Treasury Board of Canada Secretariat
Symbol of the Government of Canada

ARCHIVED - Integrated Risk Management Implementation Guide

Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.


This guide is a companion to the Government of Canada's Integrated Risk Management Framework (IRMF) of April 2001. It is intended for use with the IRMF in implementing integrated risk management in a federal organization.

The IRMF supports the government agenda of modernizing management practices and supporting innovation through more responsible risk taking. The IRMF embodies principles and practices that follow through on the vision of the 1997 Report of the Independent Review Panel on Modernization of Comptrollership in the Government of Canada and the commitments made in Results for Canadians: A Management Framework for the Government of Canada, a report issued by the Treasury Board of Canada Secretariat (TBS) in 2000.

The Independent Review Panel highlighted a new philosophy for comptrollership. The philosophy combines a strong commitment to four key components: performance reporting (both financial and non-financial); sound risk management; the application of an appropriate system of control and reporting; and values and ethics. The vision for modern comptrollership is that management decisions, at every level, integrate risk management, financial and non-financial performance information, appropriate controls, and values.

With regard to risk management, the panel report highlighted the need to:

  • ensure that employees are risk-attuned (not only in identifying, but also in managing risks);
  • match more creative and client-driven decision-making and business approaches with solid risk management; and
  • create an environment in which taking risks and the consequences of doing so are handled within a mature framework of delegation, rewards, and sanctions.

The importance of strengthening risk management was reinforced in Results for Canadians, which promised development of an integrated risk management framework. An integrated approach to risk management supports the four management commitments outlined in the report (citizen focus, values, results, and responsible spending) by promoting a more corporate and systematic approach to managing risk, applying sound risk management practices, and fostering a working culture that values learning, innovation, responsible risk taking, and continuous improvement.

In June 2003, TBS released the Management Accountability Framework (MAF), which continues the emphasis on corporate risk management. A key expectation of the MAF is that the executive team clearly defines the corporate context and practices for managing organizational and strategic risks proactively as part of achieving management excellence. The MAF presents indicators and measures for risk management and the other expectations placed on modern public service management.

This guide recognizes that managers have many roles and responsibilities. Managers are expected to achieve specific results, while taking into account numerous competing demands. The IRMF and this guide support managers by emphasizing results and priority setting while promoting approaches and tools that build on existing management systems and practices. In fact, a primary aim of integrated risk management is to improve results through more informed strategic and operational decisions that contribute to achieving an organization's overall objectives.

Overview of the IRMF

The IRMF establishes an approach to integrating risk management into an organization's decision-making processes and managing risk on an aggregate basis, while still allowing departments and agencies to develop their own approaches within common parameters.

This section provides an overview of the concepts, purpose, and expected results of the IRMF, offering readers a basic understanding of the underlying risk management concepts and the linkages among the IRMF's four elements. Individuals new to the subject are encouraged to read the framework, available on the TBS risk management Web site at /rm-gr/site/default.aspx. Practitioners and risk champions already familiar with the IRMF may choose to go directly to the sections on implementing the framework's four elements.

There are three critical concepts that are cornerstones of the IRMF: risk, risk management, and integrated risk management. The IRMF adopted the following descriptions, developed for the Public Service of Canada in the context of the IRMF and explained in the framework in greater detail:

Risk refers to the uncertainty that surrounds future events and outcomes. It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization's objectives.

Risk management is a systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, acting on, and communicating risk issues.

Integrated risk management is a continuous, proactive, and systematic process to understand, manage, and communicate risk from an organization-wide perspective. It is about making strategic decisions that contribute to the achievement of an organization's overall corporate objectives.

The framework provides guidance on adopting a more holistic approach to managing risk, emphasizing four related elements: Developing the Corporate Risk Profile; Establishing an Integrated Risk Management Function; Practising Integrated Risk Management; and Ensuring Continuous Risk Management Learning. More detail can be found in the IRMF and throughout this guide.

The expected results for the four elements are summarized below:

Element 1: Developing the Corporate Risk Profile

Synopsis: Organizational risks are identified through environmental scanning; the current status of risk management within the organization is assessed; the organization's risk profile is identified.

Element 2: Establishing an Integrated Risk Management Function—Integrating Risk Management into Existing Decision-making Processes and Reporting

Synopsis: Management direction on risk management is communicated, understood, and applied; integrated risk management is implemented through existing decision-making processes and reporting structures; capacity is built through the development of learning plans and tools.

(In this guide, Element 2 has been clarified by the addition of the description "Integrating Risk Management into Existing Decision-making Processes and Reporting.")

Element 3: Practising Integrated Risk Management

Synopsis: A common risk management process is applied consistently at all levels; results of risk management practices at all levels are integrated into informed Decision-making and priority setting; tools and methods are applied; there is ongoing consultation and communication with stakeholders.

The IRMF describes a common, continuous risk management process to help organizations understand, manage, and communicate risk. Through nine interrelated steps, the process provides common terminology, guides decision making at all levels, and lets organizations tailor their activities at the local level. The nine steps span risk identification, risk assessment, risk response, and monitoring and evaluation. These steps are presented graphically in Appendix B. (See Exhibit 1 from the IRMF.)

The IRMF also presents a risk management model that lets managers assess where a particular risk falls in terms of likelihood (low, medium, or high) and impact (minor, moderate, or significant) and determine the level and nature of response necessary to manage the risk. This model is reproduced in Appendix C. (See Exhibit 3 from the IRMF.)

Element 4: Ensuring Continuous Risk Management Learning

Synopsis: A supportive work environment is established where learning from experience is valued and lessons are shared; learning plans are built into the organization's risk management practices; results of risk management are evaluated to support innovation, learning, and continuous improvement; experience and best practices are shared internally and across government.