Treasury Board of Canada Secretariat

ARCHIVED - Integrated Risk Management Implementation Guide

Appendix B

A Common Risk Management Process

A common, continuous risk management process helps organizations understand, manage, and communicate risk. Continuous risk management has several steps. Emphasis on various points in the process may vary, as may the type, rigour, or extent of actions considered, but the basic steps are similar. The accompanying diagram illustrates a sample continuous risk management process that focuses on an integrated approach to risk management. The diagrams and description are taken from the Integrated Risk Management Framework.

Diagram of a common risk management process, the essence of which is detailed in the text that follows.

Internal and external communication and continuous learning improve risk management understanding and skills at all levels of an organization. The process provides common language, guides decision-making at all levels, and allows organizations to tailor their activities at the local level. Documenting the rationale for decisions strengthens accountability and demonstrates due diligence.

The common risk management process and related activities are as follows:

Risk Identification

1. Identifying Issues, Setting Context

  • Define the problems or opportunities, scope, context (social, cultural, scientific, etc.), and associated risk issues.
  • Decide on necessary people, expertise, tools, and techniques (e.g. scenarios, brainstorming, checklists).
  • Perform a stakeholder analysis (determine risk tolerances, stakeholders' position, attitudes).

Risk Assessment

2. Assessing Key Risk Areas

  • Analyze the context and results of the environmental scan and determine the types and categories of risk to be addressed, significant organization-wide issues, and vital local issues.

3. Measuring Likelihood and Impact

  • Determine the degree of exposure, expressed as likelihood and impact, of assessed risks and choose the appropriate tools.
  • Consider both the empirical evidence and public context.

4. Ranking Risks

  • Rank risks, considering risk tolerance and using existing or new criteria and tools.

Risk Response

5. Setting Desired Results

  • Define objectives and expected outcomes for ranked risks for the short and long term.

6. Developing Options

  • Identify and analyze options (i.e. ways to minimize threats and maximize opportunities), approaches, and tools.

7. Selecting a Strategy

  • Choose a strategy and apply decision criteria that are results-oriented and problem- or opportunity-driven.
  • Apply, where appropriate, the precautionary approach as a means of managing risks of serious or irreversible harm in situations of scientific uncertainty.

8. Implementing the Strategy

  • Develop and implement a plan.

Monitoring and Evaluation

9. Monitoring, Evaluating, and Adjusting

  • Learn to improve the decision-making and risk management process locally and organization-wide, using effectiveness criteria, reporting on performance and results.

Organizations can vary the basic steps and supporting tasks most suited to achieving common understanding and implementing consistent, efficient, and effective risk management. A focussed, systematic, and integrated approach recognizes that all decisions involve management of risk, whether in routine operations or for major initiatives involving significant resources. It is important that the risk management process be applied at all levels, from the corporate level to programs and major projects to local systems and operations. While the process allows tailoring for different uses, having a consistent approach within an organization assists in aggregating information to deal with risk issues at the corporate level.

Many other common processes for risk management are available, including the Australian/New Zealand Standard, the Canadian Standards Association's Q850, and those of the Software Engineering Institute. (Links to these organizations' Web sites are available on the TBS Web site.) Regardless of the process, number of steps, or terminology, all processes cover the same four components:

  • risk identification;
  • risk assessment;
  • risk response; and
  • monitoring and evaluation.

Most models also emphasize the importance of communication throughout the process.

The following advice on applying a risk management process supplements the guidance provided in the IRMF.

Risk Identification

Search for and locate risks before they become problems.

Ways to do it

  • brainstorming
  • strength-weakness-opportunity-threat (SWOT) analysis
  • risk forms/identification sheets
  • surveys and questionnaires
  • interviews and focus groups

Questions to consider

  • What is at risk?
  • What are the major objectives?
  • What are the risks associated with each objective?
  • Who are the stakeholders?


  • Include contextual information, as well as the risk itself.
  • Multi-disciplinary teams improve the chances of identifying new risks.
  • Open communication and a forward-looking view are key.
  • Include stakeholder risk tolerances, positions, and attitudes.

Risk Assessment

Transform risk data into decision-making information by examining risks in detail to assess key risk areas, determine the likelihood and impact of the risks, how they relate to each other, and which are the most important.

Ways to do it

  • Determine the degree of exposure based on likelihood, impact, and time frame.
  • Qualitative methods include brainstorming, evaluation using multi-disciplinary groups, specialist judgement, structured interviews, and questionnaires.
  • Quantitative techniques include consequence analysis, decision trees, life cycle cost analysis, simulation or computer modelling, statistical analysis, and market research.
  • Rank risks to determine which to deal with first.

Questions to consider

  • What is the acceptable level of risk?
  • What are the current controls?
  • What are the potential consequences if the risk occurs?


  • Assess key risk areas by grouping risks based on shared characteristics, by source, impact, or some other measure.
  • Impact and likelihood matrices can help visualize all risks together.
  • Consider both the empirical evidence and the public context.

Risk Response

Decide what to do about the risks identified by translating risk information into decisions and mitigating actions.

