the work of the Legal Risk Management Committee.

The audit examined whether the controls established by the Department for managing its legal risks following the legal risk management process review were appropriate and functioning as intended. Based on the audit findings, our opinion is that, overall, controls are in place and effective for managing the legal risks facing the Department. The renewed Legal Risk Management Committee identified in its new Terms of Reference key roles and responsibilities as well as outcomes to be achieved to enhance the Department’s legal risk management regime. While the Committee has met some of these requirements, not all of the roles and responsibilities were fulfilled.

There are improvements that should be made to ensure the work of the Legal Risk Management Committee features a continued emphasis on the strategic management of the Department’s legal risks in an effort to proactively and sustainably embed the culture of legal risk management into policy, program and operational planning and decision making. The recommended improvements are as follows:

  • Develop a detailed work plan and/or forward agenda that covers all of the responsibilities defined in the Terms of Reference of the Committee.  The detailed work plan and/or forward agenda would include such items as:
    • Reassess the Department’s top legal risks, risk drivers, and legal risk management strategies on a regular basis to ensure they remain relevant and reflect the Department’s legal risk environment.
    • Review and approve the key risk indicator and target that are to be included as part of the Department’s Corporate Risk Profile.
    • Perform a self-assessment to measure and monitor the Committee performance in achieving the objectives defined for legal risk management. 
  • Revisit the roles and responsibilities of the Legal Risk Management Secretariat to ensure that they accurately reflect the needs of the Committee.
  • Develop and implement a communication and training strategy to ensure that the Department's legal risk management concepts are disseminated to departmental staff as a means of embedding a culture of legal risk management within the Department.
  • Define the roles and responsibilities for reviewing and updating the Legal Risk Management Diagnostic Instrument to ensure that this training tool is updated to reflect any changes in the Department's legal risk environment and then communicated to the user community.
  • Clarify the roles, responsibilities and accountabilities for managing and maintaining the legal risk management documentation stemming from the Committee as well as its Subcommittee and ad-hoc working groups. 

Management Response

Management is in agreement with the audit findings and has accepted the recommendations included in this report. Management Action Plans have been developed by Management and have been included in the report to address the recommendations.

2.0 BACKGROUND

Legal Risk Management within the Government of Canada

Within the federal Government of Canada, risks, including legal risks, are present in all aspects of the government’s activities. Legal risk management is a key component of the Treasury Board Secretariat’s Framework for the Management of Risk.   The Framework indicates that the deputy head of each federal department and agency is responsible for the management of the risks (including legal risks) associated with their program and policy decisions.

The Treasury Board Secretariat and the Department of Justice define legal risk management as a process of making and carrying out decisions that reduce the uncertainty, the frequency and severity of legal problems that may affect the department’s or agency’s ability to meet its objectives successfully. It includes the identification, assessment, communication, prevention, mitigation and management of legal risks.

As part of its mandate, the Department of Justice provides legal risk management advice through its broad range of legal advisory, litigation and legislative services to government departments and agencies. It is in this context that the Department of Justice supports individual client departments, like the Department of Fisheries and Oceans, in their legal risk management activities.  Stated more clearly, the Department of Justice provides legal advice to the client department; however, it is the client department’s responsibility to determine the viability, means, and timing of incorporating the legal advice into its policies, programs, and operations based on the direction of the Government of Canada and the availability of resources.

Legal Risk Management within Fisheries and Oceans Canada

The Department of Fisheries and Oceans is responsible for legal risk management and its integration with corporate risk management.  As a result of historical litigation that impacted the Department’s policies and programs, and the measures taken to prevent and manage subsequent litigation risks, the Department has had an active legal risk management program since 2001. Two main elements within the program include the following:

  • A Legal Risk Management Committee that is chaired by the Associate Deputy Minister, co-chaired by the Senior General Counsel, and attended by members from the Departmental Management Board, the Senior Counsel, Legal Risk Management, and other selected members (e.g. Litigation Prevention and Management Coordinators).
  • A Litigation Prevention and Management Subcommittee (formally called the High Impact Committee) that supports the work of the Legal Risk Management Committee.  The Subcommittee is co-chaired by the Senior Counsel, Legal Risk Management, and the Legal Risk Management Secretariat Head.  Attending members include Litigation Prevention and Management Coordinators (from each sector and region) and the Senior General Counsel.

