Treasury Board of Canada Secretariat

ARCHIVED - Integrated Risk Management Implementation Guide


Table of Contents

Introduction

Overview of the IRMF

About This Guide

Getting Started—Committing and Sustaining Senior Management Support

Managing the Initiative—Key Drivers of Success

Raising Executive Awareness and Discussing Organizational Readiness and Roles

Assigning a Risk Champion

Creating or Using an Existing Executive Forum—Chaired by the Deputy Head

Assessing Organizational Readiness and Roles

Developing and Communicating an Action Plan

1. Developing the Corporate Risk Profile

The Fundamentals

How to Do It

Questions to Consider

Examples

2. Establishing an Integrated Risk Management Function—Integrating Risk Management into Existing Decision making Processes and Reporting

The Fundamentals

How to Do It

Questions to Consider

Examples

3. Practising Integrated Risk Management

The Fundamentals

How to Do It

Questions to Consider

Examples

4. Ensuring Continuous Risk Management Learning

The Fundamentals

How to Do It

Questions to Consider

Examples

Developing and Implementing Integrated Risk Management: an Overview

Summary of What and How for Establishing Each Element of the Integrated Risk Management Framework

Selected References

Appendix A

Who Does What in Implementing Integrated Risk Management

Appendix B

A Common Risk Management Process

Appendix C

Common Risk Management Model

Appendix D

Sample Templates for Identifying, Assessing, Recording, and Reporting Risk Information

Appendix E

Sample Risk Identification Lists

Appendix F

TBS Management Accountability Framework—Risk Management Expectations

Introduction

This guide is a companion to the Government of Canada's Integrated Risk Management Framework (IRMF) of April 2001. It is intended for use with the IRMF in implementing integrated risk management in a federal organization.

The IRMF supports the government agenda of modernizing management practices and supporting innovation through more responsible risk taking. The IRMF embodies principles and practices that follow through on the vision of the 1997 Report of the Independent Review Panel on Modernization of Comptrollership in the Government of Canada and the commitments made in Results for Canadians: A Management Framework for the Government of Canada, a report issued by the Treasury Board of Canada Secretariat (TBS) in 2000.

The Independent Review Panel highlighted a new philosophy for comptrollership. The philosophy combines a strong commitment to four key components: performance reporting (both financial and non-financial); sound risk management; the application of an appropriate system of control and reporting; and values and ethics. The vision for modern comptrollership is that management decisions, at every level, integrate risk management, financial and non-financial performance information, appropriate controls, and values.

With regard to risk management, the panel report highlighted the need to:

  • ensure that employees are risk-attuned (not only in identifying, but also in managing risks);
  • match more creative and client-driven decision-making and business approaches with solid risk management; and
  • create an environment in which taking risks and the consequences of doing so are handled within a mature framework of delegation, rewards, and sanctions.

The importance of strengthening risk management was reinforced in Results for Canadians, which promised development of an integrated risk management framework. An integrated approach to risk management supports the four management commitments outlined in the report (citizen focus, values, results, and responsible spending) by promoting a more corporate and systematic approach to managing risk, applying sound risk management practices, and fostering a working culture that values learning, innovation, responsible risk taking, and continuous improvement.

In June 2003, TBS released the Management Accountability Framework (MAF), which continues the emphasis on corporate risk management. A key expectation of the MAF is that the executive team clearly defines the corporate context and practices for managing organizational and strategic risks proactively as part of achieving management excellence. The MAF presents indicators and measures for risk management and the other expectations placed on modern public service management.

This guide recognizes that managers have many roles and responsibilities. Managers are expected to achieve specific results, while taking into account numerous competing demands. The IRMF and this guide support managers by emphasizing results and priority setting while promoting approaches and tools that build on existing management systems and practices. In fact, a primary aim of integrated risk management is to improve results through more informed strategic and operational decisions that contribute to achieving an organization's overall objectives.

Overview of the IRMF

The IRMF establishes an approach to integrating risk management into an organization's decision-making processes and managing risk on an aggregate basis, while still allowing departments and agencies to develop their own approaches within common parameters.

This section provides an overview of the concepts, purpose, and expected results of the IRMF, offering readers a basic understanding of the underlying risk management concepts and the linkages among the IRMF's four elements. Individuals new to the subject are encouraged to read the framework, available on the TBS risk management Web site at /rm-gr/site/default.aspx. Practitioners and risk champions already familiar with the IRMF may choose to go directly to the sections on implementing the framework's four elements.

There are three critical concepts that are cornerstones of the IRMF: risk, risk management, and integrated risk management. The IRMF adopted the following descriptions, developed for the Public Service of Canada in the context of the IRMF and explained in the framework in greater detail:

Risk refers to the uncertainty that surrounds future events and outcomes. It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization's objectives.

Risk management is a systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, acting on, and communicating risk issues.

Integrated risk management is a continuous, proactive, and systematic process to understand, manage, and communicate risk from an organization-wide perspective. It is about making strategic decisions that contribute to the achievement of an organization's overall corporate objectives.

The framework provides guidance on adopting a more holistic approach to managing risk, emphasizing four related elements: Developing the Corporate Risk Profile; Establishing an Integrated Risk Management Function; Practising Integrated Risk Management; and Ensuring Continuous Risk Management Learning. More detail can be found in the IRMF and throughout this guide.

The expected results for the four elements are summarized below:

Element 1: Developing the Corporate Risk Profile

Synopsis: Organizational risks are identified through environmental scanning; the current status of risk management within the organization is assessed; the organization's risk profile is identified.

Element 2: Establishing an Integrated Risk Management Function—Integrating Risk Management into Existing Decision-making Processes and Reporting

Synopsis: Management direction on risk management is communicated, understood, and applied; integrated risk management is implemented through existing decision-making processes and reporting structures; capacity is built through the development of learning plans and tools.

(In this guide, Element 2 has been clarified by the addition of the description "Integrating Risk Management into Existing Decision-making Processes and Reporting.")

Element 3: Practising Integrated Risk Management

Synopsis: A common risk management process is applied consistently at all levels; results of risk management practices at all levels are integrated into informed decision-making and priority setting; tools and methods are applied; there is ongoing consultation and communication with stakeholders.

The IRMF describes a common, continuous risk management process to help organizations understand, manage, and communicate risk. Through nine interrelated steps, the process provides common terminology, guides decision making at all levels, and lets organizations tailor their activities at the local level. The nine steps span risk identification, risk assessment, risk response, and monitoring and evaluation. These steps are presented graphically in Appendix B. (See Exhibit 1 from the IRMF.)

The IRMF also presents a risk management model that lets managers assess where a particular risk falls in terms of likelihood (low, medium, or high) and impact (minor, moderate, or significant) and determine the level and nature of response necessary to manage the risk. This model is reproduced in Appendix C. (See Exhibit 3 from the IRMF.)

Element 4: Ensuring Continuous Risk Management Learning

Synopsis: A supportive work environment is established where learning from experience is valued and lessons are shared; learning plans are built into the organization's risk management practices; results of risk management are evaluated to support innovation, learning, and continuous improvement; experience and best practices are shared internally and across government.


About This Guide

This guide provides practical advice to those leading and facilitating implementation of integrated risk management in their organizations. It will be useful as well in increasing understanding and collaboration where needed. Risk champions familiar with the IRMF can look to the guide for what to do next. The guide is also a reference tool for assessing progress and identifying gaps in organizations where integrated risk management is already underway.

The guide's focus is integrated risk management, not risk management. Much material is available on various aspects of risk management (project, financial, health and safety, etc.), more than could even be usefully summarized in this guide. The guide section on Element 3 therefore focusses, as its title suggests, on "practising integrated risk management." For material on risk management in specific circumstances, readers are directed elsewhere (e.g. to the appendices, references, and the TBS Web site).

The guide relies on lessons learned by implementation leaders, particularly members of the IRMF Implementation Council.¹ Federal experience with integrated risk management, and most experience worldwide, is on Elements 1 (Developing the Corporate Risk Profile) and 2 (Establishing an Integrated Risk Management Function—Integrating Risk Management into Existing Decision-making Processes and Reporting). There is less information on and practical experience with Elements 3 and 4, i.e. the ongoing practice of integrated risk management and continuous risk management learning. As the practice of integrated risk management matures and a broader range of organizations gain experience, more examples will be available from which lessons can be drawn.

Structure and Format

Following the introductory material and tips for getting started, the guide is divided into four sections, reflecting the four elements of the IRMF:

  1. Developing the Corporate Risk Profile;
  2. Establishing an Integrated Risk Management Function—Integrating Risk Management into Existing Decision-making Processes and Reporting;
  3. Practising Integrated Risk Management; and
  4. Ensuring Continuous Risk Management Learning.

For ease of reference, these sections contain common sub-sections offering practical advice and examples. The sub-sections are as follows:

The Fundamentals. What every organization needs to establish the particular IRMF element under discussion.

How to Do It. Approaches, practices, tools, and processes based on what has worked for organizations in the process of implementing integrated risk management.

Questions to Consider. What to consider in tailoring integrated risk management implementation to reflect the unique characteristics (mandate, readiness, size) of the organization, its culture, and its work environment.

Examples. Cases to illustrate how organizations implemented integrated risk management and sources of additional information, tools, techniques, and templates to help to get started and address issues and challenges as implementation proceeds.

Some references are listed at the end of this guide; in addition, the Integrated Risk Management Framework and other resources are available on the TBS risk management Web site at /rm-gr/site/default.aspx.

Also at the end of the guide is an overview chart summarizing the steps in implementing an integrated approach to risk management within an organization. It describes key requirements and decisions for the critical stages in the process. Following the overview are summaries of what and how for establishing each IRMF element—practices and techniques for what organizations have done or need to do to develop and implement the particular element.

  1. The mandate of the Implementation Council is to advance the implementation of the IRMF across the federal government. The Implementation Council is composed of representatives of departments and agencies whose deputy heads have agreed to be IRMF implementation leaders. Members of the Implementation Council include Agriculture and Agri-Food Canada, Canada Customs and Revenue Agency, Citizenship and Immigration Canada, Environment Canada, Fisheries and Oceans Canada, Human Resources Development Canada, Indian and Northern Affairs Canada, Industry Canada, National Defence, Natural Resources Canada, Royal Canadian Mounted Police, Transport Canada, Treasury Board of Canada Secretariat, and Veterans Affairs Canada. At the time of writing this guide, Health Canada, the Immigration and Refugee Board, and Public Works and Government Services Canada were not formal members of the Council but nevertheless have been actively engaged in implementing integrated risk management in their organizations.

Getting Started—Committing and Sustaining Senior Management Support

This is about building the will and capacity for change—leading the initiative and managing the change.

Expected Results

  • Organizational readiness is assessed—understanding the organizational culture and the workforce's capacity for change, in light of the organization's mandate and resources.
  • Key risks (threats and opportunities) in achieving overall corporate objectives are considered initially by an executive forum from an organization-wide perspective; senior management discusses roles and approaches to address the risks collectively.
  • A senior management risk champion is identified who can exercise strong leadership to inspire and manage the required change and who believes in the value of integrated risk management and has a clear vision of how it links to corporate objectives.

Managing the Initiative—Key Drivers of Success

Implementing an integrated approach to risk management requires sustained effort. This section identifies key factors for departmental and agency risk champions, senior managers, and others to consider when planning implementation. Whether the process has been underway for some time or is just beginning, how they deal with these factors and how they set and adjust the course have a significant impact on the speed and success of implementation.

Recognize at the outset that the organization is undertaking a cultural change by moving away from a silo approach to a more corporate one. Readiness—where the organization is now and its capacity to adapt—affects how fast and far it will progress. Borrow and use the lessons and practices of change management to foster the will and capacity for change.

For example, consider the concepts and strategies outlined in Changing Management Culture: Models and Strategies to Make It Happen (TBS, March 2003). The paper focusses on modern comptrollership, but its approach is generic and can be applied to any attempt to change management culture in support of modernizing and enhancing excellence in the Public Service. As well, The Conference Board of Canada's report, Integrating Risk Management Through a Change Management Process (2001), shows how change initiatives progress through a series of steps. It describes how change management can be a valuable guide to developing, implementing, and maintaining an integrated risk management program tailored to the organization.

Also recognize that there will be start-up costs (time, attention, training, systems, and communications) until the practice becomes an integral part of departmental planning and business processes.

Risk management is done—well or poorly—throughout organizations whether or not they recognize it.

Today's operating environment demands a systematic and more integrated risk management approach. It is no longer sufficient to manage risk at the individual activity level or in functional silos. Organizations around the world are benefiting from a more comprehensive approach to dealing with all their risks.

Raising Executive Awareness and Discussing Organizational Readiness and Roles

Opening the Risk Dialogue

Initial discussion at the executive table will centre on gaining a common understanding of what integrated risk management is and what it means specifically for the organization. Many departments and agencies are undergoing or have completed a modern comptrollership capacity check², and implementing integrated risk management is likely part of the organizational response or action plan to advance the modern management agenda. Since integrated risk management is to be incorporated into existing decision-making processes, it is important to consider from the beginning how to align it with other corporate initiatives and priorities. Early discussion will also consider factors such as organizational readiness, capacity for change, and senior management roles, including a risk champion, as well as the champion's location and support/resources.

Understanding and Support of Senior Management

The deputy head and senior management set the tone. The engagement of senior managers signals organizational commitment, and their active, continuing support is vital for implementation. They must understand integrated risk management and its potential contribution to achieving corporate objectives. Risk-aware executives understand the key corporate risks and how they are being managed for the organization as a whole and for their areas of responsibility. Risk-aware executives appreciate the interdependencies and connections among the different types of risk—the source and level of control of the risk and the opportunities to innovate within the boundaries of responsible risk-taking.

It will help for senior managers to be familiar with the Integrated Risk Management Framework, as well as risk management reports and guidance developed by the Privy Council Office and the Canadian Centre for Management Development (CCMD). Risk awareness can also be raised by briefings, seminars, and retreats and by formal courses, such as those offered by CCMD.

For information on which to base briefings for the executive team, departmental officials may wish to consult the TBS Risk Management Centre of Expertise about the concepts contained in the IRMF, the thinking around integrated risk management and the state of implementation government-wide. It is also important to seek information from other departments and agencies or other external sources that have similar interests or operating environments.

Assigning a Risk Champion

Executive Leadership—Identifying Key Roles. Strong leadership is essential. The deputy head and senior management risk champion must ensure executive support on the part of leaders at various levels who will legitimize and sanction implementation of integrated risk management with their words and actions. This can be done in many ways as the organization's integrated risk management approach and practice matures.

The chosen risk champion will be an enthusiastic and knowledgeable supporter of integrated risk management. The champion must be able to show how integrated risk management will help executives meet corporate objectives in the short term and better position the organization for the future, as well as how to communicate these benefits broadly. Consider the current level of executive awareness and engagement in integrated risk management and the role senior managers will play in making it come alive by leading, supporting, and communicating progress.

The most effective lead for implementing integrated risk management is certainly at the deputy head level, but it is also common to place the lead in a corporate function at the assistant deputy head level, for example, in the strategic or business planning unit or corporate services branch. The risk champion is not a figurehead. Implementing integrated risk management involves major change requiring significant leadership capacity to show the value of change and inspire enthusiasm and support for a common vision.

Time and effort are needed to gain momentum, provide training for managers and specialists, and establish good tools and processes. Consider an initial investment in start-up to support the champion with appropriate resources, such as time at the executive table, people, and funds. For example, a group of specialists can be formed to provide expertise and promote a systematic approach to the process of integrating risk management. This can begin where the expertise resides (e.g. finance or internal audit) and migrate as appropriate (e.g. to strategic planning). The group can provide direction and co-ordination for integration with corporate planning and priority setting, along with guidance for common processes to set priorities among major risk areas, allocate resources, and conduct a corporate-level environmental scan. Organizations without an internal source of expertise on integrated risk management often collaborate with an external consultant or practitioner.

Creating or Using an Existing Executive Forum—Chaired by the Deputy Head

A new or existing executive forum chaired by the deputy head can direct and sustain integrated risk management by considering corporate risk issues, approaches, and performance. Organizations do this by making integrated risk management a key agenda item for an existing committee chaired by the deputy head or by convening the executive committee as a departmental risk management committee. First discussions are an opportunity to get a sense of the senior management team's risk culture and knowledge and for the risk champion to take stock of where alliances can be created and where more work is needed to ensure a common understanding, purpose, and goals. As the organization's practice matures, discussion will move toward implementation strategy and progress in light of the organization's key high-risk areas. The departmental audit committee, in its broad oversight role, could also review departmental risk management strategies and practices.

To support the executive team in its decision-making and advisory roles, larger departments typically create or use an existing department-wide working group (director general, director, or senior officer levels) to propose and advise on corporate approaches, implementation plans, systems, and practices. This is an opportunity to raise awareness in the organization and communicate the importance of the practice, while improving horizontal linkages, enhancing team spirit, and creating collective ownership.

Assessing Organizational Readiness and Roles

Implementation approaches must recognize that the shift to a risk-smart mindset will place demands on a workforce already operating in an environment characterized by considerable competition for change. Assessing readiness is essential if integrated risk management is to be aligned with management initiatives already underway and built on existing systems and processes. It will also contribute to better management of the discomfort inherent in change and can help people go beyond simple compliance and embrace the underlying purpose. (For additional guidance on roles, see Appendix A.) Several factors will be helpful in assessing readiness.

Modern Comptrollership Capacity Check. The capacity check provides a useful assessment across a range of interrelated management initiatives. Use assessment results to align integrated risk management with comptrollership initiatives already underway. It is expected that assessment results, combined with other management reports and performance information, will be used to identify departmental priorities for improvements and to develop action plans to address them. Priorities will vary with departmental circumstances, businesses, client needs, and other considerations.

The Workforce and Organizational Culture. To assess readiness, consider several areas as a starting point; these are considered more fully as implementation progresses. Organizations take into account the current organizational culture for risk management and how the culture needs to change. Consider how employees are going to react and how the organization will help them succeed despite the discomfort of change. This will depend in part on the extent to which risk management is already incorporated into strategic or business planning and operations, for example: whether current plans identify sources of risk; the extent of identification and knowledge of important strategic, operational, and financial risks; staff awareness of and/or capacity to manage the risks; and the existence of systems and protocols to respond to potential threats, opportunities, or risk events.

Existing Knowledge and Systems. Consider whether existing committees, systems, and processes can be used (executive and operational committees, planning and reporting processes). Some organizations already have a common risk management language and framework or parts of it. Consider whether people are using a common language and process and build on existing understanding of risk or risk management. It may be helpful to transfer such knowledge and skills. Put the current culture and system to the acid tests: Is risk management factored into policies and advice to ministers? Does failure to address risk management prevent plans from being approved?

Change Management

Integrated risk management (IRM) requires a healthy risk culture, leadership, and innovation. It enhances a proactive climate of problem solving, communication, and risk taking that is essential for the economic growth of an organization. Implementing IRM, however, is not without its growing pains. It requires long-term commitment that involves a strategic and functional overhaul of all policies, processes, and systems, followed by management of its impact on the workforce and corporate performance.

Assessing Readiness for Change

An organization needs to ask fundamental questions and apply strategic assessment tools that will help to assess its general readiness for IRM and build the will to change. The results, in turn, will allow organizations to determine how information will flow into an organization's existing structures.

Integrating Risk Management Through a Change Management Process, The Conference Board of Canada, 2001

Developing and Communicating an Action Plan

Develop and communicate an action plan for implementing integrated risk management. The plan should include organizational context, approach, priorities, desired outcomes and performance measures, activities, responsibilities, and timelines. The implementation approach must suit the organization's culture and be based on an assessment of organizational readiness and roles, with advice from the executive team.

The risk champion leads preparation of the departmental or agency action plan. Since implementation progresses in phases of focussed effort, with each phase providing significant information and requiring key decisions, the plan is updated and detail added as implementation progresses.

In collaboration with the IRMF Implementation Council, TBS has developed the Illustrative Template for Developing Action Plans for Federal Departments and Agencies Implementing the Integrated Risk Management Framework. The template builds on the Modern Comptrollership Action Plan template and is available on the TBS risk management Web site. It proposes an action plan consisting of six sections:

  1. context and background;
  2. approach and priorities;
  3. alignment with the IRMF;
  4. accountability for integrated risk management;
  5. challenges; and
  6. implementation plan time frame.

As outlined in the following paragraphs, the action plan should provide direction, consider the challenges commonly encountered in implementation, and identify the areas where focussing first efforts is most useful.

Consultation and Communication. The risk champion ensures consultation on the action plan and communication of the final plan, as approved by the executive team, throughout the organization. Communication can take many forms and should, at a minimum, outline the vision, objectives, and expectations for integrated risk management implementation. Directions should be consistent with existing decision-making processes and structures and establish and communicate implementation goals (and timelines, where appropriate). Create opportunities for input as documents providing direction are being developed and use a common risk management language and consistent messages in all communications.

Common Challenges. Major challenges identified to date through the experiences of departments and agencies leading implementation fall into three broad categories.

Breaking down Barriers. Many departments' mandates include markedly different areas of responsibility that often operate independently. Departments' ability to restructure, realign, and integrate corporate planning and priority-setting processes is likely to speed up integration of risk management throughout the organization.

Building Bridges. Since departments generally see that their daily business is about managing risk, the challenge is to take what may seem obvious at the program delivery level and translate it into broader organizational management language and thinking. Departments need to encourage intellectual bridges between operational specialists and management specialists on how risk management principles and tools will improve operations.

Staying on Track. Recognizing the potential for unexpected events or demands, departments seek flexible approaches to implementing integrated risk management. The challenge is to stay the course and not lose sight of the ultimate goal.

First Areas of Focus. Organizations beginning integrated risk management find it most useful to focus initial efforts in three areas.

Developing a Corporate Risk Profile. Developing a corporate risk profile is a strong signal of senior management's commitment to establish infrastructure, tools, and processes for managing risk. It sets the stage for good performance measurement, enhanced accountability, and ultimately better management practices. It recognizes the interrelationships that mean that some high-level risks require a horizontal view and solution.

Incorporating Integrated Risk Management into Strategic and Business Planning. Success in establishing an integrated risk management function in the departments leading implementation does not appear to be directly correlated with either organizational size or the location selected for the champion. The risk management message is communicated throughout these organizations through key corporate and strategic planning processes. Business and operational plans, viewed through the lens of integrated risk management, recognize risks, incorporate measures to avoid adverse consequences, and embrace opportunities for innovation.

Building Capacity. Providing tools and training based on the analysis and results of the corporate risk profile is an important way to strengthen risk management capacity and communicate expectations and direction.

Pitfalls to Avoid

  • Reinventing the wheel—much material and advice are available.
  • Imposing or implementing generic models, processes, and systems without ensuring fit with stakeholders—consult and adapt.
  • Depending on outside consultants to do most of the strategic thinking—learn from others but do the work yourself.
  • Working with only a subset of management or functional groups.
  • Excluding people or groups considered difficult.
  • Practising selective hearing and selective thinking.
  • Listing every possible risk or treating all risks as equal. Without links to strategy and priorities, effort can be diverted to creating and reporting on risk lists, rather than managing the risk portfolio most effectively. Worse, top management may think risk is being managed when it is not.
  • Talking about the risks without also talking about the risk response (even if it is not perfect).
  • Attempting to quantify all risks the first time.

1. An assessment tool known as The Capacity Check is available to departments and agencies to perform a self-assessment of current capabilities relative to modern comptrollership management practices. Risk management is one of seven key areas assessed. This baseline assessment, involving interviews with executives and managers, allows for the identification of priority areas for improvement (e.g. processes, competencies, systems, etc.).



1. Developing the Corporate Risk Profile

Developing a corporate risk profile involves taking stock of the organization's operating environment and its capacity to deal with key high-level risks linked to achievement of corporate objectives.

Expected Results

  • Threats and opportunities are identified and adjusted through ongoing internal and external environmental scans and analysis.
  • Current status of risk management within the organization is assessed—challenges/opportunities, capacity, practices, culture—and recognized in planning to manage organization-wide risks.
  • The organization's risk profile is identified—key corporate risk areas, stakeholders' risk tolerance, ability and capacity to mitigate risk, and learning needs.

Developing a risk profile is a logical starting point in implementing integrated risk management. Organizations take stock of their operating environment, identify key risks, and review the organization's capacity to deal with these risks.

A corporate risk profile helps a department or agency establish a direction for managing corporate risks. The profile presents a snapshot of the organization's risk status at a particular point in time by addressing the following questions from a risk perspective: where is the organization now (threats, opportunities, strengths, and weaknesses); where is it going (organizational objectives and expected results); and what are the key high-level risks that need to be managed at the senior management level to enable the organization to achieve its corporate objectives and results?

To develop the profile, risk information at both the corporate and operational levels is analyzed to understand the key characteristics of the broad range of internal and external risks facing the organization. Senior management attention is focussed on a manageable number of risks (five to ten) in the context of the organization's mandate, objectives, available resources, and capacity for integrated risk management. In managing key risks, decision makers must also take into account risk tolerances of key stakeholders.

There is a significant interrelationship between developing a corporate risk profile and the strategic planning process. Risk management underlies all aspects of priority setting, planning, and resource allocation; in addition, the corporate risk profile, with two-way linkages from and into each of these areas, provides a vehicle to integrate them at the corporate level. Thus, the corporate risk profile is informed by and feeds back into departmental strategic planning documents and processes. In a mature practice of integrated risk management, a robust strategic and business planning process should assimilate the corporate risk profile, eliminating the need to present it separately.

The Fundamentals

The deputy head and executive committee should:

  • ensure clarity of corporate objectives: achievement of corporate objectives is the foundation for developing the corporate risk profile; corporate objectives must be identified, clearly articulated, and understood by all managers (the development of the organization's report on plans and priorities provides a good opportunity to do that);
  • support the risk champion by providing a clear mandate for the development of the corporate risk profile;
  • be prepared to invest time and resources: organizations that have developed a corporate risk profile report that updating the profile is much faster and less costly once concepts and processes are established and embedded in traditional planning and decision-making processes;
  • ensure that the corporate risk profile is linked in a meaningful way to corporate priority setting and resource allocation exercises;
  • ensure that responsibility, authority, and accountability, including progress reporting for development of the corporate risk profile, are communicated to departmental managers;
  • encourage senior management dialogue related to corporate risk profile development;
  • understand and reflect stakeholders' expectations—the level and nature of engagement will change as practice matures;
  • be aware that the contents of the profile are evergreen: the profile and process must be dynamic and respond to changes (e.g. major events such as those of September 11, 2001, significantly influenced key high-level risks for several departments); and
  • ensure ongoing communication: communication is a basic principle of integrated risk management and fundamental to developing a corporate risk profile; key managers need to understand what is being done, why, what the expected results are, and what contribution is expected from them.

How to Do It

Developing a corporate risk profile involves activities under six general headings:

  • plan and prepare;
  • conduct an environmental scan;
  • understand stakeholders' risk tolerance;
  • assess current risk management capacity;
  • develop the initial risk response; and
  • portray the corporate risk profile.

Plan and Prepare

The focus and approach to developing the corporate risk profile are influenced by and linked to the organization's operating environment and state of readiness. Several factors can influence profile development, including the organization's mandate, resource base, and size; whether the organization is a central agency, a science-based or a regulatory department; whether the organization is largely operational or predominantly involved in policy development or learning; whether it is highly centralized; and how many program responsibilities it has. For example, regulators in science-based departments will naturally be more sensitive to and likely influenced by Canadians' low tolerance for risks to public health and safety. On the other hand, departments implementing administrative programs and central agencies may see more opportunity to innovate and experiment with new approaches to program and service delivery and policy.

Ideally, senior management should be asked to endorse a process model (methodology) that:

  • provides a structured and disciplined approach to data collection;
  • ensures that the entire executive team shares a common understanding; and
  • facilitates engagement of other key managers in developing the corporate risk profile.

This may require separate briefings of individuals or consideration at several meetings, depending on factors such as the team's comfort level with the integrated risk management concept and the anticipated benefits of developing the corporate risk profile.

Briefings of the executive team on integrated risk management to gain support for moving forward on corporate risk profile development would typically cover the following:

  • what integrated risk management is, including the four interrelated elements;
  • the benefits of integrated risk management in general and specifically for the organization in terms of advancing its priorities (how the organization and its executive team will benefit in the short term and be better positioned for the future);
  • a general sense of what exists or is already being done in the organization to manage risk;
  • what information needs to be collected to develop the corporate risk profile, how this will be done, and what will be done with the information collected; and
  • key roles, reporting relationships, and timelines for development of the profile.

Most organizations can build the corporate risk profile using existing sources. For example, existing information and/or data collection mechanisms can help guide development of the corporate risk profile.

Strategic Management of Risk

"Managing risk is a way of confidently taking the right risks and then managing the outcomes for success.

Strategic Planning versus Operational Reality

"Organizational strategic goals are set for all the right reasons, but generally not connected to operational capabilities.

"Unless strategic objectives are modified by a realistic evaluation of capabilities and then linked, the only outcome will be consistent frustration and underperformance.

"It is no use running harder if you do not know where you are going."

Source: presentation in Ottawa, June 2003, by Kevin W. Knight, President of the Australasian Institute of Risk Management; Chairman of the International Organisation for Standardisation (ISO) Working Group on Risk Management Terminology; and a member of the Standards Australia/Standards New Zealand Joint Technical Committee OB/7—Risk Management.

Conducting an Internal and External Environmental Scan

A corporate risk profile identifies key risk areas that cut across the organization (issues, functions, programs, systems), as well as individual events, activities, or projects in the various business lines that could significantly influence overall management priorities, performance, and achievement of corporate objectives.

These internal and external factors and risks are identified through an environmental scan or preliminary data collection and analysis. Major trends and changes to them over time are particularly relevant in providing early warning of potential risks that may adversely affect departmental outputs and ultimately objectives, results, and outcomes.

The IRMF provides several suggestions about risk identification techniques, such as brainstorming, scenario planning, and surveys. Other sources of risk information include audit reports, performance reports, and other management information systems.

Internal Scan

The following sources provide insights that may help to determine the state of the organization in terms of what is at risk and types and sources of risk (threats, opportunities, strengths, and weaknesses).

  • Results of the modern comptrollership capacity check and the corresponding action plan. Most departments have completed the capacity check, which provides a wealth of information about managers' perceptions of the organization's status in areas such as risk management, strategic leadership, values and ethics, integrated performance information, stewardship, and accountability. The organization's status is mapped against a maturity model for each area.
  • Departmental strategic planning documents: the corporate plan, departmental performance report, report on plans and priorities, audit observations and recommendations, capital assets, and functional plans.
  • Performance management reports, information, and systems help determine whether the organization is meeting its performance expectations and targets.

These documents are likely good sources of information on organizational objectives, direction, new projects and initiatives, current performance, and areas needing attention or improvement.

For additional data collection or surveys, an interview guide or model that classifies or groups risk areas (identification of what is at risk, types and/or sources of risk, a ranking scale and methodology) will facilitate consolidation and analysis of information collected. Data can be organized by program, business line, discipline or functional area, geographic location, type of risk, sources of risk, or a combination of these and other relevant categories.

The following activities could supplement the information gathered from the sources already discussed:

  • Review central agency and departmental policy instruments to determine direction on risk management. Determine departmental practices related to these policy instruments.
  • Consult with corporate planning, policy, audit, and evaluation personnel to identify areas where the organization may be at risk or vulnerable.
  • Reach out to branch, program, business line, functional assistant deputy ministers, executives, and key managers to identify risks in their immediate area of responsibility and the organization as a whole.
  • Seek key managers' assessments of risk areas, ranking of the risks from highest to lowest priority, and how the risks are currently being managed.

External Scan

Understanding the organization's risk universe helps identify and assess key high-level risks for the corporate risk profile. External factors to be considered include the political, economic, social, and technological environments, as well as trends and changes that could influence the conduct of the organization's activities or achievement of its objectives. The interests and risk tolerance of key external stakeholders are also important considerations in developing the risk profile and establishing the organization's risk tolerance(s).

  • Consider the following information sources: media monitoring; the government's policy agenda, including the Speech from the Throne; benchmarking of the organization's status against that of other departments; public opinion research; advisory groups, boards, or councils; consumer groups (users of programs and services); Statistics Canada databases; think tanks; associations; interest and lobby groups.
  • Consider the following to collect the required information: internal scanning services of an existing corporate function (e.g. the corporate communications group); a targeted or omnibus survey or questionnaire; use of electronic bulletin boards and what-if scenarios to seek reaction and direction from stakeholders; focus testing and pilot approaches to target markets or specific geographic areas.

Understand Risk Tolerance

An organization's tolerance for risk varies with its culture and with evolving conditions in its internal and external environments. An organization's risk tolerance and that of its key stakeholders must be understood, because both will influence and guide decision-making. Management must determine which risks the organization should accept at which levels, then re-evaluate these choices as circumstances change.

Risk tolerance and performance expectations should be linked directly at the corporate level. Organizations should understand the correlation between the degree and duration of unfavourable variances from established performance expectations or targets and the level of risk exposure.

Consider the following in understanding the organization's risk tolerance level and that of its key stakeholders:

  • the operating policy framework, i.e. acts, regulations, TB and departmental policies, directives and guidelines, levels of delegation of authority; the governing instruments generally articulate acceptable departmental practices and expectations in given circumstances;
  • the organization's performance expectations and actual performance;
  • how the organization or stakeholders have reacted to past risk events and issues;
  • formal or informal mechanisms to track, report, and act on performance;
  • employees' understanding of the risks taken by themselves, their team or group and the department;
  • whether there is a common understanding of risk tolerance and risk management and how effectively it is communicated across the department and to its internal and external stakeholders;
  • employees' understanding of the risk tolerances of key stakeholder groups; and
  • whether stakeholders have been consulted on risk tolerances and performance targets.

The following diagram presents risk tolerance in relation to the cost of managing to different levels of risk. Source: presentation by Kevin W. Knight, Ottawa, June 2003.

[Figure: diagram presenting risk tolerance in relation to the cost of managing to different levels of risk.]

Assess Current Risk Management Capacity

It is important to identify the nature, adequacy, and usefulness of existing organizational tools, techniques, human resources skills, and expertise for managing risk.

By taking stock of the risk management tools and techniques now in use, as well as the risk management skills available in the organization, it will be possible to assess the state of risk infrastructure in terms of organizational stability and system capacity. Management must ensure that this infrastructure is capable of supporting the organization's current and anticipated integrated risk management needs.

Developing the Initial Risk Response

Once information has been collected (environmental scan, capacity to manage risk, stakeholders' risk tolerance) and findings and assumptions have been validated, it needs to be analyzed, aggregated, and presented to the executive committee. The deputy head and the executive committee should collectively assess the broad spectrum of risks facing the organization in terms of likelihood and impact on achievement of corporate objectives. They can then decide which of the key high-level risks need to be managed at the corporate level and which should or could be managed by other levels.

Each member of the executive committee should rank the key high-level risks by priority and be prepared to explain the ranking and linkages to corporate objectives and other risks. Anonymous voting technology or similar approaches can be used to rank risks. Based on the discussion, the executive committee can decide on the corporate ranking of risks and determine the steps the organization will take to manage the risks. These steps should be informed by the findings of the environmental scan, the organization's capacity to manage risk, and stakeholders' risk tolerance, as well as the management team's knowledge and experience.

In developing the initial risk response, the organization should ideally seek to engage key stakeholders in dialogue to gain their support for the proposed steps. The organization should attempt to strengthen and ensure a common understanding of the possible options and trade-offs and seek stakeholders' help in formulating plans that contribute to the achievement of organizational objectives to the greatest extent possible.

The results of the risk assessment and ranking must be linked to the department's priority setting and resource allocation processes so that management attention and resources flow to the highest risks.

Portray the Corporate Risk Profile

The final step is to produce a document depicting the corporate risk profile. It sets out the results of the environmental scans, risk assessment, and analysis and identifies areas requiring corporate decisions or direction regarding risk management strategies. Organizations have developed various ways to present results, including matrices, risk maps, and reports with summaries by risk area. The reader may find it useful to refer to the sample risk map reproduced in Appendix D.

Questions to Consider

Ask the following questions to confirm that the organization is achieving the expected results of developing a corporate risk profile.

  1. Are the key high-level risks for the department identified?
  2. Is there evidence that the deputy head and departmental executive are engaged and committed to corporate risk profile development and related action? (That is, have they made it a departmental priority? Have start-up resources been allocated? Will findings be linked to decision-making processes, including priority setting and resource allocation exercises?)
  3. In determining the initial departmental response and action to manage key high-level risks, has consideration been given to the risk tolerance of key stakeholders and is senior management mindful of the organization's capacity to manage such risks? (Are employees aware of risk management theory and practices? Are systematic risk management processes already being applied and can the organization leverage this knowledge and expertise? Do employees have the necessary knowledge, skills, and tools to manage risks within their areas of responsibility?)

Examples

Developing a Corporate Risk Profile: Framework for Engagement

To develop a corporate risk profile, one department, using the risk expertise within its internal audit group, developed Frameworks for Engagement (a Memorandum of Understanding) between the audit group and the departmental branches. The framework acts as the mechanism for outlining the roles and responsibilities for the identification and assessment of risks, development of corresponding mitigation strategies, and reporting. After a number of facilitated risk identification and assessment sessions conducted over nine months, followed by a period of regional consultations, key risks were identified and initial management strategies were suggested. These were subsequently used to develop a profile of corporate risk areas and a variety of mitigation strategies. Both the risks and the strategies are now important components of the organization's corporate plan.

Developing a Corporate Risk Profile: Environmental Scanning

Another department uses environmental scanning as the basis for developing its corporate risk profile. The scan includes the following:

  • the identification and description of internal and external risks that significantly influence the achievement of the organization's objectives (key risk areas);
  • an overview of the department's capacity to manage risk in terms of existing competencies and systematic processes;
  • an identification of target risk units (activities, operating groups, systems, and programs that require specific attention because they entail significant potential risks); and
  • systematic methods of managing risk for the priority target risk units.

The corporate risk profile also sets out an organization-wide view of risk tolerances and how they are communicated to managers and employees. The department's executive board reviews all components of the profile annually.

Use of a Corporate Risk Profile

One department, with a significant regional presence in program delivery, depends on its corporate risk profile to explain how its two types of risk (inherent risks arising from the department's mandate and risks arising from the changing operating environment) interact dynamically to affect the achievement of business objectives.

The corporate risk profile is also intended to inform staff and stakeholders about the following:

  • the prevailing departmental perspective on inherent risks (key risk areas) arising from the mandate;
  • risks emerging from the changing operating environment;
  • priority target risk units and how their risks are to be mitigated and managed;
  • risk tolerances and how they are to be communicated;
  • current capacity of the department overall to manage and mitigate significant risks; and
  • learning and support needs, structures, and actions to sustain integrated management of risk within the organization.

The corporate risk profile is updated annually and approved by senior management.

Integration with Planning

Senior management of the department described immediately above has committed to implement operational plans for all sectors and regions each year. The process includes internal and external environmental scans of risks, pressures, opportunities and other factors that could influence the department's policy and management agendas, with risk being one of the elements considered and addressed within the integrated planning process. There is also a commitment to develop what the department is calling a "dashboard" of key operational indicators that can serve as an early warning system for environmental changes.

Recently, all regions and sectors of this department have been asked to identify two projects and/or programs where risk tools could be applied beneficially. In doing so, regions and sectors are required to review their risks. In 1998 and again in 2000, all senior managers were interviewed and asked to identify their top risks. In 2002, there was an identification of areas where risk would be applied and an operational planning exercise involving a 'SWOT' assessment (strengths, weaknesses, opportunities, and threats) for each region and sector. The results covered operations and business lines within each region or sector.

Another department undertakes an extensive environmental scanning process at the start of each annual planning cycle. This scan is intended to provide intelligence and context for setting priorities as well as planning and decision making over the next year. Such a broad scan allows for consistent analysis of horizontal trends across sectors and regions and provides an important vehicle for reaching consensus within the department on key trends (political, economic, social, and technical), opportunities and threats that could influence the department.

One of the smaller departments uses environmental scanning to identify internal and external risks, which supports the development of risk profiles for each of the business lines. The risk profiles and scan results are integrated into a corporate risk profile and then discussed by the departmental senior executive committee at a strategic planning retreat. The environmental scanning is conducted under the co-lead of their strategic planning and corporate services groups. To get started more quickly, the department decided on a simple approach, avoiding overly elaborate methodology. This learning-by-doing approach is expected to build organizational commitment and result in a more integrated set of tools.

Many other examples exist among lead implementation departments. The TBS risk management Web site links readers with updated information on progress in these and other federal organizations.




2. Establishing an Integrated Risk Management Function—Integrating Risk Management into Existing Decision-making Processes and Reporting

Integrated risk management means establishing appropriate infrastructure by building on what exists.

Expected Results

  • Management direction on risk management is communicated, understood, and applied—vision, policies, and operating principles.
  • Integrated risk management is operationalized through existing decision-making structures: governance, clear roles and responsibilities, and performance reporting.
  • Building capacity—learning plans and tools are developed for use throughout the organization.

This section is about integrating risk management into existing decision-making processes and using what is known about corporate risk and risk tolerance to begin changing the culture.

Under this element of the framework, organizations identify or design appropriate corporate infrastructure to ensure clear communication of risk issues, practices, and procedures throughout the organization. This aligns the corporate risk profile (Element 1) with the organization's overall objectives, vision, strategic direction, and operating practices. Risk management principles are integrated into governance structures and decision-making and reporting systems.

The Fundamentals

Integrating risk management into existing governance structures, decision-making processes, and reporting requires that:

  • risk management be anchored at the deputy head level with senior management commitment;
  • a corporate risk champion or unit be identified;
  • management direction for integrated risk management be communicated; and
  • a corporate risk profile be developed.

Integrated risk management becomes a key agenda item for executive committees, helping to communicate senior management commitment throughout the organization. Demonstrating executive commitment promotes staff engagement at all levels in a risk management culture and helps ensure a common understanding of what integrated risk management entails. Leading by example, senior managers raise awareness and communicate the importance of the practice, while improving horizontal linkages, enhancing team spirit, and creating collective ownership. This helps sustain integrated risk management when corporate-wide risk issues, approaches, and performance are considered.

The deputy head and risk champion must ensure support by managers at various levels who will legitimize and sanction implementation of integrated risk management with their words and actions. The champion speaks authoritatively about integrated risk management in the context of achieving corporate objectives and is an enthusiastic and knowledgeable supporter. The champion will be most effective by leading, supporting, and broadly communicating benefits and reporting progress.

The corporate risk profile (Element 1) provides fundamental guidance for establishing an integrated risk management function. A key component of the profile is the assessment of the readiness of the organization's governance, decision-making and accountability structures, and mechanisms. The profile allows senior management to make strategic plans for expanding capacity in terms of human resources, tools, and processes at both the corporate and the local level.

How to Do It

Clarifying who, what, and how is the first step in creating the groundwork for integrated risk management. Four key actions are involved in establishing the function and integrating risk management into existing decision-making systems:

  • establish a corporate focus for risk management;
  • communicate corporate direction for risk management;
  • integrate risk management into existing decision-making structures; and
  • build organizational capacity.

Establish a Corporate Focus for Risk Management

Integrated risk management requires a corporate focus, whether an existing structure or a new one. The groundwork may have been laid in action plans for getting started and in developing the corporate risk profile. The following steps can help establish a corporate focus for risk management.

Designate an Executive Forum to Direct and Sustain Integrated Risk Management

Integrated risk management should be placed under the guidance of an executive forum chaired by the deputy head. Direction at this level is critical in ensuring that corporate risk issues and approaches are integrated with planning, decision-making, and performance measurement. This forum could be an existing committee, such as the executive committee or another organization-wide executive committee convened for the express purpose of corporate risk management. Alternatively, a new integrated risk management forum could be set up to steer implementation initially and, as the practice matures, guide corporate strategy for risk management and innovative thinking.

One or more working groups should also be established to support the executive forum with cross-functional and organizational analyses of corporate risk issues.

Identify Resources as an Initial Investment

Departments that have made substantial progress in implementing integrated risk management have recognized the need for an initial investment of dedicated resources. This has usually entailed reprofiling resources to cover the costs of gearing up. It takes time and effort to gain momentum, train managers and specialists, and establish good tools and processes. In the longer run, integrated risk management should be resource-neutral; this initial investment sets the process in motion and signals the degree of commitment in the organization.

Designate and Support a Corporate Risk Champion

Designating an effective champion, ideally at the deputy head level, was identified as a fundamental step in initiating integrated risk management. The lead is also commonly assigned to a corporate function at the assistant deputy head level, for example, in the strategic and business planning unit or corporate services branch. The risk champion has a crucial role in creating and sustaining the shift to a risk-smart corporate culture. At this early stage, personal interest and natural fit with an existing corporate role might be relevant selection criteria; knowledge and enthusiasm in communicating the message are also important.

The corporate risk champion should be supported with appropriate resources; this might include specialists to provide expertise on and a systematic approach to the process of integrating risk management. The champion will also need time at the executive table to sustain the focus on integrating risk management as a priority in the organization's culture.

Select the Corporate Focal Point

The focal point selected initially will usually be where the expertise resides. While a number of departments are being supported by their internal audit unit in the implementation of integrated risk management, the responsibility and accountability for implementation nonetheless remains with management. This recognizes the need for departmental internal auditors to maintain objectivity and provide independent advice and assurance on the effectiveness of integrated risk management within their organization. It is not uncommon for the focal point to migrate subsequently to areas such as strategic planning, as the function matures and integrated risk management becomes ingrained in corporate planning and priority-setting processes. Regardless of location, it will be important to build linkages between the focal point and existing centres of functional expertise throughout the organization.

Communicate Corporate Direction for Risk Management

To create a culture in which all employees value risk management, senior management commitment and vision must be communicated throughout the organization.

Develop guidance tools

Overall direction on integrated risk management requires written guidance—a policy, framework, or operating principles to tailor the approach to the particular needs of the organization's operating environment. Guidance can be communicated by developing a departmental or agency risk management policy or framework or by updating existing corporate policies. In either case, it will be important to outline clear roles and responsibilities, accountability lines and mechanisms for reporting on performance. An integrated risk management policy or framework enables individual units to build risk management into their day-to-day operations.

Build a network of local change sponsors or risk champions

Policies and frameworks are fundamental tools to ready an organization for integrated risk management, but it is the people in the organization that make the practice work. Empowering individuals in operational areas as leaders or local risk champions—and connecting them through a working group to share experiences and deal with common implementation issues—will help ensure success in establishing the function.

This network of interested individuals can assist senior management in developing work plans that reflect a corporate perspective on risk-related issues. It is also an appropriate channel for communicating implementation concepts and timing throughout the organization.

Integrate Risk Management into Existing Decision-making Structures

A critical aspect of successful implementation is weaving integrated risk management seamlessly into existing departmental processes: annual corporate planning, performance reporting, and training development and delivery must all be risk-attuned.

Aligning risk management vision and objectives with corporate objectives and strategic direction helps make risk management meaningful and relevant to all employees. As implementation progresses, individuals should come to understand managing risk as part of their daily work, not something superimposed on their usual activities. Acceptance of the concepts of integrated risk management will be commensurate with the organization's success in establishing and using common risk terminology in corporate tools and documentation.

Throughout the strategic planning process, the risk champion or specialist group should act as a catalyst in guiding both the process and the officials involved. Corporate planners must drive the process by integrating risk awareness and thinking to support senior managers in carrying out corporate-wide planning, priority setting, and resource allocation.

Build Organizational Capacity

Just as risk management must be integrated with existing processes, so must organizational capacity for practising it be built on what exists. The corporate risk profile provides a baseline assessment of organizational capacity. Continued environmental scanning will reveal changes in the profile that require further enhancement of risk management skills, processes, and practices.

Assessing and building on existing capacity helps tailor the approach to deal with the department's or agency's specific situation and risk exposure. Guidance and advice can be sought as required from the TBS Centre of Expertise and through liaison with other federal organizations to share their lessons learned.

Human Resources

The IRMF identifies four principal areas that may require attention in building human resources capacity:

  • building awareness of risk management initiatives and culture;
  • broadening the skills base through formal training (including appropriate applications and tools);
  • increasing the knowledge base by sharing best practices and experiences; and
  • building capacity, capabilities, and skills to work in teams.

Tools and Processes

Similarly, the IRMF outlines how risk management tools and processes can enhance capacity:

  • developing and adopting corporate risk management tools, techniques, practices, and processes;
  • providing guidance on the application of tools and techniques;
  • allowing for the development and/or use of alternative tools and techniques that might be better suited to managing risk in specialized applications; and
  • adopting processes to ensure integration of risk management across the organization.

The section on Element 3 (Practising Integrated Risk Management) provides more detail on the range of tools departments and agencies are using.

Proven tools from IRMF implementation leaders

  • Use brainstorming sessions, scenario-playing, and focus groups.
  • Develop frameworks to communicate strategic risk management direction.
  • Hold regular meetings of formal and informal committees to discuss corporate risks and mitigation strategies.
  • Incorporate risk management into corporate-level priority setting and resource allocation.
  • Drive risk management down through the organization by incorporating risk management expectations into key performance indicators, employee performance agreements, and work descriptions.

Questions to Consider

  1. Is there a designated departmental risk champion or unit to oversee the implementation of integrated risk management?
  2. Is risk management communicated, understood, and applied throughout organizational processes? Is risk management integrated into existing governance and decision-making structures and performance-reporting systems? Have risk assessments been conducted for proposed business process or program innovations?
  3. Have control and accountability systems been adapted to account for risk management processes? Have key performance indicators and critical success factors been identified and included in departmental reports? Does reporting on risk and risk management take place through existing management processes (e.g. performance reporting, ongoing monitoring, appraisals, internal auditing)?
  4. Is there sufficient capacity to manage risk within the organization? Has the department put in place effective initiatives to build risk management awareness? Have employee workshops been run to disseminate risk management knowledge and techniques? Do the managers make use of knowledgeable resources in the types of issues they are facing?

Examples

Important lessons can be learned from the experiences of lead departments and agencies that belong to the IRMF Implementation Council.

Management Direction and Commitment

One department drafted a framework for integrated risk management, as well as an implementation plan and an action plan with strong support from the deputy minister. The approach was developed through extensive interviews and discussions across the organization, including a half-day workshop on risk with the deputy and senior executive committee. The deputy was personally involved in the risk assessment exercise and ensured that it was treated as an organizational priority.

Success Factors

One lead department has identified eight factors that contributed to its success in establishing an integrated risk management function:

  1. Create a supportive environment.
  2. Ensure commitment to the IRM concept.
  3. Have a designated group of specialists.
  4. Be prepared to make the necessary initial investment in integrated risk management infrastructure.
  5. Assign clear but distributed responsibility for integrated risk management.
  6. Establish senior management reporting requirements.
  7. Ensure appropriate corporate planning and priority-setting processes.
  8. Make implementation of the integrated risk management function scalable.

Working Groups

One department established an ADM-level departmental risk committee with the deputy minister's approval. As well, a risk management working group was established at the management level with representation from all sectors. Its principal mandate is to foster organization-wide risk awareness and attentiveness, to promote achievement of a risk-smart organization, and to train local champions within business lines. The working group gives sectors a forum for discussion; advises on initiatives to develop a department-wide risk program; makes recommendations to the departmental risk committee; and shares lessons learned and informs sectors of risk management activities.

Advisory Committee on the Management of Risk

Another organization established a department-wide advisory committee to provide support and guidance on the general direction of the risk management initiative. The committee's goal is to facilitate more systematic application of risk management where warranted by decisions involving high costs and/or high impacts. Committee members share lessons learned and information about risk management activities in their areas.

Transition from Audit to Corporate Planning

One organization established a mechanism to integrate risk management with corporate planning and priority setting. The risk management function was located initially in the audit and evaluation area and later reassigned to corporate planning once dedicated resources were made available, demonstrating the commitment of the risk champion.

Additional examples of success in establishing an integrated risk management function are available from the TBS Centre of Expertise.

3. Practising Integrated Risk Management

Practise integrated risk management up, down, and across the organization for a full picture in a way that makes sense for the organization.

Expected Results

  • A departmental risk management process is applied consistently at all levels so that risks are understood, managed, and communicated.
  • Results of risk management practices at all levels are integrated into informed decision making and priority setting—strategic, operational, management, and performance reporting.
  • Tools and methods are applied as aids to decision making.
  • Consultation and communication with stakeholders is ongoing—internal and external.

Organizations practise integrated risk management to improve achievement of their objectives and to generate better information for decisions. It is essential, therefore, to link risk management directly with achieving objectives at every level of the organization. If risk management does not appear to be helping decision making, it might come to be seen as an additional administrative requirement that can be ignored.

This section is about integrating the practice of risk management throughout an organization within the guiding framework, philosophy, and practices the organization has established. Local risk management thinking and practices must inform and be informed by the integrated view—the key risk areas and mitigating strategies identified in the corporate risk profile. To specialist groups well versed in managing specific local risks, it may seem at first that introducing integrated risk management changes little. Over time, however, the evolving context for their work will change information flows into and out of the broader picture. This in turn will influence local work and behaviour as interrelationships become apparent, individual and collective benefits accrue, and individuals see the value of their own contribution. Responsibility and accountability will also be clarified and improved.

The common risk management process reproduced in Appendix B can be adopted or adapted for identification, assessment, response to, and monitoring and evaluation of key, high-level risks linked to the achievement of corporate objectives, as well as for risks at all other levels of an organization. Emphasis on various points in the process may vary, as may the type, rigour, or extent of actions considered, but the basic steps are similar.

The Fundamentals

The practice of integrated risk management involves top-down direction (setting objectives and results) and bottom-up risk assessment (ranking and aggregating risks).

The logical, commonsense, and intuitive nature of the process allows this to occur smoothly as long as there is sustained commitment from employees, with direction from senior management. Hence, organizations will be ready to practise integrated risk management when the corporate culture has achieved the following:

  • a corporate-wide focus for risk management has been established;
  • the direction for risk management has been communicated to all levels and the seeds have been sown for risk-smart thinking;
  • corporate decision-making structures and processes have incorporated risk management in a seamless fashion; and
  • sufficient capacity has been achieved as a result of developing and providing the necessary guidance, tools, and staff training for integrated risk management.

How to Do It

Once the corporate risks are known and the infrastructure has been identified and mobilized, the key actions for practising integrated risk management are to:

  • engage the whole organization;
  • enable people with tools and techniques;
  • sustain a supportive culture and processes; and
  • consult and communicate throughout the process.

Characteristics of Good Risk Management

  • Risk management consistently questions assumptions.
  • Risk management requires a multi-disciplinary approach and is nourished by cross-pollination; boundaries are the enemy of good risk management.
  • It is essential to get the incentives right—to encourage desired and discourage unwanted practices and behaviours.

Engage the Whole Organization

Top-Down Direction, Bottom-Up Assessment: Building on What Exists

Practising integrated risk management begins with top-down direction to put the organizational approach into practice—the policy or framework, objectives, operating principles, common language, and process approved by senior management. The organizational approach has been broadly tailored to fit the organization, based on the key risk areas, mitigating strategies, and capacity strengths and gaps identified in the corporate risk profile. The risk champion or specialist group now provides implementation advice about how and when to introduce and practise integrated risk management and co-ordinates its implementation.

When working well in mature practice, integrated risk management is seamless. For initial implementation, it helps to think of three levels of practice: corporate (organization-wide, highest level), business line (major functional area or unit), and all other areas (programs, major projects, activities, and processes). Some approaches characterize these levels as strategic, management, and operational or use other terms suited to their situation. Some organizations may include additional levels or categories, for example, they may consider programs and major projects separately.

No matter what terms are used, organizations find a layered perspective useful in describing and carrying out integrated risk management. At the highest corporate level, risk management results and key corporate risks are aggregated in the corporate risk profile to inform an organization-wide strategy for managing risk to achieve corporate objectives. The corporate risk profile generally derives from business line risk profiles developed at the next level below the corporate level, that is, in branches and functional units, typically led by assistant deputy ministers or, in smaller departments and agencies, directors general or executive directors. The third or operational level is the lowest level of risk assessment and aggregation. Results from this level are fed into business line and corporate risk profiles. People working at the operational level know their operations and risks best and are positioned to take any action required. Their involvement and input are therefore essential in gaining access to their knowledge, ownership, and action.

Use Common Language, Framework, and Process

Promote use of the common language, framework, and process the organization chose when establishing the integrated risk management function (see Element 2 and Appendix B). This means using the organization's risk terminology consistently in corporate policy, planning, and reporting documents and in upward reporting and horizontal sharing of local risk management results. Specialists do not have to abandon their professional or scientific risk terminologies, but they should use the organization's common language in presenting or feeding their results into the corporate view so that results are meaningful and useful across business lines. Better communication and understanding increase the value of one unit's work to other units and reveal links or the previously unrecognized need for links.

The risk management specialist or working group and local change sponsors work with or advise managers to ensure appropriate fit of the process with particular local requirements.

Integrate Risk Management into Practices at all Levels

Ensure that all levels of the organization actually use risk management concepts in their decision making and reporting in order to strengthen the linkages between workload, resource allocation, and risk across the organization.

The risk champion or specialist group provides overall direction and co-ordination for integrating risk management with corporate planning and priority setting. Use the risk management committee or working group as a sounding board and information source.

Local risk champions or change sponsors lead and facilitate alignment throughout the organization, working to make the important micro-level changes to all policies and local procedures, daily activities, processes, and systems.

  • Consider risk management in developing organization-wide policies, plans, and priorities.
  • Encourage people to assess the ripple effect of their work.
  • Feed integrated risk management plans and results into corporate planning and priority-setting processes.
  • Functional units (branches, divisions) should incorporate risk management into programs and major initiatives.
  • Define what risk means in terms of managers' roles and accountabilities (e.g. conducting a risk assessment before major decisions, integrating risk assessments into business case analyses).
  • Build risk assessment and response into local business plans at the activity, division, and regional level.
  • Use new accountability mechanisms such as Risk-Based Audit Frameworks and Results-Based Management and Accountability Frameworks to help build risk management into planning.
  • Ensure synergy between overall departmental risk management strategy and local risk management practices.

Decision makers and specialists have distinct roles in implementing integrated risk management: decision makers need to understand their responsibilities and place a premium on integrated analysis and advice, while specialists must understand operations and provide relevant and credible information and analysis. To ensure that the right information is available at the right time for value-based, results-oriented decisions, information must be brought together from many sources; this in turn requires partnership between specialists and decision makers.

Management of risk, like comptrollership, is a mindset. Managers should be conscious of risk management and integrate it with their other management practices. Risk management will be more relevant to the extent that overly bureaucratic and complex processes are avoided. Managers need flexibility to use techniques that make sense for them and their operations. However, techniques must allow for roll-up and comparison of operating unit results at the corporate level.

The accompanying diagram was adapted from an approach used by Indian and Northern Affairs Canada. It illustrates the point that risk management in general and the application of the decision-making process in particular do not occur in isolation. They take place in the context of and can inform and be informed by continuing operational activities at all levels of the organization.

[Figure: nested circles representing risk management factors; from innermost to outermost: Individual, Group, Organizational, Environmental.]

Individual Factors: elements of an individual's experience, personality, background, and preferences that affect his or her propensity to take risks

Group Factors: how others in the immediate situation can affect an individual's willingness to take a risk

Organizational Factors: the direct and indirect messages an organization sends its members about the ground rules for risk taking in general

Environmental Factors: the elements outside the organization that have a stake in or an impact on a particular risk decision or risk taking in general

Knowledge Management

  • Is core knowledge captured and related to strategic priorities and linked to key risk areas?
  • Is there timely access to the "people in the know" for better re-use and creation of knowledge?
  • Is technology used to maximize flow and know-how?
  • Is there a culture of trust that supports the sharing of knowledge with knowledge associates and senior champions?
  • Is knowledge management supported by a learning and teaching environment?

Dawn Nicholson-O'Brien, Senior Visiting Fellow on Knowledge Creation and Innovation, CCMD

Enable People

Enable people to practise risk management locally in a way that informs and is informed by organization-wide integrated risk management.

Tools and Techniques

The organization should ensure that all staff have adequate training, access to proven tools for risk management, and a clear understanding of common risk management language to facilitate communication. The terminology must balance clarity with usefulness to ensure that tools are easy to understand and use. Key tools include risk maps and modelling tools.

A risk management model (such as the IRMF model reproduced in Appendix C) can be used to assess where a particular risk falls in terms of likelihood (low, medium, high) and impact (minor, moderate, significant). The results of the risk assessment help determine the risks of highest importance. The model can also be used to ascertain or facilitate discussion of risk tolerance by establishing a zone that separates acceptable from unacceptable risk. Finally, the model can be used to present a summary map of risks, plotting each risk's likelihood and impact, for purposes of comparison or ranking.

Using a common approach not only facilitates the process but supports comparability when results are aggregated and considered at the corporate level.

Approaches and methods that are easy to understand are more likely to be used correctly. Consider existing tools or those available from professional associations; employees may already be familiar with them or find them useful in other contexts.
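The following script is an added worked example, not code from the Guide or from any department; it shows the likelihood-and-impact model described above (scoring, a tolerance zone, ranking, a summary map) together with the layered roll-up from operational units to business lines to the corporate profile described under "Engage the Whole Organization". The Guide names the likelihood and impact categories but gives no numbers; the 1-to-3 ordinal scales, the multiplicative score, the zone thresholds and the sample register are all assumptions constructed for illustration.

```python
"""Risk map and roll-up: likelihood x impact scoring, a tolerance zone,
ranking, and aggregation of operational risks into business-line and
corporate views.

Added example. The 3x3 scales, the multiplicative score, the zone
thresholds and the register below are assumptions, not values from the Guide.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ordinal scales (assumed): the Guide names the categories, not the numbers.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"minor": 1, "moderate": 2, "significant": 3}

# Tolerance zone (assumed): a score at or above this is unacceptable,
# 3..5 is "monitor", below 3 is acceptable.
UNACCEPTABLE_AT = 6


@dataclass(frozen=True)
class Risk:
    risk_id: str
    business_line: str   # level above the operational unit
    unit: str            # operational unit that owns the risk
    description: str
    likelihood: str      # key of LIKELIHOOD
    impact: str          # key of IMPACT


def score(risk: Risk) -> int:
    """Likelihood x impact on a 1..9 scale. An unknown category raises a
    KeyError rather than silently scoring low, so a typo in a register
    cannot make a risk disappear from the corporate view."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def zone(risk: Risk, unacceptable_at: int = UNACCEPTABLE_AT) -> str:
    s = score(risk)
    if s >= unacceptable_at:
        return "unacceptable"
    if s >= 3:
        return "monitor"
    return "acceptable"


def ranked(risks):
    """Highest score first; ties broken by likelihood, then by id, so a
    likely minor risk outranks an unlikely moderate one of equal score."""
    return sorted(risks, key=lambda r: (-score(r), -LIKELIHOOD[r.likelihood], r.risk_id))


def roll_up(risks):
    """Business-line profile. Exposure is the MAXIMUM score in the line, not
    the mean: averaging would let many small risks dilute one severe one."""
    by_line = defaultdict(list)
    for r in risks:
        by_line[r.business_line].append(r)
    profile = {}
    for name, rs in by_line.items():
        top = ranked(rs)[0]
        profile[name] = {
            "exposure": score(top),
            "top_risk": top.risk_id,
            "unacceptable": sorted(r.risk_id for r in rs if zone(r) == "unacceptable"),
        }
    return profile


def corporate_profile(risks, top_n=3):
    """Corporate view: the top-N risks across every business line."""
    return [r.risk_id for r in ranked(risks)[:top_n]]


def risk_map(risks):
    """3x3 summary map: impact rows (significant at top), likelihood columns."""
    grid = {(lk, im): [] for lk in LIKELIHOOD for im in IMPACT}
    for r in risks:
        grid[(r.likelihood, r.impact)].append(r.risk_id)
    rows = ["impact \\ likelihood | low | medium | high"]
    for im in ("significant", "moderate", "minor"):
        cells = [",".join(grid[(lk, im)]) or "-" for lk in ("low", "medium", "high")]
        rows.append(f"{im:<19} | " + " | ".join(cells))
    return "\n".join(rows)


# Constructed sample register (hypothetical units and risks).
REGISTER = [
    Risk("R1", "Service Delivery", "Web Ops", "Unpatched public web server", "high", "significant"),
    Risk("R2", "Service Delivery", "Web Ops", "Single administrator holds all credentials", "medium", "significant"),
    Risk("R3", "Service Delivery", "Call Centre", "Seasonal staffing shortfall", "medium", "moderate"),
    Risk("R4", "Corporate Services", "Finance", "Manual invoice approval", "low", "moderate"),
    Risk("R5", "Corporate Services", "HR", "Backlog in security clearances", "high", "minor"),
    Risk("R6", "Policy", "Analysis", "Key analyst retiring, no succession plan", "medium", "minor"),
]

if __name__ == "__main__":
    print(risk_map(REGISTER))
    for r in ranked(REGISTER):
        print(r.risk_id, score(r), zone(r), r.description)
    print(roll_up(REGISTER))
    print("corporate top risks:", corporate_profile(REGISTER))
```

Two design choices are worth noting. The roll-up uses the maximum rather than the average score per business line; a mean would let one unpatched public server be hidden behind a dozen minor risks, which defeats the purpose of aggregation. And an unrecognized likelihood or impact label raises an error instead of defaulting, because the common language the Guide asks for only produces comparable results if every unit uses exactly the agreed categories.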

Sustain a Supportive Culture and Processes

Active Leadership of the Deputy Head, Executive Team, and Risk Champion

The deputy head, risk champion, and senior managers need to provide continuing support for managing the key risks identified in the corporate risk profile and keeping the profile current. These leaders should visibly encourage the practice of risk management and information sharing across business lines and functional units.

Support from senior leaders should include collective executive-level discussion of corporate risks and strategies and monitoring of and input into strategic and business planning and performance reporting. The extent to which senior leaders model the principles of risk management sets the tone for a sustained integrated risk management culture throughout the organization.

Successful Practitioners:

  • take people and how they behave into account;
  • ensure people have the right skills and characteristics for the job and project—pushing people into jobs they are not qualified to do costs time, money, effort and reputation;
  • start small, if necessary, to ensure early successes; the practice will grow when its value is seen.

Consult and Communicate

Tell People about Risk Management Practices

Develop and implement a communications strategy, monitor results, and adjust accordingly. For example, the risk champion and local change sponsors should establish regular information feedback loops with all units and areas and promote opportunities to share risk management information across disciplines and functions. Set up information tools (intranet sites, newsletters) to share risk management techniques, tools, and information. Encourage and track the number of risk management forums or workshops held and whether sessions have identified risks, proposed mitigation strategies, and discussed best practices. Conduct periodic surveys to determine whether all staff are aware of key risks, risk escalation procedures, and contingency plans. Have there been timely, useful stakeholder consultations with respect to risk management and have consultation processes been consistent with the Communications Policy of the Government of Canada?

Questions to Consider

  1. Has the organization adopted a common process for risk management? Is there a common understanding of risk and risk management in the organization? Is a common risk management language being used?
  2. How are risk management tools and methods being applied to decision-making? What risk management tool kits are available (e.g. checklists, maps, electronic questionnaires, and best practices)? Do they make use of existing guidance, such as the Values and Ethics Code for the Public Service (2003)? Are they being used effectively and consistently? Have scenario analysis and/or forecasting models been used to understand various scenarios relating to business and contingency planning?
  3. Do all business and operational plans consider risks and incorporate measures to mitigate those risks and/or to maximize opportunities? Are systems and processes in place to monitor risks and the effectiveness of risk mitigation strategies? Is management accountable for risks and risk management processes?
  4. Are processes in place to support regular communication with stakeholders on risks, risk perception, and risk tolerances?

Examples

Appendix D provides sample templates for identifying, assessing, recording, and reporting risk information. Additional examples are available on or through links at the TBS Web site and more will be added as they become available.

4. Ensuring Continuous Risk Management Learning

Continuous risk management learning is about leveraging and building on existing knowledge and capacity to achieve the desired cultural shift to a risk-smart workforce and operating environment.

Expected Results

  • Learning from experience is valued, lessons are shared—a supportive work environment.
  • Learning plans are built into the organization's risk management practices.
  • Results of risk management are evaluated to support innovation, capacity building, and continuous improvement at the individual, team, and organizational level.
  • Experience and best practices are shared internally and across government.

To achieve the desired cultural shift to a risk-smart workforce, organizations must embrace opportunity, innovation, and responsible risk taking, while striving to achieve corporate objectives. To do this, organizations will need to encourage learning and focus on building risk management capacity, while concentrating on increasing risk management awareness, knowledge, and skills—at the individual, team, and organizational levels—and strengthening processes (i.e. the development and use of risk management tools).

Continuous learning is fundamental to integrated risk management performance. Every day, individuals and organizations are finding new ways to manage risk effectively. Organizations need to monitor and learn from situations where risk management has become a decision-making tool.

The Fundamentals

  • Build on the existing knowledge and capacity base.
  • Create and foster a supportive work environment where individuals can learn from situations that did not go as planned.
  • Provide incentives to recognize and reinforce desired new behaviours.
  • Encourage and reward a proactive attitude to dealing with risk; learn to anticipate.
  • Value exploratory learning and experimentation, particularly where the anticipated benefits of success outweigh the cost of failure.
  • Invest in the power of knowledge; instead of fearing the unknown, find a way to make it known. Good information is critical to good decisions. Teach the basics. Promote conscious management and employee commitment to developing risk management skills and to developing, applying, and refining risk management tools (develop plans and invest in building risk management capacity at organizational and individual levels).

How to Do It

Based on the capacity assessment developed for the corporate risk profile, the next step is to establish an implementation plan for closing gaps in the capacity needed to manage both current and anticipated organizational risk. The techniques for doing this include building concepts and practices into training plans and learning programs, sharing best practices in a variety of ways, and incorporating incentives in reward systems.

For effective skills development, learning needs to be linked to strategy. Organizations can build learning plans into their risk management processes and practices and employee agreements. Departments and agencies can leverage or capitalize on learning opportunities that contribute to increasing the knowledge base and skill set of employees and the effectiveness of processes. Options to consider include training offered by CCMD, Training and Development Canada, other departments, and outside consultants; conference participation; membership in associations or institutes; processes and tools used by other departments; and employee deployments to develop skills and knowledge.

Departments and agencies may also wish to develop organization- or subject-specific in-house courses, learning venues, processes, and tools to address specific organizational needs or focus on approaches and priorities. One source of pertinent advice, tools, techniques, and related resources is the CCMD publication, A Foundation for Developing Risk Management Learning Strategies in the Public Service (2001).

In terms of sharing best practices, departments and agencies can explore mechanisms for encouraging risk management learning. For example, individuals in your organization are likely to have and be willing to share ideas about understanding and managing risk. Organizations can use existing vehicles or establish new mechanisms to communicate, share, and facilitate access to such knowledge. Effective processes and means to share best practices might include your organization's risk management working group, the intranet/Internet, learning events, information sessions, a newsletter, and publications to share specific lessons learned about risk management or integrated risk management.

Celebrating success stories and significant contributions is another way to share information and lessons learned. Organizations can encourage and reward sharing and promote risk management learning by documenting and communicating lessons learned, case studies, and best practices within the department. To extend learning beyond departmental boundaries, this knowledge can be communicated to the broader community; similarly, making time to learn from the experience of others is also an important part of continuous learning.

Management can also model desired behaviour in terms of continuous risk management learning. To demonstrate that knowledge, new ideas, new relationships, and experimentation are valued, include a range of perspectives in decision-making, such as the views of stakeholders and citizens. Actively seeking input and feedback as a basis for further action sends a similar message.

Finally, continuous risk management learning means assessing the effectiveness of selected management actions and approaches and adjusting them as required, based on whether they are contributing to the organization's expected or desired results.

Is Your Organization a Good Example of Risk Management Learning?

  • Have you fostered an appropriate risk culture?
  • Are people accountable for managing risk for opportunity as well as danger?
  • Do you encourage calculated risks and learning from experience rather than assigning blame?
  • Do you link learning to strategy?
  • Do you promote individual and team learning?
  • Do you encourage horizontality within your organization and across to other organizations?
  • Do you share information to help everyone make sound decisions?
  • Do you broaden the decision-making process by inviting staff, stakeholders, and citizens to contribute, e.g. to the policy process?
  • Do you value diversity by nurturing different views and perspectives as essential to learning and creativity?
  • Does your organization embrace a service orientation by focussing on service and results and actively seeking input and feedback?
  • Do you take actions based on this feedback?

Based on CCMD's Learning Organization Survey 2000 Highlights, March 2000.

Questions to Consider

  1. Are lessons learned and best practices celebrated, documented, and communicated broadly? Are they used in planning and training exercises?
  2. Have incentives been introduced to identify, encourage, and reward risk identification, good risk management practices, innovation, and responsible risk taking?
  3. Is risk management thinking embedded in existing learning programs? Is risk management training highlighted in the organization's training program? Are opportunities for learning and the availability of risk management tools broadly known?

Examples

Departments are clearly starting to recognize the benefits of sharing practices. Mechanisms are being developed to facilitate the movement of knowledge and experience to minimize duplication of effort. The extent to which departments are creating an environment to support continuous risk management learning can be seen in learning plans, priorities for risk management training, the systematic evaluation of risk management activities, and the feedback and sharing of results for continuous improvement. Several departments promote learning throughout their organizations and share lessons learned with the broader community. For example:

  • Some departments have established risk management components on their modern comptrollership intranet sites to share risk management information.
  • One organization invited officials from several other departments to participate in its in-house integrated risk management training.
  • Some departments have made presentations to others on their implementation challenges in the spirit of promoting sharing and co-ordination.
  • A number of organizations have shared their environmental scans or risk management frameworks with others.

In addition to departmental efforts, TBS is contributing to continuous risk management learning. For example:

The TBS Risk Management Directorate (RMD) has established a Web site and an IRMF Implementation Council to facilitate the sharing of risk management information broadly across the Public Service. RMD has organized and will continue to organize and participate in learning events and venues that contribute to building risk management awareness, knowledge, and capacity.

RMD and the TBS Comptrollership Modernization Directorate (CMD) have worked collaboratively with CCMD and Training and Development Canada to develop risk management learning products (courses, workshops, e-learning, armchair sessions).

CMD has also established a Web site to facilitate sharing of departmental practices on comptrollership modernization, including risk management. In addition, as part of its social marketing initiative, CMD has published testimonials on leading practices on risk management.



Developing and Implementing Integrated Risk Management: an Overview

Getting Started—Commit and Sustain Senior Management Support

The deputy head and senior management set the tone. To build the will and capacity for implementation, they must understand integrated risk management and its contribution to achieving corporate objectives. Their engagement signals organizational commitment, while their active, continuing support is vital to success.

  • Discuss organizational readiness, roles, and approaches at the executive table to gain commitment to lead and manage the necessary change. Executives' risk awareness can be raised through briefings, retreats, workshops, and courses.
  • Assign a senior executive risk champion to lead and facilitate development of implementation plans and guidance on integrating risk management with existing decision-making.
  • Create or use an existing executive forum for risk management chaired by the deputy head; consider an organization-wide working group to propose and advise on corporate approaches, plans, systems, and practices.
  • Develop and communicate an action plan for implementing integrated risk management and report on progress.

Develop the Corporate Risk Profile

Understand the operating environment—threats and opportunities, strengths and weaknesses—to help set strategic direction for integrated risk management. Take stock to create a corporate snapshot of key risks and the capacity to deal with them.

  • Conduct internal and external environmental scans to identify and assess types and sources of risk and what is at risk, taking into account interdependencies in risk areas cutting across the organization and significant individual events or activities.
  • Understand risk tolerance to appreciate what sorts of risks and levels of risk stakeholders are willing to accept.
  • Assess current risk management capacity (i.e. the usefulness of existing organizational tools, techniques, skills, expertise, and resources for managing risk) to determine current abilities to control risks and to identify gaps.
  • Develop the initial risk response by identifying mitigating strategies and consulting and refining the results of the scan and response.
  • Portray the corporate risk profile (i.e. the results of the scan, assessment and response) in ways useful to stakeholders, including top management. For example, present a one-page risk map and snapshots by headquarters and regions, business lines, and programs.

Establish an Integrated Risk Management Function to Integrate Risk Management into Existing Decision-making Processes and Reporting

Establish and communicate organizational direction and infrastructure, building on what exists.

  • Establish a corporate focus using existing structures or building new ones under the guidance of an executive forum, with initial resources for mobilization and a designated corporate risk champion.
  • Communicate corporate direction throughout the organization. The risk champion leads the development of written guidance, such as an integrated risk management policy or framework and operating principles, to support individual units in building risk management into day-to-day operations. Identify and provide guidance on roles and responsibilities, program targets, critical success factors, performance measures, and sources and kinds of risk; make this guidance available on the organization's intranet.
  • Integrate risk management with existing decision-making structures in a seamless fashion. Establish a common risk language and process or model; align the approach with corporate planning; show how it supports the organization's objectives.
  • Build organizational capacity. Identify risk management skills, processes, and practices that need to be developed and strengthened; build on existing capacity, tailoring it as needed.

Practise Integrated Risk Management

Manage risks at the organizational level and in functional units, programs, projects, activities, and processes.

  • Engage the whole organization. Align integrated risk management fully with objectives in all policies, plans, and operations. Encourage active leadership of the deputy head and champion, as well as executive discussion of corporate and business-line risk profiles. Feed integrated risk management plans and results into corporate planning and priority-setting processes.
  • Enable people with processes, tools, and techniques, making available effective and proven resources and tools.
  • Sustain the initiative by building a supportive culture and processes that develop participation, trust, and swift action on issues; continue to show executive support, devoting time in planning and operational meetings; keep the corporate risk profile current; report on performance; document risks, processes, decisions, plans, actions, and results.
  • Consult and communicate with internal and external stakeholders throughout the process.

Ensure Continuous Risk Management Learning

Create and maintain a supportive work environment for evaluation, feedback, and sharing of lessons. Support innovation and encourage learning for people and processes at the individual, team, and organizational levels.

  • Cultivate a supportive work environment. Show management commitment to learning by linking learning to the departmental strategy and priorities; value knowledge, new ideas, new relationships, and experimentation; get the incentives right by building in rewards and recognition; celebrate success stories and significant contributions.
  • Build capacity. Build risk management into employee learning plans and learning plans into risk management practices; leverage external learning; develop courses and provide learning events on departmental approaches; include a range of perspectives (those of stakeholders and citizens) in decision-making; actively seek input and feedback as a basis for further action.
  • Learn from experience. Monitor, evaluate, and adjust systems, processes, and practices; document and share lessons and best practices internally and externally; encourage learning from experience rather than assigning blame.




Summary of What and How for Establishing Each Element of the Integrated Risk Management Framework

Getting Started—Commit and Sustain Senior Management Support

Build the will and capacity for change—lead the initiative and manage the change.

What: what your department or agency has already done or needs to do.

How: there are a variety of ways to do it; try these proven techniques.

The executive team discusses organizational readiness, roles, and approaches to get the commitment to lead and manage the necessary change. Managers need to believe in the value of integrated risk management.

  • Brief and train senior management to gain understanding and commitment, using internal expertise or in collaboration with an external practitioner, implementation leader, or consultant.
  • Consider executive retreats, seminars, workshops, and formal courses.
  • Encourage awareness of the IRMF and available material from the Privy Council Office, CCMD, and departments.
  • Hold an initial discussion of readiness and key factors (other corporate initiatives and priorities, location of the risk champion, etc.).

The deputy head assigns a risk champion, with appropriate resources, who leads the development and implementation of an integrated risk management framework and policy or guidance. The risk champion role reflects the need for central co-ordination and advice.

  • A risk champion at the deputy head level is most effective; it is also common and effective to place the lead in a corporate function, at the assistant deputy head level, such as strategic and business planning or corporate services.
  • Invest in start-up—the champion is supported with employee(s) and funds. Effort is required to gain momentum, ensure training of managers and specialists, and establish good tools and processes.
  • Designate a group of specialists to provide expertise and promote a systematic approach to the process of integrating risk management. Begin where some expertise resides (e.g. corporate services) and migrate as necessary (e.g. to strategic planning).
  • With the champion, the group can provide direction and co-ordination for integration with corporate planning and priority setting and for common processes to set priorities among major risk areas and to allocate resources, as well as for a corporate-level environmental scanning process.

The deputy head establishes and chairs a forum for risk management to build the will and capacity for implementation, to manage the change, and for ongoing consideration of risk issues, implementation approaches, capacity, and performance.

  • Create a separate executive forum or use an existing one, such as the departmental executive committee.
  • Demonstrate personal commitment and engagement. The executive committee is useful to drive progress by establishing events with and requiring reports to this most senior management level.
  • Emphasize that deputy and senior executives must be willing to take ownership. Although it is centrally co-ordinated, responsibility is clear and distributed, since corporate risks are often managed by business line.
  • Establish a representative, cross-functional working group to propose and advise on corporate approaches, plans, systems, and practices.

Assess organizational readiness and roles to prepare for this major change initiative that will require an investment of time and resources over the longer term.

  • Use results of the modern comptrollership capacity check and the organizational response/plan.
  • Ask fundamental questions: how will integrated risk management (IRM) help us meet our objectives, how do we ensure success, how will employees react?
  • Apply high-level assessment tools to assess general readiness: change models, organizational assessment processes, cultural maps and surveys, situational analysis tools, focus groups (see sources in the Selected References section of this guide).
  • Borrow and use the practices of change management.
  • Use departmental or agency lessons learned and tools already developed (e.g. Human Resources Development Canada's IRM benchmarking and diagnostic tool).
  • Use the risk management committee or working group as a sounding board and information source.
  • Hold sessions with management and other stakeholders, using outside facilitators.
  • Consult external sources and advisors.
  • Use reference libraries (e.g. TBS, Risk and Insurance Management Society—RIMS).

Develop and communicate an action plan for implementing integrated risk management, based on the assessment of readiness and roles.

  • Prepare an action plan (TBS template available).
  • Plan for scalable implementation. IRM will likely progress in stages; consider pilots.
  • Have a strategy to move from pilots to full-scale integration to help keep implementation on track over longer periods.
  • Use the organization-wide risk management framework self-assessment tool.
  • Establish cross-functional advisory groups.
  • Target and support early adopters whose acceptance and demonstration of tangible benefits will engender support from other management teams.
  • Develop partnerships with others, e.g. change sponsors (business line leaders) to keep IRM a priority and change agents to implement the change in all policies and daily activities, systems, and processes.
  • Build in training and learning plans.
  • Provide examples and benchmarks from similar outside organizations, as follows:
    • use reference libraries (TBS, CCMD, Conference Board of Canada, RIMS);
    • see the TBS Progress Review Plan for progress indicators and tracking approaches; and
    • use self-assessment tools (see Selected References).

Ongoing: Consult and communicate, communicate, communicate with all employees, stakeholders, and clients.

  • Establish cross-functional advisory groups.
  • Disseminate current work and provide tools to seek and capture feedback.
  • Make effective use of current performance information systems.
  • Introduce IRM-related training and learning.

Developing a Corporate Risk Profile

The corporate risk profile is a snapshot of the organization's operating environment and its capacity to deal with key high-level risks linked to the achievement of corporate objectives and results.

What: what your department or agency has already done or needs to do.

How: there are a variety of ways to do it; try these proven techniques.

Plan and Prepare

Engage senior management in corporate risk profile development, including the development of a process model.

  • Brief and train senior management on integrated risk management and seek input and endorsement of the process model to develop the corporate risk profile.
  • The process model should include some basic classification of risk areas and a rating scale (possible categories of risk include health and safety; financial/economic; social; environmental; operational; public trust and confidence; asset; project; liability; security; IT; HR; political).
  • Use internal expertise to develop a process model or develop it in collaboration with an external practitioner or consultant.
  • Benchmark the organization's risk management status.
  • Assess relevance of other approaches to your organization.

Use the guiding departmental forum or committee.

  • Use the executive forum or committee to guide development of the corporate risk profile.
  • Consider use of a working group to support the executive committee.

Communicate the approved approach and progress.

  • Circulate an internal newsletter or memo.
  • Hold a management information or briefing session.
  • Hold a town hall session.
  • Have a management retreat.
  • Solicit specific information through interviews, call letters, an open forum, or facilitated session.

Gather Data for Key Elements of the Profile

Conduct an environmental scan.

  • Build on what already exists.
  • Validate findings, assumptions, and perceptions with key managers and the executive committee.

Internal Scan

  • Review results of the modern comptrollership capacity check and the corresponding action plan.
  • Review strategic planning documents, audit observations, and recommendations.
  • Consider performance reports and information.
  • Review the policy framework.
  • Consult with corporate planning, policy, audit, and evaluation groups.
  • Reach out to branch, program, business line, and functional executives and key managers.
  • Consider the use of interviews, surveys, questionnaires, focus groups, and/or facilitated sessions.
  • Consider collecting risk data by program, business line, discipline or functional area, geographic location, type of risk, sources of risk, or a combination of these and other relevant categories.

External Scan

  • Consider media monitoring and public opinion research.
  • Establish advisory groups, boards, or councils.
  • Solicit input from consumer groups (users of programs or services).
  • Review the government's policy agenda, including the Speech from the Throne.
  • Benchmark organizational status against that of other departments.
  • Review Statistics Canada survey results to establish trends.
  • Consult with think tanks, associations, as well as interest and lobby groups.

Consider the following to collect the required information:

  • Use the internal scanning services of an existing corporate function (e.g. the corporate communication group).
  • Consult an external service provider for media monitoring or research services.
  • Consider targeted or omnibus survey or questionnaire.
  • Make use of electronic bulletin boards, what-if scenarios, and facilitated workshops to seek the reaction of stakeholders.
  • Develop focus test and pilot approaches to target particular markets or geographic areas.

Understand risk tolerance.

Consider the following:

  • Review the policy framework (governing instruments, acts, regulations, etc.).
  • Review performance expectations and performance results.
  • Determine employees' understanding of the risks taken by themselves, their team, and the department.
  • Determine whether there is a common understanding of risk tolerance.
  • Consult key stakeholders to gain a better understanding of their risk tolerance.

Assess current risk management capacity.

  • Identify risk management tools and techniques now in use and where.
  • Determine the level of human resources expertise in risk management (current knowledge and skills).
  • Assess infrastructure, i.e. organizational stability and capacity of systems.

Develop the risk response.

  • Analyze information collected (environmental scan, capacity to manage risk, and stakeholders' risk tolerance) and present an aggregate picture to the executive committee for consideration.
  • The executive committee collectively assesses the broad spectrum of risks facing the organization in terms of likelihood and impact on achievement of corporate objectives.
  • The executive committee decides on five to ten key high-level risks that need to be managed at the corporate level.
  • The executive committee ranks key high-level risks and determines steps the organization will take to manage these risks.
  • Seek to engage key stakeholders to garner support for planned steps.

Portray the corporate risk profile.

  • Consider incorporating corporate key risk and related information into departmental documents (strategic plan, performance reports, etc.).
  • Think of developing a separate document to list corporate key risks and related information and mitigation measures.

Establishing an Integrated Risk Management Function—Integrating Risk Management into Existing
Decision-making Processes and Reporting

Set up an organizational infrastructure—the why, what, who, and how—to position risk management as integral to organizational strategy and operations. Use the corporate risk profile to shape risk management objectives and strategies that align with the organization's objectives. Build in risk management so that it becomes part of day-to-day efforts to achieve objectives and is not seen as an additional requirement.

What: what your department or agency has already done or needs to do.

How: there are a variety of ways to do it; try these proven techniques.

Establish a corporate focus for risk management, using existing structures or building new ones.

  • Situate integrated risk management under the guidance of a high-level executive forum chaired by the deputy head.
  • Dedicate an initial investment of resources for mobilization.
  • Designate a corporate risk champion and provide appropriate support in terms of executive time and specialist resources.
  • Give integrated risk management an appropriate corporate focal point from which natural linkages can be built to functional areas.

Communicate corporate direction on risk management throughout all levels of the organization to create a risk-smart corporate culture.

  • The corporate risk champion leads development of an integrated risk management policy or framework, using internal expertise or working with a consultant; show how integrated risk management links to and supports the organization's objectives.
  • Written guidance (framework, policy, or operating principles) communicated throughout the organization supports individual units in building risk management into day-to-day operations, making it meaningful and relevant to all employees.
  • Identify and provide guidance on roles and responsibilities, program targets, critical success factors, performance measures, and sources and kinds of risk.
  • Use a network of local risk champions as a sounding board, information source, and channel for communicating corporate risk messages.

Integrate risk management into existing decision-making structures in a seamless fashion.

  • Establish a common risk language (such as what is meant by risk, risk management, legal risk management) and use it consistently in organizational guidance and documents.
  • Establish a common risk management process.
  • A goal of the process is to make risk management an integral part of business practices, so that employees do not see it as additional work.
  • Align the approach with corporate planning. The risk champion or specialist group provides direction and co-ordination for integration with corporate planning and priority setting, for common processes to set priorities and allocate resources among major risk areas, and for a corporate-level environmental scanning process.
  • Use the representative, cross-functional working group to propose and advise on corporate approaches, plans, systems, and practices, including resource allocation.

Build organizational capacity: identify risk management skills, processes, and practices that need to be developed and strengthened, building on existing capacity and tailoring it as needed.

  • Build awareness of risk management initiatives and culture; broaden the skills base through formal training; increase the knowledge base by sharing best practices and experiences; build capacity for teamwork.
  • Develop, adapt, and adopt corporate risk management tools, techniques, practices, and processes; provide guidance on the application of tools and techniques; allow for the development and/or use of alternative tools and techniques that might be better suited to managing risk in specialized applications; adopt processes to ensure integration of risk management across the organization.

Practising Integrated Risk Management

Implement flexible, dynamic approaches and processes to embed risk management in policies, plans, operations, and day-to-day decision-making. Practise risk management up, down, and across the organization so the corporate view informs and is informed by local practices.

What: what your department or agency has already done or needs to do.

How: there are a variety of ways to do it; try these proven techniques.

Engage the whole organization by aligning integrated risk management fully with objectives in all policies, plans, and operations and integrating results of risk management into practices at all levels.

Guided by the corporate risk profile and the direction provided in establishing the integrated risk management function:

  • The risk champion or specialist group provides direction and co-ordination for integration with corporate planning and priority setting and for common processes to set priorities and allocate resources among major risk areas and for a corporate-level environmental scanning process.
  • Align with objectives at all levels so that people can see the benefits individually and collectively and how they contribute—this also clarifies and improves accountability.
  • Alignment is done or facilitated by local champions or change sponsors who work to make the important micro-level changes to all policies, local procedures, daily activities, processes, and systems.
  • Use the risk management committee or working group as a sounding board and information source.

Enable people with processes, tools, and techniques, making available effective and proven resources and tools.

  • Use the common risk management process to identify, assess, respond to, monitor, and evaluate risk.
  • Encourage people to assess the ripple effects of their work.
  • Use a common risk management language to facilitate communication.
  • Provide training tools to enhance knowledge of risk management, including common risk management processes and special processes, such as control and risk self-assessment.

Sustain a supportive culture and build processes that develop participation, trust, and swift action on issues.

  • Active leadership of the deputy head, risk champion, and senior managers, e.g. one-on-one discussion of key risks between the deputy head and ADM/business line leaders; collective executive discussion of corporate and business line risk profiles; senior managers actively show commitment and support by devoting time in planning and operational meetings.
  • Use the representative, cross-functional working group to propose and advise on corporate approaches, plans, systems, and practices.
  • Keep the corporate risk profile current.
  • Report on performance (e.g. against risk management expectations in key performance indicators, employee performance agreements, and work descriptions).
  • Document risks, processes, decisions, plans, actions, and results.

Consult and communicate with internal and external stakeholders throughout the process.

  • Use the organization's intranet to promote risk awareness and tools and to obtain and share risk information, e.g. on risk in specific areas.
  • Aim specific risk messages at target audiences—think "What's in it for me?" for every person or group.
  • Understand and communicate effectively to the public that risk—whether seen as good, bad or neutral—is inherent and government needs to manage risk to get a net reward.
  • Make use of organizational reports to advance risk messages, e.g. how risk is being managed.
  • Respect the Communications Policy of the Government of Canada.

Ensuring Continuous Risk Management Learning

Leverage and build on existing knowledge and capacity to achieve the desired cultural shift to a risk-smart workforce and operating environment.

What

What your department or agency has already done or needs to do:

How

There are a variety of ways to do it. Try these proven techniques.

Create a supportive work environment.

  • Demonstrate management commitment to and support for learning by linking learning to departmental risk management priorities.
  • Value knowledge, new ideas, new relationships, and experimentation.
  • Celebrate success stories and significant contributions.
  • Develop, use, assess, and refine risk management tools.

Build capacity.

  • Include risk management in formal training plans for individuals and teams.
  • Incorporate risk management thinking in existing training programs, as appropriate.
  • Leverage and capitalize on external learning opportunities.
  • Develop courses to focus on departmental approaches and priorities.

Learn from experience.

  • Establish an effective process to document and share lessons learned internally and more broadly in the federal community.
  • Consider decisions, events, and actions that do not turn out as planned as opportunities for learning.
  • Evaluate results of risk management decisions to determine effectiveness. (Would the same action be taken in similar circumstances in future?)

 



Selected References

Many integrated risk management and risk management resources, sources, examples, and case studies are available on the TBS Web site (/rm-gr/site/default.aspx) in the form of documents or links to other Web sites. Selected references follow.

Federal Government

Auditor General of Canada. April 2003 Report, in particular, the Auditor General's Message and Chapter 1—Integrated Risk Management. Available online at www.oag-bvg.gc.ca.

Canadian Centre for Management Development. The following documents available on-line at www.ccmd-ccg.gc.ca:

  • A Foundation for Developing Risk Management Learning Strategies in the Public Service (2001).
  • Building Trust: A Foundation of Risk Management (2001).
  • A Primer on Risk Management in the Public Service (2001).

Human Resources Development Canada. Integrated Risk Management in HRDC (October 2002). The document details how HRDC managed the department-wide introduction of integrated risk management and lessons learned from this experience; available from HRDC.

Privy Council Office. Available on-line at www.pco-bcp.gc.ca.

  • Risk Management for Canada and Canadians: Report of the ADM Working Group on Risk Management (March 2000).
  • A Framework for the Application of Precaution in Science-based Decision-making about Risk (July 2003).

Treasury Board of Canada Secretariat. Documents available on-line at /rm-gr/site/default.aspx unless otherwise indicated:

  • Integrated Risk Management Framework (April 2001).
  • TBS Management Accountability Framework (2003). Available at /maf-crg/index-eng.asp.
  • Integrated Risk Management Framework: A Report on Implementation Progress (March 2003). Available at /rm-gr/irmf-cgir/2003-03-rprt-eng.asp.
  • Values and Ethics Code for the Public Service (2003). Available at /veo-bve/.
  • Putting it all Together: Leading Practices and Testimonials of Modern Comptrollership, in particular, risk management case studies, pages 47-70 (March 2003). Available at /cmo_mfc.
  • Changing Management Culture: Models and Strategies to Make It Happen (March 2003). Available at /cmo_mfc.
  • Implementation of the Integrated Risk Management Framework: A Progress Review Plan. Prepared by T.K. Gussman Associates Inc. for TBS (January 18, 2002). Available at /rm-gr/irmfic/progrev-eng.asp.
  • Inventory of Federal Risk Management Tools and Departmental Training (December 2001). Available at /pubs_pol/dcgpubs/RiskManagement/ifrmtdt-rofmmgrgf-eng.asp.
  • Best Practices in Risk Management: Private and Public Sectors Internationally, Prepared by KPMG LLP for TBS (April 1999).
  • Review of Canadian Best Practices in Risk Management, Prepared by Performance Management Network Inc. for TBS (April 1999).
  • Risk Innovation and Values—Examining the Tensions, Prepared for TBS by Otto Brodtrick, Centre for Public Management, (April 1999).

The Conference Board of Canada

The following documents are available on-line to members of The Conference Board of Canada at www.conferenceboard.ca:

  • Getting Reputation Right/A Risky Business, Glenda Myles and Karen Schoening-Thiessen (June 2003).
  • Valuing Risk Management Performance, Proceedings of the 2002 Risk Management Conference. Karen Thiessen. Sponsored by TBS. Also available on-line within the federal Public Service at /rm-gr/site/default.aspx.
  • Integrating Risk Management Through a Change Management Process, Karen Thiessen (October 2001).
  • Forewarned is Forearmed/Identification and Measurement in Integrated Risk Management. Kimberley Birkbeck (January 1999).
  • Realizing the Rewards in Risk Management/How Integrated Risk Management Can Benefit Your Organization. Kimberley Birkbeck (June 1998).
  • A Conceptual Framework for Integrated Risk Management. Lucy Nottingham (September 1997).

Canadian Standards Association

Risk Management: Guideline for Decision-Makers, CAN/CSA-Q850-97 (October 1997).

Other Governments

Australia/New Zealand

Documents available through the Standards Australia portal at http://www.riskreports.com/standards.html:

  • HB 143:1999 Guidelines for managing risk in the Australian and New Zealand public sector. A Joint Australian/New Zealand Handbook prepared by Joint Technical Committee OB/7 Risk Management, Standards Association of Australia, ISBN 0 7337 2815 4.
  • HB 142 1999 A basic introduction to managing risk using the Australian and New Zealand Risk Management Standard, AS/NZS 4360:1999. An Australian Handbook prepared by Joint Technical Committee OB/7 Risk Management, Standards Association of Australia, ISBN 0 7337 2794 8.
  • Australian/New Zealand Risk Management Standard, AS/NZS 4360:1999.

United Kingdom




Appendix A

Who Does What in Implementing Integrated Risk Management

See also the Integrated Risk Management Framework (April 2001),
Appendix: Shared Leadership—Suggested Roles and Responsibilities.

The table has six columns: Elements/Results in Implementing Integrated Risk Management; Deputy Heads or Equivalent and Senior Management; Corporate Risk Champion/Focal Point; Managers; Functional Advisors and Specialists, Review, Internal Audit; All Public Service Employees.

Getting Started—Committing and Sustaining Senior Management Support (Commit)

Commit—build the will and capacity for change, lead the initiative, and manage the change.

Expected Results:

Organizational readiness is assessed.

Key risks are considered initially by an executive forum.

Roles and approaches to address risks are discussed collectively by senior management team.

A senior management risk champion is identified.

Assess organizational readiness.

Place integrated risk management on the executive team agenda; give it time at the executive table.

Assign a risk champion.

Demonstrate commitment and support to create momentum across the organization.

Become or stay current to talk knowledgeably about integrated risk management in the context of achieving corporate objectives.

Raise executives' risk awareness.

Lead and facilitate development and dissemination of implementation plans and necessary guidance.

Participate in assessing organizational readiness.

Contribute to organization's risk awareness.

Be agents of change.

Advise on and participate in assessment of organizational readiness.

Support managers in their role as agents of change.

Understand and be open to upcoming change.

Developing the Corporate Risk Profile (Think)

Think strategically—take stock of the organization's operating environment and its capacity to deal with the key high-level risks linked to achievement of its objectives.

Expected Results:

The organization's risks are identified through environmental scanning.

The current status of risk management in the organization is assessed.

The organization's risk profile is identified.

Set strategic direction.

Consistently challenge assumptions.

Encourage managers to renew their perspectives, keep their analysis current.

Make and communicate decisions around priorities and risk acceptance so employees have a shared sense of risk and context for their individual judgements.


Lead development of the corporate risk profile or work with corporate planners in leading its development.

Contribute to environmental scan, threat and opportunity identification, analysis, and assessment, including internal risk management capacity.

Help managers identify and assess risk and effectiveness, efficiency, and economy of existing measures to manage risk.

Stay aware of and attentive to risk management issues.

Establishing the Integrated Risk Management Function (Prepare)

Prepare—establish appropriate infrastructure for integrated risk management by building on what exists.

Expected Results:

Management direction on risk management is communicated, understood, and applied.

The approach to operationalizing integrated risk management is implemented through existing decision-making and reporting structures.

Capacity is built through the development of learning plans and tools.

Ensure risk management is anchored at the deputy head level and that the right people are involved in or leading implementation.

Encourage timely design and implementation.

Approve policy, approach, operating principles, and governance structure.

Support the use or development of appropriate information/IT systems.

Advise on implementation approaches and change management strategies.

Maintain support for function development, which can take time, e.g. demonstrating benefits to the organization (measurable gains/cost savings and better management of previously neglected risks).

Comment and advise on proposed approaches and strategies in light of local and corporate systems and issues.

Understand and communicate corporate direction and employee/ local advice and issues.

Advise on design and whether the function being established or already established will meet the stated vision and objectives.

Understand the corporate approach to establishing the function and contribute to advice on its design and implementation.

Practising Integrated Risk Management (Act)

Act—practise integrated risk management up, down, and across the organization for a full picture in a way that makes sense for the organization.

Expected Results:

A common risk management process is applied consistently at all levels.

Results of risk management practices at all levels are integrated into informed decision-making and priority setting.

Tools and methods are applied.

Consultation and communication with stakeholders is ongoing.

Provide strategic leadership that endorses the corporate risk profile, strategic and business plans, drives identification and review of top risks, and models the principles of good risk management.

Continue to show support, devote time to planning and operational meetings.

Communicate to reinforce the desired risk culture, aiming risk messages at target audiences as required.

Facilitate and advise, for example through a risk management centre of expertise approach: deal with organization-wide policies and direction, developed by or with the units that have the functional expertise so as to gain acceptance; co-ordinate to provide an overview (trends/changes) and to avoid duplication.

Systematically identify and manage risk strategically in functional units.

Always know who is managing.

Ensure employees are familiar with the latest risk management guidance.

Ensure particular risk management responsibilities are reflected in employees' work objectives.

Help managers design and implement tools for more effective risk management.

Advise on whether the function is operating as intended, whether it is meeting the stated vision and objectives, and whether local or systemic changes are required.

Know that you are a risk manager.

Understand how you contribute in your area and to the organization.

Identify and assess risks.

Report, respond to, monitor, and evaluate risks as required by your manager or organization.

Document decisions and supporting information.

Ensuring Continuous Risk Management Learning (Improve)

Improve—leverage and build on the existing knowledge and capacity base to achieve the desired cultural shift to a risk-smart workforce and operating environment.

Expected Results:

A supportive work environment is established where learning from experience is valued and lessons are shared.

Learning plans are built into an organization's risk management practices.

Results of risk management are evaluated to support innovation, learning, and continuous improvement.

Experience and best practices are shared internally and across government.

Set the tone: integrated risk management is valuable and everyone can and must contribute.

Ensure uniform metrics across the organization.

Explain to stakeholders that risk is a part of managing to get a net reward, that innovation requires experimentation and learning from experience supported by sound risk management.

Celebrate the successes of individuals and teams.

Ensure that communication and training consider "What's in it for me?" for every person.

Ensure that training is in context and shows people the big picture, where they fit in, where they can help, and how IRM contributes to results for Canadians.

Put into operation the necessary practices, actions, and events to achieve the expected results of continuous learning.

Track and report on lessons learned from corporate and functional perspectives.

Conduct independent assessments of risk management strategies and practices.

Request and contribute to individual learning plans.

Document decisions and supporting information.



Appendix B

A Common Risk Management Process

A common, continuous risk management process helps organizations understand, manage, and communicate risk. Continuous risk management has several steps. Emphasis on various points in the process may vary, as may the type, rigour, or extent of actions considered, but the basic steps are similar. The accompanying diagram illustrates a sample continuous risk management process that focuses on an integrated approach to risk management. The diagrams and description are taken from the Integrated Risk Management Framework.

Diagram of a common risk management process, the essence of which is detailed in the text that follows.

Internal and external communication and continuous learning improve risk management understanding and skills at all levels of an organization. The process provides common language, guides decision-making at all levels, and allows organizations to tailor their activities at the local level. Documenting the rationale for decisions strengthens accountability and demonstrates due diligence.

The common risk management process and related activities are as follows:

Risk Identification

1. Identifying Issues, Setting Context

  • Define the problems or opportunities, scope, context (social, cultural, scientific, etc.), and associated risk issues.
  • Decide on necessary people, expertise, tools, and techniques (e.g. scenarios, brainstorming, checklists).
  • Perform a stakeholder analysis (determine risk tolerances, stakeholders' position, attitudes).

Risk Assessment

2. Assessing Key Risk Areas

  • Analyze the context and results of the environmental scan and determine the types and categories of risk to be addressed, significant organization-wide issues, and vital local issues.

3. Measuring Likelihood and Impact

  • Determine the degree of exposure, expressed as likelihood and impact, of assessed risks and choose the appropriate tools.
  • Consider both the empirical evidence and public context.

4. Ranking Risks

  • Rank risks, considering risk tolerance and using existing or new criteria and tools.

Risk Response

5. Setting Desired Results

  • Define objectives and expected outcomes for ranked risks for the short and long term.

6. Developing Options

  • Identify and analyze options (i.e. ways to minimize threats and maximize opportunities), approaches, and tools.

7. Selecting a Strategy

  • Choose a strategy and apply decision criteria that are results-oriented and problem- or opportunity-driven.
  • Apply, where appropriate, the precautionary approach as a means of managing risks of serious or irreversible harm in situations of scientific uncertainty.

8. Implementing the Strategy

  • Develop and implement a plan.

Monitoring and Evaluation

9. Monitoring, Evaluating, and Adjusting

  • Learn to improve the decision-making and risk management process locally and organization-wide, using effectiveness criteria, reporting on performance and results.

Organizations can vary the basic steps and supporting tasks most suited to achieving common understanding and implementing consistent, efficient, and effective risk management. A focussed, systematic, and integrated approach recognizes that all decisions involve management of risk, whether in routine operations or for major initiatives involving significant resources. It is important that the risk management process be applied at all levels, from the corporate level to programs and major projects to local systems and operations. While the process allows tailoring for different uses, having a consistent approach within an organization assists in aggregating information to deal with risk issues at the corporate level.

Many other common processes for risk management are available, including the Australian/New Zealand Standard, the Canadian Standards Association's Q850, and those of the Software Engineering Institute. (Links to these organizations' Web sites are available on the TBS Web site.) Regardless of the process, number of steps, or terminology, all processes cover the same four components:

  • risk identification;
  • risk assessment;
  • risk response; and
  • monitoring and evaluation.

Most models also emphasize the importance of communication throughout the process.

The following advice on applying a risk management process supplements the guidance provided in the IRMF.

Risk Identification

Search for and locate risks before they become problems.

Ways to do it

  • brainstorming
  • strength-weakness-opportunity-threat (SWOT) analysis
  • risk forms/identification sheets
  • surveys and questionnaires
  • interviews and focus groups

Questions to consider

  • What is at risk?
  • What are the major objectives?
  • What are the risks associated with each objective?
  • Who are the stakeholders?

Tips

  • Include contextual information, as well as the risk itself.
  • Multi-disciplinary teams improve the chances of identifying new risks.
  • Open communication and a forward-looking view are key.
  • Include stakeholder risk tolerances, positions, and attitudes.

Risk Assessment

Transform risk data into decision-making information by examining risks in detail to assess key risk areas, determine the likelihood and impact of the risks, how they relate to each other, and which are the most important.

Ways to do it

  • Determine the degree of exposure based on likelihood, impact, and time frame.
  • Qualitative methods include brainstorming, evaluation using multi-disciplinary groups, specialist judgement, structured interviews, and questionnaires.
  • Quantitative techniques include consequence analysis, decision trees, life cycle cost analysis, simulation or computer modelling, statistical analysis, and market research.
  • Rank risks to determine which to deal with first.

Questions to consider

  • What is the acceptable level of risk?
  • What are the current controls?
  • What are the potential consequences if the risk occurs?

Tips

  • Assess key risk areas by grouping risks based on shared characteristics, by source, impact, or some other measure.
  • Impact and likelihood matrices can help visualize all risks together.
  • Consider both the empirical evidence and the public context.

Risk Response

Decide what to do about the risks identified by translating risk information into decisions and mitigating actions.

Ways to do it

  • Set desired results and define objectives and expected outcomes for ranked risks over the short and long term.
  • Develop options to minimize threats and maximize opportunities. Consider ways to avoid the risk; mitigate its impact or likelihood; transfer it to another party; accept and monitor it.
  • Select and implement a strategy.

Questions to consider

  • What is the feasibility and cost-effectiveness of each option?
  • What resources are required?

Tips

  • The objective is to take a balanced approach in developing mitigation strategies. Do not over-plan or oversimplify.
  • Do not lose sight of the end product when developing mitigation plans.

Monitoring and Evaluation

Monitor risks and mitigation strategies, adjusting your approach as required. Learn from the approach to improve the decision-making and risk management process locally and organization-wide.

Ways to do it

  • periodic status reports
  • analysis of trends and patterns
  • reports on performance and results

Questions to consider

  • Based on the effectiveness of the mitigation strategy, has the status of any risk changed?
  • Are initial assumptions still valid?
  • What improvements to the current strategies and processes can be made?

Tips

  • Have contingency plans in place to invoke if needed.
  • Communicate best practices and lessons learned from both successes and failures.
  • Understand that risk management is a continuous process; new risks may emerge requiring assessment and response.

Provide Effective Resources, Tools, and Techniques

Resources

Consider information on resources listed in the Selected References section of this guide and information on or links to risk management resources on the TBS Web site. For example, the CCMD document, A Foundation for Developing Risk Management Learning Strategies in the Public Service, provides useful information from several perspectives, such as understanding risks, competencies required, sample risk identification lists, and barriers and solutions to good risk management.

Tools and techniques

  • software tools
  • self-assessment tools
  • risk scorecard tool kits
  • modelling tools, such as scenario analysis and forecasting models
  • functional frameworks, e.g. Precautionary Approach (A Framework for the Application of Precaution in Science-based Decision-making about Risk), Legal Risk Management
  • systematic processes, e.g. Canadian Standards Association Q850
  • Internet and intranet to promote risk awareness by sharing information internally and externally
  • qualitative techniques, e.g. workshops, questionnaires

Consultation and communication

This is essential in supporting sound risk management decisions and must be considered at every stage of the risk management process.

Internal communication is necessary to provide efficient transfer of information between all levels in an organization.

Tips for Communicating with Managers

  • Give the big picture first.
  • Answer key questions.
  • Provide a qualitative description, not just a number.
  • Use real-life stories and powerful analogies.
  • Tell not only what you know, but also what you suspect.
  • Spare the minute details.
  • Point out where data are weak.
  • Indicate where there is uncertainty.
  • Identify the positions of stakeholders.

External communication involves key stakeholders at all stages of the risk management process, as appropriate, respecting the Communications Policy of the Government of Canada. The following tips apply to communication at each of the four stages of the risk management process.

Risk Identification

  • Define the issue and identify potential stakeholders.
  • Explore stakeholders' needs, issues, and concerns.
  • Decide how to communicate with stakeholders.
  • Formulate initial messages and identify a spokesperson.
  • Develop initial briefing material for key officials, as appropriate.

Risk Assessment

  • Research background information on the risk issue and the history of stakeholders' concerns.
  • Determine stakeholders' concerns, expectations, perceptions, knowledge levels, and needs.
  • Anticipate possible incidents, events, or allegations that may arise and plan responses.
  • Ensure rapid response mechanisms are in place to respond to media stories and stakeholders' concerns.
  • Develop a media strategy to support the public consultation process.

Risk Response

When developing and analyzing options:

  • facilitate continuing communication with and between stakeholders;
  • share the concerns of stakeholders with others;
  • determine acceptability to stakeholders of options for responding to the risk; and
  • develop a proactive media strategy to assess public reaction to potential options.

When implementing a chosen option:

  • implement a broad-based communications strategy, including a proactive media plan;
  • adopt a high-visibility strategy in key locations to get the message out and to respond to public concerns about the action plan;
  • finalize the media strategy;
  • prepare information material for stakeholders and key government officials; and
  • develop a rapid response mechanism for public comments.

Monitoring and Evaluation

  • Monitor public reaction.
  • Conduct polling to gauge public concerns and reactions.
  • Analyze media coverage to determine trends.
  • Fine-tune and rework key communications messages accordingly.
  • Communicate findings internally and externally and flag emerging or potential issues.
  • Conduct a formal evaluation and develop contingency plans for the future.
  • Assess the impact of the action plan on affected stakeholders and compare to what was predicted.

Tips:

  • Common understanding does not necessarily lead to consensus.
  • Credibility and trust take a long time to develop but can be destroyed in an instant.
  • Base all discussions on fact.
  • Independent third-party support enhances credibility.
  • Perceived risk often differs dramatically from objectively measured risk.
  • Communicate early and often.

Departments and agencies have been sharing information on risk communication and consultation. Readers interested in additional information are directed to the TBS Web site or individual departmental or agency Web sites. For example, the Canadian Food Inspection Agency prepared a paper entitled Risk Communication and Government: Theory and Application for the Canadian Food Inspection Agency (available on-line at www.inspection.gc.ca). The paper, which includes an extensive reference list, was designed to explore risk communication from a government perspective, including a review of some of the recent theory on risk communication with a focus on food risk and science-based communication.



Appendix C

Common Risk Management Model

A risk management model from the IRMF

Many variations of this risk management model are in use, including matrices expanded by adding rows or columns for "very high" or "very low." Descriptions of impact and likelihood along the two axes may vary, as may descriptions in particular cells, depending on the context and requirements of the organization using the model. Some versions incorporate references to the organization's decision-making structure, e.g. the shaded cells may include the level of authority required or the rank of the person responsible for managing the particular risk. This facilitates assessment of where a particular risk falls in terms of likelihood and impact and helps establish the organizational response to manage the risk.

An example of a risk management matrix model. 'Impact' is described as minor, moderate, or significant; 'Likelihood' as low, medium, or high. In this model, one can assess where a particular risk falls in terms of likelihood and impact and establish the organizational strategy/response to manage the risk.

Other options for displaying key risks in relation to each other on a single page include risk maps for the whole organization or for a business line or program.

The model can also be used for assessing ideas in the context of opportunity seeking and innovation or experimentation—the thought being that an organization wants to make investments appropriate to the likely return on those investments. In this context, impact and likelihood could be considered by asking questions such as:

  • What could this idea be worth if it works?
  • How likely is this idea to work?
  • What will it take to achieve this?



 

Appendix D

Sample Templates for Identifying, Assessing, Recording, and Reporting Risk Information

Organizations have developed a variety of templates to help management and employees identify, assess, and report risk information systematically and consistently. Templates generally fall into one of three categories, corresponding to the three vital areas of information they are designed to capture:

  1. risk identification templates;
  2. risk analysis templates; and
  3. risk maps.

Risk Identification Template

Usually in the form of a table, this simple template is designed to allow managers to list major risks, or risk sources, often within predefined risk areas or categories. In most cases, the risk identification template also includes a section on a preliminary risk assessment. Some more advanced forms may include a likelihood and impact decision-making model to show a risk rating (i.e. a combination of impact and likelihood) prior to implementing mitigation strategies (see Appendix C).

Exhibit 1: A Risk Identification Template

Initiative or Project Objective:

Risks or Risk Areas:

Preliminary assessment

LOW MEDIUM HIGH
1.      
2.      
3.      
4.      
5.      

Risk Analysis Template

These templates, commonly referred to as worksheets, are often more elaborate, consisting of two or more tables. They are designed to capture and track as much information as possible about identified risks. In addition to a more detailed description of particular risks, the template may include such information as:

  • linkages to program, corporate objectives, or other corporately defined themes;
  • current risk level(s) in terms of likelihood and impact and sometimes risk level(s) after planned corrective actions are taken;
  • existing measures and capacity to mitigate risk;
  • planned management responses, strategies, and contingencies; and
  • the unit or individual responsible for managing a particular risk.

Exhibit 2: A Risk Analysis Template

The worksheet has the following columns: Corporate objective affected; Risk description and its consequences; Result of likelihood and impact assessment (two sub-columns: Likelihood, Impact); Risk rating; Existing moderation capacity or capability; Additional mitigation action or strategy; Manager responsible. Rows are left blank for entries.

Risk Maps

Risk maps are graphic representations of key risks facing an organization at any given time. Key risks are plotted or superimposed on a matrix depicting their impact and likelihood or severity and frequency. Risks can be colour-coded to show source, predefined category, or other considerations (e.g. insured versus uninsured risks) that may be relevant in the context of a particular organization, business line, or program. Risks or risk areas are usually numbered or coded to link them to detailed information in a risk analysis template or risk inventory. Organizations that have identified many risks may also show the total number of risks in each cell.

Exhibit 3: A Risk Map

A sample Risk Map.

Risks identified:

 

Economic and Financial

  • F1 Interest rate
  • F2 Securities
  • F3 Cost of insurance

Environmental

  • E1 Climate change
  • E2 Pollution
  • E3 Ozone depletion

Legal

  • L1 Liabilities
  • L2 Human rights
  • L3 International agreements

Technological

  • T1 Nuclear power
  • T2 Biotechnology
  • T3 Genetic engineering

Safety and Security

  • S1 Invasion
  • S2 Terrorism
  • S3 Organized crime

Risks depicted are adapted from the Appendix E lists and shown in no particular order.
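The worksheet of Exhibit 2 and the map of Exhibit 3 are easier to keep consistent when both are generated from one risk register. The following Python example is added here and is not code from the guide or from any department's tool: it stores one Exhibit 2 row per risk, derives the LOW/MEDIUM/HIGH rating, and groups the risk codes by impact and likelihood cell, including the per-cell counts the text mentions for organizations with many risks. The 5-point scale, the rating thresholds (on the product of likelihood and impact) and the sample register entries are constructed assumptions; only the risk codes and names are borrowed from Exhibit 3.

```python
"""Risk register and risk map helpers (added example, not from the guide).

Assumptions: a 1..5 scale for likelihood and impact, rating thresholds on
their product, and a constructed sample register using Exhibit 3 codes.
"""
from collections import defaultdict
from dataclasses import dataclass

SCALE = 5  # assumption: 1 (lowest) to 5 (highest) for both axes


def rate(likelihood: int, impact: int) -> str:
    """Map a likelihood/impact pair to LOW / MEDIUM / HIGH.

    The thresholds (product >= 15 HIGH, >= 6 MEDIUM) are an assumption
    chosen for this example, not a rule stated in the guide.
    """
    score = likelihood * impact
    if score >= 15:
        return "HIGH"
    if score >= 6:
        return "MEDIUM"
    return "LOW"


@dataclass
class Risk:
    """One row of the Exhibit 2 worksheet."""
    code: str                # short code shown on the map, e.g. "F1"
    objective: str           # corporate objective affected
    description: str         # risk description and its consequences
    likelihood: int          # 1..SCALE
    impact: int              # 1..SCALE
    existing_capacity: str   # existing moderation capacity or capability
    mitigation: str          # additional mitigation action or strategy
    manager: str             # manager responsible

    def __post_init__(self):
        # Reject scores outside the scale so a typo cannot silently shift a cell.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= SCALE:
                raise ValueError(f"{self.code}: {name} must be in 1..{SCALE}, got {value}")

    @property
    def rating(self) -> str:
        return rate(self.likelihood, self.impact)


# Constructed sample register; scores are illustrative, not assessments.
SAMPLE_RISKS = [
    Risk("F1", "Sound financial position", "Interest rate rise increases debt cost",
         4, 3, "Fixed-rate borrowing", "Review hedging policy", "CFO"),
    Risk("F3", "Sound financial position", "Cost of insurance rises sharply",
         4, 3, "Multi-year contract", "Seek alternative coverage", "CFO"),
    Risk("E1", "Sustainable operations", "Climate change disrupts field work",
         3, 5, "Seasonal planning", "Build contingency schedule", "Operations DG"),
    Risk("L1", "Legal compliance", "Liabilities from contract disputes",
         2, 4, "Legal review of contracts", "Standard clause library", "General Counsel"),
    Risk("S3", "Safe workplace", "Organized crime targets facilities",
         1, 2, "Physical access controls", "Liaise with police", "Security Director"),
]


def risk_map(risks):
    """Group risk codes by (impact, likelihood) cell, as a risk map does."""
    cells = defaultdict(list)
    for r in risks:
        cells[(r.impact, r.likelihood)].append(r.code)
    return dict(cells)


def cell_counts(risks):
    """Total number of risks in each cell (for registers with many risks)."""
    return {cell: len(codes) for cell, codes in risk_map(risks).items()}


def risks_by_rating(risks):
    """Codes grouped by rating, the summary a corporate risk profile reports."""
    groups = defaultdict(list)
    for r in risks:
        groups[r.rating].append(r.code)
    return dict(groups)


def render_map(risks) -> str:
    """Text rendering: impact on rows (high at top), likelihood on columns."""
    cells = risk_map(risks)
    header = "impact \\ likelihood " + " ".join(f"{lk:>8}" for lk in range(1, SCALE + 1))
    lines = [header]
    for impact in range(SCALE, 0, -1):
        row = [f"{impact:>19}"]
        for lk in range(1, SCALE + 1):
            row.append(f"{','.join(cells.get((impact, lk), [])) or '-':>8}")
        lines.append(" ".join(row))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_map(SAMPLE_RISKS))
    print(risks_by_rating(SAMPLE_RISKS))
```

Each code on the map links back to the full worksheet row, which is what lets a reader move from the one-page map to the mitigation and ownership detail without the two documents drifting apart.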

Template for Capturing and Reporting on Risk Information

Guidelines for Risk Advisory Note

Branch/Region: Name of Branch
Risk: Name of Risk
Corporate Risk Area: Name of Risk Area
Short statement on the risk events and impacts
Objectives at Risk:
  • Brief point-form statement of branch objectives that may not be fully met. Such shortcomings may result from the challenges identified above and/or from challenges in implementing the mitigating strategies identified below.
  • Trade-offs made in developing mitigating strategies tend to be made among these objectives.

Sample Pre-Mitigation Assessment graphic charting impact against likelihood.

Considerations:

Short, point-form statements of factors that should be taken into account in making the right trade-offs in developing acceptable mitigating strategies

Key Mitigating Strategies:

Identification of all key mitigating strategies

Time Frames:

Targeted completion date for each mitigating strategy

Source: Reproduced from Integrated Risk Management in HRDC (October 2002), Human Resources Development Canada.


Appendix E

Sample Risk Identification Lists

A hierarchy of possible risks displayed in a pyramid model.

A hierarchy of possible risks. Cross-functional or interdisciplinary teams would be best suited to develop an inventory of potential risks in a holistic and comprehensive manner.

Source: Canadian Centre for Management Development, A Foundation for Developing Risk Management Learning Strategies in the Public Service (2001)

Potential Sources of Risk

Strategic Perspective

Description of views or perspective: sources that can impede the achievement of mandate and objectives.

Sources of risk:
  • policy and strategy
  • corporate reputation
  • political factors
  • public expectations
  • stakeholder relations
  • media relations
  • industry developments
  • changing demographics
  • globalization
  • national security threats
  • business continuity
  • emergency preparedness
  • technology trends
  • economic trends
  • competitive trends

Business Line Perspective

Description of views or perspective: sources that can impede the achievement of business line or program objectives.

Sources of risk:
  • business line activities
  • program activities
  • program delivery
  • client services
  • service delivery
  • alliances, partnerships
  • major projects

Corporate Management Perspective

Description of views or perspective: sources that may not effectively support the achievement of results.

Sources of risk:
  • structure and reporting relationships
  • planning and priority setting
  • budgeting and resource allocation
  • expenditure management
  • revenue and cost recovery
  • transfer payments
  • procurement and contracting
  • financial management
  • performance management
  • project management
  • change management
  • inventory management
  • asset management
  • human resources
  • information and knowledge
  • information technology
  • communications
  • risk management

Compliance Perspective

Description of views or perspective: sources that could embarrass the organization or cause liabilities for not complying with laws and regulations.

Sources of risk:
  • funding and appropriations
  • statutory reporting
  • compliance with laws and regulations
  • compliance with central agency policies
  • agreements and contractual obligations
  • workplace health and safety
  • environmental protection
  • security, privacy and confidentiality
  • legal liabilities and litigation

Government Agenda Perspective

Description of views or perspective: sources that are critical to ensure alignment with government-wide commitments.

Sources of risk:
  • citizen focus
  • values and ethics
  • accountability
  • transparency
  • responsible spending
  • client satisfaction
  • Government On-Line
  • improved reporting
  • modern comptrollership
  • fairness and equity
  • Results for Canadians
  • modern HRM
  • integrated risk management

Source: Risk-based Internal Audit Priorities Toolset for Small Departments and Agencies (March 2003). Available at: http://www.tbs-sct.gc.ca/ia-vi/policies-politiques/priorities-priorites/priorities-priorites-eng.pdf

A Sample of Risks Subject to Government Intervention

Transportation

  • automobiles, motorcycles
  • trucks
  • railroads
  • aircraft
  • ships, barges, other watercraft
  • pipelines (oil, gas, water, commodities)
  • electricity (especially electromagnetic fields)

Environment

  • climate change
  • air, water, land pollution (e.g. acid rain, urban smog, contaminated sites)
  • forestry practices
  • toxic substances
  • biodiversity and endangered species
  • fisheries
  • ozone depletion

Natural Resources

  • access and use of renewable resources (fish, timber, water, wildlife)
  • access to and use of non-renewable resources (petroleum, coal, natural gas, minerals)

Consumer Products

  • automobiles (e.g. seatbelts, airbags, bumpers, running lights, fuel standards)
  • drugs (for humans and animals)
  • medical devices
  • children's toys, clothes, cribs, car seats, etc.
  • explosives
  • pleasure boats (e.g. Jet Ski)
  • tires

Food

  • food contamination during production and distribution
  • food labelling
  • pesticide application and residuals in food
  • bovine growth hormone in milk
  • irradiation
  • genetically modified foods

Technology

  • nuclear power
  • biotechnology
  • genetic engineering
  • information technologies

Occupational

  • workplace safety

Economic or Financial

  1. related to financial instruments and institutions
    • securities (debt and equity)
    • banking and other financial institutions
    • insurance companies
    • pension plans
    • deposit insurance
  2. related to purchase of products
    • product labelling, including trademarks
    • weights and measures
    • misleading advertising or marketing practices
    • quality assurance (e.g. birth control devices)
    • efficacy of professional services
  3. related to income level and flow
    • employment insurance
    • Canada Pension Plan
    • welfare payments
    • workers' compensation
    • crop insurance
    • disaster relief (ad hoc)

Human Safety

  1. Infrastructure
    • dams, bridges, utility lines, roadways, pipelines
  2. Natural disasters
    • weather events (hurricanes, tornados, floods, ice storms, blizzards, droughts, avalanches)
    • earthquakes
    • forest or grassland fires

Security

  1. National security
    • defence against invasion or attack
    • protection against subversion from within
  2. Personal security of citizens
    • police
    • firefighters

Rights

  • human rights (including those in the Charter)
  • collective bargaining
  • humane treatment of animals

Adapted from W. T. Stanbury, 2000, unpublished working paper submitted to CCMD Roundtable members.

Umbrella of Risk

Example of risks displayed in an 'Umbrella of Risk' chart

Source: Presentation by Kevin W. Knight, Ottawa, June 2003

Appendix F

TBS Management Accountability Framework—Risk Management Expectations

Risk Management: a key management expectation of the Management Accountability Framework

Expectation: The executive team clearly defines the corporate context and practices for managing organizational and strategic risks proactively.

Indicators:
  • Key risks identified and managed
  • Risk lens in decision-making
  • Risk smart culture
  • Capacity to communicate and manage risk in public context

Measures:
  • Corporate Risk Profile, reviewed regularly
  • Tools, training, support for staff
  • Evidence of risk considerations in strategic planning
  • Engagement of external stakeholders in assessing/communicating risks

TBS Management Accountability Framework is available at: /maf-crg/index-eng.asp