Practise integrated risk management up, down, and across the organization for a full picture in a way that makes sense for the organization.
Organizations practise integrated risk management to improve achievement of their objectives and to generate better information for decisions. It is essential, therefore, to link risk management directly with achieving objectives at every level of the organization. If risk management does not appear to be helping decision-making, it might come to be seen as an additional administrative requirement that can be ignored.
This section is about integrating the practice of risk management throughout an organization within the guiding framework, philosophy, and practices the organization has established. Local risk management thinking and practices must inform and be informed by the integrated view—the key risk areas and mitigating strategies identified in the corporate risk profile. To specialist groups well versed in managing specific local risks, it may seem at first that introducing integrated risk management changes little. Over time, however, the evolving context for their work will change information flows into and out of the broader picture. This in turn will influence local work and behaviour as interrelationships become apparent, individual and collective benefits accrue, and individuals see the value of their own contribution. Responsibility and accountability will also be clarified and improved.
The common risk management process reproduced in Appendix B can be adopted or adapted for identification, assessment, response to, and monitoring and evaluation of key, high-level risks linked to the achievement of corporate objectives, as well as for risks at all other levels of an organization. Emphasis on various points in the process may vary, as may the type, rigour, or extent of actions considered, but the basic steps are similar.
The practice of integrated risk management involves top-down direction (setting objectives and results) and bottom-up risk assessment (ranking and aggregating risks).
The logical, commonsense, and intuitive nature of the process allows this to occur smoothly as long as there is sustained commitment from employees, with direction from senior management. Hence, organizations will be ready to practise integrated risk management when the corporate culture has achieved the following:
Once the corporate risks are known and the infrastructure has been identified and mobilized, the key actions for practising integrated risk management are to:
Practising integrated risk management begins with top-down direction to put the organizational approach into practice—the policy or framework, objectives, operating principles, common language, and process approved by senior management. The organizational approach has been broadly tailored to fit the organization, based on the key risk areas, mitigating strategies, and capacity strengths and gaps identified in the corporate risk profile. The risk champion or specialist group now provides implementation advice about how and when to introduce and practise integrated risk management and co-ordinates its implementation.
When working well in mature practice, integrated risk management is seamless. For initial implementation, it helps to think of three levels of practice: corporate (organization-wide, highest level), business line (major functional area or unit), and all other areas (programs, major projects, activities, and processes). Some approaches characterize these levels as strategic, management, and operational or use other terms suited to their situation. Some organizations may include additional levels or categories; for example, they may consider programs and major projects separately.
No matter what terms are used, organizations find a layered perspective useful in describing and carrying out integrated risk management. At the highest corporate level, risk management results and key corporate risks are aggregated in the corporate risk profile to inform an organization-wide strategy for managing risk to achieve corporate objectives. The corporate risk profile generally derives from business line risk profiles developed at the next level below the corporate level, that is, in branches and functional units, typically led by assistant deputy ministers or, in smaller departments and agencies, directors general or executive directors. The third or operational level is the lowest level of risk assessment and aggregation. Results from this level are fed into business line and corporate risk profiles. People working at the operational level know their operations and risks best and are positioned to take any action required. Their involvement and input are therefore essential in gaining access to their knowledge, ownership, and action.
Promote use of the common language, framework, and process the organization chose when establishing the integrated risk management function (see Element 2 and Appendix B). This means using the organization's risk terminology consistently in corporate policy, planning, and reporting documents and in upward reporting and horizontal sharing of local risk management results. Specialists do not have to abandon their professional or scientific risk terminologies, but they should use the organization's common language in presenting or feeding their results into the corporate view so that results are meaningful and useful across business lines. Better communication and understanding increase the value of one unit's work to other units and reveal links or the previously unrecognized need for links.
The risk management specialist or working group and local change sponsors work with or advise managers to ensure appropriate fit of the process with particular local requirements.
Ensure that all levels of the organization actually use risk management concepts in their decision-making and reporting in order to increase the linkages between workload, resource allocation, and risk across the organization.