In the spring of 2010, the Deputy Minister challenged those involved in the management of the Department’s legal risks to establish a process that would ensure that the Department’s legal risk management regime was positioned to strategically and proactively identify, track, assess and manage the legal risks facing the organization. By doing so, legal risk vulnerabilities would be identified, and prevention, management and/or mitigation measures implemented more strategically.  

Furthermore, linkages between legal risks, corporate risks, mitigation actions and departmental business planning would be developed. In response to this challenge, a number of initiatives were undertaken to enhance the Department’s legal risk management program.  The following list highlights some of the key initiatives that were undertaken:

  • The mandate and membership structure of the Legal Risk Management Committee were revised to reflect the need to be more strategic and less transactional.
  • The Legal Risk Management Committee established ad-hoc working groups to undertake the analytical work required on the priority legal risks facing the Department.
  • A new Legal Risk Management Secretariat was formed to support the work of the Legal Risk Management Committee.  The Secretariat includes a Legal Risk Management Secretariat Head, and a Legal Risk Management Secretariat Manager who report to the Associate Deputy Minister.

It is anticipated that the Legal Risk Management Secretariat will also support the work of the Litigation Prevention and Management Subcommittee.  However, at the present time, the secretariat services to the Litigation Prevention and Management Subcommittee are being performed by the Senior Counsel, Legal Risk Management (co-chair) and other staff from the Department’s Legal Services Unit.

3.0 AUDIT OBJECTIVE

The audit objective is to provide assurance that the departmental controls for managing the legal risks facing the Department are appropriate and functioning as intended.

4.0 AUDIT SCOPE

The scope of this audit was risk-based and focused on the framework and initiatives that were in place from May 2010 to May 3, 2013.   The audit gathered evidence through interviews with key personnel and a review of documentation pertaining to legal risk management.

5.0 AUDIT APPROACH

The examination phase of this audit commenced in August 2013 and concluded in September 2013.  The audit team carried out its mandate in accordance with Treasury Board’s Policy on Internal Audit and the Internal Audit Standards for the Government of Canada.  The audit employed various techniques including a risk assessment of the audit entity, interviews, as well as reviews and analysis of documentation and information.

6.0 AUDIT FINDINGS

It is acknowledged that during the conduct of this audit, the Government of Canada’s 2013, Economic Action Plan (Budget 2013) outlined the Department’s commitments to pursue organizational changes to reduce duplication and improve decision-making processes (Budget 2013, page.266, 1st bullet, 3rd sentence).

Although the findings presented below are based on existing departmental decision-making processes, they should be considered as part of the transition as a means of ensuring that the Department continues to take responsibility for legal risk management and its integration with corporate risk management, policy work, operational decision making and business planning.

This section provides the observations and recommendations resulting from the audit work carried out.  While the audit was conducted based on the lines of enquiry and audit criteria identified in the planning phase, this report is structured along the following main themes:

  • Governance;
  • Risk Management Processes; 
  • Information Management; and
  • Performance.

Based the audit work performed and our professional judgment, the risk associated with each observation was rated using a three-point scale. The risk ranking (high, moderate, and low) is based on the level of potential risk exposure we feel may have an impact on the achievement of Fisheries and Oceans Canada objectives, and is indicative of the priority Management should give to the recommendations associated with that observation. The following criteria were used in determining the risk exposure level:

Criteria Table
High Controls are not in place or are inadequate.
Compliance with legislation and regulations is inadequate.
Important issues are identified that could negatively impact the achievement of program/operational objectives.
Moderate Controls are in place but are not being sufficiently complied with.
Compliance with central agency/departmental policies and established procedures is inadequate.
Issues are identified that could negatively impact the efficiency and effectiveness of operations.
Low Controls are in place but the level of compliance varies.
Compliance with central agency/departmental policies and established procedures varies.
Issues identified are less significant but opportunities that could enhance operations exist.

