Treasury Board of Canada Secretariat

ARCHIVED - Review of Canadian Best Practices in Risk Management



Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Appendix A Participating Organizations

  • Canada Trust, Toronto ON
  • CCL Industries Inc., Willowdale ON
  • Hospital for Sick Children, Toronto ON
  • Hydro-Québec, Montréal, QC
  • Bank of Montreal, Toronto ON
  • NAV CANADA, Ottawa ON
  • Noranda Inc., Toronto ON
  • NOVA Chemicals Inc., Calgary AB
  • Government of Ontario
      • Management Board of Cabinet, Toronto ON
      • Ministry of the Attorney General, Ottawa and Orillia, ON
  • City of Ottawa, Ottawa ON
  • Petro-Canada, Calgary AB
  • Gouvernement du Québec, édifice du vérificateur général du Québec, Québec QC
  • City of Winnipeg, Winnipeg MB

Appendix B Interview Summaries


Interview Summary Report No. 1: Private Sector Entity


This organization has several efforts underway to enhance its management of risk. These efforts are not guided by a single, strategic organization-wide management of risk objective against which one would be able to discern best practices. Nonetheless, managing risk is very important to the organization, and some of its practices were judged as "best practices" on the basis of their portability and their very important contribution to the progress to date in enhancing the management of risk in this organization.

Best Practices

Commitment from the top was identified by this organization as their first best practice. The commitment was expressed to all staff in correspondence from the Chief Executive Officer (CEO) and it was explained further in the organization's strategic planning document. The commitment was expressed in several ways, not the least of which was to note that this initiative is one which requires the breaking down of traditional "silos" and is being developed over a three-year planning horizon.

Developing senior management support through face-to-face workshops was also considered a best practice for this organization. The face-to-face approach was found to be very effective in helping the organization's leaders to understand the initiative so that they could commit themselves to providing a supportive environment built upon this understanding.

Finally, this organization identified the fact that they had an experienced, committed senior manager to lead the initiative as a best practice. An atmosphere of risk-taking from the top exists by the very fact that a managing risk initiative is formally put in motion. In one sense, this was seen as the CEO "walking the talk" by promoting the initiative. The experienced senior manager in charge of the initiative is the CEO's method of managing his risk. It was commented that there was quite a bit of trust developing.

Good Practices

Good practices in support of the initiative were also discussed. The first was that there were to be changes in the process requirements for projects and initiatives whereby risk assessments were going to be required before changes/decisions were to be implemented, given certain dollar thresholds. The other was the use of the Canadian Standards Association (CSA) Q850 process. Adopting Q850 saves the time of building one's own methodology, and it has an emphasis on risk communications that is important to this organization.


Interview Summary Report No. 2: Public Sector Entity


This public sector organization began its move from insurance-based risk management to a more comprehensive pro-active approach in 1992. The evolution of their thinking passed through several stages beginning with a Policy on Personal Safety and culminating in a Policy on Risk Management. Their risk management objective is focussed on reducing liability and claims. Their training package, developed in-house and customized for separate departments, has been sold to other Canadian and American public sector entities.

Best Practices

Arising from the approved Risk Management Policy Statement, development of a comprehensive Risk Management Handbook that is annually updated was considered a best practice in helping achieve their risk management objective. This Handbook, much of it related to examples of controls and checklists for staff to use (and retain as documentation), covers almost every aspect of their operations and is distributed throughout the organization and made available on their Intranet.

A customized training program which is mandatory for front-line and management staff was also identified as a best practice. It has several interesting features including case studies, a video produced in-house, training delivered at the work-site, and senior managers involved in presentations to staff (thereby demonstrating "commitment from the top"). Their training delivery is interactive to engage staff, and they use in-house experts to deliver the bulk of the subject matter. A risk management game has been developed as part of the training, and is also used as a general refresher for "graduates".

The whole risk management process is overseen by a Risk Management Committee comprised of a broad cross-section of senior personnel, some of whom are participating on a rotational basis. This body meets twice yearly to review trends and incident summaries, to identify the need for future risk management measures and controls, and also to undertake post-mortem reviews of major incidents to determine lessons learned.

Good Practices

The Senior Management Committee approved an internal Risk Management Policy Statement at the beginning of the implementation process. The lead person responsible for most of the conceptual development and implementation of the organization-wide approach is a broadly experienced and highly dedicated risk management practitioner. This person's risk management expertise was gained initially from the insurance and security perspectives within the organization, and the person is currently operating with strong management support from within the legal context.


Interview Summary Report No. 3: Private Sector Entity


This private sector corporation made its move to invest more directly in managing its key risk areas when it set up a new organizational group to guide such efforts in December, 1997. They consider themselves to be at the beginning stages of organization-wide implementation but have a clear game plan and have invested in a strong internal process base. They are developing specific strategies to broaden implementation beginning with the initial involvement of management personnel across the whole corporation and eventually involving all employees.

Best Practices

The reporting of risks on an integrated and tiered basis is considered to be a best practice for this organization. Their reporting begins at the highest level with a Strategic Plan which takes a 5-year horizon. "Risks & Opportunities" are identified and corporate risks to be managed are prioritised. Each unit and each manager produces their own annual internal report which specifies their particular area's specific risks and opportunities and how they will attenuate/pursue these and how they will measure the impacts of their interventions. At least one formal risk management report is prepared annually for the Board of Directors. Also, Risk Management reports on the priority strategic risks are prepared 3 to 4 times per year for the Finance and Audit Sub-committee of the Board.

Commitment from the top was also considered a best practice. The initial successes achieved here were driven by two powerful Risk Champions on the Board (Chair and President). It takes this level of commitment when the initiative in question represents a strategic change in the organization's approach to managing and involves a change in corporate culture.

The final best practice identified by this organization was their independent office for risk management. Not affiliated with either Audit or the Comptroller's office, it was created in 1997 and reports to the Vice-President of Finance. They approach managers throughout the corporation working as "consulting partners" to help them with their Risk Management issues and with the processes of identification and assessment. They have set up an internal advisory working group with broad representation and have recently begun a communications and information program to inform all employees. They are also establishing an Intranet site and working to develop training packages to support the overall initiative as it rolls out to the balance of the corporation to ensure that everyone understands this new concept as it applies to their area of responsibility.


Interview Summary Report No. 4: Public Sector Entity


There has been awareness for a few years about the need to manage risk strategically. Initiatives have been started in terms of redesigned planning activities that must also include risk identification and assessment. Overall, they considered themselves to be at the beginning stages and there was much left to do.

In another part of this entity there were local efforts to refine the integration of risk into the planning process. The local initiatives led to their concluding that risk management needs to be done on an on-going basis and be part of the skill set of all staff; it can't just be done at business planning time. They also commented that time spent on educating staff on risk and control is a worthwhile investment as risk management needs to be clearly understood before it can be used effectively.

Best Practices

This organization suggested their "hands-on approach" to developing understanding at the top as a best practice. Support from the top is critical for any new initiative. Meetings with small groups of senior managers have been held to explain the initiative and develop understanding and support.

