Rescinded [2010-09-03] - Risk Management Policy
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
In the broadest sense, effective risk management ensures the continuity of government operations, and the maintenance of services to, and protection of the interests of, the Canadian public. Because all manner of risks are present throughout government operations, successful delivery of a program is contingent upon effective and cohesive management of those risks.
The importance of risk management has been growing steadily during the last several years. There is increasing awareness and expectation in Canada and abroad of the need to manage risks, rather than leaving them solely to insurance.
The risk environment has been evolving rapidly, as advancing technological and social developments bring forth new or hitherto dormant risks associated with such phenomena as hijacking, hazardous materials, pollution, electronic data, and exposure to legal and political liability. The government has an obligation to be fully aware of the state of the art in risk management, and to prevent losses and unnecessary expenditures.
Risk management can be extremely cost-effective when departments assess their risks properly and determine the most economical way to avoid them entirely, or reduce them to a minimum and limit potential expenditures arising from accidents or emergencies.
Risk management is a logical step-by-step process to protect, and consequently minimize risks to, the government's property, interests and employees. Risk includes the chance of damage to or loss of government property, and the chance of incurring second- or third-party liability to non-government entities. The saying "forewarned is forearmed" is an apt description of the management of risk. As shown in Appendix A, there are four phases in risk management:
before an incident:
Phase 1 - identifying risks and the entities exposed to and in control of the risks; and
Phase 2 - minimizing risks and their cost;
during an incident:
Phase 3 - containing the effects of any damaging or harmful incident; and
after an incident:
Phase 4 - compensating or restoring and recovering in the event of such incidents, and providing feedback of information as a basis for improving the management system.
The objective of this policy is to safeguard the government's property, interests, and certain interests of employees during the conduct of government operations.
It is government policy to identify, and reduce or eliminate risks to its property, interests and employees, to minimize and contain the costs and consequences in the event of harmful or damaging incidents arising from those risks, and to provide for adequate and timely compensation, restoration and recovery.
This policy applies to:
- departments and departmental corporations named in Schedules I and II of the Financial Administration Act; any division or branch of the Public Service of Canada, including commissions appointed under the Inquiries Act, designated by the Governor in Council as a department; and the Canadian Forces; referred to in this policy as "departments"; and
- every individual appointed or employed as a servant of Her Majesty in Right of Canada (the Crown). Without limiting the generality of this application, "servant" includes any individual appointed or employed by any of the entities referred to above; any minister, agent, and former servant of the Crown; and the estate of a deceased servant of the Crown. It does not include any person appointed or employed by or under the authority of an ordinance of the Yukon Territory or the Northwest Territories, or any person engaged under a contract for services.
1. Departments must identify the potential perils, factors and types of risk to which their assets, program activities and interests are exposed.
2. Departments must analyze and assess the risks identified, and design and implement cost-effective risk prevention, reduction or avoidance control measures.
3. Departments must:
- select underwriting options;
- self-underwrite the risks to which the government alone is exposed and over which it generally has control, and provide for and absorb, through their annual appropriations, any cost that may arise from self-underwriting;
- ensure that contractors do not procure insurance on risks that are clearly the responsibility of the government, and that contractors are not indemnified by the government against the risks to which only the contractors are exposed.
4. Departments must plan and budget for containment, compensation, restoration and disaster recovery.
5. Departments must activate emergency organizations, systems, and contingency plans, and initiate recovery measures.
Compensation, restoration and recovery
6. Departments must:
- investigate incidents to determine their causes;
- assess the extent and value of damages and determine potential legal liability; and
- make incident reports.
7. Departments must settle and pay claims by or against the Crown and against its servants in an adequate and timely manner, and generally refer cases involving legal proceedings, and claims associated with a contract, to the Department of Justice.
8. Departments must repair or replace damaged assets and operating systems to return operations to normal as soon as possible.
