2024–25 to 2026–27 Corporate Risk Profile - Impact Assessment Agency of Canada

July 2024

This publication may be reproduced for personal or internal use without permission, provided the source is fully acknowledged. However, multiple copy reproduction of this publication in whole or in part for purposes of redistribution requires the prior written permission from the Impact Assessment Agency of Canada, Ottawa, Ontario K1A 0H3, or information@iaac-aeic.gc.ca.

Catalogue Number: En104-31E-PDF

ISSN: 2818-3827

This document has been issued in French under the title: Profil de risque organisationnel de 2024-2025 à 2026-2027

Glossary

Corporate Risk Profile (CRP): A consolidated document providing a snapshot in time of risks facing the organization, used to communicate risk information and to inform planning.
Corporate Risk: An event that may have an effect of uncertainty on the achievement of organizational objectives.
Integrated Risk Management: A continuous, proactive, and systematic process to understand, manage, and communicate risk from an organization-wide perspective. It is about making strategic decisions that contribute to the achievement of an organization’s overall corporate objectives.
Risk Control: The means (i.e., process, policy, device, practice) by which an organization reduces the likelihood of a risk occurring or its impact.
Risk Driver: An internal or external condition that can contribute to or modify a risk.
Risk Impact: Assessment of the potential outcome of a risk event, either negative or positive.
Risk Likelihood: An assessment of probability or frequency of a risk materializing.
Risk Mitigation: The most common strategy to address risks; involves developing and implementing a specific course of action to decrease the likelihood and/or impact of risks.

Introduction

The Impact Assessment Agency of Canada (IAAC) operates in an environment that is in constant evolution and growth. As a result, managing risks requires a high degree of oversight, agility, and capacity. The core approaches, methodologies, and processes must reflect the risk environment and contribute to improved decision-making, better allocation of resources and, ultimately, better results for Canada.

As part of IAAC’s integrated Enterprise Risk Management (ERM) approach, the 2024–25 to 2026–27 Corporate Risk Profile (CRP) is a tool that provides an objective assessment of the current exposure to key risks that may affect the achievement of IAAC’s objectives and results.

Context

IAAC is a federal body that reports to the Minister of Environment and Climate Change. Under the Impact Assessment Act (IAA), IAAC is the lead federal organization responsible for conducting and administering environmental and impact assessments. In leading impact assessments, IAAC is responsible for assessing the positive and negative environmental, economic, social, and health effects of designated projects. IAAC is also the Crown Consultation Coordinator for Indigenous consultations on designated projects.

In 2023, following a reference case brought to the Supreme Court of Canada by the Province of Alberta, the Court found the Act was partially unconstitutional but affirmed the right of the Government of Canada to put in place impact assessment legislation and collaborate with the provinces on environmental protection. The Government announced that it would respect the Court’s opinion and work quickly and diligently on targeted and meaningful amendments to the IAA.

Beyond its legislative mandate and responsibilities, IAAC contributes to advancing various government-wide initiatives such as, but not limited to, the Government of Canada’s 2030 Emissions Reduction Plan, Net-Zero by 2050, Clean Canada, the United Nations Declaration on the Rights of Indigenous Peoples Act, Gender-based Analysis Plus, and Canada’s Climate Actions for a Healthy Environment and a Healthy Economy.

Strategic Objectives and Expected Results

The preamble in the IAA, which created IAAC, sets forth a list of strategic objectives that provide its legislative mandate. These objectives are condensed in its core responsibility (Impact Assessment) as follows:

“To foster sustainability, the Agency undertakes high-quality federal assessments of proposed projects based on scientific information and Indigenous Knowledge to assess health, social, economic, and environmental effects, and impacts on Indigenous Peoples and rights. These assessments inform government decisions on whether proposed projects are in the public interest. The Agency conducts compliance and enforcement activities to ensure proponents adhere to the legislation, including the conditions in decision statements.”

By delivering this core responsibility IAAC intends to achieve four departmental results on which IAAC reports publicly, on an annual basis, through its Departmental Plans and Departmental Results Reports to parliamentarians and Canadians:

The risks identified in this CRP will be monitored, and updated as needed, to reflect any major changes in the operating environment. Strategies to mitigate risk exposure outside of IAAC’s tolerance will be pertinent to the achievement of departmental results.

Figure 1: Departmental Results Framework and Program Inventory for 2024-25

Text version

These block list diagrams represent visually the Departmental Results Framework, in one, and the Program Inventory of record for 2024–25. The Departmental Results Framework consists of IAAC’s Core Responsibility: Impact Assessment, and four departmental results, each of which have at least one indicator so that progress can be measured and monitored. The first Departmental Result is Designated projects that proceed foster sustainability. The indicator measuring it is the Percentage of projects for which reporting indicates that the vast majority of mitigation measures set out in the Decision Statement effectively address adverse effects of the project. The second Departmental Result is Stakeholders and Indigenous groups meaningfully participate in the assessment process. The indicator measuring it is the Percentage of stakeholders and Indigenous groups participating in assessment-related engagement / consultation activities who agree they were engaged meaningfully in the assessment process. The third Departmental Result is Scientific and evidence-based information, and Indigenous Knowledge on key health, social, economic, and environmental effects are available to inform project assessment processes, including impact assessment reports, decisions and conditions. The indicator measuring it is the Percentage of stakeholders and Indigenous groups who agree that scientific and evidence-based information and Indigenous Knowledge on key health, social, economic, and environmental effects are accessible. The last Departmental Result is Impact assessment processes respect the rights and culture of Indigenous Peoples, and Canada’s commitment to partner with them. The indicator measuring it is the Percentage of Indigenous groups who agree they have a productive and collaborative relationship with IAAC. The Core Responsibility and all three departmental results are supported by IAAC’s Internal Services.

The Program Inventory of record for 2024–25 consists of two programs: Assessment Administration, Conduct, and Monitoring and Indigenous Relations and Engagement.

Operating Environment

IAAC operates in an increasingly complex environment as a result of the rapid evolution of many internal and external drivers, notably, a rapidly changing global economic landscape and other geo-political events, increasing demands and expectations for projects, and the accelerating global race to build net-zero economies and the industries of tomorrow. This in turn has required IAAC to be agile in the way it operates to respond to evolving challenges and changing circumstances.

Since 2019, when the IAA came into effect, IAAC has continually faced many pressures (foreseen and unforeseen) that have shifted the operational realities and culture that were once the foundation of the organization. Externally driven pressures continue to challenge the scope of IAAC’s mandate, while internal workforce challenges are creating new constraints to effectively respond to the need for surge capacity in an agile manner.