Control and Risk Assessment (CRA) sessions were suggested as a best practice for helping work units link risk management with business planning. CRA sessions, by design, are a structured way for staff of a work unit to identify risks and controls with the assistance of a facilitator. According to this respondent, staff using the structured approach were better able to articulate major issues, and there was more credibility about the results.


Interview Summary Report No. 5: Private Sector Entity


This Canadian organization has long been in the practice of managing financial risks. However, they noted that, historically, their approach has been very specialized, focusing on quantifying risk and relating it to the capital base of the organization. Recently they have begun working with senior management on the identification of other key risks for their organization. In their 1998 annual report, they state that "risk can and should be integrated into all of our business decisions rather than managed as a separate element". This organization identified some best and good practices.

Best Practices

Commitment and regular attention to the risk management process from the top was suggested as a best practice for this organization in broadening out their management of risk. They have established a Senior Executive Risk Management Committee, including the Chief Executive Officer and Chief Financial Officer, who oversee and monitor the process of risk management throughout the organization. They also screen major new initiatives to ensure cross-organizational impacts are managed in pursuit of new opportunities without compromising the overall business objectives.

Another best practice for them was clearly defining risk in the context of achieving their overall business objectives before investing resources to measure and manage it. They have done this and have revamped their organizational structure to monitor, measure and act upon their current and progressive risks.

Good Practices

This organization believes that they must measure their well-defined risks in order that they can be managed. For their major strategic risk areas they incorporate the use of sophisticated and comprehensive measurement indices to both alert management to upcoming issues and to track results of their risk mitigation measures taken. The general outcome of this is reported to stakeholders in the Annual Report.

The 1998 Annual Report contains substantial reporting on risk management, providing considerable detail (11 pages) to shareholders, covering elements from structure, categories and process through to detailed discussion of each of their key risk areas and generally how these are being managed. They see this information as building shareholder and customer confidence in the organization's ability to enhance shareholder value and to protect customer assets.

In support of their risk management strategy, they report having invested in the deployment of dedicated risk specialists in each business unit to assess performance variance and support the business activities.


Interview Summary Report No. 6: Private Sector Entity


This Canadian corporation has recognized the benefit of managing all business risks in an integrated manner. In broad terms, their objective for managing risk better is to establish an approach that is holistic, organization-wide, and that ensures external and internal risks are identified and managed through a structured, systematic analysis of risk, consequences and opportunities. A presentation was made to senior management for approval to start the initiative. The corporation is still in early development by their own self-assessment.

Best Practices

Developing a core competency first was a strategy implemented by this organization and they considered this one of their best practices. Get the process going before expanding it too broadly. This enables you to work with less information and resources in the beginning until process and concepts are familiar. Then this can be broadened out. It enables you to "keep your eye on the ball" and not get lost in the sheer magnitude of embarking upon too ambitious a workload. Part of developing a core competency is not getting caught up in identifying all risks at once. They recommended holding back on the tendency to try to formulate a Corporate Risk Profile at the outset.

Another practice which was described as particularly effective was their "learning by doing" method of training and support. Don't worry about concepts and methodologies too much at first. Initial training efforts have been successful because they have been targeted to areas where there would be a natural fit. Initial training efforts are really the core group providing hands-on support so that the target group learns the process by using it in their particular area. Risk Management concepts and tools training courses are offered after the process is shown. Change the way people work and this will facilitate changing the way they think.

Good Practices

Some other practices of note were undertaking this initiative with the right people and the development of a Risk Management Plan. The use of knowledgeable persons with background in and familiarity with risk management at the beginning is critical. These persons typically were found in the financial, legal, and insurance areas. The Risk Management Plan ensures a set of plans and objectives are agreed upon and developed in consultation with senior management.


Interview Summary Report No. 7: Private Sector Entity


This organization has well-developed practices for managing risks in one of its major operational areas. The organization does not yet manage its risks organization-wide and holistically but the need for such a broader approach has been discussed. There is a good level of understanding about the benefits of a more holistic approach at the Board of Directors level. Benefits anticipated from this broader approach include assurance about liabilities being adequately covered, reputational loss being adequately addressed, and assurance that all key risks are being considered.

This organization is poised to start developing its more holistic approach and it recognizes that there will be a challenge in marketing the initiative. The group sponsoring this is addressing the marketing issue by establishing a team approach with the operational group that has extensive risk management experience in their specific function.

There were no best practices to suggest because they are just beginning their holistic approach; however, they suggested that some of the practices they were intending to adopt should be considered good practices.

Good Practices

This organization is planning to undertake a Risk Review. They will conduct a corporate-wide look at the organization with respect to strategic risk management and what its impacts and needs are in each area. The results of this review will be used to assess the gap between needs and existing expertise and processes. This organization already has some well-developed parameters and risk measurement and analysis expertise and tools as well as general risk reporting structures in place. They intend to use what they have in order to build into these systems, not add on to them.


Interview Summary Report No. 8: Public Sector Entity


In this public sector entity, a systematic risk assessment / risk management methodology has been developed and applied by staff from the Internal Audit Office (IAO). The IAO offers its services as "consultants" who facilitate the application of the systematic methodology. Benefits of using their methodology extend beyond improved analysis of risks and opportunities to include development of better client working relationships and better access to information for planning future audit work. The future audit work would validate the effectiveness of the risk mitigation measures and resource investments chosen by the client.

Best Practices

Risk self-assessment by the management of work groups led by an external facilitator was suggested as a best practice. Tools and models have been developed to ensure an efficient and effective systematic analysis. The use of consistent tools and models also allows for a comprehensive report summarizing the results of all the work groups. Their structured methodology includes a means of numerically quantifying risks, tailored to the client's operating environment. This aids decision-making on which risk areas to prioritize and subsequent decisions on where to invest limited resources to manage the priority residual risks.


Interview Summary Report No. 9: Private Sector Entity


This Canadian corporation has made significant use of risk management for its strategic major projects, recognizing that it is in a transition toward becoming a more global player. It has not yet started a corporate-wide risk management initiative but has chosen to focus on major projects where it has established broad objectives for re-examining how it manages risk. It has found that more traditional risks such as market and financial risk are adequately managed but there would be benefits from managing all risks including socio-political and technological risks more systematically. Its efforts to examine some of the softer risk areas more systematically have led to the development and use of new analysis tools and to being more careful about ensuring it is not under-managing new exposures during its current transition.

Best Practices

Scenario planning was suggested as a best practice for this organization. Scenario planning, as used by this organization, provides a context for planning, but scenarios are different from existing planning tools such as a one-year plan. Scenarios are possible and plausible futures; scenario planning examines various uncertainties (risks), which future the organization is most prepared for, and which presents the greatest challenges. This technique provides essential views on how the world (risks) will unfold as a basis for investment decisions.

Planning with partners was also suggested as a best practice for this organization. Planning with one's partners brings broader insights to the table which help identify risks and also more experience from having used different techniques to manage a certain risk. Working with one's partners to examine risks brings excellent benefits besides effective risk identification and mitigation strategies. It helps to build communication and trust between partners or it can signal a relationship that would not work out.

