Integrated risk management means establishing appropriate infrastructure by building on what exists.
This section is about integrating risk management into existing decision-making processes and using what is known about corporate risk and risk tolerance to begin changing the culture.
Under this element of the framework, organizations identify or design appropriate corporate infrastructure to ensure clear communication of risk issues, practices, and procedures throughout the organization. This aligns the corporate risk profile (Element 1) with the organization's overall objectives, vision, strategic direction, and operating practices. Risk management principles are integrated into governance structures and decision-making and reporting systems.
Integrating risk management into existing governance structures, decision-making processes, and reporting requires that:
Integrated risk management becomes a key agenda item for executive committees, helping to communicate senior management commitment throughout the organization. Demonstrating executive commitment promotes staff engagement at all levels in a risk management culture and helps ensure a common understanding of what integrated risk management entails. Leading by example, senior managers raise awareness and communicate the importance of the practice, while improving horizontal linkages, enhancing team spirit, and creating collective ownership. This helps sustain integrated risk management when corporate-wide risk issues, approaches, and performance are considered.
The deputy head and risk champion must ensure support by managers at various levels who will legitimize and sanction implementation of integrated risk management with their words and actions. The champion speaks authoritatively about integrated risk management in the context of achieving corporate objectives and is an enthusiastic and knowledgeable supporter. The champion will be most effective by leading, supporting, and broadly communicating benefits and reporting progress.
The corporate risk profile (Element 1) provides fundamental guidance for establishing an integrated risk management function. A key component of the profile is the assessment of the readiness of the organization's governance, decision-making and accountability structures, and mechanisms. The profile allows senior management to make strategic plans for expanding capacity in terms of human resources, tools, and processes at both the corporate and the local level.
Clarifying who, what, and how is the first step in creating the groundwork for integrated risk management. Four key actions are involved in establishing the function and integrating risk management into existing decision-making systems:
Integrated risk management requires a corporate focus, whether an existing structure or a new one. The groundwork may have been laid in action plans for getting started and in developing the corporate risk profile. The following steps can help establish a corporate focus for risk management.
Integrated risk management should be placed under the guidance of an executive forum chaired by the deputy head. Direction at this level is critical in ensuring that corporate risk issues and approaches are integrated with planning, decision-making, and performance measurement. This forum could be an existing committee, such as the executive committee or another organization-wide executive committee convened for the express purpose of corporate risk management. Alternatively, a new integrated risk management forum could be set up to steer implementation initially and, as the practice matures, guide corporate strategy for risk management and innovative thinking.
One or more working groups should also be established to support the executive forum with cross-functional and organizational analyses of corporate risk issues.
Departments that have made substantial progress in implementing integrated risk management have recognized the need for an initial investment of dedicated resources. This has usually entailed reprofiling resources to cover the costs of gearing up. It takes time and effort to gain momentum, train managers and specialists, and establish good tools and processes. In the longer run, integrated risk management should be resource-neutral; this initial investment sets the process in motion and signals the degree of commitment in the organization.
Designating an effective champion, ideally at the deputy head level, was identified as a fundamental step in initiating integrated risk management. The lead is also commonly assigned to a corporate function at the assistant deputy head level, for example, in the strategic and business planning unit or corporate services branch. The risk champion has a crucial role in creating and sustaining the shift to a risk-smart corporate culture. At this early stage, personal interest and natural fit with an existing corporate role might be relevant selection criteria; knowledge and enthusiasm in communicating the message are also important.
The corporate risk champion should be supported with appropriate resources; this might include specialists to provide expertise on and a systematic approach to the process of integrating risk management. The champion will also need time at the executive table to sustain the focus on integrating risk management as a priority in the organization's culture.
The focal point selected initially will usually be where the expertise resides. While a number of departments are being supported by their internal audit unit in the implementation of integrated risk management, the responsibility and accountability for implementation nonetheless remains with management. This recognizes the need for departmental internal auditors to maintain objectivity and provide independent advice and assurance on the effectiveness of integrated risk management within their organization. It is not uncommon for the focal point to migrate subsequently to areas such as strategic planning, as the function matures and integrated risk management becomes ingrained in corporate planning and priority-setting processes. Regardless of location, it will be important to build linkages between the focal point and existing centres of functional expertise throughout the organization.
