Treasury Board of Canada Secretariat
Symbol of the Government of Canada

ARCHIVED - A Guide to Effective Business Continuity in Support of the Year 2000 Challenge

Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Appendix L  -  "Analyze" Detailed Procedures

Process Overview

Risk analysis follows the identification step and is aimed at obtaining risk information that can be used for decision-making on the Year 2000 Project. The following table provides the details to the analyze step. Detailed procedures for analyzing and determining the contingency planning requirements are provided in Appendix N.

Table L-1: Analysis Steps

Risk Analysis Steps



1. Conduct a Risk Analysis Workshop Identify a subset of stakeholders from the various risk identification workshops in order to conduct a risk analysis workshop intended to analyze each risk. Year 2000 Project Manager
2. Conduct Tri-level Attribute Evaluations for each Risk.

During the risk analysis workshop, determine the following qualitative attributes for each risk:

Probability: High, Medium, or Low;
Impact: High, Medium, or Low; and
Timeframe: Near, Mid, or Far;

(Refer to risk information sheet for details –
Appendix I)

Year 2000 Project Manager
3. Determine the Source of the Risk. During the risk analysis workshop, determine the source for each risk as follows:
  • Lack of information:
    This source of risk implies that the project/department has a lack of information regarding the likelihood of the event (risk) and/or its consequence. (e.g. risks related to the use of new technologies are often the result of a lack of information about the potential/performance of these technologies);
  • Lack of control:
    This source of risk implies that the project/department has a lack of control over the likelihood of the event (risk) and/or its consequence (e.g. lack of control over resources, budget, authority etc.); or
  • Lack of time:
    This source of risk implies that the project/department does/will not have the time to identify the risks associated with the project or a given course of action. It can also imply that the project will not have the time to assess the probability of occurrence or the impact of a given risk.
Year 2000 Project Manager
4. Determine the Response to the Risk. During the risk analysis workshop, determine the response to each risk as follows:
  • Assume:
    Let the risk occur, do nothing about it, and accept the consequences;
  • Avoid:
    Develop and implement mitigation strategies/risk action plans prior to the risk occurring;
  • Control:
    Develop risk mitigation strategies/risk action plans to be implemented after the risk occurs; and
  • Transfer:
    Transfer the responsibility of mitigating the risk to a third party, however, the department still has to track and control this risk since there is no guarantee that the transferee will be successful in mitigating the risk.
  • Escalate
    Escalate the responsibility of the risk to another organization/management level such as:
    • Other – Another organization/party who can help manage the risk
    • TBS – Treasury Board of Canada Secretariat
    • DDM– Deputy Minister
    • ADM – Associate Deputy Minister
      Steer. Com. – Year 2000 Steering Committee
Year 2000 Project Manager
5. Determine the Risk Rank. During the risk analysis workshop, conduct a risk ranking activity using one of the following three techniques:
  1. Comparative risk ranking (refer to the CRM Guidebook) – a method for comparing each risk against each other and determining which risk is more significant;
  2. Multivoting (refer to the CRM Guidebook) – an average of all individual voting/ranking; or
  3. Top N (refer to the CRM Guidebook) – the top risks which are significant, with a probability and impact of "medium" or "high"

As a guideline, risks with "low" probability and "low" impact should be discarded from the prioritization exercise. In order to conduct efficient risk management, it is important to deal with the risks that have medium to high probability and impact.

Year 2000 Project Stakeholder (Year 2000 PO resources plus others from within the department)
6. Approve the new Risks The Year 2000 Project Manager approves the risks identified on the final risk list. Year 2000 Project Manager
7. Develop the Risk Information Sheets. Once the risks are approved, document the risks using a Risk Information Sheet (refer to Appendix I). Each Risk Information Sheet will form the basis for managing each risk identified. Year 2000 Project Manager

Note: The responsibility currently assigned to the Year 2000 Project Manager can be delegated to other members of the organization including audit.