Treasury Board of Canada Secretariat

ARCHIVED - Review of Canadian Best Practices in Risk Management



Summary of Findings

Executive Summary


Purpose

Creating and sustaining a mature risk management environment was one of the crucial components of modernizing comptrollership as recommended in the 1997 Report of the Independent Review Panel on Modernization of Comptrollership in the Government of Canada. To enable such an environment, the Treasury Board Secretariat (TBS), with federal departments and other interested parties, is developing a results-oriented approach to risk management to help employees better understand, manage and communicate risk and the related choices - a modern, integrated approach.

As the basis for this work, background research on best practices in risk management was required in the Canadian private sector and provincial public sectors and in the private and public sectors internationally.

Methodology

Thirteen (13) Canadian organizations with ongoing management of risk initiatives were interviewed and Canadian literature on management of risk was reviewed. Nine (9) of the thirteen (13) organizations were from the private sector and four (4) were from the public sector. They covered a broad spectrum of business and public activities. Organizations were asked to identify best practices as something that was "particularly effective in helping an organization achieve its objectives for managing risk and would be of value to other organizations".

A Best Practices Framework was used to focus discussions with participating organizations. The Best Practices Framework contained a listing of suggested strategies where best practices would be expected to be of common interest to a variety of organizations.

This study was conducted in close collaboration with a study of International Best Practices in Risk Management and a Coordinated Conclusions Report was jointly issued by the two studies.

Key Findings

Twenty-one (21) best practices were identified and all have value and relevance for the Canadian federal government. The strategies set out in the Best Practice Framework are logically associated with developing a new initiative. Grouping by strategy element was therefore considered a good method for presenting and analyzing the best practices. Organizations at the front end or somewhat progressed in their risk management initiative will be able to readily reference the best practices most relevant to their stage of development. The groupings are presented below.

Best Practice Framework Strategies and the Best Practices identified under each

Structural Strategies:

a) Objectives and values communicated
  • Commitment from the top
  • Face-to-face workshops for developing senior management support
  • Messaging about foundations and monitoring
b) Shared responsibility for managing risk and fostering commitment
  • Risk Management Committee
  • Independent Office
c) Organization-wide
d) Various strategies
e) Monitored and reported to senior management, governing body and stakeholders
  • Planning / reporting on risks
  • Regular attention to the risk management process

Implementation Strategies:

Defined framework
  • Risk Framework (Identifying sources)
Policy
  • Risk Management Policy Framework
Risk Champion
Task Force
  • Targeting "natural fit"
  • Developing a core competency first
  • Experienced, committed senior managers to lead initiative
  • Utilizing the best of existing structure to work with
Guidelines / training
  • "Learning by doing" method of training and support
  • Comprehensive Risk Management Handbook
  • Customized training program
Standard process
  • Control/Risk Self-Assessment sessions
  • Regular attention to the risk management process
  • Scenario planning
  • Risk perception and risk communications
Software
Defined parameters
  • Clearly defining "risk"

The following best practices were identified by two or more organizations interviewed and are therefore seen to have enhanced significance:

  • Commitment from the top;
  • Face to face workshops for developing senior management support;
  • Targeting "natural fit" areas;
  • Risk/Control Self-Assessment sessions;
  • "Learning by doing" method of training and support;
  • Risk perception and risk communications; and,
  • Clearly defining "risk".

From a concurrent TBS study of risk management practices in federal departments, cultural change was frequently identified as the foremost challenge in moving toward a mature risk management environment. Eleven (11) of the best practices would be helpful in addressing this issue. A listing of best practices that have priority applicability to the Canadian federal government was developed (Exhibit 5) using Facilitating Cultural Shift as the first of nine (9) ranked criteria.

Key Conclusions

The Drive Toward More Systematic Management of Risk Makes a Lot of Sense

Factors such as the global pace of change, resource restraint, growing openness, transparency and accountability, and significant continual organizational change present a demanding case for better management of risk.

Benefits are There Even Though They are Not Easily Measured

Organizations were not yet able to precisely quantify all of their benefits but were very satisfied with the qualitative value of the benefits they perceived from their investments of time, money and staff resources in more systematic management of risk. No one expressed regrets at having embarked upon this course of action.

Leadership and Support Must be Visible

Leadership and support are necessary to promote an "environment of support" for innovation and more conscious risk taking, with the corollary recognition that there would be "misses" as well as "hits".

Develop Competency First

While the long-term goal for most is an organization-wide approach where everyone takes responsibility for managing risk, starting by developing competency in "natural fit" areas will permit initial success upon which to build.

Care Must be Taken in Defining and Explaining "Risk"

A more traditional understanding of risk was that it related to the potential for harm. More recently some authorities and risk practitioners are defining risk as a concept that embodies both harm and reward such that their definitions are stated in more neutral terms. Care must be taken to decide which definition to use and to explain that both are used to address opportunities and hazards.

