1. Developing the Corporate Risk Profile

Developing a corporate risk profile involves taking stock of the organization's operating environment and its capacity to deal with key high-level risks linked to achievement of corporate objectives.

Developing a risk profile is a logical starting point in implementing integrated risk management. Organizations take stock of their operating environment, identify key risks, and review the organization's capacity to deal with these risks.

A corporate risk profile helps a department or agency establish a direction for managing corporate risks. The profile presents a snapshot of the organization's risk status at a particular point in time by addressing the following questions from a risk perspective: where is the organization now (threats, opportunities, strengths, and weaknesses); where is it going (organizational objectives and expected results); and what are the key high-level risks that need to be managed at the senior management level to enable the organization to achieve its corporate objectives and results?

To develop the profile, risk information at both the corporate and operational levels is analyzed to understand the key characteristics of the broad range of internal and external risks facing the organization. Senior management attention is focussed on a manageable number of risks (five to ten) in the context of the organization's mandate, objectives, available resources, and capacity for integrated risk management. In managing key risks, decision makers must also take into account risk tolerances of key stakeholders.

There is a significant interrelationship between developing a corporate risk profile and the strategic planning process. Risk management underlies all aspects of priority setting, planning, and resource allocation; in addition, the corporate risk profile, with two-way linkages from and into each of these areas, provides a vehicle to integrate them at the corporate level. Thus, the corporate risk profile is informed by and feeds back into departmental strategic planning documents and processes. In a mature practice of integrated risk management, a robust strategic and business planning process should assimilate the corporate risk profile, eliminating the need to present it separately.

The Fundamentals

The deputy head and executive committee should:

• ensure clarity of corporate objectives: achievement of corporate objectives is the foundation for developing the corporate risk profile; corporate objectives must be identified, clearly articulated, and understood by all managers (the development of the organization's report on plans and priorities provides a good opportunity to do that);
• support the risk champion by providing a clear mandate for the development of the corporate risk profile;
• be prepared to invest time and resources: organizations that have developed a corporate risk profile report that updating the profile is much faster and less costly once concepts and processes are established and embedded in traditional planning and decision-making processes;
• ensure that the corporate risk profile is linked in a meaningful way to corporate priority setting and resource allocation exercises;
• ensure that responsibility, authority, and accountability, including progress reporting for development of the corporate risk profile, are communicated to departmental managers;
• encourage senior management dialogue related to corporate risk profile development;
• understand and reflect stakeholders' expectations—the level and nature of engagement will change as practice matures;
• be aware that the contents of the profile are evergreen: the profile and process must be dynamic and respond to changes (e.g. major events such as those of September 11, 2001, significantly influenced key high-level risks for several departments); and
• ensure ongoing communication: communication is a basic principle of integrated risk management and fundamental to developing a corporate risk profile; key managers need to understand what is being done, why, what the expected results are, and what contribution is expected from them.

How to Do It

Developing a corporate risk profile involves activities under six general headings:

• plan and prepare;
• conduct an environmental scan;
• understand stakeholders' risk tolerance;
• assess current risk management capacity;
• develop the initial risk response; and
• portray the corporate risk profile.

Plan and Prepare

The focus and approach to developing the corporate risk profile are influenced by and linked to the organization's operating environment and state of readiness. Several factors can influence profile development, including the organization's mandate, resource base, and size; whether the organization is a central agency, a science-based or a regulatory department; whether the organization is largely operational or predominantly involved in policy development or learning; whether it is highly centralized; and how many program responsibilities it has. For example, regulators in science-based departments will naturally be more sensitive to and likely influenced by Canadians' low tolerance for risks to public health and safety. On the other hand, departments implementing administrative programs and central agencies may see more opportunity to innovate and experiment with new approaches to program and service delivery and policy.

Ideally, senior management should be asked to endorse a process model (methodology) that:

• provides a structured and disciplined approach to data collection;
• ensures that the entire executive team shares a common understanding; and
• facilitates engagement of other key managers in developing the corporate risk profile.

This may require separate briefings of individuals or consideration at several meetings, depending on factors such as the team's comfort level with the integrated risk management concept and the anticipated benefits of developing the corporate risk profile.

