Guide to Corporate Risk Profiles
A recommended approach for developing a Corporate Risk Profile
Table of Contents
- Integrated Risk Management
- The Corporate Risk Profile
- Using This Guide
- A Recommended Approach For Developing A Corporate Risk Profile
- Contact Information
Integrated Risk Management
As noted in the 2010 Guide to Integrated Risk Management and the 2010 Framework for the Management of Risk, integrated risk management is recognized as a core element of effective public administration. In a dynamic and complex environment, organizations require the capacity to recognize, understand, accommodate, and capitalize on new challenges and opportunities. The effective management of risk contributes to improved decision-making, better allocation of resources and, ultimately, better results for Canadians.
One of the first activities typically associated with the practice of integrated risk management is the development of a Corporate Risk Profile or similar tool. A Corporate Risk Profile enables an organization to obtain an overview of its key risks including an understanding of the organization's operational context and objectives with respect to managing risk. By the time an organization has embarked on developing a Corporate Risk Profile, it is assumed that a foundation for integrated risk management has already been established.
For an overview of integrated risk management and guidance on planning, designing and putting in place a risk management approach and process, please refer to chapters 3 to 6 of the 2010 Guide to Integrated Risk Management.
The Corporate Risk Profile
A Corporate Risk Profile describes an organization's key risks, which include both threats and opportunities. In the Government of Canada, a risk is defined as "the effect of uncertainty on objectives". Risk is the expression of the likelihood and impact of an event with the potential to affect the achievement of an organization's objectives. As an output from a risk assessment process, a Corporate Risk Profile enhances senior management's analysis and decision making related to priority setting and resource allocation. A Corporate Risk Profile also provides staff, external partners, and advisors with a clear 'snapshot' of the organization's key risks and, when implemented, can help identify areas of efficiency and potential opportunity. This, in turn, supports strategic priority setting and resource allocation, informed decisions with respect to risk tolerance, and improved results.
In building the corporate view of risks, information and knowledge at both the corporate and operational levels is collected to assist organizations understand the range of risks they face, their likelihood and their potential impacts. In addition, identifying and assessing the existing organization's risk management capacity and capability is another critical component of developing a Corporate Risk Profile. Obtaining an understanding of the organization's risk management capacity and capability will inform the Corporate Risk Profile development process and enrich the contextual analysis.
As is the case with other risks identified on an ongoing basis, once key risks are documented, the key focus is to integrate risk information into existing departmental governance structures and planning and reporting cycles in a way that is simple and that can communicate key risks effectively.
How an organization presents its corporate risks differs from organization to organization, however, all Corporate Risk Profiles include fundamental qualities that make them a valuable management tool. These include:
- A Corporate Risk Profile identifies risks that affect the achievement of objectives. Risks, including threats and opportunities, must be forward looking and relate to future uncertainty. A risk is not a business condition or a current issue or problem. Sometimes, reoccurring issues may be interpreted as risks. In this instance, organizations should identify the risks associated with managing those reoccurring issues, rather than describing the issues themselves.
- A Corporate Risk Profile must reflect the organization's particular circumstances and objectives. It should reflect the current business conditions of the organization as well as the size of the organization and the complexity of its mandate.
- A Corporate Risk Profile should be presented in a balanced way with enough detail to provide context and a clear description of risks, including how these risks are being managed within the organization. There should not be so much detail that it overwhelms the reader or is not easily used to support effective decision-making.
The Corporate Risk Profile is recommended as both a learning tool and as an instrument that supports decision-making.
Helpful Tips:
- Senior management leadership is a key driver for the development, implementation and ongoing improvement of an organization's Corporate Risk Profile.
- When developing a Corporate Risk Profile, it is important to establish a consistent methodology that clarifies how risks are aggregated from program areas to the corporate level. (For assistance in categorizing risks, please refer to the TBS Guide to Risk Taxonomies, available on the TBS website).
