Treasury Board of Canada Secretariat


ARCHIVED - Integrated Risk Management Implementation Guide



Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

 

3. Practising Integrated Risk Management

Practise integrated risk management up, down, and across the organization for a full picture in a way that makes sense for the organization.

Expected Results

  • A departmental risk management process is applied consistently at all levels so that risks are understood, managed, and communicated.
  • Results of risk management practices at all levels are integrated into informed decision making and priority setting—strategic, operational, management, and performance reporting.
  • Tools and methods are applied as aids to decision making.
  • Consultation and communication with stakeholders is ongoing—internal and external.

Organizations practise integrated risk management to improve achievement of their objectives and to generate better information for decisions. It is essential, therefore, to link risk management directly with achieving objectives at every level of the organization. If risk management does not appear to be helping decision making, it might come to be seen as an additional administrative requirement that can be ignored.

This section is about integrating the practice of risk management throughout an organization within the guiding framework, philosophy, and practices the organization has established. Local risk management thinking and practices must inform and be informed by the integrated view—the key risk areas and mitigating strategies identified in the corporate risk profile. To specialist groups well versed in managing specific local risks, it may seem at first that introducing integrated risk management changes little. Over time, however, the evolving context for their work will change information flows into and out of the broader picture. This in turn will influence local work and behaviour as interrelationships become apparent, individual and collective benefits accrue, and individuals see the value of their own contribution. Responsibility and accountability will also be clarified and improved.

The common risk management process reproduced in Appendix B can be adopted or adapted for identification, assessment, response to, and monitoring and evaluation of key, high-level risks linked to the achievement of corporate objectives, as well as for risks at all other levels of an organization. Emphasis on various points in the process may vary, as may the type, rigour, or extent of actions considered, but the basic steps are similar.

The Fundamentals

The practice of integrated risk management involves top-down direction (setting objectives and results) and bottom-up risk assessment (ranking and aggregating risks).

The logical, commonsense, and intuitive nature of the process allows this to occur smoothly as long as there is sustained commitment from employees, with direction from senior management. Hence, organizations will be ready to practise integrated risk management when the corporate culture has achieved the following:

  • a corporate-wide focus for risk management has been established;
  • the direction for risk management has been communicated to all levels and the seeds have been sown for risk-smart thinking;
  • corporate decision-making structures and processes have incorporated risk management in a seamless fashion; and
  • sufficient capacity has been achieved as a result of developing and providing the necessary guidance, tools, and staff training for integrated risk management.

How to Do It

Once the corporate risks are known and the infrastructure has been identified and mobilized, the key actions for practising integrated risk management are to:

  • engage the whole organization;
  • enable people with tools and techniques;
  • sustain a supportive culture and processes; and
  • consult and communicate throughout the process.

Characteristics of Good Risk Management

  • Risk management consistently questions assumptions.
  • Risk management requires a multi-disciplinary approach and is nourished by cross-pollination; boundaries are the enemy of good risk management.
  • It is essential to get the incentives right—to encourage desired and discourage unwanted practices and behaviours.

Engage the Whole Organization

Top-Down Direction, Bottom-Up Assessment—Building on What Exists

Practising integrated risk management begins with top-down direction to put the organizational approach into practice—the policy or framework, objectives, operating principles, common language, and process approved by senior management. The organizational approach has been broadly tailored to fit the organization, based on the key risk areas, mitigating strategies, and capacity strengths and gaps identified in the corporate risk profile. The risk champion or specialist group now provides implementation advice about how and when to introduce and practise integrated risk management and co-ordinates its implementation.

When working well in mature practice, integrated risk management is seamless. For initial implementation, it helps to think of three levels of practice: corporate (organization-wide, highest level), business line (major functional area or unit), and all other areas (programs, major projects, activities, and processes). Some approaches characterize these levels as strategic, management, and operational or use other terms suited to their situation. Some organizations may include additional levels or categories; for example, they may consider programs and major projects separately.

