ARCHIVED - Integrated Risk Management Implementation Guide
This page has been archived.
Integrated Risk Management:
Getting Started—Commit and Sustain Senior Management Support
The deputy head and senior management set the tone. To build the will and
capacity for implementation, they must understand integrated risk management and
its contribution to achieving corporate objectives. Their engagement signals
organizational commitment, while their active, continuing support is vital to
organizational readiness, roles, and approaches at the executive table to
gain commitment to lead and manage the necessary change. Executives' risk
awareness can be raised through briefings, retreats, workshops, and courses.
a senior executive risk champion to
lead and facilitate development of implementation plans and guidance on
integrating risk management with existing decision-making.
or use an existing executive forum for
risk management chaired by the deputy head; consider an organization-wide
working group to propose and advise on corporate approaches, plans, systems, and
and communicate an action plan for
implementing integrated risk management and report on progress.
Develop the Corporate Risk Profile
Understand the operating environment—threats and opportunities, strengths
and weaknesses—to help set strategic direction for integrated risk management.
Take stock to create a corporate snapshot of key risks and the capacity to deal
internal and external environmental scans to
identify and assess types and sources of risk and what is at risk, taking into
account interdependencies in risk areas cutting across the organization and
significant individual events or activities.
risk tolerance to
appreciate what sorts of risks and levels of risk stakeholders are willing to
current risk management capacity (i.e.
the usefulness of existing organizational tools, techniques, skills, expertise,
and resources for managing risk) to determine current abilities to control risks
and to identify gaps.
the initial risk response by identifying
mitigating strategies and consulting and refining the results of the scan and
the corporate risk profile (i.e. the results
of the scan, assessment and response) in ways useful to stakeholders, including
top management. For example, present a one-page risk map and snapshots by
headquarters and regions, business lines, and programs.
Establish an Integrated Risk Management Function to Integrate
Risk Management into Existing Decision-making Processes and Reporting
Establish and communicate organizational direction and infrastructure,
building on what exists.
a corporate focus using existing structures
or building new ones under the guidance of an executive forum, with initial
resources for mobilization and a designated corporate risk champion.
corporate direction throughout the
organization. The risk champion leads the development of written guidance, such
as an integrated risk management policy or framework and operating principles,
to support individual units in building risk management into day-to-day
operations. Identify and provide guidance on roles and responsibilities, program
targets, critical success factors, performance measures, and sources and kinds
of risk; make this guidance available on the organization's intranet.
risk management with existing decision-making structures in
a seamless fashion. Establish a common risk language and process or model; align
the approach with corporate planning; show how it supports the organization's
organizational capacity. Identify risk
management skills, processes, and practices that need to be developed and
strengthened; build on existing capacity, tailoring it as needed.
Practise Integrated Risk Management
Manage risks at the organizational level and in functional units, programs,
projects, activities, and processes.
the whole organization. Align integrated risk
management fully with objectives in all policies, plans, and operations.
Encourage active leadership of the deputy head and champion, as well as
executive discussion of corporate and business-line risk profiles. Feed
integrated risk management plans and results into corporate planning and
- Enable people with processes, tools, and techniques,
making available effective and proven resources and tools.
- Sustain the initiative by building a supportive
culture and processes that develop participation, trust, and swift action on
issues; continue to show executive support, devoting time in planning and
operational meetings; keep the corporate risk profile current; report on
performance; document risks, processes, decisions, plans, actions, and results.
- Consult and communicate with internal and external
stakeholders throughout the process.
Ensure Continuous Risk Management Learning
Create and maintain a supportive work environment for evaluation, feedback,
and sharing of lessons. Support innovation and encourage learning for people and
processes at the individual, team, and organizational levels.
- Cultivate a supportive work environment. Show
management commitment to learning by linking learning to the departmental
strategy and priorities; value knowledge, new ideas, new relationships, and
experimentation; get the incentives right by building in rewards and
recognition; celebrate success stories and significant contributions.
- Build capacity. Build risk management into employee
learning plans and learning plans into risk management practices; leverage
external learning; develop courses and provide learning events on departmental
approaches; include a range of perspectives (those of stakeholders and citizens)
in decision-making; actively seek input and feedback as a basis for further
- Learn from experience. Monitor, evaluate, and
adjust systems, processes, and practices; document and share lessons and best
practices internally and externally; encourage learning from experience rather
than assigning blame.