- It is recommended that organizations focus senior management attention on a manageable number of key risks (e.g. five to ten), in alignment with the organization's mandate, objectives, and resources.
- Risks should be articulated clearly and distinguished from their drivers and related issues. As much as possible, the risk identification and assessment methodology should be consistent throughout the organization.
- Transparency is recommended for the risk prioritization process, so that all staff within the organization are aware of how risks are rated by senior management. Openness and transparency in this regard will support ongoing risk tolerance awareness.
- Organizations are encouraged to establish and communicate the frequency of updates to, and senior management approval of, the Corporate Risk Profile so that it remains relevant, evergreen, and continuously adds value to the decision-making process.
- Organizations are encouraged to develop their Corporate Risk Profiles in a manner that is relative to the size of the organization and the complexity of its mandate. For some organizations, a more extensive document may be appropriate. For other organizations, a more abbreviated document may suffice.
- It is recommended that organizations consider the guiding principles outlined in the Framework for the Management of Risk when developing risk responses and implementing the Corporate Risk Profile.
- Organizations are encouraged to refer to the TBS Risk Management Capability Model, a diagnostic tool that may inform a discussion on an organization's overall risk management approach, and the use of their Corporate Risk Profile.
Using This Guide
This guide is intended to provide support to organizations in developing their Corporate Risk Profile. It is scalable and intended for use by all departments and agencies. This guide does not, however, describe the methodology for completing a risk assessment.
Organizations that already have a robust Corporate Risk Profile may refer to this guide for additional information which may inform future iterations. Organizations without an established approach may use this guide as a template for developing the content in their Corporate Risk Profile.
Formatting your Corporate Risk Profile
Organizations are encouraged to choose a format that will allow for easy presentation of both text and graphics, including tables and that meets their needs. For example, an organization may choose to present the Corporate Risk Profile information in a presentation or table format rather than a document format.
A Recommended Approach For Developing A Corporate Risk Profile
Each section of this guide provides key considerations on how to develop and present content in a Corporate Risk Profile. Some sections are identified as "essential", while others are "recommended". The sections identified as "essential" are considered necessary elements of a high quality Corporate Risk Profile because they provide clarity and context. Sections identified as "recommended" are included for consideration and, while not considered "essential", may add value to the overall usability of the Corporate Risk Profile.
It is recommended that essential information be included in the Corporate Risk Profile and presented in a concise, clear manner.
The Centre of Excellence on Risk Management recognizes that organizations may choose to group essential information into sections that are based on their Corporate Risk Profile format and document structure. In all cases, the depth and breadth of analysis included in a Corporate Risk Profile should be tailored to the size of the organization and the complexity of its mandate.
Executive Summary
Organizations may choose to include an Executive Summary in their Corporate Risk Profile. The Executive Summary provides an overview of the organization's key risks and considerations and is usually communicated by a member of the organization's senior management. The Executive Summary also has the advantage of providing readers with a concise view of the key risks to the organization.
The following items may be included in an Executive Summary:
- A summary of the background and methodology section;
- Key risks and, if space allows, a risk statement or short description;
- A risk matrix that illustrates the residual risk exposure to the organization;
- A summary of risk responses; and
- A summary of next steps.
Given that the Executive Summary provides an overview of the Corporate Risk Profile in a brief, concise manner, this section is recommended.
Introduction
The Introduction should position the Corporate Risk Profile within the organization and briefly describe the factors that have informed its development.
The Introduction should include the following sections:
- Background; and
- Summary of Methodology.
Background
The Background provides a brief description of integrated risk management within the organization and the purpose of the Corporate Risk Profile.
The Background may include the following information:
- Purpose, scope and intended audience (staff, senior management, external partners, etc); and
- Rationale for integrated risk management in the organization and key messages from a senior management representative; for example, the organization's Chief Risk Officer.
This section is considered essential.
