Treasury Board of Canada Secretariat
Symbol of the Government of Canada

ARCHIVED - Best Practices in Risk Management: Private and Public Sectors Internationally


Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Executive Summary

This Executive Summary of the "Best Practices in Risk Management: Private and Public Sectors Internationally" report highlights the study background, best practices and observations and conclusions of the study.

A. Study background

KPMG was engaged to identify best practices in risk management in the private and public sectors internationally. The study objective was to identify risk management best practices including strategies, approaches, methods, tools and techniques and how they can be used in the Canadian federal government. The study was conducted in parallel with a study on best practices in Canadian private and public sector organizations carried out by another consulting firm. Our teams worked closely together to have a common understanding of the study requirements and to ensure that we would be able to present a coordinated summary.

The study focuses on the "best" practices, i.e., practices that were particularly effective in helping an organization achieve its objectives for managing risk and are deemed to be of value to other organizations. The study focuses on risk management practices that have been integrated into other management practices such as those for planning and decision-making. It also looks at the strategies for planning, developing, implementing and monitoring risk management.

Exhibit 1 shows our study approach which consisted of four components: a literature review and contact with our KPMG offices abroad; contact with organizations to obtain their interest in participating; our interviews and data collection; and analysis and reporting. We used our international KPMG network to identify organizations in the countries of interest that have good risk management practices.

Our study sample consisted of 228 relevant publications and interviews with eighteen organizations from Australia, France, Germany, Sweden, Switzerland, the United Kingdom, New Zealand, South Africa, Taiwan, and the United States. Organizations from Western Europe, Australia and New Zealand accounted for almost 80 per cent of the sample. The sample included twelve private sector and six public sector organizations. We interviewed companies in these industries: manufacturing; mining and natural resources; financial services; pharmaceuticals; technology and communications; and utilities.

Exhibit 1 Approach

Exhibit 1: Approach

 

B. Benefits of managing risk

The organizations reported many benefits of managing risk. The benefits, overall, relate to organizational objectives and the management process. The key benefit is the achievement of organizational objectives. Other reported benefits are better focus on business priorities, strengthening of the planning process and the means to help management identify opportunities. The reported benefits to the management process include: a cultural change that supports open discussion about risks and potentially damaging information; improved financial and operational management by ensuring that risks are adequately considered in the decision-making process; and increased accountability of management.

C. Best practices

Exhibit 2 provides an overview of the eleven best practices that we identified in the study. The "hub," from which all other practices derive, is the organizational philosophy. All practices provide the movement to integrate risk management within the organization. Approaches, tools and techniques are the interface with the "road", or the direction and objectives of the organization. Many of the practices are inter-related. For example, "teaming" requires "open communication".

Exhibit 2Overview of best practices


Exhibit 2: Overview of Best Practices

Source: KPMG
KPMG

  • Promoting an organizational philosophy and culture that says everybody is a risk manager: By far, the predominant practice for integrating risk management is to build an organizational culture in which everybody is a risk manager. Some organizations indicated that this is more important than developing and issuing extensive policies and procedures. Employees that take responsibility for their actions and outcomes become risk managers. Ideally, the employees intuitively understand the organization's goals and work towards them.
  • Senior management and/or governing bodies champion risk management and define and communicate acceptable levels of risk: The responsibility for driving risk management is placed high in the organization. Senior management (and/or the governing bodies such as the Board of Directors) must be aware of, understand and support risk management. Senior management and the board sends the message internally and externally about the importance of managing risk. Also, it is important that other managers, stakeholders, and employees see their involvement.

Some organizations set specific responsibilities in risk management for the Board and senior management. The Board may provide guidance such as identifying the principal risks to the business, ensuring that appropriate systems are implemented to manage the risks, ensuring the integrity of the control and management systems, and defining responsibilities and monitoring major risks. Management is accountable for coordinating the risk management and identifying, evaluating, controlling and reporting risks. The Board of Directors or senior management may define, develop and approve a Risk Policy. The Risk Policy states the level of risk that the operation is willing to accept. It might also state roles and responsibilities and practices for managing risk.