Ongoing Investments Are Necessary

Management of risk cannot take hold and be practiced routinely by management and staff without dedicated up-front ongoing investments. Investment will be required in training, communication, promotion, and process support. There should be a dedicated responsibility centre to serve as both the source of "expert" support and to sustain the process and ongoing communications of both successes and lessons learned.

Recommendations

  1. The Best Practices Framework should be refined into a Management of Risk Framework for providing guidance to departments on how to address the organizational / strategy implications and the risk management process implications of any initiative they would undertake.
  2. Messaging about Management of Risk from Treasury Board Secretariat should address:
     • Benefits are there even though they are not easily measured; and,
     • People, systems and processes are valued as the current "foundation" to move toward more systematic management of risk.
  3. Treasury Board Secretariat vision for management of risk should promote departments developing management of risk on a blend of organization-wide initiatives (e.g. linkage to planning / reporting, assessment of high risks) and targeted initiatives (e.g. continuous risk management of a major project).
  4. Treasury Board Secretariat should provide a definition of risk which is supported by an explanation of how the definition is implemented to address both opportunities and hazards.

1.0 Introduction

1.1 Background

The government is continuing to implement recommendations from the Report of the Independent Review Panel on Modernization of Comptrollership in the Government of Canada. The Panel's report identified four key elements of modern comptrollership:

  • performance information - financial and non-financial, historical and prospective;
  • risk management;
  • control systems; and,
  • ethics, ethical practices and values.

Creating and sustaining a mature risk management environment was one of the crucial components of the approach recommended by the Panel. To enable such an environment, the Treasury Board Secretariat (TBS), with federal departments and other interested parties, is developing a results-oriented approach to risk management to help employees better understand, manage and communicate risk and the related choices - a modern, integrated approach. The result of this work is expected to be an umbrella policy that sets the context for federal risk management along with guidance, tools, techniques and training for use in federal departments.

As the basis for this work, background research on best practices in risk management was required in the Canadian private sector and provincial public sectors and in the private and public sectors internationally.

1.2 Objective and Scope

1.2.1 Objective

The objective of the project was to identify Canadian risk management best practices including strategies, approaches, methods, tools and techniques and how they could be used in the Canadian federal government.

1.2.2 Scope

The research included the private sector and the provincial/municipal public sectors. The scope included contacts with:

  • corporations;
  • provincial/municipal departments and agencies;
  • associations, academics and consultants involved with risk management; and,
  • other research study groups assisting TBS in implementing its Risk Management Action Plan.

This study was coordinated with the related study of best practices in the private and public sectors internationally.

2.0 Methodology

2.1 Our Methodology

This study was one of a suite of four studies commissioned concurrently by TBS. The related studies were:

  • Study of the Status of Risk Management Practices in Federal Departments and Agencies [awarded to Consulting and Audit Canada (CAC)]
  • Study of the Risk Management Principles / Themes in the Federal Public Service [awarded to Otto Brodtrick (OB)]
  • Study of International Best Practices in Risk Management [awarded to KPMG]

The fact that there were related studies commissioned at the same time meant that the first step of our methodology involved Establishing an Arrangement for Project Management and Coordination with Related Studies as illustrated in Exhibit 1.

A fundamental part of the methodology was the need to coordinate our study techniques with the study on International Best Practices being done by KPMG. We began working together at the outset to ensure comparable and useful results would be produced. Accordingly, the second major step of the methodology was to create a Best Practice Definition, Framework and Applicability Criteria. These items are discussed in detail below. They were created jointly with KPMG and were reviewed and commented on by an Advisory Committee TBS had created in relation to its initiatives on management of risk. PMN and KPMG then jointly developed an Interview Guide for use in focussing the discussions with participating organizations.

The next four steps consisted of Interviews, Literature Review, Preliminary Findings and Draft Report and were completed separately by PMN and KPMG.

As a result of time constraints we chose to target our potential private sector interview respondents to 18 organizations where we knew there were risk initiatives in process. We did not have similar knowledge of where there were risk initiatives in provincial / municipal public sector organizations. Requests were sent to Auditors General / Provincial Auditors (12) and municipal Chief Administrative Officers / City Managers (6) for assistance in identifying potential public sector respondents. See Appendix A for a list of Participating Organizations.

Exhibit 1: Illustrated Study Methodology

A review of Canadian literature and other reference sources was conducted concurrently with the interviews. Summaries were prepared of the interviews and key documents. The Interview Summaries highlight the context for risk management in the organization. This generally covers the objective, approach and benefits for the organization's risk management initiatives. The Interview Summaries (see Appendix B) then highlight the best practices that were identified by the organization and in some cases organizations also identified some "good" practices. The Key Document Summaries (see Appendix C) constitute more of a general synopsis of what the document contains. Most of the key documents were not written to address the issue of "best practices". However they were selected as key because they provide some information, opinions or suggestions on the best practices identified in the interviews.