Good Practices

This organization noted that it had developed a number of templates to improve its systematic and structured analysis of risk. It has found the templates are a good practice because they facilitate an efficient and consistent process.


Interview Summary Report No. 10: Private Sector Entity


This organization has, like many other private sector organizations, traditionally concentrated on managing its financial risks and has built organizational structures and processes over the years to ensure this is done well. It has now set itself an objective to broaden its systematic management of risk to other business operations and events such as security, informatics, human resources, regulatory, legal, etc. It considers these areas as a brand new frontier and recognizes the key challenge in moving in this direction is the cultural shift involved. Cultural shift takes time and it expects the implementation initiative will require 1 - 2 years.

Best Practices

A best practice for this organization was their messaging about existing personnel, systems and controls as valued foundations and that new risk management approaches will require careful testing and monitoring. Essentially, the message is that existing personnel, systems and controls are already supposed to manage all the organization's risks so new risk initiatives should not suggest the foundation is not doing the job. New risk initiatives should message that the foundation is managing the organization's risks but the new initiatives seek to provide more assurance of this against the backdrop of an increasingly challenging world environment. This organization is developing new models and tools to help manage risks better but these models and tools will not be incorporated into the foundation without careful testing and monitoring. This organization suggested that they will be monitoring the new risk initiatives very closely in order to be timely in assessing what is working and what lessons can be learned.

Establishing a risk management policy framework was also a best practice for this organization. Given the cultural shift involved in moving risk management concepts beyond the traditional financial area, a policy framework is important to clarify expectations and roles and responsibilities about this new direction. Their policy framework was built based upon existing well-known models of internal control and risk principles to strengthen its conceptual foundation.

Good Practices

Pilot with centres of competency was identified as a good practice. Their implementation strategy includes targeting groups which already have a good level of competency in risk management for the initial pilot projects.

The idea of building upon what you have was a suggestion worthy of noting as a good practice. For this organization their reporting structure for financial risk was well developed so it was intended that they would build on what they have for financial risks to report on other risks as they broaden out their attention on managing other areas of risk.


Interview Summary Report No. 11: Public Sector Entity


This organization is at the outset of undertaking a formal risk management program with the overall objective of making its departments more accountable for losses as well as allowing for greater public transparency. They would like to empower their staff to become more proactive in the handling of unfavourable events. Challenges ahead include ensuring support from the top and ensuring there is enough information in order to monitor or trace relative outcomes of events. This organization's next step is to complete a needs analysis to understand what it has and what it needs to achieve its risk management objectives.

Best Practice

Utilizing the best of what it already has to work with was suggested as a best practice for achieving its overall risk management objectives. The organization has taken a step in this direction by amalgamating its like processes into one central function. It has combined its existing risk management specialists and knowledge under one roof. In addition, it has assigned a risk professional with a strong competency in this subject matter and in integrating various processes to head up the function.


Interview Summary Report No. 12: Private Sector Entity


This organization did not start out with a specific, clear objective about managing risk better. An initiative to establish an ongoing review and assessment of systems and controls using control and risk self-assessment methodology was started a couple of years ago and a focus on managing risk better has become a feature of this initiative. Control and Risk Self-Assessment (CRSA) sessions now spend more time analyzing risks than had been originally intended.

The culture of the organization is entrepreneurial such that there is a challenge for any new initiative that starts at the centre and is brought out to the independent-minded operating divisions.

Best Practices

Targeting "natural fit" areas and working with them on small pieces at a time was a best practice for this organization given the cultural resistance to initiatives from the centre and no direct objective yet about managing risk. There have been good results based upon an approach involving the manager responsible for CRSA facilitating interactive / participatory brainstorming sessions. Keeping the process and content simple was also a factor in the success of the sessions.

Good Practices

CRSA sessions are developed around the internal control framework. They feel that it is not necessary to commit their own resources to building a framework from scratch when there is available an existing one that can be easily adapted to suit their particular needs. In order for any framework to be supported it must be customized according to the organization's individual environment.


Interview Summary Report No. 13: Private Sector Entity


This organization has been developing a more "holistic" view of risk associated with its safety, health, environment and risk management disciplines. There were programs and processes in place to analyze risks in these disciplines but separate processes and individuals were involved. Their approach now involves systematic risk analysis by a multi-disciplinary group who compares their analyzed results to "acceptable risk criteria". This organization began with activities in its operational side but is now looking to expand its risk management methodology to a wider scope of business risks with particular focus on financial risks.

Benefits identified for the "holistic" approach include increasing the ability to make better decisions in areas where risk and uncertainty have a key role; assistance in assurance of due diligence; improved understanding of risk and communication of such to the organization's senior management and Board of Directors; and, the development of a cross-functional resource group across the organization now referred to as the "Integrated Risk Centre of Excellence". This centre will lead the continuous improvement of risk management.

Best Practices

Targeting processes or disciplines where there is a "natural fit" was identified as a key best practice for this organization. There was awareness of the need for early demonstration of results and benefits where initial resource investments would be intensive. Targeting disciplines with a natural fit provides access to resources with relevant experience and in this case one of the groups had a standard developed on acceptable risk which was used as a starting point.

Part of the targeting also involved operational activities where highly quantitative analysis was possible. Building on their experience to date they are now developing a semi-quantitative companion tool which can be used by a wider audience and used to assess smaller scale risks.

Training by doing was suggested as another best practice. The approach taken by this organization involved bringing groups together with appropriate experts at the sessions (e.g. engineers, operators, maintenance staff, legal, etc.). Not only is their experience and expertise useful to the analysis but also their involvement supports the objective of integrating risk-based decision-making into day-to-day thinking and activities at all levels of the organization. Their involvement helps them understand, using scenarios they are involved in or can relate to, whether to use the quantitative, semi-quantitative or intuitive approach.

Appendix C Key Document Summaries


Key Document Summary No. 1


AUTHOR: William Bradshaw, FCA and Alan Willis, CA
TITLE: Learning About Risk: Choices, Connections and Competencies
PUBLISHED BY: The Canadian Institute of Chartered Accountants (CICA) Criteria of Control Board, Toronto
DATE: June 1998
NUMBER OF PAGES: 134

SUMMARY OF CONTENT:

Learning About Risk (LAR) is the latest in a series of guidance documents on corporate governance from the Criteria of Control Board (CoCo) of the Canadian Institute of Chartered Accountants. LAR is intended to spark thought and discussion that will lead to a better understanding of the nature of risk and of the processes of risk identification and risk assessment. Since bringing the governance community the CoCo internal control framework in 1995, CoCo started drafting a guidance document on how to assess internal control using its internal control framework. LAR has been published while the guide on assessing internal control is under development "to spark thought and discussion" about risk among the governance community which in turn will help CoCo integrate risk into its upcoming guidance document on assessing internal control.

LAR is an important contribution to the body of knowledge on risk in relation to corporate governance. It goes about sparking interest and discussion by introducing seven (7) models which can be used to focus attention on risk. It also provides eleven (11) propositions and a set of questions for directors, managers and service providers.