  • Establishing open communication channels: Open communication is necessary for risk management to succeed. Without open communication risk management cannot be "everybody's business". Managers require direct communication channels up, down and across their business units to help identify risks and take appropriate actions. Information must be shared.
  • Using teams and committees: Informal and formal teams are a mechanism that many organizations use to manage risks. Teaming brings together various risk attitudes and brings fresh thinking to issues and solutions. It also focuses diverse disciplines on common objectives.
  • Using a simple, common business risk language: A common business risk language enables managers to talk with individuals from the boardroom to the boiler room in terms that everybody understands. This is important also in cases where everybody is expected to manage risks. The designers of the approaches must balance simplicity with usefulness.
  • Setting up a corporate risk management function: Many organizations have set up a responsibility centre for risk management. Some units are headed by a Chief Risk Officer (CRO) who defines consistent approaches to managing risk. The CRO is the organizational risk champion and is responsible for providing leadership and establishing and maintaining risk awareness across the organization. The CRO might also set up risk control objectives, a risk framework, and design ways to measure risk.
  • Communicating risk management performance: A handful of organizations report to management and stakeholders/shareholders on risks and risk management performance. For example, in one organization, Business Unit Managers are required to report three times annually to the Finance and Risk subcommittee of the Board. The reports outline the units' top ten risks and how they are managed.
  • Internal Audit and/or the Audit Committee assists in implementing risk management: The internal audit function plays a key role in implementing risk management throughout an organization. Examples of their assistance are: facilitating self-assessment workshops; monitoring and reporting on the management of significant risks; providing advice; raising awareness of risk management; reviewing processes for managing risks; and sitting on the risk management committee.
  • Guidance: Guidance is provided indirectly (documents, such as "tool kits") or directly (advice, such as internal consulting services).
  • Risk management training: Risk management training, as part of a corporate training curriculum, helps integrate risk. Topic areas include: risk assessments; best practices; legislative requirements; safety; objectives for managing risk; risk-awareness training to ensure that all managers consider risk.
  • Approaches, tools and techniques: Organizations are using a number of approaches, tools and techniques for managing risk. Many are developing business risk maps which help the organization identify, understand and address its business risks. The use of a broad scope framework can influence a discussion on the sources and types of risks, for example, external, economic, market, credit, information, human resources and strategic. This brings a multi-disciplinary perspective for looking at the risks. Modeling tools, such as scenario analysis and forecast models, enable managers to manage uncertainty. By using scenario analysis, decision makers can see the range of possibilities and build the scenarios into the organization's contingency plans. Techniques for identifying and assessing risks help managers identify where they should be focusing their attention and resources. Techniques include workshops, questionnaires, self-assessment, risk scans and assessment templates. The internet/intranet is increasingly being used to: promote risk awareness and management; obtain information on risk in specific areas; communicate with employees; share information on risk management across agencies; and communicate risk management objectives.

D. Observations

We offer the following observations concerning risk management from our analysis of best practices:

Risk management, like comptrollership, is a mind-set:
Managers should be conscious of risk management and integrate it into their other management practices. Overly bureaucratic and complex processes will submerge risk management into irrelevance. Managers need the flexibility to use techniques that make sense for them and their operation. However, the technique must allow for the roll up and comparison of operating unit results at the corporate level. Specialists need to be available to assist managers.
Risk management and corporate ethics functions should work together:
The information we gathered indicates that risk management programs and ethics programs are related. For example, a written code of ethics is a mechanism to communicate the values of the organization and the related risks. An ethics program for government employees is viewed as a way to sensitize employees to ethical issues or risks affecting the key entity's values.
Risk management is a dynamic process:
As the business needs and business risks change, new processes or tools for managing the risks are required. How organizations are performing at managing risk must also be monitored and continuously improved. Risk assessments are not a "one-off" exercise.
Many functional specialists will play a role in risk management:
Our review of best practises indicates that many functional specialists will play a role in managing risk. These include specialists in information technology, human resources, communications and financial management.
Risk management must be adequately resourced:
Senior management must be committed to supporting the initiative with the required resources. Investments will be required in training, developing processes and techniques, management systems and setting up specialist groups.

E. Conclusions

We conclude that the best practices are generally applicable to the federal government context. Exhibit 3 maps the best practices to the assessment criteria. The practices are consistent with the current direction for risk management in the government. Most will contribute to improving service delivery. By managing risks, managers are more likely to achieve their objectives. Hence, they would be more likely to meet service delivery objectives and targets. Practices such as the organizational philosophy, open communication channels, teams and committees, guidance, and training contribute to a supportive work environment. These practices also support innovation.

While the practices do facilitate management decision-making and planning, the link to sound resource allocation is less strong. However, the tools for mapping, modelling, identifying and assessing risks do help focus the resources on key risks and, in this way, allocate the resources to the most critical areas.

There may be significant barriers to implementing those best practices that are very different from the status quo. Most federal departments and agencies operate with traditional organizational structures having a defined reporting and management hierarchy. Hence, implementing a philosophy and culture that everybody is a risk manager may be a stretch target. Similarly, the current environments do not welcome bad news or open communication channels.

Departments and agencies will need to adopt the practices that make sense for the organization and are linked with the benefit targeted by the organization. There are many different ways that these practices can be implemented in organizations.

Exhibit Assessment of practices


Exhibit 3: Assessment of practices


I Study Background

This chapter summarizes the purpose of the study and its objectives. We set the context for the study and describe our approach. Finally, we report on the study sample.

A. Study purpose and objectives

This section describes the purpose and objectives for this study on best practices in risk management in public and private sector organizations internationally.

1. Study purpose

The Canadian federal government is continuing to implement recommendations from the Report of the Independent Review Panel on Modernization of Comptrollership in the Government of Canada. The Panel's report identified four key elements of modern comptrollership:

  • Performance information-financial and non-financial, historical and prospective.
  • Risk management.
  • Control systems.
  • Ethics, ethical practices and values.

