Treasury Board of Canada Secretariat
Symbol of the Government of Canada

ARCHIVED - Integrated Risk Management Implementation Guide

Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

2. Establishing an Integrated Risk Management Function—Integrating Risk Management into Existing Decision-making Processes and Reporting

Integrated risk management means establishing appropriate infrastructure by building on what exists.

Expected Results

  • Management direction on risk management is communicated, understood, and applied—vision, policies, and operating principles.
  • Integrated risk management is operationalized through existing decision-making structures: governance, clear roles and responsibilities, and performance reporting.
  • Building capacity—learning plans and tools are developed for use throughout the organization.

This section is about integrating risk management into existing decision-making processes and using what is known about corporate risk and risk tolerance to begin changing the culture.

Under this element of the framework, organizations identify or design appropriate corporate infrastructure to ensure clear communication of risk issues, practices, and procedures throughout the organization. This aligns the corporate risk profile (Element 1) with the organization's overall objectives, vision, strategic direction, and operating practices. Risk management principles are integrated into governance structures and decision-making and reporting systems.

The Fundamentals

Integrating risk management into existing governance structures, decision-making processes, and reporting requires that:

  • risk management be anchored at the deputy head level with senior management commitment;
  • a corporate risk champion or unit be identified;
  • management direction for integrated risk management be communicated; and
  • a corporate risk profile be developed.

Integrated risk management becomes a key agenda item for executive committees, helping to communicate senior management commitment throughout the organization. Demonstrating executive commitment promotes staff engagement at all levels in a risk management culture and helps ensure a common understanding of what integrated risk management entails. Leading by example, senior managers raise awareness and communicate the importance of the practice, while improving horizontal linkages, enhancing team spirit, and creating collective ownership. This helps sustain integrated risk management when corporate-wide risk issues, approaches, and performance are considered.

The deputy head and risk champion must ensure support by managers at various levels who will legitimize and sanction implementation of integrated risk management with their words and actions. The champion speaks authoritatively about integrated risk management in the context of achieving corporate objectives and is an enthusiastic and knowledgeable supporter. The champion will be most effective by leading, supporting, and broadly communicating benefits and reporting progress.

The corporate risk profile (Element 1) provides fundamental guidance for establishing an integrated risk management function. A key component of the profile is the assessment of the readiness of the organization's governance, decision-making and accountability structures, and mechanisms. The profile allows senior management to make strategic plans for expanding capacity in terms of human resources, tools, and processes at both the corporate and the local level.

How to Do It

Clarifying who, what, and how is the first step in creating the groundwork for integrated risk management. Four key actions are involved in establishing the function and integrating risk management into existing decision-making systems:

  • establish a corporate focus for risk management;
  • communicate corporate direction for risk management;
  • integrate risk management into existing decision-making structures; and
  • build organizational capacity.

Establish a Corporate Focus for Risk Management

Integrated risk management requires a corporate focus, whether an existing structure or a new one. The groundwork may have been laid in action plans for getting started and in developing the corporate risk profile. The following steps can help establish a corporate focus for risk management.

Designate an Executive Forum to Direct and
Sustain Integrated Risk Management

Integrated risk management should be placed under the guidance of an executive forum chaired by the deputy head. Direction at this level is critical in ensuring that corporate risk issues and approaches are integrated with planning, Decision-making, and performance measurement. This forum could be an existing committee, such as the executive committee or another organization-wide executive committee convened for the express purpose of corporate risk management. Alternatively, a new integrated risk management forum could be set up to steer implementation initially and, as the practice matures, guide corporate strategy for risk management and innovative thinking.

One or more working groups should also be established to support the executive forum with cross-functional and organizational analyses of corporate risk issues.

Identify Resources as an Initial Investment

Departments that have made substantial progress in implementing integrated risk management have recognized the need for an initial investment of dedicated resources. This has usually entailed reprofiling resources to cover the costs of gearing up. It takes time and effort to gain momentum, train managers and specialists, and establish good tools and processes. In the longer run, integrated risk management should be resource-neutral; this initial investment sets the process in motion and signals the degree of commitment in the organization.

