ARCHIVED - Integrated Risk Management Implementation Guide
A Common Risk Management Process
A common, continuous risk management process helps organizations understand,
manage, and communicate risk. Continuous risk management has several steps.
Emphasis on various points in the process may vary, as may the type, rigour, or
extent of actions considered, but the basic steps are similar. The accompanying
diagram illustrates a sample continuous risk management process that focuses on
an integrated approach to risk management. The diagrams and description are
taken from the Integrated Risk Management Framework.
Internal and external communication and continuous learning improve risk
management understanding and skills at all levels of an organization. The
process provides common language, guides decision-making at all levels, and
allows organizations to tailor their activities at the local level. Documenting
the rationale for decisions strengthens accountability and demonstrates due
diligence.
The common risk management process and related activities are as follows:
Risk Identification
1. Identifying Issues, Setting Context
- Define the problems or opportunities, scope,
context (social, cultural, scientific, etc.), and associated risk issues.
- Decide on necessary people, expertise, tools,
and techniques (e.g. scenarios, brainstorming, checklists).
- Perform a stakeholder analysis
(determine risk tolerances, stakeholders' position, attitudes).
Risk Assessment
2. Assessing Key Risk Areas
- Analyze the context and results of the
environmental scan and determine the types and categories of risk to be
addressed, significant organization-wide issues, and vital local issues.
3. Measuring Likelihood and Impact
- Determine the degree of exposure, expressed as
likelihood and impact, of assessed risks and choose the appropriate tools.
- Consider both the empirical evidence and public
context.
4. Ranking Risks
- Rank risks, considering risk tolerance
and using existing or new criteria and tools.
Risk Response
5. Setting Desired Results
- Define objectives and expected outcomes
for ranked risks for the short and long term.
6. Developing Options
- Identify and analyze options (i.e. ways
to minimize threats and maximize opportunities), approaches, and tools.
7. Selecting a Strategy
- Choose a strategy and apply decision criteria
that are results-oriented and problem- or opportunity-driven.
- Apply, where appropriate, the
precautionary approach as a means of managing risks of serious or irreversible
harm in situations of scientific uncertainty.
8. Implementing the Strategy
- Develop and implement a plan.
Monitoring and Evaluation
9. Monitoring, Evaluating, and Adjusting
- Learn to improve the decision-making
and risk management process locally and organization-wide, using effectiveness
criteria, reporting on performance and results.
Organizations can vary the basic steps and supporting tasks most suited to
achieving common understanding and implementing consistent, efficient, and
effective risk management. A focussed, systematic, and integrated approach
recognizes that all decisions involve management of risk, whether in routine
operations or for major initiatives involving significant resources. It is
important that the risk management process be applied at all levels, from the
corporate level to programs and major projects to local systems and operations.
While the process allows tailoring for different uses, having a consistent
approach within an organization assists in aggregating information to deal with
risk issues at the corporate level.
Many other common processes for risk management are available, including the
Australian/New Zealand Standard, the Canadian Standards Association's Q850, and
those of the Software Engineering Institute. (Links to these organizations' Web
sites are available on the TBS Web site.) Regardless of the process, number of
steps, or terminology, all processes cover the same four components:
- risk identification;
- risk assessment;
- risk response; and
- monitoring and evaluation.
Most models also emphasize the importance of communication throughout the
process.
The following advice on applying a risk management process supplements the
guidance provided in the IRMF.
Risk Identification
Search for and locate risks before they become problems.
Ways to do it
- brainstorming
- strength-weakness-opportunity-threat (SWOT)
analysis
- risk forms/identification sheets
- surveys and questionnaires
- interviews and focus groups
Questions to consider
- What is at risk?
- What are the major objectives?
- What are the risks associated with each
objective?
- Who are the stakeholders?
Tips
- Include contextual information, as well as the
risk itself.
- Multi-disciplinary teams improve the chances of
identifying new risks.
- Open communication and a forward-looking view
are key.
- Include stakeholder risk tolerances,
positions, and attitudes.
Risk Assessment
Transform risk data into decision-making information by examining risks in
detail to assess key risk areas, determine the likelihood and impact of the
risks, how they relate to each other, and which are the most important.
Ways to do it
- Determine the degree of exposure based on
likelihood, impact, and time frame.
- Qualitative methods include brainstorming,
evaluation using multi-disciplinary groups, specialist judgement, structured
interviews, and questionnaires.
- Quantitative techniques include consequence
analysis, decision trees, life cycle cost analysis, simulation or computer
modelling, statistical analysis, and market research.
- Rank risks to determine which to deal with
first.
Questions to consider
- What is the acceptable level of risk?
- What are the current controls?
- What are the potential consequences if the risk
occurs?
Tips
- Assess key risk areas by grouping risks based
on shared characteristics, by source, impact, or some other measure.
- Impact and likelihood matrices can help
visualize all risks together.
- Consider both the empirical evidence and the
public context.
Risk Response
Decide what to do about the risks identified by translating risk information
into decisions and mitigating actions.
Ways to do it
- Set desired results and define objectives and
expected outcomes for ranked risks over the short and long term.
