Treasury Board of Canada Secretariat
Symbol of the Government of Canada


ARCHIVED - Integrated Risk Management Implementation Guide


Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Developing and Implementing
Integrated Risk Management:
an Overview

Getting Started—Commit and Sustain Senior Management Support

The deputy head and senior management set the tone. To build the will and capacity for implementation, they must understand integrated risk management and its contribution to achieving corporate objectives. Their engagement signals organizational commitment, while their active, continuing support is vital to success.

  • Discuss organizational readiness, roles, and approaches at the executive table to gain commitment to lead and manage the necessary change. Executives' risk awareness can be raised through briefings, retreats, workshops, and courses.
  • Assign a senior executive risk champion to lead and facilitate development of implementation plans and guidance on integrating risk management with existing Decision-making.
  • Create or use an existing executive forum for risk management chaired by the deputy head; consider an organization-wide working group to propose and advise on corporate approaches, plans, systems, and practices.
  • Develop and communicate an action plan for implementing integrated risk management and report on progress.

Develop the Corporate Risk Profile

Understand the operating environment—threats and opportunities, strengths and weaknesses—to help set strategic direction for integrated risk management. Take stock to create a corporate snapshot of key risks and the capacity to deal with them.

  • Conduct internal and external environmental scans to identify and assess types and sources of risk and what is at risk, taking into account interdependencies in risk areas cutting across the organization and significant individual events or activities.
  • Understand risk tolerance to appreciate what sorts of risks and levels of risk stakeholders are willing to accept.
  • Assess current risk management capacity (i.e. the usefulness of existing organizational tools, techniques, skills, expertise, and resources for managing risk) to determine current abilities to control risks and to identify gaps.
  • Develop the initial risk response by identifying mitigating strategies and consulting and refining the results of the scan and response.
  • Portray the corporate risk profile (i.e. the results of the scan, assessment and response) in ways useful to stakeholders, including top management. For example, present a one-page risk map and snapshots by headquarters and regions, business lines, and programs.

Establish an Integrated Risk Management Function to Integrate Risk Management into Existing Decision-making Processes and Reporting

Establish and communicate organizational direction and infrastructure, building on what exists.

  • Establish a corporate focus using existing structures or building new ones under the guidance of an executive forum, with initial resources for mobilization and a designated corporate risk champion.
  • Communicate corporate direction throughout the organization. The risk champion leads the development of written guidance, such as an integrated risk management policy or framework and operating principles, to support individual units in building risk management into day-to-day operations. Identify and provide guidance on roles and responsibilities, program targets, critical success factors, performance measures, and sources and kinds of risk; make this guidance available on the organization's intranet.
  • Integrate risk management with existing decision-making structures in a seamless fashion. Establish a common risk language and process or model; align the approach with corporate planning; show how it supports the organization's objectives.
  • Build organizational capacity. Identify risk management skills, processes, and practices that need to be developed and strengthened; build on existing capacity, tailoring it as needed.

Practise Integrated Risk Management

Manage risks at the organizational level and in functional units, programs, projects, activities, and processes.

  • Engage the whole organization. Align integrated risk management fully with objectives in all policies, plans, and operations. Encourage active leadership of the deputy head and champion, as well as executive discussion of corporate and business-line risk profiles. Feed integrated risk management plans and results into corporate planning and priority-setting processes.
  • Enable people with processes, tools, and techniques, making available effective and proven resources and tools.
  • Sustain the initiative by building a supportive culture and processes that develop participation, trust, and swift action on issues; continue to show executive support, devoting time in planning and operational meetings; keep the corporate risk profile current; report on performance; document risks, processes, decisions, plans, actions, and results.
  • Consult and communicate with internal and external stakeholders throughout the process.

Ensure Continuous Risk Management Learning

Create and maintain a supportive work environment for evaluation, feedback, and sharing of lessons. Support innovation and encourage learning for people and processes at the individual, team, and organizational levels.

  • Cultivate a supportive work environment. Show management commitment to learning by linking learning to the departmental strategy and priorities; value knowledge, new ideas, new relationships, and experimentation; get the incentives right by building in rewards and recognition; celebrate success stories and significant contributions.
  • Build capacity. Build risk management into employee learning plans and learning plans into risk management practices; leverage external learning; develop courses and provide learning events on departmental approaches; include a range of perspectives (those of stakeholders and citizens) in Decision-making; actively seek input and feedback as a basis for further action.
  • Learn from experience. Monitor, evaluate, and adjust systems, processes, and practices; document and share lessons and best practices internally and externally; encourage learning from experience rather than assigning blame.