Guide to Risk Statements
TBS’ guide to risk statements is meant to help strengthen risk management practices by providing guidance on how to develop risk statements
Table of Contents
- Introduction
- How to Use This Guide
- What Is a Risk Statement?
- Developing a Risk Statement
- Helpful Tips and Key Considerations
- Examples of Risk Statements
- Business Processes
- Capital Infrastructure
- Communications
- Conflict of Interest
- Financial Management
- Governance and Strategic Direction
- Human Resources Management
- Knowledge Management
- Information Management
- Information Technology
- Legal Considerations
- Change Management
- Policy Development and Implementation
- Privacy and Information Stewardship
- Program Design and Delivery
- Project Management
- Political Considerations
- Reputational Considerations
- Resource Management
- Stakeholders and Partnerships
- Values and Ethics
- Contact Information
- Appendix: Definitions
1. Introduction
Presenting risk information clearly and meaningfully is a challenging but critical element of an organization’s risk management practice. A good risk statement should be concise and readily understood across an organization, as its precision can influence the development of effective risk responses, choices of action plans and the quality of decision making pertaining to the risk. It is important to develop risk statements that accurately identify and convey threats and opportunities in a way that is tailored to each organization.
2. How to Use This Guide
In conjunction with other risk management guides and tools provided by the Treasury Board of Canada Secretariat (TBS), this guide is meant to help strengthen risk management practices by elaborating on how to develop risk statements (see Figure 1 for a visual mapping of TBS’s guides and tools). Risk statements are an essential component in identifying threats and opportunities and are fundamental in supporting the risk management process. The TBS Guide to Integrated Risk Management describes this process as a series of interconnected and interrelated steps, including the identification of threats and opportunities. In order to perform meaningful risk assessments, risks need to be well stated and described in a risk statement.
The principles outlined in this guide focus on helping organizations develop meaningful risk statements for their Corporate Risk Profiles, as well as for other organizational risk assessments at the operational, divisional, project or program level, or for Investment Plans, Memoranda to Cabinet and Treasury Board submissions. The TBS Guide to Corporate Risk Profiles provides guidance on developing Corporate Risk Profiles, including the type and scope of information that help make such a profile a useful tool in managing corporate risks and making decisions. Risks identified in a Corporate Risk Profile should be captured clearly in a risk statement that can be articulated and communicated throughout an organization.
There are numerous ways to identify risks (e.g., workshops, checklists, environmental scans), depending on the particular context in which risks are being identified. In some cases, risks may be identified through a formal risk assessment exercise; in others, they may be identified on an ongoing basis as part of regular meetings. A risk taxonomy or similar tool (see TBS’s Guide to Risk Taxonomies) may help ensure that those involved in identifying risks have considered a broad range of risks.
3. What Is a Risk Statement?
Risk statements provide an accurate picture of a risk, which is critical for the rest of the risk management process. The Treasury Board Framework for the Management of Risk defines a risk as “the effect of uncertainty on objectives. It is the expression of the likelihood and impact of an event with the potential to affect the achievement of an organization’s objectives.” As a result, a risk statement in a Corporate Risk Profile, for example, would describe the event and the potential impact (positive or negative) of that event on achieving an organization’s objectives.
It is important to distinguish between an event and an impact:
- An event is a situation, occurrence or change in a particular set of circumstances that has the potential to affect the achievement of an organization’s objectives. An event may be positive or negative.
- An impact is the potential effect of an event. As with an event, an impact may be positive or negative.
Refer to the Appendix for more definitions.
It is important to note that risk is about the effect of uncertainty and therefore concerns the future, not current events. Risks are distinct from existing issues, problems or business conditions, where the likelihood of occurrence is not an issue. Current events or issues are certain because they are taking place now, and organizations should already be addressing such issues.
4. Developing a Risk Statement
A suggested method for developing a risk statement for a threat involves at least two elements: the event itself and the potential negative impact of such an event if left unmanaged:
Risk statement (threat): If (event) occurs, the consequences could result in (negative impact).
Example: The segregation of reporting practices for regional and headquarters inspection activities may leave an oversight gap in compliance, which may allow unregulated materials to enter the country illegally.
Opportunity statements provide an accurate picture of an event that has a positive impact. It is important to note that opportunity statements can be difficult to craft. Because impacts are typically felt in more than one area or function across an organization, or by multiple stakeholders, opportunities can arise from various situations and approaches. A suggested method for developing a risk statement for an opportunity also involves at least two elements: the event itself and the potential positive impact of such an event if managed appropriately:
Risk statement (opportunity): If (event) occurs, the consequences could result in (positive impact).
Example: In the event of further operational realignment, there is an opportunity to partner with portfolio agencies to achieve efficiencies in delivering support services.