Briefings of the executive team on integrated risk management to gain support for moving forward on corporate risk profile development would typically cover the following:

• what integrated risk management is, including the four interrelated elements;
• the benefits of integrated risk management in general and specifically for the organization in terms of advancing its priorities (how the organization and its executive team will benefit in the short term and be better positioned for the future);
• a general sense of what exists or is already being done in the organization to manage risk;
• what information needs to be collected to develop the corporate risk profile, how this will be done, and what will be done with the information collected; and
• key roles, reporting relationships, and timelines for development of the profile.

Most organizations can build the corporate risk profile using existing sources. For example, existing information and/or data collection mechanisms can help guide development of the corporate risk profile.

Conducting an Internal and External Environmental Scan

A corporate risk profile identifies key risk areas that cut across the organization (issues, functions, programs, systems), as well as individual events, activities, or projects in the various business lines that could significantly influence overall management priorities, performance, and achievement of corporate objectives.

These internal and external factors and risks are identified through an environmental scan or preliminary data collection and analysis. Major trends and changes to them over time are particularly relevant in providing early warning of potential risks that may adversely affect departmental outputs and ultimately objectives, results, and outcomes.

The IRMF provides several suggestions about risk identification techniques, such as brainstorming, scenario planning, and surveys. Other sources of risk information include audit reports, performance reports, and other management information systems.

Internal Scan

The following sources provide insights that may help to determine the state of the organization in terms of what is at risk and types and sources of risk (threats, opportunities, strengths, and weaknesses).

• Results of the modern comptrollership capacity check and the corresponding action plan. Most departments have completed the capacity check, which provides a wealth of information about managers' perceptions of the organization's status in areas such as risk management, strategic leadership, values and ethics, integrated performance information, stewardship, and accountability. The organization's status is mapped against a maturity model for each area.
• Departmental strategic planning documents: the corporate plan, departmental performance report, report on plans and priorities, audit observations and recommendations, capital assets, and functional plans.
• Performance management reports, information, and systems help determine whether the organization is meeting its performance expectations and targets.

These documents are likely good sources of information on organizational objectives, direction, new projects and initiatives, current performance, and areas needing attention or improvement.

For additional data collection or surveys, an interview guide or model that classifies or groups risk areas (identification of what is at risk, types and/or sources of risk, a ranking scale and methodology) will facilitate consolidation and analysis of information collected. Data can be organized by program, business line, discipline or functional area, geographic location, type of risk, sources of risk, or a combination of these and other relevant categories.

The following activities could supplement the information gathered from the sources already discussed:

• Review central agency and departmental policy instruments to determine direction on risk management. Determine departmental practices related to these policy instruments.
• Consult with corporate planning, policy, audit, and evaluation personnel to identify areas where the organization may be at risk or vulnerable.
• Reach out to branch, program, business line, functional assistant deputy ministers, executives, and key managers to identify risks in their immediate area of responsibility and the organization as a whole.
• Seek key managers' assessments of risk areas, ranking of the risks from highest to lowest priority, and how the risks are currently being managed.

External Scan

Understanding the organization's risk universe helps identify and assess key high-level risks for the corporate risk profile. External factors to be considered include the political, economic, social, and technological environments, as well as trends and changes that could influence the conduct of the organization's activities or achievement of its objectives. The interests and risk tolerance of key external stakeholders are also important considerations in developing the risk profile and establishing the organization's risk tolerance(s).

• Consider the following information sources: media monitoring; the government's policy agenda, including the Speech from the Throne; benchmarking of the organization's status against that of other departments; public opinion research; advisory groups, boards, or councils; consumer groups (users of programs and services); Statistics Canada databases; think tanks; associations; interest and lobby groups.
• Consider the following to collect the required information: internal scanning services of an existing corporate function (e.g. the corporate communications group); a targeted or omnibus survey or questionnaire; use of electronic bulletin boards and what-if scenarios to seek reaction and direction from stakeholders; focus testing and pilot approaches to target markets or specific geographic areas.

