Treasury Board of Canada Secretariat
Symbol of the Government of Canada


ARCHIVED - Integrated Risk Management Implementation Guide


Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

 

Summary of What and How for Establishing Each Element of the Integrated Risk Management Framework

Getting Started—Commit and Sustain Senior Management Support

Build the will and capacity for change—lead the initiative and manage the change.

What

What your department or agency has already done or needs to do:

How

There are a variety of ways to do it. Try these proven techniques.

The executive team discusses organizational readiness, roles, and approaches to get the commitment to lead and manage the necessary change. Managers need to believe in the value of integrated risk management.

  • Brief and train senior management to gain understanding and commitment, using internal expertise or in collaboration with an external practitioner, implementation leader, or consultant.
  • Consider executive retreats, seminars, workshops, and formal courses.
  • Encourage awareness of the IRMF and available material from the Privy Council Office, CCMD, and departments.
  • Initial discussion of readiness, key factors (other corporate initiatives and priorities, location of the risk champion, etc.).

The deputy head assigns a risk champion, with appropriate resources, who leads the development and implementation of an integrated risk management framework and policy or guidance. The risk champion role reflects the need for central co-ordination and advice.

  • A risk champion at the deputy head level is most effective; it is also common and effective to place the lead in a corporate function, at the assistant deputy head level, such as strategic and business planning or corporate services.
  • Invest in start-up—the champion is supported with employee(s) and funds. Effort is required to gain momentum, ensure training of managers and specialists, and establish good tools and processes.
  • Designate a group of specialists to provide expertise and promote a systematic approach to the process of integrating risk management. Begin where some expertise resides (e.g. corporate services) and migrate as necessary (e.g. to strategic planning).
  • With the champion, the group can provide direction and co-ordination for integration with corporate planning and priority setting and for common processes to set priorities among major risk areas and to allocate resources, as well as for a corporate-level environmental scanning process.
The deputy head establishes and chairs a forum for risk management to build the will and capacity for implementation, to manage the change, and for ongoing consideration of risk issues, implementation approaches, capacity, and performance.
  • Create a separate executive forum or use an existing one, such as the departmental executive committee.
  • Demonstrate personal commitment and engagement. The executive committee is useful to drive progress by establishing events with and requiring reports to this most senior management level.
  • Emphasize that deputy and senior executives must be willing to take ownership. Although it is centrally co-ordinated, responsibility is clear and distributed, since corporate risks are often managed by business line.
  • Establish a representative, cross-functional working group to propose and advise on corporate approaches, plans, systems, and practices.

Assess organizational readiness and roles to prepare for this major change initiative that will require an investment of time and resources over the longer term.

  • Use results of the modern comptrollership capacity check and the organizational response/plan.
  • Ask fundamental questions: how will integrated risk management (IRM) help us meet our objectives, how do we ensure success, how will employees react?
  • Apply high-level assessment tools to assess general readiness: change models, organizational assessment processes, cultural maps and surveys, situational analysis tools, focus groups (see sources in the Selected References section of this guide).
  • Borrow and use the practices of change management.
  • Use departmental or agency lessons learned and tools already developed (e.g. Human Resources Development Canada's IRM benchmarking and diagnostic tool).
  • Use the risk management committee or working group as a sounding board and information source.
  • Hold sessions with management and other stakeholders, using outside facilitators.
  • Consult external sources and advisors.
  • Use reference libraries (e.g. TBS, Risk and Insurance Management Society—RIMS).

Develop and communicate an action plan for implementing integrated risk management, based on the assessment of readiness and roles.

  • Prepare an action plan (TBS template available).
  • Plan for scalable implementation. IRM will likely progress in stages; consider pilots.
  • Have a strategy to move from pilots to full-scale integration to help keep implementation on track over longer periods.
  • Use the organization-wide risk management framework self-assessment tool.
  • Establish cross-functional advisory groups.
  • Target and support early adopters whose acceptance and demonstration of tangible benefits will engender support from other management teams.
  • Develop partnerships with others, e.g. change sponsors (business line leaders) to keep IRM a priority and change agents to implement the change in all policies and daily activities, systems, and processes.
  • Build in training and learning plans.
  • Provide examples and benchmarks from similar outside organizations, as follows:
    • use reference libraries (TBS, CCMD, Conference Board of Canada, RIMS);
    • see the TBS Progress Review Plan for progress indicators and tracking approaches; and
    • use self-assessment tools (see Selected References).

Ongoing: Consult and communicate, communicate, communicate with all employees, stakeholders, and clients.

  • Establish cross-functional advisory groups.
  • Disseminate current work and provide tools to seek and capture feedback.
  • Make effective use of current performance information systems.
  • Introduce IRM-related training and learning.

Developing a Corporate Risk Profile

The corporate risk profile is a snapshot of the organization's operating environment and its capacity to deal with key high-level risks linked to the achievement of corporate objectives and results.

What

What your department or agency has already done or needs to do:

How

There are a variety of ways to do it. Try these proven techniques.

Plan and Prepare

Engage senior management in corporate risk profile development, including the development of a process model.