Risk events and their impacts, both positive and negative, should be relevant to the mandate and other objectives of the organization. Risk statements that are too general become vague and can lead to the presentation of risk information that is unclear and potentially misleading. As a result, organizations are encouraged to develop clear and concise risk statements, whether specific or broad in content, and that are relevant to the mandate and business of the organization.
A specific risk statement is a targeted description of a threat or opportunity that includes important details, such as the potential impact within an organization, which may or may not be common to or shared with other organizations and stakeholders. Specific risk statements may change more frequently because they focus on a precise and targeted event. Specific risk statements are often easier to manage, as the precise nature of the risk is transparent to decision makers.
A broader risk statement articulates a risk using language that may reflect common threats or opportunities and the potential impact that could apply broadly throughout the organization. Broader risk statements may provide stability because they could be less likely to change over time and tend to be more horizontal in nature. This may be beneficial when working with information that is sensitive and where specific details cannot be shared.
Risk statements included in the Corporate Risk Profile should be of a high enough level that they outline the potential risk that may significantly impact organizational objectives, as well as being detailed (or specific) enough to effectively manage.
An alternative structure for a risk statement may also include a driver of the event. A driver is an internal or external circumstance that is contributing to (“driving”) an event. Drivers are often identified through environmental scans. In some circumstances, there may be multiple drivers of an event. In such cases, it is recommended that the identified drivers that are most likely to occur be incorporated into the risk statement and that any additional drivers be further articulated within the full risk description section of the Corporate Risk Profile (see TBS’s Guide to Corporate Risk Profiles). A well-articulated risk statement should not list too many drivers, particularly ones that are unrelated. Following are examples of risk statements that incorporate risk drivers:
Risk statement (threat): If (event) occurs due to (driver), the consequences could result in (negative impact).
Example: Significant delays in retrieving records due to current tools for data storage and retrieval practices may leave the department unable to adequately respond to Access to Information requests and e-discovery exercises.
Risk statement (opportunity): If (event) occurs due to (driver), the consequences could result in (positive impact).
Example: The organization may be able to leverage regional office capacity through the new regional structure to increase the organization’s operational ability to respond to emergencies and support national leadership in emergency management training.
Regardless of the structure chosen, organizations are encouraged to develop well-articulated risk statements, i.e., those that are clear, meaningful and concise, and that can present useful and relevant information to senior management to help support risk-informed decision making.
5. Helpful Tips and Key Considerations
- Clear, concise and well-defined risk statements allow organizations to better utilize risk information to support decision making throughout the organization, particularly in the areas of planning, reporting, policy development, legal, financial, audit and evaluation.
- Quality risk statements that are clear and concise can help raise awareness and educate staff on important organizational priorities. This may also help raise understanding of planned risk responses and improve performance through the use of risk response plans. For further guidance on planning and designing the risk management approach and process, including risk responses, refer to TBS’s Guide to Integrated Risk Management.
- Quality risk statements regarding opportunities are also important for understanding proposed action plans and activities in order to move the organization through next steps to help achieve positive results.
- Avoid including too many threats or opportunities into any single risk statement. Multiple threats or opportunities should result in multiple risk statements. Complex risks may be better articulated and understood if broken down into several succinct statements. Highly interrelated risks may be further explained under relevant sections of an organization’s Corporate Risk Profile. For further guidance on developing a Corporate Risk Profile, refer to TBS’s Guide to Corporate Risk Profiles.
- Draft risk statements using plain, simple language that can be understood by staff at all levels across the organization. Complex or technical terminology can be explained in an appendix.
6. Examples of Risk Statements
The following examples of risk statements have been developed based on the risk categories featured in TBS’s Guide to Risk Taxonomies.
Business Processes
Threats and opportunities associated with business process design or implementation:
- The department may not have a business process in place to adequately manage key programs, which may lead to weakened results.
- Current departmental processes to track, analyze and report on key grants and contributions programs may not support effective risk management and other accountability requirements, leading to weakened performance results.
- The organization could restructure the departmental business processes based on other jurisdictions’ best practices to support more effective risk management and other accountability requirements, leading to improved performance results.
Capital Infrastructure
Threats and opportunities associated with an organization’s capital infrastructure, including hard assets (e.g., buildings, vessels, scientific equipment, fleets) but excluding information technology (IT):
- Some elements of the organization’s real property portfolio are aging and will require ongoing maintenance and life-cycle investment that cannot be delivered as planned. This may result in the department not achieving its key performance targets.
- The organization may not be able to meet the planned requirements for up-to-date laboratory facilities to support scientific activities, leading to a possible compromise or delay in regulatory approvals.
- The organization could explore changes to its current accommodations approach as a result of lacking available office space within the current building, which may result in innovative accommodation solutions for employees.