Interest and discussion are certainly sparked by Proposition No. 1, which defines risk as "the possibility that one or more individuals or organizations will experience adverse consequences from an event or circumstance". The LAR authors acknowledge their definition goes against the grain of current thinking by its focus on harm and not harm and reward. They spend almost five (5) pages explaining their definition and its benefits. They argue that the broader definition strains the commonly understood meaning of risk and has the effect of making risk management encompass virtually all of management, at which point the words start to lose meaning. The authors suggest opportunity should be addressed separately from risk because it takes two different mindsets to assess risk and to assess opportunity. (Published book reviews have taken the authors to task on their strictly negative definition, providing clear evidence of sparks.)

Another important contribution is the clarity with which the authors illustrate the need for both intuitive and systematic approaches. "Managers are finding models helpful as support to the decision-making process for three reasons:

  • the pace of change makes it less likely that patterns observed in prior experience will be reliable guides to current action;
  • decisions require consideration of an increasingly complex web of interrelated factors; and,
  • the magnitude of the consequences of faulty decisions makes worthwhile the cost of achieving additional rigour through the use of models".

The seven (7) models, described in detail with examples, cover virtually all common management decisions and situations involving risk assessment. The seven models are:

  1. Strategic choices: managing risk strategically global view.
  2. Operational risk and control choices: refers to the controllable internal problems of compliance, efficiency, fraud, error and reporting.
  3. Crisis choices: these choices precede catastrophes.
  4. Resilience and survival choices: resilient organizations have deep pockets in terms of liquid assets, borrowing or new capital capacity, and strong relationships with stakeholders.
  5. Leadership choices: involves the ability to accept responsibility when things go wrong and the courage to say 'I'm sorry'.
  6. Choosing to be aware: awareness of self and awareness of others.
  7. Intuition and the choice to deny or act: the authors argue that the acceptance of intuition is more important than plodding logic.

Key Document Summary No. 2


AUTHOR: Lucy Nottingham
TITLE: A Conceptual Framework for Integrated Risk Management
PUBLISHED BY: Conference Board of Canada
DATE: September 1997
NUMBER OF PAGES: 20

SUMMARY OF CONTENT:

This report is considered by far one of the most comprehensive, concise discussions on integrating risk management on a broad corporate-wide basis. It was researched using a wide range of international organizations and through discussions of Conference Board executive councils on integrated risk management. It discusses current thinking, approaches to, and implementation of risk management, with examples, in leading Canadian and international organizations.

In the broad view of risk, integrated risk management must cover all aspects of the business and its activities, from strategy to operations, and all types of risk -- operational, legal, reputational and financial. Integrated risk management is defined as "a framework to pull together a variety of disciplines in the organization that address both sides of risk - minimizing uncertainty and maximizing opportunities". The critical difference between traditional risk management and integrated risk management is that integrated risk management is as much directed to grasping new opportunities as to minimizing losses (the traditional focus of risk management).

Some of the factors leading to the implementation of integrated risk management in organizations are: the increasingly rapid pace of change enabled by technological innovation; new organizational structures and management processes; spectacular, high-profile failures; downsizing, mergers, and acquisitions; globalization; expanding and changing expectations from shareholders and stakeholders; and, calls by regulatory bodies to disclose control frameworks and risk exposure.

This report stresses that there is no single, comprehensive approach to integrated risk management. The risk management approach and the processes and structures selected for risk management are molded in response to the organization's vision, goals and the risk tolerance of shareholders, management and other stakeholders. However, a number of best practices and basic fundamentals are emerging which have these four items in common:

  • a framework for risk management;
  • a top-down-driven and -supported risk management policy, approach and processes;
  • a "champion" or central co-ordination point to ensure the risk management system is implemented and sustained; and,
  • organization-wide risk management processes.

A risk management framework should be developed by a multi-disciplinary team to:

  • situate an organization in its risk context;
  • help an organization to identify and source business risks and their relationship to, and impact on, that organization;
  • help to clarify the interdependence of risk and to separate causes and effects; and,
  • suggest the necessary organizational controls and the proper allocation of resources to manage the risks.

The risk management policy demonstrates the organization's commitment to the process and demands top-level support. The key objective of any risk management policy should be to make risk management the business of everyone in the organization. The policy should include the following:

  • an overview of the risks faced by the company;
  • the organization's general approach to risk management;
  • the objectives for, and commitment to, risk management;
  • key roles, responsibilities and reporting practices; and
  • comments on the management of unique classes of risk.

The risk "champion" may be an individual assigned or a group or committee that evaluates key decisions against risk management criteria.

Processes must be structured so each area of the organization and all employees take ownership and are accountable for the risk associated with their function. The policy must also set out the organization's broad tolerance and limits for risk exposure for each area of the organization, as well as the risk assessment processes. Organizations use a number of qualitative, quantitative and semi-quantitative measurements and methodologies to assess risks and their level of acceptance. Once an organization has assessed and prioritized its risks, it can determine the necessary response.

Training is essential to create a common process developed centrally but implemented locally and to build the employees' capacity to take ownership for risk management within their spheres of authority and accountability.

As risk management methodologies are rolled out across all departments, it becomes possible to quantify all forms of risk facing an organization to create an overall risk profile and identify total risk exposure. Armed with this figure, management and the board could clearly communicate the risk, reward and dangers of the organizational strategy. Further, comparable quantification of all risks would allow the organization to compare the risks and rewards of different strategies and scenarios.

It was found that organizations with integrated risk management processes have a competitive advantage in being better able to exploit risk opportunities and minimize risk hazards as well as anticipating and responding to change. Examples are given by the Business Development Bank of Canada, Microsoft Corp., Engage Energy U.S., Barclays Bank, Royal Bank of Canada, Standard Chartered Bank, Conference Board of Canada and Syncrude Canada Ltd.


Key Document Summary No. 3


AUTHOR: Canadian Standards Association (CSA) Technical Committee on Risk Management
TITLE: CAN/CSA-Q850-97 Risk Management: Guideline for Decision Makers
PUBLISHED BY: CSA
DATE: 1997
NUMBER OF PAGES: 46

SUMMARY OF CONTENT:

This guideline provides definitions and a process for managing risk. The definition of risk reflects only negative effects (i.e. chance of injury or loss) but the six-step process for managing risk includes examining benefits and cost as part of the decision-making process.

The Q850 process has six steps:

  • Initiation
  • Preliminary Analysis
  • Risk Estimation
  • Risk Evaluation
  • Risk Control
  • Action / Monitoring

The Q850 guideline pays great attention to incorporating risk perception and risk communication into the decision process. Risk perception and risk communication are addressed in detail to provide the reader a sound understanding of these key concepts. Risk communication is built into the process through steps which advise that the acceptability of risks to stakeholders is vital to risk management.