The information in the Interview and Key Document Summaries was then analyzed for applicability to the federal public sector using the Applicability Criteria (see Section 2.5). Information on benefits, examples, preliminary observations and examples of best practices was reported to TBS in a Preliminary Findings Report.

As illustrated in Exhibit 1, the final steps consisted of the Draft Report, Coordinated Conclusions (consensus between PMN and KPMG), a Presentation of results to TBS and the Advisory Committee, and a Final Report. The Final Report took into consideration the results of the CAC and OB draft reports.

2.2 Best Practice Definition

In order to provide comparability and usefulness to the collection of information regarding "best practices" in risk management, it was necessary to first define "best practice" in the context of this project. This definition was developed jointly with KPMG to be used as well in its international study.

Not all risk management practices are best practices, nor would all good practices have relevance or be readily adaptable to the federal public service. It was concluded that a best practice would be a strategy, approach, method, tool or technique that was particularly effective in helping an organization achieve its objectives for managing risk. A best practice would also be one that was expected to be of value to other organizations. For example, a practice that was particularly helpful in establishing guidance would be of value to many other organizations, including the Treasury Board of Canada Secretariat (TBS), as the provision of guidance to federal departments is one of its important objectives.

2.3 Best Practice Framework

A best practice framework sets out the areas where best practices would be expected to be of common interest to a variety of organizations. This framework was developed jointly with KPMG to be used as well in its international study. The basic assumption is that an organization invests resources in managing its risks, both strategic and operational, in order to achieve anticipated benefits. These benefits, which are often defined as objectives for managing risk, could be any combination of:

  • communication for commitment;
  • enhancement of stakeholder value, achievement of corporate objectives;
  • measurement for improved management;
  • support for effective accountability and governance;
  • strengthening of planning and decision processes (synergy, communications, etc.);
  • measurable returns on investments; and,
  • increased confidence of stakeholders.

The best practices framework we have constructed is illustrated as Exhibit 2 and provided in detail in Appendix D.

It should be seen as only one possible configuration, selected for its ability to complement other work being done for TBS. It is by no means an exhaustive list. Acknowledging this, if a practice in a participating organization was found to be beneficial, either in achieving its objectives for managing risk or in the overall achievement of corporate business objectives, but didn't seem to fit into this selected configuration, we still recorded it. The ultimate test of it as a best practice is whether it may have some value for another organization in achieving its risk management objectives.

Exhibit 2: Best Practices Framework Model


2.4 Interview Guide

Our Interview Guide (attached as Appendix E) was developed in coordination with KPMG in order to ensure comparability and usefulness of findings. The Guide was based upon the framework with a series of probing questions outlined under the main sections of Components, Integration Strategies, and Disciplines and Functions. Some small differences in the PMN and KPMG Guides were necessary to accommodate ease of conducting the interviews in other countries.

2.5 Applicability Criteria

During our analysis we determined that some of the criteria related very well to the best practices. When organizations would explain their best practice it became evident they were applying many of our original criteria. However some of these criteria did not relate well to any of the best practices. These criteria appear to relate to "risk management" but not to a best practice for risk management. Our original criteria were as follows:

  • Has broad applicability, beyond the protection of assets and people
  • Fosters a supportive work environment
  • Supports innovation
  • Improves service delivery, e.g., efficiency, effectiveness
  • Improves access to government / government services
  • Facilitates management decision-making
  • Promotes sound resource allocation
  • Is easily understood and used (plain language, user-friendliness)
  • Helps managers understand the context and implications of risk
  • Demonstrates communication / involvement with stakeholders
  • Facilitates cultural shifts and change management
  • Builds on existing knowledge, lessons learned in the organization
  • Considers opportunity costs
  • Has a clear and potentially applicable accountability or governance framework
  • Makes effective use of audit and evaluation resources
  • Links horizontally in the organization
  • Integrates well with the existing management framework, processes and practices

We reviewed the above criteria in light of preliminary findings from the Consulting and Audit Canada (CAC) study as well. CAC reported that departments have several "needs" in relation to risk management. The criteria related to some but not all of the needs. Accordingly, some additional criteria have been considered in our study. Linkage to departmental needs was considered a valid reason to include a criterion.

The revised set of criteria is set out below:

  • Facilitates cultural shift;
  • Fosters supportive environment "walk the talk";
  • Supports accountability;
  • Addresses benefits / resources issues (added re: departmental needs);
  • Demonstrates communication / involvement with stakeholders;
  • Builds on existing knowledge and practices;
  • Addresses tools, training, and expert advice issues (added re: departmental needs);
  • Provides common language (added re: departmental needs); and,
  • Helps understand risk.

3.0 Our Findings

3.1 Introduction

The purpose of this study was to research and document the "best practices" of Canadian organizations which had developed the kind of "mature risk management environment" recommended by the Comptrollership Modernization Panel for application in the federal public service. We set out to identify a selected number of leading Canadian private and public sector organizations. Our objective was to investigate both the context of their current management of risk practice, and also to ask them to identify those practices and processes which they felt had been particularly effective for their organizations in achieving their current level of managing risk within their organization.