Creating and sustaining a mature risk management environment was one of the crucial components of the approach recommended by the Panel. To enable such an environment, the Treasury Board Secretariat (TBS), with federal departments and other interested parties, is developing a results-oriented approach to risk management to help employees better understand, manage and communicate risk and the related choices-a modern, integrated approach. The result of this work is expected to be an umbrella policy that sets the context for federal risk management along with guidance, tools, techniques and training for use in federal departments.

This study is one of four concurrent studies which are helping provide background research on best practices in risk management. This study examines the private and public sectors internationally.

2. Objective and scope

The objective of the project is to identify risk management best practices including strategies, approaches, methods, tools and techniques and how they can be used in the Canadian federal government.

The study is being conducted in two parts concurrently by two firms. KPMG was engaged to identify best practices in the private and public sectors internationally. In accordance with the study terms of reference, we collected information on best practices in Western Europe (the United Kingdom, France, Germany, Switzerland), Australia, New Zealand and the United States. We also collected information from organizations in South Africa and Taiwan. Our statement of work is included as Appendix A.

B. Context and approach

In this section, we describe the context and approach for the study. It is important to understand this, since it influenced the information that we collected in the course of the study and discuss in this report.

1. Context

As indicated above, this study on international best practices was conducted in parallel with a study on best practices in Canadian private and public sector organizations carried out by another consulting firm. Our respective terms of reference required that we present a coordinated summary of our conclusions and recommendations to the Project Authority. Thus, early on in the project, our teams worked closely together to have a common understanding of the study requirements and to ensure that we would be able to integrate the information collected so we could present a coordinated summary. For example, we defined "best practice" and the elements of managing risk that were pertinent to the study.

It is important to note that the study does not document the full range of risk management practices.

  • First, the study focuses on the deemed "best" practices, as compared to "good" practices. We defined a "best practice" as a strategy, approach, method, tool or technique that was particularly effective in helping an organization achieve its objectives for managing risk. A best practice is also one which is expected to be of value to other organizations. For example, a practice that was particularly helpful in establishing guidance would be of value to any other organization that has a responsibility to provide guidance.
  • Second, the study focuses on risk management practices that have been integrated into other management practices such as those for planning and decision-making. It also looks at the strategies for planning, developing, implementing and monitoring risk management. Specifically, we collected best practices in three areas:
  • Integrating risk management into other management practices.
  • Tools for integrating risk management.
  • Key disciplines and functions which use risk management.

We elaborated on these areas in our interview guide.

Hence, although there may be many "good" practices in an organization, we do not report on them. Nor do we report on a complete process or system for managing risk.

2. Approach

Exhibit I-1 shows the approach we used to conduct the study.

Exhibit I-1n Approach


Exhibit I-1: Approach

Our approach consisted of:

  • Literature review and contact with KPMG offices abroad: At the project start, we reviewed relevant literature to prepare a preliminary list of organizations abroad that were recognized as good risk management practitioners. We used our international KPMG network to identify other organizations (through our local practices) and to provide introductions and contact names to open the doors for us. These offices have a broad knowledge of the public and private sector organizations in their marketplace. Hence, they would be aware of organizations that have good risk management practices. We targeted organizations in Western Europe, Australia, New Zealand and the United States. We also targeted organizations in Asia. All in all, this was the most difficult part of the study since we had to communicate across time zones and deal with absences from offices. We continued our review of literature published outside Canada to collect best practice information. Again, we used our resources in KPMG offices abroad to identify and help obtain the publications of interest. Appendix B is the bibliography of the publications reviewed for this study. We reviewed 228 articles published outside of Canada.
  • Contact organizations for their interest in participating: Throughout these initial steps in the project, we respected the requests of our international colleagues in KPMG offices abroad. For example, some colleagues preferred that they contact the organizations directly to obtain their participation. Also, some requested that they conduct the interviews in person on our behalf. In all other cases, we contacted the organizations directly and scheduled telephone interviews.
  • Obtain information from interviews: For interviews that were conducted out of Canada, we sent, in advance of the interview, the study background documentation and the interview guide shown in Appendix C. In order to ensure that the interviews conducted by our colleagues abroad were consistent with those conducted by phone from Canada, we provided guidance documents to these colleagues as well as the background documentation and interview guide to forward to the contact in advance of the meeting.
  • Analysis and reporting: We synthesized our findings from the interviews and our extensive literature review to identify the best practices and lessons learned. We also made a preliminary assessment of the extent to which the best practices are applicable to the Canadian federal government.

3. Applicability of best practices to the Canadian public sector

Our study terms of reference required that we document the identified best practices and make recommendations on their usefulness and applicability in the Canadian federal government context. Jointly with the other contractor, we prepared a list of criteria for assessing the applicability of the best practices to the Canadian federal government. The final set of criteria, included as Appendix D, incorporates input from an internal advisory committee of departmental representatives. To the extent possible, we have assessed the applicability of the practices against these criteria.