  • Brief and train senior management on integrated risk management and seek input and endorsement of the process model to develop the corporate risk profile.
  • The process model should include some basic classification of risk areas and a rating scale; possible categories of risk include health and safety; financial/economic; social; environmental; operational; public trust and confidence; asset; project; liability; security; IT; HR; political).
  • Use internal expertise to develop a process model or develop it in collaboration with an external practitioner or consultant.
  • Benchmark the organization's risk management status.
  • Assess relevance of other approaches to your organization.

Use the guiding departmental forum or committee.

  • Use the executive forum or committee to guide development of the corporate risk profile.
  • Consider use of a working group to support the executive committee.

Communicate the approved approach and progress.

  • Circulate an internal newsletter or memo.
  • Hold a management information or briefing session.
  • Hold a town hall session.
  • Have a management retreat.
  • Solicit specific information through interviews, call letters, an open forum, or facilitated session.
Gather data for key elements of the profile

Conduct an environmental scan.

  • Build on what already exists.
  • Validate findings, assumptions, and perceptions with key managers and the executive committee.
Internal Scan
  • Review results of the modern comptrollership capacity check and the corresponding action plan.
  • Review strategic planning documents, audit observations, and recommendations.
  • Consider performance reports and information.
  • Review the policy framework.
  • Consult with corporate planning, policy, audit, and evaluation groups.
  • Reach out to branch, program, business line, and functional executives and key managers.
  • Consider the use of interviews, surveys, questionnaires, focus groups, and/or facilitated sessions.
  • Consider collecting risk data by program, business line, discipline or functional area, geographic location, type of risk, sources of risk, or a combination of these and other relevant categories.
External Scan
  • Consider media monitoring and public opinion research.
  • Establish advisory groups, boards, or councils.
  • Solicit input from consumer groups (users of programs or services).
  • Review the government's policy agenda, including the Speech from the Throne.
  • Benchmark organizational status against that of other departments.
  • Review Statistics Canada survey results to establish trends.
  • Consult with think tanks, associations, as well as interest and lobby groups.

Consider the following to collect the required information:

  • Use the internal scanning services of an existing corporate function (e.g. the corporate communication group).
  • Consult an external service provider for media monitoring or research services.
  • Consider targeted or omnibus survey or questionnaire.
  • Make use of electronic bulletin boards, what-if scenarios, and facilitated workshops to seek the reaction of stakeholders.
  • Develop focus test and pilot approaches to target particular markets or geographic areas.

Understand risk tolerance.

Consider the following:

  • Review the policy framework (governing instruments, acts, regulations, etc.).
  • Review performance expectations and performance results.
  • Determine employees' understanding of the risks taken by themselves, their team, and the department.
  • Determine whether there is a common understanding of risk tolerance.
  • Consult key stakeholders to gain a better understanding of their risk tolerance.

Assess current risk management capacity.

  • Identify risk management tools and techniques now in use and where.
  • Determine the level of human resources expertise in risk management (current knowledge and skills).
  • Assess infrastructure, i.e. organizational stability and capacity of systems.

Develop the risk response.

  • Analyze information collected (environmental scan, capacity to manage risk, and stakeholders' risk tolerance) and present an aggregate picture to the executive committee for consideration.
  • The executive committee collectively assesses the broad spectrum of risks facing the organization in terms of likelihood and impact on achievement of corporate objectives.
  • The executive committee decides on five to ten key high-level risks that need to be managed at the corporate level.
  • The executive committee ranks key high-level risks and determines steps the organization will take to manage these risks.
  • Seek to engage key stakeholders to garner support for planned steps.

Portray the corporate risk profile.

  • Consider incorporating corporate key risk and related information into departmental documents (strategic plan, performance reports, etc.).
  • Think of developing a separate document to list corporate key risks and related information and mitigation measures.

Establishing an Integrated Risk Management Function—Integrating Risk Management into Existing
Decision-making Processes and Reporting

Set up an organizational infrastructure—the why, what, who, and how—to position risk management as integral to organizational strategy and operations. Use the corporate risk profile to shape risk management objectives and strategies that align with the organization's objectives. Build in risk management so that it becomes part of day-to-day efforts to achieve objectives and is not seen as an additional requirement.

What

What your department or agency has already done or needs to do:

How

There are a variety of ways to do it. Try these proven techniques.

Establish a corporate focus for risk management, using existing structures or building new ones.

  • Situate integrated risk management under the guidance of a high-level executive forum chaired by the deputy head.
  • Dedicate an initial investment of resources for mobilization.
  • Designate a corporate risk champion and provide appropriate support in terms of executive time and specialist resources.
  • Give integrated risk management an appropriate corporate focal point from which natural linkages can be built to functional areas.

Communicate corporate direction on risk management throughout all levels of the organization to create a risk-smart corporate culture.

  • The corporate risk champion leads development of an integrated risk management policy or framework, using internal expertise or working with a consultant; show how integrated risk management links to and supports the organization's objectives.
  • Written guidance (framework, policy, or operating principles) communicated throughout the organization supports individual units in building risk management into day-to-day operations, making it meaningful and relevant to all employees.
  • Identify and provide guidance on roles and responsibilities, program targets, critical success factors, performance measures, and sources and kinds of risk.
  • Use a network of local risk champions as a sounding board, information source, and channel for communicating corporate risk messages.