IAAC continues to face new pressures arising from government-wide policy and commitments, ongoing litigation, evolving expectations and complexity of projects, and the ongoing commitment to establish and maintain effective partnerships with Indigenous Peoples, federal partners, provinces, and territories. Related to this, IAAC is supporting the Minister in responding to the October 2023 opinion of the Supreme Court of Canada by developing legislative amendments that will enable IAAC to conduct thorough, timely, and high-quality assessments within federal jurisdiction. Until these amendments are in place, IAAC will continue to advance assessments collaboratively in accordance with the Statement on the Interim Administration of the Impact Assessment Act Pending Legislative Amendments.

IAAC also supports the efforts of the Ministerial Working Group on Regulatory Efficiency for Clean Growth Projects, which was established to address the Budget 2023 commitment to improve the efficiency of the impact assessment process and permitting processes for major projects. This includes collaborating with other federal departments to enhance regulatory coordination federally and with other jurisdictions, clarify and reduce timelines, and mitigate inefficiencies in the regulatory system.

Budget 2024 reinforced the need for significant and sustained private sector investment in clean electricity, critical minerals, and other major projects to put Canada on a path to net zero. In addition to several measures to help drive clean growth and reduce regulatory timelines for major projects, the Government of Canada recognizes the immediate need for regulatory certainty around impact assessments of major projects.

Given the nature of IAAC’s work, there is a strong relationship with global and domestic economic performance. This impacts IAAC’s operations, including the number of designated projects and the ability of Indigenous Peoples and stakeholders to participate in IAA-related processes. Internally, IAAC is continuing to face various unexpected pressures from an increasingly competitive skilled labour market to adjusting to the culture of a hybrid work environment.

At the core of the IAA, consultation and engagement with Indigenous Peoples is fundamental. It is only through these actions that it is possible to capture perspectives, identify issues, assess impacts, and follow-up to evaluate the effectiveness of mitigation measures. As such, IAAC is continually focusing efforts to build innovative, transparent, and effective consultation and engagement mechanisms; while respecting the rights and cultures of Indigenous Peoples and Canada’s commitment to continuing to strengthen relationships.

The following table highlights some of the major and systemic risk drivers that have significantly influenced or contributed to the occurrence and/or severity of the corporate risks identified in this CRP:

Table 1: Overarching Risk Drivers
Internal Risk Drivers: An internal risk driver is a factor that originates within the organization (i.e., internal processes, operations, human capital, etc.)	Insufficient internal capacity to manage surge capacity needs while delivering on essential functions in a timely and sustainable manner Highly competitive skilled labour pool Uncertain financial framework to support IAAC commitments, priorities, objectives and surge capacity needs
External Risk Drivers: An external risk driver stems from external factors outside of the direct control of the organization (i.e., environmental changes, regulatory changes, political and macro-economic changes)	Evolving jurisprudence resulting from judicial reviews of administrative decisions and challenges to the Impact Assessment Act itself, which increase operational complexity and uncertainty. Growing complexity in the environment, including evolving commitments and priorities, nationally and internationally Evolving geopolitical environment creating ongoing pressures on the efficiency and efficacy of the natural resource development process and economic growth High degree of collaboration and coordination across federal departments and agencies, provinces and territories, and other stakeholders with regard to the federal impact assessment regime and government-wide initiatives and commitments Increasing complexity, and demand for efficiency and expectations for project assessments

As such, IAAC is proactively adopting an integrated approach to its risk management practices to ensure existing and emerging risks are effectively managed, understood, and embedded into how the organization works towards achieving common goals and identifying priorities.

2024–25 to 2026–27 Corporate Risk Summary

The following table provides a summary of the top five risks to IAAC achieving its objectives, as of April 2024.

Table 2: 2024–25 to 2026–27 Summary of Corporate Risks
Risk Statement		Risk Exposure	Acceptability & Response
Theme 1: Legal Threats and/or opportunities associated with judicial challenges to laws, regulations, policies and/or decisions.
Risk 1	Delivery of Essential Functions: There is a risk that IAAC may not be able to carry out its essential functions in a timely, sustainable and effective manner.	Moderate-High Risk	Unacceptable & Mitigate
Theme 2: Strategies and reputation Threats and/or opportunities associated with IAAC’s ability to achieve its strategic objectives and priorities while maintaining its reputation and credibility with its partners, stakeholders and the Canadian public.
Risk 2	Maintaining public trust and engagement: There is a risk that IAAC may not be able to maintain public and partner trust and engagement in the delivery of the federal impact assessment regime.	Moderate-High Risk	Unacceptable & Mitigate
Theme 3: Operations Threats and/or opportunities associated with the overarching ability to deliver on operational activities and priorities.
Risk 3	Retaining a skilled, capable, agile, and diverse workforce: There is a risk that IAAC will be unable to attract, hire, and retain an appropriately skilled, capable, agile, and diverse workforce to deliver on its mandate and priorities.	Moderate Risk	Manage & Monitor
Risk 4	Information Management and Information Technology Security and Management: There is a risk that IAAC will not have the appropriate mechanisms and measures in place to maintain the confidentiality, availability, and integrity of data and information.	Low-Moderate Risk	Acceptable & Monitor
Risk 5	Cost recovery and uncertain financial framework: There is a risk that IAAC will be unable to adequately fund IAAC activities and surge capacity requirements in a sustainable and effective manner.	Moderate Risk	Unacceptable & Mitigate

Risk Matrix

A first risk assessment workshop was held on July 12, 2023 during which, Senior Management identified the likelihood of a risk occurring and the impact if it did. On November 8, 2023, following the Supreme Court of Canada opinion on the IAA reference case, IAAC updated the legal and strategic risks (denoted 1 and 2) and performed a risk assessment refresh. The result of which is illustrated in the matrix below.^Footnote 1

Figure 2: Risk Heatmap

Text version

This matrix chart represents the assessment by IAAC’s senior management of the likelihood of a risk being realized and the impact this would have on IAAC’s work if the risk were to happen. On the vertical axis, likelihood is divided into five categories from bottom to top: Exceptionally unlikely, unlikely, possible, likely, and almost certain. On the horizontal axis, the impacts are also divided into five categories from left to right: low, low to moderate, moderate, moderate to high, and high impacts. The matrix is divided into three regions representing the overall risk level of each risk, based where the likelihood and impact ratings intersect. From the chart’s origin point to the diagonal line, a green colored triangle is formed to identify lower-level risks. A risk in this area means that IAAC accepts the risk and will monitor it. The only lower-level risk identified in this area is Risk 4: Information Management and Information Technology Security and Management. A diagonal section from the top left to the bottom right of the matrix is colored yellow to signify medium-level risks that IAAC will manage and monitor. The medium-level risks include Risk 3: Retaining a skilled, capable, agile, and diverse workforce and Risk 5: Cost recovery and uncertain financial framework are in this region. Above the yellow diagonal is an area shaded in red. A risk in this area is a higher-level risk that IAAC will respond to and implement measures to mitigate against it. Two risks fall in this area. These are Risk 1: Delivery of Essential functions and Risk 2: Maintaining Public Trust and Engagement.

