Thank you, Mr. Chair.
Risk management is very important and fundamental to how well a department can manage its resources. The observation that was made in the past was that there really wasn't a holistic and integrated risk management approach. While departments might have had some risk elements they managed on a program-to-program basis, there really wasn't something at the corporate-wide level. Since that time, we reported that all departments we've audited have a corporate risk profile. They're able to bring their various risks together so they can see and prioritize at a departmental level.
The other aspect about identifying risks is to assess them, to look at their likelihood, and then to assess how much risk tolerance we can take, and what kinds of risk mitigation plans we should have. The departments we've looked at have risk mitigation plans. The risk tolerance definition is still a bit weak. While we're saying there has been good progress, it doesn't mean we have wrestled this one firmly to the ground. In fact, if you speak with most of the deputy heads, they indicate the groundwork has been laid, but we really have to get in to make sure we have the right risks identified and the proper risk management plan.
The internal audit function and the departmental audit committee both have a risk focus, and together they help strengthen the risk management ability of the entities.