Our study collected detailed information and documentation on best practices from senior representatives of thirteen (13) Canadian organizations across the country which cover a broad spectrum of business and public activities. From the private sector, we interviewed executives from the financial services industry (2), the natural resources sector (2), manufacturing (2), as well as two (2) major utilities and one (1) major hospital. Within the public sector, we interviewed senior officials from two (2) municipalities and two (2) provinces.

We also approached and made initial contacts with several other public and private sector organizations which had confirmed they were investing in more strategic corporate risk management. However, they regretted not being able to participate, most often citing insufficient time to prepare and fully participate in our study.

Overall, our findings of best practices from the organizations we interviewed have value and relevance for the federal public sector. All of the organizations interviewed recognized they were not immune to the broad pressures which gave rise to their strategic investments in more systematic risk management: the global pace of change; resource restraint; demands from stakeholders for growing openness, transparency and accountability; and, continued pressures for organizational change (downsizing, empowerment, alternative forms of delivery, etc.). These same kinds of pressures are no less significant for the departments and agencies of the federal government, and indeed may be more so.

Before proceeding to describe our findings on benefits, examples and best practices it is important to note that a very important context for the federal public sector is the cultural environment where managing risk can initially take hold and become effective. As was noted in the study on Risk, Innovation and Values, there needs to be flexibility, empowerment and encouragement in order for innovation and intelligent risk taking to be effective in a public service environment. As was noted in the study of the Status of Risk Management Implementation in Federal Departments, many departments expressed concerns that the current culture "from the centre" is not yet perceived to be conducive to flexibility and support for innovation or intelligent risk taking. Despite talk of the centre wanting to encourage new ways of doing things in government, the feedback from many departments was "walk the talk" before we start taking innovative risks. In other words, a culture shift of some significance will be a prerequisite for more effectively managing risk.

Factors Demanding Management of Risk

  • Global pace of change
  • Resource restraint
  • Growing openness, transparency and accountability
  • Continual organizational change:
    -- smaller government
    -- alternative service delivery
    -- systems replacing people

Beyond the recent regulatory and policy change imperatives, there are many factors which make a culture shift necessary for the federal public sector, and most of these same factors were recognized as influencing similar culture shifts in the organizations we interviewed as they adopted a broader approach to managing their risks. There was certainly an awareness that as the impacts of their reductions and restructuring worked their way through their organizations, over time there was increased likelihood of greater numbers of errors, lapses and breakdowns with the status quo. They recognized that unless they changed their approach to understanding and managing their strategic risks, and in doing so, forced their corporate cultures to change, the magnitude of these inevitable problems would compromise the attainment of their overall business objectives.

It was fortuitous that the federal government delayed most of its significant restructuring until several years after the private sector's similar actions. There are lessons which can be learned, and problems which can be avoided by now moving to more broadly understand and manage risk. However, regarding the current readiness for a culture shift, the expectations of federal stakeholders may not yet be at this point, because the risks and consequences of restructuring and downsizing were not fully assessed and understood at the time the decisions were made. Further, the current and future trade-offs may not yet have been explained to stakeholders in such a way that they can better understand the risks, opportunities and options. It is very conflicting for public servants who must now make choices involving trade-offs affecting public interests, knowing that their key stakeholders (public, media, politicians) may not yet understand or be prepared to accept these choices, even though there is no possible return to the past zero-risk environment.

3.2 Benefits and Examples

One of the questions most often asked on behalf of those organizations who are at the front end of their investigation of management of risk is "What are the benefits of broadly managing risk, and can you provide us with some good examples?" Any conscientious manager needs to ask this question before making a decision to invest financial or human resources in any new initiative. It is driven in part by the need to judiciously steward their already-invested corporate resources. Further, all good managers need to ensure they have, and can communicate to others, a sound rationale for embarking on (or even investigating) a course of action which may result in significant shifts in the way in which they go about achieving their business objectives.

These two questions have several relatively straightforward responses gleaned from our findings:

  • By developing a greater awareness and understanding of the inherent or emerging risks (in relation to either the achievement of current business objectives or the pursuit of other potential benefits), it ensures more thorough management strategies to address the significant potential liabilities and obstacles to achieving objectives and delivering expected results.

For example, several organizations have established senior or executive level risk oversight bodies which monitor the process and investments in systematic management of risk within their respective organizations. In most cases, they also take on responsibility for reviewing and assessing (or challenging the corporate assessments of) risks and mitigation strategies involved in any major new corporate initiatives.

  • By working with our partners to identify and understand the common risks we share with them, it builds trust into our shared working relationships, and all parties are better able to proceed individually to achieve their mutual business objectives.