Understand Risk Tolerance

An organization's tolerance for risk varies with its culture and with evolving conditions in its internal and external environments. An organization's risk tolerance and that of its key stakeholders must be understood, because both will influence and guide Decision-making. Management must determine which risks the organization should accept at which levels, then re-evaluate these choices as circumstances change.

Risk tolerance and performance expectations should be linked directly at the corporate level. Organizations should understand the correlation between the degree and duration of unfavourable variances from established performance expectations or targets and the level of risk exposure.

Consider the following in understanding the organization's risk tolerance level and that of its key stakeholders:

• the operating policy framework, i.e. acts, regulations, TB and departmental policies, directives and guidelines, levels of delegation of authority; the governing instruments generally articulate acceptable departmental practices and expectations in given circumstances;
• the organization's performance expectations and actual performance;
• how the organization or stakeholders have reacted to past risk events and issues;
• formal or informal mechanisms to track, report, and act on performance;
• employees' understanding of the risks taken by themselves, their team or group and the department;
• whether there is a common understanding of risk tolerance and risk management and how effectively it is communicated across the department and to its internal and external stakeholders;
• employees' understanding of the risk tolerances of key stakeholder groups; and
• whether stakeholders have been consulted on risk tolerances and performance targets.

The following diagram presents risk tolerance in relation to the cost of managing to different levels of risk. Source: presentation by Kevin W. Knight, Ottawa, June 2003.

Assess Current Risk Management Capacity

It is important to identify the nature, adequacy, and usefulness of existing organizational tools, techniques, human resources skills, and expertise for managing risk.

By taking stock of the risk management tools and techniques now in use, as well as the risk management skills available in the organization, it will be possible to assess the state of risk infrastructure in terms of organizational stability and system capacity. Management must ensure that this infrastructure is capable of supporting the organization's current and anticipated integrated risk management needs.

Developing the Initial Risk Response

Once information has been collected (environmental scan, capacity to manage risk, stakeholders' risk tolerance) and findings and assumptions have been validated, it needs to be analyzed, aggregated, and presented to the executive committee. The deputy head and the executive committee should collectively assess the broad spectrum of risks facing the organization in terms of likelihood and impact on achievement of corporate objectives. They can then decide which of the key high-level risks need to be managed at the corporate level and which should or could be managed by other levels.

Each member of the executive committee should rank the key high-level risks by priority and be prepared to explain the ranking and linkages to corporate objectives and other risks. Anonymous voting technology or similar approaches can be used to rank risks. Based on the discussion, the executive committee can decide on the corporate ranking of risks and determine the steps the organization will take to manage the risks. These steps should be informed by the findings of the environmental scan, the organization's capacity to manage risk, and stakeholders' risk tolerance, as well as the management team's knowledge and experience.

In developing the initial risk response, the organization should ideally seek to engage key stakeholders in dialogue to gain their support for the proposed steps. The organization should attempt to strengthen and ensure a common understanding of the possible options and trade-offs and seek stakeholders' help in formulating plans that contribute to the achievement of organizational objectives to the greatest extent possible.

The results of the risk assessment and ranking must be linked to the department's priority setting and resource allocation processes so that management attention and resources flow to the highest risks.

Portray the Corporate Risk Profile

The final step is to produce a document depicting the corporate risk profile. It sets out the results of the environmental scans, risk assessment, and analysis and identifies areas requiring corporate decisions or direction regarding risk management strategies. Organizations have developed various ways to present results, including matrices, risk maps, and reports with summaries by risk area. The reader may find it useful to refer to the sample risk map reproduced in Appendix D.

Questions to Consider

Ask the following questions to confirm that the organization is achieving the expected results of developing a corporate risk profile.

1. Are the key high-level risks for the department identified?
2. Is there evidence that the deputy head and departmental executive are engaged and committed to corporate risk profile development and related action? (That is, have they made it a departmental priority? Have start-up resources been allocated? Will findings be linked to decision-making processes, including priority setting and resource allocation exercises?)
3. In determining the initial departmental response and action to manage key high-level risks, has consideration been given to the risk tolerance of key stakeholders and is senior management mindful of the organization's capacity to manage such risks? (Are employees aware of risk management theory and practices? Are systematic risk management processes already being applied and can the organization leverage this knowledge and expertise? Do employees have the necessary knowledge, skills, and tools to manage risks within their areas of responsibility?)