4. Study sample

Our study sample consisted of:

  • Interviews with eighteen organizations.
  • A review of 228 relevant publications.

Hence, we are confident in our base for drawing on best practices.

The organizations interviewed represent Australia, Western Europe (France, Germany, Sweden, Switzerland, the United Kingdom), New Zealand, South Africa, Taiwan, and the United States. Exhibit I-2(a) shows the distribution by location. The sample is predominantly comprised of organizations from Western Europe, Australia and New Zealand.

Exhibit I-2(a)
Distribution of organizations by location


Exhibit I-2(a): Distribution or Organizations by location

The organizations represent twelve private sector and six public sector organizations. Exhibit I-2(b) shows the distribution of organizations by industry. Organizations from government represent 32 per cent of the sample (six organizations). Five of these represent the federal level; one, other levels of government. The remainder represent a variety of industries: manufacturing, mining and natural resources, financial services, pharmaceuticals, technology and communications, and utilities. We are satisfied that we have achieved a solid balance of geographic and industry representation in the timeframe available for the study.

Exhibit I-2(b)
Distribution of organizations by industry


Exhibit I-2(b): Distribution of organizations by industry

We found in our interviews that these public and private sector organizations were facing similar issues as the Canadian federal public sector: environments of constraint, pressures for innovation, and changing organizational cultures.

Our extensive literature search provided information on best practices in numerous other organizations. A practice reported in a publication is a "best practice", according to the definition used in this study. Clearly, the practice is deemed to be effective and of value to other organizations if it is discussed publicly.


II Why Implement Risk Management?

This chapter provides an overview of the benefits from implementing risk management. Also, we briefly discuss the status of the implementation in the organizations.

A. Benefits

There is certainly a strong case for implementing risk management. The reported benefits of managing risk include:

  • Achievement of organizational objectives.
  • Better focus on business priorities. Additionally, it enables managers to focus their resources on the primary objectives. Resources are not re-directed to deal with problems. This results in increased confidence of shareholders and ministers. Taking action to prevent and reduce loss, rather than cleaning up after the fact, is an effective risk strategy.
  • A cultural change that supports open discussion about risks and potentially damaging information. The new culture tolerates mistakes but does not tolerate hiding errors. Also, the culture emphasizes learning from the mistakes.
  • Improved financial and operational management by ensuring that risks are adequately considered in the decision-making process. Improved operational management will result in more effective and efficient service delivery. By anticipating problems, managers may have more opportunity to react and take action. The organization will be able to deliver on its service promise.
  • Strengthening of the planning process and a way to help management identify opportunities.
  • Increased accountability of management in the short term. In the longer term, increased overall management capabilities.
  • Increased value (private sector comment).

B. Status of implementing risk management

This section briefly talks about the status of implementing risk management including its extent and definition.

1. Extent of risk management

All the organizations that we interviewed had always been practicing some form of risk management - for example, risk management in specific disciplines such as finance. Some organizations were adding more substance to their existing processes. About a third were now focusing on implementing risk management to deal with business or organization risk.

The practices from the literature review related to implementations of business risk and discipline risk.

The interest in implementing business risk management is growing.

2. Definition of risk

For the most part, risks are perceived as any thing or event that could stand in the way of the organization achieving its objectives.

Hence, for these organizations, risk management is not about being 'risk averse'. Risk management is not aimed at avoiding risks. Its focus is on identifying, evaluating, controlling and "mastering" risks. Risk management also means taking advantage of opportunities and taking risks based on an informed decision and analysis of the outcomes.


III Best Practices

This chapter reports on the best practices that we identified in our literature reviews and interviews. We report them in two categories: integrating risk management into management practices, and approaches, tools and techniques for managing risk.

Exhibit III-1 provides an overview of the best practices. The "hub," from which all other practices derive, is the organizational philosophy. Taken together, all practices provide the movement to integrate risk management within the organization. Tools and techniques are the interface with the "road", or the direction and objectives of the organization.

Exhibit III-1 Overview of best practices


Exhibit III-1: Overview of best practices

Source: KPMG
KPMG

A. Integrating risk management into other management practices

This section reports on the best practices for integrating risk management into management practices.

1. Promoting an organizational philosophy and culture that says everybody is a risk manager

By far, the predominant practice for integrating risk management is to build an organizational culture in which everybody is a risk manager. Some organizations indicated that this is more important than developing and issuing extensive policies and procedures. Management of risk is embedded in the management philosophy. Employees that take responsibility for their actions and outcomes become risk managers. Ideally, the employees intuitively understand the organization's goals and work towards them. One organization noted that the culture originated in the employee ranks and eventually flowed up to the senior management.