For example, within one organization, they bring groups together with appropriate experts at their "training by doing" sessions (e.g. engineers, operators, maintenance staff, legal, etc.). Not only is their varied experience and expertise useful to the risk analysis, but also their involvement supports the objective of integrating risk-based decision-making into day-to-day thinking and activities at all levels of the organization. They state that the involvement of the specialists and generalist perspectives of the various interest groups helps them all better understand, using real world scenarios they can relate to, whether to use a quantitative, semi-quantitative or intuitive approach to decision-making. It also ensures greater buy-in for the decisions when they are taken.

Another organization has used the approach of assessing risks and undertaking front-end planning with a prospective partner organization to reach a conclusion that the proposed partnership would not be in their best interests. Had they not taken this approach, they might have found themselves contractually tied in an untenable situation, possibly incurring significant additional costs to extricate themselves after-the-fact.

  • By anticipating scenarios before they arrive on our doorsteps as problems or crises, we can better prepare for them, achieving both financial savings through more effectively planned investments in advance, and through preventing (or at least attenuating) potential losses of property or life.

For example, implementation of a formal risk management process has led to reduction of public safety-related incidents in one participating organization from 21 to 2 per year in the first year after implementation (and the level has remained the same since then). Spin-offs for them include reduction in claims and litigation and their corresponding legal work, reduced insurance premiums, increased confidence of front-line staff through greater empowerment and control over decisions. They have also found that users are approaching the Risk Management centre requesting more "tools" and support to apply to other aspects in their workplace instead of waiting to be instructed to do these assessments.

Another organization uses scenario planning to anticipate how its global sources of risk (over which they have virtually no control) may unfold elsewhere in the world. They can then use the more likely of these scenarios as contexts to develop their annual business and other operational plans.

  • By consciously and regularly looking for "what else might happen" scenarios, and by discovering possible unintended consequences in advance of choosing a particular course of action, our decision-making will obviously be based upon more relevant and complete information, and we will significantly decrease the chances of being "blindsided" by some unforeseen scenario or potential crisis. We will also have better contingency plans prepared should one of the risk scenarios come to pass.

For example, in one organization, their formal process has led them to accreditation as a leader in "looking ahead" within their industry (with spin-off benefits of lower insurance premiums and increased stakeholder confidence).

  • By communicating our awareness of significant risks and how these are being managed, shareholder value is demonstrably improved according to private sector comment and data. For the public sector, with different sensitivities and success indicators, increased stakeholder (politicians, media, taxpayers, etc.) confidence through understanding and acknowledging the trade-offs is the corollary benefit.

For example, one organization has developed an interconnected external and internal communications strategy for its reporting on risks. Its belief is that the more its key stakeholders and the public it serves know about how it prioritizes and manages its risks, the more confidence they will have in contracting for its products and services. They publish their five year strategic plan and their annual business plan for the information of shareholders and clients. They then have linked these to internal planning and reporting regimes so that each sector and unit is aware of how its particular management of its own localized risks contributes to the overall achievement of the corporate business objectives.

Many private sector organizations are now reporting in extensive detail on their key risks and management strategies as part of their annual reports to shareholders and regulators. One organization devoted over 10% of its annual report (11 pages) to reporting on its particular risks and how each of these is being addressed, covering elements such as corporate structure, different risk categorizations and their risk management process.

Regrettably, the above relatively brief and mostly qualitative descriptions of intuitively self-evident benefits do not fully satisfy some managers. They continue to request ever-increasing levels of certainty, supporting data, certifications, assurances and replicable proof that this more systematic approach will work for each of their particular situations, everywhere in their particular environments. These innate demands for ever greater certainty are partly in themselves evidence of the need for a change to a management approach where people can better understand and thereby become more accepting of the inherent and emerging risks in their environment before they can begin to prioritize and manage their trade-offs more effectively. They are also an indication that the conventional mindset (of minimizing risks at all costs before acting) is in some areas still alive and well, and that this is itself an obstacle to embarking upon a more systematic management of risk paradigm.

While what follows is unlikely to convince the more rooted of these "show me first" people, it was evident from each of the public and private sector organizations which we contacted that they are convinced that their investments of time, money and staff resources in more systematic management of risk have been beneficial to achieving their respective corporate objectives. Not one of our respondents expressed regrets at having embarked upon this course of action. And none has suggested any suspicion that management of risk is merely a 1990's version of "the emperor's new clothes". They are continuing to see both medium and longer term benefits and causal results which are sufficient to satisfy them and their key stakeholders of the value of the investments they have already made and are continuing to make.

In the private sector there has been some pressure to be more open and transparent about reporting on managing risk as a result of governance guidelines of Canadian stock exchanges (see Key Document Summary No.11). While the governance guideline may have been one of the background motivators for some private sector organizations, none of the respondents mentioned this as their organization's reason for starting their initiative and none noted meeting the governance guideline as a benefit. The Auditor General has for a number of years now been similarly encouraging federal departments and agencies to be both more aware of their risks and how they are being managed, and to be more open in their reporting.

