Treasury Board of Canada Secretariat

ARCHIVED - Integrated Risk Management Implementation Guide

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Getting Started—Committing and Sustaining Senior Management Support

This is about building the will and capacity for change—leading the initiative and managing the change.

Expected Results

  • Organizational readiness is assessed—understanding the organizational culture and the workforce's capacity for change, in light of the organization's mandate and resources.
  • Key risks (threats and opportunities) in achieving overall corporate objectives are considered initially by an executive forum from an organization-wide perspective; senior management discusses roles and approaches to address the risks collectively.
  • A senior management risk champion is identified who can exercise strong leadership to inspire and manage the required change and who believes in the value of integrated risk management and has a clear vision of how it links to corporate objectives.

Managing the Initiative—Key Drivers of Success

Implementing an integrated approach to risk management requires sustained effort. This section identifies key factors for departmental and agency risk champions, senior managers, and others to consider when planning implementation. Whether the process has been underway for some time or is just beginning, how they deal with these factors and how they set and adjust the course has a significant impact on the speed and success of implementation.

Recognize at the outset that the organization is undertaking a cultural change by moving away from a silo approach to a more corporate one. Readiness—where the organization is now and its capacity to adapt—affects how fast and far it will progress. Borrow and use the lessons and practices of change management to foster the will and capacity for change.

For example, consider the concepts and strategies outlined in Changing Management Culture: Models and Strategies to Make It Happen (TBS, March 2003). The paper focusses on modern comptrollership, but its approach is generic and can be applied to any attempt to change management culture in support of modernizing and enhancing excellence in the Public Service. As well, The Conference Board of Canada's report, Integrating Risk Management Through a Change Management Process (2001), shows how change initiatives progress through a series of steps. It describes how change management can be a valuable guide to developing, implementing, and maintaining an integrated risk management program tailored to the organization.

Also recognize that there will be start-up costs (time, attention, training, systems, and communications) until the practice becomes an integral part of departmental planning and business processes.

Risk management is done—well or poorly—throughout organizations whether or not they recognize it.

Today's operating environment demands a systematic and more integrated risk management approach. It is no longer sufficient to manage risk at the individual activity level or in functional silos. Organizations around the world are benefiting from a more comprehensive approach to dealing with all their risks.

Raising Executive Awareness and Discussing Organizational Readiness and Roles

Opening the Risk Dialogue

Initial discussion at the executive table will centre on gaining a common understanding of what integrated risk management is and what it means specifically for the organization. Many departments and agencies are undergoing or have completed a modern comptrollership capacity check,[2] and implementing integrated risk management is likely part of the organizational response or action plan to advance the modern management agenda. Since integrated risk management is to be incorporated into existing decision-making processes, it is important to consider from the beginning how to align it with other corporate initiatives and priorities. Early discussion will also consider factors such as organizational readiness, capacity for change, and senior management roles, including a risk champion, as well as the champion's location and support/resources.

Understanding and Support of Senior Management

The deputy head and senior management set the tone. The engagement of senior managers signals organizational commitment, and their active, continuing support is vital for implementation. They must understand integrated risk management and its potential contribution to achieving corporate objectives. Risk-aware executives understand the key corporate risks and how they are being managed for the organization as a whole and for their areas of responsibility. Risk-aware executives appreciate the interdependencies and connections among the different types of risk—the source and level of control of the risk and the opportunities to innovate within the boundaries of responsible risk-taking.

It will help for senior managers to be familiar with the Integrated Risk Management Framework, as well as risk management reports and guidance developed by the Privy Council Office and the Canadian Centre for Management Development (CCMD). Risk awareness can also be raised by briefings, seminars, and retreats and by formal courses, such as those offered by CCMD.

For information on which to base briefings for the executive team, departmental officials may wish to consult the TBS Risk Management Centre of Expertise about the concepts contained in the IRMF, the thinking around integrated risk management and the state of implementation government-wide. It is also important to seek information from other departments and agencies or other external sources that have similar interests or operating environments.

Assigning a Risk Champion

Executive Leadership—Identifying Key Roles. Strong leadership is essential. The deputy head and senior management risk champion must ensure executive support on the part of leaders at various levels who will legitimize and sanction implementation of integrated risk management with their words and actions. This can be done in many ways as the organization's integrated risk management approach and practice matures.

The chosen risk champion will be an enthusiastic and knowledgeable supporter of integrated risk management. The champion must be able to show how integrated risk management will help executives meet corporate objectives in the short term and better position the organization for the future, as well as how to communicate these benefits broadly. Consider the current level of executive awareness and engagement in integrated risk management and the role senior managers will play in making it come alive by leading, supporting, and communicating progress.

