CPPM Policy Chapter 20: Loss Management

This Core Policy and Procedures Manual chapter covers policy on the management of losses. Included are descriptions of the types of loss incidents, roles and responsibilities of organizations and individuals in managing loss and additional resources available.

• 20.0 Loss Management
  • 20.1 Objectives
  • 20.2 General
  • 20.3 Loss Management Policy
  • 20.4 Fraud Risk Management Policy
  • 20.5 Information and Resources

20.1 Objectives

• Identify categories of loss.
• Identify responsibilities for the prevention, detection, reporting, investigation and mitigation of losses.
• Provide direction on loss management, reporting and links to resources to assist ministries.

20.2 General

A loss is any event that temporarily or permanently causes a decline in value or deprives the government of revenues, services, assets (tangible or intangible) or resources including human resources. Loss prevention, detection, reporting, investigation and mitigation are integral to government's enterprise-wide risk management process, financial control framework and to managing an ethical organization.

Loss incidents usually fall into one of the following categories:

1. Information incidents involving the actual or suspected loss of information and/or information technology security incidents, including:
   • loss of a portable medium with information capacity (e.g., a hard drive, thumb drive, memory card, magnetic or optical disks, etc.) containing sensitive, personal or confidential information; or
   • damage to or a compromising of the protection of data, systems, documents, computer-generated information or information processing facilities. These incidents can be accidental or deliberate threats to confidentiality, integrity or availability.

Procedure Requirements - L.2

2. Illegal activities that are actual, suspected or attempted. Examples of such illegal activities include:
   • fraud including embezzlement and misappropriation. See CPPM 20.4;
   • breach of trust;
   • breach of Cabinet confidentiality;
   • break and enter;
   • theft including failure to return government property;
   • damage to Crown property;
   • forced entry;
   • robbery;
   • vandalism; etc.

Procedure Requirements - L.3

3. General incidents including:
   • accident;
   • damage;
   • neglect;
   • act of God (events outside of human control); etc.

Procedure Requirements - L.4

4. Intentional harm or the threat of harm to employees or others from internal or external sources including:
   • physical harm;
   • telephone or email threats;
   • abusive clients; etc.

Procedure Requirements - L.5

5. Bodily injury to persons outside of government, including:
   • accidents on government property, etc.

Procedure Requirements - L.6

6. Due to the nature of certain programs, some ministries experience recurring losses from general incidents and/or illegal activities. These ministries often have internal resources dedicated to managing the losses (e.g., Prevention and Loss Management Services Branch). Examples of such loss incidents include:
   • suspected false or fraudulent claims for social benefits, loans, grants, or transfers including employment and income assistance, student loans and MSP;
   • overpayments or erroneous payments;
   • loss of revenue that should have been received or collected;
   • theft of Crown property (e.g., unauthorized timber harvest);
   • damage to Crown property; etc.

These ministries that have internal resources dedicated to managing losses must report their loss incidents to the Risk Management Branch by June 30th of each year for the preceding fiscal year on an Annual Loss Summary Report.

Procedure Requirements - L.7

Roles and Responsibilities

Employees

• Understand and comply with this policy, the Standards of Conduct for Public Service Employees and CPPM 4.3.20, Obligation to Report to the Comptroller General.
• Acknowledge and assume accountability for safeguarding government assets entrusted to them.

Ministries

• Ensure that this policy, the Standards of Conduct for Public Service Employees, and CPPM 4.3.20, Obligation to Report to the Comptroller General, are clearly communicated to employees and complied with.
• Hold employees to account where they have been entrusted with government assets.
• Recover losses cost-effectively.
• Report professional misconduct to the appropriate professional body.

Comptroller General

• Provide ministries direction on loss management including fraud.
• Ensure employees can report losses due to illegal activities confidentially.
• Investigate a loss incident where appropriate.
• Monitor loss investigations.
• Provide ministries with guidance and tools for the prevention, detection, reporting and mitigation of losses.
• Require that persons involved in an investigation have the necessary skills.

Government Chief Information Officer

• Works with ministries to develop and set corporate policies, standards, processes, procedures, and guidelines for information management and information technology (IM IT).
• As per the Information Incident Management Policy, provides ministries with expert advice, support and investigative services to assist them in navigating the information incident process.