Corporate Risk Profile

Theme 1: Legal

Risk 1: Delivery of Essential Functions

Risk 1 - Text version

Risk Statement: There is a risk that IAAC may not be able to carry out its essential functions in a timely, sustainable and effective manner.

Risk Champion or Office of Primary Interest:
Vice-President, Operations

Risk Support or Office of Secondary Interest:
Vice-President, Corporate Services and Chief Financial Officer
Vice-President, Indigenous Relations
Vice-President, Strategic Policy and Programs

Key Risk Drivers

Internal Risk Drivers	External Risk Drivers
Restricted capacity and flexibility due to prescriptive requirements set forth by the IAA Inadequate capacity to manage, maintain and build enduring and reciprocal relationships and trust with Indigenous Peoples, Environmental Non-Governmental Organizations (ENGOs), provinces and territories, proponents and other key stakeholders Limited ongoing, permanent funding to support baseline operational activities Highly competitive labour pool for skilled and qualified candidates to support the delivery of high-quality impact assessments Strong reliance on timely and reliable data from proponents	Evolving jurisprudence resulting from judicial reviews of administrative decisions and challenges to the Impact Assessment Act itself, which increase operational complexity and uncertainty. Growing complexity of the environment as IAAC evolves such as government-wide, IAAC, and international priorities and commitments (i.e., eco-responsibilities, clean growth, critical minerals, net-zero, Call for Justice for Missing and Murdered Indigenous Women and Girls, United Nations Declaration on the Rights of Indigenous Peoples Act, coordination and adherence to modern treaties, etc.) Reduced partner and stakeholder trust, such as Indigenous groups, industry, federal departments and agencies, provinces and territories, the public, proponents, and other national and international partners Increasing external pressures and expectations to tighten project timelines while emphasizing inter-departmental and provincial collaboration, co-development, partnerships, and horizontal initiatives (i.e., cumulative effects, etc.) Increasing complexity of project descriptions/initial project descriptions Increasing frequency and scale of cyber security and data quality threats

Internal Risk Drivers

External Risk Drivers

Restricted capacity and flexibility due to prescriptive requirements set forth by the IAA
Inadequate capacity to manage, maintain and build enduring and reciprocal relationships and trust with Indigenous Peoples, Environmental Non-Governmental Organizations (ENGOs), provinces and territories, proponents and other key stakeholders
Limited ongoing, permanent funding to support baseline operational activities
Highly competitive labour pool for skilled and qualified candidates to support the delivery of high-quality impact assessments
Strong reliance on timely and reliable data from proponents

Evolving jurisprudence resulting from judicial reviews of administrative decisions and challenges to the Impact Assessment Act itself, which increase operational complexity and uncertainty.
Growing complexity of the environment as IAAC evolves such as government-wide, IAAC, and international priorities and commitments (i.e., eco-responsibilities, clean growth, critical minerals, net-zero, Call for Justice for Missing and Murdered Indigenous Women and Girls, United Nations Declaration on the Rights of Indigenous Peoples Act, coordination and adherence to modern treaties, etc.)
Reduced partner and stakeholder trust, such as Indigenous groups, industry, federal departments and agencies, provinces and territories, the public, proponents, and other national and international partners
Increasing external pressures and expectations to tighten project timelines while emphasizing inter-departmental and provincial collaboration, co-development, partnerships, and horizontal initiatives (i.e., cumulative effects, etc.)
Increasing complexity of project descriptions/initial project descriptions
Increasing frequency and scale of cyber security and data quality threats

Current Controls

The following key controls have been implemented to manage the risk:

Developing and implementing new policy instruments to improve efficiencies across the impact assessment process, including planning and post-assessment activities
Providing funding to support Indigenous capacity to maximize leadership in assessments
Using a horizontal and risk-based governance structure (i.e., Assistant Deputy Minister Impact Assessment and Deputy Minister Impact Assessment Committees)
Implementing a five-year financial planning and budget cycle
Implementing cost recovery and flexible collection mechanisms to offset costs
Using various resource management applications, such as the Assessment Management System (AMS) to track projects and report on statutory requirements and time tracking for human resource planning
Proactively implementing new methods and approaches to reduce barriers to engaging with proponents and stakeholders to understand their issues and concerns with IAAC’s processes, and taking these into account when managing projects
Establishing Memoranda of Understanding and bilateral cooperation instruments to harmonize the assessment process with various partner organizations, provinces, and territories
Coordinating the Canadian Impact Assessment Registry (Registry), while publishing project records and managing its online public engagement feature and web-mapping interface, which enables users to explore, visualize, and analyze assessment data for greater transparency, navigation, and accessibility
Leveraging digital/virtual abilities, when and where possible, including digitized human resource forms
Implementing a Grants and Contributions center of excellence that monitors financial compliance, support funding initiatives and explores efficiencies and options to optimize program delivery

Potential Impacts

If the risk was realized, IAAC may experience the following impacts:

Unclear mandate and authority to start new impact assessments or continue existing impact assessments under IAA
Increased and ongoing litigation efforts and pressures hindering the Agencies capacity and the ability to fulfill essential functions and achieve strategic objectives
Inability to meet other statutory requirements (i.e., Modern Treaties, The Canada–United States–Mexico Agreement (CUSMA) Environment Chapter), policies, regulations, and commitments (i.e., Indigenous Reconciliation Framework, Call for Justice for Missing and Murdered Indigenous Women and Girls)
Loss of stakeholder and partner trust, engagement and collaboration, including but not limited to provinces and territories, federal departments and agencies, industry, the public, proponents and other key national and international partners
Inability to produce and approve impact assessments in a timely manner, which may affect national/regional economic health
Adverse changes to the environment and to health, social, or economic conditions
Failure to adequately engage and consult with Indigenous Peoples and the public

Risk Assessment

Risk Exposure:	Impact:	Risk Exposure:
3.36 Possible - Likely	4.0 Moderate - High	Moderate - High Risk

Risk Response

Based on the assessment and existing controls in place, management considers this risk to be unacceptable and will mitigate it in the coming year.