6.1 GOVERNANCE

The Treasury Board Secretariat Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors, March 2011, notes the importance of the presence of an oversight body by indicating that such bodies “ensure that management’s direction, plans and actions are appropriate and responsible.  Oversight bodies should be provided with timely and accurate financial and operating information in order to fulfill their oversight function. Resource allocation and budgets include financial, human and physical resources.  These are critical elements of a control framework as they define the required resources and competencies, and serve to ensure that sufficient resources exist to meet the objectives of the entity.   These controls provide employees and third party service providers with a clear understanding of priorities and performance targets and provide tangible support in the pursuit of operational objectives.”

Observations Section 6.1
Observations
Moderate 6.1.1 Governance

A renewed Legal Risk Management Committee was established in March 2011, and has a documented Terms of Reference that outlines the objective, mandate, membership, roles and responsibilities, operating principles as well as Secretariat support for the Committee.  However, not all of the requirements in the Terms of Reference are being fulfilled by the Legal Risk Management Committee or the Legal Risk Management Secretariat.

Legal Risk Management Committee:
Following the Department’s legal risk management process review in May 2010, a renewed Legal Risk Management Committee was approved by the Departmental Management Committee on May 26, 2010. The new Terms of Reference for the Committee were adopted on June 11, 2011.

Based on interviews and documentation review, the Legal Risk Management Committee was renewed with sufficient expertise, and the members from the Committee were aware of their roles and responsibilities as defined in the new Terms of Reference.  It was noted, however, that the rotational nature of the membership of the Committee for Regional Directors General and regional Litigation Prevention Management Coordinators may need to be revisited as there is a concern that the rotational nature of membership may disadvantage those regions that have areas of high legal risks but may not be represented at the time that those areas of high risk are presented to the Committee for discussion.

It was also noted during the documentation review that the renewed Legal Risk Management Committee was functioning and fulfilling most of its roles and responsibilities as outlined in its new Terms of Reference. However, the absence of a detailed work plan and/or forward agenda that covers all of the responsibilities defined in the Terms of Reference limited the Committee's ability to assess its performance on an annual basis, and revise its Terms of Reference accordingly. As a result, there is a risk that the Committee may be unable to provide assurance that its defined mandate and desired outcomes for legal risk management are being achieved within the Department.

Moderate

Legal Risk Management Secretariat:
Interviews as well as the documentation review revealed that the Legal Risk Management Secretariat was not functioning as intended to perform necessary strategic analysis to identify emerging themes and strategies as per the new Terms of Reference of the Legal Risk Management Committee. The Committee acknowledges this weakness and recognizes the need to re-examine the roles and responsibilities of the Legal Risk Management Secretariat.

Litigation Prevention and Management Subcommittee:
The new Terms of Reference of the Legal Risk Management Committee requires the Legal Risk Management Secretariat to attend and support the work of the Department’s Litigation Prevention and Management Subcommittee as a means of ensuring that the work of the Subcommittee and the Legal Risk Management Committee are aligned. However, interviews indicated that the Head of the Legal Risk Management Secretariat, who is also the Co-Chair of the Subcommittee, does not attend the meetings of the Subcommittee.  As a result, an essential linkage between the Legal Risk Management Committee and the Litigation Prevention Management Subcommittee is missing.  Furthermore, the absence of a key leadership role on the Subcommittee weakens the Department's representation on this joint working level committee as well as limits the Subcommittee's ability to undertake strategic analysis, and forward scanning as per its Terms of Reference.

Ad Hoc Working Groups of the Legal Risk Management Committee:
The Legal Risk Management Committee may decide to create temporary and/or permanent ad hoc working groups to perform the analytical work as needed.  Interviews and documentation review determined that the ad hoc working groups are a good approach to undertaking strategic and analytical work on behalf of the Legal Risk Management Committee. These groups were able to examine in more detail the factors (legal risk drivers) that are causing the legal risk considerations to occur.  It was also determined that the membership on the ad hoc working groups included sufficient representation and expertise from across the Department and legal services to perform assigned tasks.