Examples of this practice are:

  • Installing restroom mirrors that remind employees that "you are looking at your safety manager".
  • Instilling a "sense of excellence" in the culture which encourages people to seeks solutions and talk honestly about where they need help.
  • Involving all staff in risk management activities through committees and holding meetings at different work sites.

Sometimes, the culture has to be developed. Practices to achieve this include:

  • Setting up the risk management department as a centre of excellence to spread risk management procedures and practices across the organization. The aim is to encourage people to be their own risk managers with the risk management department acting in a support capacity.
  • Recruiting on attitude instead of experience, in order to provide outstanding customer service. This helps manage customer risk.
  • Introducing penalties. One government introduced a "corporate killing" offense designed to punish corporate directors when they fail to correct unsafe practices that result in death.
  • Setting up recognition and reward initiatives that encourage employees to manage risks and take advantage of opportunities.
  • Implementing remuneration packages that discourage excessive risk taking. For example, some securities traders have moved to basing traders' remuneration on a formula which compares their profits to those of a benchmark reflecting returns in the market as a whole. In another organization, a "sustainability index" is used to calculate management's bonus. The index is calculated using the cost of electricity, affirmative action achievement and the technical performance of the plant, transmissions and grid.
  • Evaluating employees' performance in managing risks, through the performance appraisal process.
  • Defining risk management as part of the requirement for all management positions.
  • Reinforcing ethics and values by issuing a written code of ethics or communicating them through training, meetings or workshops.

The reported benefit of a risk management culture is that organizations can change more rapidly and can manage risks more effectively.

2. Senior management and/or governing bodies champion risk management and define and communicate acceptable levels of risk

The responsibility for driving risk management is placed high in the organization. This is also a tool for embedding risk management in the culture. The support of senior management (and/or the governing bodies such as the Board of Directors) is essential. As a start, senior management and the Board must be aware of and understand risk management. There is a wide variety of ways in which the senior leaders are involved in risk management. However, underlying these ways is the role of senior management and the board to send the message internally and externally about the importance of managing risk. Also, it is important that other managers, stakeholders, and employees see their involvement. Managing risk is not just a discussion item for management committees behind closed doors.

Ways that the senior management and Boards lead risk management initiatives include:

  • The risk management group uses senior management as sponsors to ensure the risk management message is taken up by their direct reports.
  • The Chief Executive Officer attended each meeting for implementing risk management processes. The Chief Financial Officer of the organization was the first senior manager to develop an action plan for an item emerging from a risk workshop.
  • Senior Management devotes a day of its annual strategic planning process to identifying and quantifying risks at a strategic level.
  • Senior executives sit on an internal control committee and are tasked with providing their department heads with the appropriate internal control mechanisms.
  • Board members were asked to think of one risk that kept them awake at night. Then, they were charged with overseeing the management of that risk.
  • A safety supervisory board, a subsidiary of the main Board of Directors, reports monthly to the Board of Directors on performance in health, safety and environment.
  • Board sign off for new business cases which must include a risk analysis.
  • A (external) Council has set the parameters which the risk assessment team uses.

Some organizations report that they set specific responsibilities in risk management for the Board and senior management. The Board may provide guidance such as identifying the principal risks to the business, ensuring that appropriate systems are implemented to manage the risks, ensuring the integrity of the control and management systems, and defining responsibilities and monitoring major risks. Management is accountable for coordinating the risk management and identifying, evaluating, controlling and reporting risks. Most importantly, the Board of Directors or senior management, defines, develops and approves a Risk Policy.

The key message of the Risk Policy is the level of risk that the operation is willing to accept. The policy might also state roles and responsibilities and practices for managing risk. Managers require clear direction on risk tolerance. That direction must come from the governing body or senior management. Workshops are another way to communicate the tolerances.

3. Establishing open communication channels

The practices reported demonstrate that open communication is necessary for risk management to succeed. For example, teams rely on communication to address risks and achieve objectives. Also, many report that open communication is a way to easily integrate risk management into existing processes. If communication is not there, risk management cannot be "everybody's business". Managers require direct communication channels up, down and across their business units to help identify risks and take appropriate actions. New looser-information based structures are replacing traditional organization structures with defined reporting relationships. Information must be shared.

Examples of open and good communication are:

  • Using the intranet to communicate the organization's efforts and involve all employees in managing risk. It is also used to communicate objectives.
  • Appointing managers whose only task is to communicate risks to employees.
  • Holding quarterly meetings of a risk management committee to review and discuss the organization's exposure and protection measures.
  • Using the risk management function to communicate objectives.
  • Promoting awareness of risk management issues through monthly, quarterly and annual reports. The reports focus on areas that require help from the risk management group.
  • Making presentations to senior management and/or the governing body on the risk management process.
  • Encouraging people to discuss mistakes.