Communications
Threats and opportunities associated with an organization’s approach and culture of communication, consultation, transparency and information sharing, both within and outside the organization:
- The organization may lack capacity to meet public expectations for information on a timely basis. This may result in a loss of confidence in the organization.
- The department may not be able to meet the public’s expectations for timely access to complete and accurate information in times of crisis, leading to possible health and safety risks and a loss of confidence in the organization.
- The department could develop and implement social media practices to better meet public expectations for timely access to complete and accurate information in times of crisis.
Conflict of Interest
Threats and opportunities associated with perceived or potential conflicts of interest:
- Members of the Advisory Committee may have conflicting interests or may object to certain reforms, which may result in an increased advantage or disadvantage to certain stakeholders.
- Departmental officials may be offered gifts or hospitality from local vendors with whom they have a high volume of business. Accepting such gifts or hospitality may result in a conflict of interest between the department and the vendor community, compromising the public’s confidence in the department’s ability to carry out its mandate fairly and objectively.
Financial Management
Threats and opportunities associated with the structures and processes of an organization to ensure sound management of financial resources and its compliance with financial management policies and standards:
- The organization may conduct insufficient monitoring of partners, recipients or projects to ensure that the funds are used for intended purposes and to achieve stated outcomes, resulting in fraudulent actions.
- A lack of internal controls over financial reporting may result in lapsed funds in the fourth quarter, preventing the organization from making critical capital investments.
- To alleviate reporting burden for partners and recipients, while maintaining effective internal control over funds, the organization could modernize and improve risk-based approaches within the organization’s grants and contribution processes.
Governance and Strategic Direction
Threats and opportunities associated with an organization’s approach to leadership, decision making and management capacity:
- The organizational governance structure may not be able to provide sufficient and appropriate oversight on a timely basis to support effective decision making.
- The segregation of reporting practices for regional and headquarters inspection activities could leave an oversight gap in compliance promotion, which may allow unregulated materials to enter the country illegally.
Human Resources Management
Threats and opportunities associated with staff and management turnover; the employment/work culture; recruitment, retention and staffing processes and practices; succession planning and talent management; and employee development, training and capacity building:
- The organization may be unable to sustain a workforce that has the appropriate competencies, resulting in inadequate support to deliver and manage programs and services.
- Due to retirements and a shortage of qualified senior scientists, the department may be unable to attract and retain senior scientific talent. This may result in an inability to deliver the department’s science and technology agenda.
- Given the large number of retiring qualified senior scientists, some retiring employees could mentor junior scientists and seek alternative work arrangements that could help stagger retirement dates and lessen the impact of senior staff turnover.
Knowledge Management
Threats and opportunities associated with an organization’s knowledge assets, including people, data and information:
- The department’s “silo” approach to managing renewal may result in a loss of information that weakens corporate culture.
- The department may lack capacity to integrate a systematic approach to identify, capture, preserve and share information among new recruits and retirees, which may result in a loss of focus and business intelligence, compromising value for clients.
Information Management
Threats and opportunities associated with the capacity and sustainability of information management procedures and practices:
- The current tools to manage information may make records unobtainable, resulting in delayed responses to official requests.
- Significant delays in retrieving records as a result of current tools for data storage and retrieval practices may leave the department unable to adequately respond to Access to Information requests and e-discovery exercises.
- Improving records management processes and tools through investing in new technologies and liaising with organizations identified as having best practices may lead to more effective management and response to official requests.
Information Technology
Threats and opportunities associated with the capacity and sustainability of IT systems and practices, including infrastructure and use of technological applications:
- The agency’s IT systems may not support the need for key staff to work remotely, leading to process inefficiencies.
- The organization’s remote access servers and enabling software may become increasingly outdated and expensive to operate and cannot be easily updated to respond to changing operational needs of inspectors. This may result in decreased productivity and an inability to meet new regulatory compliance requirements.
Legal Considerations
Threats and opportunities associated with an organization’s management of its legislative, advisory and litigation activities, including the development and renewal of, and compliance with, laws, regulations, international treaties, agreements and policies:
- A delayed response to legal proceedings may affect the department’s ability to work with key stakeholders.
- Failing to respond in a timely manner to an “x” court ruling could impact industry in the “y” sector (and consumers in “z” markets).
Change Management
Threats and opportunities associated with significant structural or behavioural change within an organization related to mandate, operating context, leadership and strategic direction:
- The organization’s transformation agenda may not be well understood or communicated to employees, resulting in lost opportunities for engagement.
- The organization’s transformation agenda may lack a tailored communications plan and implementation strategy, which may prevent employees from fully participating in renewal activities.
- Significant change and business transformation may inspire staff to rethink how they deliver on priorities relating to policy and programs.
Policy Development and Implementation
Threats and opportunities associated with an organization’s design, implementation and compliance with the government-wide policy suite as well as its own internal policies and procedures:
- The department’s policy approach to cost recovery may not be aligned with key stakeholder concerns, leading to inefficiencies and consumer frustration.
