Risk Management Capability Model

A diagnostic tool

About the Treasury Board Risk Management Capability Model

Organizations need to reflect on their integrated risk management approach. Comparing risk management approaches with those implemented in other departments and agencies may not provide insight or meaningful information due to the tailored approaches adopted by each individual organization.

As a result, organizations may want to consider using a benchmarking tool to gauge their own capability in key areas of risk management. 

What does the Risk Management Capability Model do?

The Risk Management Capability Model is a diagnostic tool that allows organizations to benchmark their current risk management capability. This Model is part of the suite of guides and tools that accompany the Treasury Board Framework for the Management of Risk, including the 2010 Guide to Integrated Risk Management.

The Risk Management Capability Model may be used to create a picture of an organization's current risk management approach, which can be used to inform a discussion on whether resources need to be allocated or diverted to fill gaps or improve capability in key areas of risk management excellence. 

How to use the Risk Management Capability Model

The levels of capability are designed as profiles against which organizations are encouraged to self-identify. The table format gives organizations flexibility in mapping their current capability against a number of key risk management areas of excellence.  It is expected that organizations will have a spectrum of capabilities, based on their objectives, size and complexity of mandate. For example, "governance, leadership and accountability" may be developing, while "training" may be initiated. 

Recognizing and addressing differing levels of capability in key areas may lead to a discussion on where an ideal state has been achieved and where focused attention may be required.  Organizations should be asking themselves if they are operating at the right level for any given risk management activity.

The Capability Model is not intended to be used in a linear fashion. It is not necessary, or suitable, for an organization to meet the highest tier in every area.  In addition, capability levels in some areas may change over time depending on the organization's objectives and priorities.

What is meant by "initiated", "developing" and "systematic"?

"Initiated", "developing" and "systematic" are terms used to describe an organization's capability in key areas of risk management excellence.


Initiated

Is a term that applies to risk management activities that are still in the planning phase and therefore not in place yet or that have been recently introduced in parts of the organization. The term recognizes that while the concept of risk management has been adopted by a few key employees, an organizational approach has yet to be developed.

Developing

Is a term that applies to risk management activities that may be in place and are evolving. Developing risk management activities may not yet be consistently practiced across the organization. The term recognizes that efforts may be underway to advance some risk management activities in order to achieve a more systematic approach.

Systematic

Is a term that applies to risk management activities that are part of a broader planned and methodical approach to integrated risk management. The term recognizes the proactive and adaptive nature of a more complete and robust integrated risk management approach.

Key considerations when using the Risk Management Capability Model

  • The Capability Model is a diagnostic tool meant to provide insight and act as a reference for discussion. The Model's purpose is to help organizations self-identify at what stage they are in terms of certain risk management activities and to promote discussion on advancing their approach.
  • The five activities identified are meant to help senior management focus on key areas of risk management excellence. The three tiers are designed to express an attainable level of capability applicable to micro, small and large organizations.
  • The most appropriate level of capability for an organization will depend on the nature of risks identified and managed, the complexity of the organization's mandate and the organization's size. For more information on developing a tailored approach to risk management, please refer to sections 2.3 and 4.1 in the 2010 Guide to Integrated Risk Management.
  • Achieving "systematic" across the table may not be appropriate or suitable.  Organizations should allocate efforts carefully based on their current and emerging priorities. 
  • An organization's capability in any given area of risk management activity may change over time.

Contact information

For more information, please contact TBS Public Enquiries.

The Treasury Board Risk Management Capability Model

Areas of Risk Management Excellence, by capability level (Initiated, Developing, Systematic)

Governance, leadership and accountability

Initiated:

RM is identified as a result of necessity. RM governance activities may cease once issue is managed. Tolerance for risk is concentrated at the individual level.

Developing:

RM practice is encouraged but not always required or does not always occur.

Some accountability for RM is identified on some projects and governance mechanisms are beginning to include risk information.

Some staff in parts of the organization are risk-aware; remaining staff may regard RM as a process burden.

Systematic:

RM is identified as a priority for the organization. Roles, responsibilities and accountabilities are clearly defined in all parts of the organization.

Resources are dedicated and risk awareness is promoted.

Senior management proactively communicates risk tolerance.

Priority setting and decision-making

Initiated:

Risk information is informally noted and occasionally considered, depending on issue management requirements.

Decisions may be based on an inconsistent understanding of risk.

Developing:

Risk information is periodically considered as part of operational and/or corporate processes.

The organization is developing a consistent understanding of risk to support decision-making.

Systematic:

Consistent and coherent risk information is integrated into operational and corporate processes.

The Corporate Risk Profile or similar tool acts as a strategic framework for priority setting and decision-making activities, including the seizing of opportunities to advance new policies and programs.

Monitoring, performance and outcomes

Initiated:

Limited monitoring of risk responses may occur.

The monitoring of RM practice occurs informally as a result of individual inquiry.

RM practice may need tailoring in order to reflect the size and mandate of the organization.

Developing:

There is some evidence of monitoring of risk responses.

The organization may make adjustments to its RM approach as a result of occasional reviews. The reviews may not always be communicated across the organization.

The organization is developing indicators to measure the performance of risk responses over time. There is some evidence of improved outcomes as a result of RM practice.

Systematic:

Monitoring of risk responses occurs on a routine basis with clear and measurable evidence of improved outcomes as a result of RM practice.

Accountable parties routinely assess the performance of the organization's RM approach to incorporate improvements and lessons learned. The results of reviews are communicated across the organization.

Performance indicators are embedded in key RM activities.

Training and continuous learning

Initiated:

Training opportunities are available to staff based on individual interest and access to self-directed learning.

Developing:

RM training is targeted to some staff within the organization, with limited learning resources available.

Systematic:

RM training is promoted to all staff within the organization and in personal learning plans, including plans for senior management.

Informal networks are in place to support best practices and continuous learning.

Stakeholder engagement and communication

Initiated:

There is limited internal engagement and communication of cross-sectoral risks.

The organization rarely engages its external stakeholders and partners on interdepartmental risks.

Developing:

There is periodic engagement on cross-sectoral risks within the organization.

The organization recognizes the need to engage its external partners and stakeholders on interdepartmental risks and is developing a risk communication plan or strategy.

Systematic:

There is proactive engagement on cross-sectoral risks within the organization.

External partners and stakeholders are proactively consulted on interdepartmental risks.

Risk communication is identified as part of the RM approach and enhances the organization's risk culture.