9. Departments must:
- report each fiscal year in the Public Accounts: all payments of claims against the Crown; all ex gratia payments; court awards; and all losses of $1,000 or more including accidental destruction of, damage to, or theft of, assets that would normally be covered by insurance had insurance existed;
- report to the appropriate law enforcement agencies losses over $1,000 which are due to suspected illegal activity; and
- maintain their own data-base as part of the feedback system of management information.
10. Departments must establish new or improved measures to prevent the recurrence of incidents, and to recover from disasters.
The Department of Justice provides legal advice, opinions, arbitration and negotiation services and is responsible for all litigation concerning claims by or against the Crown and against its servants.
Labour Canada and the Office of the Fire Commissioner of Canada are responsible for the provision of fire protection services, maintenance of fire loss records and, when required, the preparation of reports on fire losses in the government.
The Treasury Board Secretariat will review the effectiveness of this policy in assisting departments to manage the risks to which they are exposed. The impact of the policy on departmental operations and performance will be gauged by how well the department has: identified and minimized its risks; contained the effects of any damaging or harmful incident; and achieved adequate and timely compensation, restoration and recovery.
Feedback on the implementation and the effectiveness of the policy will be obtained from departmental monitoring information, internal audits, reviews and information available from other reports and government organizations.
This policy is issued under the authority of section 7 of the Financial Administration Act.
Treasury Board Publications
Account Verification Policy.
Managing Risks in the Public Service (video)
Business Resumption Planning:
- Technical Standards, 1992
- Video, 1992
Government Security Policy.
This policy cancels chapters 530, 531 and 532 of the Administrative Policy Manual and Treasury Board Circular letters 1990-3, 1990-1, 1989-17, 1987-33, 1986-15, 1985-51.
All enquiries about this policy should be directed to the official designated by each department as responsible for risk management and, when appropriate, to legal services. When required, officials should then refer inquiries to Risk Management Division, Comptrollership Branch, Treasury Board Secretariat.
For fundamental or more complex enquiries, a risk management analysis should first be undertaken (see Appendices A and B).
Appendix A - Risk Management Phases
Appendix B - Guidelines
These guidelines deal with: identifying and minimizing risks to prevent an incident; containing damages or harmful effects in the event of an incident; compensating or restoring and recovering following an incident; and providing feedback to improve the risk management system (see Appendix A).
1. Phase 1 - Identifying risk
1.1 Identifying operations and assets at risk
In the first phase of risk management all of the operational areas and assets of the department should be identified, for example:
- owned or leased real and personal property, such as machinery, buildings, transport, inventories and art treasures;
- contracting for construction, goods and services, and ongoing sources of supply;
- cash, accounts payable and lending;
- internal audit;
- information storage and transfer, such as record keeping, mail distribution, telecommunications, transportation and electronic data;
- services to the public or other departments;
- conferences and meetings;
- governmental activity; and
- toxic operations and waste.
As described below, potential perils, factors, and types of risks present in each of the foregoing should then be identified for subsequent threat assessment and analysis as an input to the minimization phase. This is to determine the risk exposure as a basis for deciding on the need for, and extent of, further risk management phases. It is also to ensure that the system for dealing with a specific risk is compatible with those of other risks in the same area.
Each peril should be identified to establish probable exposure, i.e. the degree of risk and its cost, determine alternatives for minimizing them and develop control procedures. Some of the perils that threaten operations and assets and create risks include fire, collision, theft, fraud, security leaks, violence, climate and earthquakes.
Factors influencing risks should be identified. They include: acts of nature; human inefficiency, negligence, error, and wilfulness; and physical factors such as the availability and quality of materials and the state of a particular technology.
1.4 Types of risk
Each risk-bearing activity should be identified as one that is either: strictly internal to the government; or partly or wholly related to the actions or omissions, and property of other parties with which the government comes into contact, on or off government premises, either by design or by chance.
This distinction has important implications for determining the respective obligations or potential liabilities, the degree of control that can be exercised over the probability of chance occurrences, the effect these occurrences may have on the government, and the selection of the appropriate underwriting option.