- The department’s use of cost recovery in its policy approach to international cargo may place it at odds with current European Union practices, leading to a significant competitive disadvantage for domestic industry.
- Addressing the organization’s policy approach to cost recovery may result in effectively closing gaps and inefficiencies in trade policy and regulation.
Privacy and Information Stewardship
Threats and opportunities associated with an organization’s protection of intellectual property and personal information:
- The security of departmental networks and records could be seriously compromised if new standards are not implemented.
- Departmental IT and records management processes may not fully protect citizen information holdings and could result in mismanagement of personal information by the organization, leading to personal injury and significant legal exposure to the Crown.
Program Design and Delivery
Threats and opportunities associated with an organization’s design and delivery of specific programs, which may impact the organization’s overall objectives:
- Organizational restructuring and realignment of program design and delivery could result in partnering with portfolio agencies to achieve efficiencies in delivering support services.
- The design of the “x” program delivered through the “y” branch could become misaligned with changes to emerging standards and best practices, leading to marginal benefit to stakeholders and weakened value for money.
Project Management
Threats and opportunities associated with an organization’s process and practice of developing and managing major projects in support of its overall mandate, as well as risks associated with specific projects that may require ongoing management:
- Without the implementation of a project management and communications approach, the organization may not effectively develop and successfully deliver several key projects in support of the organization’s priorities.
- Without the implementation of recognized project management standards and a supporting communications strategy, the organization may not effectively develop and successfully deliver the Pluto and Mars projects in support of the organization’s priority to explore neighbouring planets.
Political Considerations
Threats and opportunities associated with the political climate and operating context of an organization:
- The organization may be unable to table new legislation given the parliamentary focus on red-tape reduction initiatives.
- The department may not have enough time to table new legislation in advance of a fall election.
Reputational Considerations
Threats and opportunities associated with an organization’s reputation and credibility with its partners, stakeholders and the Canadian public:
- Fraudulent behaviour may result in a loss of reputation for the department and the Government of Canada.
- Fraudulent behaviour associated with misappropriations of funds and the misuse of public assets may result in a loss of reputation for the department and the Government of Canada.
Resource Management
Threats and opportunities associated with the availability and level of resources of an organization to deliver on its mandate, as well as the organization’s management of these resources:
- The organization could leverage resources from the private sector (telecom, finance) to further advance the objectives of the Information Technology Security Strategy.
- The forecasted reductions in departmental budget allocations may affect current regulatory responsibilities, which may expose the department to possible non-compliance with international treaties to which Canada is a signatory.
Stakeholders and Partnerships
Threats and opportunities associated with an organization’s partners and stakeholder demographics, characteristics and activities:
- The organization could enhance its emergency management capacity and improve its ability to work with external partners to prepare for and provide leadership and coordination in the management of public health events on behalf of the federal government.
- The department’s partners in delivering health services and equipment to stakeholders in the north may no longer be capable of meeting their obligations because of unpredictable fluctuations in weather. This may affect the health and safety of stakeholders.
Values and Ethics
Threats and opportunities associated with an organization’s culture and capacity to adhere to the spirit and intent of the Values and Ethics Code for the Public Sector:
- Staff and management may not be fully aware of the department’s values and ethics code, which may result in misconduct.
- A real or perceived breach of the organization’s values and ethics could occur, given the nature of the organization’s mandate and the lack of awareness among staff and management. This may negatively impact innovation and front-line decision making.
Further information on risk management is available on the TBS Risk Management website.
7. Contact Information
For more information, please contact TBS Public Enquiries.
Appendix: Definitions
- Driver:
- Is an internal or external circumstance that is contributing to (“driving”) a risk. Drivers are often identified through environmental scans.
It is common to confuse drivers and risks. In particular, organizations sometimes refer to certain external circumstances (e.g., social, economic, etc.) as “external risks” when in fact they are drivers. To distinguish the two concepts, it is helpful for an organization to consider why the external circumstance challenges the organization or why it presents an opportunity for the organization.
As an example, an organization might determine that the aging Canadian population is a driver that is contributing to an increase in the number of applications and persons eligible for a particular program and therefore contributing to the risk that the organization may not be able to meet the anticipated increase in program delivery demands.
- Event:
- Is a situation, occurrence or change in a particular set of circumstances that has the potential to affect the achievement of an organization’s objectives. An event may be positive or negative.
- Impact:
- Is the potential effect of an event. As with an event, an impact may be positive or negative.
- Risk:
- Is defined as the effect of uncertainty on objectives. It is the expression of the likelihood and impact of an event with the potential to affect the achievement of an organization’s objectives.
- Uncertainty:
- Is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or likelihood.