Recommendations / Managment Action Plan
Recommendation Management Action Plan

R- 1.  The Chair of the Legal Risk Management Committee should develop a detailed work plan (or forward agenda) that covers all of the responsibilities defined in the Terms of Reference.  The detailed work plan (or forward agenda) would include such items as:

  • Reassessing the Department's Top Legal Risks, risk drivers, and Legal Risk Management Strategies on a regular basis to ensure they remain relevant and reflect the Department’s legal risk environment;
  • Reviewing and approving the key risk indicator and target that are to be included as part of the Department’s Corporate Risk Profile; and
  • Developing and performing a self-assessment to measure and monitor the committee's performance in achieving the objectives defined for legal risk management.

Given the recent changes to the structure of the Department’s senior management committees, a detailed work plan (or forward agenda) for the Legal Risk Management Committee is currently under development. 

As part of establishing the Committee’s priorities for the work plan, a special Committee meeting was held on February 27, 2014.  During this meeting progress was made on a number of the Committee’s responsibilities that included (but not limited to) the reassessment of the Department's Top Legal Risks and Risk Drivers.  For the top two legal risks that were identified, Champions were assigned to work on Legal Risk Management Strategies.  It is anticipated that as part of this work, key risk indicators will be identified.  Work Plans for the top two legal risks are expected to be in place by September 2014. These plans will be aligned with the actions necessary to mitigate the identified risks.

Office of Primary Interest: The Chair of the Legal Risk Management Committee
Due Date: September 2014 (Work plans-top 2 legal risks) February 2015
  
Recommendation Management Action Plan

R-2.  The Chair of the Legal Risk Management Committee should revisit the roles and responsibilities of the Legal Risk Management Secretariat to ensure that they accurately reflect the needs of the Committee.  Furthermore, the Committee should re-evaluate the resource requirements to fulfill those needs and ensure there is an alignment between the resources allocated and the responsibilities assigned to the Secretariat.

Given the Department’s commitment to implement the changes identified in the Government of Canada’s 2013, Economic Action Plan (Budget 2013), the resources allocated, as well as the roles and responsibilities assigned to the Legal Risk Management Secretariat and the Litigation Prevention and Management Subcommittee are currently being evaluated based on the current resource reality and limited capacity. In addition, a review of the Committee’s Terms of Reference will also be carried out in the coming fiscal year.

In the meantime, activities performed by the Secretariat are currently housed within the Legislative and Parliamentary Affairs Group of Strategic Policy.

Office of Primary Interest: The Chair of the Legal Risk Management Committee
Due Date: March 2015

6.2 RISK MANAGEMENT PROCESSES

According to the Guide to Project Management Body of Knowledge, risk management is a systematic process of identifying, analyzing and responding to risks. Risks should be managed proactively and formal risk management practices must be included in a control framework in order to assist decision-making and monitor the changes to the conditions that may result in risk or opportunity. Risk monitoring and control is an ongoing process of keeping track of the identified risks, monitoring residual risks, identifying new risks and evaluating the effectiveness of the risk management process.
According to the Treasury Board Framework for the Management of Risk, a key role of the Deputy Head is to ensure that risk management principles and practices are understood and integrated into the various activities of their organization. In addition, Deputy Heads play an important role in creating a learning environment that promotes continuous improvement in risk management competencies and capacity within their organization. Through their leadership, Deputy Heads foster a risk-informed organizational culture that supports risk-informed decision-making, enables dialogue on risk tolerance, focuses on results and enables the consideration of both opportunity and innovation.

Observations Section 6.2
Observations
Moderate 6.2.1 Risk Management Processes

Although the Department's top legal risks, legal risk drivers, and legal risk management strategies were identified in 2010, the Legal Risk Management Committee has not undertaken a process to reassess the top legal risks facing the Department or their risk management strategies.

Furthermore, the Committee has not developed and implemented a communication and training strategy to ensure that the Department's legal risk management concepts are disseminated to departmental staff as a means of embedding a culture of legal risk management within the Department as stated in its new Terms of Reference.