BC Public Service Agency

• Provide ministries guidance and advice on the prevention and reporting of harm or threats of harm to employees.
• Provide guidance and advice to ministries investigating incidents which have the potential to result in employee discipline and/or criminal charges.

Risk Management Branch

• Provide ministries with guidance and tools for the prevention, detection, reporting and mitigation of losses.
• Administer the collection and analysis of loss information (GILRs (government access only) and Annual Loss Reporting Summaries) and provide follow-up advice to the ministries.
• Assess the need for further investigation or action in cooperation with the Comptroller General.
• Provide a monthly report and analysis of all loss incidents to the Comptroller General.
• Prepare summarized statistics annually of reported government losses, which include information from the GILRs (government access only) and the Annual Loss Reporting Summary, and submit to the Comptroller General and the Auditor General. Publish on the Government Security Office website.

Corporate Compliance and Controls Monitoring Branch

• Detect control weaknesses and inappropriate payments and recommend corrective action to ministries, central agencies, and the Comptroller General to prevent and mitigate financial loss to government.
• Report losses to ministries and the Comptroller General.

20.3 Loss Management Policy

1. In any loss incident, if there is evidence of threatening behaviour or an emergency situation, notify the police immediately.
2. Ministries must establish, communicate and monitor internal processes for loss management including prevention, detection, reporting, investigation, and mitigation. Ministries must also review and amend processes as appropriate to minimize losses particularly following a loss incident.
3. All losses must be reported according to procedures described in CPPM L, Loss Reporting.
4. Ministries must make every effort to recover a loss in a cost-effective manner.
5. In all cases where a ministry has reason to believe that the conduct of an employee or contractor in the workplace is criminal in nature, the ministry should promptly notify the appropriate police authority and cooperate in any resulting investigation or prosecution. It is recommended that ministries contact the Comptroller General; Legal Services Branch; and the BC Public Service Agency for advice and guidance.
6. When dealing with a loss incident alleging illegal activity by a ministry employee or contractor, the ministry must not make any threat or promise to the employee or contractor or to their representatives as to whether the alleged illegal activity will or will not be referred for criminal investigation or prosecution.

20.4 Fraud Risk Management Policy

Objectives

• Provide understanding of fraud risks within government programs.
• Identify responsibilities for the management of fraud risks in government.
• Provide direction on assisting ministries in the management of fraud risks in government.

General

The purpose of this section is to provide direction and guidance on how ministries can manage fraud risks within their program areas.

1. What is fraud?

For the purposes of managing fraud risks within government, fraud is defined as any intentional act to deceive others, resulting in the government suffering a loss and/or the perpetrator achieving a gain. Fraud can be in the form of, but not limited to:

• Suspected fraud.
• Incidents under investigation.
• Completed incidents, whether fraud was proven or not.
• Incidents that were dealt with by a criminal, civil or administrative remedy.

The risk of fraud can occur if the following elements are present:

• Incentive: There is a want or need to commit fraud.
• Opportunity: There is weakness in the controls that persons can exploit to commit fraud.
• Rationalization: There are people who are convinced that fraudulent behaviour is acceptable and worth the risk to commit fraud.
• Capability: There are people who have the necessary traits and ability to carry out the fraud. These people may be working inside or outside the organization.

2. Managing fraud risk

Fraud risk is the vulnerability or exposure an organization has towards fraud. It combines the probability of fraud occurring and the potential impacts in measurable terms. This risk can be managed by:

• Use of preventive controls and the provision of guidance and advice for an organization to reduce the likelihood of fraud occurring.
• Use of detective controls to reduce the impact of possible losses.