Designate and Support a Corporate Risk Champion

Designating an effective champion, ideally at the deputy head level, was identified as a fundamental step in initiating integrated risk management. The lead is also commonly assigned to a corporate function at the assistant deputy head level, for example, in the strategic and business planning unit or corporate services branch. The risk champion has a crucial role in creating and sustaining the shift to a risk-smart corporate culture. At this early stage, personal interest and natural fit with an existing corporate role might be relevant selection criteria; knowledge and enthusiasm in communicating the message are also important.

The corporate risk champion should be supported with appropriate resources; this might include specialists to provide expertise on and a systematic approach to the process of integrating risk management. The champion will also need time at the executive table to sustain the focus on integrating risk management as a priority in the organization's culture.

Select the Corporate Focal Point

The focal point selected initially will usually be where the expertise resides. While a number of departments are being supported by their internal audit unit in the implementation of integrated risk management, the responsibility and accountability for implementation nonetheless remains with management. This recognizes the need for departmental internal auditors to maintain objectivity and provide independent advice and assurance on the effectiveness of integrated risk management within their organization. It is not uncommon for the focal point to migrate subsequently to areas such as strategic planning, as the function matures and integrated risk management becomes ingrained in corporate planning and priority-setting processes. Regardless of location, it will be important to build linkages between the focal point and existing centres of functional expertise throughout the organization.

Communicate Corporate Direction for Risk Management

To create a culture in which all employees value risk management, senior management commitment and vision must be communicated throughout the organization.

Develop guidance tools

Overall direction on integrated risk management requires written guidance—a policy, framework, or operating principles to tailor the approach to the particular needs of the organization's operating environment. Guidance can be communicated by developing a departmental or agency risk management policy or framework or by updating existing corporate policies. In either case, it will be important to outline clear roles and responsibilities, accountability lines and mechanisms for reporting on performance. An integrated risk management policy or framework enables individual units to build risk management into their day-to-day operations.

Build a network of local change sponsors or risk champions

Policies and frameworks are fundamental tools to ready an organization for integrated risk management, but it is the people in the organization that make the practice work. Empowering individuals in operational areas as leaders or local risk champions—and connecting them through a working group to share experiences and deal with common implementation issues—will help ensure success in establishing the function.

This network of interested individuals can assist senior management in developing work plans that reflect a corporate perspective on risk-related issues. It is also an appropriate channel for communicating implementation concepts and timing throughout the organization.

Integrate Risk Management into
Existing Decision-making Structures

A critical aspect of successful implementation is weaving integrated risk management seamlessly into existing departmental processes—annual corporate planning, performance reporting, and training development and delivery must all be risk-attuned.

Aligning risk management vision and objectives with corporate objectives and strategic direction helps make risk management meaningful and relevant to all employees. As implementation progresses, individuals should come to understand managing risk as part of their daily work, not something superimposed on their usual activities. Acceptance of the concepts of integrated risk management will be commensurate with the extent that the organization has been successful in establishing and using common risk terminology in corporate tools and documentation.

Throughout the strategic planning process, the risk champion or specialist group should act as a catalyst in guiding both the process and the officials involved. Corporate planners must drive the process by integrating risk awareness and thinking to support senior managers in carrying out corporate-wide planning, priority setting, and resource allocation.

Build Organizational Capacity

Just as risk management must be integrated with existing processes, so must organizational capacity for practising it be built on what exists. The corporate risk profile provides a baseline assessment of organizational capacity. Continued environmental scanning will reveal changes in the profile that require further enhancement of risk management skills, processes, and practices.

Assessing and building on existing capacity helps tailor the approach to deal with the department's or agency's specific situation and risk exposure. Guidance and advice can be sought as required from the TBS Centre of Expertise and through liaison with other federal organizations to share their lessons learned.

