Build the will and capacity for change—lead the initiative and manage the
change.
What
What your department or agency has already done or needs to do:
|
How
There are a variety of ways to do it. Try these proven techniques.
|
The executive team discusses organizational readiness,
roles, and approaches to get the commitment to lead and manage the
necessary change. Managers need to believe in the value of integrated risk
management.
|
- Brief and train senior management to gain understanding and
commitment, using internal expertise or in collaboration with an
external practitioner, implementation leader, or consultant.
- Consider executive retreats, seminars, workshops, and formal
courses.
- Encourage awareness of the IRMF and available material from the
Privy Council Office, CCMD, and departments.
- Initial discussion of readiness, key factors (other corporate
initiatives and priorities, location of the risk champion, etc.).
|
The deputy head assigns a risk champion, with
appropriate resources, who leads the development and implementation of an
integrated risk management framework and policy or guidance. The risk
champion role reflects the need for central co-ordination and advice.
|
- A risk champion at the deputy head level is most effective; it is
also common and effective to place the lead in a corporate function,
at the assistant deputy head level, such as strategic and business
planning or corporate services.
- Invest in start-up—the champion is supported with employee(s) and
funds. Effort is required to gain momentum, ensure training of
managers and specialists, and establish good tools and processes.
- Designate a group of specialists to provide expertise and promote a
systematic approach to the process of integrating risk management.
Begin where some expertise resides (e.g. corporate services) and
migrate as necessary (e.g. to strategic planning).
- With the champion, the group can provide direction and co-ordination
for integration with corporate planning and priority setting and for
common processes to set priorities among major risk areas and to
allocate resources, as well as for a corporate-level environmental
scanning process.
|
The deputy head establishes and chairs a forum for risk
management to build the will and capacity for implementation, to
manage the change, and for ongoing consideration of risk issues,
implementation approaches, capacity, and performance. |
- Create a separate executive forum or use an existing one, such as
the departmental executive committee.
- Demonstrate personal commitment and engagement. The executive
committee is useful to drive progress by establishing events with and
requiring reports to this most senior management level.
- Emphasize that deputy and senior executives must be willing to take
ownership. Although it is centrally co-ordinated, responsibility is
clear and distributed, since corporate risks are often managed by
business line.
- Establish a representative, cross-functional working group to
propose and advise on corporate approaches, plans, systems, and
practices.
|
Assess organizational readiness and roles to prepare
for this major change initiative that will require an investment of time
and resources over the longer term.
|
- Use results of the modern comptrollership capacity check and the
organizational response/plan.
- Ask fundamental questions: how will integrated risk management (IRM)
help us meet our objectives, how do we ensure success, how will
employees react?
- Apply high-level assessment tools to assess general readiness:
change models, organizational assessment processes, cultural maps and
surveys, situational analysis tools, focus groups (see sources in the
Selected References section of this guide).
- Borrow and use the practices of change management.
- Use departmental or agency lessons learned and tools already
developed (e.g. Human Resources Development Canada's IRM benchmarking
and diagnostic tool).
- Use the risk management committee or working group as a sounding
board and information source.
- Hold sessions with management and other stakeholders, using outside
facilitators.
- Consult external sources and advisors.
- Use reference libraries (e.g. TBS, Risk and Insurance Management
Society—RIMS).
|
Develop and communicate an action plan for
implementing integrated risk management, based on the assessment of
readiness and roles.
|
- Prepare an action plan (TBS template available).
- Plan for scalable implementation. IRM will likely progress in
stages; consider pilots.
- Have a strategy to move from pilots to full-scale integration to
help keep implementation on track over longer periods.
- Use the organization-wide risk management framework self-assessment
tool.
- Establish cross-functional advisory groups.
- Target and support early adopters whose acceptance and demonstration
of tangible benefits will engender support from other management
teams.
- Develop partnerships with others, e.g. change sponsors (business
line leaders) to keep IRM a priority and change agents to implement
the change in all policies and daily activities, systems, and
processes.
- Build in training and learning plans.
- Provide examples and benchmarks from similar outside organizations,
as follows:
- use reference libraries (TBS, CCMD, Conference Board of Canada,
RIMS);
- see the TBS Progress Review Plan for progress indicators and
tracking approaches; and
- use self-assessment tools (see Selected References).
|
Ongoing: Consult and communicate, communicate,
communicate with all employees, stakeholders, and clients.
|
- Establish cross-functional advisory groups.
- Disseminate current work and provide tools to seek and capture
feedback.
- Make effective use of current performance information systems.
- Introduce IRM-related training and learning.
|
The corporate risk profile is a snapshot of the organization's operating
environment and its capacity to deal with key high-level risks linked to the
achievement of corporate objectives and results.
What
What your department or agency has already done or needs to do:
|
How
There are a variety of ways to do it. Try these proven techniques.
|
Plan and Prepare
Engage senior management in corporate risk profile
development, including the development of a process model.
|
- Brief and train senior management on integrated risk management and
seek input and endorsement of the process model to develop the
corporate risk profile.