- Develop options to minimize threats and
maximize opportunities. Consider ways to avoid the risk; mitigate its impact or
likelihood; transfer it to another party; accept and monitor it.
- Select and implement a strategy.
Questions to consider
- What is the feasibility and cost-effectiveness
of each option?
- What resources are required?
Tips
- The objective is to take a balanced approach in
developing mitigation strategies. Do not over-plan or oversimplify.
- Do not lose sight of the end product when
developing mitigation plans.
Monitoring and Evaluation
Monitor risks and mitigation strategies, adjusting your approach as required.
Learn from the approach to improve the decision-making and risk management
process locally and organization-wide.
Ways to do it
- periodic status reports
- analysis of trends and patterns
- reports on performance and results
Questions to consider
- Based on the effectiveness of the mitigation
strategy, has the status of any risk changed?
- Are initial assumptions still valid?
- What improvements to the current strategies and
processes can be made?
Tips
- Have contingency plans in place to invoke if
needed.
- Communicate best practices and lessons learned
from both successes and failures.
- Understand that risk management is a continuous
process; new risks may emerge requiring assessment and response.
Provide Effective Resources, Tools, and Techniques
Resources
Consider information on resources listed in the Selected References section
of this guide and information on or links to risk management resources on the
TBS Web site. For example, the CCMD document, A Foundation for Developing Risk
Management Learning Strategies in the Public Service, provides useful
information from several
perspectives, such as understanding risks, competencies required, sample risk
identification lists, and barriers and solutions to good risk management.
Tools and techniques
- software tools
- self-assessment tools
- risk scorecard tool kits
- modelling tools, such as scenario analysis and
forecasting models
- functional frameworks, e.g. Precautionary
Approach (A Framework for the Application of
Precaution in Science-based Decision-making about Risk),
Legal Risk Management
- systematic processes, e.g. Canadian Standards
Association Q850
- Internet and intranet to promote risk awareness
by sharing information internally and externally
- qualitative techniques, e.g. workshops,
questionnaires
Consultation and communication
This is essential in supporting sound risk management decisions and must be
considered at every stage of the risk management process.
Internal communication is necessary to provide efficient transfer of
information between all levels in an organization.
Tips for Communicating with Managers
- Give the big picture first.
- Answer key questions.
- Provide a qualitative description, not just a
number.
- Use real-life stories and powerful analogies.
- Tell not only what you know, but also what you
suspect.
- Spare the minute details.
- Point out where data are weak.
- Indicate where there is uncertainty.
- Identify the positions of stakeholders.
External communication involves key stakeholders at all stages of the risk
management process, as appropriate, respecting the Communications
Policy of the Government of Canada. The following
tips apply to communication at each of the four stages of the risk management
process.
Risk Identification
- Define the issue and identify potential
stakeholders.
- Explore stakeholders' needs, issues, and
concerns.
- Decide how to communicate with stakeholders.
- Formulate initial messages and identify a
spokesperson.
- Develop initial briefing material for key
officials, as appropriate.
Risk Assessment
- Research background information on the risk
issue and the history of stakeholders' concerns.
- Determine stakeholders' concerns,
expectations, perceptions, knowledge levels, and needs.
- Anticipate possible incidents, events, or
allegations that may arise and plan responses.
- Ensure rapid response mechanisms are in place
to respond to media stories and stakeholders' concerns.
- Develop a media strategy to support the public
consultation process.
Risk Response
When developing and analyzing options:
- facilitate continuing communication with and
between stakeholders;
- share the concerns of stakeholders with others;
- determine acceptability to stakeholders of
options for responding to the risk; and
- develop a proactive media strategy to assess
public reaction to potential options.
When implementing a chosen option:
- implement a broad-based communications
strategy, including a proactive media plan;
- adopt a high-visibility strategy in key
locations to get the message out and to respond to public concerns about the
action plan;
- finalize the media strategy;
- prepare information material for stakeholders
and key government officials; and
- develop a rapid response mechanism for public
comments.
Monitoring and Evaluation
- Monitor public reaction.
- Conduct polling to gauge public concerns and
reactions.
- Analyze media coverage to determine trends.
- Fine-tune and rework key communications
messages accordingly.
- Communicate findings internally and externally
and flag emerging or potential issues.
- Conduct a formal evaluation and develop
contingency plans for the future.
- Assess the impact of the action plan on
affected stakeholders and compare to what was predicted.
Tips
- Common understanding does not necessarily lead
to consensus.
- Credibility and trust take a long time to
develop but can be destroyed in an instant.
- Base all discussions on fact.
- Independent third-party support enhances
credibility.
- Perceived risk often differs dramatically from
objectively measured risk.
- Communicate early and often.
Departments and agencies have been sharing information on risk communication
and consultation. Readers interested in additional information are directed to
the TBS Web site or individual departmental or agency Web sites. For example,
the Canadian Food Inspection Agency prepared a paper entitled Risk
Communication and Government: Theory and Application for the Canadian Food
Inspection Agency (available on-line at www.inspection.gc.ca). The paper, which includes an extensive reference list,
was designed to explore risk communication from a government perspective,
including a review of some of the recent theory on risk communication with a
focus on food risk and science-based communication.