No matter what terms are used, organizations find a layered perspective useful in describing and carrying out integrated risk management. At the highest corporate level, risk management results and key corporate risks are aggregated in the corporate risk profile to inform an organization-wide strategy for managing risk to achieve corporate objectives. The corporate risk profile generally derives from business line risk profiles developed at the next level below the corporate level, that is, in branches and functional units, typically led by assistant deputy ministers or, in smaller departments and agencies, directors general or executive directors. The third or operational level is the lowest level of risk assessment and aggregation. Results from this level are fed into business line and corporate risk profiles. People working at the operational level know their operations and risks best and are positioned to take any action required. Their involvement and input are therefore essential in gaining access to their knowledge, ownership, and action.

Use Common Language, Framework, and Process

Promote use of the common language, framework, and process the organization chose when establishing the integrated risk management function (see Element 2 and Appendix B). This means using the organization's risk terminology consistently in corporate policy, planning, and reporting documents and in upward reporting and horizontal sharing of local risk management results. Specialists do not have to abandon their professional or scientific risk terminologies, but they should use the organization's common language in presenting or feeding their results into the corporate view so that results are meaningful and useful across business lines. Better communication and understanding increase the value of one unit's work to other units and reveal links or the previously unrecognized need for links.

The risk management specialist or working group and local change sponsors work with or advise managers to ensure appropriate fit of the process with particular local requirements.

Integrate Risk Management into Practices at all Levels

Ensure that all levels of the organization actually use risk management concepts in their decision making and reporting in order to increase the linkages between workload, resource allocation, and risk across the organization.

The risk champion or specialist group provides overall direction and co-ordination for integrating risk management with corporate planning and priority setting. Use the risk management committee or working group as a sounding board and information source.

Local risk champions or change sponsors lead and facilitate alignment throughout the organization, working to make the important micro-level changes to all policies and local procedures, daily activities, processes, and systems.

  • Consider risk management in developing organization-wide policies, plans, and priorities.
  • Encourage people to assess the ripple effect of their work.
  • Feed integrated risk management plans and results into corporate planning and priority-setting processes.
  • Functional units (branches, divisions) should incorporate risk management into programs and major initiatives.
  • Define what risk means in terms of managers' roles and accountabilities (e.g. conducting a risk assessment before major decisions, integrating risk assessments into business case analyses).
  • Build risk assessment and response into local business plans at the activity, division, and regional level.
  • Use new accountability mechanisms such as Risk-Based Audit Frameworks and Results-Based Management and Accountability Frameworks to help build risk management into planning.
  • Ensure synergy between overall departmental risk management strategy and local risk management practices.

Decision makers and specialists have distinct roles in implementing integrated risk management: decision makers need to understand their responsibilities and place a premium on integrated analysis and advice, while specialists must understand operations and provide relevant and credible information and analysis. To ensure that the right information is available at the right time for value-based, results-oriented decisions, information must be brought together from many sources; this in turn requires partnership between specialists and decision makers.

Management of risk, like comptrollership, is a mindset. Managers should be conscious of risk management and integrate it with their other management practices. Risk management will be more relevant to the extent that overly bureaucratic and complex processes are avoided. Managers need flexibility to use techniques that make sense for them and their operations. However, techniques must allow for roll-up and comparison of operating unit results at the corporate level.

The accompanying diagram was adapted from an approach used by Indian and Northern Affairs Canada. It illustrates the point that risk management in general and the application of the decision-making process in particular do not occur in isolation. They take place in the context of and can inform and be informed by continuing operational activities at all levels of the organization.

Image of embedded circles representing different risk management factors. From innermost to outermost circle, the factors are: Individual, Group, Organizational, Environmental.