Key Document Summary No. 4


AUTHOR: Powell, D. and Leiss, W.
TITLE: MAD COWS and Mother's Milk: The Perils of Poor Risk Communication
PUBLISHED BY: McGill-Queen's University Press Magazine
DATE: 1997
NUMBER OF PAGES: 303

SUMMARY OF CONTENT:

Communicating the nature and consequences of environmental and health risks is one of the most problematic areas of public policy in western democracies. Given the perceived risks associated with the food we eat, chemicals in the environment, and modern technologies, consumers need clear, timely and understandable explanations of the nature of those risks - but they rarely get them. Using a series of recent high-profile case studies, Douglas Powell and William Leiss outline the crucial role of risk management in dealing with public controversies and analyze risk communication practices (and malpractice) to provide a set of "lessons learned" for risk managers and communicators.

These studies show that institutions routinely fail to effectively communicate the scientific basis of high-profile risks. These failures to properly inform the public make it difficult for governments, industry and society to manage risk controversies sensibly, thereby resulting in massive and oftentimes unnecessary incremental costs. With its detailed analyses of specific recent risk management controversies, Mad Cows and Mother's Milk may help risk managers avoid similar future mistakes.


Key Document Summary No. 5


AUTHOR: Ron S. Dembo and Andrew Freeman
TITLE: Seeing Tomorrow: Rewriting the Rules of Risk
PUBLISHED BY: John Wiley & Sons Inc.
DATE: 1998
NUMBER OF PAGES: 253

SUMMARY OF CONTENT:

Seeing Tomorrow is a book about weighing financial risk in everyday life. The authors provide a forward-looking approach to risk management and offer guidance on very specific real life problems, such as buying a house or suing someone, as well as on broad strategy and investing.

The authors define financial risk as "a measure of the potential changes in value that will be experienced in a portfolio as a result of differences in the environment between now and some future point in time". Their main elements of forward-looking risk management are:

  • Time Horizon: Over what period of time are we concerned to consider our exposure to risk?
  • Scenarios: What events could unfold in the future and how would they affect the value of our investments?
  • Risk Measure: What is the unit we are using to gauge our exposure to risk?
  • Benchmarks: What are the points of comparison against which we can measure our performance?

The authors also introduce a very interesting risk concept they call "Regret". Regret is associated with the feeling one will have for given outcomes. Regret varies depending on one's circumstances. Most would not regret losing $1 if they do not win on a $1 million lottery. However, most would have greater regret from losing $10,000 if they do not win on a $10 billion lottery, even if there were better odds of winning.

The authors set out a series of risk rules for making decisions. These include: choosing an appropriate time horizon; selecting scenarios; computing Value at Risk (VAR); assessing both the upside and the downside of a potential deal; calculating Regret; and, compiling a reliable Regret matrix.


Key Document Summary No. 6


AUTHOR: N.C. Lind, J.S. Nathwani and E. Siddall
TITLE: Managing Risks in the Public Interest
PUBLISHED BY: Institute for Risk Research (IRR), University of Waterloo
DATE: 1991
NUMBER OF PAGES: 242

SUMMARY OF CONTENT:

This study takes the position that public resources have often been misallocated on safety issues in the past. The misallocation relates to the diminishing efficiency of risk reduction -- controlling the last 10 percent is much more expensive than the 90 percent portion. The authors suggest that the process by which safety decisions are made is faulty because a rational framework is lacking. The faulty safety management process has the very serious end result that both lives and resources are being wasted.

This study develops the theme that progress in the management of risk is possible if an open accounting is rendered of the risks and benefits. The study goes on to suggest that maximizing net benefits to society among reasonable alternatives should be a guiding principle and provides a framework for the implementation of this principle. Two combined indicators of the expectancy and quality of life are developed to give criteria for decision-making in public policy matters on life saving and safety.

The role of perceived risk is recognized in this study but not explored in detail as a causal factor in the misallocation of resources. The study simply takes the position that objective and analytical approaches to the assessment of risk should be pursued because actions based upon perceived risk cannot be relied upon for good decisions in the public interest.


Key Document Summary No. 7


AUTHOR: Gerald J.S. Wilde
TITLE: Target Risk
PUBLISHED BY: PDE Publications, Toronto, Canada
DATE: 1994
NUMBER OF PAGES: 234

SUMMARY OF CONTENT:

Target risk is defined as "the level of risk a person chooses to accept in order to maximize the overall expected benefit from an activity". The author defines "risk homeostasis" as "the degree of risk-taking behaviour and the magnitude of loss due to accidents and lifestyle-dependent disease are maintained over time, unless there is a change in the target level of risk". This publication sets out Wilde's theory of Risk Homeostasis along with its supporting arguments and data. This theory provides insights into human risk-taking behaviour. Its arguments are primarily based in the fields of safety and health, but its concepts can transcend any discipline. This book gives real-life examples of how we all set a "risk target" and adjust our behaviour accordingly. For example, if the theory is correct, giving people better-handling cars or better brakes, etc. will encourage them to drive more dangerously. People will adjust their actions to the same level of risk as before. Dr. Wilde goes as far as to argue that the "three E's" -- enforcement, engineering, and education -- do not improve road safety across a whole population. Of particular interest, however, are his discussions on human risk-taking and the individual differences in each of us based in part upon personality, attitude and lifestyle.


Key Document Summary No. 8


AUTHOR: William Leiss and Christina Chociolko
TITLE: Risk and Responsibility
PUBLISHED BY: McGill-Queen's University Press, Montreal & Kingston
DATE: 1994
NUMBER OF PAGES: 379

SUMMARY OF CONTENT:

If there is one lesson in the book, say the authors, it is that "all of us in modern society have a direct and vital interest in the proper allocation of responsibility for risky activity". There is a "fear of falling victim unfairly to uncompensated loss" when exposure is involuntary. This fear can lead to excessive risk-aversion. The authors point out that both individuals and societies can be exposed to the chance of loss as a result of both risk-taking and risk-averse behaviour.

This book explores the issue of the public's pervasive risk-averse attitudes. In the opinion of the authors "one of the chief sources of citizens' overestimation of risk is a vague, intuitive familiarity with the long history -- stretching back to the origins of the Industrial Revolution -- of the calculated under-assessment of risk by our dominant institutions (industry and government), in particular the willful neglect involved in the exposure of workers to hazardous substances and processes". In addition, the authors go on to suggest that there is no venue in which debate over acceptable risk / benefit trade-offs can take place. Furthermore, this lack of venue helps each party avoid taking responsibility for the full consequences of the positions they each hold on what are acceptable risk / benefit trade-offs.

The book also discusses concepts for managing risk in the public interest. Quantitative methodologies and issues such as risk perception and risk communication are discussed in detail. Also discussed in detail are the issues surrounding apportioning of responsibility. These include the proclivity for underestimating risk and how experts and individuals make risk / benefit trade-offs.

Finally, through a series of case studies and a conclusion, the authors propose some useful lessons about how various risk contingencies (corporate / government, labour / local community, public interest constituencies) could manage risk through negotiated consensus about apportioning responsibility.


Key Document Summary No. 9


AUTHOR: FAA Review Team, Financial Management Policy Division, Deputy Comptroller General Branch
TITLE: Guide on Business Risk Management
PUBLISHED BY: Treasury Board Secretariat, Government of Canada
(Internal Document)
DATE: July 10, 1998
NUMBER OF PAGES: 15 plus appendices

SUMMARY OF CONTENT:

This guide was published as a complement to the Report from the Independent Review Panel on the Modernization of Comptrollership in the Federal Public Service. It is intended to provide a common basis for understanding the concept of business risk management across the federal government and also to provide departments and agencies with a framework for the integration of business risk management into their decision-making processes.