3.3 Summary of Best Practices

All but one of the organizations interviewed suggested one or more best practices as being of possible interest to the federal government. In total twenty-five (25) best practices were put forward. However, due to more than one respondent advancing the same or similar practices, there were actually nineteen (19) separate best practices proposed.

Our literature review revealed five (5) best practices from recent Canadian publications and other reference sources. Three (3) of these were also repeated in our interviews; however, two (2) best practices were unique to the literature review.

In total, therefore, we found 21 (19 + 2) separate best practices. To permit readers to more thoroughly review the context and description of each practice, we have prepared Exhibit 3, which cross-references each of the best practices to the Interview Summary Reports and / or the Key Document Summaries contained in Appendices B and C respectively.

Exhibit 3: Best Practices Reference Chart

| Best Practices | Interview Summary Reports | Key Document Summaries |
| --- | --- | --- |
| 1. Commitment from the top | 1, 3, 5 | 2 |
| 2. Face-to-face workshops for developing senior management support | 1, 4 | |
| 3. Targeting "natural fit" areas | 12, 13 | |
| 4. Risk/Control Self-Assessment sessions | 4, 8 | |
| 5. "Learning by doing" method of training and support | 6, 13 | |
| 6. Planning / reporting on risks | 3 | |
| 7. Developing a core competency first | 6 | |
| 8. Messaging about foundations and monitoring | 10 | |
| 9. Risk Management Policy Framework | 10 | 2 |
| 10. Experienced, committed senior managers to lead initiative | 1 | |
| 11. Risk perception and risk communication | | 3, 4, 6, 8, 10 |
| 12. Risk framework | | 2 |
| 13. Regular attention to the risk management process | 5 | |
| 14. Risk management committee | 2 | |
| 15. Utilizing the best of existing structure to work with | 11 | |
| 16. Independent office | 3 | |
| 17. Comprehensive Risk Management Handbook | 2 | |
| 18. Customized training program | 2 | |
| 19. Clearly defining "risk" | 5 | 2, 3, 9 |
| 20. Scenario planning | 9 | |
| 21. Planning with Partners | 9 | |

3.3.1 Grouping of Best Practices

It appeared to us that twenty-one (21) best practices would be seen as daunting in number and variety. We have not excluded any suggested best practices as virtually all can meet the test of one or more of the originally specified applicability criteria as reviewed by the Advisory Group. However, it is obvious there needs to be some grouping of the best practices and an identification of higher priority groups of practices before a prospective department or agency can begin to assess their applicability to their particular circumstances.

The Best Practices Framework represents a good initial basis for grouping the best practices. The Framework has two groupings: components (managerial structures); and, implementation strategies for risk management. The Framework also has a third group of disciplines and functions where risk management is often applied at the operational level before it is adopted as an organization-wide strategy.

The organizations interviewed generally considered themselves to be at an early stage of developing improved risk management practices. As such, the kinds of issues they are addressing revolve around establishing appropriate Components (management structures) and Implementation Strategies for risk management.

Many of the organizations interviewed found the elements set out in the Best Practices Framework logical but they generally did not use the Framework as a prompt to identify their best practices. Nor did they indicate which element of the Best Practices Framework related to the best practice they were identifying.

Nonetheless, because the Structural and Implementation Strategies are logically associated with developing a new initiative, we have identified below in Exhibit 4 best practices linked with Framework elements as best determined by the study team (see Appendix D for a detailed description of each element). Those departments at the front end of considering their own future risk management initiative will, by referring to the relevant Framework elements, be able to readily reference the best practices most applicable to their stage of development.

Exhibit 4

| Best Practice Framework Strategies | Best Practices |
| --- | --- |
| Structural Strategies: | |
| a) Objectives and values communicated | Commitment from the top; Face-to-face workshops for developing senior management support; Messaging about foundations and monitoring |
| b) Shared responsibility for managing risk and fostering commitment | Risk Management Committee; Independent Office |
| c) Organization-wide | |
| d) Various strategies | |
| e) Monitored and reported to senior management, governing body and stakeholders | Planning / reporting on risks; Regular attention to the risk management process |
| Implementation Strategies: | |
| Defined framework | Risk Framework (Identifying sources) |
| Policy | Risk Management Policy Framework |
| Risk Champion | |
| Task Force | Targeting "natural fit"; Developing a core competency first; Experienced, committed senior managers to lead initiative; Utilizing the best of existing structure to work with |
| Guidelines / training | "Learning by doing" method of training and support; Comprehensive Risk Management Handbook; Customized training program |
| Standard process | Control/Risk Self-Assessment sessions; Regular attention to the risk management process; Scenario planning; Risk perception and risk communications |
| Software | |
| Defined parameters | Clearly defining "risk" |
| Disciplines and Functions: Planning was mentioned most often as the area where work has begun integrating risk management | |

3.3.2 Priority Best Practices

Each best practice reported by respondents was obviously seen as a priority to its identifying organization / author. However, in the context of the federal public service overall, or with reference to any given individual agency, not all of the reported best practices would necessarily have the same weight or value. Priority depends on many factors including an organization's mandate, their existing competence in risk management, the way in which the pace of change impacts on the organization, the relationships and expectations of their stakeholders, etc.