Individual Factors: elements of an individual's experience, personality, background, and preferences that affect his or her propensity to take risks

Group Factors: how others in the immediate situation can affect an individual's willingness to take a risk

Organizational Factors: the direct and indirect messages an organization sends its members about the ground rules for risk taking in general

Environmental Factors: the elements outside the organization that have a stake in or an impact on a particular risk decision or risk taking in general

Knowledge Management

  • Is core knowledge captured and related to strategic priorities and linked to key risk areas?
  • Is there timely access to the "people in the know" for better re-use and creation of knowledge?
  • Is technology used to maximize flow and know-how?
  • Is there a culture of trust that supports the sharing of knowledge with knowledge associates and senior champions?
  • Is knowledge management supported by a learning and teaching environment?
Dawn Nicholson-O'Brien, Senior Visiting Fellow on Knowledge Creation and Innovation, CCMD

Enable People

Enable people to practise risk management locally in a way that informs and is informed by organization-wide integrated risk management.

Tools and Techniques

The organization should ensure that all staff have adequate training, access to proven tools for risk management, and a clear understanding of common risk management language to facilitate communication. The terminology must balance clarity with usefulness to ensure that tools are easy to understand and use. Key tools include risk maps and modelling tools.

A risk management model (such as the IRMF model reproduced in Appendix C) can be used to assess where a particular risk falls in terms of likelihood (low, medium, high) and impact (significant, moderate, minor). The results of the risk assessment help determine the risks of highest importance. The model can also be used to ascertain or facilitate discussion of risk tolerance by establishing a zone defining acceptable and unacceptable risk. Finally, the model can be used to present a summary map of risks—plotting each risk's likelihood and impact—for purposes of comparison or ranking.

Using a common approach not only facilitates the process but supports comparability when results are aggregated and considered at the corporate level.

Approaches and methods that are easy to understand are more likely to be used correctly. Consider existing tools or those available from professional associations; employees may already be familiar with them or find them useful in other contexts.

Sustain a Supportive Culture and Processes

Active Leadership of the Deputy Head, Executive Team, and Risk Champion

The deputy head, risk champion, and senior managers need to provide continuing support for managing the key risks identified in the corporate risk profile and keeping the profile current. These leaders should visibly encourage the practice of risk management and information sharing across business lines and functional units.

Support from senior leaders should include collective executive-level discussion of corporate risks and strategies and monitoring of and input into strategic and business planning and performance reporting. The extent to which senior leaders model the principles of risk management sets the tone for a sustained integrated risk management culture throughout the organization.

Successful Practitioners:

  • take people and how they behave into account;
  • ensure people have the right skills and characteristics for the job and project—pushing people into jobs they are not qualified to do costs time, money, effort and reputation;
  • start small, if necessary, to ensure early successes; the practice will grow when its value is seen.

Consult and Communicate

Tell People about Risk Management Practices

Develop and implement a communications strategy, monitor results, and adjust accordingly. For example, the risk champion and local change sponsors should establish regular information feedback loops with all units and areas and promote opportunities to share risk management information across disciplines and functions. Set up information tools (intranet sites, newsletters) to share risk management techniques, tools, and information. Encourage and track the number of risk management forums or workshops held and whether sessions have identified risks, proposed mitigation strategies, and discussed best practices. Conduct periodic surveys to determine whether all staff are aware of key risks, risk escalation procedures, and contingency plans. Have there been timely, useful stakeholder consultations with respect to risk management and have consultation processes been consistent with the Communications Policy of the Government of Canada?

Questions to Consider

  1. Has the organization adopted a common process for risk management? Is there a common understanding of risk and risk management in the organization? Is a common risk management language being used?
  2. How are risk management tools and methods being applied to decision-making? What risk management tool kits are available (e.g. checklists, maps, electronic questionnaires, and best practices)? Do they make use of existing guidance, such as the Values and Ethics Code for the Public Service (2003)? Are they being used effectively and consistently? Have scenario analysis and/or forecasting models been used to understand various scenarios relating to business and contingency planning?
  3. Do all business and operational plans consider risks and incorporate measures to mitigate those risks and/or to maximize opportunities? Are systems and processes in place to monitor risks and the effectiveness of risk mitigation strategies? Is management accountable for risks and risk management processes?
  4. Are processes in place to support regular communication with stakeholders on risks, risk perception, and risk tolerances?

Examples

Appendix D provides sample templates for identifying, assessing, recording, and reporting risk information. Additional examples are available on or through links at the TBS Web site and more will be added as they become available.