Summary of Methodology
The Summary of Methodology section is intended to provide a summary of the risk assessment methodology that was used to produce the Corporate Risk Profile. In this section, organizations should provide the reader with a clear explanation of how the risk assessment was conducted and why the approach was well-suited and relevant to the organization.
Section contents may include the following:
- A description of how the organization identified, assessed and evaluated its key risks and how the organization determined how to respond to those risks;
- A description of the frequency and timing of updates to the Corporate Risk Profile, including senior management review and approval process;
- A rationale that addresses why the organization selected the approach it took or employed particular techniques and how they are relevant to the needs of the organization.
Useful tips:
- Keep this section short and focus on the essential information that will help the reader understand the approach. Additional details can be included in Appendices.
- Explain why the approach was taken and the techniques used, so that readers (including Treasury Board, DAAC members) can understand their suitability.
- Address the scope of the Corporate Risk Profile (i.e. did the risk assessment consider all types of risks?).
- Include a description of the level of consultation (i.e. did the risk assessment include consultation throughout the organization? e.g.regions, all staff, all management).
- If the applied approach and techniques have changed since the last Corporate Risk Profile was written, explain the differences and why they were adopted. Consider including or referencing recent reviews that the organization may have undertaken and the relevant findings.
Given the importance of developing a common understanding of risk within the organization, which includes how the Corporate Risk Profile was developed, this section is considered essential.
Context
The Corporate Risk Profile should include information that situates the organization's risks in relation to its overall strategic objectives and operating environment. This section may be organized into the following two sections:
- Strategic Outcomes; and
- Operating Environment.
Strategic Outcomes
This section provides a summary of the organization's strategic objectives and outcomes and is considered essential. The information presented in this section may include a description of the organization's mandate, mission or vision statement, a list of its objectives and outcomes, and a list of senior management priorities, if available.
Helpful tips:
- Summarize objectives and outcomes and reference other organizational documents in an Appendix if more detail is required.
- Objectives and outcomes are typically defined in an organization's Program Activity Architecture, Management Resources and Results Structure, Performance Management Frameworks, Annual Report, or other similar documents. Choose the document that best reflects the organization's current objectives or outcomes.
- Small organizations may have less numerous, complex or diverse strategic outcomes resulting in a section that may be relatively brief and concise.
Operating Environment
This section provides a summary of the environment in which the organization operates and may include both internal and external influences. A description of the operating environment allows for a greater understanding of the conditions which exist, why the risks identified are important to the organization, and why the risk responses are appropriate and relevant. Depending on the organization, a brief description of the operating environment is recommended but not considered essential.
Section contents may include:
- A description of the organization in terms of its social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment; this may include key drivers or trends that have an impact on the objectives and/or operations of the organization;
- A description of the organization's governance structure, policy framework, strategies, capabilities, relationships, culture, information, business models, etc; this may include key drivers or trends that have an impact on the objectives and/or operations of the organization.
Helpful tips:
- Keep this section short and focused.
- Refer to appendices and/or other organizational documents such as business plans and environmental scans as required.
- Large organizations, and small organizations with highly complex mandates, may require more detailed descriptions to describe their operations.
Corporate Risk Profile Summary
The Corporate Risk Profile Summary provides readers with a concise view of the organization's top risks. This guide describes two key sections of the Summary. Depending on the organization's preference, this information may be outlined in this section of the Corporate Risk Profile or separately.
The sections are:
- Key Risks; and
- Key Risk Matrix.
Key Risks
This section identifies the key risks to which the organization is exposed and provides a description of each risk. This section also provides an overview of the risks to which senior management should divert most of their attention and gives staff, external partners and advisors a clear 'snapshot' of the organization's key risks. As a result, this section is considered to be essential.
Top risks should be listed according to their residual risk exposure. Risks should be labelled or named and accompanied by a risk description.
Helpful tips:
- This section may also include the attributes that describe the risk in more detail. Alternatively, organizations may prefer to develop a separate section; please refer to section 4.5 .