Human Resources

The IRMF identifies four principal areas that may require attention in building human resources capacity:

  • building awareness of risk management initiatives and culture;
  • broadening the skills base through formal training (including appropriate applications and tools);
  • increasing the knowledge base by sharing best practices and experiences; and
  • building capacity, capabilities, and skills to work in teams.
Tools and Processes

Similarly, the IRMF outlines how risk management tools and processes can enhance capacity:

  • developing and adopting corporate risk management tools, techniques, practices, and processes;
  • providing guidance on the application of tools and techniques;
  • allowing for the development and/or use of alternative tools and techniques that might be better suited to managing risk in specialized applications; and
  • adopting processes to ensure integration of risk management across the organization.

The section on Element 3 (Practising Integrated Risk Management) provides more detail on the range of tools departments and agencies are using.

Proven tools from IRMF implementation leaders

  • Use brainstorming sessions, scenario-playing, and focus groups.
  • Develop frameworks to communicate strategic risk management direction.
  • Hold regular meetings of formal and informal committees to discuss corporate risks and mitigation strategies.
  • Incoporate risk management into corporate-level priority setting and resource allocation.
  • Drive risk management down through the organization by incorporating risk management expectations into key performance indicators, employee performance agreements, and work descriptions. the organization.

Questions to Consider

  1. Is there a designated departmental risk champion or unit to oversee the implementation of integrated risk management?
  2. Is risk management communicated, understood, and applied throughout organizational processes? Is risk management integrated into existing governance and decision-making structures and performance-reporting systems? Have risk assessments been conducted for proposed business process or program innovations?
  3. Have control and accountability systems been adapted to account for risk management processes? Have key performance indicators and critical success factors been identified and included in departmental reports? Does reporting on risk and risk management take place through existing management processes (e.g. performance reporting, ongoing monitoring, appraisals, internal auditing)?
  4. Is there sufficient capacity to manage risk within the organization? Has the department put in place effective initiatives to build risk management awareness? Have employee workshops been run to disseminate risk management knowledge and techniques? Do the managers make use of knowledgeable resources in the types of issues they are facing?


Important lessons can be learned from the experiences of lead departments and agencies that belong to the IRMF Implementation Council.

Management Direction and Commitment

One department drafted a framework for integrated risk management, as well as an implementation plan and an action plan with strong support from the deputy minister. The approach was developed through extensive interviews and discussions across the organization, including a half-day workshop on risk with the deputy and senior executive committee. The deputy was personally involved in the risk assessment exercise and ensured that it was treated as an organizational priority.

Success Factors

One lead department has identified eight factors that contributed to its success in establishing an integrated risk management function:

  1. Create a supportive environment.
  2. Ensure commitment to the IRM concept.
  3. Have a designated group of specialists.
  4. Be prepared to make the necessary initial investment in integrated risk management infrastructure.
  5. There must be clear but distributed responsibility for integrated risk management.
  6. The organization must have senior management reporting requirements.
  7. Ensure appropriate corporate planning and priority-setting processes.
  8. Implementation of the integrated risk management function should be scalable.

Working Groups

One department established an ADM-level departmental risk committee with the deputy minister's approval. As well, a risk management working group was established at the management level with representation from all sectors. Its principal mandate is to foster organization-wide risk awareness and attentiveness, to promote achievement of a risk-smart organization, and to train local champions within business lines. The working group gives sectors a forum for discussion; advises on initiatives to develop a department-wide risk program; makes recommendations to the departmental risk committee; and shares lessons learned and informs sectors of risk management activities.

Advisory Committee on the Management of Risk

Another organization established a department-wide advisory committee to provide support and guidance on the general direction of the risk management initiative. The committee's goal is to facilitate more systematic application of risk management where warranted by decisions involving high costs and/or high impacts. Committee members share lessons learned and information about risk management activities in their areas.

Transition from Audit to Corporate Planning

One organization established a mechanism to integrate risk management with corporate planning and priority setting. The risk management function was located initially in the audit and evaluation area and later reassigned to corporate planning once dedicated resources were made available, demonstrating the commitment of the risk champion.

Additional examples of success in establishing an integrated risk management function are available from the TBS Centre of Expertise.