Examples

Developing a Corporate Risk Profile: Framework for Engagement

To develop a corporate risk profile, one department, using the risk expertise within its internal audit group, developed Frameworks for Engagement (a Memorandum of Understanding) between the audit group and the departmental branches. The framework acts as the mechanism for outlining the roles and responsibilities for the identification and assessment of risks, development of corresponding mitigation strategies, and reporting. After a number of facilitated risk identification and assessment sessions conducted over nine months, followed by a period of regional consultations, key risks were identified and initial management strategies were suggested. These were subsequently used to develop a profile of corporate risk areas and a variety of mitigation strategies. Both the risks and the strategies are now important components of the organization's corporate plan.

Developing a Corporate Risk Profile: Environmental Scanning

Another department uses environmental scanning as the basis for developing its corporate risk profile. The scan includes the following:

• the identification and description of internal and external risks that significantly influence the achievement of the organization's objectives (key risk areas);
• an overview of the department's capacity to manage risk in terms of existing competencies and systematic processes;
• an identification of target risk units (activities, operating groups, systems, and programs that require specific attention because they entail significant potential risks); and
• systematic methods of managing risk for the priority target risk units.

The corporate risk profile also sets out an organization-wide view of risk tolerances and how they are communicated to managers and employees. The department's executive board reviews all components of the profile annually.

Use of a Corporate Risk Profile

One department, with a significant regional presence in program delivery, depends on its corporate risk profile to explain how its two types of risk (inherent risks arising from its department's mandate and risks arising from the changing operating environment) interact dynamically to affect the achievement of business objectives.

The corporate risk profile is also intended to inform staff and stakeholders about the following:

• the prevailing departmental perspective on inherent risks (key risk areas) arising from the mandate;
• risks emerging from the changing operating environment;
• priority target risk units and how their risks are to be mitigated and managed;
• risk tolerances and how they are to be communicated;
• current capacity of the department overall to manage and mitigate significant risks; and
• learning and support needs, structures, and actions to sustain integrated management of risk within the organization.

The corporate risk profile is updated annually and approved by senior management.

Integration with Planning

Senior management of the department described immediately above has committed to implement operational plans for all sectors and regions each year. The process includes internal and external environmental scans of risks, pressures, opportunities and other factors that could influence the department's policy and management agendas, with risk being one of the elements considered and addressed within the integrated planning process. There is also a commitment to develop what the department is calling a "dashboard" of key operational indicators that can serve as an early warning system for environmental changes.

Recently, all regions and sectors of this department have been asked to identify two projects and/or programs where risk tools could be applied beneficially. In doing so, regions and sectors are required to review their risks. In 1998 and again in 2000, all senior managers were interviewed and asked to identify their top risks. In 2002, there was an identification of areas where risk would be applied and an operational planning exercise involving a 'SWOT' assessment (strengths, weaknesses, opportunities, and threats) for each region and sector. The results covered operations and business lines within each region or sector.

Another department undertakes an extensive environmental scanning process at the start of each annual planning cycle. This scan is intended to provide intelligence and context for setting priorities as well as planning and decision making over the next year. Such a broad scan allows for consistent analysis of horizontal trends across sectors and regions and provides an important vehicle for reaching consensus within the department on key trends (political, economic, social, and technical), opportunities and threats that could influence the department.

One of the smaller departments uses environmental scanning to identify internal and external risks, which supports the development of risk profiles for each of the business lines. The risk profiles and scan results are integrated into a corporate risk profile and then discussed by the departmental senior executive committee at a strategic planning retreat. The environmental scanning is conducted under the co-lead of their strategic planning and corporate services groups. To get started more quickly, the department decided on a simple approach, avoiding overly elaborate methodology. This learning-by-doing approach is expected to build organizational commitment and result in a more integrated set of tools.

Many other examples exist among lead implementation departments. The TBS risk management Web site links readers with updated information on progress in these and other federal organizations.