As part of the Legal Risk Management Committee process review in May 2010, the Department’s top legal risks, legal risk drivers, and legal risk management strategies were identified and added to the Department’s legal risk management program. Furthermore, in an effort to better understand the source of the legal risks and inform policy and program decisions, the Committee established ad-hoc working groups to examine the legal risk drivers underlying the Department's high impact litigation and prosecution cases. The auditors, however, did not find evidence to demonstrate that a systematic review had been performed to update the Department’s top legal risks, legal risk drivers, and legal risk management strategies to reflect the Department’s current operating environment. By not undertaking a systematic review as part of its formal work plan and/or forward agenda the Committee may be expanding effort in responding to areas of legal risks that may be of a lower risk while missing potentially higher risks. The Committee acknowledged the need to review and update these key elements of the Department’s legal risk management program especially as they were developed prior to the implementation of the Department’s transformation initiatives.

Interviews as well as the documentation review revealed that as part of the Department’s legal risk management program, the Department's Litigation Prevention and Management Subcommittee uses high impact criteria to assess the legal risks of the Department's litigation, prosecution and other legal issues on an ongoing basis. The results from these assessments form a Table of High Impact Issues and Cases that is used to monitor or track high risk litigation and prosecution cases and other high risk legal issues, and inform the Legal Risk Management Committee as well as senior managers in the program areas on an on-going basis. It is also important to note that the Table is also the basis for preparing the High Impact Briefing Notes which are distributed bimonthly to the Departmental Management Board, the  Legal Risk Management Committee,  Litigation Prevention and Management Subcommittee, as well as other interested senior managers.

Benchmarking with other government departments revealed that the continuum for training departmental staff on legal risk management concepts can vary from specific training provided in-person and/or on-line to being included as part of their Integrated Risk Management training.

Within Fisheries and Oceans Canada, there is no specific legal risk management training. However, at the direction of the Committee a Legal Risk Management Diagnostic Instrument was developed and posted on the Integrated Risk Management intranet on May 31, 2013 as part of the Department's suite of risk management guides and tools.  The Committee added the Instrument to the Department’s legal risk management program, as a means of providing departmental managers and officers with an increased capacity to identify and then manage potential or actual legal risks associated with the Department’s policies and programs for which they have responsibility. Based on interviews and documentation review; however, the essential elements for the implementation of the Instrument have not been established such as a strategy to communicate or provide training to the intended departmental staff to increase the likelihood of the Instrument being used. Moreover, the assignment of the roles and responsibilities for the on-going maintenance of the Instrument has not been done to ensure that it is updated to reflect changes in the Department's legal risk environment, and that the changes are then communicated to the intended departmental staff.  As a result, there is a risk that departmental staff may not fully understand or be aware of their role and/or the linkages between legal risk management and policy, program, operational planning and decision-making.

Interviews with members from the Legal Risk Management Committee indicated that there are challenges in communicating certain solicitor/client privileged legal risk management documentation to departmental staff as wide distribution may inadvertently result in the loss of the privilege thus increasing the Department’s legal risk. As a mitigating measure it is worth noting, that the Corporate Planning Performance and Risk Management Branch hold regular risk management meetings through the Department’s Corporate Planning, Performance and Risk Management network and that legal risks are included. Legal Services and the Legal Risk Management Secretariat often deliver a training module on legal risk management through these national meetings. Moreover, legal risk is included as a key risk in the Department's Corporate Risk Profile. Finally, the Litigation Prevention and Management Subcommittee is an ongoing means for Legal Services to provide training on legal risk management to the Department’s Litigation Prevention and Management coordinators in the regions, who in turn provide legal risk management training to managers and employees in the regions and sectors.

Recommendations / Managment Action Plan
Recommendation Management Action Plan
R-3. See Recommendation 1 for audit criterion 1.1 a See Management Action Plan for Recommendation R-1.
Office of Primary Interest: The Chair of the Legal Risk Management Committee
Due Date: February 2015
  
Recommendation Management Action Plan

R-4.  The Chair of the Legal Risk Management Committee should develop and implement a communication and training strategy to ensure that the Department's legal risk management concepts are disseminated to departmental staff as a means of embedding a culture of legal risk management within the Department. 

The Chair of the Legal Risk Management Committee requests that this management action plan be considered completed based on the following actions that have been taken.

As an outcome of the February 27, 2014, special Legal Risk Management Committee meeting, a reassessment of the Department's Top Legal Risks and Risk Drivers was undertaken.  For the top two legal risks that were identified, Champions were assigned to work on Legal Risk Management Strategies.  It is anticipated that as part of this work, the necessary communication and training components will be considered and reflected in the strategies developed.