The most effective lead for implementing integrated risk management is certainly at the deputy head level, but it is also common to place the lead in a corporate function at the assistant deputy head level, for example, in the strategic or business planning unit or corporate services branch. The risk champion is not a figurehead. Implementing integrated risk management involves major change requiring significant leadership capacity to show the value of change and inspire enthusiasm and support for a common vision.

Time and effort are needed to gain momentum, provide training for managers and specialists, and establish good tools and processes. Consider an initial investment in start-up to support the champion with appropriate resources, such as time at the executive table, people, and funds. For example, a group of specialists can be formed to provide expertise and promote a systematic approach to the process of integrating risk management. This can begin where the expertise resides (e.g. finance or internal audit) and migrate as appropriate (e.g. to strategic planning). The group can provide direction and co-ordination for integration with corporate planning and priority setting, along with guidance for common processes to set priorities among major risk areas, allocate resources, and conduct a corporate-level environmental scan. Organizations without an internal source of expertise on integrated risk management often collaborate with an external consultant or practitioner.

Creating or Using an Existing Executive Forum Chaired by the Deputy Head

A new or existing executive forum chaired by the deputy head can direct and sustain integrated risk management by considering corporate risk issues, approaches, and performance. Organizations do this by making integrated risk management a key agenda item for an existing committee chaired by the deputy head or by convening the executive committee as a departmental risk management committee. First discussions are an opportunity to get a sense of the senior management team's risk culture and knowledge and for the risk champion to take stock of where alliances can be created and where more work is needed to ensure a common understanding, purpose, and goals. As the organization's practice matures, discussion will move toward implementation strategy and progress in light of the organization's key high-risk areas. The departmental audit committee, in its broad oversight role, could also review departmental risk management strategies and practices.

To support the executive team in its decision-making and advisory roles, larger departments typically create or use an existing department-wide working group (director general, director, or senior officer levels) to propose and advise on corporate approaches, implementation plans, systems, and practices. This is an opportunity to raise awareness in the organization and communicate the importance of the practice, while improving horizontal linkages, enhancing team spirit, and creating collective ownership.

Assessing Organizational Readiness and Roles

Implementation approaches must recognize that the shift to a risk-smart mindset will place demands on a workforce already operating in an environment characterized by considerable competition for change. Assessing readiness is essential if integrated risk management is to be aligned with management initiatives already underway and built on existing systems and processes. It will also contribute to better management of the discomfort inherent in change and can help people go beyond simple compliance and embrace the underlying purpose. (For additional guidance on roles, see Appendix A.) Several factors will be helpful in assessing readiness.

Modern Comptrollership Capacity Check. The capacity check provides a useful assessment across a range of interrelated management initiatives. Use assessment results to align integrated risk management with comptrollership initiatives already underway. It is expected that assessment results, combined with other management reports and performance information, will be used to identify departmental priorities for improvements and to develop action plans to address them. Priorities will vary with departmental circumstances, businesses, client needs, and other considerations.

The Workforce and Organizational Culture. To assess readiness, consider several areas as a starting point; these are considered more fully as implementation progresses. Organizations take into account the current organizational culture for risk management and how the culture needs to change. Consider how employees are going to react and how the organization will help them succeed despite the discomfort of change. This will depend in part on the extent to which risk management is already incorporated into strategic or business planning and operations, for example, whether current plans identify sources of risk and the extent of identification and knowledge of important strategic, operational, and financial risks; staff awareness of and/or capacity to manage the risks; the existence of systems and protocols to respond to potential threats, opportunities, or risk events.

Existing Knowledge and Systems. Consider whether existing committees, systems, and processes can be used (executive and operational committees, planning and reporting processes). Some organizations already have a common risk management language and framework or parts of it. Consider whether people are using a common language and process and build on existing understanding of risk or risk management. It may be helpful to transfer such knowledge and skills. Put the current culture and system to the acid tests: Is risk management factored into policies and advice to ministers? Does failure to address risk management prevent plans from being approved?

Change Management

Integrated risk management (IRM) requires a healthy risk culture, leadership, and innovation. It enhances a proactive climate of problem solving, communication, and risk taking that is essential for the economic growth of an organization. Implementing IRM, however, is not without its growing pains. It requires long-term commitment that involves a strategic and functional overhaul of all policies, processes, and systems, followed by management of its impact on the workforce and corporate performance.

Assessing Readiness for Change

An organization needs to ask fundamental questions and apply strategic assessment tools that will help to assess its general readiness for IRM and build the will to change. The results, in turn, will allow organizations to determine how information will flow into an organization's existing structures.