To create a culture in which all employees value risk management, senior management commitment and vision must be communicated throughout the organization.
Overall direction on integrated risk management requires written guidance—a policy, framework, or operating principles to tailor the approach to the particular needs of the organization's operating environment. Guidance can be communicated by developing a departmental or agency risk management policy or framework or by updating existing corporate policies. In either case, it will be important to outline clear roles and responsibilities, accountability lines and mechanisms for reporting on performance. An integrated risk management policy or framework enables individual units to build risk management into their day-to-day operations.
Policies and frameworks are fundamental tools to ready an organization for integrated risk management, but it is the people in the organization that make the practice work. Empowering individuals in operational areas as leaders or local risk champions—and connecting them through a working group to share experiences and deal with common implementation issues—will help ensure success in establishing the function.
This network of interested individuals can assist senior management in developing work plans that reflect a corporate perspective on risk-related issues. It is also an appropriate channel for communicating implementation concepts and timing throughout the organization.
A critical aspect of successful implementation is weaving integrated risk management seamlessly into existing departmental processes—annual corporate planning, performance reporting, and training development and delivery must all be risk-attuned.
Aligning risk management vision and objectives with corporate objectives and strategic direction helps make risk management meaningful and relevant to all employees. As implementation progresses, individuals should come to understand managing risk as part of their daily work, not something superimposed on their usual activities. Acceptance of the concepts of integrated risk management will be commensurate with the extent to which the organization has been successful in establishing and using common risk terminology in corporate tools and documentation.
Throughout the strategic planning process, the risk champion or specialist group should act as a catalyst in guiding both the process and the officials involved. Corporate planners must drive the process by integrating risk awareness and thinking to support senior managers in carrying out corporate-wide planning, priority setting, and resource allocation.
Just as risk management must be integrated with existing processes, so must organizational capacity for practising it be built on what exists. The corporate risk profile provides a baseline assessment of organizational capacity. Continued environmental scanning will reveal changes in the profile that require further enhancement of risk management skills, processes, and practices.
Assessing and building on existing capacity helps tailor the approach to deal with the department's or agency's specific situation and risk exposure. Guidance and advice can be sought as required from the TBS Centre of Expertise and through liaison with other federal organizations to share their lessons learned.
The IRMF identifies four principal areas that may require attention in building human resources capacity:
Similarly, the IRMF outlines how risk management tools and processes can enhance capacity:
The section on Element 3 (Practising Integrated Risk Management) provides more detail on the range of tools departments and agencies are using.
Important lessons can be learned from the experiences of lead departments and agencies that belong to the IRMF Implementation Council.
One department drafted a framework for integrated risk management, as well as an implementation plan and an action plan with strong support from the deputy minister. The approach was developed through extensive interviews and discussions across the organization, including a half-day workshop on risk with the deputy and senior executive committee. The deputy was personally involved in the risk assessment exercise and ensured that it was treated as an organizational priority.
One lead department has identified eight factors that contributed to its success in establishing an integrated risk management function:
One department established an ADM-level departmental risk committee with the deputy minister's approval. As well, a risk management working group was established at the management level with representation from all sectors. Its principal mandate is to foster organization-wide risk awareness and attentiveness, to promote achievement of a risk-smart organization, and to train local champions within business lines. The working group gives sectors a forum for discussion; advises on initiatives to develop a department-wide risk program; makes recommendations to the departmental risk committee; and shares lessons learned and informs sectors of risk management activities.
Another organization established a department-wide advisory committee to provide support and guidance on the general direction of the risk management initiative. The committee's goal is to facilitate more systematic application of risk management where warranted by decisions involving high costs and/or high impacts. Committee members share lessons learned and information about risk management activities in their areas.
One organization established a mechanism to integrate risk management with corporate planning and priority setting. The risk management function was located initially in the audit and evaluation area and later reassigned to corporate planning once dedicated resources were made available, demonstrating the commitment of the risk champion.
Additional examples of success in establishing an integrated risk management function are available from the TBS Centre of Expertise.