GFOA Alberta Policy Handbook

GFOA Alberta – Policy Manual

Introduction

The purpose of risk assessment document is to identify and eliminate any associated risks arising from current GFOA activities, while enabling informed decisions to be taken.

Risk assessments do not have to be complicated; the level of detail contained in them should be relevant to the level of the risks involved with the activity. In many cases a risk assessment will lead to the clarification and documenting of local protocols and procedures that are often already in place.

An example of the risk assessment was completed by the GFOA Board of Directors who met in-person in October 2019, to discuss the organization’s current exposure to risk.

GFOA Alberta Risk Assessment

Total risk assessed according to two factors:

• • Potential impact to the organization
  • Likelihood of occurrence

The following risk categories were identified by the board and subsequently ranked based on the factors noted above.

A Risk Mitigation Policy has been developed by the Board Policy Sub-Committee as an approach to addressing each risk category noted as Medium (9-16) or High (17-25). The board recognizes that that the general Governance and Operational Policies and bylaws of GFOA Alberta are sufficient to address any risk category assessed as Low (1-8).

Level of Risk

Risk assessments can also assist in the identification of requirements for, and levels of, instruction, information, training and supervision that may be required for the activity.

Responsibilities

The following posts have responsibilities:

Operational Staff:

• • Assisting with and participating in the process of risk assessment.

Executive Director and Board of Directors:

• • Undertaking risk assessments, identifying and implementing control measures, effectively communicating the outcomes to employees and others as appropriate

Risk Evaluation and Estimation

Once hazards associated with activities have been identified, it becomes necessary to establish what the potential hazardous outcomes or events could be associated with the hazard.

When identifying who could be harmed, identify how they could be harmed.

The next stage is to examine the likelihood of a hazardous event occurring. Infrequently occurring hazards, present less risk than frequently occurring hazards.

Once likelihood has been determined the probable Impact of the hazardous event, should be considered. Impacts can be considered in terms of severity of potential injury (is it probable that a person would die or sustain minor injuries) but the impact also can be considered in broader terms, including reputational impact.

For the purposes of illustration, a five-point model is suggested below:

Table 1

This risk estimation process helps to determine the significance of the risks associated with the hazards. The number of people who may be affected by a hazard is a relevant consideration during risk estimation.

The matrix below illustrates how risks can be evaluated using the five-point model.

Risk assessment is the overall judgement of the level of risk arising from the threat, based upon the likelihood of the threat occurring and the potential severity of the account existing risk control measures that are already established to be placed to reduce/control the risk. Using the risk matrix as a guide, the level of risk should be assessed to identify the risk rating.

Table 2 below gives further guidance on the interpretation of the categories described in Table 1

Once the matrix has been used to determine the risk rating, it is then possible to use Table 3 below to establish the appropriate actions required:

Table 3 

All risks associated with activities will now be identified and systematically assessed.

Risk Control

Suitable and sufficient risk control measures will be identified and implemented to ensure that all risks are appropriately controlled and meet legal requirements as a minimum. All risk control measures will follow the hierarchy of risk control stated in this procedure.

Risk control measures are methods used which reduce/control risks arising. Control measures must take into account any relevant legal requirements which establish the minimum levels of risk control. Where additional control measures are required to reduce the risk, they should be considered according to the order in the following hierarchy of risk control which, as well as being in order of effectiveness to control risks, is also in order of the minimum amount of operational effort required to maintain them.

Table 4

When considering additional control measures, it should be ensured that they will not introduce any new hazards.

When the control measures have been identified and agreed they must be prioritized, placed into an action plan and implemented. The action plan needs to be clear about exactly what needs to be done, when and by whom with SMART objectives (Specific, Measurable, Achievable, Realistic and Timed). Where full implementation of the control measures identified cannot be achieved rapidly adequate steps may need to be taken in the interim to minimize the risk.

The implementation of the action plan must be monitored and subsequently reviewed to ensure that the remedial actions identified have been, and continue to be, adequate, appropriate and implemented.

Communication

Relevant information identified in the risk assessment regarding the hazards, must be effectively communicated, and be readily accessible to, employees and others as appropriate.

The Executive Director and Board need to ensure that the findings of the risk assessments and the precautions to be taken are effectively communicated to, understood and implemented by those persons covered in the assessment.

Monitoring and Review

The risk assessment and control process are not a one-off activity but part of the process for continuous improvement and should be reviewed and revised as appropriate.

Risk assessments must be reviewed

• • if there has been a significant change in the matters to which it relates
  • if there is reason to suspect that it is no longer valid
  • at least annually

Review of Policy

This policy will be reviewed on a yearly basis or at an earlier date if changes are required due to risk assessment review or changes in government advice.

GFOA Alberta – Policy Manual

The term “data residency” in this policy refers to the physical location of GFOA Alberta’s data. GFOA Alberta does not collect or store sensitive personal data other than what may be found through other methods. Examples include member names, the name of members’ municipalities, work phone numbers, positions within the municipality, email addresses and sometimes mobile phone numbers if
provided.

GFOA Alberta’s member database is in the United States stored on a secured server. Data stored on staff devices are stored on equipment that are password protected.

Payment methods are typically through Stripe, cheques, wires and EFTs. Stripe credit card information is not retained by GFOA Alberta, EFTs and wires are through Alberta Treasury Branch office. Photocopies of member cheques may be stored on staff devices in different locations.

Bookkeeping data is processed through QuickBooks Online Canada which stores its data on Amazon Web Services (storage may not be specific to Canada). Website data including the document library and Discord discussion forum are stored on a secure server located in the United States.

Administrative material such as minutes, agendas and correspondence are stored on Google Workspace
in the United States on secure servers.

GFOA Alberta recognizes that in an extreme situation the data stored in the United States could be seized by that country. However, the data stored in the United States is not unique or sensitive personal information.

This policy will be reviewed on a regular basis to ensure in the eventuality that GFOA Alberta collects any unique sensitive personal information it will be stored securely in Canada.