For those legal risks that have been identified as having a lower impact and/or lower probability of occurring, the risks will be validated with case history and existing mitigation strategies such as reinforcing the need to follow protocols, attention to occupational health and safety policies, and establishing best practices.  This approach is deemed acceptable by the Committee, as it is felt that there is a good awareness of legal risk within the Department among executives.  In addition, a number of education and outreach tools have been put in place that include (but are not limited to) Legal Awareness Training, Risk Management Workshops and ongoing advice from the departmental Legal Services Unit. 

Office of Primary Interest: The Chair of the Legal Risk Management Committee
Due Date: Completed
  
Recommendation Management Action Plan

R-5.  The Chair of the Legal Risk Management Committee should define the roles and responsibilities for reviewing and updating the Legal Risk Management Diagnostic Instrument to ensure that this training instrument is updated to reflect any changes in the Department's legal risk environment and then communicated to the user community.

As part of the follow up from the February 27, 2014, special Legal Risk Management Committee meeting and the upcoming work of Champions on the two identified top legal risks, the Legal Risk Management Diagnostic Instrument will be reviewed.

Office of Primary Interest: The Chair of the Legal Risk Management Committee
Due Date: March 2015

6.3 INFORMATION MANAGEMENT

The Treasury Board Directive on Recordkeeping identifies information management as an essential component in the effective management of the business of a department.  Clear accountabilities for information management ensure that information retains its value throughout the entire period for which it is required for government business.

According to the Treasury Board Secretariat Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors, oversight committees should receive and consider relevant and complete information from a variety of sources, in a timely fashion to permit them to fulfill their function.

Observations Section 6.3
Observations
Low  6.3.1 Information Management

Although the Legal Risk Management Committee and its subcommittees (including the ad-hoc working groups) were provided with sufficient, complete and accurate information in a timely manner to fulfill their roles and responsibilities, there is no information management strategy for legal risk management documentation, except that Legal Services retains legal opinions, and information on litigation and prosecution cases. The Governance Secretariat maintains records of Legal Risk Management Committee meetings, including documents, agendas and records of discussion.

Although there is no formal information management strategy for legal risk management, the documentation review revealed that the Legal Risk Management Secretariat is responsible for retaining, maintaining and disseminating legal risk management documents and records for analysis, monitoring and decision making purposes. Legal Services maintains records of legal opinions, and information on the Department’s litigation and prosecution cases in the Department of Justice’s integrated case management system (iCase), as well as in Legal Services’ paper and electronic files. Given the solicitor-client privilege nature of the information retained within iCase and Legal Services’ records, access is restricted to Department of Justice lawyers; however, if needed to perform their work, the records can be accessed by authorized users by submitting a request to a Department of Justice lawyer.

Interviews revealed that in general, the Legal Risk Management Committee and the ad-hoc working groups were provided with sufficient, complete and accurate information in a timely manner to fulfill their roles and responsibilities.  However, as part of collecting the information needed to perform this engagement, the auditors observed that the legal risk management documentation before and after the process review of the Legal Risk Management Committee has been retained in two different places. There has been no effort by the Legal Risk Management Secretariat to collect and consolidate the documentation into one repository accessible to the sectors and regions.  As a result, there is a risk that the Department may be unable to demonstrate that its decision-making regarding its legal risk management program is documented in a manner that permits reconstruction of its evolution and independent evaluation, audit and review.

In terms of information that may point to the potential for litigation or act as early warning signs for the department, the Taking a Risk Management Approach to Civil Litigation Costs in the Government of Canada: A Primer to Help Identify and Manage Costs suggests that items/issues from Access To Information and Privacy, Communications and Ministerial Correspondence could be considered.  Interviews indicated that this information is not being formally presented to the Legal Risk Management Committee. However, it is being presented to the Department's senior management through other communication channels and processes.

Recommendations / Managment Action Plan
Recommendation Management Action Plan

R-6. As part of revisiting the roles and responsibilities of  the Legal Risk Management Secretariat, the Chair of the Legal Risk Management Committee should clarify the roles, responsibilities and accountabilities for managing and maintaining the legal risk management documentation stemming from the Committee as well as its Subcommittee and ad-hoc working groups.