- Each department and agency should identify the key risks to their organization in the context of their strategic objectives and outcomes; key risks are those that have the greatest potential to impact the achievement of the organization's objectives and outcomes.
- Key risks can be listed alone or alongside the risk matrix.
Key Risk Matrix
The Risk Matrix is a tool that illustrates the ranking of risks based on an assessment of their likelihood and impact. The size of the matrix will depend on the organization's preference; some organizations use a 3x3 matrix while others use a 5x5 matrix. The Centre of Excellence on Risk Management recognizes that some Treasury Board Secretariat policies require a 3x3 matrix when reporting on risks. Organizations are encouraged to select a matrix size according to their needs and translate between matrices if required.
Given that the matrix demonstrates visually how each risk is ranked in accordance with likelihood and impact criteria, and where risks stand in relation to other risks, it is considered essential.
Useful Tips:
- Use a legend stating which risk corresponds to each dot or label on the matrix.
- Scales for likelihood and impact usually include a display of colour to represent exposure.
- Formatting the risk matrix (colours, number of cells in the grids, etc.) should reflect the methodology and approach that was followed and be tailored to the needs of the organization. There is no expectation that all organizations will present their risk matrix in the format illustrated below.
Example
| Risk Category | Risk Description |
|---|---|
| 1. Legal | There is a risk that insufficient legal and drafting support will be available to the program. |
| 2. HR Capacity | There is a risk that there will be insufficient HR capacity for scientific research. |
| 3. Program Delivery | There is a risk that research quality will diminish. |
| 4. Project Design | There is a risk that project design will not meet stakeholder and industry requirements. |
| 5. Business Processes | There is a risk that contractual instruments will be used inappropriately. |
Understanding Our Risks
This section may be merged with section 4.4 "Corporate Risk Profile Summary" should the organization prefer. Section 4.5 provides the opportunity for an organization to describe in greater detail its key corporate risks, how those risks are mapped to the organization's strategic outcomes and where there are potential inter-relationships between key corporate risks. Organizations may choose to group these three areas of analysis together under "Risk Details" or discuss them separately, depending on the depth and breadth of the information collected.
Risk Details
A description of Risk Details is considered essential. Organizations are encouraged to provide:
- A short risk statement that describes each risk. Risk statements are about future events, not current issues, and must identify those events in a clear and concise fashion. If issues are reoccurring, then the risks associated with managing those reoccurring issues should be stated.
- A reference to a relevant taxonomy that categorizes risks, if available. If a taxonomy is part of an organization's approach, then the applicable category to which the risk belongs should be identified.
- A description of the sources of risk (drivers, factors, trends) that influence the organization's exposure to risk. Include both internal and external sources which predispose the organization to the risk.
- A brief statement of the impact and outcomes of the risk should it materialize. Refer to "Mapping Risks to Strategic Outcomes" in this section for more detail.
- An assessment of the organization's inherent risk exposure.
- An assessment of the residual exposure in terms of likelihood and impact (as outlined in the risk matrix).
- A list of existing risk responses that are already in place or that require implementation, and that reduce the organization's exposure to the risk.
- Relevant risk indicators, performance indicators for risk responses, and relevant action plans.
- The Risk Owner(s) and related accountabilities; these should be identified as individual(s) or role(s) but not a committee.
Organizations are encouraged to link risk responses to other corporate documents as appropriate, (for example, investment plans, audit plans, etc.).
Example Risk Description
Human Resources
Risk I.D. and Statement
Risk F1. There is a risk that the organization may not be able to maintain the current number of staff in scientific job categories.
Risk Category
This risk belongs to the Human Resource Capacity category. The risk refers to insufficient HR capacity for scientific research.
Risk Sources
The organization is exposed to this risk due to the following factors:
- Increased private sector demand in the science and technology field;
- Increased demand for staff in scientific field within the federal government; and
- Insufficient retention and recruitment activities specific to the science and technology field.