4. Using teams and committees

Informal and formal teams are a mechanism that many organizations report they are using to manage risks. Teams were cited in a number of situations such as the management of financial risk, construction projects, workers' compensation, health and safety, insurance, contract management, transport, treasury management, project management, new product development. Teaming brings to light the dynamics between disciplines, brings together various risk attitudes, and brings fresh thinking to issues, opportunities, strategies and solutions. It is perceived as a way to focus diverse disciplines on common objectives, one of which is minimizing risk. Teams provide balance. Also, teams pollinate a concern for risk management throughout the organization, rather than being the concern of a function or discipline. While the practice of teaming is recognized as a "best practice", there was no common practice concerning the composition of the team.

The composition of formal risk management teams included:

  • Line management, treasury, audit, compliance, public relations, human resources and risk management professionals.
  • Specific risk management teams for each of contract management control, health and safety, insurance, transport and treasury management.
  • Multi-disciplinary teams for projects and product development.
  • Seeding management teams with individuals with varying risk attitudes.
  • A cross-functional risk management committee with representation from operating units and treasury/finance, human resources and risk management.
  • A risk management strategy steering group where all major functions are represented.
  • A risk management committee composed of division heads.

In other cases, various disciplines are encouraged to work together, such as:

  • The audit group, the Chief Financial Officer, senior management, and treasury.
  • A workers' compensation claims department, medical department, corporate ethics department, security, human resources and legal department jointly taking on risk management responsibilities.
  • A claims coordinator working closely with the human resources department.
  • A team of loss control specialists and claim handlers available during construction projects.
  • A project team of corporate audit, finance and control, and a chartered accountant which supports managers' self-assessment of risk.

Teams provide a wider perspective and look at various angles of risks and consequences. To operate, teams require open communication.

5. Using a simple, common business risk language

In order to integrate risk management into other management processes, the terminology should be easily understandable by managers. The approaches should also be simple to understand and use. By developing a common business risk language, managers can talk with individuals from the boardroom to the boiler room in terms that everybody understands. This is important also in cases where everybody is expected to manage risks. The risk management approaches and processes must be simple to be accepted by business management. Organizations have reported that complex, intellectual tools have proven to be unsuccessful. Others caution that the approaches must also be flexible to be meaningful across business units. Though the process must be simple and useful across units, the process should not be oversimplified. The designers of the process must balance simplicity with usefulness.

6. Setting up a corporate risk management function

Many organizations have set up a responsibility centre for risk management. Some units are headed by a Chief Risk Officer (CRO) who defines consistent approaches to managing risk. As the organizational risk champion, the CRO is responsible for providing leadership and establishing and maintaining risk awareness across the organization. The CRO might also set up risk control objectives, a risk framework, and design ways to measure risk. These senior risk managers must have strong persuasion skills. The risk manager must deal with business risks, not just insurable risks. In this way, their importance within the organization increases.

7. Communicating risk management performance

A handful of organizations report to management and stakeholders/shareholders on risks and risk management performance. Ways of reporting are:

  • The Internal Control department presents two reports annually to the President. The reports communicate the results of monitoring risk. Each Operating Division is required to prepare an annual report on its monitoring results for the Internal Control Department.
  • Business Unit Managers are required to report three times annually to the Finance and Risk subcommittee of the Board. The reports outline the units' top ten risks and how they are managed.
  • Managers advise the Board on the risks of their ventures and key shareholders/stakeholders have their say.

8. Internal Audit and/or the Audit Committee assists in implementing risk management

The internal audit function plays a key role in implementing risk management throughout an organization. Examples of this practice are:

  • Facilitating self-assessment workshops.
  • Monitoring and reporting on the management of significant risks.
  • Providing advice.
  • Raising awareness of risk management among managers.
  • Identifying critical risks and preparing "watching briefs" on them.
  • Monitoring compliance in key areas, such as legislative requirements.
  • Reviewing processes for managing risks.
  • Communicating objectives for managing risk.
  • Sitting on the risk management committee.

9. Guidance

Providing guidance is an important practice for integrating risk management. Guidance is provided indirectly (documents) or directly (advice). Examples of this practice are:

  • A guidance paper for government departments that are preparing public sector construction projects. "Essential Requirements for Construction Procurement" integrates value and risk management with project management.
  • A tool kit for agencies of the government. The kit enables agencies to self-assess their position relative to current best practices. It also helps them move to the best practice using generic improvement strategies.
  • Internal consulting services provided by the risk management unit.
  • A forum of managers. Managers are able to identify their problems/risks. The forum allows the sharing of best practices. Action items are proposed to deal with the risk. Another advantage is all line managers are now aware of the risk and the action items.
  • A legislative agency that makes recommendations to agency management for reducing risk. The recommendations have been proven successful in other agencies.

10. Risk management training

Risk management training, as part of a corporate training curriculum, helps integrate risk. Topic areas include: risk assessments; best practices; legislative requirements; safety; objectives for managing risk; risk-awareness training to ensure that all managers consider risk.