Employees and ministries have the following roles and responsibilities in managing fraud risks in government:

Employees

1. Understand and comply with the Standards of Conduct for Public Service Employees.
2. Understand and comply with CPPM 4.3.20, Obligation to Report to the Comptroller General. Specifically, the Financial Administration Act (FAA), section 33.2, obligates every member of the public service to report to the Comptroller General any expenditure or payment that they consider contravenes sections 32.1 to 33.1 of the FAA. Below are intended as general examples only, with the context that there is an intentional act to deceive others, resulting in the government suffering a loss and/or the perpetrator achieving a gain. Applicable sections of the Act require reference for a full understanding of the obligation to report:
   • For an expenditure, this may include an authorization that:
     • Causes the appropriation to be exceeded.
     • Reduces the available balance in the appropriation so it cannot meet all the commitments charged against it.
     • Creates an unlawful charge against the appropriation.
     • Is approved by a person without the delegated expense authority.
     • Is contrary to a term of an agreement, enactment, Treasury Board Directive or term of a trust.
   • For a payment, this may include a situation where:
     • The related expenditure was not authorized.
     • An advance payment is made (without receipt of goods or services) and the agreement does not provide for such a payment.
     • The amount paid is unreasonable (other than in emergency or extenuating circumstances, i.e., when costs cannot be estimated or specified).
     • The payment is contrary to a term of an agreement, enactment, Treasury Board Directive or term of a trust.

Ministries

3. Through the responsibility of the ministry deputy minister:
   • Determine the requirement for criminal record checks and enhanced security screening for designated positions within the BC Public Service. See Security Screening (Human Resources Policy).
   • Ensure employees understand and comply with the Standards of Conduct for Public Service Employees. Specifically:
     • Advise employees of the required standards of conduct and the consequences of non-compliance.
     • Deal with breaches of this policy statement in a timely manner, taking the appropriate action based upon the facts and circumstances.
4. Ensure employees understand and comply with CPPM 4.3.20, Obligation to Report to the Comptroller General. See CPPM 20.4 section 2.b
5. Establish, communicate, assess, and monitor internal processes for managing fraud risks including prevention, detection, reporting, investigation, and mitigation. Ministries must also review and amend processes as appropriate to minimize losses particularly following a loss incident.

Examples of possible fraud indicators that should be addressed in ministries’ internal processes include:

• Determine the requirement for criminal record checks and enhanced security screening for designated positions within the BC Public Service. See Security Screening (Human Resources Policy).
• Lack of employee compliance with the Standards of Conduct for Public Service Employees.
• Key documents missing (e.g. invoices, contracts, authorizations).
• Inadequate or no segregation of duties.
• Absence of controls and audit trails.
• Inadequate follow up on controls identified as not working as intended (resulting from periodic testing and evaluation performed by government offices. See CPPM 20.5).
• Documentation that is not validated as original or is lacking essential information.
• Missing expenditure documents, authorizations, and official records.
• Numerous adjustments or exceptions on transactions.
• Excessive variations to contract amounts and no audit trails.
• Accountable advance amounts not reconciled or cannot be balanced.
• Incurring expenses on government corporate cards not related to government business.
• Duplicate payments.
• Government policies and procedures not being followed.

6. Through the responsibility of the ministry executive financial officer or delegate, ministries must report losses (regardless of the value) due to actual, suspected or attempted illegal activities. Reporting these activities provides information to increase awareness of fraud risk in specific areas and provides ways in which the risk can be managed and reduced.
   
   Ministries must also make every effort to recover a loss in a cost-effective manner. It is recommended that ministries contact the Comptroller General; Legal Services Branch; and the BC Public Service Agency for advice and guidance. See CPPM L.3. Note that the loss incident must be reported regardless of the efforts used in the recovery of loss.

20.5 Information and Resources

Apart from specific requirements in policy and procedures, ministries can consult with:

• the Comptroller General;
• the Government Chief Information Officer;
• the BC Public Service Agency (government access only); and/or
• the Risk Management Branch.

These offices support the development and implementation of loss prevention, detection, reporting, investigation and mitigation plans for ministries. See also CPPM 15, Security.

Additional resource information on loss management and incident reporting is available at the following:

• Office of the Comptroller General:
  • Risk Assessment Tools 
• Corporate Compliance and Controls Monitoring Branch:
  • Cross Government Reports on Corporate Compliance (government access only)
• Risk Management for Government & Provincial Public Sector:
  • Risk Management Newsletter
  • Government Loss Reporting
• Government Chief Information Officer:
  • Information Incident Management Policy
• BC Public Service Agency (government access only):
  • Incident Reporting and Investigations - Checklist (government access only)
• See also CPPM L, Loss Reporting for information on reporting a loss incident

Corporate Compliance & Controls Monitoring < Previous | Next > Government Transfers