Inherent Risk Exposure
If the risk were to materialize, consequences would be severe and could not be endured by the organization without sustaining extensive delays to research targets.
Existing Controls
The organization currently employs the following strategies to mitigate the risk:
- Communication with local colleges and universities to promote the organization as an employer of choice.
Residual Risk Exposure
If the risk were to materialize consequences would be significant, however, they could be endured by the organization by adjusting the research agenda and setting new targets. This may result in some activities being subject to review to address shortfalls.
Consequences & Strategic Outcome
- If not mitigated, the research targets would not be met;
- If not mitigated, the reputation of research excellence would be compromised;
- If not mitigated, the organization may lose the ability to provide the scientific community with timely, relevant information;
- If not mitigated, the organizational objectives may not be met.
Risk Evaluation
The organization's tolerance for human resource risks is within the moderate-high risk level. The organization evaluated the risk and the residual exposure remains outside our tolerance. Additional risk responses are proposed to increase the retention and recruitment rate over the next 2 years.
Risk Responses
Additional risk responses include renewal of staffing and retention policies, and accessing broader pools of qualified candidates to fulfil the scientific requirements of the organization.
- The organization will implement staffing policies that are streamlined and efficient.
- The organization will develop a retention program that will encourage long-term commitment.
- The organization will create a formal graduate recruitment program with universities across the country.
- The organization will create an internship program with colleges and universities to promote the organization.
Action Plan and Timelines
- Identify and establish partnerships with colleges and universities – Fall 2010;
- Develop communication and stakeholder engagement strategy – Fall, Winter 2010
- Establish and implement policy changes with the HR Branch – Spring, Summer 2011.
Indicators
- Organizational turnover rate in the science and technology category.
- Organizational retention and recruitment rates over the next two years.
- Analysis of research targets over the next 3 to 5 years.
Risk Owner & related Accountabilities
Owner: ADM, Research and Policy Branch
Related Accountabilities: ADM, HR Branch
Mapping Risks to Strategic Outcomes
As identified in Risk Details above, organizations should provide a statement which describes what the impact, result or effect would be if a key risk is not mitigated, including the consequences to an organization's strategic outcomes. These outcomes may be articulated as they relate to an organization's Program Activity Architecture, logic model or similar tool.
Mapping risks to strategic outcomes is essential as it provides additional insight for managers to understand which outcomes are susceptible to which risks. This information may be identified as part of the Risk Details or in a separate section, if preferred.
Helpful tips:
- Identify which strategic outcomes are exposed to which risks.
- Explain the significance of the analysis.
- Use the strategic outcomes identified in section 4.3 to anchor the mapping.
- The format of this information may vary depending on the organization. Diagrams may be used, a narrative may be used, or some combination of both.
- The format of the content may reflect the complexity of the organization and the sophistication of the analysis. There is no expectation that all organizations must present their analysis in a similar manner.
A chart may be used to map risks to strategic outcomes.
| Strategic Outcome | Risk Category | Risk Description |
|---|---|---|
| Security and Safety of Intellectual Property | Legal HR Capacity Program Delivery Project Design Business Processes |
|
| Environmental Safety | Program Delivery Program Design |
|
| Leading Research and Technology | Legal HR Capacity Program Delivery Program Design |
|
Risk Inter-Relationships
An organization may choose to provide a description and / or visual representation of how one risk may be influenced by the occurrence of another. Risk inter-relationships provide additional insight for managers to determine where they should focus their risk response and monitoring activities. It also allows readers to see risks in a holistic, horizontal manner. As such, the description of risk inter-relationships is recommended, but not essential.
Helpful tips:
- Describe the results of the analysis regarding which risks may influence other risks.
- Explain the significance of the outcome to the organization.
- Not all risks need to be inter-related.