The Chair of the Legal Risk Management Committee requests that this management action plan be considered completed based on the following actions that will be taken (or have already taken place).

The Legal Risk Management Secretariat has undergone a number of shifts in structure, resources and reporting responsibility.  The resources allocated, as well as the roles and responsibilities assigned to the Legal Risk Management Secretariat and the Litigation Prevention and Management Subcommittee are currently being evaluated and the information management concerns noted in the audit will be considered as part of this assessment.

In the meantime, the link between the Litigation Prevention and Management Subcommittee (formally called the High Impact Committee) and the Legal Risk Management Committee have been confirmed with the Subcommittee now actively co-chaired by the Senior Counsel, Legal Risk Management, and the Legal Risk Management Secretariat Head.  This action remedies the absence noted in the audit of a key leadership role on the Subcommittee.

Office of Primary Interest: The Chair of the Legal Risk Management Committee
Due Date: Completed

6.4 PERFORMANCE

In the spirit of the Treasury Board's Management Accountability Framework, to maintain the Department's control environment, which includes the legal risk management regime, performance measurement allows the organization to perform a systematic assessment and monitoring of its accomplishments and progress towards meeting expected results and achieving established objectives.  The results from the assessment can further be integrated into departmental decision-making that may adjust or refine the Department's course of actions.  Finally, the practice of performance measurement supports accountability, transparency and sound stewardship.

Observations Section 6.4
Observations
Moderate 6.4.1 Performance

Although there is no formal performance measurement strategy, the Legal Risk Management Committee identified a commitment in its new Terms of Reference to undertake a self-assessment which could then in turn be used as a means of assessing and monitoring the results that are being achieved through its legal risk management initiatives. However, interviews and the documentation review determined that this commitment has not been clearly defined and thus not fulfilled.

The new Terms of Reference of the Legal Risk Management Committee include three desired outcomes to be achieved for legal risk management within the Department. Specifically:

  • to embed the culture of legal risk management into policy, program and operational planning and decision making;
  • to reduce unnecessary legal risks to the Department's policies, programs and operations and/or propose strategic approaches to better manage unavoidable risks; and
  • to assist in reducing legal costs.

As a means of measuring the Department's performance in achieving the aforementioned outcomes, it was noted in the new Terms of Reference for the Legal Risk Management Committee that the Committee would evaluate its own performance at the end of each fiscal year.  Interviews and the documentation review; however, revealed that the self-evaluation was not undertaken, nor were there any discussions at the meetings of the Committee on how the self-evaluation should be structured and/or conducted. In addition, the absence of a detailed work plan and/or forward agenda that covers this and other responsibilities outlined in the new Terms of Reference limits the Committee’s ability to address these elements and integrate them into the Department's legal risk management program.

Without a performance measurement strategy and/or commitment to undertake the self-evaluation to assess and monitor the results that are being achieved through the Department's legal risk management initiatives, the  Committee may not be able to effectively and efficiently ensure that the established objectives and desired outcomes are being achieved.  Given the nature and complexity of legal risk management, it is acknowledged that departments, such as the Department of Fisheries and Oceans as well as the Department of Justice, are having difficulty in defining performance measurement indicators that can be clearly linked to legal risk management and created in such a manner that allows them to be specific, measurable, attainable, reliable and timely.  The Department, however, does have the ability to be innovative and find other ways to assess its results by looking at either its inputs or the effort used to achieve the desired outcomes outlined in the new Terms of Reference of the Legal Risk Management Committee.

Recommendations / Managment Action Plan
Recommendation Management Action Plan
R-7. See Recommendation 1 for audit criterion 1.1 a See Management Action Plan for Recommendation R-1.
Office of Primary Interest: The Chair of the Legal Risk Management Committee
Due Date: February 2015

7.0 AUDIT OPINION

Based on the audit findings, our opinion is that, overall, controls are in place and effective for managing the legal risks facing the Department.  There are, however, improvements that should be made to ensure the work of the Legal Risk Management Committee features a continued emphasis on the strategic management of the Department’s legal risks in an effort to proactively and sustainably embed the culture of legal risk management into policy, program and operational planning and decision making.