Integrate risk management into existing decision-making structures in a seamless fashion.

  • Establish a common risk language (such as what is meant by risk, risk management, legal risk management) and use it consistently in organizational guidance and documents.
  • Establish a common risk management process.
  • A goal of the process is to make risk management an integral part of business practices, so that employees do not see it as additional work.
  • Align the approach with corporate planning. The risk champion or specialist group provides direction and co-ordination for integration with corporate planning and priority setting, for common processes to set priorities and allocate resources among major risk areas, and for a corporate-level environmental scanning process.
  • Use the representative, cross-functional working group to propose and advise on corporate approaches, plans, systems, and practices, including resource allocation.

Build organizational capacity: dentify risk management skills, processes, and practices that need to be developed and strengthened, by building on existing capacity, tailoring it as needed.

  • Build awareness of risk management initiatives and culture; broaden the skills base through formal training; increase the knowledge base by sharing best practices and experiences; build capacity for teamwork.
  • Develop, adapt, and adopt corporate risk management tools, techniques, practices, and processes; provide guidance on the application of tools and techniques; allow for the development and/or use of alternative tools and techniques that might be better suited to managing risk in specialized applications; adopt processes to ensure integration of risk management across the organization.

Practising Integrated Risk Management

Implement flexible, dynamic approaches and processes to embed risk management in policies, plans, operations, and day-to-day Decision-making. Practise risk management up, down, and across the organization so the corporate view informs and is informed by local practices.

What

What your department or agency has already done or needs to do:

How

There are a variety of ways to do it. Try these proven techniques.

Engage the whole organization by aligning integrated risk management fully with objectives in all policies, plans, and operations and integrating results of risk management into practices at all levels.

Guided by the corporate risk profile and the direction provided in establishing the integrated risk management function:

  • The risk champion or specialist group provides direction and co-ordination for integration with corporate planning and priority setting and for common processes to set priorities and allocate resources among major risk areas and for a corporate-level environmental scanning process.
  • Align with objectives at all levels so that people can see the benefits individually and collectively and how they contribute—this also clarifies and improves accountability.
  • Alignment is done or facilitated by local champions or change sponsors who work to make the important micro-level changes to all policies, local procedures, daily activities, processes, and systems.
  • Use the risk management committee or working group as a sounding board and information source.

Enable people with processes, tools, and techniques, making available effective and proven resources and tools.

  • Use the common risk management process to identify, assess, respond to, monitor, and evaluate risk.
  • Encourage people to assess the ripple effects of their work.
  • Use a common risk management language to facilitate communication.
  • Provide training tools to enhance knowledge of risk management, including common risk management processes and special processes, such as control and risk self-assessment.

Sustain a supportive culture and build processes that develop participation, trust, and swift action on issues.

  • Active leadership of the deputy head, risk champion, and senior managers, e.g. one-on-one discussion of key risks between the deputy head and ADM/business line leaders; collective executive discussion of corporate and business line risk profiles; senior managers actively show commitment and support by devoting time in planning and operational meetings.
  • Use the representative, cross-functional working group to propose and advise on corporate approaches, plans, systems, and practices.
  • Keep the corporate risk profile current.
  • Report on performance (e.g. against risk management expectations in key performance indicators, employee performance agreements, and work descriptions).
  • Document risks, processes, decisions, plans, actions, and results.

Consult and communicate with internal and external stakeholders throughout the process.

  • Use the organization's intranet to promote risk awareness and tools and to obtain and share risk information, e.g. on risk in specific areas.
  • Aim specific risk messages at target audiences—think "What's in it for me?" for every person or group.
  • Understand and communicate effectively to the public that risk—whether seen as good, bad or neutral—is inherent and government needs to manage risk to get a net reward.
  • Make use of organizational reports to advance risk messages, e.g. how risk is being managed.
  • Respect the Communications Policy of the Government of Canada.

Ensuring Continuous
Risk Management Learning

Leverage and build on existing knowledge and capacity to achieve the desired cultural shift to a risk-smart workforce and operating environment.

What

What your department or agency has already done or needs to do:

How

There are a variety of ways to do it. Try these proven techniques.

Create a supportive work environment.

  • Demonstrate management commitment to and support for learning by linking learning to departmental risk management priorities.
  • Value knowledge, new ideas, new relationships, and experimentation.
  • Celebrate success stories and significant contributions.
  • Develop, use, assess, and refine risk management tools.

Build capacity.

  • Include risk management in formal training plans for individuals and teams.
  • Incorporate risk management thinking in existing training programs, as appropriate.
  • Leverage and capitalize on external learning opportunities.
  • Develop courses to focus on departmental approaches and priorities.

Learn from experience.

  • Establish an effective process to document and share lessons learned internally and more broadly in the federal community.
  • Consider decisions, events, and actions that do not turn out as planned opportunities for learning.
  • Evaluate results of risk management decisions to determine effectiveness. (Would the same action be taken in similar circumstances in future?)