Action Plan & Owners

Actions	Owner
Group A: Legal
1. Amend the IAA to address the SCC decision.	Director, Legislative and Regulatory Affairs, Strategic Policy and Programs
Group B: Enhanced Collaboration
2. Establish and implement a strategic action plan to improve collaboration with provinces during the conduct of impact assessments under an amended Impact Assessment Act.	Regional Directors, Director of Review Panels, Director of Regional and Strategic Assessment, Operations Office of secondary interest: Director, Policy Integration, Strategic Policy and Programs
3. Establish DG-level leadership committee with federal authorities (including Fisheries and Oceans Canada, Environment and Climate Change Canada, Health Canada, Natural Resources Canada, Transport Canada) that meets on a quarterly basis, to facilitate timely resolution of issues in federal impact assessment.	Director General, Regional Operations - East, Operations Office of secondary interest: Director General, National Programs, Strategic Policy and Programs
4. Develop relationships with stakeholders to advance and limit possible future risks	Director General, National Programs, Strategic Policy and Programs
Group C: Resources and References
5. Ensure that internal repositories of reference materials (e.g. IA One-Stop Shop, IA Docs Inventory) used to conduct impact assessment are kept up to date and in a central location to facilitate easy access for practitioners.	Director General, Regional Operations - West, Operations
6. Build up resources for the management of policy to support legal challenges to our assessment process	Director General, National Programs, Strategic Policy and Programs
7. Implement an integrated and formalized Grants and Contributions Risk Management Framework to act as the baseline for all G&C risk management-related activities throughout IAAC.	Director, Indigenous Partnerships, Indigenous Relations Office of secondary interest: Director General, Finance and Planning and Deputy Chief Financial Officer, Corporate Services
8. Develop and implement recipient funding approach for G&C recipients to build capacity, including the utilization of multi-year funding approaches and provision of grants in a timely manner, within a risk management framework.	Director, Indigenous Partnerships, Indigenous Relations

Theme 2: Strategies and reputation

Risk 2: Maintaining public trust and engagement

Risk 2 - Text version

Risk Statement: There is a risk that IAAC may not be able to maintain public and partner trust and engagement in the delivery of the federal impact assessment regime.

Risk Champion or Office of Primary Interest:
Vice-President, Strategic Policy and Programs

Risk Support or Office of Secondary Interest:
Vice President, Corporate Services and Chief Financial Officer
Vice-President, Indigenous Relations Vice-President, Operations

Key Risk Drivers

Internal Risk Drivers	External Risk Drivers
Limited operational capacity to sustainably maintain a reasonable balance between meeting legislative requirements and the expectations of partners and stakeholders, such as Indigenous groups, industry, proponents, and provinces and territories	Supreme Court of Canada decision on the IAA reference case (October 2023) and polarization around the IAA Growing expectations of industry, proponents and Indigenous groups with regard to the federal IA regime Need to balance a complex operating environment (advancing reconciliation with Indigenous Peoples, 2030 Emission Reduction Plan, etc.) with the difficulty in separating the assessment process from the outcomes on the environment, the economy, the health, and rights of Canadians Competing priorities between various partners, other regulatory and assessment bodies

Internal Risk Drivers

External Risk Drivers

Limited operational capacity to sustainably maintain a reasonable balance between meeting legislative requirements and the expectations of partners and stakeholders, such as Indigenous groups, industry, proponents, and provinces and territories

Supreme Court of Canada decision on the IAA reference case (October 2023) and polarization around the IAA
Growing expectations of industry, proponents and Indigenous groups with regard to the federal IA regime
Need to balance a complex operating environment (advancing reconciliation with Indigenous Peoples, 2030 Emission Reduction Plan, etc.) with the difficulty in separating the assessment process from the outcomes on the environment, the economy, the health, and rights of Canadians
Competing priorities between various partners, other regulatory and assessment bodies

Current Controls

The following key controls have been implemented to manage the risk:

Established co-development processes for the framework for Indigenous cooperation agreements, including regulations
Increased partnership, engagement, and collaboration with Indigenous groups including designing new mechanisms to enhance engagement and relationship-building
Increased proactive engagement and collaboration with federal partners, other levels of government, communities, and stakeholders
Implementation of open and transparent communication channels for internal and external access and use (i.e., the Registry)
Establishment and maintenance of robust tools (i.e., AMS), processes and mechanisms to support the impact assessment cycle, engagement and proactive consultation with stakeholders

Potential Impacts

If the risk was realized, IAAC may experience the following impacts:

Failure to deliver IAAC’s strategic objectives and priorities and the achievement of broader Government of Canada and international obligations and commitments
Loss of credibility with IAAC stakeholders and partners, such as Indigenous groups, federal departments and agencies, provinces and territories, industry, the public, proponents, and other national and international partners
Inability to meet the Government of Canada’s commitment to reconciliation
Increased barriers to interdepartmental collaboration and co-development efforts

Risk Assessment

Risk Exposure:	Impact:	Risk Exposure:
3.73 Likely	4.18 Moderate - High	Moderate - High Risk

Risk Response

Based on the assessment and existing controls in place, management considers this risk to be unacceptable and will mitigate it in the coming year.