The guide offers a standardized process for identifying, assessing and managing risks in a federal government context. It is the result of a review of 15 private and public sector models, and is intended to be adapted to suit particular functional and operational circumstances.

While relatively recent, the definitions of risk and related concepts tend to focus mostly on the downside, and do not appear to sufficiently recognize the risk / reward equation or the value of using systematic risk assessment to determine the appropriateness of pursuing opportunities or initiatives. This conceptual omission does not detract from the general process as outlined in the guide, but there is a need to provide more encouragement for its application to the pursuit of opportunities, innovations or new initiatives.


Key Document Summary No. 10


AUTHOR: Claire McQuillan
TITLE: Colloquium on Risk Management: Report and Recommendations
PUBLISHED BY: Institute on Governance
DATE: March 30, 1994
NUMBER OF PAGES: 11

SUMMARY OF CONTENT:

On March 23, 1994, twenty-three (23) senior representatives from business, consumer and special interest groups, media, academia, politics and government attended a one-day colloquium to discuss how governments manage risk on behalf of the public, and to suggest improvements. The Colloquium was the idea of the Regulatory Affairs Division of Treasury Board Secretariat. While there was a regulatory backdrop for the events, much of what was brought out by the discussions addresses risk management in the public sector in the broadest context.

Participants pointed out that because there are fewer financial resources than in previous decades, decisions must take into account the very high cost and low benefit of controlling some risks. Further, they noted that the need to balance costs against benefits must be explained to the public as clearly as possible. The public has tended to favour zero risk when it has not been explained to them that it is not a free good.

The participants concluded that governments deal poorly with the Canadian public and media in the area of education and consultation on issues of risk management. According to the participants, governments usually underestimate the ability of these stakeholders to understand such discussions.

The Colloquium report noted that participants identified high expectations of politicians, rigidities in the bureaucracy, a general lack of innovation and the unacceptability of making mistakes as public sector barriers working against making improvements in management of risk. A series of recommendations were made for improving communication with stakeholders and addressing the barriers in order to improve public sector management of risk.


Key Document Summary No. 11


AUTHOR: Canadian Institute of Chartered Accountants (CICA)
TITLE: Corporate Governance: A Review of Disclosure Practices in Canada
PUBLISHED BY: CICA
DATE: December 1997
NUMBER OF PAGES: 69

SUMMARY OF CONTENT:

The Toronto Stock Exchange and the Montreal Stock Exchange have required companies to disclose their corporate governance practices since 1995. In 1995 and again in 1996 annual reports of approximately 150 companies listed on these exchanges were reviewed. This report provides examples of good disclosure to help directors and senior management improve their own disclosure.

The Exchanges require the companies to describe their system of corporate governance with reference to fourteen guidelines. Guideline No. 1 refers to the identification of the principal risks of the corporation's business and ensuring the implementation of appropriate systems to manage these risks. The Corporate Governance Report found that 39% of annual reports did a good / very good job on this guideline in 1996, which was down slightly from the 46% assessment in 1995.

The Corporate Governance Report stated:

"As in the prior year, the disclosures on risk management were varied. In some cases the actual risks were disclosed. In other cases, the disclosures only stated that the risks are identified.

The disclosures show continuing differences in practice as to who is responsible for identifying and managing risk. In some cases, responsibility for providing oversight of risk is allocated among various board committees and the board itself. In others, it is senior management who has responsibility for risk management. Little information was presented that indicated how the board satisfied about the reasonableness of the systems in place or representations being made. Some disclosures indicated that risk management was wrapped up in the strategic planning process."

This Corporate Governance Report gave examples of disclosures for BCE Mobile Communications Inc.; Cara Operations Limited; Tech Corporation and Meridian Technologies Inc.

Appendix D Best Practices Framework

DEFINITIONS

In order to provide focus and comparability to the collection of information regarding "best practices" in risk management, definitions of "best practice" and "best practice framework" are presented below.

BEST PRACTICE

A best practice is a strategy, approach, method, tool or technique which was particularly effective in helping an organization achieve its objectives for managing risk. A best practice is also one which is expected to be of value to other organizations. For example, a practice that was particularly helpful in establishing guidance would be of value to many other organizations, including the Treasury Board of Canada Secretariat (TBS) as the provision of guidance to federal departments is one of their important objectives.

BEST PRACTICE FRAMEWORK

A best practice framework sets out the areas where best practices would be expected to be of common interest to a variety of organizations. The basic assumption is that an organization invests resources in managing its risks, both strategic and operational, in order to achieve anticipated benefits. These benefits, which are often defined as objectives for managing risk could be any combination of:

  • communication for commitment
  • enhancement of stakeholder value, achievement of corporate objectives
  • measurement for improved management
  • support for effective accountability and governance
  • strengthening of planning and decision processes (synergy, communications, etc.)
  • increased confidence of stakeholders
  • measurable returns on investments

The best practices matrix we have constructed is outlined below and should be seen as only one possible configuration, selected for its ability to complement other work being done for TBS. It is by no means an exhaustive list. If a practice in your organization has been found to be beneficial, either in achieving your objectives for managing risk, or in the overall achievement of corporate business objectives, but does not seem to fit into this selected configuration please do not hesitate to share it and describe its essence to us. The ultimate test of it as a best practice is whether it may have some value for another organization in their management of risk framework.

1.    Components of Management of Risk:

These are practices for integrating management of risk into the managerial framework of an organization. For example, these would include generic practices for ensuring:

  1. that the objectives and the values for managing risk are defined and communicated throughout the organization;
  2. that the governance and accountability functions reflect the shared responsibility for managing risks and for fostering the commitment at each administrative level of the organization and at the level of its governing body;
  3. that the organization-wide risks are identified and evaluated to support the management processes (planning, resource allocation and decision-making);
  4. that management of risks may be achieved through a series of strategies ranging from:

i) direct mitigation through an internal system of control (and through the continuous improvement of this control system) for those risks which can be directly controlled;

ii) indirect influence, or sharing, partnering, etc. for those risks which can only be indirectly addressed;

iii) simple acceptance and then monitoring of those risks which are beyond either direct control or indirect influence; and,

  5. that management of risk is monitored and there is communication and reporting to senior management, to the governing body and to the key stakeholders.

A more detailed listing of components is appended for reference.