Integrating Risk Management Through a Change Management Process, The Conference Board of Canada, 2001

Developing and Communicating an Action Plan

Develop and communicate an action plan for implementing integrated risk management. The plan should include organizational context, approach, priorities, desired outcomes and performance measures, activities, responsibilities, and timelines. The implementation approach must suit the organization's culture and be based on an assessment of organizational readiness and roles, with advice from the executive team.

The risk champion leads preparation of the departmental or agency action plan. Since implementation progresses in phases of focussed effort, with each phase providing significant information and requiring key decisions, the plan is updated and detail added as implementation progresses.

In collaboration with the IRMF Implementation Council, TBS has developed the Illustrative Template for Developing Action Plans for Federal Departments and Agencies Implementing the Integrated Risk Management Framework. The template builds on the Modern Comptrollership Action Plan template and is available on the TBS risk management Web site. It proposes an action plan consisting of six sections:

  1. context and background;
  2. approach and priorities;
  3. alignment with the IRMF;
  4. accountability for integrated risk management;
  5. challenges; and
  6. implementation plan time frame.

As outlined in the following paragraphs, the action plan should provide direction, consider the challenges commonly encountered in implementation, and identify the areas where focussing first efforts is most useful.

Consultation and Communication. The risk champion ensures consultation on the action plan and communication of the final plan, as approved by the executive team, throughout the organization. Communication can take many forms and should, at a minimum, outline the vision, objectives, and expectations for integrated risk management implementation. Directions should be consistent with existing decision-making processes and structures and establish and communicate implementation goals (and timelines, where appropriate). Create opportunities for input as documents providing direction are being developed and use a common risk management language and consistent messages in all communications.

Common Challenges. Major challenges identified to date through the experiences of departments and agencies leading implementation fall into three broad categories.

Breaking down Barriers. Many departments' mandates include markedly different areas of responsibility that often operate independently. Departments' ability to restructure, realign, and integrate corporate planning and priority-setting processes is likely to speed up integration of risk management throughout the organization.

Building Bridges. Since departments generally see that their daily business is about managing risk, the challenge is to take what may seem obvious at the program delivery level and translate it into broader organizational management language and thinking. Departments need to encourage intellectual bridges between operational specialists and management specialists on how risk management principles and tools will improve operations.

Staying on Track. Recognizing the potential for unexpected events or demands, departments seek flexible approaches to implementing integrated risk management. The challenge is to stay the course and not lose sight of the ultimate goal.

First Areas of Focus. Organizations beginning integrated risk management find it most useful to focus initial efforts in three areas.

Developing a Corporate Risk Profile. Developing a corporate risk profile is a strong signal of senior management's commitment to establish infrastructure, tools, and processes for managing risk. It sets the stage for good performance measurement, enhanced accountability, and ultimately better management practices. It recognizes the interrelationships that mean that some high-level risks require a horizontal view and solution.

Incorporating Integrated Risk Management into Strategic and Business Planning. Success in establishing an integrated risk management function in the departments leading implementation does not appear to be directly correlated with either organizational size or the location selected for the champion. The risk management message is communicated throughout these organizations through key corporate and strategic planning processes. Business and operational plans, viewed through the lens of integrated risk management, recognize risks, incorporate measures to avoid adverse consequences, and embrace opportunities for innovation.

Building Capacity. Providing tools and training based on the analysis and results of the corporate risk profile is an important way to strengthen risk management capacity and communicate expectations and direction.

Pitfalls to Avoid

  • Reinventing the wheel—much material and advice are available.
  • Imposing or implementing generic models, processes, and systems without ensuring fit with stakeholders—consult and adapt.
  • Depending on outside consultants to do most of the strategic thinking - learn from others but do the work yourself.
  • Working with only a subset of management or functional groups.
  • Excluding people or groups considered difficult.
  • Practising selective hearing and selective thinking.
  • Listing every possible risk or treating all risks as equal. Without links to strategy and priorities, effort can be diverted to creating and reporting on risk lists, rather than managing the risk portfolio most effectively. Worse, top management may think risk is being managed when it is not.
  • Talking about the risks without also talking about the risk response (even if it is not perfect).
  • Attempting to quantify all risks the first time.

[2] An assessment tool known as The Capacity Check is available to departments and agencies to perform a self-assessment of current capabilities relative to modern comptrollership management practices. Risk management is one of seven key areas assessed. This baseline assessment, involving interviews with executives and managers, allows for the identification of priority areas for improvement (e.g. processes, competencies, systems).