As noted earlier, the original "applicability criteria" proved to be of limited value when attempting to rank and group the twenty-one reported best practices. The criteria were simply too wide-ranging and not sufficiently gradated to either rank, group or even to exclude any of the reported practices. Yet clearly, if the Treasury Board Secretariat and other government departments are to be able to sort through and make use of the findings, there must be some other criteria against which the 21 best practices can be gauged.

For the federal public sector, and for most departments and agencies, we believe the issue of a cultural shift from risk avoidance and control to broader risk management is the most profound challenge in regards to creating and sustaining a "mature risk management environment". Accordingly, we consider Facilitating Cultural Shift as the most important criterion on which to judge the applicability of the reported best practices. Eleven (11) of the best practices were judged to be "helpful" in supporting this criterion. This was also seen as important by many of the departments whose summary results were presented in the Consulting and Audit Canada study.

Eight other criteria were developed by the study team, in part from the original list, in part from the feedback on departmental needs and barriers as reported in the CAC study, in part from the literature, and finally from the study team's knowledge of and work with other federal departments in this field. Exhibit 5 illustrates a suggested order of the other criteria. These criteria may be of future value in refining and focussing any additional best practices, but this would likely need to be done with further interdepartmental consultation.

Exhibit 5: Best Practices / Applicability Criteria Matrix

Applicability Criteria (numbered columns in the matrix below):

  1. Facilitates Cultural Shift
  2. Fosters Supportive Environment - "walk the talk"
  3. Supports Accountability
  4. Addresses Benefits / Resources Issues
  5. Develops stakeholder communications
  6. Builds on existing knowledge and practices
  7. Addresses tools, training, expert advice issues
  8. Provides common language
  9. Helps understand risk

| Best Practices (Interviews / Literature Review) | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1. Commitment from the top (3)¹ (1)² | U | U | U | | | | | | U |
| 2. Face-to-face workshops for developing senior management support (2)¹ | U | U | U | | | U | | U | U |
| 3. Targeting "natural fit" (2)¹ | U | | | U | | U | U | | U |
| 4. Control/Risk Self-Assessment Sessions (2)¹ | | | | U | | U | U | | U |
| 5. "Learning by doing" method of training and support (2)¹ | U | | | U | | U | U | U | U |
| 6. Planning / Reporting on Risks | U | U | U | | U | | | U | U |
| 7. Developing a Core Competency first | U | U | | U | | U | U | U | U |
| 8. Messaging about foundations and monitoring | U | U | U | | U | U | | | U |
| 9. Risk Management Policy Framework (1)¹ (1)² | U | U | U | | | | | U | U |
| 10. Experienced, committed senior managers to lead initiative | U | U | U | U | | U | | | U |
| 11. Risk Perception and Risk Communication (5)² | U | | U | | U | | | | U |
| 12. Risk Framework (Identifying sources) | U | | | | | | | U | U |
| 13. Regular attention to the risk management process | | U | | | | | U | | |
| 14. Risk Management Committee | | U | | | | | | | |
| 15. Utilizing the best of existing structure to work with | | | | U | | U | | | U |
| 16. Independent Office | | | | U | | | | | |
| 17. Comprehensive Risk Management Handbook | | | | | | U | U | U | U |
| 18. Customized training program | | | | | | U | U | | |
| 19. Clearly defining "risk" (1)¹ (3)² | | | | | | | | U | U |
| 20. Scenario planning | | | | | | | | | U |
| 21. Planning with Partners | | | | | U | | | | U |

¹ Indicates number of times this best practice is identified in interviews

² Indicates number of times this best practice is identified in literature review of key documents

3.4 Conclusions and Recommendations

3.4.1 Conclusions

What follows are some of the key conclusions which the study team felt were worthwhile highlighting from the volumes of data and documentation that were brought to light through this study.

  1. It Makes Sense to Heed the Factors Demanding Management of Risk

    Factors such as the global pace of change, resource restraint, growing openness, transparency and accountability and significant continual organizational change present a demanding case for better management of risk.
  2. Benefits are There Even Though They are Not Easily Measured

    It is a difficult (albeit impossible) exercise to attempt to determine or accrue tangible benefits that measure the distance from a course followed to a course not followed. However, it was evident from each of the public and private sector organizations contacted that they are convinced that their investments of time, money and staff resources in more systematic management of risk have been beneficial to achieving their respective corporate objectives. Not one of our respondents expressed regrets at having embarked upon this course of action. These organizations are continuing to see both medium and longer term benefits and causal results which are sufficient to satisfy them and their key stakeholders of the value of the investments they have already made and are continuing to make.
  3. Best Practices Very Instructive