1.5 Risks to employees and to their personal property
Risks to employees and to certain personal property are treated in separate Treasury Board policies issued by the Human Resources Branch, TBS:
- injury and illness: refer to the Treasury Board Policy on "Occupational Safety and Health";
- motor vehicles and other employee-owned transportation, personal property during relocation, and personal property in Crown-owned living accommodation: refer to the Treasury Board policies on Government Travel and Living Accommodations.
Damage to employees' effects within the scope of employment is covered in the Policy on Claims and Ex Gratia Payments. Indemnification and legal assistance are covered in the Policy on the Indemnification of and Legal Assistance for Crown Servants.
2. Phase 2 - Minimizing risk
The minimization of risk is the second phase of risk management. It is founded on a thorough analysis of the identified risks in order to assess their potential threat to operations and assets, and to determine the degree of exposure (frequency and severity) as a basis for:
- avoiding risk by eliminating or radically reducing the risk by considering alternatives to current or proposed activities. For example, an activity could be cancelled or the risk shared with or transferred to others, such as contractors; or
- when acceptance of the risk is inevitable, developing and implementing cost-effective risk control practices such as loss prevention and reduction, including safety training, early detection, security precautions, emergency procedures or design changes (see Figure 1); and
- minimizing the financial consequences by considering options such as self-underwriting, when the risks are clearly internal to the government, ensuring that contractors have adequate insurance, or transferring the financial exposure to insurers; and
- planning and budgeting appropriate measures for potential containment, compensation, restoration and recovery.
As described below, each of the assets or operational areas identified may require analyses of the potential liabilities, underwriting, and financial aspects of risk minimization, together with political, diplomatic, administrative and contracting considerations.
2.2 Analysis of potential liability
"Liability" is defined as being under an obligation; for example, to make good any loss or damage. The determination of potential liability normally requires a legal opinion by the Department of Justice.
The extent to which the Crown or other persons may be liable, singly or jointly, and directly or vicariously, should be determined by examining:
- the potential for creating an employer-employee relationship;
- whether there is an agency relationship with the Crown;
- whether the activity is fulfilling a need of the government, or whether it is a commercial undertaking with non-government clients providing a product or service not needed by the government;
- whether a government-operated activity is a commercial type of undertaking and should, more appropriately, conform with commercial practices and obtain liability insurance; and
- the potential liability of others, and whether the Crown would be able to claim compensation or restoration from others.
2.2.1 Property liability
Potential liability affecting property should be determined by identifying:
- the ownership of the property and its location, for example, whether it is on the Crown's or a contractor's premises;
- proprietary and custodial responsibilities regarding care and custody, and the applicable law, for example, on bailment; and
- normal commercial practices and whether a limitation of liability exists.
2.2.2 Crown servants' liability
The potential liability of the Crown, because of the actions of its employees or agents, should be determined by identifying:
- the degree to which servants are involved;
- whether legislation and administrative policy protecting or insuring servants applies, or is deemed to apply, to non-servants; and
- the extent to which potential liability of non-government personnel engaged in an activity may be subsumed in that of the organization in which they are involved.
2.3 Underwriting analysis
Underwriting encompasses the various ways that financial protection against the potential consequences of risk can be arranged. To underwrite means to assume the financial consequences of the occurrence of a specific peril.
Underwriting options that should be considered, either separately or in combination, include:
- self-underwriting, when the government assumes the responsibility to underwrite specific risks, generally those over which it has control, including the government's established liabilities. The government's policy of self-underwriting most of its assets and program activities applies to:
- in-house risks when non-government entities are not involved; and
- risks of incidents involving non-government third parties to the extent that the Crown is liable, or that damages or losses cannot be recovered, or that a prior assumption of risks under the control of a department has been made;
- the use of insurance for other than the government's risks. Insurance is the undertaking by the insurer to indemnify another person or entity against loss or liability for loss in respect of specified perils or upon the occurrence of a specified event; or
- ensuring that appropriate insurance is carried in certain instances, such as through the specification or purchase of insurance by the government on behalf of others.
