This page has been archived.
Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.
Developing a corporate risk profile involves taking stock of the organization's operating environment and its capacity to deal with key high-level risks linked to achievement of corporate objectives.
Developing a risk profile is a logical starting point in implementing integrated risk management. Organizations take stock of their operating environment, identify key risks, and review the organization's capacity to deal with these risks.
A corporate risk profile helps a department or agency establish a direction for managing corporate risks. The profile presents a snapshot of the organization's risk status at a particular point in time by addressing the following questions from a risk perspective: where is the organization now (threats, opportunities, strengths, and weaknesses); where is it going (organizational objectives and expected results); and what are the key high-level risks that need to be managed at the senior management level to enable the organization to achieve its corporate objectives and results?
To develop the profile, risk information at both the corporate and operational levels is analyzed to understand the key characteristics of the broad range of internal and external risks facing the organization. Senior management attention is focussed on a manageable number of risks (five to ten) in the context of the organization's mandate, objectives, available resources, and capacity for integrated risk management. In managing key risks, decision makers must also take into account risk tolerances of key stakeholders.
There is a significant interrelationship between developing a corporate risk profile and the strategic planning process. Risk management underlies all aspects of priority setting, planning, and resource allocation; in addition, the corporate risk profile, with two-way linkages from and into each of these areas, provides a vehicle to integrate them at the corporate level. Thus, the corporate risk profile is informed by and feeds back into departmental strategic planning documents and processes. In a mature practice of integrated risk management, a robust strategic and business planning process should assimilate the corporate risk profile, eliminating the need to present it separately.
The deputy head and executive committee should:
Developing a corporate risk profile involves activities under six general headings:
The focus and approach to developing the corporate risk profile are influenced by and linked to the organization's operating environment and state of readiness. Several factors can influence profile development, including the organization's mandate, resource base, and size; whether the organization is a central agency, a science-based or a regulatory department; whether the organization is largely operational or predominantly involved in policy development or learning; whether it is highly centralized; and how many program responsibilities it has. For example, regulators in science-based departments will naturally be more sensitive to and likely influenced by Canadians' low tolerance for risks to public health and safety. On the other hand, departments implementing administrative programs and central agencies may see more opportunity to innovate and experiment with new approaches to program and service delivery and policy.
Ideally, senior management should be asked to endorse a process model (methodology) that:
This may require separate briefings of individuals or consideration at several meetings, depending on factors such as the team's comfort level with the integrated risk management concept and the anticipated benefits of developing the corporate risk profile.
Briefings of the executive team on integrated risk management to gain support for moving forward on corporate risk profile development would typically cover the following:
Most organizations can build the corporate risk profile using existing sources. For example, existing information and/or data collection mechanisms can help guide development of the corporate risk profile.
A corporate risk profile identifies key risk areas that cut across the organization (issues, functions, programs, systems), as well as individual events, activities, or projects in the various business lines that could significantly influence overall management priorities, performance, and achievement of corporate objectives.
These internal and external factors and risks are identified through an environmental scan or preliminary data collection and analysis. Major trends and changes to them over time are particularly relevant in providing early warning of potential risks that may adversely affect departmental outputs and ultimately objectives, results, and outcomes.
The IRMF provides several suggestions about risk identification techniques, such as brainstorming, scenario planning, and surveys. Other sources of risk information include audit reports, performance reports, and other management information systems.
The following sources provide insights that may help to determine the state of the organization in terms of what is at risk and types and sources of risk (threats, opportunities, strengths, and weaknesses).
These documents are likely good sources of information on organizational objectives, direction, new projects and initiatives, current performance, and areas needing attention or improvement.
For additional data collection or surveys, an interview guide or model that classifies or groups risk areas (identification of what is at risk, types and/or sources of risk, a ranking scale and methodology) will facilitate consolidation and analysis of information collected. Data can be organized by program, business line, discipline or functional area, geographic location, type of risk, sources of risk, or a combination of these and other relevant categories.
The following activities could supplement the information gathered from the sources already discussed:
Understanding the organization's risk universe helps identify and assess key high-level risks for the corporate risk profile. External factors to be considered include the political, economic, social, and technological environments, as well as trends and changes that could influence the conduct of the organization's activities or achievement of its objectives. The interests and risk tolerance of key external stakeholders are also important considerations in developing the risk profile and establishing the organization's risk tolerance(s).
An organization's tolerance for risk varies with its culture and with evolving conditions in its internal and external environments. An organization's risk tolerance and that of its key stakeholders must be understood, because both will influence and guide Decision-making. Management must determine which risks the organization should accept at which levels, then re-evaluate these choices as circumstances change.
Risk tolerance and performance expectations should be linked directly at the corporate level. Organizations should understand the correlation between the degree and duration of unfavourable variances from established performance expectations or targets and the level of risk exposure.
Consider the following in understanding the organization's risk tolerance level and that of its key stakeholders:
The following diagram presents risk tolerance in relation to the cost of managing to different levels of risk. Source: presentation by Kevin W. Knight, Ottawa, June 2003.