- The process model should include some basic classification of risk
areas and a rating scale (possible categories of risk include health
and safety; financial/economic; social; environmental; operational;
public trust and confidence; asset; project; liability; security; IT;
HR; political).
- Use internal expertise to develop a process model or develop it in
collaboration with an external practitioner or consultant.
- Benchmark the organization's risk management status.
- Assess relevance of other approaches to your organization.
|
Use the guiding departmental forum or committee.
|
- Use the executive forum or committee to guide development of the
corporate risk profile.
- Consider use of a working group to support the executive committee.
|
Communicate the approved approach and progress.
|
- Circulate an internal newsletter or memo.
- Hold a management information or briefing session.
- Hold a town hall session.
- Have a management retreat.
- Solicit specific information through interviews, call letters, an
open forum, or facilitated session.
|
Gather data for key elements of the profile
|
Conduct an environmental scan.
|
- Build on what already exists.
- Validate findings, assumptions, and perceptions with key managers
and the executive committee.
Internal Scan
- Review results of the modern comptrollership capacity check and the
corresponding action plan.
- Review strategic planning documents, audit observations, and
recommendations.
- Consider performance reports and information.
- Review the policy framework.
- Consult with corporate planning, policy, audit, and evaluation
groups.
- Reach out to branch, program, business line, and functional
executives and key managers.
- Consider the use of interviews, surveys, questionnaires, focus
groups, and/or facilitated sessions.
- Consider collecting risk data by program, business line, discipline
or functional area, geographic location, type of risk, sources of
risk, or a combination of these and other relevant categories.
External Scan
- Consider media monitoring and public opinion research.
- Establish advisory groups, boards, or councils.
- Solicit input from consumer groups (users of programs or services).
- Review the government's policy agenda, including the Speech from the
Throne.
- Benchmark organizational status against that of other departments.
- Review Statistics Canada survey results to establish trends.
- Consult with think tanks, associations, as well as interest and
lobby groups.
Consider the following to collect the required information:
- Use the internal scanning services of an existing corporate function
(e.g. the corporate communication group).
- Consult an external service provider for media monitoring or
research services.
- Consider a targeted or omnibus survey or questionnaire.
- Make use of electronic bulletin boards, what-if scenarios, and
facilitated workshops to seek the reaction of stakeholders.
- Develop focus test and pilot approaches to target particular markets
or geographic areas.
|
Understand risk tolerance.
|
Consider the following:
- Review the policy framework (governing instruments, acts,
regulations, etc.).
- Review performance expectations and performance results.
- Determine employees' understanding of the risks taken by themselves,
their team, and the department.
- Determine whether there is a common understanding of risk tolerance.
- Consult key stakeholders to gain a better understanding of their
risk tolerance.
|
Assess current risk management capacity.
|
- Identify risk management tools and techniques now in use and where.
- Determine the level of human resources expertise in risk management
(current knowledge and skills).
- Assess infrastructure, i.e. organizational stability and capacity of
systems.
|
Develop the risk response.
|
- Analyze information collected (environmental scan, capacity to
manage risk, and stakeholders' risk tolerance) and present an
aggregate picture to the executive committee for consideration.
- The executive committee collectively assesses the broad spectrum of
risks facing the organization in terms of likelihood and impact on
achievement of corporate objectives.
- The executive committee decides on five to ten key high-level risks
that need to be managed at the corporate level.
- The executive committee ranks key high-level risks and determines
steps the organization will take to manage these risks.
- Seek to engage key stakeholders to garner support for planned steps.
|
Portray the corporate risk profile.
|
- Consider incorporating corporate key risk and related information
into departmental documents (strategic plan, performance reports,
etc.).
- Think of developing a separate document to list corporate key risks
and related information and mitigation measures.
|
Set up an organizational infrastructure—the why, what, who, and how—to
position risk management as integral to organizational strategy and operations.
Use the corporate risk profile to shape risk management objectives and
strategies that align with the organization's objectives. Build in risk
management so that it becomes part of day-to-day efforts to achieve objectives
and is not seen as an additional requirement.
What
What your department or agency has already done or needs to do:
|
How
There are a variety of ways to do it. Try these proven techniques.
|
Establish a corporate focus for risk management, using
existing structures or building new ones.
|
- Situate integrated risk management under the guidance of a
high-level executive forum chaired by the deputy head.
- Dedicate an initial investment of resources for mobilization.
- Designate a corporate risk champion and provide appropriate support
in terms of executive time and specialist resources.
- Give integrated risk management an appropriate corporate focal point
from which natural linkages can be built to functional areas.
|
Communicate corporate direction on risk management
throughout all levels of the organization to create a risk-smart corporate
culture.
|
- The corporate risk champion leads development of an integrated risk
management policy or framework, using internal expertise or working
with a consultant; show how integrated risk management links to and
supports the organization's objectives.
- Written guidance (framework, policy, or operating principles)
communicated throughout the organization supports individual units in
building risk management into day-to-day operations, making it
meaningful and relevant to all employees.
- Identify and provide guidance on roles and responsibilities, program
targets, critical success factors, performance measures, and sources
and kinds of risk.
