Audit Committee Report BH.02.JUN1516.R02

June 15, 2016

Report to: Audit Committee, Board of Health

Submitted by: Dr. Nicola Mercer, Medical Officer of Health & CEO



(a) That the Audit Committee makes recommendation to the Board of Health to receive this report for information.


Requirement 6.2 of the Ontario Public Health Organizational Standards (OPHOS) states that:

“The board of health shall ensure that the administration monitors and responds to emerging issues and potential threats to the organizations, from both internal and external sources, in a timely and effective manner.  Risk management is expected to include, but is not limited to: financial risks, HR succession and surge capacity planning, operational risks and legal issues.”1

Risk is the chance of something happening that will have an impact on objectives.  It is measured in terms of consequences and likelihood.

Risk management includes the culture, processes, and structures that are directed towards the effective management of potential opportunities and adverse effects. 2

Risk can include both threats and opportunities.  Risk management assists organizations in meeting strategic and operational objectives by ensuring processes for identifying, managing and/or mitigating risk. 

The Association of Local Public Health Agencies (alPHa) has conducted two workshops on Risk Management, the first in November 2015 and more recently, on February 24, 2016.  During these workshops, participants were introduced to the Risk Management Strategy and Process Toolkit used by the Ontario Internal Audit Division.  This toolkit outlines the recommended steps and processes for a successful risk management strategy.

Public Health and/or Financial Implications

WDGPH is currently investigating strategies and processes for a comprehensive risk management framework.  This framework, which will be modeled after the Risk Management Strategy and Process Toolkit, will include the following steps:

  • establishment of risk management objectives, including policy development and guidelines, 
  • risk management structures and training needs for all staff;
  • identification of risks and controls;
  • assessment of risks and controls;
  • evaluation of risk controls;
  • mitigation strategies and identification of required action plans, and
  • monitoring and reporting processes.

WDGPH will also investigate strategies to ensure a coordinated approach to the effective oversight, monitoring and management of risks.  

WDGPH Risk Management  Strategy and Approach

The development and implementation of a comprehensive risk management framework for WDGPH is a multi-year initiative.  However, risk management activities are regularly being conducted within and across WDGPH.  A risk register was developed in 2015 to identify existing or potential internal and external risks to the agency.  Review and update of this risk register is the first initiative being undertaken as part of the framework development.  The updated risk register will include the following components:

  • Risk identification: includes category, source, risk and potential consequence;
  • Risk Assessment: based on likelihood and impact to the agency;
  • Risk Controls: policy, process or other actions designed to manage or mitigate risk, and
  • Risk Monitoring: identifies responsibility, risk indicators and monitoring frequency.

Other initiatives to be undertaken as part of the WDGPH strategy include, but are not limited to:

  • Policy and guideline development
  • Development of risk reporting form for new and/or emerging risks
  • Identification of staff training needs across the agency
  • Establishment of a formal risk management cycle
  • ​Development of reporting tools for staff and the Board of Health

The Audit Committee of the WDGPH Board of Health is responsible for reviewing and reporting to the Board on any matter of agency risk that is referred to the Committee via the Board of Health, the Auditor or the Medical Officer of Health. 

As work progresses on the WDGPH Risk Management Framework and Strategy, the Audit Committee will be provided regular updates.  It is anticipated that the completion of a risk management framework will foster a culture of risk management, which will result in the achievement of strategic and operational objectives.  


1Ontario Ministry of Health and Long-Term Care, Ontario Ministry of Promotion and Sport.  Ontario Public Health Organizational Standards. 2011.…

2Lindsay, Hugh, FCA, CIP, 20 Questions Directors of Not-for-Profit Organizations Should Ask About Risk, CICA Publication, 2009, pg, 4.


Appendix “A” - Risk Management Process - Ontario Internal Audit Division

Prepared by: Meighan Finlay
Standards and Accountability Officer
Family Health and Health Analytics

Reviewed by: 

Dr. Nicola Mercer,
Medical Officer of Health & CEO

Approved by: 

Dr. Nicola Mercer,
Medical Officer of Health  & CEO