2.    Implementation Strategy:

The practices employed to disseminate and integrate management of risk throughout an organization usually are based on a series of "tools". Examples of tools which could be of common interest may include some of the following:

  • defining a framework which identifies the sources of key business risks and serves as a communication and reporting tool for the organization leading to a common understanding of its risk context which also aids in consistent and coherent analysis and communication of risks;
  • establishing a Management of Risk Policy (or similar authoritative communication tool) to define key implementation strategies such as overall approach, responsibilities, reporting structures and periodic reviews;
  • identifying a "Risk Champion" to provide leadership to management of risk initiatives;
  • using development strategies such as a Task Force, pilot projects and consultant advisors;
  • issuing guidelines, providing training and developing coaches to assist employees and local work teams to manage their risks;
  • adopting a standard process or using an existing standard such as the Canadian Standards Council Q850/97 Risk Management: Guideline for Decision-Makers;
  • employing the use of automated (software) tools to aid in risk analysis; and,
  • defining corporate parameters on risk concepts such as likelihood and severity.

Can you please identify which of these (or other) tools may have been effective in assisting your organization to successfully implement its corporate management of risk objectives?

3.    Disciplines and Functions:

The following are specialized key disciplines and functions where risk management is often applied at an operational level. The practices used to integrate risk management into these specialized disciplines and functions (and in turn into the overall organization) are of common interest. These disciplines and functions would include:

  • planning
  • auditing
  • project management
  • finance
  • security
  • insurance and asset management
  • environmental protection
  • hazardous waste management
  • materiel management
  • real property management
  • information technology
  • legal
  • human resources
  • intangibles (e.g. goodwill)
  • compliance and enforcement
  • service delivery

This list is not exhaustive and, should another discipline or specialized function have been targeted for integrating risk management, a best practice which achieved this objective would also be of common interest. (Please note that we are looking for the management process used to initiate and implement specialized risk management within a given function, not the details of the actual specialized practice.)


Appendix

Components of Management of Risk:

These are practices for integrating management of risk into the managerial framework of an organization. For example, these would include generic practices for ensuring:

1. Policy and Values

That the objectives and the values for managing risk are defined and communicated throughout the organization.

  • Risk tolerance and limits
  • Opportunity and risk taking
  • Risk Coverage
  • Integration in management processes

2. Accountability Structure

That the governance and accountability functions reflect the shared responsibility for managing risks and for fostering the commitment at each administrative level of the organization and at the level of its governing body.

  • Role and responsibilities
  • Governance
  • Commitment

3. Risk Profile

That the organization-wide risks are identified and evaluated to support the management processes (planning, resource allocation and decision-making).

  • Scope: types of risks
  • Identification of risks
  • Evaluation of probability of frequency and of impact
  • Quantification and prioritization

4. Risk Mitigation

That mitigation or management of risks is achieved through the system of control and through the continuous improvement of this system.

  • Control Framework (e.g. CoCo, COSO, etc.)
  • Strategies to directly mitigate risks while following-up/pursuing opportunities
  • Strategies to indirectly influence or to share risks by partnering, insuring, etc.
  • Decisions to accept risks beyond control or influence, and simply enhance monitoring and reporting frequency, while putting contingency plans in place
  • Continuous reassessment of residual risks, plus ongoing updating of strategies

5. Monitoring and Reporting

That management of risk is monitored and there is communication and reporting to senior management, to the governing body and to the key stakeholders.

  • Quality of information
  • Communication
  • Internal and external audit
  • Reporting: to senior management, to governing body, to external stakeholders

Appendix E
Best Practices Interview Guide

Interviewee Guide

Best Practices in Risk Management

i)    Introduction

  1. Please review the materials provided about the nature of the project, the definition of "best practice" and the framework of areas where a best practice may exist.
  2. It is not expected there are best practices in all areas of the framework. It may be your judgment that there were very few best practices and many just good practices which got the job done.
  3. The study would like to concentrate on the "best practices" and it is not necessary to provide much information about the "good practices". However, you will be asked a few questions about your organization's overall approach to managing risk to provide us baseline information for comparative purposes. It is not intended to name organizations in any published material so any information you provide about your operations will remain confidential. However, we will request permission to identify the name of your organization as a participant in this study.
  4. There are some questions about the overview and context for risk management to start the survey. Then each of the three main elements of the framework will be discussed with you individually with regard to whether you have any best practices in each main element and also to obtain some information about your organization regarding each.

ii) Overview and context for risk management

  1. How does your organization define risk in the context of your business or environment?
  2. Does your organization have a general risk management objective under which risk management activities take place?
  3. Do the objectives and values for managing risk represent a new way of doing business in your organization?
  4. What are the benefits of managing risk for your organization or area? (Probe for: communication for commitment; enhancement of stakeholder value or achievement of objectives; measurement for improved management; support for accountability and governance; strengthening of the planning and decision-making process (such as communication or synergy); increased confidence of stakeholders; measurable returns on investments).

1. Practices for integrating management of risk into the managerial framework of an organization

Reflecting on the items we defined from a) to e) and in our Appendix, or any other practice for integration, are there some best practices / lessons learned (obstacles overcome) that you would like to relate to us?

a) Defining the objectives and values for managing risk and communicating them throughout the organization

1. Can you describe in general terms how your organization addresses this item?

i) Does your organization have a formal risk management policy?

ii) What are the key features/messages conveyed? (Probe regarding:

  • objectives/principles
  • opportunity and risk taking
  • risk coverage
  • risk tolerances and risk limits
  • a supportive work environment (i.e. tolerance for mistakes)
  • integration of management of risk with other management processes).

iii) How are risk tolerances managed (i.e. corporately and locally)?

b) Reflecting, in the governance and accountability functions, the shared responsibility for managing risks and for fostering commitment in administrative and governance bodies

1. Can you describe in general terms how your organization addresses this item?

2. What responsibilities do governing bodies of your organization (e.g., Board of Directors, Senior Management Committees, CEO, Ministers, etc.) and senior management have for managing risks? Are they held accountable? If so, how?

3. How does the responsibility/accountability for managing risks cascade through the organization (e.g., through management/administration levels, to all employees)? How are people held accountable?

4. Are significant risks communicated to stakeholders? If so, how, how often, and in what context? Who communicates these to the stakeholders?

c) Identifying and evaluating organization-wide risks to support the management process (planning, resource allocation and decision-making)

1. Can you describe in general terms how your organization addresses this item?

2. What techniques and methods are used for identifying and evaluating risks? (Probe for:

  • the types of risks
  • how risks are identified
  • how risks are quantified
  • how risks are prioritized)

3. Are the results of the evaluation integrated into and systematically referred to in existing management processes (e.g., planning, resource allocation and decision-making)? How?

4. Does the evaluation consider stakeholders' view of risk and the opportunity costs of a risk that is not taken?

5. To what extent has it supported change management and cultural shifts in your organization?

d) Mitigating or managing risks through the system of control and other strategies

1. Can you describe in general terms how your organization addresses this item?

2. Have your strategies or processes for managing risks been changing? Is there an overall strategy for such?

3. Are stakeholders, customers, suppliers or other external bodies involved in your risk management process? In what way?

e) Monitoring the process of managing risks and communicating and reporting to senior management, the governing body and key stakeholders

1. Can you describe in general terms how your organization addresses this item?

2. Is the success in achieving risk management objectives monitored and measured?

3. Is there a specific structure/medium used to report on the management of risk?

4. What is the role of internal audit in your risk management program? (Probe for: monitoring compliance; compliance and providing best practices improvement or advice, best practices, methods, etc.)