- Organizations may wish to consider risks housed in program area registers, or the risks of an organization's portfolio or community of practice.
- The format of this section may include a narrative and / or matrix diagrams, charts, etc. The format of the risk inter-relationship section may reflect the complexity of the organization and the sophistication of the analysis. There is no expectation that all organizations must present the analysis in a similar manner.
| Corporate Risks | ||||||
|---|---|---|---|---|---|---|
| Legal | HR Capacity | Program Delivery | Program Design | Business Processes | ||
| Compounded Risk | Legal | N/A | No | Yes | Yes | Yes |
| HR Capacity | Yes | N/A | Yes | Yes | No | |
| Program Delivery | No | Yes | N/A | Yes | Yes | |
| Program Design | Yes | Yes | No | N/A | No | |
| Business Processes | Yes | No | No | Yes | N/A | |
Monitoring Our Risks
This section provides a description of how risks will be monitored and how the organization will report on the status and performance of the implementation of risk responses or action plans.
This section is essential.
Organizations should include a description of who is responsible for the monitoring and reporting function, as well as a description of how the Corporate Risk Profile will be updated when there are changes to:
- Business conditions.
- Internal governance structures.
- Risk exposure.
- Risk tolerance.
- Risk action plans.
- Changes to key risk indicators.
Organizations are encouraged to describe the governance for ongoing risk monitoring. The format of this section may include the use of diagrams and / or narratives, and may include the articulation of changes year over year, as outlined in the example below.
| Risk | Change | Rationale | Governance |
|---|---|---|---|
| HR Capacity | Decrease from high to moderate residual risk exposure from 2008-2009 to 2009-2010. |
Successful implementation of staffing policy amendments, and retention and recruitment program. |
ADM, Research & Policy ADM, HR Branch |
The year over year analysis may also be mapped to a risk matrix.
Key Trends 2008-2009 to 2009-2010
Example Legend: S-10, HR Capacity, decreases in likelihood and impact.
Using Risk Information
This section describes how the risk assessment information outlined in the Corporate Risk Profile will be incorporated into corporate planning, reporting and other decision-making functions. This section is considered essential as it describes how the Corporate Risk Profile promotes risk-informed decision-making.
Organizations should describe how the Corporate Risk Profile will be used and how risk information will be integrated into key decision-making processes within the organization; this may include planning, reporting, policy development, legal analysis, financial analysis, audit and evaluation.
How organizations choose to use risk information will vary, depending on their mandate and core business functions. For example, organizations with a focus on grants and contributions may routinely refer to and report on key financial, project management and stakeholder management risks when developing briefings or reports. Similarly, organizations with a strong science-based mandate or those with a regulatory mandate may routinely refer to and report on risks relating to research and development, values and ethics and legal risks.
The articulation of risks, mitigations, benefits and drawbacks are fundamental elements in the development of key policy documents, including memos and briefings to senior management, memoranda to cabinet, Treasury Board submissions, and other strategic analytical tools.
As such, the Corporate Risk Profile provides access to timely risk information that is important to the development of policy. Risk information is vital in the development of policy and program options, because it adds value to the articulation of policy or program benefits and drawbacks, which improves the decision-making process. For example, the integration of risk information to highlight the benefits and drawbacks of new developments or technologies may highlight great implementation challenges but at the same time, highlight to decision-makers the opportunity to add value to the lives Canadians and the economy.
Organizations should make full use of their Corporate Risk Profile to improve their decision-making processes, improve the quality of their briefings to senior management and Central Agencies and to improve their overall management practice.
Appendices
It is recommended that appendices be used to reference detailed information such as policies, risk assessment methodology, and secondary risk registers. The Appendix should also include a glossary of key terminology. Other examples of recommended reference material could include likelihood and impact scales, which depict the criteria of how the likelihood and impact of each risk was assessed in the context of the organization.
Contact Information
For more information, please contact TBS Public Enquiries.
Page details
- Date modified: