
Integrated Risk Management Framework


President's Message

In March 2000, I had the pleasure of tabling the Government of Canada's new management framework, entitled Results for Canadians. It outlines how we are modernizing management practices in order to make the Government of Canada more citizen-focused and better prepared to meet Canadians' changing needs and priorities. This Integrated Risk Management Framework is an essential part of these modernization efforts.

In an increasingly complex public policy environment, it is important that Public Service employees are encouraged to approach their work with creativity and a desire to innovate. At the same time, however, we must recognize and respect the need to be prudent in protecting the public interest and maintaining public trust. Achieving this balance is what this Integrated Risk Management Framework is all about.

This framework is a practical guide to assist public service employees in their decision-making. At the organizational level, it will help departments and agencies to think more strategically and improve their ability to set common priorities. At the individual level, it will help all employees to develop new skills and will strengthen their ability to anticipate, assess and manage risk.

I invite you to read the framework and make use of the concepts, guidelines and examples that relate to your particular needs. I am confident that this framework will lead to the adoption of a more holistic approach to risk management and foster a working environment which supports employees in pursuing new and innovative ways to better serve Canadians.

The paper version was signed by
Lucienne Robillard
President of the Treasury Board

Introduction

The Integrated Risk Management Framework delivers on the commitment set out in Results for Canadians – A Management Framework for the Government of Canada (March 2000) to strengthen risk management practices within the Public Service. In doing so, the Integrated Risk Management Framework supports the four management commitments outlined in Results for Canadians: citizen focus, values, results and responsible spending. The Integrated Risk Management Framework advances a citizen focus by strengthening decision-making in the public interest and placing more emphasis on consultation and communication. Similarly, it respects core public service values such as honesty, integrity and probity at all levels, and contributes to improved results by managing risk proactively. Integrated risk management also supports a whole-of-government view grounded in rational priority setting and principles of responsible spending.

The need for more affordable and effective government combined with trends towards revitalizing human resources capacity and redesigning service delivery are dramatically affecting the structure and culture of public organizations. The faster pace and need for innovation, combined with significant risk-based events from computer failures to natural disasters, has focused attention on risk management as essential in sound decision-making and accountability.

Responding to the need to strengthen risk management as a priority on the government management agenda, the Treasury Board of Canada Secretariat (the Secretariat) led research and consultations on risk management in collaboration with federal organizations, academics and private interests. The results highlighted the need for a common understanding of risk management and a more corporate, systematic approach. Informed by knowledge and experience from the public and private sectors in Canada and internationally, the Secretariat and its partners collaborated on the development of an Integrated Risk Management Framework.

This Framework is designed to advance the development and implementation of modern management practices and to support innovation throughout the federal Public Service. It provides a comprehensive approach to better integrate risk management into strategic decision-making.

The Framework provides an organization with a mechanism to develop an overall approach to manage strategic risks by creating the means to discuss, compare and evaluate substantially different risks on the same page. It applies to an entire organization and covers all types of risks faced by that organization (e.g., policy, operational, human resources, financial, legal, health and safety, environment, reputational).

The purpose of the Integrated Risk Management Framework is to:

- provide guidance to advance the use of a more corporate and systematic approach to risk management;
- contribute to building a risk-smart workforce and environment that allows for innovation and responsible risk-taking while ensuring legitimate precautions are taken to protect the public interest, maintain public trust, and ensure due diligence; and
- propose a set of risk management practices that departments can adopt, or adapt, to their specific circumstances and mandate.

Application of the Framework is designed to strengthen management practices, decision-making and priority setting to better respond to citizens' needs. Moreover, practising integrated risk management is expected to support the desired cultural shift to a risk-smart workforce and environment. More specifically, it is anticipated that implementation of the Framework will:

- support the government's governance responsibilities by ensuring that significant risk areas associated with policies, plans, programs and operations are identified and assessed, and that appropriate measures are in place to address unfavourable impacts and to benefit from opportunities;
- improve results through more informed decision-making, by ensuring that values, competencies, tools and a supportive environment form the foundation for innovation and responsible risk-taking, and by encouraging learning from experience while respecting parliamentary controls;
- strengthen accountability by demonstrating that levels of risk associated with policies, plans, programs and operations are explicitly understood, and that investment in risk management measures and stakeholder interests are optimally balanced; and
- enhance stewardship by strengthening public service capacity to safeguard people, government property and interests.

Integrated risk management respects and builds on core public service values. Outcomes of applied integrated risk management must be ethical, honest and fair; respect laws, government authorities and departmental policies; and result in prudent use of resources.

The Integrated Risk Management Framework responds to the recommendations contained in the Report of the Independent Review Panel on Modernization of Comptrollership in the Government of Canada (1997), which were approved by Treasury Board ministers. The report highlights a new guiding philosophy for comptrollership. This new philosophy combines a strong commitment to four key elements: performance reporting (financial and non-financial); sound risk management; the application of an appropriate system of control and reporting; and values and ethics. In identifying as a priority the strengthening of risk management across the Public Service, the report stressed the need for:

- "... executives and employees [to be] risk attuned – not only identifying but also managing risks ...";
- "... matching more creative and client-driven decision making and business approaches with solid risk management..."; and
- "... creating an environment in which taking risks and the consequences of doing so are handled within a mature framework of delegation, rewards and sanctions."

The Framework builds on existing risk management practices, reflects current thinking, best practices and the value of well-recognized principles for risk management. It is linked with other federal risk management initiatives across government, including recent efforts to strengthen internal audit and increase focus on monitoring. Risk management frameworks are also being developed in areas such as legal risk management and the precautionary approach. In addition, the Integrated Risk Management Framework complements the concepts and approach described in the Privy Council Office report – Risk Management for Canada and Canadians: Report of the ADM Working Group on Risk Management (2000). Collectively, these individual initiatives are contributing to strengthening risk management across the federal government in line with modern comptrollership and to improving practices in managing risk from a whole-of-government perspective.

Management Challenges

In today's world, change and uncertainty are constants. With increased demand by parliamentarians for greater transparency in decision-making, better educated and discerning citizens, globalization, technological advances, and numerous other factors, adapting to change and uncertainty while striving for operating efficiency is a fundamental part of the Public Service. Such an environment requires a stronger focus on integrated risk management practices within organizations in order to strategically deal with uncertainty, capitalize upon opportunities, and inform and increase involvement of stakeholders (including parliamentarians), to ensure better decisions in the future.

The challenge for the Public Service of Canada is to approach risk management in a more integrated and systematic way that includes greater emphasis on consultation and communication with stakeholders and the public at large. In meeting this challenge, the Public Service can fulfill its increased responsibility to demonstrate sound decision-making, in line with increasing expectations of due diligence, more intense public and media scrutiny, and initiatives for transparency and open government. Risk management is now seen as an organization-wide issue that, as one of several co-ordinated initiatives, will improve decision-making, enabling the shift to results-based management.

Integrated risk management requires looking across all aspects of an organization to better manage risk. Organizations that manage risk organization-wide have a greater likelihood of achieving their objectives and desired results. Effective risk management minimizes losses and negative outcomes and identifies opportunities to improve services to stakeholders and the public at large.

A systematic, integrated but adaptable approach to risk management requires an organization to build capacity to address risk explicitly, to increase the organization's and stakeholders' confidence in its ability to achieve its goals. It contributes to better use of time and resources, improved teamwork and strengthened trust through sharing analyses and actions with partners. In emphasizing the need for more active and frequent consultation and risk communication, an integrated approach to risk management leads to shared responsibility for managing risk. It also increases confidence in the organization's process, and improves public and stakeholder understanding of trade-offs.

Developing a Risk-Smart Workforce and Environment

Application of the Integrated Risk Management Framework, in conjunction with related risk management activities, will support a cultural shift to a risk-smart workforce and environment in the Public Service. Such an environment is one that supports responsible risk management, where risk management is built into existing governance and organizational structures, and planning and operational processes. An essential element of a risk-smart environment is to ensure that the workplace has the capacity and tools to be innovative while recognizing and respecting the need to be prudent in protecting the public interest and maintaining public trust.

Departments whose core mandate focuses directly on public health and safety have traditionally been very proactive in practising systematic risk management. These departments have a long history of addressing the public's low risk tolerance in the areas of health and safety and have, as a result, developed an effective risk management culture. The emerging trends in the public sector environment and challenges associated with the need to adapt to change and uncertainty are contributing to the increased interest in risk management in other public policy areas. This higher level of awareness around risk management and the need to better understand and manage different types of risks in addition to health and safety risks requires a cultural shift. The aim of this cultural shift is to develop a risk-smart workforce throughout the Public Service by ensuring that public servants at all levels are more risk aware and risk attentive, that mitigation measures are proportionate to the issue at hand, and that the necessary tools and processes are in place to support them.

Achieving this cultural change will require sustained commitment throughout the Public Service over a number of years as practices evolve.

Key Concepts

There are three critical concepts that are cornerstones of the Integrated Risk Management Framework: risk, risk management and integrated risk management. These concepts are elaborated on below.

Risk

Risk is unavoidable and present in virtually every human situation. It is present in our daily lives, public and private sector organizations. Depending on the context, there are many accepted definitions of risk[1] in use.

The common concept in all definitions is uncertainty of outcomes. Where they differ is in how they characterize outcomes. Some describe risk as having only adverse consequences, while others are neutral.

While this Framework recognizes the importance of the negative connotation of outcomes associated with the description of risk (i.e., risk is adverse), it is acknowledged that definitions are evolving. Indeed, there is considerable debate and discussion on what would be an acceptable generic definition of risk that would recognize the fact that, when assessed and managed properly, risk can lead to innovation and opportunity. This situation appears more prevalent when dealing with operational risks and in the context of technological risks. For example, Government On-Line (GOL) represents an opportunity to significantly increase the efficiency of public access to government services. It is acknowledged in advance that the benefits of pursuing GOL would outweigh, in the long term, potential negative outcomes, which are foreseen to be manageable.

To date, no consensus has emerged, but after much research and discussion, the following description of risk has been developed for the federal Public Service in the context of the Integrated Risk Management Framework:

Risk refers to the uncertainty that surrounds future events and outcomes. It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization's objectives.

The phrase "the expression of the likelihood and impact of an event" implies that, as a minimum, some form of quantitative or qualitative analysis is required for making decisions concerning major risks or threats to the achievement of an organization's objectives. For each risk, two calculations are required: its likelihood or probability; and the extent of the impact or consequences.

Finally, it is recognized that for some organizations, risk management is applied to issues predetermined to result in adverse or unwanted consequences. For these organizations, the definition of risk in the Privy Council Office report[1], which refers to risk as "a function of the probability (chance, likelihood) of an adverse or unwanted event, and the severity or magnitude of the consequences of that event" will be more relevant to their particular public decision-making contexts. Although this definition of risk refers to the negative impact of the issue, the report acknowledges that there are also positive opportunities arising from responsible risk-taking, and that innovation and risk co-exist frequently.

Risk Management

Risk management is not new in the federal public sector. It is an integral component of good management and decision-making at all levels. All departments manage risk continuously whether they realize it or not – sometimes more rigorously and systematically, sometimes less so. More rigorous risk management occurs most visibly in departments whose core mandate is to protect the environment and public health and safety.

As with the definition of risk, there are equally many accepted definitions of risk management in use. Some describe risk management as the decision-making process, excluding the identification and assessment of risk, whereas others describe risk management as the complete process, including risk identification, assessment and decisions around risk issues. For example, the Privy Council Office's report refers to risk management as "the process for dealing with uncertainty within a public policy environment"[2].

For the purposes of the Integrated Risk Management Framework:

Risk management is a systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, acting on and communicating risk issues.

In order to apply risk management effectively, it is vital that a risk management culture be developed. The risk management culture supports the overall vision, mission and objectives of an organization. Limits and boundaries are established and communicated concerning what are acceptable risk practices and outcomes.

Since risk management is directed at uncertainty related to future events and outcomes, it is implied that all planning exercises encompass some form of risk management. There is also a clear implication that risk management is everyone's business, since people at all levels can provide some insight into the nature, likelihood and impacts of risk.

Risk management is about making decisions that contribute to the achievement of an organization's objectives by applying it both at the individual activity level and in functional areas. It assists with decisions such as the reconciliation of science-based evidence and other factors; costs with benefits and expectations in investing limited public resources; and the governance and control structures needed to support due diligence, responsible risk-taking, innovation and accountability.

Integrated Risk Management

The current operating environment is demanding a more integrated risk management approach. It is no longer sufficient to manage risk at the individual activity level or in functional silos. Organizations around the world are benefiting from a more comprehensive approach to dealing with all their risks.

Today, organizations are faced with many different types of risk (e.g., policy, program, operational, project, financial, human resources, technological, health, safety, political). Risks that present themselves on a number of fronts as well as high level, high-impact risks demand a co-ordinated, systematic corporate response.

Integrated Risk Management
"Whatever name they put on it – business ... holistic ... strategic ... enterprise – leading organizations around the world are breaking out of the 'silo mentality' and taking a comprehensive approach to dealing with all the risks they face."
– Towers Perrin

For the purposes of the Integrated Risk Management Framework:

Integrated risk management is a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective. It is about making strategic decisions that contribute to the achievement of an organization's overall corporate objectives.

Integrated risk management requires an ongoing assessment of potential risks for an organization at every level and then aggregating the results at the corporate level to facilitate priority setting and improved decision-making. Integrated risk management should become embedded in the organization's corporate strategy and shape the organization's risk management culture. The identification, assessment and management of risk across an organization helps reveal the importance of the whole, the sum of the risks and the interdependence of the parts.

Integrated risk management does not focus only on the minimization or mitigation of risks, but also supports activities that foster innovation, so that the greatest returns can be achieved with acceptable results, costs and risks. Integrated risk management strives for the optimal balance at the corporate level.

The Government of Canada has already used an integrated risk management approach to manage risk related to Y2K and is currently applying the approach to other major initiatives such as Government On-Line and Program Integrity.

An Integrated Risk Management Framework

The Integrated Risk Management Framework provides guidance to adopt a more holistic approach to managing risk. The application of the Framework is expected to enable employees and organizations to better understand the nature of risk, and to manage it more systematically.

Four Elements and Their Expected Results

The Integrated Risk Management Framework is comprised of four related elements. The elements, and a synopsis of the expected results for each, are presented below. Further details on the conceptual and functional aspects of the Framework are provided in subsequent sections of this document.

Element 1: Developing the Corporate Risk Profile

- the organization's risks are identified through environmental scanning;
- current status of risk management within the organization is assessed; and
- the organization's risk profile is identified.

Element 2: Establishing an Integrated Risk Management Function

- management direction on risk management is communicated, understood and applied;
- approach to operationalize integrated risk management is implemented through existing decision-making and reporting structures; and
- capacity is built through development of learning plans and tools.

Element 3: Practising Integrated Risk Management

- a common risk management process is consistently applied at all levels;
- results of risk management practices at all levels are integrated into informed decision-making and priority setting;
- tools and methods are applied; and
- consultation and communication with stakeholders is ongoing.

Element 4: Ensuring Continuous Risk Management Learning

- a supportive work environment is established where learning from experience is valued, lessons are shared;
- learning plans are built into an organization's risk management practices;
- results of risk management are evaluated to support innovation, learning and continuous improvement; and
- experience and best practices are shared, internally and across government.

The four elements of the Integrated Risk Management Framework are presented as they might be applied: looking outward and across the organization as well as at individual activities. This comprehensive approach to managing risk is intended to establish the relationship between the organization and its operating environment, revealing the interdependencies of individual activities and the horizontal linkages.

While it is acknowledged that some departments are more advanced than others in moving towards the implementation of an integrated risk management approach, there is growing appreciation across the Public Service of the need to strengthen risk management practices and develop a more strategic and corporate-wide focus.

Implementing integrated risk management will depend largely on an organization's state of readiness, overall priorities and the level of effort necessary to implement the various elements. As a result, developing a more mature risk management environment will require sustained commitment and will evolve over time. This Framework is a step in establishing the foundation for integrated risk management in the public sector. It is acknowledged that to support and facilitate implementation, the development of specific tools and guidelines as well as sharing of best practices and lessons learned will be required.

Element 1: Developing the Corporate Risk Profile

A broad understanding of the operating environment is an important first step in developing the corporate risk profile. Developing the risk profile at the corporate level is intended to examine both threats and opportunities in the context of an organization's mandate, objectives and available resources.

In building the corporate risk profile, information and knowledge at both the corporate and operational levels is collected to assist departments in understanding the range of risks they face, both internally and externally, their likelihood and their potential impacts. In addition, identifying and assessing the existing departmental risk management capacity and capability is another critical component of developing the corporate risk profile.

An organization can expect three key outcomes as a result of developing the corporate risk profile:

- Threats and opportunities are identified through ongoing internal and external environmental scans, analysis and adjustment.
- Current status of risk management within the organization is assessed – challenges/opportunities, capacity, practices, culture – and recognized in planning organization-wide management of risk strategies.
- The organization's risk profile is identified – key risk areas, risk tolerance, ability and capacity to mitigate, learning needs.

External and Internal Environment

Through the environmental scan, key external and internal factors and risks influencing an organization's policy and management agenda are identified. Identifying major trends and their variation over time is particularly relevant in providing potential early warnings.

Some external factors to be considered for potential risks include:

- Political: the influence of international governments and other governing bodies;
- Economic: international and national markets, globalization;
- Social: major demographic and social trends, level of citizen engagement; and
- Technological: new technologies.

Internally, the following factors are considered relevant to the development of an organization's risk profile: the overall management framework; governance and accountability structures; values and ethics; operational work environment; individual and corporate risk management culture and tolerances; existing risk management expertise and practices; human resources capacity; level of transparency required; and local and corporate policies, procedures and processes.

The environmental scan increases the organization's awareness of the key characteristics and attributes of the risks it faces. These include:

- type of risk: technological, financial, human resources (capacity, intellectual property), health, safety;
- source of risk: external (political, economic, natural disasters); internal (reputation, security, knowledge management, information for decision making);
- what is at risk: area of impact/type of exposure (people, reputation, program results, materiel, real property); and
- level of ability to control the risk: high (operational); moderate (reputation); low (natural disasters).

An organization's risk profile identifies key risk areas that cut across the organization (functions, programs, systems) as well as individual events, activities or projects that could significantly influence the overall management priorities, performance, and realization of organizational objectives.

The environmental scan assists the department in establishing a strategic direction for managing risk, making appropriate adjustments in decisions and actions. It is an ongoing process that reinforces existing management practices and supports the attainment of overall management excellence.

Assessing Current Risk Management Capacity

In assessing internal risk management capacity, the mandate, governance and decision-making structures, planning processes, infrastructure, and human and financial resources are examined from the perspective of risk. The assessment requires an examination of the prevailing risk management culture, risk management processes and practices to determine if adjustments are necessary to deal with the evolving risk environment.

Furthermore, the following factors are considered key in assessing an organization's current risk management capacity: individual factors (knowledge, skills, experience, risk tolerance, propensity to take risk); group factors (the impact of individual risk tolerances and willingness to manage risk); organizational factors (strategic direction, stated or implied risk tolerance); as well as external factors (elements that affect particular risk decisions or how risk is managed in general).

Risk Tolerance

An awareness and understanding of the current risk tolerances of various stakeholders is a key ingredient in establishing the corporate risk profile. The environmental scan will identify stakeholders affected by an organization's decisions and actions, and their degree of comfort with various levels of risk. Understanding the current state of risk tolerance of citizens, parliamentarians, interest groups, suppliers, as well as other government departments will assist in developing a risk profile and making decisions on what risks must be managed, how, and to what extent. It will also help identify the challenges associated with risk consultations and communication.

In the Public Service, citizens' needs and expectations are paramount. For example, most citizens would likely have a low risk tolerance for public health and safety issues (injuries, fatalities), or the loss of Canada's international reputation. Other risk tolerances for issues such as project delays and slower service delivery may be less obvious and may require more consultation.

In general, there is lower risk tolerance for the unknown, where impacts are new, unobservable or delayed. There are higher risk tolerances where people feel more in control (for example, there is usually a higher risk tolerance for automobile travel than for air travel).

Risk tolerance can be determined through consultation with affected parties, or by assessing stakeholders' response or reaction to varying levels of risk exposure. Risk tolerances may change over time as new information and outcomes become available, as societal expectations evolve and as a result of stakeholder engagement on trade-offs. Before developing management strategies, a common approach to the assessment of risk tolerance needs to be understood organization-wide.

Determining and communicating an organization's own risk tolerance is also an essential part of managing risk. This process identifies areas where minimal levels of risk are permissible, as well as those that should be managed to higher, yet reasonable levels of risk.
Element 2: Establishing an Integrated Risk
Management Function
Establishing an integrated risk management function means setting up the corporate
"infrastructure" for risk management that is designed to enhance understanding and
communication of risk issues internally, to provide clear direction and demonstrate senior
management support. The corporate risk profile provides the necessary input to establish
corporate risk management objectives and strategies. To be effective, risk management
needs to be aligned with an organization's overall objectives, corporate focus, strategic
direction, operating practices and internal culture. In order to ensure risk management is
a consideration in priority setting and revenue allocation, it needs to be integrated within
existing governance and decision-making structures at the operational and strategic
levels.
To ensure that risk management is integrated in a rational, systematic and proactive
manner, an organization should seek to achieve three related outcomes:
Management direction on risk management is communicated, understood and
applied - vision, policies, operating principles.
Approach to operationalize integrated risk management is implemented through
existing decision-making structures: governance, clear roles and responsibilities,
and performance reporting.
Building capacity - learning plans and tools are developed for use throughout the
organization.
Strategic Risk Management Direction
The establishment and communication of the organization's risk management vision,
objectives and operating principles are vital to providing overall direction, and ensure the
successful integration of the risk management function into the organization. Using these
instruments can reinforce the notion that risk management is everyone's business.
It is essential that management provides a clear statement of its commitment to risk
management and determines the best way to implement risk management in its
organization. This includes establishing a corporate focus and communicating internal
parameters, priorities, and practices for the implementation of risk management. To
reinforce the corporate focus on risk management, organizations may dedicate a small
number of resources to provide both advisory and challenge functions, and to specifically
integrate these responsibilities into an existing unit (for example, Corporate Planning and
Policy, Comptrollership Secretariat, Internal Audit).
In establishing the strategic risk management direction, internal and external concerns,
perceptions and risk tolerances are taken into account. It is also imperative to identify
acceptable risk tolerance levels so those unfavourable outcomes can be remedied
promptly and effectively. Clear communication of the organization's strategic direction
will help foster the creation and promotion of a supportive corporate risk management
culture.
Objectives and strategies for risk management are designed to complement the
organization's existing vision and goals. In establishing an overall risk management
direction, a clear vision for risk management is articulated and supported by policies and
operating principles. The policy would guide employees by describing the risk
management process, establishing roles and responsibilities, providing methods for
managing risk, as well as providing for the evaluation of both the objectives and results
of risk management practices.
Integrating Risk Management into Decision Making
Effective risk management cannot be practised in isolation, but needs to be built into
existing decision-making structures and processes. As risk management is an essential
component of good management, integrating the risk management function into existing
strategic management and operational processes will ensure that risk management is an
integral part of day-to-day activities. In addition, organizations can capitalize on existing
capacity and capabilities (e.g., communications, committee structures, existing roles and
responsibilities, etc.)
While each organization will find its own way to integrate risk management into existing
decision-making structures, the following are factors that may be considered:
aligning risk management with objectives at all levels of the organization;
introducing risk management components into existing strategic planning and
operational processes;
communicating corporate directions on acceptable level of risk; and
improving control and accountability systems and processes to take into account
risk management and results.
The integration of risk management into decision-making is supported by a corporate
philosophy and culture that encourages everyone to manage risks. This can be
accomplished in a number of ways, such as:
seeking excellence in management practices, including risk management;
having senior managers champion risk management;
encouraging innovation, while providing guidance and assistance in situations that
do not turn out favourably;
encouraging managers to develop knowledge and skills in risk management;
including risk management as part of employees' performance appraisals;
introducing incentives and rewards; and
recruiting on risk management ability as well as experience.
Reporting on Performance
The development of evaluation and reporting mechanisms for risk management activities
provides feedback to management and other interested parties in the organization and
government-wide. The results of these activities ensure that integrated risk management
is effective in the long term. Some of these activities could fall to functional groups in the
organization responsible for review and audit. Responsibility may also be assigned to
operational managers and employees to ensure that information affecting risk that is
collected as part of local reporting or practices is incorporated into the environmental
scanning process. Reporting could take place through normal management channels
(performance reporting, ongoing monitoring, appraisal) as part of the advisory and
challenge functions associated with risk management.
Reporting facilitates learning and improved decision-making by assessing both successes
and failures, monitoring the use of resources, and disseminating information on best
practices and lessons learned. Organizations should evaluate the effectiveness of their
integrated risk management processes on a periodic basis. In collaboration with
departments, the Treasury Board of Canada Secretariat will review the effectiveness of
the Integrated Risk Management Framework and make the necessary adjustments to
ensure sustained progress in building a risk-smart workforce and environment.
Building Organizational Capacity
Building risk management capacity is an ongoing challenge even after integrated risk
management has become firmly entrenched. Environmental scanning will continue to
identify new areas and activities that require attention, as well as the risk management
skills, processes, and practices that need to be developed and strengthened.
Organizations need to develop their own capacity strategies based on their specific
situation and risk exposure. The implementation of the Integrated Risk Management
Framework will be further supported by the Treasury Board of Canada Secretariat, which,
through a centre of expertise, will provide overall guidance, advice and share best
practices.
To build capacity for risk management, there needs to be a focus on two key areas:
human resources, and tools and processes at both the corporate and local levels. The risk
profile will identify the organization's existing strengths and weaknesses vis-à-vis
capacity. Areas that may require attention include:
Human Resources
building awareness of risk management initiatives and culture;
broadening skills base through formal training including appropriate applications
and tools;
increasing knowledge base by sharing best practices and experiences; and
building capacity, capabilities and skills to work in teams.
Tools and Processes
developing and adopting corporate risk management tools, techniques, practices
and processes;
providing guidance on the application of tools and techniques;
allowing for development and/or the use of alternative tools and techniques that
may be better suited to managing risk in specialized applications; and
adopting processes to ensure integration of risk management across the
organization.
Element 3: Practising Integrated Risk Management
Implementing an integrated risk management approach requires a management decision
and sustained commitment, and is designed to contribute to the realization of
organizational objectives. Integrated risk management builds on the results of an
environmental scan and is supported by appropriate corporate infrastructure.
The following outcomes are expected for practising integrated risk management:
A departmental risk management process is consistently applied at all levels,
where risks are understood, managed and communicated.
Results of risk management practices at all levels are integrated into informed
decision-making and priority setting - strategic, operational, management and
performance reporting.
Tools and methods are applied as aids to make decisions.
Consultation and communication with stakeholders is ongoing - internal and
external.
A Common Process
A common, continuous risk management process assists an organization in
understanding, managing and communicating risk. Continuous risk management has
several steps. Emphasis on various points in the process may vary, as may the type,
rigour or extent of actions considered, but the basic steps are similar. In the exhibits that
follow, Exhibit 1 illustrates an example of a continuous risk management process that
focuses on an integrated approach to risk management, while Exhibit 2 presents a risk
management decision-making process in the context of public policy.
Exhibit 1: A Common Risk Management Process
Internal and external communication and continuous learning improve understanding and
skills for risk management practice at all levels of an organization, from corporate
through to front-line operations. The process provides common language, guides
decision-making at all levels, and allows organizations to tailor their activities at the local
level. Documenting the rationale for arriving at decisions strengthens accountability and
demonstrates due diligence.
The common risk management process and related activities are:
Risk Identification
1. Identifying Issues, Setting Context
Defining the problems or opportunities, scope, context (social, cultural, scientific
evidence, etc.) and associated risk issues.
Deciding on necessary people, expertise, tools and techniques (e.g., scenarios,
brainstorming, checklists).
Performing a stakeholder analysis (determining risk tolerances, stakeholder
position, attitudes).
Risk Assessment
2. Assessing Key Risk Areas
Analyzing context/results of environmental scan and determining types/categories
of risk to be addressed, significant organization-wide issues, and vital local issues.
3. Measuring Likelihood and Impact
Determining degree of exposure, expressed as likelihood and impact, of assessed
risks, choosing tools.
Considering both the empirical/scientific evidence and public context.
4. Ranking Risks
Ranking risks, considering risk tolerance, using existing or developing new criteria
and tools.
Responding to Risk
5. Setting Desired Results
Defining objectives and expected outcomes for ranked risks, short/long term.
6. Developing Options
Identifying and analyzing options - ways to minimize threats and maximize
opportunities - approaches, tools.
7. Selecting a Strategy
Choosing a strategy, applying decision criteria - results-oriented,
problem/opportunity driven.
Applying, where appropriate, the precautionary approach/principle as a means of
managing risks of serious or irreversible harm in situations of scientific
uncertainty.
8. Implementing the Strategy
Developing and implementing a plan.
Monitoring and Evaluation
9. Monitoring, Evaluating and Adjusting
Learning, improving the decision-making/risk management process locally and
organization-wide, using effectiveness criteria, reporting on performance and
results.
Organizations may vary the basic steps and supporting tasks most suited to achieving
common understanding and implementing consistent, efficient and effective risk
management. A focused, systematic and integrated approach recognizes that all
decisions involve management of risk, whether in routine operations or for major
initiatives involving significant resources. It is important that the risk management
process be applied at all levels, from the corporate level to programs and major projects
to local systems and operations. While the process allows tailoring for different uses,
having a consistent approach within an organization assists in aggregating information to
deal with risk issues at the corporate level.
Exhibit 2: Risk Management in Public Policy: A Decision-Making Process
Exhibit 2 presents the model, developed by the PCO-led ADM Working Group on Risk
Management, which addresses the issue of risk management in the context of public
policy development. This model presents a basis for exploring issues of interest to
government policy-makers, and provides a context in which to discuss, examine, and
seek out interrelationships between issues associated with public policy decisions in an
environment of uncertainty and risk (i.e., a model of public risk management).
As in Exhibit 2, this model recognizes six basic steps: identification of the issue; analysis
or assessment of the issue; development of options; decision; implementation of the
decision; and evaluation and review of the decision.
In this model, several key elements were identified as influencing the public policy
environment surrounding risk management:
There is a public element to virtually all government decision-making, and it is a
central and legitimate input to the process.
Uncertainty in science, together with competing policy interests (including
international obligations) has led to increased focus on the precautionary
approach.
A decision-making process does not occur in isolation - the public nature and
complexity of many government policy issues means that certain factors, such as
communications and consultation activities, legal considerations, and ongoing
operational activities, require active consideration at each stage of the process.
Integrating Results for Risk Management into Practices at all
Levels
The results of risk management are to be integrated both horizontally and vertically into