B. Approaches, tools and techniques for implementing risk management

1. Business risk mapping

Organizations are developing business risk maps to identify key business risks to the organization. This helps the organization understand and address its risks. Management must quantify the magnitude of the risks and measure their potential impact. The use of a broad scope framework permits the consideration of different types of potential risk in risk mapping. The use of a framework can influence a discussion on the sources and types of risks, for example, external, economic, market, credit, information, human resources and strategic. This brings a multi-disciplinary perspective for looking at the risks.

Examples of this practice are:

  • Listing the various business risks. Then, the risks are charted into four quadrants depending on whether an event has a high or low probability of occurrence and whether it could result in a highly severe loss or a low severity loss.
  • Developing a risk map on one sheet of paper. The map provides a comparative evaluation of all operational, financial, hazard and strategic risks that the organization faces. By comparing risks on a single matrix of severity and frequency, senior managers can see a complete picture of all the risks facing the company and their interrelationship.
  • Developing a 'major matrix of risks'. It captures the most damaging threats to the corporation. Senior management and the Board can use it in decision-making.

Simplicity underlies these approaches.

2. Modeling tools

Modeling tools enable managers to manage uncertainty. Scenario analysis and forecast models are the predominant tools. Examples of using modeling tools are:

  • Using scenario analysis, decision makers can see the range of possibilities and consider changes that they would otherwise ignore. These scenarios can also be built into the organization's contingency plans. Scenarios can be documented and analysed using computer spreadsheet software.
  • Using statistical analysis and Value at Risk techniques, managers can estimate the variability of future losses. They measure the impact of a potential loss on earnings or cash flow, include sensitivity analysis, stress testing, and various types of simulations.
  • Financial models which dynamically simulate the various financial risks and the impact of various scenarios on portfolios of debt and equity.
  • Anticipating hazards in the production process that could make the product defective, and then identifying the points at which they can be controlled.
  • Assessing technical risks during new product development by identifying, early on in the project, the potential errors in the manufacturing process. This gives the time to address the consequences.
  • Accumulating past project experience and extrapolating it to provide a synthesis of the likely risk impact of a particular project.

Some tools, such as scenario analysis, modeling, technical risk analysis, have broad applicability to management areas. Others, such as financial models, are less applicable to other disciplines.

3. Risk identification and assessment techniques

Techniques for identifying and assessing risks help managers identify where they should be focusing their attention and resources. There is no predominant technique.

Various techniques are:

  • Brainstorming groups. Staff from multiple business units meet to brainstorm issues.
  • Workshops. Organizations are starting to develop risk-focused facilitated workshops that help operating personnel determine and prioritize their objectives and identify and assess risks. Management in attendance would generally span a variety of areas.
  • Questionnaires. Operating units are tasked with completing questionnaires on objectives and risks. For example, managers may annually update risks and progress on managing them.
  • Self-assessment. Managers self-assess with support from Audit, Finance and an external accountant.
  • Control self-assessment (CSA). CSA provides assurance that an end-point business objective will be met, taking into account controls and risks. Risk-focused workshops help operating managers determine and prioritize their objectives.
  • Filters. Risks are evaluated against four filters: non-core function, low impact, risk well-managed, and low probability of occurrence.
  • Boston Squares. Boston Squares is used to chart the impact/severity of risks.
  • Risk Quick Scan. This is a technique for presenting risks (cost, timing, specifications, etc.) in such a way that the risks can be easily compared to each other in terms of probability and consequences. This is especially useful in projects.
  • Matrix to assess supplier capability. The matrix is used to make an overall assessment of the ability of a potential supplier to deliver successfully the services/products specified in a contract. The matrix considers: the history and development of the supplier's business; legal background and capital structure; critical performance elements of the contract; management and employees; commitment, contingencies and litigation; financial viability.
  • Assessment matrix. The matrix consists of a series of questions covering elements of risk management and internal controls. It also includes descriptions of best practices.
  • Risk identification templates. Business units are given templates. These assist them in identifying and evaluating risks during their business planning process.
  • "Bottom up" risk assessments. Operating managers identify and evaluate risks. These are then rolled up at the corporate level.
  • Value at Risk (VAR) model and worst case model. These models are used to assess risk. The (VAR) model looks at the estimated potential loss in value of a position or portfolio within a specified period based on market factors. It allows the simultaneous trend comparison of, for example, currency fluctuations.
  • Prioritizing risks. Based on their rank, the risks are addressed.

4. The internet/intranet

The internet/intranet is increasingly being used to manage risks. It is used to: promote risk awareness and management; obtain information on risk in specific areas; communicate with employees; share information on risk management across agencies; and communicate risk management objectives.


IV Observations And Conclusions

This chapter summarizes our observations and conclusions from our review of best practices.