Specific direction has been developed in three areas for self-underwriting or payment of insurance premiums:
- Leased real property: The Crown occupies and uses its own property and other properties on lease from the provinces, institutions, companies, societies and individuals.
Where, under the terms of the lease, the Crown assumes liability for replacement of the property, or responsibility for a negotiated settlement in the case of loss or destruction of the property, insurance at the expense of the Crown should be allowed to lapse. The basis of this decision is that insurance, in such cases, operates for the protection of the lessor, and the Crown has the capacity to assume the risk without insurance. The non-insurance provision of this rule may be interpreted to apply to proposed leases not already covered by insurance.
Where, under the terms of the lease, the Crown assumes responsibility for reimbursing insurance premiums or extra premiums as a part of the rental, but assumes no further liability in the case of loss or destruction of the property as the result of fire or other risk covered by the insurance, then reimbursing the premiums may be continued. This rule may be interpreted to apply to proposed new leases.
- Motor vehicle insurance: The government underwrites its own risks associated with government-operated vehicles, subject to the following:
- the separate authority of the Department of External Affairs regarding liability insurance for vehicles at Canadian posts abroad;
- the cost of a long-term vehicle lease should not normally include any insurance, but it may include minimum insurance coverage that provincial regulations require the leasing agency, as the vehicle owner, to carry. The department then assumes any risks not covered by the insurance;
- the cost of a short-term vehicle lease or daily rental contracted for by a department should normally include the standard deductible clause for any necessary coverage for collision insurance in use by the leasing agency. In the event of an accident, the deductible amount would be self-underwritten by the department;
- for daily rental of vehicles contracted for by employees on travel status, except where otherwise covered by a credit card, the standard deductible clause should be waived in favour of insurance and the related cost should be included in the claim for reimbursement of travel expenses;
- for leases and rentals in remote areas, departments may elect to obtain non-deductible coverage if there are offsetting administrative advantages, such as easier claim settlement; and
- when Crown-owned or leased vehicles are driven in the U.S.A., they are commercially insured against third party liability risks. Details are available from the Technical and Specialist Services Directorate, Public Works and Government Services Canada.
It should be noted that provincial automobile insurance legislation is not generally binding on the federal government. At the time of registration of the vehicle or in incidents involving law enforcement officers, proof of insurance should not be required. Proof of ownership or leasehold interest by the federal government should suffice.
- Shipments: Value declarations should not be placed on outgoing shipments by express, freight, air cargo and air express if this will involve the payment of any extra charge. Similarly, departmental purchase orders should discourage suppliers from placing value declarations on incoming cargoes where the terms of the purchase contract call for delivery "F.O.B. factory", "F.O.B. railhead", etc., and where shipping costs are not included as part of the contract price.
2.4 Financial analysis
The relative merits and cost-effectiveness of underwriting options and of loss control measures should be examined by assessing:
- the probable extent to which the government is directly or indirectly exposed financially;
- the degree to which the government can exert direct or indirect control over management of the risks and their underwriting;
- the direct and indirect costs of alternative underwriting options;
- the cost of investing in loss control measures compared with the probability of bodily injury or loss of life and the probable cost of damage to, or loss of, property;
- the net cost to the government, that is, whether underwriting costs rely on appropriations from tax revenues, or whether recovery could be used to offset the cost to the government, irrespective of the manner in which recovery may be allocated; and
- the merits, implications, and cost of an indemnification by the government.
To assist in a quantitative assessment of potential cost in a given case, relevant data on previous losses, damage and claims concerning the identified risk at home or abroad should be gathered and analyzed. The data may include incidents both within and outside the government. Data bases should also be created for each new activity, and loss, damage and claims experiences should be reviewed regularly.
2.5 Political and diplomatic considerations
To guard against any embarrassment to the Crown and ministers, and to adopt the stance of a good corporate citizen, further aspects of risk minimization that should be examined and taken into account include:
- the interests and safety of the general public;
- industrial, domestic and foreign practices;
- federal, provincial and foreign legislation; and
- the potential of commercial insurance as an arm's-length buffer.
