Treasury Board of Canada Secretariat


ARCHIVED - Integrated Risk Management Implementation Guide



Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Appendix A

Who Does What in Implementing Integrated Risk Management

See also the Integrated Risk Management Framework (April 2001), Appendix: Shared Leadership—Suggested Roles and Responsibilities.

Elements/Results in Implementing Integrated Risk Management | Deputy Heads or Equivalent and Senior Management | Corporate Risk Champion/Focal Point | Managers | Functional Advisors and Specialists, Review, Internal Audit | All Public Service Employees

Getting Started—Committing and Sustaining Senior Management Support (Commit)

Commit—build the will and capacity for change, lead the initiative, and manage the change.

Expected Results:

Organizational readiness is assessed.

Key risks are considered initially by an executive forum.

Roles and approaches to address risks are discussed collectively by senior management team.

A senior management risk champion is identified.

Assess organizational readiness.

Place integrated risk management on the executive team agenda; give it time at the executive table.

Assign a risk champion.

Demonstrate commitment and support to create momentum across the organization.

Become or stay current to talk knowledgeably about integrated risk management in the context of achieving corporate objectives.

Raise executives' risk awareness.

Lead and facilitate development and dissemination of implementation plans and necessary guidance.

Participate in assessing organizational readiness.

Contribute to organization's risk awareness.

Be agents of change.

Advise on and participate in assessment of organizational readiness.

Support managers in their role as agents of change.

Understand and be open to upcoming change.

Developing the Corporate Risk Profile (Think)

Think strategically—take stock of the organization's operating environment and its capacity to deal with the key high-level risks linked to achievement of its objectives.

Expected Results:

The organization's risks are identified through environmental scanning.

The current status of risk management in the organization is assessed.

The organization's risk profile is identified.

Set strategic direction.

Consistently challenge assumptions.

Encourage managers to renew their perspectives, keep their analysis current.

Make and communicate decisions around priorities and risk acceptance so employees have a shared sense of risk and context for their individual judgements.


Lead development of the corporate risk profile or work with corporate planners in leading its development.

Contribute to environmental scan, threat and opportunity identification, analysis, and assessment, including internal risk management capacity.

Help managers identify and assess risk and effectiveness, efficiency, and economy of existing measures to manage risk.

Stay aware of and attentive to risk management issues.

Establishing the Integrated Risk Management Function (Prepare)

Prepare—establish appropriate infrastructure for integrated risk management by building on what exists.

Expected Results:

Management direction on risk management is communicated, understood, and applied.

The approach to operationalizing integrated risk management is implemented through existing decision-making and reporting structures.

Capacity is built through the development of learning plans and tools.

Ensure risk management is anchored at the deputy head level and that the right people are involved in or leading implementation.

Encourage timely design and implementation.

Approve policy, approach, operating principles, and governance structure.

Support the use or development of appropriate information/IT systems.

Advise on implementation approaches and change management strategies.

Maintain support for function development, which can take time, e.g. demonstrating benefits to the organization (measurable gains/cost savings and better management of previously neglected risks).

Comment and advise on proposed approaches and strategies in light of local and corporate systems and issues.

Understand and communicate corporate direction and employee/local advice and issues.

Advise on design and whether the function being established or already established will meet the stated vision and objectives.

Understand the corporate approach to establishing the function and contribute to advice on its design and implementation.

Practising Integrated Risk Management (Act)

Act—practise integrated risk management up, down, and across the organization for a full picture in a way that makes sense for the organization.

Expected Results:

A common risk management process is applied consistently at all levels.

Results of risk management practices at all levels are integrated into informed decision-making and priority setting.

Tools and methods are applied.

Consultation and communication with stakeholders is ongoing.

Provide strategic leadership that endorses the corporate risk profile, strategic and business plans, drives identification and review of top risks, and models the principles of good risk management.

Continue to show support, devote time to planning and operational meetings.

Communicate to reinforce the desired risk culture, aiming risk messages at target audiences as required.

Facilitate and advise, such as risk management centre of expertise approach, e.g. deal with organization-wide policies and direction, developed by or with the units with functional expertise and to gain acceptance; co-ordinate for an overview (trends/changes) and to avoid duplication.

Systematically identify and manage risk strategically in functional units.

Always know who is managing.

Ensure employees are familiar with the latest risk management guidance.

Ensure particular risk management responsibilities are reflected in employees' work objectives.

Help managers design and implement tools for more effective risk management.

Advise on whether the function is operating as intended, whether it is meeting the stated vision and objectives, and whether local or systemic changes are required.

Know that you are a risk manager.

Understand how you contribute in your area and to the organization.

Identify and assess risks.

Report, respond to, monitor, and evaluate risks as required by your manager or organization.

Document decisions and supporting information.

Ensuring Continuous Risk Management Learning (Improve)

Improve—leverage and build on the existing knowledge and capacity base to achieve the desired cultural shift to a risk-smart workforce and operating environment.

Expected Results:

A supportive work environment is established where learning from experience is valued and lessons are shared.

Learning plans are built into an organization's risk management practices.

Results of risk management are evaluated to support innovation, learning, and continuous improvement.

Experience and best practices are shared internally and across government.

Set the tone: integrated risk management is valuable and everyone can and must contribute.

Ensure uniform metrics across the organization.

Explain to stakeholders that risk is a part of managing to get a net reward, that innovation requires experimentation and learning from experience supported by sound risk management.

Celebrate the successes of individuals and teams.

Ensure that communication and training consider "What's in it for me?" for every person.

Ensure that training is in context and shows people the big picture, where they fit in, where they can help, and how IRM contributes to results for Canadians.

Put into operation the necessary practices, actions, and events to achieve the expected results of continuous learning.

Track and report on lessons learned from corporate and functional perspectives.

Conduct independent assessments of risk management strategies and practices.

Request and contribute to individual learning plans.

Document decisions and supporting information.