It is important to identify the nature, adequacy, and usefulness of existing organizational tools, techniques, human resources skills, and expertise for managing risk.
By taking stock of the risk management tools and techniques now in use, as well as the risk management skills available in the organization, it will be possible to assess the state of risk infrastructure in terms of organizational stability and system capacity. Management must ensure that this infrastructure is capable of supporting the organization's current and anticipated integrated risk management needs.
Once information has been collected (environmental scan, capacity to manage risk, stakeholders' risk tolerance) and findings and assumptions have been validated, it needs to be analyzed, aggregated, and presented to the executive committee. The deputy head and the executive committee should collectively assess the broad spectrum of risks facing the organization in terms of likelihood and impact on achievement of corporate objectives. They can then decide which of the key high-level risks need to be managed at the corporate level and which should or could be managed by other levels.
Each member of the executive committee should rank the key high-level risks by priority and be prepared to explain the ranking and linkages to corporate objectives and other risks. Anonymous voting technology or similar approaches can be used to rank risks. Based on the discussion, the executive committee can decide on the corporate ranking of risks and determine the steps the organization will take to manage the risks. These steps should be informed by the findings of the environmental scan, the organization's capacity to manage risk, and stakeholders' risk tolerance, as well as the management team's knowledge and experience.
In developing the initial risk response, the organization should ideally seek to engage key stakeholders in dialogue to gain their support for the proposed steps. The organization should attempt to strengthen and ensure a common understanding of the possible options and trade-offs and seek stakeholders' help in formulating plans that contribute to the achievement of organizational objectives to the greatest extent possible.
The results of the risk assessment and ranking must be linked to the department's priority setting and resource allocation processes so that management attention and resources flow to the highest risks.
The final step is to produce a document depicting the corporate risk profile. It sets out the results of the environmental scans, risk assessment, and analysis and identifies areas requiring corporate decisions or direction regarding risk management strategies. Organizations have developed various ways to present results, including matrices, risk maps, and reports with summaries by risk area. The reader may find it useful to refer to the sample risk map reproduced in Appendix D.
Ask the following questions to confirm that the organization is achieving the expected results of developing a corporate risk profile.
To develop a corporate risk profile, one department, using the risk expertise within its internal audit group, developed Frameworks for Engagement (a Memorandum of Understanding) between the audit group and the departmental branches. The framework acts as the mechanism for outlining the roles and responsibilities for the identification and assessment of risks, development of corresponding mitigation strategies, and reporting. After a number of facilitated risk identification and assessment sessions conducted over nine months, followed by a period of regional consultations, key risks were identified and initial management strategies were suggested. These were subsequently used to develop a profile of corporate risk areas and a variety of mitigation strategies. Both the risks and the strategies are now important components of the organization's corporate plan.
Another department uses environmental scanning as the basis for developing its corporate risk profile. The scan includes the following:
The corporate risk profile also sets out an organization-wide view of risk tolerances and how they are communicated to managers and employees. The department's executive board reviews all components of the profile annually.
One department, with a significant regional presence in program delivery, depends on its corporate risk profile to explain how its two types of risk (inherent risks arising from its department's mandate and risks arising from the changing operating environment) interact dynamically to affect the achievement of business objectives.
The corporate risk profile is also intended to inform staff and stakeholders about the following:
The corporate risk profile is updated annually and approved by senior management.
Senior management of the department described immediately above has committed to implement operational plans for all sectors and regions each year. The process includes internal and external environmental scans of risks, pressures, opportunities and other factors that could influence the department's policy and management agendas, with risk being one of the elements considered and addressed within the integrated planning process. There is also a commitment to develop what the department is calling a "dashboard" of key operational indicators that can serve as an early warning system for environmental changes.
Recently, all regions and sectors of this department have been asked to identify two projects and/or programs where risk tools could be applied beneficially. In doing so, regions and sectors are required to review their risks. In 1998 and again in 2000, all senior managers were interviewed and asked to identify their top risks. In 2002, there was an identification of areas where risk would be applied and an operational planning exercise involving a 'SWOT' assessment (strengths, weaknesses, opportunities, and threats) for each region and sector. The results covered operations and business lines within each region or sector.
Another department undertakes an extensive environmental scanning process at the start of each annual planning cycle. This scan is intended to provide intelligence and context for setting priorities as well as planning and decision making over the next year. Such a broad scan allows for consistent analysis of horizontal trends across sectors and regions and provides an important vehicle for reaching consensus within the department on key trends (political, economic, social, and technical), opportunities and threats that could influence the department.
One of the smaller departments uses environmental scanning to identify internal and external risks, which supports the development of risk profiles for each of the business lines. The risk profiles and scan results are integrated into a corporate risk profile and then discussed by the departmental senior executive committee at a strategic planning retreat. The environmental scanning is conducted under the co-lead of their strategic planning and corporate services groups. To get started more quickly, the department decided on a simple approach, avoiding overly elaborate methodology. This learning-by-doing approach is expected to build organizational commitment and result in a more integrated set of tools.
Many other examples exist among lead implementation departments. The TBS risk management Web site links readers with updated information on progress in these and other federal organizations.