To provide for a clear division of responsibilities in risk management consistent with potential liability or perceived or established responsibility:
- the organization and people responsible for management of the risks should be identified;
- administrative options such as claims administration by the government, adjustment firms, insurers, or brokerage services should be explored; and
- the risk management mandates, experiences and practices of other agencies of the government should be taken into account, as well as the need for their involvement and necessary relationships with them.
2.7.1 Types of risk
Risk analysis identifies the type of risk to any given asset or activity. This in turn determines the appropriate choice of underwriting option.
Contracting authorities should ensure that contractors do not procure insurance on risks that are clearly the responsibility of the government unless the respective responsibilities are so commingled that they are indistinguishable.
Contracting authorities should consult their legal advisers whenever there is any question as to the type of risk involved.
For contracting situations, other than leasing motor vehicles, three basic options, as set out below, are open to departments to ensure prudent use of insurance.
2.7.2 Contractor-controlled insurance
Contractor control of insurance coverage is a satisfactory method and should be the general rule in most contractual circumstances.
This method puts the onus on contractors to arrange their own insurance in accordance with the customs of the trade. Contracting authorities should ensure that contractors make prudent use of insurance commensurate with their financial capability and their legal and contractual liability.
Contracting authorities should consider the influence of sales tax on the final contract price when insurance is purchased by a contractor and its cost is included in calculating the tax.
2.7.3 Government-specified insurance
The specification of insurance requirements in tender documents and contracts should be the rule whenever the nature of the work involves inherent risks that are closely associated and identifiable with the contract.
Inherent risk situations include most construction contracts, work done to particular government specifications, work involving extraordinary danger to the public, and work beyond the normal operations of the contractor. The production of items in a factory for the commercial market usually does not involve inherent risks, but there are exceptions such as explosives and nuclear products.
The dollar value of a contract is not a useful guide in determining whether to specify insurance requirements, because the contractor's exposure to legal liability frequently exceeds this value. This is particularly true where there is a risk of danger to property and to the safety of the public. Examples include: flight testing of aircraft, transporting ammunition, altering public buildings, transporting securities and hazardous materials.
Contracting authorities should:
- predetermine the types of work to which specification of insurance will apply routinely; and
- prepare appropriate insurance requirement schedules for such contracts, including type of coverage, extent of coverage and deductibles.
The more usual method of specifying a minimum level of insurance is preferred. However, if the contracting authority specifies a maximum in order to limit the cost of premiums in the contract price, a legal responsibility to indemnify the contractor against losses beyond the specified maximum may be created. A maximum should, therefore, be set only when an unusual risk is involved for which the premium would be extraordinarily high, and after consultation with the Treasury Board Secretariat.
2.7.4 Government-controlled insurance
The consolidation of all insurance requirements of a major project in a government-controlled insurance program can result in significant savings of insurance premiums.
This option may be effective for:
- insuring risks to a number of contractors or other persons commonly involved in, or affected by, a single endeavour; and
- achieving economies in the insurance cost of a continuing requirement involving a number of contractors providing a service over several years; for example, for the third-party liability risks to the contracted-out operation of functionally identical government facilities across Canada.
Contracting authorities should consider:
- the potential cost savings in contracting government-controlled insurance for others;
- the ability of contractors to contract for insurance through a focal point on their own behalf;
- the extent to which contractors may already be insured;
- the applicability of this option whenever the estimated costs of a project exceed $5 million and a number of contracts is involved; and
- the applicability of this option when: the work involved in a project is of sufficient value; project management is used; or when the services of more than one prime contractor are required; using, to the greatest extent, the standards specified by the contracting authorities in other contracts.
The premium costs of a government-controlled program must be allocated to the project budget and may, depending on administrative efficiency and advantages, be paid directly by the department or be paid by contractors and included in their prices.