- Use a network of local risk champions as a sounding board,
information source, and channel for communicating corporate risk
messages.
|
Integrate risk management into existing decision-making
structures in a seamless fashion.
|
- Establish a common risk language (such as what is meant by risk,
risk management, legal risk management) and use it consistently in
organizational guidance and documents.
- Establish a common risk management process.
- A goal of the process is to make risk management an integral part of
business practices, so that employees do not see it as additional
work.
- Align the approach with corporate planning. The risk champion or
specialist group provides direction and co-ordination for integration
with corporate planning and priority setting, for common processes to
set priorities and allocate resources among major risk areas, and for
a corporate-level environmental scanning process.
- Use the representative, cross-functional working group to propose
and advise on corporate approaches, plans, systems, and practices,
including resource allocation.
|
Build organizational capacity: identify risk management
skills, processes, and practices that need to be developed and
strengthened, by building on existing capacity, tailoring it as needed.
|
- Build awareness of risk management initiatives and culture; broaden
the skills base through formal training; increase the knowledge base
by sharing best practices and experiences; build capacity for
teamwork.
- Develop, adapt, and adopt corporate risk management tools,
techniques, practices, and processes; provide guidance on the
application of tools and techniques; allow for the development and/or
use of alternative tools and techniques that might be better suited to
managing risk in specialized applications; adopt processes to ensure
integration of risk management across the organization.
|
Implement flexible, dynamic approaches and processes to embed risk management
in policies, plans, operations, and day-to-day decision-making. Practise risk
management up, down, and across the organization so the corporate view informs
and is informed by local practices.
What
What your department or agency has already done or needs to do:
|
How
There are a variety of ways to do it. Try these proven techniques.
|
Engage the whole organization by aligning integrated
risk management fully with objectives in all policies, plans, and
operations and integrating results of risk management into practices at
all levels.
|
Guided by the corporate risk profile and the direction provided in
establishing the integrated risk management function:
- The risk champion or specialist group provides direction and
co-ordination for integration with corporate planning and priority
setting and for common processes to set priorities and allocate
resources among major risk areas and for a corporate-level
environmental scanning process.
- Align with objectives at all levels so that people can see the
benefits individually and collectively and how they contribute—this
also clarifies and improves accountability.
- Alignment is done or facilitated by local champions or change
sponsors who work to make the important micro-level changes to all
policies, local procedures, daily activities, processes, and systems.
- Use the risk management committee or working group as a sounding
board and information source.
|
Enable people with processes, tools, and techniques,
making available effective and proven resources and tools.
|
- Use the common risk management process to identify, assess, respond
to, monitor, and evaluate risk.
- Encourage people to assess the ripple effects of their work.
- Use a common risk management language to facilitate communication.
- Provide training tools to enhance knowledge of risk management,
including common risk management processes and special processes, such
as control and risk self-assessment.
|
Sustain a supportive culture and build processes that
develop participation, trust, and swift action on issues.
|
- Active leadership of the deputy head, risk champion, and senior
managers, e.g. one-on-one discussion of key risks between the deputy
head and ADM/business line leaders; collective executive discussion of
corporate and business line risk profiles; senior managers actively
show commitment and support by devoting time in planning and
operational meetings.
- Use the representative, cross-functional working group to propose
and advise on corporate approaches, plans, systems, and practices.
- Keep the corporate risk profile current.
- Report on performance (e.g. against risk management expectations in
key performance indicators, employee performance agreements, and work
descriptions).
- Document risks, processes, decisions, plans, actions, and results.
|
Consult and communicate with internal and external
stakeholders throughout the process.
|
- Use the organization's intranet to promote risk awareness and tools
and to obtain and share risk information, e.g. on risk in specific
areas.
- Aim specific risk messages at target audiences—think "What's
in it for me?" for every person or group.
- Understand and communicate effectively to the public that risk—whether
seen as good, bad or neutral—is inherent and government needs to
manage risk to get a net reward.
- Make use of organizational reports to advance risk messages, e.g.
how risk is being managed.
- Respect the Communications Policy of the Government of Canada.
|
Leverage and build on existing knowledge and capacity to achieve the desired
cultural shift to a risk-smart workforce and operating environment.
What
What your department or agency has already done or needs to do:
|
How
There are a variety of ways to do it. Try these proven techniques.
|
Create a supportive work environment.
|
- Demonstrate management commitment to and support for learning by
linking learning to departmental risk management priorities.
- Value knowledge, new ideas, new relationships, and experimentation.
- Celebrate success stories and significant contributions.
- Develop, use, assess, and refine risk management tools.
|
Build capacity.
|
- Include risk management in formal training plans for individuals and
teams.
- Incorporate risk management thinking in existing training programs,
as appropriate.
- Leverage and capitalize on external learning opportunities.
- Develop courses to focus on departmental approaches and priorities.
|
Learn from experience.
|
- Establish an effective process to document and share lessons learned
internally and more broadly in the federal community.
- Treat decisions, events, and actions that do not turn out as
planned as opportunities for learning.
- Evaluate results of risk management decisions to determine
effectiveness. (Would the same action be taken in similar
circumstances in future?)
|