A. Observations

We offer the following observations concerning risk management from our analysis of best practices:

1. Risk management, like comptrollership, is a mind-set

Managers can be made aware of risk and risk management. Risk management can be taught and reinforced. However, risk management is most effective when managers and employees are attuned to risk management. Risk management cannot be imposed. Managers should be conscious of risk management and integrate it into their other management practices. Risks should be taken into account in decision-making. Managers are more likely to buy-in to the practice if it is positioned as a normal management activity. Overly bureaucratic and complex processes will submerge risk management into irrelevance. There is a balance required between flexibility and consistency. Managers need the flexibility to use techniques that make sense for them and their operation. However, the technique must also allow for the roll up and comparison of the operating unit results at the corporate level. Specialists need to be available to assist managers.

2. Risk management and corporate ethics functions should work together

The information we gathered indicates that risk management programs and ethics programs are related. For example, a written code of ethics is a mechanism to communicate the values of the organization and the related risks. An ethics program for government employees is viewed as a way to sensitize employees to ethical issues or risks affecting the key entity's values. Risk managers may increasingly be required to collaborate with the ethics function in order to understand and resolve information risks. Another organization also reported that a business ethics initiative revealed information hazards resulting from a "culture of secrecy". Internal policies and standards were not written down or consistently communicated to employees. The ethics manager worked with the risk management function to develop steps to prevent future violations of standards. Many components of a corporate ethics program are aimed at improving the organization's information flows. These include broad communication programs, senior management's commitment and communication of values and principles, and monitoring of business practices. We have already discussed that communication and information flows are a key practice for managing risk.

3. Risk management is a dynamic process

As the business needs and business risks change, new processes or tools for managing the risks are required. For example, increased use of the Internet can be a source of risk and can, at the same time, be a tool for managing the risk. The practices must continually adapt to a changing environment. How organizations are performing at managing risk must also be monitored and continuously improved. Employees and managers need to be informed if there are changes. Risk assessments should be reviewed as circumstances change. It is not a "one-off" exercise.

4. Many functional specialists will play a role in risk management

Our review of best practises indicates that many functional specialists will play a role in managing risk. These specialists include information technology specialists, human resources specialists, communications specialists and financial specialists.

Information technology specialists have always had a preoccupation with risk management. They have had to manage the risks of IT projects. Now, their role may be expanding to provide specialist support to risk management specialists and managers. As new technologies are accepted (e.g., the internet, electronic commerce), the IT specialists will be required to help others understand and deal with potential business and technology risks. They will be involved in identifying, assessing, and managing risks where there is a technology component. They will be a key member of teams and committees.

Information technology specialists will also be called upon to set up systems for managing risk. These include modelling software, systems to monitor risk and systems to monitor performance in managing risks.

Human resources specialists will be called upon to design appropriate mechanisms for evaluating the performance of managers in managing risk. Also, they will be called upon to design learning strategies and training programs. They may also be involved in change management and initiatives aimed at changing the culture of organizations.

Communications specialists will play a role in establishing the appropriate communication channels. They will likely also be involved in reporting on risks and risk management performance.

Financial specialists will have a role in identifying and assessing the financial implications of various scenarios when managers model uncertainty.

5. Risk management must be adequately resourced

Implementing risk management requires resources. Investments will be required in: training, developing processes and techniques, management systems, specialist groups. Senior management must be committed to supporting the initiative with the required resources.

B. Conclusions

This section discusses our conclusions about the applicability of the best practices to the Canadian federal government. Exhibit IV-1 maps the best practices to the assessment criteria.

The exhibit shows that:

  • All practices have broad applicability beyond the protection of assets and people. They are suitable for all business risk management. Hence, the practices are consistent with the current direction for risk management in the government.
  • Most of these practices will contribute to improving service delivery. By managing risks, managers are more likely to achieve their objectives. Hence, they would be more likely to meet service delivery objectives and targets.
  • Many of the practices contribute to a supportive work environment. These are: the organizational philosophy; open communication channels; teams and committees; guidance; and training.
  • Innovation is supported. However, it is primarily the "soft" practices (philosophy, communication, teams, internet) that contribute to this requirement since they create an environment of open discussion and exchange of ideas. Also, they tolerate mistakes.
  • These practices do facilitate management decision-making and planning. However, the link to sound resource allocation is less strong. However, the tools for mapping, modelling, identifying and assessing risks do focus the resources on key risks. In this way, the resources are allocated where most critical.
  • The practices easily build on existing knowledge and lessons learned in the organization. The experience of management and employees is a component of identifying and assessing risks. Similarly, many link horizontally in the organization and integrate well with the management framework.
  • Only two of the practices have a clear and potentially applicable accountability or governance framework: senior management/Board leadership and communicating performance.
  • Only four of the best practices demonstrate communication/involvement with stakeholders.

We conclude that the best practices are applicable to the federal government context, given the criteria against which they were assessed. However, there may be significant barriers to implementing those best practices that are very different from the status quo. Most federal departments and agencies operate with traditional organizational structures. There is a defined reporting and management hierarchy. Hence, implementing a philosophy and culture that everybody is a risk manager may be a stretch target. Similarly, the current environments do not welcome bad news or open communication channels.

Exhibit IV-1 Assessment of practices


Exhibit IV-1: Assessment of practices