3. Phase 3 - Containment
Containment is the third phase of risk management. Its primary purpose is to respond quickly to, and control, damaging incidents while they are happening, prevent the effects from spreading, and provide for continuation of the damaged service or function.
In effect, the containment phase entails implementation of all contingency plans developed earlier to minimize losses through the activation of emergency organizations, physical systems and procedures.
An important prerequisite to this phase is ensuring that contingency plans and systems are kept up to date and in good working order and, as far as possible, that people are trained and procedures are rehearsed.
Longer-range recovery and business resumption plans should also be initiated during this phase (see References, Treasury Board Publications, in this chapter).
4. Phase 4 - Compensation, restoration and recovery
Risk management, after the occurrence of a damaging incident, includes compensation, restoration and disaster recovery. Compensation is the settlement and payment of claims by or against the Crown or its servants. Restoration, an element of recovery, is the use of approved funding to repair or replace damaged, lost or stolen Crown property. In this phase, recovery entails completion of the longer-term measures initiated during containment to return operations to normal as soon as possible.
4.2 Investigation and assessment
Both compensation and restoration involve investigation and assessment.
Investigating the facts of a harmful or damaging incident has four purposes:
- establishing its cause;
- assessing the extent and value of damages and potential legal liability;
- providing a data-base in support of submissions for approval to pay claims; and
- providing feedback on the effectiveness of existing measures, and acting as a basis for establishing new or improved measures to prevent a recurrence.
An investigation report should be prepared on every incident, but its scope and degree of detail will vary with the complexities of the incident. Statements in the report should be restricted to the relevant facts and be as objective as possible. Items in the report could include:
- the incident: explain what happened, who was involved, and which official language was used; describe the nature of, and reasons for, the involvement of servants of the Crown; include information on their status, such as whether they were travelling or were at their normal place of residence or work, and describe the scope of duties and employment and departmental procedures relative to servants of the Crown involved in the incident; where a Crown-owned or -leased motor vehicle is involved, provide detailed information relating to its use and authority for its use;
- damages: provide estimates and an explanation;
- the scene: describe the geographic location and distances from key areas and locations; the terrain; climatic conditions; time of day; vehicular, pedestrian, vessel or aircraft traffic in the area; any plans, sketches or photographs necessary to understand the exact nature of the incident;
- the cause: explain how fault and liability were determined and any negligence identified;
- expert advice and witnesses: indicate whether the R.C.M.P. was requested to assist in the investigation; describe the nature and source of the advice given, including technical, financial and legal assessments, and the opinion of the Department of Justice; obtain statements from witnesses; provide copies of any reports made to the police in connection with the incident;
- comparable or previous settlements: identify;
- sensitivity and precedent: state whether there were any political or diplomatic issues, commitments or pronouncements, and whether there is the potential for setting a precedent;
- claims: provide the number and dollar value of any claims made and received, with supporting statements; indicate whether any further payments are anticipated from this incident;
- commercial and contractual: state whether the incident or proposal is in relation to a contract or not, and whether it is consistent with, or deviates from, normal commercial or contractual practices;
- relevant statutes or other compensation: cite legal services' opinion that the authority proposed is the only means by which a payment may be made. It should be noted that other possible means would include other federal or provincial statutes, programs or commercial insurance. The ages and family status of public servants and of the others involved may be relevant in determining the applicability of these possible means of payment. Particularly in ex gratia cases, carry out a review of possibly related statutes, program authorities and liabilities in order to be satisfied that the payment would not be a liability of the Crown but an act of benevolence done in the public interest or, as currently provided, in the interest of employees suffering damages to their personal effects in the course of their employment; and
- corrective action and risk management: summarize briefly the procedures the department has in place to manage the risk of such incidents, as well as the department's approach to any corrective action required to minimize further incidents in the future.
For claims by and against the Crown and against servants of the Crown, see the Policy on Claims and Ex Gratia Payments, and the Policy on the Indemnification of and Legal Assistance for Crown Servants.