Action Plan & Owners

Actions	Owner
Group A: Reporting Mechanisms and Performance Enhancements
1. Maintain publication of new and improvements to existing guidance to ensure clear and direct guidance on the IAA process and how IAAC operates, and to increase transparency and promote public confidence	Director General, National Programs, Strategic Policy and Programs Director, Operational Policy Division, Strategic Policy and Programs (Operational Guidance Team)
2. Develop guidance and tools for staff, proponents, Indigenous groups and stakeholders to support alignment with the UN Declaration.	Director, Indigenous Policy Division, Indigenous Relations
3. Develop placemats and reporting mechanisms to capture the pace at which projects move through the IAA and broader regulatory system	Director General, National Programs, Strategic Policy and Programs
4. For each new project requiring an impact assessment, prepare a public-facing report (“Planning Phase Engagement Report”) to describe how public and Indigenous input was used during the planning phase. The report will be posted on the registry within six months of the end of the planning phase.	Regional Directors and Director of Review Panels, Operations
5. Improve the functionality and features of the Registry to provide greater transparency in regulatory permitting.	Executive Director, Communications, Corporate Services Offices of secondary interest: Director, Information Services and Chief Information Officer, and Director General, National Programs, Strategic Policy and Programs
Group B: External Engagement
6. Leverage recurring meetings with FAs, IAC, TAC, MINAC and researchers on variety of policy and guidance topics to emphasize IAAC’s focus on maintaining trust and commitment to engagement in the IAA process	Director, Engagement Division, Strategic Policy and Programs Director, Operational Policy Division, Strategic Policy and Programs Office of secondary interest: Director, Indigenous Policy Division, Indigenous Relations
7. Strategically engage advisory bodies to inform IAAC response to novel challenges (e.g., the response to the Supreme Court of Canada) and facilitate tri-lateral meetings to foster collaboration among groups in order to ensure coordination.	Director, Engagement Division, Strategic Policy and Programs Director, Operational Policy Division, Strategic Policy and Programs Office of secondary interest: Director, Indigenous Partnerships Division, Indigenous Relations
8. Ensure there is IAAC presence at key external stakeholder events to support and enhance transparent communication and increase the collection of informal feedback on IAAC processes outside of assessment processes.	Director, Engagement Division, Strategic Policy and Programs
9. Provide training to the public, Indigenous groups, proponents and stakeholders on the Act and process.	Director, Engagement Division, Strategic Policy and Programs
10. Participate in interdepartmental committees led by Crown-Indigenous Relations and Northern Affairs Canada (CIRNAC), to ensure that whole of Government policy work related to the duty to consult and modern treaty implementation establishes open, transparent, and effective processes to partner with Indigenous peoples in assessments.	Director, Indigenous Policy Division, Indigenous Relations
11. Release discussion paper and engage indigenous peoples and stakeholders on the development of the policy framework and regulatory proposal for indigenous co-administration agreements.	Director, Indigenous Policy Division, Indigenous Relations
Group C: Staff Training
12. Ensure front-line operational staff have spokesperson and/or interest-based negotiation training prior to attendance at information sessions, open houses, consultation meetings and/or meetings with provinces to maintain IAAC reputation and demonstrate leadership.	Director General, Regional Operations - West, Operations Director General, Regional Operations - East, Operations Director General, Review Panels and Regional and Strategic Assessments, Operations Office of secondary interest: Executive Director, Communications, Corporate Services

Theme 3: Operations

Risk 3: Retaining a skilled, capable, agile and diverse workforce

Risk 3 -Text version

Risk Statement: There is a risk that IAAC will be unable to attract, hire, and retain an appropriately skilled, capable, agile and diverse workforce to deliver on its mandate and priorities.

Risk Champion or Office of Primary Interest:
Vice-President, Corporate Services and Chief Financial Officer

Risk Support or Office of Secondary Interest:
Vice-President, Indigenous Relations
Vice-President, Operations
Vice-President, Strategic Policy and Programs

Key Risk Drivers

Internal Risk Drivers	External Risk Drivers
Increasing pressures (on resource capacity and availability) as a result of shared responsibilities between federal, provincial and municipal partners Changing political, legal and operational landscape heightening the need for a flexible, dynamic, and upskilled staffing complement to respond to evolving commitments and surge capacity requirements Ongoing fiscal pressures and commitments High-intensity (emotional and physical) work (i.e., consultation experts, etc.), continual IAAC growth and expansion of activities and priorities Ongoing commitment to ensuring processes promote diversity, equity, inclusion, and accessibility Lack of flexibility with traditional staffing processes to meet market conditions Funding uncertainty and delays in cost recovery consultations require IAAC to acquire additional gap funding from TBS.	Mandatory alignment with governing legislation, and policies and directives, including requirements set forth by Treasury Board of Canada Secretariat (TBS) regarding hybrid work environments Ongoing litigation efforts and polarization of the IAA Increasing competition across the Government of Canada for various classifications and levels Limited workforce availability in various locations with the required language profiles and skillsets Increased appetite to leverage automation tools which may alter the skill requirements and dynamics of the workforce

Internal Risk Drivers

External Risk Drivers

Increasing pressures (on resource capacity and availability) as a result of shared responsibilities between federal, provincial and municipal partners
Changing political, legal and operational landscape heightening the need for a flexible, dynamic, and upskilled staffing complement to respond to evolving commitments and surge capacity requirements
Ongoing fiscal pressures and commitments
High-intensity (emotional and physical) work (i.e., consultation experts, etc.), continual IAAC growth and expansion of activities and priorities
Ongoing commitment to ensuring processes promote diversity, equity, inclusion, and accessibility
Lack of flexibility with traditional staffing processes to meet market conditions
Funding uncertainty and delays in cost recovery consultations require IAAC to acquire additional gap funding from TBS.

Mandatory alignment with governing legislation, and policies and directives, including requirements set forth by Treasury Board of Canada Secretariat (TBS) regarding hybrid work environments
Ongoing litigation efforts and polarization of the IAA
Increasing competition across the Government of Canada for various classifications and levels
Limited workforce availability in various locations with the required language profiles and skillsets
Increased appetite to leverage automation tools which may alter the skill requirements and dynamics of the workforce

Current Controls

The following key controls have been implemented to manage the risk:

Enhancement of the overall talent management approach, leveraged IAAC recognition program and increased IAAC presence, both online and in-person, at recruitment events
Establishment of an Equity Diversity and Inclusion Action Plan, Accessibility Plan, and draft Reconciliation Framework
Application of a new hybrid work model and supporting policies to meet IAAC needs, while ensuring alignment with TBS requirements
Establishment of governing committees to oversee and advise on matters related to ethics, value, health and safety, diversity, equity, inclusion and accessibility
Development, implementation, and ongoing maintenance of mechanisms that effectively promote a diverse, equitable and inclusive workforce
Implementation and maintenance of human resources policies, directives and guidelines to ensure standard, fair, and equitable processes are being applied across all staffing activities
Signing of a three-year service-level agreement with the Accessibility, Accommodations and Adaptive Computer Technology program to enhance the accessibility of digital content for all employees
Development of a succession planning strategy for similar jobs across IAAC
Increased use of targeted and strategic recruitment activities for IAAC positions
Exploration of new technologies, including automation solutions, to increase the efficiency of staffing processes and operational capabilities

Potential Impacts

If the risk was realized, IAAC may experience the following impacts:

Inability to deliver on IAAC’s requirements as a result of loss/hindered capacity
High turnover and loss of skilled personnel and corporate knowledge
Decline in employee morale due to increasing workload, hindering work-life balance
Failure to establish a diverse, equitable, inclusive, and accessible workforce

Risk Assessment

Likelihood:	Impact:	Risk Exposure:
2.73 Possible	3.36 Moderate	Moderate Risk

Risk Response

Based on the assessment and existing controls in place, management considers this risk to be unacceptable and will manage and monitor it in the coming year.