    For the federal Public Service to successfully implement a more comprehensive approach to management of risk the best practices and lessons gleaned from other public and private sector organizations will prove to be instructive and will reduce the need to "re-invent the wheel". However, it must be acknowledged that each federal agency will nonetheless need to customize and adapt these best practices and lessons to suit its own particular culture and environment. It should also be acknowledged that a Westminster parliamentary environment does present its own formidable challenges not having to be faced by private sector risk managers, and that these will generally be less susceptible to fully rational, systematic approaches. In addressing such challenges, a healthy blend of both intuitive and systematic management of risk is the suggested prescription.
  4. Leadership and Support Must be Visible

    Leadership and support must be visibly and regularly demonstrated from the top. It was also explicitly recognized by most of the organizations examined that moving toward more systematic management of risk required a change in their organizational culture. More particularly they needed to develop and promote an environment of support for innovation and more conscious risk-taking, with the corollary recognition that there would be "misses" as well as "hits".
  5. Develop Competency First

    While it is clear that across Canada, the private sector had generally initiated its investments in more systematic comprehensive management of risk two to three years in advance of the federal public sector, the gap between these two sectors' current state of practice is not all that great. Seven (7) of nine (9) private sector organizations participating were not yet developing systems for organizational-wide management of risk, and most were concentrating first on developing a competency in risk management within a specific discipline. While the long term goal for most is an organization-wide approach where everyone takes responsibility for managing risk, especially in an environment where new resources are limited, starting by targeting "natural fits" in a more focussed fashion and building on some early "successes" in these areas is a preferred strategy.
  6. Care Must be Taken in Explaining and Defining "Risk"

    Clearly defining "risk" (Best Practice # 19) requires special consideration, whether it is for an individual organization, or for the federal Public Service as a whole. There are many proponents who would define risk as having the potential for either harm or reward - something referred to as "downside" and "upside". And there are others who argue that it is best to stay with a more traditional view that risk is only a negative orientated concept and to try and include opportunity "strains the commonly understood meaning of risk" (Key Document # 1). Even within recent Treasury Board documents, this dichotomy is occasionally noted. In the organizations interviewed, the discipline where risk was defined as both upside and downside most often was the planning function. The link to planning draws in the link to opportunities. Risk management is seen as a tool to help exploit opportunities as well as a tool to manage hazards. However, each organization, and the Treasury Board Secretariat in particular, should carefully consider whether it is necessary to include both sides in the corporate definition in order to both exploit opportunities and manage hazards.

    A corollary to the definition issue above is the need for common terminology so that "everyone is speaking the same language" when risk is being assessed and communicated. This fits in well with the TBS approach of understand-manage-communicate.
  7. Risk Communication is Key

    One of the findings arising from our review of the Canadian literature was that while the private sector implicitly recognizes the importance of more effectively communicating on and messaging their risks, most of the explicit research done in Canada has been focussed on the public sector. This may have occurred because of the greater ease of access to documentation on issues affecting the public where communications (or lack thereof) were a significant factor in the unfolding of the particular issues being reviewed. In any event, the literature does already offer some valuable lessons learned to guide the federal public service in its risk communications strategies. Further, it is likely that there may exist still other unpublished lessons within the academic community which may be of value to the Treasury Board Secretariat in developing its guidance for departments and agencies. Finally, given the communications and psychological expertise which does exist in Canadian academe, it may be of interest to the Secretariat to more actively pursue some research and advisory partnership arrangements with some of the centres where this expertise and knowledge exists.
  8. Ongoing Investments are Necessary

    It is also clear that management of risk cannot take hold and be practiced routinely by management and staff in an organization without dedicated up-front and ongoing investments. A framework laying out the strategic elements and specifying the implementation parameters for the particular organization is an essential initial product. Implementation strategies may vary, dependent upon the objectives, but should contain some investments in training, communication, promotion and process support to ensure that there is common understanding, management and communications. Finally there should be a designated responsibility centre to serve as both the source of "expert" support to others within the organization, and to sustain the process and ongoing communications of both successes and lessons learned.

3.4.2 Recommendations

  1. The Best Practices Framework should be refined into a Management of Risk Framework for providing guidance to departments on how to address the organizational / strategy implications and the risk management process implications of any initiative they would undertake.
  2. Messaging about Management of Risk from Treasury Board Secretariat should address:

    • Benefits are there even though they are not easily measured; and,
    • People, systems and processes are valued as the current "foundation" to move toward more systematic management of risk.

  3. Treasury Board Secretariat vision for management of risk should promote departments developing management of risk on a blend of organizational-wide initiatives (e.g. linkage to planning / reporting, assessment of high risks) and targeted initiatives (e.g. continuous risk management of a major project).
  4. Treasury Board Secretariat should provide a definition of risk which is supported by an explanation of how the definition is implemented to address both opportunities and hazards.