Guide to Integrated Risk Management
A recommended approach for developing a Corporate Risk Profile
Table of Contents
- 1 Introduction
- 2 Overview of the TBS Framework for the Management of Risk
- 3 Integrated Risk Management – Overview
- 4 Getting Started – Planning and Designing the Approach and Process
- 5 Putting It in Place – Implementing Integrated Risk Management
- 6 Doing It – Practicing Integrated Risk Management
- 7 Improving it – Continuously Improving Integrated Risk Management
- 8 Contact Information
- Appendix A – Interdepartmental Working Group
1.1 About this Guide
This Guide is intended to help strengthen Canadian federal public sector integrated risk management practices by providing organizations with guidance in the design, implementation, conduct and continuous improvement of integrated risk management that will result in a risk-informed approach to management throughout the organization ultimately leading to better performance.
The Guide is intended as a companion document to the principles-based TBS Framework for the Management of Risk (2010). It elaborates on the principles in the Framework and provides practical guidance and considerations for operationalizing these principles as part of an organization's integrated risk management strategy. It also provides information about linkages to some generic risk management resources such as processes, practices, tools and templates that may be adapted to the circumstances of specific federal organizations, depending on their size, mandate, organizational structure and lines of business.
How to Use this Guide
This section (section 1) of the Guide presents the purpose of the Guide along with an overview of developments in the area of risk management over the past few years as well as the drivers for renewing and strengthening risk management in the federal government. Section 2 provides an overview of the TBS Framework for the Management of Risk, including an overview of key concepts that underlie both the Framework and this Guide, and an elaboration of the principles, roles and responsibilities that are outlined in the Framework. Section 3 provides general information about establishing risk management practices in an organization while sections 4 through 7 provide practical guidance and considerations in the design, implementation, conduct and continuous improvement of a risk management approach and supporting risk management process for an organization.
Depending on how far an organization has evolved in its implementation of integrated risk management (just starting or using well entrenched risk management processes), it will want to focus on the sections of this Guide that best reflect the areas that can help the organization move closer to a cohesive and consistent approach to risk-informed decision-making and hence better overall performance.
This Guide has been developed through a collaborative, community building, interdepartmental process, led by the TBS Centre of Excellence on Risk Management. It is intended for use by all federal public servants as a source of information regarding the management of risk in federal departments and agencies. For those working more directly in the area of risk management (e.g. risk practitioners, audit community, planning and oversight community, etc.), this Guide provides practical guidance for fulfilling their responsibilities. The Guide updates elements of the Integrated Risk Management Framework (2001) and the Integrated Risk Management Implementation Guide (2004) which have been superseded by the Framework for the Management of Risk (2010) and this Guide respectively. It is also informed by national and international developments in the field of risk management, and the evolving approach within the Government of Canada.
In general, this Guide is intended to help organizations strengthen their overall integrated risk management practices. While this Guide provides organizations with detailed information regarding the various elements that should be considered when designing, implementing, conducting and improving integrated risk management, it does not provide specific requirements regarding risk management practices as the resulting risk management approach and processes will be specific to the requirements of each organization depending on its mandate, priorities, risk exposure, organizational risk culture, risk management capacity, and partner and stakeholder interests among other factors.
It should also be noted that as this Guide provides general guidance on designing and implementing an integrated risk management approach, it is not intended to provide specific details on the elements covered during TBS' assessment of departments' and agencies' performance on integrated risk management as part of the Management Accountability Framework (MAF).
Developments in Risk Management
Risk management is recognized as a core element of effective public administration. In a dynamic and complex environment, organizations require the capacity to recognize, understand, accommodate and capitalize on new challenges and opportunities. The effective management of risk contributes to improved decision-making, better allocation of resources and, ultimately, better results for Canadians.
Risk management has been identified as a key component of modern management in the Canadian federal government for over a decade. In response to the vision and commitments of the Report of the Independent Review Panel on Modernization of Comptrollership in the Government of Canada (1997) and Results for Canadians: A Management Framework for the Government of Canada (2000), the Treasury Board of Canada Secretariat (TBS) issued an Integrated Risk Management Framework (IRMF) (2001) and accompanying Integrated Risk Management Implementation Guide (2004). The 2001 Framework and 2004 Guide were developed to help Canadian federal organizations implement basic risk management practices in their organizations.
Following the release of these documents, many federal organizations established integrated risk management functions. In addition, most organizations implemented tools and mechanisms to systematically identify and capture information on key risks to their organization and associated response strategies, often documenting this information in the form of a Corporate Risk Profile (CRP), or other similar document.
Risk management in the federal government also progressed from an oversight and central agency perspective. In 2003, TBS initiated the MAF, a tool for TBS to assess management performance in selected Government of Canada organizations. One of the key management areas that the MAF continues to assess is the effectiveness of integrated risk management.
In addition, the government-wide Web of Rules initiative adopted risk management principles in order to streamline oversight instruments to focus on the right rules, reporting, and administrative processes, and to strengthen the government's capacity to deliver value while protecting against key challenges, preserving accountability, encouraging risk-informed decision-making, and driving better performance.
Risk management capacity and support was also strengthened across the government through the establishment of Department and Agency Audit Committees (DAAC) as required by the Policy on Internal Audit (2009), a TBS Centre of Expertise on Grants and Contributions in 2007, a TBS Centre of Regulatory Expertise (CORE) also in 2007, and, in August 2008, the re-establishment of a TBS Centre of Excellence on Risk Management, which acts as a government focal point to support the risk management efforts of federal organizations.
Beyond the Canadian public sector, risk management standards have evolved at the national (i.e. Canadian Standards Association (CSA)) and international (i.e. International Organization for Standardization (ISO)) levels.
Globally, the risk management field has greatly evolved in recent years providing significant opportunities to further advance risk management practices, processes, and culture across the federal government.
Renewal of Risk Management in the Government of Canada
Given the developments outlined above, a renewed and strengthened approach to risk management in the federal government was encouraged in two reports released in early 2009. The Third Report of the Prime Minister's Advisory Committee on the Public Service (2009) expressed a need to renew the federal risk management approach and strengthen risk management capacity through a principles-based approach. Similarly, the Sixteenth Annual Report from the Clerk to the Prime Minister on the Public Service of Canada (2009) stated that the public service should adopt a "whole of government" principles-based approach to risk management in applying necessary rules and procedures. The Fourth Report of the Prime Minister's Advisory Committee on the Public Service (2010) acknowledged the work done to date in developing a principles-based approach to risk management and noted that developing a culture of innovation, founded on well-considered risk management, is essential to a high-performing public service that is accountable, adaptable and focused on results.
The recommendation to adopt a principles-based approach to risk management was implemented with the release of the TBS Framework for the Management of Risk in 2010. This Framework is part of TBS's Policy Suite Renewal exercise, which is an effort to ensure that the type of TBS policy instrument used to oversee a particular area of administration is proportional to the level of risk associated with that area. As a result, many TBS policies have been renewed with a risk-based approach.
Another activity that demonstrates the adoption of a principles-based approach to risk management in the federal government is the application of a risk-based approach to Budget implementation associated with Canada's Economic Action Plan in 2009 and 2010, whereby a streamlined oversight approach was put in place for proposals with demonstrated lower risk. Also beginning in 2009, a risk-based approach was implemented for all areas of management under the annual MAF process.
These applications of risk-based approaches to management in the federal government have further demonstrated the importance for departments and agencies to continually develop their capacity to effectively manage their risks. This Guide is intended to help departments and agencies in this regard.
2 Overview of the TBS Framework for the Management of Risk
2.1 Key Concepts
Key concepts relating to the management of risk that underlie both the Framework for the Management of Risk and this Guide are outlined below.
Risk is unavoidable and present in virtually every human situation. Public and private sector organizations face risks every day. The word risk generally connotes the notion of loss, injury or hazard. However, the commonly accepted modern definition of risk is "the effect of uncertainty on objectives". The TBS Framework for the Management of Risk and this Guide explicitly adopt this neutral definition of risk, recognizing that risks involve both threats and opportunities.
Technically speaking, a risk is the expression of the likelihood and impact of an event with the potential to affect the achievement of an organization's objectives. The phrase "the expression of the likelihood and impact of an event" implies that, as a minimum, some form of quantitative and/or qualitative analysis is required for assessing risks. For each risk, two calculations are required: its likelihood or probability of occurring and the extent of the impact or consequences, should it occur. It should be emphasized that as risk is about the effect of uncertainty, and therefore future-oriented, risks are distinct from existing issues, problems, or business conditions, where likelihood of occurrence would not be an issue.
The risk level prior to taking into account existing controls and any existing risk responses is referred to as the "inherent" risk level. The remaining risk level after taking into account existing controls and any existing risk responses is referred to as the "residual" risk level.
Risk management, which involves a systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, making decisions on, and communicating risk issues, is an integral component of good management. It does not necessarily mean risk avoidance in the case of potential threats. Rather, risk management equips organizations to make decisions that are informed by an understanding of their risks, and ultimately to respond proactively to change by mitigating the threats, and capitalizing on the opportunities, that uncertainty presents to an organization's objectives.
Sound risk management can lead to more effective, results-based, and high performance government. In turn, increased capacity and demonstrated ability to assess, communicate and respond to risks builds trust and confidence, both within the government and with the public.
Integrated Risk Management
Risk management cannot be practiced effectively in silos. As a result, integrated risk management promotes a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective in a cohesive and consistent manner. It is about supporting strategic decision-making that contributes to the achievement of an organization's overall objectives. It requires an ongoing assessment of risks at every level and in every sector of the organization, aggregating these results at the corporate level, communicating them and ensuring adequate monitoring and review. Integrated risk management involves the use of these aggregated results to inform decision-making and business practices within the organization.
In order to foster a risk-informed culture and capacity to fully realize performance improvements within federal organizations, proactive risk management must be reflected across all business practices. A risk-informed approach to management builds risk management into existing governance and organizational structures, including business planning, decision-making and operational processes. It also ensures that the workplace has the capacity and tools to be innovative while protecting the public interest and maintaining public trust.
Risk culture refers to the attitudes and behaviours found within an organization that are associated with risk management. This includes elements such as whether an organization views risk management as an inherent part of good decision-making, or simply as a reporting requirement; whether an organization tends to be risk averse, or views risks as including potential opportunities; and whether risk management is embedded at all levels of an organization, or is a top-down process only.
Risk tolerance is the willingness of an organization to accept or reject a given level of residual risk. Risk tolerance may differ across the organization, based on operating environment, stakeholders, etc., but must be clearly understood by the individuals making risk-related decisions on a given issue. Clarity on risk tolerance at all levels of the organization is necessary to support risk-informed decision-making and foster risk-informed approaches.
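The definitions above (a risk expressed as likelihood and impact, the inherent level before controls, the residual level after controls, and a tolerance against which the residual level is judged) can be shown as a small risk register. The following Python is an added illustration and is not part of the Guide or of any TBS tool; the 5x5 ordinal scales, the rule that each existing control subtracts a fixed number of points from a rating, the tolerance value and the three sample risks are all constructed for the example.

```python
"""Toy corporate risk register: inherent vs. residual scoring against a tolerance.

Added illustration, not part of the TBS Guide. The 5x5 scales, the additive
control model, the sample risks and the tolerance values are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Ordinal scales (constructed; an organization defines its own descriptors).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """An existing control and how many scale points it removes (constructed model)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: str                      # a key of LIKELIHOOD
    impact: str                          # a key of IMPACT
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> Tuple[int, int, int]:
        """(likelihood, impact, score) before any existing control is counted."""
        lik, imp = LIKELIHOOD[self.likelihood], IMPACT[self.impact]
        return lik, imp, lik * imp

    def residual(self) -> Tuple[int, int, int]:
        """(likelihood, impact, score) after existing controls.

        Each rating is floored at 1: a control lowers a rating but never turns
        an uncertain event into an impossible one.
        """
        lik, imp, _ = self.inherent()
        lik = max(1, lik - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, imp - sum(c.impact_reduction for c in self.controls))
        return lik, imp, lik * imp


def needs_response(register: List[Risk], tolerance: int) -> List[Risk]:
    """Risks whose residual score exceeds the tolerance, highest score first.

    Tolerance is a parameter because it may differ across the organization;
    a risk at or below tolerance is accepted at its residual level.
    """
    over = [r for r in register if r.residual()[2] > tolerance]
    return sorted(over, key=lambda r: r.residual()[2], reverse=True)


# Constructed sample register.
REGISTER = [
    Risk("R1", "Unpatched internet-facing service is exploited", "likely", "major",
         [Control("monthly patch cycle", likelihood_reduction=2),
          Control("network segmentation", impact_reduction=1)]),
    Risk("R2", "Loss of a key supplier delays program delivery", "possible", "moderate",
         [Control("secondary supplier on contract", impact_reduction=1)]),
    Risk("R3", "Phishing leads to credential theft", "almost certain", "severe",
         [Control("MFA on all accounts", likelihood_reduction=1, impact_reduction=2)]),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(r.risk_id, "inherent", r.inherent()[2], "residual", r.residual()[2])
    print("exceed tolerance 6:", [r.risk_id for r in needs_response(REGISTER, 6)])
```

Two points the register makes concrete: the same residual score (R1 and R2 both land at 6) can arise from very different inherent levels, so reporting only the residual figure hides how much the organization depends on its controls; and the tolerance comparison is a separate decision from the scoring, which is why it is passed in rather than hard-coded.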
2.2 About the Framework for the Management of Risk
As stated in section 1.2, in response to key drivers for a renewed government-wide risk management approach, TBS developed a Framework for the Management of Risk (2010) which provides Deputy Heads with principles to embed risk management as a critical element in all areas of work, at all levels of their organization. The Framework is a core element of TBS' renewed policy suite, along with the Foundation Framework for Treasury Board Policies and the Framework for the Management of Compliance. The Framework for the Management of Risk complements the conceptual model for policy renewal set out in the Foundation Framework, as well as the considerations for managing compliance identified in the Framework for the Management of Compliance. These three core frameworks enable effective management of federal organizations by promoting accountability and transparency.
More specifically, the Framework for the Management of Risk provides broad risk management principles and clarifies the roles and responsibilities of Deputy Heads and TBS with respect to risk management. The principles, roles and responsibilities articulated in the Framework inform the development of, and apply to, all Treasury Board policy instruments, some of which have embedded risk management requirements specific to their policy coverage. In addition to informing the development of Treasury Board policy instruments, the Framework also sets out expectations for Deputy Heads, and their departments and agencies, in leading the implementation of effective risk management practices in federal government organizations. This Guide provides further guidance in this area to help federal organizations operationalize those expectations.
The Framework reaffirms the core principles and approaches for risk management that have been in place in the Government of Canada since 2001 and reflects, where appropriate, international and national standards related to risk management including the ISO 31000 Risk Management Standard.
The principles, roles and responsibilities that are articulated in the Framework are further elaborated in sections 2.3 and 2.4.
2.3 Risk Management Principles
The Framework's principles, listed below, guide organizations towards effective risk management. Effective risk management in the federal government should:
- support government-wide decision making and priorities as well as the achievement of organizational objectives and outcomes, while maintaining public confidence;
- This principle encourages organizations to implement risk management in a manner that contributes to the whole-of-government agenda. In general, the risk management practices should allow for the identification of risk information throughout the organization that can be used to support government-wide decision-making, and should also be flexible enough to evolve with changing government priorities.
- The risk management approach adopted by an organization should also support internal decision-making by enabling organizations to identify and manage risks which are specific to their own objectives and expected outcomes. Using risk-informed decision-making in the achievement of federal and organizational objectives can help maintain public confidence in federal public sector management. See also section 5.1 – Implementing the Risk Management Approach and Process.
- be tailored and responsive to the organization's external and internal context including its mandate, priorities, organizational risk culture, risk management capacity, and partner and stakeholder interests;
- This principle encourages organizations to implement risk management in a manner that is tailored to their organization's specific environment and needs and in a manner that is also responsive to changes in the environment and needs. There is no "one-size-fits-all" approach to risk management and organizations should consider their own context when determining an appropriate approach.
- This also means that the risk management approach should reflect and consider both the input of employees and managers as well as external partners and stakeholders. See also sections 4.1 – General – and 4.2 – Understanding the Organization and its Context.
- add value as a key component of decision-making, business planning, resource allocation and operational management;
- This principle encourages organizations to use their risk management processes and resulting risk information to support all of their management practices and to enhance the decision-making process. Risk management should not be a stand-alone practice; instead, it should be embedded into organizational structures and processes. See also section 5.1 – Implementing the Risk Management Approach and Process.
- achieve a balance between the level of risk responses and established controls and support for flexibility and innovation to improve performance and outcomes;
- This principle encourages organizations to adopt strategies which appropriately respond to threats while not being overly restrictive, and to consider opportunities. With this balance, the risk management approach can contribute to the improvement of the organization's overall performance, outcomes, and results in an effective manner. See also section 4.6 – Defining the Risk Management Process.
- be transparent, inclusive, integrated and systematic; and
- This principle encourages organizations to conduct risk management in a manner that is:
  - transparent in its execution, including transparency about the results of risk management processes so that they may inform decision-making throughout the organization;
  - inclusive by involving all relevant stakeholders and decision makers at all levels of the organization in the overall risk management approach and in risk assessment processes;
  - integrated in that risk management should be an integral part of all decision-making and applied throughout the organization; and
  - systematic in that risk management processes are explicitly defined and structured to enable consistency, effectiveness, and timeliness.
  See also sections 4.7 – Establishing Communications and Reporting Mechanisms – and 5.1 – Implementing the Risk Management Approach and Process.
- continuously improve the culture, capacity and capability of risk management in federal organizations.
- This principle encourages organizations to continually monitor, review and improve their specific risk management approach and processes to ensure their effectiveness, efficiency and relevance in supporting the organization's overall performance. This will enable risk management to mature within the organization. In general, risk management should evolve in order to bring about improvements in the risk management culture, capacity and capability over time. See also sections 5.2 – Providing the Environment and Infrastructure – and 7 – Continuously Improving Integrated Risk Management.
While not directly applicable to the implementation of risk management in individual departments and agencies, the Framework also provides guidance to TBS with respect to Treasury Board policy instruments and associated oversight activities. In addition to being aligned with the above principles, Treasury Board policy instruments and associated oversight activities are also guided by the following principles:
- Treasury Board policy instruments should target risks linked to achieving federal government management objectives;
- This principle encourages TBS, as a central agency, to develop and renew policy instruments so that they contain risk-based approaches. This means that policy instruments should set expectations to encourage departmental performance that minimizes threats to federal government management objectives and maximizes opportunities for improvement.
- these instruments should be proportional to the degree of impact and likelihood of the risks identified; and
- This principle encourages TBS, as a central agency, to renew policy instruments so that their oversight and compliance components are flexible enough to reflect the severity of potential risks. As such, policy instruments would allow for more stringent controls in areas of potentially severe impact, while flexible authorities may be granted to areas where risks are less severe.
- oversight should be adjusted to correspond to an organization's capacity for managing risk, where circumstances permit.
- This principle encourages TBS, as a central agency, to tailor its oversight activities to individual organizational needs by taking into account an organization's risks and capacity and demonstrated ability to manage these risks. In doing so, resources and oversight activities should be targeted to areas with higher levels of threat.
2.4 Roles and Responsibilities of Deputy Heads and TBS
Deputy Heads are responsible for managing their organization's risks by leading the implementation of effective risk management practices, both formal and informal. This includes establishing the organization's overall risk management approach and ensuring that supporting processes are in place. In doing so, Deputy Heads are encouraged to apply the principles outlined in section 2.3.
A key role of the Deputy Head is to ensure that risk management principles and practices are understood and integrated into the various activities of his/her organization. Deputy Heads are also responsible for monitoring risk management practices in their organizations, as well as considering risks that arise when partnering with organizations within and external to the federal public service. This includes ensuring that issues affecting the organization's risk management approach, whether identified through assessments or internal and external monitoring, are examined, reviewed and addressed effectively.
In addition, Deputy Heads play an important role in creating a learning environment that promotes continuous improvement in risk management competencies and capacity within their organization. Through their leadership, Deputy Heads foster a risk-informed organizational culture that supports risk-informed decision-making, enables dialogue on risk tolerance, focuses on results and enables the consideration of both opportunity and innovation.
Treasury Board and Treasury Board of Canada Secretariat (TBS)
The Treasury Board and TBS also have a role to play in strengthening risk management in federal departments and agencies. A key element of the Treasury Board's role, as well as the role of TBS, is to encourage management excellence in government through leadership, guidance, monitoring, review and oversight, pursuant to the authority outlined in the Financial Administration Act.
To fulfill this role in the domain of risk management, the Treasury Board and TBS are responsible for providing guidance, tools and expertise to support departments and agencies in implementing a risk-informed approach to management. This role also includes performing a leadership role by sharing information and fostering good practices on risk management and risk-informed approaches.
TBS is also responsible for monitoring and assessing departmental and agency performance on risk management through such means as the MAF, and reviews of internal and external audits. These assessments may be used to inform discussions between the Secretary of the Treasury Board and Deputy Heads.
Evidence that a federal department or agency has effective risk management practices in place may lead to Treasury Board and TBS oversight being adjusted to an organization's capacity for managing risk, where circumstances permit. Conversely, ineffective risk management may lead to additional controls and oversight. Where necessary, TBS may encourage Deputy Heads to undertake appropriate remedial measures in support of their responsibilities for the monitoring of risk management within their organization.
3 Integrated Risk Management – Overview
Risk management should be a fundamental underpinning of good management and decision-making at all levels of an organization. Risk management does not operate in isolation but needs to be built into existing decision-making structures and processes in order to support planning, priority setting, program management, financial reporting, audits and evaluations, the development of corporate business plans, business continuity, operations and performance assessment and other key functions throughout an organization at the departmental, branch and program levels. Embedding risk management into an organization's structures and programs using a consistent risk management process creates a cohesive integrated risk management environment.
Organizations that practice risk management in an integrated manner generate better information for decisions thereby improving on the achievement of their objectives. It is essential, therefore, to link risk management directly with the achievement of objectives at every level of the organization. If risk management does not appear to be helping decision-making, it might come to be seen as an additional administrative requirement that can be ignored.
The steps taken to implement integrated risk management in various organizations may differ greatly as will the resulting risk management approach and process. However, at a high level, there are a number of elements that could be considered when designing, implementing, conducting and improving integrated risk management in any organization. These elements are presented in the following sections and provide guidance to help organizations strengthen their overall integrated risk management practices. They are organized as follows:
- Getting Started – Planning and Designing the Approach and Process
- Putting It in Place – Implementing Integrated Risk Management
- Doing It – Practicing Integrated Risk Management
- Improving it – Continuously Improving Integrated Risk Management
In providing this guidance, two key components of an organization's integrated risk management strategy are focused upon: the risk management approach (see footnote 1), which provides the overall framework for the management of risk within an organization, and the risk management process, which provides the organization with a specific set of steps for managing risks in a consistent manner.
Risk Management Approach
The success of integrated risk management is dependent on the effectiveness of the risk management approach which provides the overall context for integrated risk management in the organization along with the various instruments required to design, implement, monitor, review and continually improve risk management throughout all levels of an organization in a cohesive and consistent manner. A risk management approach is not a particular management system or methodology and is dependent on the organization's specific needs. The risk management approach adopted by an organization will provide the framework for embedding the risk management process and effectively managing risks at all levels of an organization. The result is a risk-informed approach to management.
A risk management approach provides a picture of risk management within the overall policy, program, planning, and audit and evaluation processes for the organization. Depending on the size, needs and complexity of an organization, the instruments of a risk management approach may include such things as policies, objectives, plans, relationships, accountabilities, resources, processes and activities which are used for designing, implementing, conducting, monitoring, reviewing and continually improving risk management throughout the organization.
The risk management approach establishes the context of the risk management process by providing a framework and adequate resources.
Risk Management Process
Generically, the risk management process can be thought of as a series of inter-connected and inter-related steps that are repeatable and verifiable. It offers a systematic way to structure the identification, assessment, response, communication and monitoring of significant risks through an established governance structure. In addition to assisting individuals in their day-to-day decision-making, such a process can also bring a strategic and comprehensive focus to addressing the broader key risks that require sustained attention by senior management in any organization.
4 Getting Started – Planning and Designing the Approach and Process
The purpose of this section is to provide guidance to federal departments and agencies in designing: 1) a risk management approach which will develop, structure and strengthen risk management within their organizations by embedding risk management into their organizational structures and processes and 2) a risk management process needed to operationalize risk management across the organization.
While the risk management principles outlined in the TBS Framework for the Management of Risk (see section 2.3) represent the minimum requirements or considerations that should underlie any approach, departments and agencies should use elements of this Guide to design a risk management approach and process that are tailored to their organizational needs. Not all elements will be applicable in the design of every risk management approach and process nor will the same level of detail be required for any particular element. As a result, the structure of risk management approaches and processes will vary considerably among organizations.
In general, the resulting risk management approach and process should be documented in some manner to facilitate their implementation (outlined in the next section) as well as provide a means to communicate the approach to all stakeholders, thereby ensuring a common and clear understanding.
To assist with the design process, staff should be provided with the training and other resources needed to ensure that they have the appropriate skills, competencies and experience to carry out their responsibilities. General competencies for staff involved in the design activities may include:
- knowledge of an organization's overall management framework including roles, responsibilities, accountabilities, reporting structures and escalation procedures;
- understanding of risk management and how to apply it to their area of responsibility; and
- ability to engage in discussions about risk.
Regardless of the process used to design a risk management approach and process, there are several activities which are likely to occur at some point in the design process. They include:
- developing an understanding of the organization and its context in order to identify factors that could significantly influence the design of the approach and process;
- developing an overall risk management policy statement that is organization specific and supported by senior management;
- specifying accountabilities for risk management within the organization;
- allocating resources for implementing and supporting risk management within the organization;
- outlining a standard risk management process including common terminology; and
- establishing communication and reporting mechanisms for risk management.
These activities are described in sections 4.2 through 4.7.
4.2 Understanding the Organization and its Context
When designing a risk management approach and process, it is important to examine the internal and external context of the organization. By establishing the context, the organization articulates its objectives, and defines the external and internal parameters to be taken into account when managing risk. These internal and external factors may be identified through a scan which can be used to shape the design of the risk management approach and process.
In conducting an internal and external scan, organizations may want to look at:
- results of audits, evaluations, reviews or other documentation that provide information regarding the organization's risk management, strategic leadership, values and ethics, integrated performance information, stewardship, and accountability;
- departmental strategic planning documents such as the corporate plan, departmental performance report (DPR), report on plans and priorities (RPP), capital assets, and functional plans;
- input from affected and interested parties such as Parliament, clients, the public and other stakeholders; and
- key external scanning factors (e.g., social, economic, etc.).
In addition to information collected during the scan, it is important to develop an understanding of the organization's willingness to accept the possibility of negative events and its openness to opportunities in the pursuit of an objective or outcome. An organization's tolerance for risk varies with its culture and with evolving conditions in its internal and external environments. Risk tolerance can be determined through consultation with affected parties, or by assessing stakeholders' response or reaction to varying levels of risk exposure. Consideration may be given to the following elements to get an understanding of the organization's risk tolerance level:
- the organization's overall risk culture;
- how risk tolerance may have influenced the design of existing tools (e.g., heat maps, risk assessment scales, escalation processes, etc.);
- how the organization has reacted to past risk events and issues including the type and extent of risk responses, and employees' understanding of the risks taken by themselves, their team or group and the department;
- how stakeholders have reacted to past risk events and issues, and employees' understanding of the risk tolerances of key stakeholder groups and/or consultations with stakeholders on risk tolerances;
- the operating policy framework (i.e., acts, regulations, TB and departmental policies, directives and guidelines, and levels of delegation of authority) as governing instruments generally articulate acceptable departmental practices and expectations in given circumstances; and
- other organizational information such as the organization's performance expectations and actual performance.
Under the leadership of senior management, an organization may choose to express tolerance from the perspective of the organization as a whole or for different types of risks, which may then be applied to individual risks during the risk management process and inform the type and extent of risk response for a given risk (see section 4.6 for further discussion of risk tolerance within the risk management process). When starting out, it is important to note that risk tolerance may vary between and even within organizations, and can be influenced by mandate, stakeholder views, and organizational culture.
Note: See section 5.2 for discussion on advancing risk tolerance within the organization.
4.3 Establishing and Articulating Direction for Integrated Risk Management
The establishment and articulation of the organization's overall direction for integrated risk management, including vision, objectives and operating principles, supports the successful integration of the risk management function into the organization. A clear articulation of the vision, objectives and operating principles could also help foster the creation and promotion of a supportive risk management culture. The organization should consider making a statement that clearly articulates the organization's objectives for integrated risk management activities, and demonstrates a commitment to implementing integrated risk management throughout the organization. This statement may be a specific risk management policy or similar document but, in support of risk management as an integral part of all the organization's structures and processes, it may best be included in existing corporate policies regarding the organization's objectives and commitments. Establishing and articulating the organization's direction for integrated risk management provides the high-level framework for further design activities.
When establishing and articulating the overall direction for integrated risk management, an organization may wish to consider:
- the rationale for managing risk, including internal and external contexts;
- links between the organization's mandate and objectives and the risk management objectives;
- the necessary and appropriate accountabilities and responsibilities for managing risks;
- the way in which conflicting interests are managed;
- the commitment to adequately resource risk management activities;
- the manner in which risk management will be integrated into the organization;
- mechanisms for escalating risks and reporting on risks;
- the methodology in which risk management performance will be measured and the avenues for reporting risk management performance; and
- the commitment to review and update the risk management approach as appropriate, whether in response to an event or based on an appropriate periodic cycle.
Aligning the risk management vision and objectives with corporate objectives and strategic direction helps make risk management meaningful and relevant to all employees.
As mentioned in section 2.4, Deputy Heads are ultimately accountable for the implementation of risk management within their organization. However, other accountabilities throughout the governance structure can ensure that key risks have been appropriately managed (identified, assessed, responded to, communicated, monitored, adjusted as required, and reported on), including quality assurance mechanisms. In the design of an approach and process, clear risk management roles, responsibilities and networks should be defined at appropriate levels within the organization, relative to its size and complexity. In determining and documenting the appropriate accountabilities, organizations should consider:
- specifying appropriate risk owners that have the accountability and authority to manage risks;
- ensuring the organization's governance structures support the required levels of accountability and authority for the risk owners;
- identifying the appropriate office for the development, implementation, and maintenance of the risk management approach and associated processes;
- communicating that all staff have a role to play in identifying and managing risks;
- establishing performance measurement and internal and/or external reporting and escalation processes; and
- ensuring appropriate levels of recognition, reward, approval and sanction.
Appropriate resources (people, tools, etc.) need to be allocated for the design, implementation and maintenance of the risk management approach and process as well as for the ongoing conducting of risk management activities. With respect to resourcing, upfront investments could be necessary for the initial phases of design and implementation. Departments that have made substantial progress in implementing risk management have recognized the need for an initial investment of dedicated resources. Start-up costs (time, attention, training, systems, and communications) may be incurred until the practice becomes an integral part of organizational structures and processes. It may take time and effort to gain momentum, train managers and specialists, and establish good tools and processes. Once fully implemented, initial start-up investments may be re-allocated as appropriate.
There is no standard size or allocation of resources for integrated risk management activities. Departments and agencies are encouraged to determine their own specific needs based on their current situation and make adjustments accordingly. In order to assess resource requirements for establishing and maintaining a risk management approach and process, it is important to identify the nature, adequacy, and usefulness of existing organizational tools, techniques, human resources skills, and expertise for managing risk to determine incremental requirements. Key resource considerations could include, but are not limited to:
- the people, skills, experience and competence necessary to design and implement the risk management approach and process throughout the organization including determining the most appropriate approach and process, working with staff to embed risk management into their structures and processes, educating staff, putting tools in place, etc.;
- the people, skills, experience and competence necessary to conduct risk management activities on an ongoing basis;
- the people, skills, experience and competence necessary to maintain the approach and process along with supporting procedures;
- the organization's existing processes, methods and tools (including systems and technologies) that can be used for managing risk;
- incremental requirements with respect to processes, methods and tools (including systems and technologies) needed for managing risk;
- the necessary training programs for the organization's staff to ensure a common understanding of and approach to risk management (e.g. common language and terminology); and
- any resource constraints that could require trade-offs during the development and execution of risk management processes.
In the ongoing management of risks, specific attention should be given to the allocation of resources for risk response activities. While identifying and analyzing risks is much easier to embed into day-to-day decision-making activities, specific resources may need to be assigned to risk response action items. These resources should be at the appropriate level given the severity of the risk and should take into account any necessary trade-offs due to resource constraints. It is important to note that resource allocations should be aligned with the level of risk to be managed, with resources being focused on the main risks – not necessarily every risk.
Also refer to section 5.2 (Providing the Environment and Infrastructure) to help identify resource requirements.
4.6 Defining the Risk Management Process
A risk management process is needed to operationalize integrated risk management across the organization in a consistent manner. The development of a cohesive and integrated set of mechanisms for identifying, assessing, responding to, communicating and monitoring risk in the form of a "risk management process", informed by the organization's risk management approach, can enable federal organizations to better understand the nature of the risks that affect their mandate and to manage these risks more systematically.
The risk management process, once defined, would be used to conduct formal risk assessments (such as the preparation of a CRP) and would also be embedded into existing structures and processes (as described in the next section) in order to support risk-informed decision-making.
The risk management process is designed to identify potential events or conditions and to then manage risk at all levels of an organization within established or evolving risk tolerances (see section 4.2 for further discussion on risk tolerance), and to provide reasonable assurance regarding the achievement of objectives and desired outcomes.
As with the risk management approach, the risk management process should be reflective of the organizational culture, corporate processes and stakeholder base of a given department or agency. Consideration of these factors in the development of the overall approach will facilitate the development and implementation of the risk management process by setting the tone at the top of the organization and building engagement and consensus at the strategic, operational and business/project levels.
The risk management process provides common language and allows organizations to tailor their activities at the local level. The risk management process should be flexible enough to be applied at different levels in a department or agency and to programs, sub-activities or projects. The process should also endeavour to incorporate the concept of opportunity, where possible. While the process allows tailoring for different uses, having a consistent framework for managing risks throughout the organization assists in aggregating information to deal with risk issues at the corporate level.
The following sections outline a generic risk management process and provide an overview of elements an organization may consider when defining its risk management process. Organizations are encouraged to select or develop a process, including terminology, best suited to their environment.
During risk identification, risks are identified and a solid understanding of the risk is developed. This includes any risks with the potential to significantly affect the achievement of objectives at various levels of the organization (corporate, program, project, etc.) depending on the context of the risk identification activity.
Organizations should provide staff with clear direction regarding expectations with respect to identifying risks and provide the necessary tools to support this activity. There are numerous tools and techniques for identifying risks (e.g. workshops, checklists, etc.) and organizations may have a range available so that an appropriate method can be selected depending on the particular context in which risks are being identified. In some cases, risks may be identified using a structured approach as part of a formal risk assessment exercise while in other cases they may be identified on an ongoing basis as part of regular meetings. A risk taxonomy or similar tool (see TBS' Guide to Risk Taxonomies) may help to ensure that those involved in risk identification have considered a broad range of risks.
In defining risk identification activities within the risk management process, organizations may wish to provide direction regarding:
- who should be involved in the identification of risks;
- how much rigour is required for particular risk identification exercises;
- what type of information needs to be collected and what level of detail is required; and
- how identified risks should be documented for assessment purposes.
During the assessment of risk, risks are analyzed and prioritized. At a minimum, analyzing the risks typically involves assessing the likelihood of the risk occurring and the impact on objectives should the risk occur. The likelihood and impact can be quantified as appropriate based on risk criteria. Risk assessment typically focuses on residual risk (i.e., the risk level after taking into account existing controls and any existing risk responses), but may also involve assessing inherent risk (i.e., the risk level prior to taking into account existing controls and any existing risk responses).
The analysis of risks helps to prioritize them, which typically involves ranking risks that need responses in order to focus effort and resources on the most appropriate risks. The prioritizing of risks should take into consideration the organization's risk tolerance as, for each risk, the organization's risk tolerance will indicate whether there is a gap between the assessed risk level and what the organization would consider to be an acceptable risk level, and the extent of this gap.
Generally, there are numerous tools and techniques for analyzing (e.g. workshops, surveys) and prioritizing (e.g. risk maps) risks. Organizations are encouraged to design a process that is appropriate for their own operating environment.
In defining risk assessment activities within the risk management process, organizations may wish to provide direction regarding:
- who should be involved in the assessment of risks;
- how much rigour is required for a particular risk assessment exercise;
- what type of information needs to be collected and what level of detail is required; and
- how assessed risks should be documented for response purposes.
Risk response is the process of selecting and implementing measures to respond to a risk. Typically, a general response strategy is selected (accept risk, monitor risk, transfer risk, avoid threat, reduce likelihood and/or impact of threat or increase likelihood and/or impact of opportunity, etc.). The organization's tolerance for the risk should determine the type and extent of the response.
If it is decided that action will be taken (i.e., the risk is not accepted), a plan is put in place outlining specific actions, responsibilities and timelines. The strategy should include all the activities that would accompany the response, including communications, outreach, etc.
In defining risk response activities within the risk management process, organizations may wish to provide direction regarding:
- consideration of the wider context of the risk, including defined objectives and expected outcomes;
- the tolerability of risks by stakeholders inside and outside the organization; and
- corporate priorities with respect to resource allocation.
A major factor in developing any process, risk management or otherwise, is often resource limits. It is understood that resource constraints may limit risk response and that trade-offs may be necessary between risk response efforts and levels of risk tolerance.
Risk communication is an integral part of the decision-making process and refers to the communication and reporting of risk information to the appropriate levels of the organization at the right times to support decision-making. Risk communication occurs throughout the risk management process and is important to ensure that those responsible for managing risks and those who may be affected by the risks or associated risk responses understand the basis on which decisions are made and why particular actions are required. This includes communicating risk information internally, in a useful and meaningful way, with staff across different operational areas of the organization, as well as externally with clients and stakeholders who may be involved in, or affected by, an organization's decisions and actions. An important aspect of effective risk communication is providing individuals with enough information to allow them to contribute to the decision-making process in an informed way, where possible.
Risk communication also allows for the re-use of risk information for other processes thereby avoiding the need to conduct multiple risk assessments on the same area for different purposes (e.g. for planning, for auditing, for resource allocations, etc.).
As is the case for risk identification and assessment, there are numerous tools and techniques for communicating risk information and an organization should consider implementing a standardized mechanism to communicate risks. For example, corporate, sector and division level risk registers, dashboards or profiles can provide an opportunity to effectively communicate important risks across the department in a routine manner, thereby making the connections between and among risks with respect to the sectors, programs, projects, processes, regions and stakeholders.
In defining risk communication activities within the risk management process, organizations may wish to provide direction regarding:
- what type of information needs to be communicated at various stages (i.e. what type of information do interested and affected parties need and want);
- who is the audience for the various types of information (internal staff, management, external stakeholders, including the public and Parliament, etc.); and
- what means should be used to communicate the information to the intended audience.
It should be noted that within the federal public sector, it is expected that communication activities, including those related to risk management, be undertaken in a manner that is consistent with the Policy on Communications and Federal Identity.
The ongoing monitoring of risks is essential to ensuring that risk information remains relevant. It involves the regular review of risk information to ensure that the impact of changing circumstances on existing risk responses is considered. It also involves the review of the risk responses to ensure that they are effectively implemented and achieve their planned results.
The monitoring of risks also provides an opportunity to identify potential improvements to the risk management process (as discussed in section 7).
In defining risk monitoring activities within the risk management process, organizations may wish to provide direction regarding:
- who should be involved in the monitoring of risks;
- how changes to the nature and level of risks due to evolving circumstances should be monitored, and how the continuing relevance of risk responses should be monitored;
- how progress on implementing risk responses should be monitored;
- how the effectiveness of risk responses in terms of moving risks toward tolerable levels should be monitored;
- what indicators are required for monitoring and how they can be integrated with other performance measurement indicators;
- how often risk information should be reviewed; and
- who is responsible for making changes or taking corrective action if required.
4.7 Establishing Communications and Reporting Mechanisms
The communication of risk, as described in section 4.6, is only one factor in the communications, consultations and reporting involving external and internal stakeholders. Other communications, consultations and reporting mechanisms are needed to successfully implement and conduct integrated risk management in an inclusive manner. Establishing communications and reporting mechanisms serves the purpose of maintaining a continuous means for keeping stakeholders informed of organizational risk management processes, practices, and risk responses. It helps maintain momentum to ensure that interest in risk remains strong. It involves generating and sharing relevant information among the right people, anticipating and responding effectively to public concerns and expectations, achieving understanding of risks, getting action (voluntary or otherwise) and, reciprocally, receiving feedback. In the interest of openness and transparency, an organization should be able to provide interested stakeholders with a snapshot of the organization's key risks and what is being done to manage them at any time.
As applicable, communications, consultations and reporting activities occur as an organization is establishing its approach and process and on an ongoing basis during all stages of the risk management process when practicing integrated risk management. Specific considerations related to these activities are included throughout this Guide as they relate to the various aspects of integrated risk management (e.g. communicating the risk management approach and process to employees is covered when discussing the implementation of integrated risk management, communicating risks with stakeholders is covered when discussing the risk management process, etc.). However, to ensure that the mechanisms necessary to support these activities are in place, plans for communication, consultation and reporting should be developed at an early stage.
The following are some elements to take into consideration when identifying or designing the appropriate corporate infrastructure to ensure clear communication of risk issues, practices, and procedures throughout the organization:
- the consultation with internal and external stakeholders in the design of the risk management approach and process (section 4.2);
- the communication of senior management commitment to and vision of risk management throughout the organization (section 4.3);
- the communication of key components of the risk management approach (section 5.1), and their modifications (section 7) in a timely manner;
- the communication of the risk management process (section 4.6) and any modifications (section 7) in a timely manner;
- the consultation with internal and external stakeholders during the risk management process (to identify risks, to assess risks, to determine response strategies, etc.) (section 4.6);
- the communication and reporting of risk information (identified risks, response strategies, etc.) resulting from the application of the risk management process to the appropriate levels of the organization at the right times to support decision-making (section 4.6);
- the reporting of the effectiveness and outcomes of the risk management approach (section 7);
- the sharing of good practices and lessons learned and the collaborative development of risk resources for continuous improvement (section 7);
- the use of departmental reporting tools (e.g. RPP and DPR) to report on risks; and
- the establishment of linkages, where possible, with the Values and Ethics Code for the Public Service, the Policy on Communications and Federal Identity, the official languages policy and other core principles.
An organization may consider developing a communications strategy or plan to accompany its risk management approach and process. In developing risk communication and reporting mechanisms, departments and agencies may consider working with communication experts internally, within their portfolio and in other centres of expertise to ensure that messaging is coherent and easily understood. Communications practices should involve clear and simple messaging to help ensure a common understanding of the information provided.
5 Putting It in Place – Implementing Integrated Risk Management
5.1 Implementing the Risk Management Approach and Process
Once the risk management approach and process have been designed they will need to be implemented.
Implementing the Risk Management Approach
Implementing the risk management approach involves ensuring that the overall risk management strategy (i.e., approach and process) is applied throughout the organization within the guiding approach the organization has established. When implementing the risk management approach in an organization, consideration could be given to conducting the following activities:
- defining an implementation strategy and plan that responds to compliance requirements (e.g., policy, program, legislative), addresses organizational capacity and capability priorities, and is proportionate to an organization's risks;
- tracking and reporting on the progress being made in the implementation of the risk management approach;
- establishing a performance measurement strategy for measuring the success of the integrated risk management strategy and practices within the organization including indicators for determining whether or not risk responses have been successful;
- demonstrating that planning, decision-making, and performance management are informed by risk management principles and practices in a tangible, cohesive and consistent manner;
- educating and enabling staff to raise awareness and improve their understanding of the organization's risk management approach and their roles and responsibilities; and
- communicating to, and consulting with, internal and external stakeholders in a timely and relevant manner.
Embedding the Risk Management Process
In order to take a risk-informed approach to management, risk management activities should be embedded into existing organizational structures and processes at both the operational and strategic levels. Integrating the risk management function into existing strategic management and operational processes will ensure that risk management is a key component of decision-making, business planning, resource allocation, and operational management. It also allows organizations to capitalize on existing capacity and capabilities (e.g., communications, committee structures, existing roles and responsibilities, etc.).
Risk-informed decision-making can be applied at the department, program or any underlying activity level. Each time a resource allocation decision takes place, a plan should be prepared with performance targets, and risk management should be integrated into that planning exercise. Risk-informed decision-making occurs when the risks are identified and responses developed and prioritized. Priorities are inserted into the business plan and are then implemented, monitored and evaluated as part of the business planning cycle.
The organization should determine the points for embedding risk management into the organization's existing governance and organizational structures, decision-making processes, business practices and reporting systems, including the organization's execution of key Government of Canada processes. When integrated into the execution of Government of Canada processes, risk management works with other key organizational planning, reporting, audit and other control cycles. Specifically, the integration of risk management within the internal business processes of a federal department or agency would contribute to various government-wide processes.
Some areas where incorporating risk management could be considered include:
- governance structures such as senior management committees, cross-functional committees and working groups, Department and Agency Audit Committees (DAACs), etc.;
- planning and reporting processes such as integrated business planning, the parliamentary planning cycle, investment planning, operational and budget planning (at the department, program and project levels), business case development, preparation of the organization's Report on Plans and Priorities (RPP) and Departmental Performance Report (DPR), etc.;
- oversight processes such as audit, evaluation and review activities;
- strategic policy development processes such as memoranda to cabinet (MCs), Treasury Board Submissions, deputy and ministerial briefings, etc.;
- program design and management processes such as grants and contributions, contracting, regulatory prioritization, etc.; and
- staff work plans and senior management accountability accords.
While reviewing these areas to identify points for embedding risk management to support risk-informed decision-making, organizations may want to consider:
- the reflection of risk management practices in the context of evolving trends and expectations under the Management Accountability Framework (MAF);
- the alignment of risk management activities with Government of Canada models such as the Management, Resources and Results Structure (MRRS), including the Program Activity Architecture (PAA);
- the alignment of risk management activities with the organization's overall performance management strategy; and
- ensuring compliance with relevant legislation, regulations and policies (e.g. Policy on Transfer Payments, etc.).
While the organization's defined risk management process would be embedded into various processes and structures to ensure the use of a common approach, activities would be tailored to meet the specific needs of that process or structure. The structure or process would be reviewed to determine what, if any, risk management activities are already incorporated and what, if any, adjustments are required. If changes are required, they may involve simply adding risk management activities into the structure or process or they may also involve making other adjustments to the structure or process in order to accommodate the risk management activities.
Using the guidance provided by the defined risk management process, organizations would consider during the embedding process:
- how will risks, including threats and opportunities, be identified?
- how will risks, including threats and opportunities, be assessed using the defined criteria?
- how will risk tolerance be determined?
- how will risk responses be determined and managed?
- how will risk information be communicated?
- how will risks be monitored?
A successful implementation will be characterized by individuals making risk-informed decisions as part of their daily work and not seeing risk management as something superimposed on their usual activities.
5.2 Providing the Environment and Infrastructure
The organization may wish to determine the environment and infrastructure needed to support the successful implementation of the approach and process and their ongoing execution and improvement (as described in the next two sections).
In ensuring that an appropriate environment and infrastructure are in place, the organization may wish to consider its culture and capacity.
Creating the Culture
In some organizations, making risk management an integral part of decision-making may involve a cultural change. How ready an organization is, and its ability to adapt, may affect how fast and far it will progress in its implementation of integrated risk management. Assessing readiness is essential if integrated risk management is to be aligned with management initiatives already underway and built on existing systems and processes. It will also contribute to better management of the discomfort inherent in change and will help people move beyond simple compliance and embrace the underlying purpose.
When implementing the risk management approach and process, organizations may want to look at the current organizational culture for risk management and determine how the culture may need to change. In doing so, organizations may wish to consider:
- how are employees going to react to the changes being made (readiness)? This will depend, in part, on:
  - the extent to which risk management is already incorporated into strategic or business planning and operations;
  - staff awareness of and/or capacity to manage the risks; and
  - the existence of systems and protocols to respond to potential threats or opportunities.
- how can the organization help employees practice integrated risk management despite any potential discomfort with change? This may involve:
  - borrowing and using the lessons and practices of change management to foster the will and capacity for change; and
  - ensuring regular interaction between those overseeing the implementation and ongoing maintenance of the risk management approach and process, and those involved in overseeing departmental processes (i.e. planning, etc.).
A key component to ensuring a supportive culture is active leadership from the organization's Deputy Head and senior management. Management should visibly encourage the practice of risk management and information sharing across all business lines and functional units. The extent to which senior leaders model the principles of integrated risk management sets the tone for a sustained integrated risk management culture throughout the organization. To support senior management engagement, organizations may consider:
- ensuring that risks and their risk responses reflect management priorities;
- providing assurances that operational risks are being adequately managed so that management can focus on the organization's key risks;
- demonstrating the linkages between operational risks and the organization's key risks to facilitate managerial decision-making;
- ensuring risk management is part of ongoing discussions at management meetings and committees;
- using existing departmental approval bodies and committee structures to engage management on risk;
- demonstrating that shared risks with other departments, organizations and stakeholders are being considered in the organization's risk management process;
- linking risk management to senior management performance agreements;
- keeping senior management informed of the results of performance measurement as it relates to the risk management approach, including the benefits of the approach to the organization (see section 7 for further discussion).
As stated in section 4.2, an organization's risk tolerance is an important aspect of its culture and discussions regarding risk tolerance should be encouraged. Advancing risk tolerance within an organization should include:
- focusing on senior management in order to set the tone and provide leadership and support;
- ensuring the risk management approach includes a strategy for setting the risk tolerance;
- increasing awareness by including risk tolerance in risk management training; and
- including discussions on risk tolerance as part of the risk management process in decision-making.
Organizations will need to develop their own capacity strategies based on their specific situation and risk exposure. Just as risk management must be integrated with existing processes, organizational capacity for practicing integrated risk management should be built on what already exists. Assessing and building on existing capacity helps tailor the approach to deal with the organization's specific needs.
To build the necessary capacity, organizations may want to determine what already exists, identify where changes, enhancements or improvements are required, and make the required changes. To build sustainable capacity for integrated risk management within an organization, consideration may be given to two key areas: human resources, and tools and processes.
Some considerations in building human resources capacity include:
- determining the existing understanding of risk or risk management;
- building awareness of risk management initiatives and culture;
- broadening the skills base through formal training (including guidance on the application of tools and techniques) taking into consideration staff turnover;
- increasing the knowledge base by sharing best practices and experiences; and
- building capacity, capabilities, and skills to work in teams.
In general, an organization should consider ensuring that all staff members have adequate training, access to proven tools for risk management, and a clear understanding of the common risk management language in order to facilitate communication.
Tools and Techniques
There are numerous tools and techniques available that can be used for managing risk. Some examples include:
- risk heat maps, risk registers/dashboards and action plans: summary charts and diagrams that help organizations identify, discuss, understand and address risks by portraying sources and types of risks and disciplines involved/needed;
- modelling tools: such as scenario analysis and forecasting models to show the range of possibilities and to build scenarios into contingency plans;
- frameworks on the precautionary approach, including the use of scientific information: a principle-based framework that provides guidance on the precautionary approach in order to improve the predictability, credibility and consistency of its application across the federal government;
- qualitative techniques such as workshops, questionnaires, and self-assessment to identify and assess risks; and
- internet and organizational intranets: promote risk awareness and management by sharing information internally and externally.
Some considerations in building capacity to use tools and techniques include:
- the use of existing committees, systems, and processes (executive and operational committees, planning and reporting processes);
- the use of common risk management language and a framework or parts of it; and
- allowing for the development and/or the use of alternative tools and techniques that may be better suited to managing risk in specialized applications.
Building risk management capacity is an ongoing challenge even after integrated risk management has become firmly entrenched. Activities conducted as part of monitoring and review, described in section 7, can continue to identify new areas and activities that require attention, as well as the risk management skills, processes, and practices that need to be developed and strengthened.
6 Doing It – Practicing Integrated Risk Management
6.1 Ongoing Integrated Risk Management
With the risk management approach and process defined and implemented, organizations would begin to practice integrated risk management as they use those organizational structures and processes that now have the risk management process embedded in them. The defined departmental risk management process would now be applied to all relevant levels and functions of an organization through these organizational structures and processes. Applying the risk management process would ensure that risks are understood, managed, communicated and integrated into informed decision making and priority setting (strategic, operational, management, and performance reporting) in a consistent and cohesive manner. Organizational acceptance of integrated risk management will depend on the extent to which an organization has been successful in using the risk management approach and risk management process to achieve results.
In practicing integrated risk management on an ongoing basis as part of organizational structures and processes, organizations may want to consider:
- documenting the decision-making process and the outcome of key decision points as this demonstrates accountability, transparency and due diligence (reasonable efforts should be made without generating excessive administrative burden);
- ensuring the effort applied to risk management is commensurate with the nature, scope and scale of the risk being addressed;
- involving all interested and affected parties (including partners, the public, and other stakeholders) throughout the process so that all key risks are identified including risks shared with other departments, organizations and stakeholders;
- ensuring that risk information is not only used in decision-making related specifically to the area where risks are identified and assessed but that risk information is also made available for ongoing use in other areas (i.e. for planning, for identifying audit candidates, etc.); and
- maintaining a list of the organization's key risks, regularly reporting on them, and indicating what is being done to manage them.
In addition to managing (identifying, assessing, responding to and monitoring) risk on an ongoing basis as part of organizational decision-making processes which now have the risk management process embedded in them, other key activities in the execution of integrated risk management include creating a corporate view of risk and continuous risk management learning.
6.2 Creating a Corporate View of Risk
One of the first activities typically conducted when practicing integrated risk management is the development of a Corporate Risk Profile (CRP) or similar document in order to obtain a corporate view of the organization's risks at a specific point in time.
In building the corporate view of risk, information and knowledge at both the corporate and operational levels are collected and aggregated to assist organizations in understanding the key risks they face, both internally and externally, their likelihood and their potential impacts. In addition, identifying and assessing the organization's existing risk management capacity and capability is another critical component of developing the corporate view.
For the most part, creating a corporate view of risk is similar to conducting any other risk assessment in the organization in that it is done using the defined risk management process to identify, assess/prioritize and communicate risks as well as develop response strategies. However, there are some elements that are specific to the preparation of a corporate view of risk which should be taken into consideration including:
- only the key risks that could significantly influence overall organizational priorities, performance, and achievement of corporate objectives should be documented in the corporate view. Risks at the operational level should be aggregated, if applicable, and then prioritized to create a succinct list of the organization's key risks that require senior management attention;
- as part of the risk management process for preparing a corporate view, there should be clear, transparent and standard methods for:
  - aggregating operational risks into the organization's key risks, which may be facilitated by using a risk taxonomy or similar tool (see TBS' Guide to Risk Taxonomies);
  - determining which risks would require senior management attention (prioritizing of risks) and determining tolerance to risks; and
  - communicating and reporting the organization's key risks to all relevant stakeholders to inform their decision-making.
- in identifying the organization's key risks, organizations may wish to consider:
  - using a risk taxonomy or a similar tool to help ensure that a wide range of potential risks have been considered (see TBS' Guide to Risk Taxonomies);
  - collecting risk information from a number of different sources; and
  - paying specific attention to the timeframes related to the risks (i.e. when they are likely to occur or need to be addressed), as the corporate view is not the means to address short-term operational risks but rather those of a more strategic nature.
- senior management should be involved in the monitoring and oversight of the key risks outlined in the corporate view and may have specific accountabilities with respect to corporate risk responses; and
- the corporate view of risk should be reviewed and updated regularly (potentially based on the operating context of the organization, such as the annual business planning and the mid-year performance review) so that the organization always has a clear and up-to-date understanding of its key risks and their status to inform decision-making. If there are emerging risks that require attention in between these established cycles, an organization may wish to consider developing a mechanism that allows staff to escalate risks as appropriate.
As is the case with other risks identified on an ongoing basis, once the organization's key risks are documented, the key focus is to integrate the essence of this risk information into departmental planning and reporting cycles in a way that is simple and that communicates key risks effectively.
For more information on preparing this corporate view of risk, refer to the Guide to Corporate Risk Profiles.
6.3 Ensuring Continuous Risk Management Learning
As stated in the Framework for the Management of Risk, Deputy Heads play an important role in creating a learning environment that promotes continuous improvement in risk management competencies and capacity within their organization.
Continuous risk management learning is fundamental to supporting an organizational culture of risk-informed and proactive decision-making. Continuous learning is about achieving and maintaining the desired culture of a risk-smart workforce and operating environment. It is done by increasing risk management awareness, knowledge, and skills at the individual, team, and organizational levels. The approach taken, including the development of any courses if applicable, should address specific organizational needs.
To ensure continuous risk management learning, organizations may want to consider what they can do to:
- encourage learning at the individual, team, and organizational levels. This may include: building learning plans into the risk management approach and processes and employee agreements; developing internal and external training courses; membership in associations or institutes; conference participation; employee deployments to develop skills and knowledge; etc.
- share experience and best practices internally and across the government to monitor and learn from situations where risk management has become a valued and well-integrated part of the organization. This may include: looking at processes and tools used by other departments; celebrating success stories; documenting and communicating lessons learned, case studies, and best practices within the department and the broader community; using various mechanisms (e.g. intranet/Internet, learning events, information sessions, a newsletter, publications, etc.) to share specific lessons learned; encouraging and rewarding the sharing of information; etc.
- support an environment of responsible risk-taking while still respecting organizational risk tolerances. This may include: creating incentives for identifying opportunities; recognizing that learning from experience (including those that did not lead to expected outcomes) is important for progress; etc.
7 Improving it – Continuously Improving Integrated Risk Management
As stated in the Framework for the Management of Risk, Deputy Heads have specific responsibilities related to the continuous improvement of risk management in their organization, namely responsibility for monitoring risk management practices, and responsibility for ensuring that issues affecting the organization's risk management approach, whether identified through assessments or through internal and external monitoring, are examined, reviewed and acted upon effectively. Deputy Heads of larger departments and agencies are supported by DAAC members, who have been appointed to provide Deputy Heads with objective advice on, and review of, their department's spending control and accountability processes, including oversight with respect to risk management.
Having a responsive and adaptive risk management approach is a key element in building and sustaining ongoing support within the organization. As the risk management approach and process are updated to incorporate improvements, it will be important to communicate these changes to all relevant stakeholders in a timely manner.
Monitoring and Review of the Approach and Process
Monitoring and review are an important aspect of continuous improvement. Ongoing monitoring and periodic reviews of the risk management approach and process are essential to ensure their effectiveness, efficiency, and relevance in supporting the organization's overall performance. They also provide feedback to management and other interested parties, both in the organization and government-wide. Feedback, observations, and recommendations gathered during monitoring and review activities help an organization determine whether or not the risk management approach and process are achieving expected outcomes, and help identify potential gaps, inefficiencies, and opportunities for improvement.
In determining the strategy for ongoing monitoring and periodic reviews of the risk management approach and process, organizations may want to consider:
- roles and responsibilities, including ensuring that senior management is involved in the monitoring and review of the performance of the risk management approach and process;
- the use of existing oversight functions such as internal audit, evaluation and quality assurance functions;
- the timing of the reviews;
- reporting mechanisms to communicate lessons learned, as appropriate, from the monitoring and review of an organization's risk management approach and process to internal and external stakeholders; and
- engagement with DAAC members.
To support monitoring and review activities, organizations should consider having in place:
- documented expected outcomes related to the management of risks, whether minimizing negative events or capitalizing on opportunities; and
- indicators for measuring performance that are aligned with the organization's overall performance management framework and that are reviewed periodically for appropriateness.
In conducting ongoing monitoring and periodic reviews, some activities to consider doing include:
- measuring and reporting on progress of the risk management approach and process against the overall implementation strategy;
- measuring and reporting on performance of the risk management approach and process to:
  - confirm that risk management is adding value as a key component of decision-making, business planning, resource allocation, and operational management given the internal and external environment;
  - validate that an organization's risk management approach and process are appropriate to its risk management needs and remain responsive to its external and internal context, including its mandate, priorities, organizational risk culture, risk management capacity, and partner and stakeholder interests; and
  - ensure ongoing relevance, effectiveness and efficiency of the risk management approach and process (including relevant policies and supporting tools), in relation to its mandate and key outcomes and evolving risk management principles (see footnote 4) and practices.
- assessing where the department is situated on a risk management capability model, based on implementation efforts and progress to date;
- conducting periodic environmental scans for new approaches, tools and ideas; and
- assessing compliance with relevant laws, regulations and policies.
Key to the monitoring and review of the risk management approach and process is the measurement of performance (see footnote 5). An organization should consider performance measurement as it relates to its risk management approach and process and, in parallel, the performance of its risk response activities. In both situations, some considerations may include:
- frequency and nature of risk management decisions highlighted on senior management agendas, and tracking and reporting on outcomes of the decisions taken. This demonstrates evidence of senior management oversight of risk management activities, including the success and/or failure of risk responses (see footnote 6);
- clearly defined and transparent risk management accountabilities, roles and responsibilities;
- demonstration of the impact of risk responses (e.g., on risk levels, risk indicators and program/activity performance indicators) (see also the sub-section on Risk Monitoring under section 4.6);
- detailed cost-benefit analysis comparing the potential cost of an identified risk with the direct cost of the risk response, together with the benefits or an assessment of the costs avoided;
- explicit integration of risk priorities and risk responses into business plans, performance management and evaluation reports;
- the return on investment, both qualitative and quantitative, of resources, tools and events directed to employee awareness and training on risk matters, and other tangible outcomes of consistent application of risk management practices across the department (e.g. the delivery of structured, facilitated workshops);
- performance history as a result of compliance with central agency requirements for risk management (e.g. MAF assessment by TBS);
- awareness among staff of the risk management approach, as demonstrated by survey results or polls, and the increased incorporation of risk-informed decision-making into other processes;
- feedback from key stakeholders (e.g., staff, managers, central agencies, Parliament) on relevance, usefulness and cost-effectiveness of risk management; and
- the development of risk-based policies, guidelines and frameworks and/or the ongoing elimination of red tape.
Documentation and communication of monitoring and review activities contributes to an organization's capacity to record and report on results and improve risk management performance in relation to the organization's planning, reporting and performance management processes. Reporting on results facilitates learning and improved decision-making by assessing both successes and failures and helps disseminate information on best practices and lessons learned.
Other Activities to Support Continuous Improvement
In addition to monitoring and review, other activities an organization could consider to help improve the risk management approach and process include:
- renewing and revising policy, guidelines, training, tools and procedures on a periodic basis;
- addressing feedback, observations and recommendations from internal and external stakeholders including DAACs, Chief Financial Officers (CFOs), Chief Audit Executives (CAEs), Chief Risk Officers (CROs), etc.;
- consulting and sharing best practices with outside sources, including other government departments, private sector, academia, networks, and communities of practice;
- engaging and leveraging internal organizational networks, systems, communities of practice, central agencies, etc. to acquire best practices and lessons learned;
- realigning risk management approaches with evolving principles and practices; and
- applying lessons learned from the monitoring of risks conducted as part of the risk management process.
To support continuous learning, consult TBS' Risk Management Capability Model, which has been developed as a self-assessment tool against which organizations can assess their current risk management capacity in relation to their desired end state. Organizations should consider documenting lessons learned and related outcomes from self-assessment exercises.
8 Contact Information
For more information, please contact TBS Public Enquiries.
Appendix A – Interdepartmental Working Group
This Guide was developed by an interdepartmental working group led by the TBS Centre of Excellence on Risk Management.
Contributors to the working group included:
- Charlene Budnisky, Public Works and Government Services Canada
- Wes Darou, Canadian International Development Agency
- Alain Goudreau, Defence Research and Development Canada
- Emily Graves, Canadian Food Inspection Agency
- Paule Labbé, Health Canada
- Awad Loubani, Public Works and Government Services Canada
- Wendy Matheson, Veterans Affairs Canada
- Colin Nicholson, Natural Resources Canada
- Liane Sauer, Canada Revenue Agency
- Ron Sisk, Fisheries and Oceans Canada
- Mario Vendittoli, Health Canada
TBS is grateful to the above individuals for their contributions. TBS would also like to thank the many others that provided comments on the draft version of the Guide during the government-wide consultation.