2. Practices for disseminating and integrating management of risk throughout the organization

Reflecting on the items we defined in our framework and in our Appendix, or any other practice for integration, are there some best practices / lessons learned (obstacles overcome) that you would like to relate to us?

Can you describe in general terms how your organization addresses this area? (Probe for:

  • a framework that identifies the sources of key business risks and serves as a communication and reporting tool for the organization. It leads to a common understanding of its risk context which also aids in consistent and coherent analysis and communication of risks
  • a control framework that identifies key controls to mitigate risks
  • a Management of Risk Policy (or similar authoritative communication tool) to define key implementation strategies such as overall approach, principles, key risk areas, responsibilities, reporting structures and periodic reviews
  • identifying a "risk champion" to provide leadership to management of risk initiatives
  • using task forces, pilot projects and advisors/consultants
  • issuing guidelines or procedures
  • providing training to employees and work teams to manage their risks
  • providing coaches to employees and local work teams to manage their risks
  • adopting a standard process or using an existing standard
  • using automated tools (software) to aid in risk analysis
  • defining corporate parameters on risk concepts such as likelihood and severity)

3. Disciplines and Functions

i) Are there disciplines and functions within your organization where risk management is applied at an operational level? Which ones?

ii) Are there best practices / lessons learned (obstacles overcome) associated with the management process used to initiate and implement risk management in this / these areas?

Appendix F Reference Materials

PUBLICATIONS:


Boisclair, J.P., Report of the Independent Review Panel on Modernization of Comptrollership in the Government of Canada, 1997.

Bradshaw, William, Learning About Risk: Choices, Connections and Competencies, CICA Criteria of Control Board, Toronto, 1998.

Canadian Institute of Chartered Accountants Criteria of Control Board (CoCo), Guidance on Assessing Control - The CoCo Principles, (Exposure Draft), June, 1997.

Canadian Standards Association, CAN/CSA-Q850-97 Risk Management: Guideline for Decision-Makers, October, 1997.

Dembo, Ron S. and Freeman, Andrew, Seeing Tomorrow: Rewriting the Rules of Risk, John Wiley & Sons Inc., New York, 1998.

Leiss, William and Chociolko, Christina, Risk and Responsibility, McGill-Queen's University Press, Montreal, 1994.

Leiss, William and Powell, D., Mad Cows and Mother's Milk: The Perils of Poor Risk Communication, McGill-Queen's University Press, Montreal, 1997.

Lind, N.C., Nathwani, J.S. and Siddall, E., Managing Risks in the Public Interest, Institute for Risk Research (IRR), University of Waterloo, 1991.

Nottingham, Lucy, The Conference Board of Canada, "A Conceptual Framework for Integrated Risk Management," (212-97 Report), September, 1997.

Wilde, Gerald, Target Risk, Queen's University Press, 1996.


ARTICLES:


Beke, C., "Leadership and Risk Management," Risk Management Review Website, September 1998.

Dickson, Don, "Implementation of Modern Comptrollership-First Steps," FMI Journal, Vol. 10, No. 1, Fall 1998.

Nottingham, Lucy, "Integrated Risk Management," Canadian Business Review, Summer, 1996, pp. 26-28.

Potts, J.C., "Modern Comptrollership: A New Era of PS Reform," Optimum, Vol. 28, No. 2, July, 1998.

Robertson, Michael, "Getting Perspective on Risk," CMA Magazine, June 1997.

Samson, Pierre, "Leap of Faith," CGA Magazine, Vol. 32, No. 4, April 1998.

Weir, Michael, "Federal Comptrollership-The Modernization Challenge," FMI Journal, Vol. 9, No. 2, Winter, 1998.

Wiltshire, Colin, "Managing Risk and Risk Acceptance: A Framework for Reconciling Empowerment," Optimum, Vol. 27, No. 3, 1997, pp. 14-23.


PRESENTATIONS:


B.C. Hydro, Integrated Risk Management: B.C. Hydro Perspective, presentation to the Conference Board of Canada Council on Risk Management, October 9, 1997.

Bank of Montreal, International Risk Management, presentation to the Conference Board of Canada Council on Risk Management.

Business Development Bank of Canada, Risk Management at BDC, presentation to the Conference Board of Canada Council on Risk Management, October 3, 1996.

Canada Trust, Risk Measurement Methods, presentation to the Council on Risk Management, Ottawa, October 15, 1998.

Canada's Chartered Accountants, Transforming Control: A New Way of Managing Risk and Improving Organizational Performance, presentation to the Conference Board of Canada Council on Risk Management, May 6, 1997.

Hydro Québec, Crims' 1998 New Frontiers, Adding Value Beyond the Insurance Box: Hydro-Québec IRM Project, presentation by André-Richard Marcel and Jocelyne Lee.

Laidlaw Inc., presentation to the Conference Board of Canada Council on Risk Management, April 16, 1996.

Integrated Justice Corporate Services, Government of Ontario -- Audit Services Branch, "Control Risk Assessment," presentation to the East Region Management Team, November 1998.

Noranda Inc., Strategic Risk Management, presentation to The Conference Board of Canada 1998 International Conference on Risk Management, March 26, 1998.

Nova Chemicals Ltd., Nova's Integrated Risk Assessment Process, presentation to The Conference Board of Canada, March 26, 1998.

NOVA Corp., Measurement and Identification of Risk, presentation to the Conference Board of Canada Council on Risk Management, October 9, 1997.

Ontario Hydro, Business Risk Assessment Framework, presentation to the Conference Board of Canada Council on Risk Management, October 9, 1997.

Petro-Canada, Integrated Risk Management, presentation to the Conference Board of Canada Council on Risk Management, 1997.


OTHER REFERENCE MATERIALS:


Canada Trust Financial Services, 1996 Annual Report.

Canada Trust Financial Services, 1997 Annual Report.

Canada Trust Financial Services, 1998 Annual Report.

City of Ottawa, "Handbook on Risk Management."

City of Ottawa, "Risk Management" (video tape recording of risk management training process).

FAA Review Team, Financial Management Policy Division, Deputy Comptroller General Branch, Treasury Board Secretariat, "Guide on Business Risk Management," July 10, 1998.

Financial Administration Act Review Team, "Financial Risk Management Strategy," Financial Management Policy Division, Deputy Controller Branch, April 9, 1998.

Institute on Governance, Treasury Board Secretariat, "Colloquium on Risk Management", Ottawa, Canada, March 30, 1994.

Integrated Justice Corporate Services, Government of Ontario -- Audit Services Branch: Courts Services Division, "Audit Update: Update for Divisional Management Committee," August 1998.

Kelly, Terry, "Safety Management in the New Millennium: NAV CANADA as a Case Study," November 4-6, 1997.

Ministry of the Attorney General, Audit and Quality Assurance Branch -- Courts Administration Division, "Self-Assessment Questionnaire" and "Guide to Self-Assessment Questionnaire."

Proceedings of the 1998 Conference Board of Canada International Conference on Integrated Risk Management.

Treasury Board of Canada, "Guidelines on Risk Communications," 1995.