organizational policies, plans and practices. Horizontally, it is important that results be
considered in developing organization-wide policies, plans and priorities. Vertically,
functional units, such as branches and divisions, need to incorporate these results into
programs and major initiatives.
In practice, the risk assessment and response to risk would be considered in developing
local business plans at the activity, division or regional level. These plans would then be
considered at the corporate level, and significant risks (horizontal or high-impact risks)
would be incorporated into the appropriate corporate business, functional or operational
plan.
The responsibility centre providing the advisory and "corporate challenge" functions can
add value to this process, since new risks might be identified and new risk management
strategies required after the roll-up. There needs to be a synergy between the overall risk
management strategy and the local risk management practices of the organization.
Each function or activity would have to be examined from three standpoints:
its purpose: risk management would look at decision-making, planning, and
accountability processes as well as opportunities for innovation;
its level: different approaches are required based on whether a function or
activity is strategic, management or operational; and
the relevant discipline: the risks involved with technology, finance, human
resources, and those regarding legal, scientific, regulatory, and/or health and
safety issues.
Tools and Methods
At a technical level, various tools and techniques can be used for managing risk. The
following are some examples:
risk maps: summary charts and diagrams that help organizations identify,
discuss, understand and address risks by portraying sources and types of risks
and disciplines involved/needed;
modelling tools: such as scenario analysis and forecasting models to show the
range of possibilities and to build scenarios into contingency plans;
framework on the precautionary approach: a principle-based framework that
provides guidance on the precautionary approach in order to improve the
predictability, credibility and consistency of its application across the federal
government;
qualitative techniques: such as workshops, questionnaires, and
self-assessment to identify and assess risks; and
Internet and organizational Intranets: promote risk awareness and
management by sharing information internally and externally.
Exhibit 3 provides an example of a risk management model. In this model, one can
assess where a particular risk falls in terms of likelihood and impact and establish the
organizational strategy/response to manage the risk.
Exhibit 3: A Risk Management Model
In developing methods to provide guidance on risk management, the different levels of
readiness and experience in a department, as well as variations in available resources
need to be recognized. Therefore, methods need to be flexible and simple using clear
language to ensure open channels of communication.
Several practical methods that could be used to provide guidance are:
a managers' forum: where risks are identified, proposed actions are discussed
and best practices are shared;
an internal risk management advisory function: dedicated to risk
management, either as a special unit or associated with an existing functional
unit; and
tool kits: a collection of effective risk management tools such as checklists,
questionnaires, best practices.
Communication and Consultation
Communication of risk and consultation with interested parties are essential to supporting
sound risk management decisions. In fact, communication and consultation must be
considered at every stage of the risk management process.
A fundamental requirement for practising integrated risk management is the development
of plans, processes and products through ongoing consultation and communication with
stakeholders (both internal and external) who may be involved in or affected by an
organization's decisions and actions.
Consultation and proactive citizen engagement will assist in bridging gaps between
statistical evidence and perceptions of risk. It is also important that risk communication
practices anticipate and respond effectively to public concerns and expectations. A
citizen's request for information presents an opportunity to communicate about risk and
the management of risk.
In the public sector context, some high-profile risk issues would benefit from proactively
involving parliamentarians in particular forums of discussion thus creating opportunities
for exchanging different perspectives. In developing public policy, input from both the
empirical and public contexts ensures that a more complete range of information is
available, therefore, leading to the development of more relevant and effective public
policy options. Internally, risk communication promotes action, continuous learning,
innovation and teamwork. It can demonstrate how management of a localized risk
contributes to the overall achievement of corporate objectives.
Risk communication involves a range of activities, including issue identification and
assessment, analysis of the public environment (including stakeholder interests and
concerns), development of consultation and communications strategies, message
development, working with the media, and monitoring and evaluating the public dialogue.
The public sector has the additional responsibility of reporting to and communicating with
Parliament.
Within the federal Public Service, it is expected that consultation activities, including
those related to risk management, will be undertaken in a manner that is consistent with
the Government Communications Policy.
Element 4: Ensuring Continuous Risk Management
Learning
Continuous learning is fundamental to more informed and proactive decision-making. It
contributes to better risk management, strengthens organizational capacity and facilitates
integration of risk management into an organizational structure. To ensure continuous
risk management learning, pursue the following outcomes:
Learning from experience is valued, lessons are shared - a supportive work
environment.
Learning plans are built into organization's risk management practices.
Results of risk management are evaluated to support innovation, capacity
building and continuous improvement - individual, team and organization.
Experience and best practices are shared - internally and across government.
Creating a Supportive Work Environment
A supportive work environment is a key component of continuous learning. Valuing
learning from experience, sharing best practices and lessons learned, and embracing
innovation and responsible risk-taking characterize an organization with a supportive
work environment. An organization with a supportive work environment would be
expected to:
Promote learning
by fostering an environment that motivates people to learn;
by valuing knowledge, new ideas and new relationships as vital aspects of the
creativity that leads to innovation; and
by including and emphasizing learning in strategic plans.
Learn from experience
by valuing experimentation, where opportunities are assessed for benefits and
consequences;
by sharing learning on past successes and failures; and
by using "lessons learned" and "best practices" in planning exercises.
Demonstrate management leadership