The recommended improvements are as follows:

  • Develop a detailed work plan and/or forward agenda that covers all of the responsibilities defined in the Terms of Reference of the Committee.  The detailed work plan and/or forward agenda would include such items as:
    • Reassess the Department’s top legal risks, risk drivers, and legal risk management strategies on a regular basis to ensure they remain relevant and reflect the Department’s legal risk environment.
    • Review and approve the key risk indicator and target that are to be included as part of the Department’s Corporate Risk Profile.
    • Perform a self-assessment to measure and monitor the Committee performance in achieving the objectives defined for legal risk management.
  • Revisit the roles and responsibilities of the Legal Risk Management Secretariat to ensure that they accurately reflect the needs of the Committee.
  • Develop and implement a communication and training strategy to ensure that the Department's legal risk management concepts are disseminated to departmental staff as a means of embedding a culture of legal risk management within the Department.
  • Define the roles and responsibilities for reviewing and updating the Legal Risk Management Diagnostic Instrument to ensure that this training tool is updated to reflect any changes in the Department's legal risk environment and then communicated to the user community.
  • Clarify the roles, responsibilities and accountabilities for managing and maintaining the legal risk management documentation stemming from the Committee as well as its Subcommittee and ad-hoc working groups.

8.0 STATEMENT OF CONFORMANCE

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report.  The extent of the examination was planned to provide a reasonable level of assurance with respect to the audit criteria.  The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with Management.  The opinion is applicable only to the entity examined and within the scope described herein.  The evidence was gathered in compliance with the Treasury Board Policy and Directive on Internal Audit.  The audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program (QAIP). The procedures used meet the professional standards of the Institute of Internal Auditors.  The evidence gathered was sufficient to provide Senior Management with proof of the opinion derived from the internal audit.

APPENDIX A – AUDIT CRITERIA

Based on a combination of the evidence gathered through documentation examination, analysis and interviews, each of the audit criteria listed below was assessed and a conclusion for the audit criteria was determined using the following definitions:

Conclusion per Audit
  Conclusion on Audit Criteria Definition of Opinion
1 Criteria Met – Well Controlled Well managed or no material weaknesses noted, controls are effective.
2 Criteria Met with Exceptions – Controlled Requires minor improvements.
3 Criteria Met with Exceptions – Moderate Issues Requires improvements in the areas of material financial adjustments, some risk exposure.
4 Criteria Not Met – High Impact – Significant Improvements Requires significant improvements in the area of material financial adjustments, serious risk exposure.

The following are the audit criteria and examples of key evidence and/or observations noted which were analyzed and against which conclusions were drawn.  In cases where significant improvements and/or moderate issues were observed, these were reported in the audit report.

Audit Criteria / Conclusions
Audit Criteria Conclusion on Audit Criteria Examples of Key Evidence/ Observations

Line of Enquiry
To provide assurance that the departmental controls for managing the legal risks facing the Department are appropriate and functioning as intended.

Criterion 1.1:
The Department’s legal risk management framework is defined, documented and communicated to all relevant stakeholders.  This includes the following:

a.
Departmental committee(s) and/or working groups are established (with sufficient expertize, and clear roles, responsibilities and accountabilities) and functioning as intended.
3 6.1.1
b.
The practices for legal risk management are established, communicated, and integrated into departmental decision-making. For example:
  • The risk management process(es) used for the identification, assessment, response, monitoring and review of the Department’s legal risks.
  • Legal risk management tools and training: The Department’s legal risk management Diagnostic Instrument, the legal risk management Strategies and the High Impact Criteria for high impact legal issues and litigation and prosecution issues and cases.
3 6.2.1
c.
An information management strategy that enables the Department to retain, maintain, and access its legal risk management documents and records for analysis, monitoring and decision-making.
2 6.3.1
d.
A performance measurement strategy that enables the Department to measure and monitor its performance in achieving the objective(s) defined for legal risk management.
3 6.4.1

Criterion 1.2: Sufficient, complete and accurate financial and non-financial information is provided in a timely manner to members of legal risk management committee(s) and/or working groups in advance of scheduled meetings to permit sufficient review and informed decision-making.

2 6.3.1