Action Plan & Owners

Actions	Owner
1. Create Human Resource plans with clear goals and ways to measure progress	Director General, Human Resources, Corporate Services

Risk 4: Information Management and Information Technology Security and Management

Risk 4 -Text version

Risk Statement: There is a risk that IAAC will not have the appropriate mechanisms and measures in place to maintain the confidentiality, availability, and integrity of data and information.

Risk Champion or Office of Primary Interest:
Vice-President, Corporate Services and Chief Financial Officer

Risk Support or Office of Secondary Interest:
Not Applicable

Key Risk Drivers

Internal Risk Drivers	External Risk Drivers
Changing requirements to implement and maintain systems and applications owned by Shared Services Canada Shared responsibilities among IAAC and software providers, internet service providers, and others of various applications, which reduces span of control Lack of a system/network to share and store secret information Ongoing requirement to ensure users have the appropriate awareness and training regarding cyber security and information management Vast amounts of market sensitive data with strict protocols and procedures	Increased frequency and complexity of cyber security threats and breaches New emerging technology (i.e., artificial intelligence) High volume of the receipt of external data/information

Internal Risk Drivers

External Risk Drivers

Changing requirements to implement and maintain systems and applications owned by Shared Services Canada
Shared responsibilities among IAAC and software providers, internet service providers, and others of various applications, which reduces span of control
Lack of a system/network to share and store secret information
Ongoing requirement to ensure users have the appropriate awareness and training regarding cyber security and information management
Vast amounts of market sensitive data with strict protocols and procedures

Increased frequency and complexity of cyber security threats and breaches
New emerging technology (i.e., artificial intelligence)
High volume of the receipt of external data/information

Current Controls

The following key controls have been implemented to manage the risk:

Engagement with Environment and Climate Change Canada (ECCC) and Shared Services Canada for monitoring and logging, firewalls, data encryption, regular data backups as well as Intrusion Detection and Prevention Systems (IDPS)
Development of, and updates to, policies and guidelines regarding business continuity and disaster recovery, security incident reporting and escalation, and data classification and handling
Engagement with ECCC’s IT enabling services and facilities to seek access to Government of Canada’s Secret Infrastructure (GCSI) for sensitive information
Implementation and maintenance of information management and information technology systems for access control, secure remote access, patch management, secure email, and messaging and data encryption
Implementation and maintenance of practices for secure software development, application security testing, identity and access management (IAM), data disposal and destruction, security audits and assessments, vendor security management, mobile device management (MDM)
Ongoing maintenance and delivery of training on information management and information technology, including cyber security awareness training
Increased internal capacity related to cyber security

Potential Impacts

If the risk was realized, IAAC may experience the following impacts:

Exposure or loss of sensitive and/or secret information and potential impacts to markets
Stakeholders lack of trust in IAAC’s ability to handle sensitive information, which could damage IAAC’s reputation and relationships
Inability to comply with applicable laws, policies, and regulations with regard to the privacy of information and confidentiality, which could lead to legal actions and reputational damage
Disruption of normal operations as systems may need to be shut down, investigated, and restored. This can lead to downtime, decreased productivity, financial and operational losses and/or delay, and increased costs for recovery

Risk Assessment

Likelihood:	Impact:	Risk Exposure:
2.09 Unlikely - Possible	3.00 Moderate	Low - Moderate Risk

Risk Response

Based on the assessment and existing controls in place, management considers this risk to be acceptable and will monitor it in the coming year.

Action Plan & Owners

Actions	Owner
1. Develop a risk register to document and prioritize identified risks, which includes their potential impact and likelihood. Update the risk register on a regular basis to reflect changes in the environment.	Director, Security & Facilities, Corporate Services Director, Information Services, Corporate Services
2. Engage third-party security experts to perform external security assessments and provide unbiased feedback.	Director, Security & Facilities, Corporate Services Chief Information Officer, Corporate Services

Actions

Owner

1. Develop a risk register to document and prioritize identified risks, which includes their potential impact and likelihood. Update the risk register on a regular basis to reflect changes in the environment.

Director, Security & Facilities, Corporate Services

Director, Information Services, Corporate Services

2. Engage third-party security experts to perform external security assessments and provide unbiased feedback.

Director, Security & Facilities, Corporate Services

Chief Information Officer, Corporate Services

Risk 5: Cost recovery and uncertain financial framework

Risk 5 -Text version

Risk Statement: There is a risk that IAAC will be unable to adequately fund IAAC activities and surge capacity requirements in a sustainable and effective manner.

Risk Champion or Office of Primary Interest:
Vice-President, Corporate Services and Chief Financial Officer

Risk Support or Office of Secondary Interest:
Vice-President, Strategic Policy and Programs

Key Risk Drivers

Internal Risk Drivers	External Risk Drivers
Uncertain financial framework to support IAAC commitments, priorities and objectives Legislative amendment required, as a result of the SCC reference case opinion, creating additional capacity pressures Five-year funding cycle with limited ongoing funding, providing IAAC with minimal ability to create an effective and sustainable financial baseline Ongoing requirement to submit on-and-off-cycle budget requests, straining capacity within the finance function Increasing number of IAAC commitments (i.e., accessibility, EDI, etc.)	Ongoing financial and economic uncertainty (i.e., inflation, rising cost of goods and services, cost of credit, cost of resources, etc.) as a result of COVID-19 and other geo-political events

Internal Risk Drivers

External Risk Drivers

Uncertain financial framework to support IAAC commitments, priorities and objectives
Legislative amendment required, as a result of the SCC reference case opinion, creating additional capacity pressures
Five-year funding cycle with limited ongoing funding, providing IAAC with minimal ability to create an effective and sustainable financial baseline
Ongoing requirement to submit on-and-off-cycle budget requests, straining capacity within the finance function
Increasing number of IAAC commitments (i.e., accessibility, EDI, etc.)