The risk champion or specialist group provides overall direction and co-ordination for integrating risk management with corporate planning and priority setting. Use the risk management committee or working group as a sounding board and information source.
Local risk champions or change sponsors lead and facilitate alignment throughout the organization, working to make the important micro-level changes to all policies and local procedures, daily activities, processes, and systems.
Decision makers and specialists have distinct roles in implementing integrated risk management: decision makers need to understand their responsibilities and place a premium on integrated analysis and advice, while specialists must understand operations and provide relevant and credible information and analysis. To ensure that the right information is available at the right time for value-based, results-oriented decisions, information must be brought together from many sources; this in turn requires partnership between specialists and decision makers.
Management of risk, like comptrollership, is a mindset. Managers should be conscious of risk management and integrate it with their other management practices. Risk management will be more relevant to the extent that overly bureaucratic and complex processes are avoided. Managers need flexibility to use techniques that make sense for them and their operations. However, techniques must allow for roll-up and comparison of operating unit results at the corporate level.
The accompanying diagram was adapted from an approach used by Indian and Northern Affairs Canada. It illustrates the point that risk management in general and the application of the decision-making process in particular do not occur in isolation. They take place in the context of and can inform and be informed by continuing operational activities at all levels of the organization.
Individual Factors: elements of an individual's experience, personality, background, and preferences that affect his or her propensity to take risks
Group Factors: how others in the immediate situation can affect an individual's willingness to take a risk
Organizational Factors: the direct and indirect messages an organization sends its members about the ground rules for risk taking in general
Environmental Factors: the elements outside the organization that have a stake in or an impact on a particular risk decision or risk taking in general
Enable people to practise risk management locally in a way that informs and is informed by organization-wide integrated risk management.
The organization should ensure that all staff have adequate training, access to proven tools for risk management, and a clear understanding of common risk management language to facilitate communication. The terminology must balance clarity with usefulness to ensure that tools are easy to understand and use. Key tools include risk maps and modelling tools.
A risk management model (such as the IRMF model reproduced in Appendix C) can be used to assess where a particular risk falls in terms of likelihood (low, medium, high) and impact (significant, moderate, minor). The results of the risk assessment help determine the risks of highest importance. The model can also be used to ascertain or facilitate discussion of risk tolerance by establishing a zone defining acceptable and unacceptable risk. Finally, the model can be used to present a summary map of risks—plotting each risk's likelihood and impact—for purposes of comparison or ranking.
Using a common approach not only facilitates the process but supports comparability when results are aggregated and considered at the corporate level.
Approaches and methods that are easy to understand are more likely to be used correctly. Consider existing tools or those available from professional associations; employees may already be familiar with them or find them useful in other contexts.
The deputy head, risk champion, and senior managers need to provide continuing support for managing the key risks identified in the corporate risk profile and keeping the profile current. These leaders should visibly encourage the practice of risk management and information sharing across business lines and functional units.
Support from senior leaders should include collective executive-level discussion of corporate risks and strategies and monitoring of and input into strategic and business planning and performance reporting. The extent to which senior leaders model the principles of risk management sets the tone for a sustained integrated risk management culture throughout the organization.
Develop and implement a communications strategy, monitor results, and adjust accordingly. For example, the risk champion and local change sponsors should establish regular information feedback loops with all units and areas and promote opportunities to share risk management information across disciplines and functions. Set up information tools (intranet sites, newsletters) to share risk management techniques, tools, and information. Encourage and track the number of risk management forums or workshops held and whether sessions have identified risks, proposed mitigation strategies, and discussed best practices. Conduct periodic surveys to determine whether all staff are aware of key risks, risk escalation procedures, and contingency plans. Have there been timely, useful stakeholder consultations with respect to risk management and have consultation processes been consistent with the Communications Policy of the Government of Canada?
Appendix D provides sample templates for identifying, assessing, recording, and reporting risk information. Additional examples are available on or through links at the TBS Web site and more will be added as they become available.