by selecting leaders who are coaches, teachers and good stewards;
by demonstrating commitment and support to employees through the provision of
opportunities, resources, and tools; and
by making time, allotting resources and measuring success through periodic
reviews (e.g., learning audits).
Building Learning Plans in Practices
Since continuous learning contributes significantly to increasing capacity to manage risk,
the integration of learning plans into all aspects of risk management is fundamental to
building capacity and supporting the strategic direction for managing risk.
As part of a unit's learning strategy, learning plans provide for the identification of
training and development needs of each employee. Effective learning plans, reflecting risk
management learning strategies, are linked to both operational and corporate strategies,
incorporate opportunities for managers to coach and mentor staff, and address
competency gaps (knowledge and skills) for individuals and teams. The inclusion of risk
management learning objectives in performance appraisals is a useful approach to
support continuous risk management learning.
Supporting Continuous Learning and Innovation
In implementing a continuous learning approach to risk management, it is important to
recognize that not all risks can be foreseen or totally avoided. Procedures are paramount
to ensure due diligence and to maintain public confidence. Goals will not always be met
and innovations will not always lead to expected outcomes. However, if risk management
actions are informed and lessons are learned, promotion of a continuous learning
approach will create incentives for innovation while still respecting organizational risk
tolerances. The critical challenge is to show that risk is being well-managed and that
accountability is maintained while recognizing that learning from experience is important
for progress.
In addition to demonstrating accountability, transparency and due diligence, proper
documentation may also be used as a learning tool. Practising integrated risk
management should support innovation, learning, and continuous improvement at the
individual, team and organization level.
An organization demonstrates continuous learning with respect to risk management if:
an appropriate risk management culture is fostered;
learning is linked to risk management strategy at many levels;
responsible risk-taking and learning from experience is encouraged and
supported;
there is considerable information sharing as the basis for decision-making;
decision-making includes a range of perspectives including the views of
stakeholders, employees and citizens; and
input and feedback are actively sought and are the basis for further action.
Conclusion
The Integrated Risk Management Framework advances a more systematic and integrated
approach for risk management. By focusing on the importance of risk communication and
risk tolerance, it looks outside the organization for the views of Canadians. Internally, it
emphasizes the importance of people and leadership and the need for departments and
agencies to more clearly define their roles. The Framework provides a tool that helps
organizations communicate a vision and objectives for management of risk based on
government values and priorities, lessons learned, best practices and consultation with
stakeholders.
The Framework is a fundamental part of the federal management agenda and Modern
Comptrollership. It is designed to support the optimization of resource allocation and
responsible spending, paramount for achieving results. It also builds on public sector
values, knowledge management and continuous learning for innovation. The Integrated
Risk Management Framework is the first step in establishing the foundation for more
strategic and corporate integrated risk management in departments and in government.
In the future, the Framework will be supported by tools and guidance documents as well
as complemented by other risk management initiatives.
The Treasury Board of Canada Secretariat intends to work closely with departments and
agencies in implementing the Integrated Risk Management Framework and in tracking
progress toward building a risk-smart workforce and environment in the Public Service.
Appendix: Shared Leadership - Suggested Roles and
Responsibilities
In moving toward an integrated risk management function, everyone has a role to play.
Combining shared leadership with a team approach will help contribute to the success of
integrated risk management throughout the organization. Suggested roles and
responsibilities that could be considered by the different parties involved in integrated
risk management are outlined below.
Treasury Board of Canada Secretariat
communicating and explaining the Integrated Risk Management Framework;
providing guidance, training and a centre of expertise in support of the Integrated
Risk Management Framework;
providing Treasury Board, other central agencies and Parliament with risk
management information and advice appropriate to their responsibilities; and
periodically examining and evaluating the effectiveness of the Integrated Risk
Management Framework, tracking progress and reporting on best practices.
Deputy Heads or Equivalent
setting the tone from the top that systematic and integrated risk management is
valuable for understanding uncertainty in decision-making and for demonstrating
accountability to stakeholders;
determining the best way to implement the Integrated Risk Management
Framework in their organization;
ensuring that a supportive learning environment exists for risk management,
including sensible risk taking and learning from experience;
ensuring, from a corporate perspective, that risks are prioritized, and that
appropriate risk management strategies are in place to respond to identified risks;
and
ensuring the capacity to report on the performance of the risk management
function (i.e., knowing how well the department or agency is managing risk).
Senior Management
integrating risk management into overall departmental strategy and management
frameworks;
providing managers and employees with learning opportunities and training to
build competencies; and
allocating resources for investment in more systematic risk management.
Managers
considering risk as a part of their decision-making process; and
ensuring there is appropriate ongoing operational and corporate-related risk
management action, planning, training, control, monitoring and documentation.
Functional Advisors and Specialists
ensuring that policy and related advice, guidance and assistance is in line with
central agency and departmental policies on risk management and senior
management's objectives;
helping managers identify and assess risk and the effectiveness, efficiency and
economy of existing measures to manage risk; and
helping managers design and implement tools for more effective risk
management.
Review, Internal Audit
reporting to the Deputy Head on the department's or agency's performance under
the Integrated Risk Management Framework.
All Public Servants
staying aware of and attentive to risk management issues;
risk-smart behaviours and outcomes - considering limitations, key risk areas and
fundamental rules to understand risks they can and cannot take (i.e.,
understanding where there is allowance for honest mistakes and where prudence
is paramount); and
documenting decisions and supporting information.