Ongoing financial and economic uncertainty (i.e., inflation, rising cost of goods and services, cost of credit, cost of resources, etc.) as a result of COVID-19 and other geo-political events

Current Controls

The following key controls have been implemented to manage the risk:

Continuous and proactive engagement with central agencies to ensure the status and capabilities of IAAC are communicated and well understood across all parties
Implementation and maintenance of a sound financial management control system to reduce risks in organizational processes, such as financial planning, budgeting and reporting
Ongoing maintenance of strategic relationships with key central agencies, federal and provincial partners, Indigenous groups, and the public

Potential Impacts

If the risk was realized, IAAC may experience the following impacts:

Inability to proactively plan and effectively deliver on all programs, projects, and commitments of IAAC
Inability to remain within the cost recovery levels agreed upon with central agencies
Operational delays and increased pressure on existing human capital

Risk Assessment

Likelihood:	Impact:	Risk Exposure:
2.27 Unlikely - Possible	3.55 Moderate - High	Moderate Risk

Risk Response

Based on the assessment and existing controls in place, management considers this risk to be unacceptable and will mitigate it in the coming year.

Action Plan & Owners

Actions	Owner
1. Early engagement with central agencies on the upcoming IA renewal of 2027-28 to identify and seek required funding levels for the next 5-year period (2028-29 to 2033-34) with a goal of securing the maximum ongoing funding.	Director General, Finance and Planning, and Deputy Chief Financial Officer, Corporate Services
2. Implement a cost recovery framework (i.e., regulations and process) that will align direction on recovery and required reference levels	Director General, Finance and Planning, and Deputy Chief Financial Officer, Corporate Services Director General, Strategic Integration, Strategic Policy and Programs
3. Early engagement with central agencies to determine the appropriate mechanism to implement re-spendable revenues.	Director General, Finance and Planning, and Deputy Chief Financial Officer, Corporate Services

Actions

Owner

1. Early engagement with central agencies on the upcoming IA renewal of 2027-28 to identify and seek required funding levels for the next 5-year period (2028-29 to 2033-34) with a goal of securing the maximum ongoing funding.

Director General, Finance and Planning, and Deputy Chief Financial Officer, Corporate Services

2. Implement a cost recovery framework (i.e., regulations and process) that will align direction on recovery and required reference levels

Director General, Finance and Planning, and Deputy Chief Financial Officer, Corporate Services

Director General, Strategic Integration, Strategic Policy and Programs

3. Early engagement with central agencies to determine the appropriate mechanism to implement re-spendable revenues.

Director General, Finance and Planning, and Deputy Chief Financial Officer, Corporate Services

Risk Monitoring and Reporting

The risks (including risk drivers) identified in this CRP will be monitored on an annual basis, and the CRP updated as necessary, to ensure all enterprise risks maintain relevance and reflect the changes in IAAC’s operating environment and organizational objectives on a year-to-year basis.

Conclusion

IAAC’s 2024–25 to 2026–27 CRP provides an Agency-wide overview of risks to inform effective risk-based decision-making and planning across IAAC. The risks identified in this document represent the greatest potential barriers to the realization of IAAC’s mandate and its ability to fulfill its core responsibilities and priorities from 2024–25 to 2026–27. These risks were reviewed and approved by IAAC’s senior management in March 2024.

Monitoring of IAAC’s enterprise risk management activities helps to maintain a clear, up-to-date understanding of key corporate risks and their status. Potential emerging risks that require senior management attention should be escalated, as and when necessary. Ongoing senior management engagement, together with an inclusive and rigorous methodology, as identified in this CRP, will result in a focused and principled approach, sending clear signals of the importance of risk management within IAAC.

To ensure clearer accountability and action in response to each risk, the 2024–25 to 2026–27 CRP has identified an office of primary interest to provide oversight and management of each risk and report annually on the status and effectiveness of each associated mitigation action.

Annexes

Annex 1: Approach and Methodology

The CRP was developed using the approach and methodology:

Environmental Scan: To commence the development of the Corporate Risk Profile, an environmental scan was conducted to obtain an in-depth understanding of the current context and environment by which IAAC operates. Considering the various drivers (internal and external) and business conditions, IAAC’s risk register and subsequent drivers and impacts was updated.
Risk Identification & Analysis: Leveraging the risk register and risk taxonomy (see Annex 2), a working session with IAAC’s operational management team was facilitated to openly discuss and brainstorm enterprise-level risks. The scope of the conversation focused solely on risks that may impact the achievement of IAAC’s objectives and priorities. Identified risks [including potential causes (drivers) and impacts] were validated, clearly documented, and grouped into categories. After validation and discussion, the risks were finalized through additional conversations with the Senior Leadership team, focusing on the most critical ones, which then became the basis for the subsequent risk assessment and mitigation planning, fostering a proactive approach to risk management.
Risk Assessment: The list of enterprise risks was then assessed by the Senior Leadership team, based the likelihood and impact scales (see Annex 3). Based on the overarching risk exposure score, risks were then ranked and prioritized (highest score = highest risk exposure level). Methodology for calculating likelihood, impact and risk exposure is defined below.
1. Average Likelihood Score = Sum of Likelihood Scores / Number of Voters
2. Average Impact Score = Sum of Likelihood Scores / Number of Voters
3. Risk Exposure = Average Impact Score * Average Likelihood Score
Risk Mitigation and Control: Controls (mitigation mechanisms currently in place to reduce risk) were highlighted across each risk profile. In any cases where risks exceed IAAC’s tolerance thresholds, specific actions may be identified.
Risk Communication: Comprehensive documentation was maintained throughout the process and was leveraged to develop the CRP. The CRP captures the strategic and corporate risks and associated risk drivers within the organization, along with the consequence of these risks, an assessment of risk exposure, mitigation activities and accountabilities.

Annex 2: Risk Taxonomy

The following table describes a standard and stable set of risk categories to facilitate risk identification exercises.

#	Risk Category	Risk Category Description
1	Strategic Risk	Threats and opportunities associated with IAAC’s ability to achieve its mandate, strategic priorities and objectives.
2	Operational Risk	Threats and opportunities associated with the overarching ability to deliver operational activities and non-conforming internal processes to IAAC requirements.
2a	a) Human Capital	Threats and opportunities associated with having the right people in place with the right skillset to meet organizational needs, including attrition, internal hiring processes, talent management, training and development.
2b	b) Information Management and Information Technology	Threats and opportunities associated with the underlying capacity and ability of the IM/IT infrastructure to support the efficient and effective delivery of organizational services.
2c	c) Financial	Threats and opportunities associated with sustainable financial management and practices.
2d	d) Resource Management	Threats and opportunities associated with the capability, capacity and availability of physical resources to deliver on IAAC’s mandate in a sustainable and holistic manner.
2e	e) Project Management & Governance	Threats and opportunities associated with IAAC’s capacity and capability to have adequate governance in place to manage project consultations with its partners, stakeholders and the Canadian public.
3	Reputational Risk	Threats and opportunities associated with IAAC’s reputation and credibility with its environmental partners, stakeholders and the Canadian public.
3a	a) Indigenous Participation & Engagement	Threats and opportunities associated with IAAC’s capacity and capability to involve meaningful Indigenous participation and engagement in project consultations.
4	Organizational transformation and change management	Threats and opportunities associated with ongoing and significant transformational and change activities.
5	Legal	Threats and opportunities associated with compliance with statutory laws, regulations, policies and standards (i.e., Policy on Financial Management, Financial Administration Act, Policy on Transfer Payments, Policy on Results, etc.).