Ways to do it

  • Set desired results and define objectives and expected outcomes for ranked risks over the short and long term.
  • Develop options to minimize threats and maximize opportunities. Consider ways to avoid the risk; mitigate its impact or likelihood; transfer it to another party; accept and monitor it.
  • Select and implement a strategy.

Questions to consider

  • What is the feasibility and cost-effectiveness of each option?
  • What resources are required?


  • The objective is to take a balanced approach in developing mitigation strategies. Do not over-plan or oversimplify.
  • Do not lose sight of the end product when developing mitigation plans.

Monitoring and Evaluation

Monitor risks and mitigation strategies, adjusting your approach as required. Learn from the approach to improve the decision-making and risk management process locally and organization-wide.

Ways to do it

  • periodic status reports
  • analysis of trends and patterns
  • reports on performance and results

Questions to consider

  • Based on the effectiveness of the mitigation strategy, has the status of any risk changed?
  • Are initial assumptions still valid?
  • What improvements to the current strategies and processes can be made?


  • Have contingency plans in place to invoke if needed.
  • Communicate best practices and lessons learned from both successes and failures.
  • Understand that risk management is a continuous process; new risks may emerge requiring assessment and response.

Provide Effective Resources, Tools, and Techniques


Consider information on resources listed in the Selected References section of this guide and information on or links to risk management resources on the TBS Web site. For example, the CCMD document, A Foundation for Developing Risk Management Learning Strategies in the Public Service, provides useful information from several perspectives, such as understanding risks, competencies required, sample risk identification lists, and barriers and solutions to good risk management.

Tools and techniques

  • software tools
  • self-assessment tools
  • risk scorecard tool kits
  • modelling tools, such as scenario analysis and forecasting models
  • functional frameworks, e.g. Precautionary Approach (A Framework for the Application of Precaution in Science-based Decision-making about Risk), Legal Risk Management
  • systematic processes, e.g. Canadian Standards Association Q850
  • Internet and intranet to promote risk awareness by sharing information internally and externally
  • qualitative techniques, e.g. workshops, questionnaires

Consultation and communication

This is essential in supporting sound risk management decisions and must be considered at every stage of the risk management process.

Internal communication is necessary to provide efficient transfer of information between all levels in an organization.

Tips for Communicating with Managers

  • Give the big picture first.
  • Answer key questions.
  • Provide a qualitative description, not just a number.
  • Use real-life stories and powerful analogies.
  • Tell not only what you know, but also what you suspect.
  • Spare the minute details.
  • Point out where data are weak.
  • Indicate where there is uncertainty.
  • Identify the positions of stakeholders.

External communication involves key stakeholders at all stages of the risk management process, as appropriate, respecting the Communications Policy of the Government of Canada. The following tips apply to communication at each of the four stages of the risk management process.

Risk Identification

  • Define the issue and identify potential stakeholders.
  • Explore stakeholders' needs, issues, and concerns.
  • Decide how to communicate with stakeholders.
  • Formulate initial messages and identify a spokesperson.
  • Develop initial briefing material for key officials, as appropriate.

Risk Assessment

  • Research background information on the risk issue and the history of stakeholders' concerns.
  • Determine stakeholders' concerns, expectations, perceptions, knowledge levels, and needs.
  • Anticipate possible incidents, events, or allegations that may arise and plan responses.
  • Ensure rapid response mechanisms are in place to respond to media stories and stakeholders' concerns.
  • Develop a media strategy to support the public consultation process.

Risk Response

When developing and analyzing options:

  • facilitate continuing communication with and between stakeholders;
  • share the concerns of stakeholders with others;
  • determine acceptability to stakeholders of options for responding to the risk; and
  • develop a proactive media strategy to assess public reaction to potential options.

When implementing a chosen option:

  • implement a broad-based communications strategy, including a proactive media plan;
  • adopt a high-visibility strategy in key locations to get the message out and to respond to public concerns about the action plan;
  • finalize the media strategy;
  • prepare information material for stakeholders and key government officials; and
  • develop a rapid response mechanism for public comments.

Monitoring and Evaluation

  • Monitor public reaction.
  • Conduct polling to gauge public concerns and reactions.
  • Analyze media coverage to determine trends.
  • Fine-tune and rework key communications messages accordingly.
  • Communicate findings internally and externally and flag emerging or potential issues.
  • Conduct a formal evaluation and develop contingency plans for the future.
  • Assess the impact of the action plan on affected stakeholders and compare to what was predicted.


  • Common understanding does not necessarily lead to consensus.
  • Credibility and trust take a long time to develop but can be destroyed in an instant.
  • Base all discussions on fact.
  • Independent third-party support enhances credibility.
  • Perceived risk often differs dramatically from objectively measured risk.
  • Communicate early and often.

Departments and agencies have been sharing information on risk communication and consultation. Readers interested in additional information are directed to the TBS Web site or individual departmental or agency Web sites. For example, the Canadian Food Inspection Agency prepared a paper entitled Risk Communication and Government: Theory and Application for the Canadian Food Inspection Agency (available on-line at The paper, which includes an extensive reference list, was designed to explore risk communication from a government perspective, including a review of some of the recent theory on risk communication with a focus on food risk and science-based communication.