Annex 3: Likelihood and Impact Scales

Risk is the possibility of an event occurring (positive or negative) that will have an impact on the achievement of objectives. It is the expression of the likelihood and impact of an event with the potential to affect the achievement of the organization’s objectives. The tables below outline the criteria and scales for assessing both the likelihood of an event occurring as well as the potential impact on the organization, should the event occur.

Likelihood Scales

Score	Likelihood	Probability	Description
1	Exceptionally unlikely	Less than 5%	The event has never occurred before and is not expected to occur
2	Unlikely	5 to 24%	Event has occurred once before, under exceptional circumstances, and may seldomly occur
3	Possible	25 to 74%	Event has occurred in the past and similar circumstances have been observed
4	Likely	75 to 95%	Event has occurred more than once in the past, and similar circumstances and indicators are frequently observed
5	Almost Certain	Greater than 95%	Event has occurred regularly in the past and is almost certainly expected to occur in the future

Impact Scales

Impact Score	Strategic	Operation	Reputational	Financial
1. Low An event, the consequences of which are extremely low and there is no appreciable impact.	Little to no effect on IAAC’s ability to achieve its mandate, strategic priorities and objectives	Operational excellence remains intact Service delivery is relatively unaffected Minor delays/disruptions in program activities No required resource reallocation or oversight required	Little to no damage to reputation No media coverage Minor criticism by review groups No loss of partners Regular communication channels with Indigenous Partners are maintained	Negligible financial loss and no incremental funding required Cost overrun may be absorbed within reference levels
2. Medium-Low An event where the consequences of which can be absorbed but some management effort and oversight are required to reduce the impact.	Minor impact on IAAC’s ability to achieve certain strategic priorities and objectives, but still able to meet its mandate	Operational integrity is partially compromised Minor delays in the delivery of services Re-prioritizing of deliverables and program activities may be required Review of some operations and possible internal activities Management efforts can be absorbed through regular oversight and monitoring activities	Short-term damage to reputation Negative media attention Criticism by review groups (e.g. OAG etc.) Media coverage at the regional level Loss of some partners Some communication channels with Indigenous Partners are maintained	Minor financial loss but does not require incremental funding to address the impact and can be absorbed within reference levels Minor cost overruns for non-essential programs
3. Medium An event of moderate importance that needs management effort and oversight to reduce the impact into tolerable levels.	A moderate reduction in IAAC’s ability to achieve various strategic priorities and objectives, with a potential impact on the achievement of the organization’s mandate	Operational integrity is compromised Moderate delays in the delivery of services Re-prioritizing of deliverables and program activities is required Review of operations and possible internal activities Management oversight and monitoring are explicitly required with some dedicated resources to control the risk	Short to medium-term damage to reputation Frontpage coverage in local papers Negative local media attention that is sustained Loss of some partners Less communication channels with Indigenous Partners are maintained	Moderate financial loss and may require some incremental funding to address the impact Reduced financial flexibility for some essential programs
4. Medium-High An important event likely to have a major effect on the organization’s mandate and requires significant management action and dedicated resources.	Significant impact on IAAC’s strategic direction and ability to achieve strategic priorities and objectives, including the mandate	Operational integrity highly compromised Moderate to major delay in the delivery of services Failure to deliver key deliverables and program activities Large-scale, long-term realignment of operations, objectives or resources A high degree of management oversight and monitoring is required with dedicated resources to control the risk	Strong criticism by external review agencies (e.g. OAG, PCH, etc.) Significant loss of reputation Frontpage coverage in regional papers Loss of some major partners Few communication channels with Indigenous Partners are maintained	Significant financial loss and may require major incremental funding to address the impact Reduced financial ability to fund most essential programs and all non-essential programs
5. High A significant event that could lead to permanent (or long-term) damage to the organization’s ability to achieve its mandate, core objectives, and/or priorities.	Catastrophic impact on IAAC’s ability to achieve many, if not all strategic priorities and objectives, and inability to fulfilling its role and mandate	Operational integrity at risk of failing Major delays in the delivery of services Failure to deliver key deliverables and failure of various programs Large-scale, long-term realignment of operations, objectives or resources Extensive oversight and dedicated resources are required to reduce the impact of the risk as much as possible	Strong criticism by external review agencies (e.g. OAG, PCH, etc.) Detrimental loss of reputation Frontpage coverage in national papers (e.g., Globe and Mail, etc.) Loss of major partners/donors Loss of communication channels with Indigenous Partners	Catastrophic financial loss and requires major incremental funding to address the impact Limited to no financial ability to fund all essential and non-essential programs

Page details

Date modified:: 2024-07-25

2024–25 to 2026–27 Corporate Risk Profile - Impact Assessment Agency of Canada

On this page

Glossary

Introduction

Context

Strategic Objectives and Expected Results

Operating Environment

2024–25 to 2026–27 Corporate Risk Summary

Risk Matrix

Corporate Risk Profile

Theme 1: Legal

Risk 1: Delivery of Essential Functions

Key Risk Drivers

Current Controls

Potential Impacts

Risk Assessment

Risk Response

Action Plan & Owners

Theme 2: Strategies and reputation

Risk 2: Maintaining public trust and engagement

Key Risk Drivers

Current Controls

Potential Impacts

Risk Assessment

Risk Response

Action Plan & Owners

Theme 3: Operations

Risk 3: Retaining a skilled, capable, agile and diverse workforce

Key Risk Drivers

Current Controls

Potential Impacts

Risk Assessment

Risk Response

Action Plan & Owners

Risk 4: Information Management and Information Technology Security and Management

Key Risk Drivers

Current Controls

Potential Impacts

Risk Assessment

Risk Response

Action Plan & Owners

Risk 5: Cost recovery and uncertain financial framework

Key Risk Drivers

Current Controls

Potential Impacts

Risk Response

Action Plan & Owners

Risk Monitoring and Reporting

Conclusion

Annexes

Annex 1: Approach and Methodology

Annex 2: Risk Taxonomy

Annex 3: Likelihood and Impact Scales

Likelihood Scales

Impact Scales

Page details