Treasury Board of Canada Secretariat



Review of Canadian Best Practices in Risk Management

April 26, 1999



Summary of Findings

Final Report

Prepared by:
Performance Management Network Inc.

Summary of Findings

Executive Summary


Purpose

Creating and sustaining a mature risk management environment was one of the crucial components of modernizing comptrollership as recommended in the 1997 Report of the Independent Review Panel on Modernization of Comptrollership in the Government of Canada. To enable such an environment, the Treasury Board Secretariat (TBS), with federal departments and other interested parties, is developing a results-oriented approach to risk management to help employees better understand, manage and communicate risk and the related choices - a modern, integrated approach.

As the basis for this work, background research on best practices in risk management was required in the Canadian private sector and provincial public sectors and in the private and public sectors internationally.

Methodology

Thirteen (13) Canadian organizations with ongoing management of risk initiatives were interviewed and Canadian literature on management of risk was reviewed. Nine (9) of the thirteen (13) organizations were from the private sector and four (4) were from the public sector. They covered a broad spectrum of business and public activities. Organizations were asked to identify best practices as something that was "particularly effective in helping an organization achieve its objectives for managing risk and would be of value to other organizations".

A Best Practices Framework was used to focus discussions with participating organizations. The Best Practices Framework contained a listing of suggested strategies where best practices would be expected to be of common interest to a variety of organizations.

This study was conducted in close collaboration with a study of International Best Practices in Risk Management and a Coordinated Conclusions Report was jointly issued by the two studies.

Key Findings

Twenty-one (21) best practices were identified and all have value and relevance for the Canadian federal government. The strategies set out in the Best Practice Framework are logically associated with developing a new initiative. Grouping by strategy element was therefore considered a good method for presenting and analyzing the best practices. Organizations at the front end or somewhat progressed in their risk management initiative will be able to readily reference the best practices most relevant to their stage of development. The groupings are presented below.

Best Practice Framework Strategies and the Best Practices Identified Under Each

Structural Strategies:
  a) Objectives and values communicated
     -- Commitment from the top
     -- Face-to-face workshops for developing senior management support
     -- Messaging about foundations and monitoring
  b) Shared responsibility for managing risk and fostering commitment
     -- Risk Management Committee
     -- Independent Office
  c) Organization-wide
  d) Various strategies
  e) Monitored and reported to senior management, governing body and stakeholders
     -- Planning / reporting on risks
     -- Regular attention to the risk management process

Implementation Strategies:
  • Defined framework
     -- Risk Framework (Identifying sources)
  • Policy
     -- Risk Management Policy Framework
  • Risk Champion
  • Task Force
     -- Targeting "natural fit"
     -- Developing a core competency first
     -- Experienced, committed senior managers to lead initiative
     -- Utilizing the best of existing structure to work with
  • Guidelines / training
     -- "Learning by doing" method of training and support
     -- Comprehensive Risk Management Handbook
     -- Customized training program
  • Standard process
     -- Control/Risk Self-Assessment sessions
     -- Regular attention to the risk management process
     -- Scenario planning
     -- Risk perception and risk communications
  • Software
  • Defined parameters
     -- Clearly defining "risk"

The following best practices were identified by two or more organizations interviewed and are therefore seen to have enhanced significance:

  • Commitment from the top;
  • Face-to-face workshops for developing senior management support;
  • Targeting "natural fit" areas;
  • Risk/Control Self-Assessment sessions;
  • "Learning by doing" method of training and support;
  • Risk perception and risk communications; and,
  • Clearly defining "risk".

From a concurrent TBS study of risk management practices in federal departments, cultural change was frequently identified as the foremost challenge in moving toward a mature risk management environment. Eleven (11) of the best practices would be helpful in addressing this issue. A listing of best practices that have priority applicability to the Canadian federal government was developed (Exhibit 5, page 19) using Facilitating Cultural Shift as the first of nine (9) ranked criteria.

Key Conclusions

The Drive Toward More Systematic Management of Risk Makes a Lot of Sense

Factors such as the global pace of change, resource restraint, growing openness, transparency and accountability and significant continual organizational change present a demanding case for better management of risk.

Benefits are There Even Though They are Not Easily Measured

Organizations were not yet able to precisely quantify all of their benefits but were very satisfied with the qualitative value of the benefits they perceived from their investments of time, money and staff resources in more systematic management of risk. No one expressed regrets at having embarked upon this course of action.

Leadership and Support Must be Visible

Leadership and support are necessary to promote an "environment of support" for innovation and more conscious risk taking, with the corollary recognition that there will be "misses" as well as "hits".

Develop Competency First

While the long-term goal for most is an organization-wide approach where everyone takes responsibility for managing risk, starting by developing competency in "natural fit" areas will permit initial successes upon which to build.

Care Must be Taken in Defining and Explaining "Risk"

A more traditional understanding of risk was that it related to the potential for harm. More recently some authorities and risk practitioners are defining risk as a concept that embodies both harm and reward such that their definitions are stated in more neutral terms. Care must be taken to decide which definition to use and to explain that both are used to address opportunities and hazards.

Ongoing Investments Are Necessary

Management of risk cannot take hold and be practiced routinely by management and staff without dedicated up-front ongoing investments. Investment will be required in training, communication, promotion, and process support. There should be a dedicated responsibility centre to serve as both the source of "expert" support and to sustain the process and ongoing communications of both successes and lessons learned.

Recommendations

  1. The Best Practices Framework should be refined into a Management of Risk Framework for providing guidance to departments on how to address the organizational / strategy implications and the risk management process implications of any initiative they would undertake.
  2. Messaging about Management of Risk from Treasury Board Secretariat should address:
     -- Benefits are there even though they are not easily measured; and,
     -- People, systems and processes are valued as the current "foundation" to move toward more systematic management of risk.
  3. The Treasury Board Secretariat vision for management of risk should promote departments developing management of risk on a blend of organization-wide initiatives (e.g. linkage to planning / reporting, assessment of high risks) and targeted initiatives (e.g. continuous risk management of a major project).
  4. Treasury Board Secretariat should provide a definition of risk which is supported by an explanation of how the definition is implemented to address both opportunities and hazards.

1.0 Introduction

1.1 Background

The government is continuing to implement recommendations from the Report of the Independent Review Panel on Modernization of Comptrollership in the Government of Canada. The Panel's report identified four key elements of modern comptrollership:

  • performance information - financial and non-financial, historical and prospective;
  • risk management;
  • control systems; and,
  • ethics, ethical practices and values.

Creating and sustaining a mature risk management environment was one of the crucial components of the approach recommended by the Panel. To enable such an environment, the Treasury Board Secretariat (TBS), with federal departments and other interested parties, is developing a results-oriented approach to risk management to help employees better understand, manage and communicate risk and the related choices - a modern, integrated approach. The result of this work is expected to be an umbrella policy that sets the context for federal risk management along with guidance, tools, techniques and training for use in federal departments.

As the basis for this work, background research on best practices in risk management was required in the Canadian private sector and provincial public sectors and in the private and public sectors internationally.

1.2 Objective and Scope

1.2.1 Objective

The objective of the project was to identify Canadian risk management best practices including strategies, approaches, methods, tools and techniques and how they could be used in the Canadian federal government.

1.2.2 Scope

The research included the private sector and the provincial/municipal public sectors. The scope included contacts with:

  • corporations;
  • provincial/municipal departments and agencies;
  • associations, academics and consultants involved with risk management; and,
  • other research study groups assisting TBS to implement its Risk Management Action Plan.

This study was coordinated with the related study of best practices in the private and public sectors internationally.

2.0 Methodology

2.1 Our Methodology

This study was one of a suite of four studies commissioned concurrently by TBS. The related studies were:

  • Study of the Status of Risk Management Practices in Federal Departments and Agencies [awarded to Consulting and Audit Canada (CAC)]
  • Study of the Risk Management Principles / Themes in the Federal Public Service [awarded to Otto Brodtrick (OB)]
  • Study of International Best Practices in Risk Management [awarded to KPMG]

The fact that there were related studies commissioned at the same time meant that the first step of our methodology involved Establishing an Arrangement for Project Management and Coordination with Related Studies as illustrated in Exhibit 1 on the following page.

A fundamental part of the methodology was the need to coordinate our study techniques with the study on International Best Practices being done by KPMG. We began working together at the outset to ensure comparable and useful results would be produced. Accordingly, the second major step of the methodology was to create a Best Practice Definition, Framework and Applicability Criteria. These items are discussed in detail below. They were created jointly with KPMG and were reviewed and commented on by an Advisory Committee TBS had created in relation to its initiatives on management of risk. PMN and KPMG then jointly developed an Interview Guide for use in focussing the discussions with participating organizations.

The next four steps consisted of Interviews, Literature Review, Preliminary Findings and Draft Report and were completed separately by PMN and KPMG.

As a result of time constraints we chose to target our potential private sector interview respondents to 18 organizations where we knew there were risk initiatives in process. We did not have similar knowledge of where there were risk initiatives in provincial / municipal public sector organizations. Requests were sent to Auditors General / Provincial Auditors (12) and municipal Chief Administrative Officers / City Managers (6) for assistance in identifying potential public sector respondents. See Appendix A for a list of Participating Organizations.

Exhibit 1: Illustrated Study Methodology

A review of Canadian literature and other reference sources was conducted concurrently with the interviews. Summaries were prepared of the interviews and key documents. The Interview Summaries highlight the context for risk management in the organization. This generally covers the objective, approach and benefits for the organization's risk management initiatives. The Interview Summaries (see Appendix B) then highlight the best practices that were identified by the organization and in some cases organizations also identified some "good" practices. The Key Document Summaries (see Appendix C) constitute more of a general synopsis of what the document contains. Most of the key documents were not written to address the issue of "best practices". However they were selected as key because they provide some information, opinions or suggestions on the best practices identified in the interviews.

The information in the Interview and Key Document Summaries was then analyzed for applicability to the federal public sector using the Applicability Criteria (see Section 2.5). Information on benefits, examples, preliminary observations and examples of best practices was reported to TBS in a Preliminary Findings Report.

As illustrated in Exhibit 1, on the previous page, the final steps consisted of the Draft Report, Coordinated Conclusions (consensus between PMN and KPMG), a Presentation of results to TBS and the Advisory Committee, and a Final Report. The Final Report took into consideration the results of the CAC and OB draft reports.

2.2 Best Practice Definition

In order to provide comparability and usefulness to the collection of information regarding "best practices" in risk management, it was necessary to first define "best practice" in the context of this project. This definition was developed jointly with KPMG to be used as well in its international study.

Not all risk management practices are best practices, nor would all good practices have relevance or be readily adaptable to the federal public service. It was concluded that a best practice would be a strategy, approach, method, tool or technique that was particularly effective in helping an organization achieve its objectives for managing risk. A best practice would also be one that was expected to be of value to other organizations. For example, a practice that was particularly helpful in establishing guidance would be of value to many other organizations, including the Treasury Board of Canada Secretariat (TBS), as the provision of guidance to federal departments is one of its important objectives.

2.3 Best Practice Framework

A best practice framework sets out the areas where best practices would be expected to be of common interest to a variety of organizations. This framework was developed jointly with KPMG to be used as well in its international study. The basic assumption is that an organization invests resources in managing its risks, both strategic and operational, in order to achieve anticipated benefits. These benefits, which are often defined as objectives for managing risk could be any combination of:

  • communication for commitment;
  • enhancement of stakeholder value, achievement of corporate objectives;
  • measurement for improved management;
  • support for effective accountability and governance;
  • strengthening of planning and decision processes (synergy, communications, etc.);
  • measurable returns on investments; and,
  • increased confidence of stakeholders.

The best practices framework we have constructed is illustrated as Exhibit 2 on the following page and provided in detail in Appendix D.

It should be seen as only one possible configuration, selected for its ability to complement other work being done for TBS. It is by no means an exhaustive list. Acknowledging this, if a practice in a participating organization was found to be beneficial, either in achieving its objectives for managing risk or in the overall achievement of corporate business objectives, but did not seem to fit into this selected configuration, we still recorded it. The ultimate test of it as a best practice is whether it may have some value for another organization in achieving its risk management objectives.

Exhibit 2: Best Practices Framework Model

2.4 Interview Guide

Our Interview Guide (attached as Appendix E) was developed in coordination with KPMG in order to ensure comparability and usefulness of findings. The Guide was based upon the framework with a series of probing questions outlined under the main sections of Components, Integration Strategies, and Disciplines and Functions. Some small differences in the PMN and KPMG Guides were necessary to accommodate ease of conducting the interviews in other countries.

2.5 Applicability Criteria

During our analysis we determined that some of the criteria related very well to the best practices. When organizations would explain their best practice it became evident they were applying many of our original criteria. However some of these criteria did not relate well to any of the best practices. These criteria appear to relate to "risk management" but not to a best practice for risk management. Our original criteria were as follows:

  • Has broad applicability, beyond the protection of assets and people
  • Fosters a supportive work environment
  • Supports innovation
  • Improves service delivery, e.g., efficiency, effectiveness
  • Improves access to government / government services
  • Facilitates management decision-making
  • Promotes sound resource allocation
  • Is easily understood and used (plain language, user-friendliness)
  • Helps managers understand the context and implications of risk
  • Demonstrates communication / involvement with stakeholders
  • Facilitates cultural shifts and change management
  • Builds on existing knowledge, lessons learned in the organization
  • Considers opportunity costs
  • Has a clear and potentially applicable accountability or governance framework
  • Makes effective use of audit and evaluation resources
  • Links horizontally in the organization
  • Integrates well with the existing management framework, processes and practices

We reviewed the above criteria in light of preliminary findings from the Consulting and Audit Canada (CAC) study as well. CAC reported that departments have several "needs" in relation to risk management. The criteria related to some but not all of the needs. Accordingly, some additional criteria have been considered in our study. Linkage to departmental needs was considered a valid reason to include a criterion.

The revised set of criteria is set out below:

  • Facilitates cultural shift;
  • Fosters supportive environment "walk the talk";
  • Supports accountability;
  • Addresses benefits / resources issues (added re: departmental needs);
  • Demonstrates communication / involvement with stakeholders;
  • Builds on existing knowledge and practices;
  • Addresses tools, training, and expert advice issues (added re: departmental needs);
  • Provides common language (added re: departmental needs); and,
  • Helps understand risk.

3.0 Our Findings

3.1 Introduction

The purpose of this study was to research and document the "best practices" of Canadian organizations which had developed the kind of "mature risk management environment" recommended by the Comptrollership Modernization Panel for application in the federal public service. We set out to identify a selected number of leading Canadian private and public sector organizations. Our objective was to investigate both the context of their current management of risk practice, and also to ask them to identify those practices and processes which they felt had been particularly effective for their organizations in achieving their current level of managing risk within their organization.

Our study collected detailed information and documentation on best practices from senior representatives of thirteen (13) Canadian organizations across the country which cover a broad spectrum of business and public activities. From the private sector, we interviewed executives from the financial services industry (2), the natural resources sector (2), manufacturing (2), as well as two (2) major utilities and one (1) major hospital. Within the public sector, we interviewed senior officials from two (2) municipalities and two (2) provinces.

We also approached and made initial contacts with several other public and private sector organizations which had confirmed they were investing in more strategic corporate risk management. However, they regretted not being able to participate, most often citing insufficient time to prepare and fully participate in our study.

Overall, our findings of best practices from the organizations we interviewed have value and relevance for the federal public sector. All of the organizations interviewed recognized they were not immune to the broad pressures which gave rise to their strategic investments in more systematic risk management: the global pace of change; a resource restraint; demands from stakeholders for growing openness, transparency and accountability; and, continued pressures for organizational change (downsizing, empowerment, alternative forms of delivery, etc.). These same kinds of pressures are no less significant for the departments and agencies of the federal government, and indeed may be more so.

Before proceeding to describe our findings on benefits, examples and best practices it is important to note that a very important context for the federal public sector is the cultural environment where managing risk can initially take hold and become effective. As was noted in the study on Risk, Innovation and Values, there needs to be flexibility, empowerment and encouragement in order for innovation and intelligent risk taking to be effective in a public service environment. As was noted in the study of the Status of Risk Management Implementation in Federal Departments, many departments expressed concerns that the current culture "from the centre" is not yet perceived to be conducive to flexibility and support for innovation or intelligent risk taking. Despite talk of the centre wanting to encourage new ways of doing things in government, the feedback from many departments was "walk the talk" before we start taking innovative risks. In other words, a culture shift of some significance will be a prerequisite for more effectively managing risk.

Factors Demanding Management of Risk

  • Global pace of change
  • Resource restraint
  • Growing openness, transparency and accountability
  • Continual organizational change:

-- smaller government
-- alternative service delivery
-- systems replacing people

Beyond the recent regulatory and policy change imperatives, there are many factors which make a culture shift necessary for the federal public sector, and most of these same factors were recognized as influencing similar culture shifts in the organizations we interviewed as they adopted a broader approach to managing their risks. There was certainly an awareness that as the impacts of their reductions and restructuring worked their way through their organizations, over time there was increased likelihood of greater numbers of errors, lapses and breakdowns with the status quo. They recognized that unless they changed their approach to understanding and managing their strategic risks, and in doing so, forced their corporate cultures to change, the magnitude of these inevitable problems would compromise the attainment of their overall business objectives.

It was fortuitous that the federal government delayed most of its significant restructuring until several years after the private sector's similar actions. There are lessons which can be learned, and problems which can be avoided, by now moving to more broadly understand and manage risk. However, regarding the current readiness for a culture shift, the expectations of federal stakeholders may not yet be at this point, because the risks and consequences of restructuring and downsizing were not fully assessed and understood at the time the decisions were made. Further, the current and future trade-offs may not yet have been explained to stakeholders in such a way that they can better understand the risks, opportunities and options. Public servants who must now make choices involving trade-offs affecting public interests face a real conflict, knowing that their key stakeholders (public, media, politicians) may not yet understand or be prepared to accept these choices, even though there is no possible return to the past zero-risk environment.

3.2 Benefits and Examples

One of the questions most often asked on behalf of those organizations who are at the front end of their investigation of management of risk is "What are the benefits of broadly managing risk and provide us some good examples?" Any conscientious manager needs to ask this question before making a decision to invest financial or human resources in any new initiative. It is driven in part by the need to judiciously steward their already-invested corporate resources. Further, all good managers need to ensure they have, and can communicate to others, a sound rationale of the basis for their embarking on (or even investigating) a course of action which may result in significant shifts in the way in which they go about achieving their business objectives.

These two questions have several relatively straightforward responses gleaned from our findings:

  • By developing a greater awareness and understanding of the inherent or emerging risks (in relation to both the achievement of current business objectives or the pursuit of other potential benefits), it ensures more thorough management strategies to address the significant potential liabilities and obstacles to achieving objectives and delivering expected results.

For example, several organizations have established senior or executive level risk oversight bodies which monitor the process and investments in systematic management of risk within their respective organizations. In most cases, they also take on responsibility for reviewing and assessing (or challenging the corporate assessments) of risks and mitigation strategies involved in any major new corporate initiatives.

  • By working with our partners to identify and understand the common risks we share with them, it builds trust into our shared working relationships, and all parties are better able to proceed individually to achieve their mutual business objectives.

For example, within one organization, they bring groups together with appropriate experts at their "training by doing" sessions (e.g. engineers, operators, maintenance staff, legal, etc.). Not only is their varied experience and expertise useful to the risk analysis, but also their involvement supports the objective of integrating risk-based decision-making into day-to-day thinking and activities at all levels of the organization. They state that the involvement of the specialists and generalist perspectives of the various interest groups helps them all better understand, using real world scenarios they can relate to, whether to use a quantitative, semi-quantitative or intuitive approach to decision-making. It also ensures greater buy-in for the decisions when they are taken.

Another organization has used the approach of assessing risks and undertaking front-end planning with a prospective partner organization to reach a conclusion that the proposed partnership would not be in their best interests. Had they not taken this approach, they might have found themselves contractually tied in an untenable situation, possibly incurring significant additional costs to extricate themselves after-the-fact.

  • By anticipating scenarios before they arrive on our doorsteps as problems or crises, we can better prepare for them, achieving both financial savings through more effectively planned investments in advance, and through preventing (or at least attenuating) potential losses of property or life.

For example, implementation of a formal risk management process has led to reduction of public safety-related incidents in one participating organization from 21 to 2 per year in the first year after implementation (and the level has remained the same since then). Spin-offs for them include reduction in claims and litigation and their corresponding legal work, reduced insurance premiums, increased confidence of front-line staff through greater empowerment and control over decisions. They have also found that users are approaching the Risk Management centre requesting more "tools" and support to apply to other aspects in their workplace instead of waiting to be instructed to do these assessments.

Another organization uses scenario planning to anticipate how its global sources of risk (over which they have virtually no control) may unfold elsewhere in the world. They can then use the more likely of these scenarios as contexts to develop their annual business and other operational plans.

  • By consciously and regularly looking for "what else might happen" scenarios, and by discovering possible unintended consequences in advance of choosing a particular course of action, our decision-making will obviously be based upon more relevant and complete information, and we will significantly decrease the chances of being "blindsided" by some unforeseen scenario or potential crisis. We will also have better contingency plans prepared should one of the risk scenarios come to pass.

For example, in one organization, their formal process has led them to accreditation as a leader in "looking ahead" within their industry (with spin-off benefits of lower insurance premiums and increased stakeholder confidence).

  • By communicating our awareness of significant risks and how these are being managed, shareholder value is demonstrably improved according to private sector comment and data. For the public sector, with different sensitivities and success indicators, increased stakeholder (politicians, media, taxpayers, etc.) confidence through understanding and acknowledging the trade-offs is the corollary benefit.

For example, one organization has developed an interconnected external and internal communications strategy for its reporting on risks. Its belief is that the more its key stakeholders and the public it serves know about how it prioritizes and manages its risks, the more confidence they will have in contracting for its products and services. They publish their five year strategic plan and their annual business plan for the information of shareholders and clients. They then have linked these to internal planning and reporting regimes so that each sector and unit is aware of how its particular management of its own localized risks contributes to the overall achievement of the corporate business objectives.

Many private sector organizations are now reporting in extensive detail on their key risks and management strategies as part of their annual reports to shareholders and regulators. One organization devoted over 10% of its annual report (11 pages) to reporting on its particular risks and how each of these is being addressed, covering elements such as corporate structure, different risk categorizations and its risk management process.

Regrettably, these relatively brief and mostly qualitative descriptions of intuitively self-evident benefits do not fully satisfy some managers. They continue to request ever-increasing levels of certainty, supporting data, certifications, assurances and replicable proof that this more systematic approach will work for each of their particular situations, everywhere in their particular environments. These demands for ever greater certainty are partly in themselves evidence of the need for a change to a management approach in which people can better understand, and thereby become more accepting of, the inherent and emerging risks in their environment before they begin to prioritize and manage their trade-offs more effectively. They are also an indication that the conventional mindset (minimizing risks at all costs before acting) is in some areas still alive and well, and that this mindset is itself an obstacle to embarking upon a more systematic management of risk paradigm.

While what follows is unlikely to convince the more entrenched of these "show me first" people, it was evident from each of the public and private sector organizations which we contacted that they are convinced that their investments of time, money and staff resources in more systematic management of risk have been beneficial to achieving their respective corporate objectives. Not one of our respondents expressed regrets at having embarked upon this course of action, and none suggested any suspicion that management of risk is merely a 1990s version of "the emperor's new clothes". They are continuing to see both medium and longer term benefits and causal results which are sufficient to satisfy them and their key stakeholders of the value of the investments they have already made and are continuing to make.

In the private sector there has been some pressure to be more open and transparent about reporting on managing risk as a result of the governance guidelines of Canadian stock exchanges (see Key Document Summary No. 11). While the governance guideline may have been one of the background motivators for some private sector organizations, none of the respondents mentioned this as their organization's reason for starting their initiative and none noted meeting the governance guideline as a benefit. The Auditor General has for a number of years now been similarly encouraging federal departments and agencies to be both more aware of their risks and how they are being managed, and to be more open in their reporting.

3.3 Summary of Best Practices

All but one of the organizations interviewed suggested one or more best practices as being of possible interest to the federal government. In total twenty-five (25) best practices were put forward. However, due to more than one respondent advancing the same or similar practices, there were actually nineteen (19) separate best practices proposed.

Our literature review revealed five (5) best practices from recent Canadian publications and other reference sources. Three (3) of these were also repeated in our interviews, however, two (2) best practices were unique to the literature review.

In total, therefore, we found 21 (19 + 2) separate best practices. To permit readers to more thoroughly review the context and description of each practice, we have prepared Exhibit 3, which cross-references each of the best practices to the Interview Summary Reports and / or the Key Document Summaries contained in Appendices B and C respectively.

Exhibit 3: Best Practices Reference Chart

Interview Reports | Key Documents | Best Practice
------------------+---------------+------------------------------------------------------------------
1, 3, 5           | 2             | 1. Commitment from the top
1, 4              |               | 2. Face-to-face workshops for developing senior management support
12, 13            |               | 3. Targeting "natural fit" areas
4, 8              |               | 4. Risk/Control Self-Assessment sessions
6, 13             |               | 5. "Learning by doing" method of training and support
3                 |               | 6. Planning / reporting on risks
6                 |               | 7. Developing a core competency first
10                |               | 8. Messaging about foundations and monitoring
10                | 2             | 9. Risk Management Policy Framework
1                 |               | 10. Experienced, committed senior managers to lead initiative
3, 4, 6, 8, 10    |               | 11. Risk perception and risk communication
2                 |               | 12. Risk framework
5                 |               | 13. Regular attention to the risk management process
2                 |               | 14. Risk management committee
11                |               | 15. Utilizing the best of existing structure to work with
3                 |               | 16. Independent office
2                 |               | 17. Comprehensive Risk Management Handbook
2                 |               | 18. Customized training program
5                 | 2, 3, 9       | 19. Clearly defining "risk"
9                 |               | 20. Scenario planning
9                 |               | 21. Planning with Partners

(Numbers refer to the Interview Summary Reports in Appendix B and the Key Document Summaries in Appendix C.)

3.3.1 Grouping of Best Practices

It appeared to us that twenty-one (21) best practices would be seen as daunting in number and variety. We have not excluded any suggested best practices, as virtually all can meet the test of one or more of the originally specified applicability criteria as reviewed by the Advisory Group. However, it is clear that the best practices need to be grouped, and higher priority groups of practices identified, before a prospective department or agency can begin to assess their applicability to its particular circumstances.

The Best Practices Framework represents a good initial basis for grouping the best practices. The Framework has two groupings: components (managerial structures); and, implementation strategies for risk management. The Framework also has a third group of disciplines and functions where risk management is often applied at the operational level before it is adopted as an organization-wide strategy.

The organizations interviewed generally considered themselves to be at an early stage of developing improved risk management practices. As such, the kinds of issues they are addressing revolve around establishing appropriate Components (management structures) and Implementation Strategies for risk management.

Many of the organizations interviewed found the elements set out in the Best Practices Framework logical but they generally did not use the Framework as a prompt to identify their best practices. Nor did they indicate which element of the Best Practices Framework related to the best practice they were identifying.

Nonetheless, because the Structural and Implementation Strategies are logically associated with developing a new initiative, we have identified below in Exhibit 4 best practices linked with Framework elements as best determined by the study team (see Appendix D for a detailed description of each element). Those departments at the front end of considering their own future risk management initiative will, by referring to the relevant Framework elements, be able to readily reference the best practices most applicable to their stage of development.

Exhibit 4: Best Practices Linked to Best Practice Framework Strategies

Structural Strategies:
  a) Objectives and values communicated
     • Commitment from the top
     • Face-to-face workshops for developing senior management support
     • Messaging about foundations and monitoring
  b) Shared responsibility for managing risk and fostering commitment
     • Risk Management Committee
     • Independent Office
  c) Organization-wide
     (none linked)
  d) Various strategies
     (none linked)
  e) Monitored and reported to senior management, governing body and stakeholders
     • Planning / reporting on risks
     • Regular attention to the risk management process

Implementation Strategies:
  Defined framework
     • Risk Framework (Identifying sources)
  Policy
     • Risk Management Policy Framework
  Risk Champion
     (none linked)
  Task Force
     • Targeting "natural fit"
     • Developing a core competency first
     • Experienced, committed senior managers to lead initiative
     • Utilizing the best of existing structure to work with
  Guidelines / training
     • "Learning by doing" method of training and support
     • Comprehensive Risk Management Handbook
     • Customized training program
  Standard process
     • Control/Risk Self-Assessment sessions
     • Regular attention to the risk management process
     • Scenario planning
     • Risk perception and risk communications
  Software
     (none linked)
  Defined parameters
     • Clearly defining "risk"

Disciplines and Functions:
  Planning was mentioned most often as the area where work has begun integrating risk management.

3.3.2 Priority Best Practices

Each best practice reported by respondents was obviously seen as a priority to its identifying organization / author. However, in the context of the federal public service overall, or with reference to any given individual agency, not all of the reported best practices would necessarily have the same weight or value. Priority depends on many factors including an organization's mandate, their existing competence in risk management, the way in which the pace of change impacts on the organization, the relationships and expectations of their stakeholders, etc.

As noted earlier, the original "applicability criteria" proved to be of limited value when attempting to rank and group the twenty-one reported best practices. The criteria were simply too wide-ranging and not sufficiently graduated to rank, group or even exclude any of the reported practices. Yet clearly, if the Treasury Board Secretariat and other government departments are to be able to sort through and make use of the findings, there must be some other criteria against which the 21 best practices can be gauged.

For the federal public sector, and for most departments and agencies, we believe the issue of a cultural shift from risk avoidance and control to broader risk management is the most profound challenge in regards to creating and sustaining a "mature risk management environment". Accordingly, we consider Facilitating Cultural Shift as the most important criterion on which to judge the applicability of the reported best practices. Eleven (11) of the best practices were judged to be "helpful" in supporting this criterion. This was also seen as important by many of the departments whose summary results were presented in the Consulting and Audit Canada study.

Eight other criteria were developed by the study team, in part from the original list, in part from the feedback on departmental needs and barriers as reported in the CAC study, in part from the literature, and finally from the study team's knowledge of and work with other federal departments in this field. Exhibit 5 illustrates a suggested order of the other criteria. These criteria may be of future value in refining and focussing any additional best practices, but this would likely need to be done with further interdepartmental consultation.

Exhibit 5: Best Practices / Applicability Criteria Matrix

Applicability criteria (the column numbers used in the matrix below):
  1. Facilitates Cultural Shift
  2. Fosters Supportive Environment ("walk the talk")
  3. Supports Accountability
  4. Addresses Benefits / Resources Issues
  5. Develops stakeholder communications
  6. Builds on existing knowledge and practices
  7. Addresses tools, training, expert advice issues
  8. Provides common language
  9. Helps understand risk

An "x" marks a criterion that the best practice was judged to support; "." marks no link.

 1 2 3 4 5 6 7 8 9   Best Practice (Interviews / Literature Review)
 x x x . . . . . x   1. Commitment from the top (3)¹ (1)²
 x x x . . x . x x   2. Face-to-face workshops for developing senior management support (2)¹
 x . . x . x x . x   3. Targeting "natural fit" (2)¹
 . . . x . x x . x   4. Control/Risk Self-Assessment Sessions (2)¹
 x . . x . x x x x   5. "Learning by doing" method of training and support (2)¹
 x x x . x . . x x   6. Planning / Reporting on Risks
 x x . x . x x x x   7. Developing a Core Competency first
 x x x . x x . . x   8. Messaging about foundations and monitoring
 x x x . . . . x x   9. Risk Management Policy Framework (1)¹ (1)²
 x x x x . x . . x   10. Experienced, committed senior managers to lead initiative
 x . x . x . . . x   11. Risk Perception and Risk Communication (5)¹
 x . . . . . . x x   12. Risk Framework (Identifying sources)
 . x . . . . x . .   13. Regular attention to the risk management process
 . x . . . . . . .   14. Risk Management Committee
 . . . x . x . . x   15. Utilizing the best of existing structure to work with
 . . . x . . . . .   16. Independent Office
 . . . . . x x x x   17. Comprehensive Risk Management Handbook
 . . . . . x x . .   18. Customized training program
 . . . . . . . x x   19. Clearly defining "risk" (1)¹ (3)²
 . . . . . . . . x   20. Scenario planning
 . . . . x . . . x   21. Planning with Partners

¹ Number of times this best practice was identified in interviews.

² Number of times this best practice was identified in the literature review of key documents.

3.4 Conclusions and Recommendations

3.4.1 Conclusions

What follows are some of the key conclusions which the study team felt were worthwhile highlighting from the volumes of data and documentation that were brought to light through this study.

  1. It Makes Sense to Heed the Factors Demanding Management of Risk

    Factors such as the global pace of change, resource restraint, growing openness, transparency and accountability and significant continual organizational change present a demanding case for better management of risk.
  2. Benefits are There Even Though They are Not Easily Measured

    It is a difficult (if not impossible) exercise to attempt to determine or accrue tangible benefits that measure the distance from a course followed to a course not followed. However, it was evident from each of the public and private sector organizations contacted that they are convinced that their investments of time, money and staff resources in more systematic management of risk have been beneficial to achieving their respective corporate objectives. Not one of our respondents expressed regrets at having embarked upon this course of action. These organizations are continuing to see both medium and longer term benefits and causal results which are sufficient to satisfy them and their key stakeholders of the value of the investments they have already made and are continuing to make.
  3. Best Practices Very Instructive

    For the federal Public Service to successfully implement a more comprehensive approach to management of risk, the best practices and lessons gleaned from other public and private sector organizations will prove instructive and will reduce the need to "re-invent the wheel". However, it must be acknowledged that each federal agency will nonetheless need to customize and adapt these best practices and lessons to suit its own particular culture and environment. It should also be acknowledged that a Westminster parliamentary environment presents its own formidable challenges that private sector risk managers do not have to face, and that these will generally be less susceptible to fully rational, systematic approaches. In addressing such challenges, a healthy blend of both intuitive and systematic management of risk is the suggested prescription.
  4. Leadership and Support Must be Visible

    Leadership and support must be visibly and regularly demonstrated from the top. It was also explicitly recognized by most of the organizations examined that moving toward more systematic management of risk required a change in their organizational culture. More particularly they needed to develop and promote an environment of support for innovation and more conscious risk-taking, with the corollary recognition that there would be "misses" as well as "hits".
  5. Develop Competency First

    While it is clear that across Canada, the private sector had generally initiated its investments in more systematic comprehensive management of risk two to three years in advance of the federal public sector, the gap between these two sectors' current state of practice is not all that great. Seven (7) of nine (9) private sector organizations participating were not yet developing systems for organizational-wide management of risk, and most were concentrating first on developing a competency in risk management within a specific discipline. While the long term goal for most is an organization-wide approach where everyone takes responsibility for managing risk, especially in an environment where new resources are limited, starting by targeting "natural fits" in a more focussed fashion and building on some early "successes" in these areas is a preferred strategy.
  6. Care Must be Taken in Explaining and Defining "Risk"

    Clearly defining "risk" (Best Practice # 19) requires special consideration, whether it is for an individual organization, or for the federal Public Service as a whole. There are many proponents who would define risk as having the potential for either harm or reward - something referred to as "downside" and "upside". And there are others who argue that it is best to stay with a more traditional view that risk is only a negatively oriented concept, and that trying to include opportunity "strains the commonly understood meaning of risk" (Key Document # 1). Even within recent Treasury Board documents, this dichotomy is occasionally noted. In the organizations interviewed, the discipline where risk was most often defined as both upside and downside was the planning function. The link to planning draws in the link to opportunities. Risk management is seen as a tool to help exploit opportunities as well as a tool to manage hazards. However, each organization, and the Treasury Board Secretariat in particular, should carefully consider whether it is necessary to include both sides in the corporate definition in order to both exploit opportunities and manage hazards.

    A corollary to the definition issue above is the need for common terminology so that "everyone is speaking the same language" when risk is being assessed and communicated. This fits in well with the TBS approach of understand-manage-communicate.
  7. Risk Communication is Key

    One of the findings arising from our review of the Canadian literature was that while the private sector implicitly recognizes the importance of communicating and messaging its risks more effectively, most of the explicit research done in Canada has been focussed on the public sector. This may have occurred because of the greater ease of access to documentation on issues affecting the public where communications (or lack thereof) were a significant factor in the unfolding of the particular issues being reviewed. In any event, the literature already offers some valuable lessons learned to guide the federal public service in its risk communications strategies. Further, there may well exist other unpublished lessons within the academic community which would be of value to the Treasury Board Secretariat in developing its guidance for departments and agencies. Finally, given the communications and psychological expertise which exists in Canadian academe, it may be of interest to the Secretariat to more actively pursue research and advisory partnership arrangements with some of the centres where this expertise and knowledge exists.
  8. Ongoing Investments are Necessary

    It is also clear that management of risk cannot take hold and be practiced routinely by management and staff in an organization without dedicated up-front and ongoing investments. A framework laying out the strategic elements and specifying the implementation parameters for the particular organization is an essential initial product. Implementation strategies may vary, dependent upon the objectives, but should contain some investments in training, communication, promotion and process support to ensure that there is common understanding, management and communications. Finally there should be a designated responsibility centre to serve as both the source of "expert" support to others within the organization, and to sustain the process and ongoing communications of both successes and lessons learned.

3.4.2 Recommendations

  1. The Best Practices Framework should be refined into a Management of Risk Framework for providing guidance to departments on how to address the organizational / strategy implications and the risk management process implications of any initiative they would undertake.
  2. Messaging about Management of Risk from Treasury Board Secretariat should address:

    • Benefits are there even though they are not easily measured; and,
    • People, systems and processes are valued as the current "foundation" to move toward more systematic management of risk.

  3. The Treasury Board Secretariat's vision for management of risk should promote departments developing management of risk on a blend of organization-wide initiatives (e.g. linkage to planning / reporting, assessment of high risks) and targeted initiatives (e.g. continuous risk management of a major project).
  4. The Treasury Board Secretariat should provide a definition of risk which is supported by an explanation of how the definition is implemented to address both opportunities and hazards.


Appendix A Participating Organizations

Canada Trust, Toronto ON
CCL Industries Inc., Willowdale ON
Hospital for Sick Children, Toronto ON
Hydro-Québec, Montréal QC
Bank of Montreal, Toronto ON
NAV CANADA, Ottawa ON
Noranda Inc., Toronto ON
NOVA Chemicals Inc., Calgary AB
Government of Ontario
  • Management Board of Cabinet, Toronto ON
  • Ministry of the Attorney General, Ottawa and Orillia ON
City of Ottawa, Ottawa ON
Petro-Canada, Calgary AB
Gouvernement du Québec (Édifice du Vérificateur général du Québec), Québec QC
City of Winnipeg, Winnipeg MB

Appendix B Interview Summaries


Interview Summary Report No. 1: Private Sector Entity


This organization has several efforts underway to enhance its management of risk. These efforts are not guided by a single, strategic organizational-wide management of risk objective against which one would be able to discern best practices. Nonetheless, managing risk is very important to the organization and there were some of its practices that were judged as "best practices" on the basis of their portability and their very important contribution to the progress to date in enhancing the management of risk in this organization.

Best Practices

Commitment from the top was identified by this organization as their first best practice. The commitment was expressed to all staff in correspondence from the Chief Executive Officer (CEO) and it was explained further in the organization's strategic planning document. The commitment was expressed in several ways, not the least of which was to note that this initiative is one which requires the breaking down of traditional "silos" and is being developed over a three-year planning horizon.

Developing senior management support through face-to-face workshops was also considered a best practice for this organization. The face to face approach was found to be very effective in helping the organization's leaders to understand the initiative so that they could commit themselves to providing a supportive environment built upon this understanding.

Finally, this organization identified the fact that they had an experienced, committed senior manager to lead the initiative as a best practice. An atmosphere of risk-taking from the top exists by the very fact that a managing risk initiative is formally put in motion. In one sense, this was seen as the CEO "walking the talk" by promoting the initiative. The experienced senior manager in charge of the initiative is the CEO's method of managing his risk. It was commented that there was quite a bit of trust developing.

Good Practices

Good practices in support of the initiative were also discussed. The first was that there were to be changes in the process requirements for projects and initiatives whereby risk assessments would be required before changes/decisions were implemented, above certain dollar thresholds. The other was the use of the Canadian Standards Association (CSA) Q850 process. Adopting Q850 saves the time of building one's own methodology, and it has an emphasis on risk communications that is important to this organization.


Interview Summary Report No. 2: Public Sector Entity


This public sector organization began its move from insurance-based risk management to a more comprehensive pro-active approach in 1992. The evolution of their thinking passed through several stages, beginning with a Policy on Personal Safety and culminating in a Policy on Risk Management. Their risk management objective is focussed on reducing liability and claims. Their training package, developed in-house and customized for separate departments, has been sold to other Canadian and American public sector entities.

Best Practices

Arising from the approved Risk Management Policy Statement, development of a comprehensive Risk Management Handbook that is annually updated was considered a best practice in helping achieve their risk management objective. This Handbook, much of it related to examples of controls and checklists for staff to use (and retain as documentation), covers almost every aspect of their operations and is distributed throughout the organization and made available on their Intranet.

A customized training program which is mandatory for front-line and management staff was also identified as a best practice. It has several interesting features including case studies, a video produced in-house, training delivered at the work-site, and senior managers involved in presentations to staff (thereby demonstrating "commitment from the top"). Their training delivery is interactive to engage staff, and they use in-house experts to deliver the bulk of the subject matter. A risk management game has been developed as part of the training, and is also used as a general refresher for "graduates".

The whole risk management process is overseen by a Risk Management Committee comprised of a broad cross-section of senior personnel, some of whom are participating on a rotational basis. This body meets twice yearly to review trends and incident summaries, to identify the need for future risk management measures and controls, and also to undertake post-mortem reviews of major incidents to determine lessons learned.

Good Practices

The Senior Management Committee approved an internal Risk Management Policy Statement at the beginning of the implementation process. The lead person responsible for most of the conceptual development and implementation of the organization-wide approach is a broadly experienced and highly dedicated risk management practitioner. Their risk management expertise was gained initially from the insurance and security perspectives within the organization, but is currently operating with strong management support from within the legal context.


Interview Summary Report No. 3: Private Sector Entity


This private sector corporation made its move to invest more directly in managing its key risk areas when it set up a new organizational group to guide such efforts in December, 1997. They consider themselves to be at the beginning stages of organisation-wide implementation but have a clear game plan and have invested in a strong internal process base. They are developing specific strategies to broaden implementation beginning with the initial involvement of management personnel across the whole corporation and eventually involving all employees.

Best Practices

The reporting of risks on an integrated and tiered basis is considered to be a best practice for this organization. Their reporting begins at the highest level with a Strategic Plan which takes a 5-year horizon. "Risks & Opportunities" are identified and corporate risks to be managed are prioritised. Each unit and each manager produces their own annual internal report which specifies their particular area's specific risks and opportunities and how they will attenuate/pursue these and how they will measure the impacts of their interventions. At least one formal risk management report is prepared annually for the Board of Directors. Also, Risk Management reports on the priority strategic risks are prepared 3 to 4 times per year for the Finance and Audit Sub-committee of the Board.

Commitment from the top was also considered a best practice. The initial successes achieved here were driven by two powerful Risk Champions on the Board (Chair and President). It takes this level of commitment when the initiative in question represents a strategic change in the organization's approach to managing and involves a change in corporate culture.

The final best practice identified by this organization was their independent office for risk management. Not affiliated with either Audit or the Comptroller's office, it was created in 1997 and reports to the Vice-President of Finance. They approach managers throughout the corporation working as "consulting partners" to help them with their Risk Management issues and with the processes of identification and assessment. They have set up an internal advisory working group with broad representation and have recently begun a communications and information program to inform all employees. They are also establishing an Intranet site and working to develop training packages to support the overall initiative as it rolls out to the balance of the corporation to ensure that everyone understands this new concept as it applies to their area of responsibility.


Interview Summary Report No. 4: Public Sector Entity


There has been awareness for a few years about the need to manage risk strategically. Initiatives have been started in terms of redesigned planning activities that must also include risk identification and assessment. Overall, they considered themselves to be at the beginning stages and there was much left to do.

In another part of this entity there were local efforts to refine the integration of risk into the planning process. The local initiatives led to their concluding that risk management needs to be done on an on-going basis and be part of the skill set of all staff; it can't just be done at business planning time. They also commented that time spent on educating staff on risk and control is a worthwhile investment as risk management needs to be clearly understood before it can be used effectively.

Best Practices

This organization suggested their "hands-on approach" to developing understanding at the top as a best practice. Support from the top is critical for any new initiative. Meetings with small groups of senior managers have been held to explain the initiative and develop understanding and support.

Control and Risk Assessment (CRA) sessions were suggested as a best practice for helping work units link risk management with business planning. CRA sessions, by design, are a structured way for staff of a work unit to identify risks and controls with the assistance of a facilitator. Using the structured approach, staff were better able to articulate major issues, and according to this respondent there was more credibility about the results.


Interview Summary Report No. 5: Private Sector Entity


This Canadian organization has long been in the practice of managing financial risks. However, they noted that, historically their approach has been very specialized focusing on quantifying risk and relating it to the capital base of the organization. Recently they have begun working with senior management on the identification of other key risks for their organization. In their 1998 annual report, they state that "risk can and should be integrated into all of our business decisions rather than managed as a separate element". This organization identified some best and good practices.

Best Practices

Commitment and regular attention to the risk management process from the top was suggested as a best practice for this organization in broadening out their management of risk. They have established a Senior Executive Risk Management Committee, including the Chief Executive Officer and Chief Financial Officer, which oversees and monitors the process of risk management throughout the organization. It also screens major new initiatives to ensure cross-organizational impacts are managed in pursuit of new opportunities without compromising the overall business objectives.

Another best practice for them was clearly defining risk in the context of achieving their overall business objectives before investing resources to measure and manage it. They have done this and have revamped their organizational structure to monitor, measure and act upon their current and progressive risks.

Good Practices

This organization believes that they must measure their well-defined risks in order that they can be managed. For their major strategic risk areas they incorporate the use of sophisticated and comprehensive measurement indices to both alert management to upcoming issues and to track results of their risk mitigation measures taken. The general outcome of this is reported to stakeholders in the Annual Report.

The 1998 Annual Report contains substantial reporting on risk management, providing considerable detail (11 pages) to shareholders, covering elements from structure, categories and process through to detailed discussion of each of their key risk areas and generally how these are being managed. They see this information as building shareholder and customer confidence in the organization's ability to enhance shareholder value and to protect customer assets.

In support of their risk management strategy, they report having invested in the deployment of dedicated risk specialists in each business unit to assess performance variance and support the business activities.


Interview Summary Report No. 6: Private Sector Entity


This Canadian corporation has recognized the benefit of managing all business risks in an integrated manner. In broad terms, their objectives for managing risk better are to establish an approach that is holistic and organization-wide, and that ensures external and internal risks are identified and managed through a structured, systematic analysis of risk, consequences and opportunities. A presentation was made to senior management for approval to start the initiative. By their own self-assessment, the corporation is still in early development.

Best Practices

Developing a core competency first was a strategy implemented by this organization and they considered this one of their best practices. Get the process going before expanding it too broadly. This enables you to work with less information and fewer resources in the beginning until the process and concepts are familiar. Then this can be broadened out. It enables you to "keep your eye on the ball" and not get lost in the sheer magnitude of embarking upon too ambitious a workload. Part of developing a core competency is not getting caught up in identifying all risks at once. They recommended holding back on the tendency to try to formulate a Corporate Risk Profile at the outset.

Another practice which was described as particularly effective was their "learning by doing" method of training and support. Don't worry about concepts and methodologies too much at first. Initial training efforts have been successful because they have been targeted to areas where there would be a natural fit. Initial training efforts are really the core group providing hands-on support so that the target group learns the process by using it in their particular area. Risk Management concepts and tools training courses are offered after the process is shown. Change the way people work and this will facilitate changing the way they think.

Good Practices

Some other practices of note were undertaking this initiative with the right people and the development of a Risk Management Plan. The use of knowledgeable persons with background in and familiarity with risk management at the beginning is critical. These persons typically were found in the financial, legal, and insurance areas. The Risk Management Plan ensures a set of plans and objectives are agreed upon and developed in consultation with senior management.


Interview Summary Report No. 7: Private Sector Entity


This organization has well-developed practices for managing risks in one of its major operational areas. The organization does not yet manage its risks organization-wide and holistically, but the need for such a broader approach has been discussed. There is a good level of understanding about the benefits of a more holistic approach at the Board of Directors level. Benefits anticipated from this broader approach include assurance that liabilities are adequately covered, that reputational loss is adequately addressed, and that all key risks are being considered.

This organization is poised to start developing its more holistic approach and it recognizes that there will be a challenge in marketing the initiative. The group sponsoring this is addressing the marketing issue by establishing a team approach with the operational group that has extensive risk management experience in their specific function.

There were no best practices to suggest because they are just beginning their holistic approach; however, they suggested that some of the practices they were intending to adopt should be considered good practices.

Good Practices

This organization is planning to undertake a Risk Review. They will conduct a corporate-wide look at the organization with respect to strategic risk management and what its impacts and needs are in each area. The results of this review will be used to assess the gap between needs and existing expertise and processes. This organization already has some well-developed parameters, risk measurement and analysis expertise and tools, as well as general risk reporting structures in place. They intend to use what they have in order to build into these systems rather than add on to them.


Interview Summary Report No. 8: Public Sector Entity


In this public sector entity, a systematic risk assessment / risk management methodology has been developed and applied by staff from the Internal Audit Office (IAO). The IAO offers its services as "consultants" who facilitate the application of the systematic methodology. Benefits of using their methodology extend beyond improved analysis of risks and opportunities to include development of better client working relationships and better access to information for planning future audit work. The future audit work would validate the effectiveness of the risk mitigation measures and resource investments chosen by the client.

Best Practices

Risk self-assessment by the management of work groups, led by an external facilitator, was suggested as a best practice. Tools and models have been developed to ensure an efficient and effective systematic analysis. The use of consistent tools and models also allows for a comprehensive report summarizing the results of all the work groups. Their structured methodology includes a means of numerically quantifying risks, tailored to the client's operating environment. This aids decision-making on which risk areas to prioritize and subsequent decisions on where to invest limited resources to manage the priority residual risks.


Interview Summary Report No. 9: Private Sector Entity


This Canadian corporation has made significant use of risk management for its strategic major projects, recognizing that it is in a transition toward becoming a more global player. It has not yet started a corporate-wide risk management initiative but has chosen to focus on major projects, where it has established broad objectives for re-examining how it manages risk. It has found that more traditional risks such as market and financial risk are adequately managed, but that there would be benefits from managing all risks, including socio-political and technological risks, more systematically. Its efforts to examine some of the softer risk areas more systematically have led to the development and use of new analysis tools and to being more careful about ensuring it is not under-managing new exposures during its current transition.

Best Practices

Scenario planning was suggested as a best practice for this organization. Scenario planning, as used by this organization, provides a context for planning, but scenarios are different from existing planning tools such as a one-year plan. Scenarios are possible and plausible futures; scenario planning examines various uncertainties (risks), which future the organization is most prepared for, and which presents the greatest challenges. This technique provides essential views on how the world (risks) will unfold as a basis for investment decisions.

Planning with partners was also suggested as a best practice for this organization. Planning with one's partners brings broader insights to the table which help identify risks and also more experience from having used different techniques to manage a certain risk. Working with one's partners to examine risks brings excellent benefits besides effective risk identification and mitigation strategies. It helps to build communication and trust between partners or it can signal a relationship that would not work out.

Good Practices

This organization noted that it had developed a number of templates to improve its systematic and structured analysis of risk. It has found the templates to be a good practice because they facilitate an efficient and consistent process.


Interview Summary Report No. 10: Private Sector Entity


This organization has, like many other private sector organizations, traditionally concentrated on managing its financial risks and has built organizational structures and processes over the years to ensure this is done well. It has now set itself an objective to broaden its systematic management of risk to other business operations and events such as security, informatics, human resources, regulatory, legal, etc. It considers these areas a brand new frontier and recognizes that the key challenge in moving in this direction is the cultural shift involved. Cultural shift takes time, and it expects the implementation initiative will require 1 - 2 years.

Best Practices

A best practice for this organization was their messaging about existing personnel, systems and controls as valued foundations, and that new risk management approaches will require careful testing and monitoring. Essentially, the message is that existing personnel, systems and controls are already supposed to manage all the organization's risks, so new risk initiatives should not suggest the foundation is not doing the job. New risk initiatives should convey that the foundation is managing the organization's risks, but that the new initiatives seek to provide more assurance of this against the backdrop of an increasingly challenging world environment. This organization is developing new models and tools to help manage risks better, but these models and tools will not be incorporated into the foundation without careful testing and monitoring. This organization said that it will be monitoring the new risk initiatives very closely in order to be timely in assessing what is working and what lessons can be learned.

Establishing a risk management policy framework was also a best practice for this organization. Given the cultural shift involved in moving risk management concepts beyond the traditional financial area, a policy framework is important to clarify expectations and roles and responsibilities about this new direction. Their policy framework was built based upon existing well-known models of internal control and risk principles to strengthen its conceptual foundation.

Good Practices

Pilot with centres of competency was identified as a good practice. Their implementation strategy includes targeting groups which already have a good level of competency in risk management for the initial pilot projects.

The idea of building upon what you have was a suggestion worthy of noting as a good practice. For this organization their reporting structure for financial risk was well developed so it was intended that they would build on what they have for financial risks to report on other risks as they broaden out their attention on managing other areas of risk.


Interview Summary Report No. 11: Public Sector Entity


This organization is at the outset of undertaking a formal risk management program with the overall objective of making its departments more accountable for losses as well as allowing for greater public transparency. They would like to empower their staff to become more proactive in the handling of unfavourable events. Challenges ahead include ensuring support from the top and ensuring there is enough information in order to monitor or trace relative outcomes of events. This organization's next step is to complete a needs analysis to understand what it has and what it needs to achieve its risk management objectives.

Best Practice

Utilizing the best of what it already has to work with was suggested as a best practice for achieving its overall risk management objectives. The organization has taken a step in this direction by amalgamating its like processes into one central function. It has combined its existing risk management specialists and knowledge under one roof. In addition, it has assigned a risk professional with a strong competency in this subject matter and in integrating various processes to head up the function.


Interview Summary Report No. 12: Private Sector Entity


This organization did not start out with a specific, clear objective about managing risk better. An initiative to establish an ongoing review and assessment of systems and controls using control and risk self-assessment methodology was started a couple of years ago, and a focus on managing risk better has become a feature of this initiative. Control and Risk Self-Assessment (CRSA) sessions now spend more time analyzing risks than had been originally intended.

The culture of the organization is entrepreneurial, so there is a challenge for any new initiative that starts at the centre and is brought out to the independent-minded operating divisions.

Best Practices

Targeting "natural fit" areas and working with them on small pieces at a time was a best practice for this organization, given the cultural resistance to initiatives from the centre and no direct objective yet about managing risk. There have been good results from an approach in which the manager responsible for CRSA facilitates interactive / participatory brainstorming sessions. Keeping the process and content simple was also a factor in the success of the sessions.

Good Practices

CRSA sessions are developed around the internal control framework. They feel that it is not necessary to commit their own resources to building a framework from scratch when there is available an existing one that can be easily adapted to suit their particular needs. In order for any framework to be supported it must be customized according to the organization's individual environment.


Interview Summary Report No. 13: Private Sector Entity


This organization has been developing a more "holistic" view of risk associated with its safety, health, environment and risk management disciplines. There were programs and processes in place to analyze risks in these disciplines, but separate processes and individuals were involved. Their approach now involves systematic risk analysis by a multi-disciplinary group which compares its analyzed results to "acceptable risk criteria". This organization began with activities on its operational side but is now looking to expand its risk management methodology to a wider scope of business risks, with particular focus on financial risks.

Benefits identified for the "holistic" approach include increasing the ability to make better decisions in areas where risk and uncertainty have a key role; assistance in assurance of due diligence; improved understanding of risk and communication of such to the organization's senior management and Board of Directors; and, the development of a cross-functional resource group across the organization now referred to as the "Integrated Risk Centre of Excellence". This centre will lead the continuous improvement of risk management.

Best Practices

Targeting processes or disciplines where there is a "natural fit" was identified as a key best practice for this organization. There was awareness of the need for early demonstration of results and benefits where initial resource investments would be intensive. Targeting disciplines with a natural fit provides access to resources with relevant experience and in this case one of the groups had a standard developed on acceptable risk which was used as a starting point.

Part of the targeting also involved operational activities where highly quantitative analysis was possible. Building on their experience to date they are now developing a semi-quantitative companion tool which can be used by a wider audience and used to assess smaller scale risks.

Training by doing was suggested as another best practice. The approach taken by this organization involved bringing groups together with appropriate experts at the sessions (e.g. engineers, operators, maintenance staff, legal, etc.). Not only is their experience and expertise useful to the analysis but also their involvement supports the objective of integrating risk-based decision-making into day-to-day thinking and activities at all levels of the organization. Their involvement helps them understand, using scenarios they are involved in or can relate to, whether to use the quantitative, semi-quantitative or intuitive approach.

Appendix C Key Document Summaries


Key Document Summary No. 1


AUTHOR: William Bradshaw, FCA and Alan Willis, CA
TITLE: Learning About Risk: Choices, Connections and Competencies
PUBLISHED BY: The Canadian Institute of Chartered Accountants (CICA) Criteria of Control Board, Toronto
DATE: June 1998
NUMBER OF PAGES: 134

SUMMARY OF CONTENT:

Learning About Risk (LAR) is the latest in a series of guidance documents on corporate governance from the Criteria of Control Board (CoCo) of the Canadian Institute of Chartered Accountants. LAR is intended to spark thought and discussion that will lead to a better understanding of the nature of risk and of the processes of risk identification and risk assessment. Since bringing the governance community the CoCo internal control framework in 1995, CoCo started drafting a guidance document on how to assess internal control using its internal control framework. LAR has been published while the guide on assessing internal control is under development "to spark thought and discussion" about risk among the governance community which in turn will help CoCo integrate risk into its upcoming guidance document on assessing internal control.

LAR is an important contribution to the body of knowledge on risk in relation to corporate governance. It goes about sparking interest and discussion by introducing seven (7) models which can be used to focus attention on risk. It also provides eleven (11) propositions and a set of questions for directors, managers and service providers.

Interest and discussion is certainly sparked by Proposition No. 1, which defines risk as "the possibility that one or more individuals or organizations will experience adverse consequences from an event or circumstance". The LAR authors acknowledge that their definition goes against the grain of current thinking by its focus on harm alone rather than on harm and reward. They spend almost five (5) pages explaining their definition and its benefits. They argue that the broader definition strains the commonly understood meaning of risk and has the effect of making risk management encompass virtually all of management, at which point the words start to lose meaning. The authors suggest opportunity should be addressed separately from risk because it takes two different mindsets to assess risk and to assess opportunity. (Published book reviews have taken the authors to task on their strictly negative definition, providing clear evidence of sparks.)

Another important contribution is the clarity with which the authors illustrate the need for both intuitive and systematic approaches. "Managers are finding models helpful as support to the decision-making process for three reasons:

  • the pace of change makes it less likely that patterns observed in prior experience will be reliable guides to current action;
  • decisions require consideration of an increasingly complex web of interrelated factors; and,
  • the magnitude of the consequences of faulty decisions makes worthwhile the cost of achieving additional rigour through the use of models".

The seven (7) models, described in detail with examples, cover virtually all common management decisions and situations involving risk assessment. The seven models are:

  1. Strategic choices: managing risk strategically, taking a global view.
  2. Operational risk and control choices: refers to the controllable internal problems of compliance, efficiency, fraud, error and reporting.
  3. Crisis choices: these choices precede catastrophes.
  4. Resilience and survival choices: resilient organizations have deep pockets in terms of liquid assets, borrowing or new capital capacity, and strong relationships with stakeholders.
  5. Leadership choices: involves the ability to accept responsibility when things go wrong and the courage to say 'I'm sorry'.
  6. Choosing to be aware: awareness of self and awareness of others.
  7. Intuition and the choice to deny or act: the authors argue that the acceptance of intuition is more important than plodding logic.

Key Document Summary No. 2


AUTHOR: Lucy Nottingham
TITLE: A Conceptual Framework for Integrated Risk Management
PUBLISHED BY: Conference Board of Canada
DATE: September 1997
NUMBER OF PAGES: 20

SUMMARY OF CONTENT:

This report is considered by far one of the most comprehensive, concise discussions on integrating risk management on a broad corporate-wide basis. It was researched using a wide range of international organizations and through discussions of Conference Board executive councils on integrated risk management. It discusses current thinking, approaches to, and implementation of risk management, with examples, in leading Canadian and international organizations.

In the broad view of risk, integrated risk management must cover all aspects of the business and its activities, from strategy to operations, and all types of risk -- operational, legal, reputational and financial. Integrated risk management is defined as "a framework to pull together a variety of disciplines in the organization that address both sides of risk - minimizing uncertainty and maximizing opportunities". The critical difference between traditional risk management and integrated risk management is that integrated risk management is as much directed to grasping new opportunities as to minimizing losses (the traditional focus of risk management).

Some of the factors leading to the implementation of integrated risk management in organizations are: the increasingly rapid pace of change enabled by technological innovation; new organizational structures and management processes; spectacular, high-profile failures; downsizing, mergers, and acquisitions; globalization; expanding and changing expectations from shareholders and stakeholders; and, calls by regulatory bodies to disclose control frameworks and risk exposure.

This report stresses that there is no single, comprehensive approach to integrated risk management. The risk management approach and the processes and structures selected for risk management are molded in response to the organization's vision, goals and the risk tolerance of shareholders, management and other stakeholders. However, a number of best practices and basic fundamentals are emerging which have these four items in common:

  • a framework for risk management;
  • a top-down-driven and -supported risk management policy, approach and processes;
  • a "champion" or central co-ordination point to ensure the risk management system is implemented and sustained; and,
  • organization-wide risk management processes.

A risk management framework should be developed by a multi-disciplinary team to:

  • situate an organization in its risk context;
  • help an organization to identify and source business risks and their relationship to, and impact on, that organization;
  • help to clarify the interdependence of risk and to separate causes and effects; and,
  • suggest the necessary organizational controls and the proper allocation of resources to manage the risks.

The risk management policy demonstrates the organization's commitment to the process and demands top-level support. The key objective of any risk management policy should be to make risk management the business of everyone in the organization. The policy should include the following:

  • an overview of the risks faced by the company;
  • the organization's general approach to risk management;
  • the objectives for, and commitment to, risk management;
  • key roles, responsibilities and reporting practices; and
  • comments on the management of unique classes of risk.

The risk "champion" may be an individual assigned or a group or committee that evaluates key decisions against risk management criteria.

Processes must be structured so each area of the organization and all employees take ownership and are accountable for the risk associated with their function. The policy must also set out the organization's broad tolerance and limits for risk exposure for each area of the organization, as well as the risk assessment processes. Organizations use a number of qualitative, quantitative and semi-quantitative measurements and methodologies to assess risks and their level of acceptance. Once an organization has assessed and prioritized its risks, it can determine the necessary response.

Training is essential to create a common process developed centrally but implemented locally and to build the employees' capacity to take ownership for risk management within their spheres of authority and accountability.

As risk management methodologies are rolled across all departments, it becomes possible to quantify all forms of risk facing an organization to create an overall risk profile and identify total risk exposure. Armed with this figure, management and the board could clearly communicate the risk, reward and dangers of the organizational strategy. Further, comparable quantification of all risks would allow the organization to compare the risks and rewards of different strategies and scenarios.

It was found that organizations with integrated risk management processes have a competitive advantage in being better able to exploit risk opportunities and minimize risk hazards as well as anticipating and responding to change. Examples are given by the Business Development Bank of Canada, Microsoft Corp., Engage Energy U.S., Barclays Bank, Royal Bank of Canada, Standard Chartered Bank, Conference Board of Canada and Syncrude Canada Ltd.


Key Document Summary No. 3


AUTHOR: Canadian Standards Association (CSA) Technical Committee on Risk Management
TITLE: CAN/CSA-Q850-97 Risk Management: Guideline for Decision Makers
PUBLISHED BY: CSA
DATE: 1997
NUMBER OF PAGES: 46

SUMMARY OF CONTENT:

This guideline provides definitions and a process for managing risk. The definition of risk reflects only negative effects (i.e. chance of injury or loss) but the six-step process for managing risk includes examining benefits and cost as part of the decision-making process.

The Q850 process has six steps:

  • Initiation
  • Preliminary Analysis
  • Risk Estimation
  • Risk Evaluation
  • Risk Control
  • Action / Monitoring

The Q850 guideline pays great attention to incorporating risk perception and risk communication into the decision process. Risk perception and risk communication are addressed in detail to provide the reader a sound understanding of these key concepts. Risk communication is built into the process through steps which advise that the acceptability of risks to stakeholders is vital to risk management.


Key Document Summary No. 4


AUTHOR: Powell, D. and Leiss, W.
TITLE: MAD COWS and Mother's Milk: The Perils of Poor Risk Communication
PUBLISHED BY: McGill-Queens University Press Magazine
DATE: 1997
NUMBER OF PAGES: 303

SUMMARY OF CONTENT:

Communicating the nature and consequences of environmental and health risks is one of the most problematic areas of public policy in western democracies. Given the perceived risks associated with the food we eat, chemicals in the environment, and modern technologies, consumers need clear, timely and understandable explanations of the nature of those risks - but they rarely get them. Using a series of recent high-profile case studies, Douglas Powell and William Leiss outline the crucial role of risk management in dealing with public controversies and analyze risk communication practices (and malpractice) to provide a set of "lessons learned" for risk managers and communicators.

These studies show that institutions routinely fail to effectively communicate the scientific basis of high-profile risks. These failures to properly inform the public make it difficult for governments, industry and society to manage risk controversies sensibly, thereby resulting in massive and oftentimes unnecessary incremental costs. With its detailed analyses of specific recent risk management controversies, Mad Cows and Mother's Milk may help risk managers avoid similar future mistakes.


Key Document Summary No. 5


AUTHOR: Ron S. Dembo and Andrew Freeman
TITLE: Seeing Tomorrow: Rewriting the Rules of Risk
PUBLISHED BY: John Wiley & Sons Inc.
DATE: 1998
NUMBER OF PAGES: 253

SUMMARY OF CONTENT:

Seeing Tomorrow is a book about weighing financial risk in everyday life. The authors provide a forward-looking approach to risk management and offer guidance on very specific real life problems, such as buying a house or suing someone, as well as on broad strategy and investing.

The authors define financial risk as "a measure of the potential changes in value that will be experienced in a portfolio as a result of differences in the environment between now and some future point in time". Their main elements of forward-looking risk management are:

  • Time Horizon: Over what period of time are we concerned to consider our exposure to risk?
  • Scenarios: What events could unfold in the future and how would they affect the value of our investments?
  • Risk Measure: What is the unit we are using to gauge our exposure to risk?
  • Benchmarks: What are the points of comparison against which we can measure our performance?

The authors also introduce a very interesting risk concept they call "Regret". Regret is associated with the feeling one will have for given outcomes. Regret varies depending on one's circumstances. Most would not regret losing $1 if they do not win on a $1 million lottery. However, most would have greater regret from losing $10,000 if they do not win on a $10 billion lottery, even if there were better odds of winning.

The authors set out a series of risk rules for making decisions. These include: choosing an appropriate time horizon; selecting scenarios; computing Value at Risk (VAR); assessing both the upside and the downside of a potential deal; calculating Regret; and, compiling a reliable Regret matrix.


Key Document Summary No. 6


AUTHOR: N.C. Lind, J.S. Nathwani and E. Siddall
TITLE: Managing Risks in the Public Interest
PUBLISHED BY: Institute for Risk Research (IRR), University of Waterloo
DATE: 1991
NUMBER OF PAGES: 242

SUMMARY OF CONTENT:

This study takes the position that public resources have often been misallocated on safety issues in the past. The misallocation relates to the diminishing efficiency of risk reduction: controlling the last 10 percent is much more expensive than the first 90 percent. The authors suggest that the process by which safety decisions are made is faulty because a rational framework is lacking. The faulty safety management process has the very serious end result that both lives and resources are being wasted.

This study develops the theme that progress in the management of risk is possible if an open accounting is rendered of the risks and benefits. The study goes on to suggest that maximizing net benefits to society among reasonable alternatives should be a guiding principle and provides a framework for the implementation of this principle. Two combined indicators of the expectancy and quality of life are developed to give criteria for decision-making in public policy matters on life saving and safety.

The role of perceived risk is recognized in this study but not explored in detail as a causal factor in the misallocation of resources. The study simply takes the position that objective and analytical approaches to the assessment of risk should be pursued, because actions based upon perceived risk cannot be relied upon for good decisions in the public interest.


Key Document Summary No. 7


AUTHOR: Gerald J.S. Wilde
TITLE: Target Risk
PUBLISHED BY: PDE Publications, Toronto, Canada
DATE: 1994
NUMBER OF PAGES: 234

SUMMARY OF CONTENT:

Wilde defines target risk as "the level of risk a person chooses to accept in order to maximize the overall expected benefit from an activity". He defines "risk homeostasis" as the proposition that "the degree of risk-taking behaviour and the magnitude of loss due to accidents and lifestyle-dependent disease are maintained over time, unless there is a change in the target level of risk". This publication sets out Wilde's theory of Risk Homeostasis along with its supporting arguments and data. The theory provides insights into human risk-taking behaviour. Its arguments are based primarily in the fields of safety and health, but its concepts can transcend any discipline. The book gives real-life examples of how we all set a "risk target" and adjust our behaviour accordingly. For example, if the theory is correct, giving people better-handling cars or better brakes will encourage them to drive more dangerously: people will adjust their actions to return to the same level of risk as before. Dr. Wilde goes as far as to argue that the "three E's" -- enforcement, engineering, and education -- do not improve road safety across a whole population. Of particular interest, however, are his discussions of human risk-taking and of the individual differences among us, based in part upon personality, attitude and lifestyle.


Key Document Summary No. 8


AUTHOR: William Leiss and Christina Chociolko
TITLE: Risk and Responsibility
PUBLISHED BY: McGill-Queen's University Press, Montreal & Kingston
DATE: 1994
NUMBER OF PAGES: 379

SUMMARY OF CONTENT:

If there is one lesson in the book say the authors it is that "all of us in modern society have a direct and vital interest in the proper allocation of responsibility for risky activity". There is a "fear of falling victim unfairly to uncompensated loss" when exposure is involuntary. This fear can lead to excessive risk-aversion. The authors point out that both individuals and societies can be exposed to the chance of loss as a result of both risk-taking and risk-averse behaviour.

This book explores the issue of the public's pervasive risk-averse attitudes. In the opinion of the authors, "one of the chief sources of citizens' overestimation of risk is a vague, intuitive familiarity with the long history (stretching back to the origins of the Industrial Revolution) of the calculated under-assessment of risk by our dominant institutions (industry and government), in particular the willful neglect involved in the exposure of workers to hazardous substances and processes". In addition, the authors suggest that there is no venue in which debate over acceptable risk / benefit trade-offs can take place. This lack of venue helps each party avoid taking responsibility for the full consequences of the positions they hold on what are acceptable risk / benefit trade-offs.

The book also discusses concepts for managing risk in the public interest. Quantitative methodologies and issues such as risk perception and risk communication are discussed in detail. Also discussed in detail are the issues surrounding the apportioning of responsibility. These include the propensity to underestimate risk, and how experts and individuals make risk / benefit trade-offs.

Finally, through a series of case studies and conclusions, the authors propose some useful lessons about how the various risk constituencies (corporate / government, labour / local community, public interest constituencies) could manage risk through negotiated consensus about apportioning responsibility.


Key Document Summary No. 9


AUTHOR: FAA Review Team, Financial Management Policy Division, Deputy Comptroller General Branch
TITLE: Guide on Business Risk Management
PUBLISHED BY: Treasury Board Secretariat, Government of Canada
(Internal Document)
DATE: July 10, 1998
NUMBER OF PAGES: 15 plus appendices

SUMMARY OF CONTENT:

This guide was published as a complement to the Report from the Independent Review Panel on the Modernization of Comptrollership in the Federal Public Service. It is intended to provide a common basis for understanding the concept of business risk management across the federal government and also to provide departments and agencies with a framework for the integration of business risk management into their decision-making processes.

The guide offers a standardized process for identifying, assessing and managing risks in a federal government context. It is the result of a review of 15 private and public sector models, and is intended to be adapted to suit particular functional and operational circumstances.

While relatively recent, the definitions of risk and related concepts tend to focus mostly on the downside, and do not appear to sufficiently recognize the risk / reward equation or the value of using systematic risk assessment to determine the appropriateness of pursuing opportunities or initiatives. This conceptual omission does not detract from the general process as outlined in the guide, but there is a need to provide more encouragement for its application to the pursuit of opportunities, innovations or new initiatives.


Key Document Summary No. 10


AUTHOR: Claire McQuillan
TITLE: Colloquium on Risk Management: Report and Recommendations
PUBLISHED BY: Institute on Governance
DATE: March 30, 1994
NUMBER OF PAGES: 11

SUMMARY OF CONTENT:

On March 23, 1994, twenty-three (23) senior representatives from business, consumer and special interest groups, media, academia, politics and government attended a one-day colloquium to discuss how governments manage risk on behalf of the public, and to suggest improvements. The Colloquium was the idea of the Regulatory Affairs Division of Treasury Board Secretariat. While there was a regulatory backdrop for the events, much of what was brought out by the discussions addresses risk management in the public sector in the broadest context.

Participants pointed out that because there are fewer financial resources than in previous decades, decisions must take into account the very high cost and low benefit of controlling some risks. Further, they noted that the need to balance costs against benefits must be explained to the public as clearly as possible. The public has tended to expect zero risk when it has not been explained to them that zero risk is not a free good.

The participants concluded that governments deal poorly with the Canadian public and media in the area of education and consultation on issues of risk management. According to the participants, governments usually underestimate the ability of these stakeholders to understand such discussions.

The Colloquium report noted that participants identified high expectations of politicians, rigidities in the bureaucracy, a general lack of innovation and the unacceptability of making mistakes as public sector barriers working against making improvements in management of risk. A series of recommendations were made for improving communication with stakeholders and addressing the barriers in order to improve public sector management of risk.


Key Document Summary No. 11


AUTHOR: Canadian Institute of Chartered Accountants (CICA)
TITLE: Corporate Governance: A Review of Disclosure Practices in Canada
PUBLISHED BY: CICA
DATE: December 1997
NUMBER OF PAGES: 69

SUMMARY OF CONTENT:

The Toronto Stock Exchange and the Montreal Stock Exchange have required companies to disclose their corporate governance practices since 1995. In 1995 and again in 1996 annual reports of approximately 150 companies listed on these exchanges were reviewed. This report provides examples of good disclosure to help directors and senior management improve their own disclosure.

The Exchanges require the companies to describe their system of corporate governance with reference to fourteen guidelines. Guideline No. 1 refers to the identification of the principal risks of the corporation's business and ensuring the implementation of appropriate systems to manage these risks. The Corporate Governance Report found that 39% of annual reports did a good / very good job on this guideline in 1996 which was down slightly from the 46% assessment in 1995.

The Corporate Governance Report stated:

"As in the prior year, the disclosures on risk management were varied. In some cases the actual risks were disclosed. In other cases, the disclosures only stated that the risks are identified.

The disclosures show continuing differences in practice as to who is responsible for identifying and managing risk. In some cases, responsibility for providing oversight of risk is allocated among various board committees and the board itself. In others, it is senior management who has responsibility for risk management. Little information was presented that indicated how the board satisfied itself about the reasonableness of the systems in place or representations being made. Some disclosures indicated that risk management was wrapped up in the strategic planning process."

This Corporate Governance Report gave examples of disclosures for BCE Mobile Communications Inc.; Cara Operations Limited; Tech Corporation and Meridian Technologies Inc.

Appendix D Best Practices Framework

DEFINITIONS

In order to provide focus and comparability to the collection of information regarding "best practices" in risk management, definitions of "best practice" and "best practice framework" are presented below.

BEST PRACTICE

A best practice is a strategy, approach, method, tool or technique which was particularly effective in helping an organization achieve its objectives for managing risk. A best practice is also one which is expected to be of value to other organizations. For example, a practice that was particularly helpful in establishing guidance would be of value to many other organizations, including the Treasury Board of Canada Secretariat (TBS) as the provision of guidance to federal departments is one of their important objectives.

BEST PRACTICE FRAMEWORK

A best practice framework sets out the areas where best practices would be expected to be of common interest to a variety of organizations. The basic assumption is that an organization invests resources in managing its risks, both strategic and operational, in order to achieve anticipated benefits. These benefits, which are often defined as objectives for managing risk could be any combination of:

  • communication for commitment
  • enhancement of stakeholder value, achievement of corporate objectives
  • measurement for improved management
  • support for effective accountability and governance
  • strengthening of planning and decision processes (synergy, communications, etc.)
  • increased confidence of stakeholders
  • measurable returns on investments

The best practices matrix we have constructed is outlined below and should be seen as only one possible configuration, selected for its ability to complement other work being done for TBS. It is by no means an exhaustive list. If a practice in your organization has been found to be beneficial, either in achieving your objectives for managing risk, or in the overall achievement of corporate business objectives, but does not seem to fit into this selected configuration please do not hesitate to share it and describe its essence to us. The ultimate test of it as a best practice is whether it may have some value for another organization in their management of risk framework.

1.    Components of Management of Risk:

These are practices for integrating management of risk into the managerial framework of an organization. For example, these would include generic practices for ensuring:

  1. that the objectives and the values for managing risk are defined and communicated throughout the organization;
  2. that the governance and accountability functions reflect the shared responsibility for managing risks and for fostering the commitment at each administrative level of the organization and at the level of its governing body;
  3. that the organization-wide risks are identified and evaluated to support the management processes (planning, resource allocation and decision-making);
  4. that management of risks may be achieved through a series of strategies ranging from:

i) direct mitigation through an internal system of control (and through the continuous improvement of this control system) for those risks which can be directly controlled;

ii) indirect influence, or sharing, partnering, etc., for those risks which can only be indirectly addressed;

iii) simple acceptance and then monitoring of those risks which are beyond either direct control or indirect influence; and,

  5. that management of risk is monitored and there is communication and reporting to senior management, to the governing body and to the key stakeholders.

A more detailed listing of components is appended for reference.

2.    Implementation Strategy:

The practices employed to disseminate and integrate management of risk throughout an organization usually are based on a series of "tools". Examples of tools which could be of common interest may include some of the following:

  • defining a framework which identifies the sources of key business risks and serves as a communication and reporting tool for the organization leading to a common understanding of its risk context which also aids in consistent and coherent analysis and communication of risks;
  • establishing a Management of Risk Policy (or similar authoritative communication tool) to define key implementation strategies such as overall approach, responsibilities, reporting structures and periodic reviews;
  • identifying a "Risk Champion" to provide leadership to management of risk initiatives;
  • using development strategies such as a Task Force, pilot projects and consultant advisors;
  • issuing guidelines, providing training and developing coaches to assist employees and local work teams to manage their risks;
  • adopting a standard process or using an existing standard such as the Canadian Standards Association CAN/CSA-Q850-97 Risk Management: Guideline for Decision-Makers;
  • employing the use of automated (software) tools to aid in risk analysis; and,
  • defining corporate parameters on risk concepts such as likelihood and severity.

Can you please identify which of these (or other) tools may have been effective in assisting your organization to successfully implement its corporate management of risk objectives?

3.    Disciplines and Functions:

The following are specialized key disciplines and functions where risk management is often applied at an operational level. The practices used to integrate risk management into these specialized disciplines and functions (and in turn into the overall organization) are of common interest. These disciplines and functions would include:

  • planning
  • auditing
  • project management
  • finance
  • security
  • insurance and asset management
  • environmental protection
  • hazardous waste management
  • materiel management
  • real property management
  • information technology
  • legal
  • human resources
  • intangibles (e.g. goodwill)
  • compliance and enforcement
  • service delivery

This list is not exhaustive, and should another discipline or specialized function have been targeted for integrating risk management, a best practice which achieved this objective would also be of common interest. (Please note that we are looking for the management process used to initiate and implement specialized risk management within a given function, not the details of the actual specialized practice.)


Appendix

Components of Management of Risk:

These are practices for integrating management of risk into the managerial framework of an organization. For example, these would include generic practices for ensuring:

1. Policy and Values

That the objectives and the values for managing risk are defined and communicated throughout the organization.

  • Risk tolerance and limits
  • Opportunity and risk taking
  • Risk Coverage
  • Integration in management processes

2. Accountability Structure

That the governance and accountability functions reflect the shared responsibility for managing risks and for fostering the commitment at each administrative level of the organization and at the level of its governing body.

  • Role and responsibilities
  • Governance
  • Commitment

3. Risk Profile

That the organization-wide risks are identified and evaluated to support the management processes (planning, resource allocation and decision-making).

  • Scope: types of risks
  • Identification of risks
  • Evaluation of probability or frequency, and of impact
  • Quantification and prioritization

4. Risk Mitigation

That mitigation or management of risks is achieved through the system of control and through the continuous improvement of this system.

  • Control Framework (e.g. CoCo, COSO, etc.)
  • Strategies to directly mitigate risks while following-up/pursuing opportunities
  • Strategies to indirectly influence or to share risks by partnering, insuring, etc.
  • Decisions to accept risks beyond control or influence, and simply enhance monitoring and reporting frequency, while putting contingency plans in place
  • Continuous reassessment of residual risks, plus ongoing updating of strategies
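The Risk Profile and Risk Mitigation components just listed, and the same ladder of strategies in section 1 of the framework (direct mitigation through the control system, indirect influence or sharing, acceptance with monitoring and a contingency plan), worked through as an added example. This is not code from the report or from any of the organizations studied. The five-point likelihood and severity scales, the tolerance threshold, the treatment of a planned control as a reduction in likelihood, and the register entries are all assumptions constructed for illustration.

```python
"""Risk Profile and Risk Mitigation components from the best practices
framework, as an added example: organization-wide risks are scored against
corporate likelihood and severity parameters, prioritized, assigned a
treatment strategy according to how far they lie within the organization's
control, and reassessed for residual risk after planned controls."""
from dataclasses import dataclass

# Corporate parameters (assumption: five-point scales; an inherent score at
# or below RISK_TOLERANCE needs no active treatment beyond monitoring).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_TOLERANCE = 8
CONTROLLABILITY = ("direct", "indirect", "none")


@dataclass
class Risk:
    ident: str
    description: str
    likelihood: str              # label from LIKELIHOOD
    severity: str                # label from SEVERITY
    control: str                 # "direct", "indirect" or "none"
    planned_reduction: int = 0   # likelihood levels removed by planned controls


def _lookup(scale, label, name):
    """Reject labels outside the corporate scale instead of scoring them 0."""
    if label not in scale:
        raise ValueError(f"unknown {name} level {label!r}; use one of {sorted(scale)}")
    return scale[label]


def inherent_score(risk):
    """Likelihood x severity before any planned control is credited."""
    if risk.control not in CONTROLLABILITY:
        raise ValueError(f"{risk.ident}: control must be one of {CONTROLLABILITY}")
    return (_lookup(LIKELIHOOD, risk.likelihood, "likelihood")
            * _lookup(SEVERITY, risk.severity, "severity"))


def residual_score(risk):
    """Score after planned controls; a control cannot push likelihood below 1."""
    likelihood = max(1, _lookup(LIKELIHOOD, risk.likelihood, "likelihood")
                     - risk.planned_reduction)
    return likelihood * _lookup(SEVERITY, risk.severity, "severity")


def treatment(risk):
    """Map a risk onto the framework's strategy ladder."""
    if inherent_score(risk) <= RISK_TOLERANCE:
        return "accept and monitor"
    if risk.control == "direct":
        return "mitigate through the internal control system"
    if risk.control == "indirect":
        return "share or influence (partnering, insurance, contract terms)"
    return "accept, monitor and report more frequently, put a contingency plan in place"


def prioritize(register):
    """Highest inherent score first; ties broken by severity so that
    high-impact risks are not buried behind frequent but minor ones."""
    return sorted(register, key=lambda r: (-inherent_score(r), -SEVERITY[r.severity]))


def residual_above_tolerance(register):
    """Risks that planned controls still leave outside tolerance: the ones to
    reassess and to report to senior management and the governing body."""
    return [r.ident for r in prioritize(register) if residual_score(r) > RISK_TOLERANCE]


# Constructed register (assumption: illustrative entries, not from the report).
REGISTER = [
    Risk("R1", "Compromise of the public web application exposes client records",
         "likely", "severe", "direct", planned_reduction=2),
    Risk("R2", "Supplier of the case-management software withdraws support",
         "possible", "major", "indirect", planned_reduction=1),
    Risk("R3", "Ice storm closes the regional data centre for a week",
         "unlikely", "major", "none"),
    Risk("R4", "Privileged accounts kept after staff transfer out",
         "likely", "moderate", "direct", planned_reduction=3),
    Risk("R5", "Legislative change alters the program's mandate",
         "possible", "moderate", "none"),
]


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.ident} inherent={inherent_score(r):2d} residual={residual_score(r):2d} "
              f"-> {treatment(r)}")
    print("still outside tolerance after planned controls:", residual_above_tolerance(REGISTER))
```

Two things the register makes visible that the bullet list does not: a risk beyond direct or indirect control (R5) can be accepted and still sit outside tolerance, which is exactly why the framework pairs acceptance with more frequent monitoring and a contingency plan; and a heavily controlled risk (R1) can remain the top residual item, so the reassessment step has to be run on residual scores, not on the inherent ranking alone.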

5. Monitoring and Reporting

That management of risk is monitored and there is communication and reporting to senior management, to the governing body and to the key stakeholders.

  • Quality of information
  • Communication
  • Internal and external audit
  • Reporting: to senior management, to governing body, to external stakeholders

Appendix E
Best Practices Interview Guide

Interviewee Guide

Best Practices in Risk Management

i)    Introduction

  1. Please review the materials provided about the nature of the project, the definition of "best practice" and the framework of areas where a best practice may exist.
  2. It is not expected there are best practices in all areas of the framework. It may be your judgment that there were very few best practices and many just good practices which got the job done.
  3. The study would like to concentrate on the "best practices" and it is not necessary to provide much information about the "good practices". However, you will be asked a few questions about your organization's overall approach to managing risk to provide us with baseline information for comparative purposes. It is not intended to name organizations in any published material, so any information you provide about your operations will remain confidential. However, we will request permission to identify the name of your organization as a participant in this study.
  4. There are some questions about the overview and context for risk management to start the survey. Then each of the three main elements of the framework will be discussed with you individually, in regards to whether you have any best practices in each main element and also to obtain some information about your organization regarding each.

ii)    Overview and context for risk management

  1. How does your organization define risk in the context of your business or environment?
  2. Does your organization have a general risk management objective under which risk management activities take place?
  3. Do the objectives and values for managing risk represent a new way of doing business in your organization?
  4. What are the benefits of managing risk for your organization or area? (Probe for: communication for commitment; enhancement of stakeholder value or achievement of objectives; measurement for improved management; support for accountability and governance; strengthening of the planning and decision-making process (such as communication or synergy); increased confidence of stakeholders; measurable returns on investments).

1.    Practices for integrating management of risk into the managerial framework of an organization

Reflecting on the items we defined from a) to e) and in our Appendix, or any other practice for integration, are there some best practices / lessons learned (obstacles overcome) that you would like to relate to us?

a) Defining the objectives and values for managing risk and communicating them throughout the organization

         1. Can you describe in general terms how your organization addresses this item?

        i) Does your organization have a formal risk management policy?

        ii) What are the key features/messages conveyed? (Probe regarding:

  • objectives/principles
  • opportunity and risk taking
  • risk coverage
  • risk tolerances and risk limits
  • a supportive work environment (i.e. tolerance for mistakes)
  • integration of management of risk with other management processes).

        iii) How are risk tolerances managed (i.e. corporately and locally)?

b) Reflecting, in the governance and accountability functions, the shared responsibility for managing risks and for fostering commitment in administrative and governance bodies

1. Can you describe in general terms how your organization addresses this item?

2. What responsibilities do governing bodies of your organization (e.g., Board of Directors, Senior Management Committees, CEO, Ministers, etc.) and senior management have for managing risks? Are they held accountable? If so, how?

3. How does the responsibility/accountability for managing risks cascade through the organization (e.g., through management/administration levels, to all employees)? How are people held accountable?

4. Are significant risks communicated to stakeholders? If so, how, how often, and in what context? Who communicates these to the stakeholders?

c) Identifying and evaluating organization-wide risks to support the management process (planning, resource allocation and decision-making)

1. Can you describe in general terms how your organization addresses this item?

2. What techniques and methods are used for identifying and evaluating risks? (Probe for:

  • the types of risks
  • how risks are identified
  • how risks are quantified
  • how risks are prioritized)

3. Are the results of the evaluation integrated into and systematically referred to in existing management processes (e.g., planning, resource allocation and decision-making)? How?

4. Does the evaluation consider stakeholders' view of risk and the opportunity costs of a risk that is not taken?

5. To what extent has it supported change management and cultural shifts in your organization?

d) Mitigating or managing risks through the system of control and other strategies

1. Can you describe in general terms how your organization addresses this item?

2. Have your strategies or processes for managing risks been changing? Is there an overall strategy for such?

3. Are stakeholders, customers, suppliers or other external bodies involved in your risk management process? In what way?

e) Monitoring the process of managing risks and communicating and reporting to senior management, the governing body and key stakeholders

1. Can you describe in general terms how your organization addresses this item?

2. Is the success in achieving risk management objectives monitored and measured?

3. Is there a specific structure/medium used to report on the management of risk?

4. What is the role of internal audit in your risk management program? (Probe for: monitoring compliance; providing advice on improvements, best practices, methods, etc.)

2. Practices for disseminating and integrating management of risk throughout the organization

Reflecting on the items we defined in our framework and in our Appendix, or any other practice for integration, are there some best practices / lessons learned (obstacles overcome) that you would like to relate to us?

Can you describe in general terms how your organization addresses this area? (Probe for:

  • a framework that identifies the sources of key business risks and serves as a communication and reporting tool for the organization. It leads to a common understanding of its risk context which also aids in consistent and coherent analysis and communication of risks
  • a control framework that identifies key controls to mitigate risks
  • a Management of Risk Policy (or similar authoritative communication tool) to define key implementation strategies such as overall approach, principles, key risk areas, responsibilities, reporting structures and periodic reviews
  • identifying a "risk champion" to provide leadership to management of risk initiatives
  • using task forces, pilot projects and advisors/consultants
  • issuing guidelines or procedures
  • providing training to employees and work teams to manage their risks
  • providing coaches to employees and local work teams to manage their risks
  • adopting a standard process or using an existing standard
  • using automated tools (software) to aid in risk analysis
  • defining corporate parameters on risk concepts such as likelihood and severity

3. Disciplines and Functions

i) Are there disciplines and functions within your organization where risk management is applied at an operational level? Which ones?

ii) Are there best practices / lessons learned (obstacles overcome) associated with the management process used to initiate and implement risk management in this / these areas?

Appendix F Reference Materials

PUBLICATIONS:


Boisclair, J.P., Report of the Independent Review Panel on Modernization of Comptrollership in the Government of Canada, 1997.

Bradshaw, William, Learning About Risk: Choices, Connections and Competencies, CICA Criteria of Control Board, Toronto, 1998.

Canadian Institute of Chartered Accountants Criteria of Control Board (CoCo), Guidance on Assessing Control - The CoCo Principles, (Exposure Draft), June, 1997.

Canadian Standards Association, CAN/CSA-Q850-97 Risk Management: Guideline for Decision-Makers, October, 1997.

Dembo, Ron S. and Freeman, Andrew, Seeing Tomorrow: Rewriting the Rules of Risk, John Wiley & Sons Inc., New York, 1998.

Leiss, William and Chociolko, Christina, Risk and Responsibility, McGill-Queen's University Press, Montreal, 1994.

Leiss, William and Powell, D., Mad Cows and Mother's Milk: The Perils of Poor Risk Communication, McGill-Queen's University Press, Montreal, 1997.

Lind, N.C, Nathwani, J.S. and Siddall E., Managing Risks in the Public Interest, Institute for Risk Research (IRR), University of Waterloo, 1991.

Nottingham, Lucy, The Conference Board of Canada, "A Conceptual Framework for Integrated Risk Management," (212-97 Report), September, 1997.

Wilde, Gerald J.S., Target Risk, PDE Publications, Toronto, 1994.


ARTICLES:


Beke, C., "Leadership and Risk Management," Risk Management Review Website, September 1998

Dickson, Don, "Implementation of Modern Comptrollership-First Steps," FMI Journal, Vol. 10, No. 1, Fall 1998.

Nottingham, Lucy, "Integrated Risk Management," Canadian Business Review, Summer, 1996, pp. 26-28.

Potts, J.C., "Modern Comptrollership: A New Era of PS Reform," Optimum, Vol. 28, No. 2, July, 1998.

Robertson, Michael, "Getting Perspective on Risk," CMA Magazine, June 1997

Samson, Pierre, "Leap of Faith," CGA Magazine, Vol. 32, No. 4, April 1998.

Weir, Michael, "Federal Comptrollership-The Modernization Challenge," FMI Journal, Vol. 9, No. 2, Winter, 1998.

Wiltshire, Colin, "Managing Risk and Risk Acceptance: A Framework for Reconciling Empowerment," Optimum, Vol. 27, No. 3, 1997, pp. 14-23.


PRESENTATIONS:


B.C. Hydro, Integrated Risk Management: B.C. Hydro Perspective, presentation to the Conference Board of Canada Council on Risk Management, October 9, 1997.

Bank of Montreal, International Risk Management, presentation to the Conference Board of Canada Council on Risk Management.

Business Development Bank of Canada, Risk Management at BDC, presentation to the Conference Board of Canada Council on Risk Management, October 3, 1996.

Canada Trust, Risk Measurement Methods, presentation to the Council on Risk Management, Ottawa, October 15, 1998.

Canada's Chartered Accountants, Transforming Control: A New Way of Managing Risk and Improving Organizational Performance, presentation to the Conference Board of Canada Council on Risk Management, May 6, 1997.

Hydro Québec, Crims' 1998 New Frontiers, Adding Value Beyond the Insurance Box: Hydro-Québec IRM Project, presentation by André-Richard Marcel and Jocelyne Lee.

Laidlaw Inc., presentation to the Conference Board of Canada Council on Risk Management, April 16, 1996.

Integrated Justice Corporate Services, Government of Ontario- Audit Services Branch, "Control Risk Assessment" presentation to the East Region Management Team, November 1998.

Noranda Inc., Strategic Risk Management, presentation to The Conference Board of Canada 1998 International Conference on Risk Management, March 26, 1998.

Nova Chemicals Ltd., Nova's Integrated Risk Assessment Process, presentation to The Conference Board of Canada, March 26, 1998.

NOVA Corp., Measurement and Identification of Risk, presentation to the Conference Board of Canada Council on Risk Management, October 9, 1997.

Ontario Hydro, Business Risk Assessment Framework, presentation to the Conference Board of Canada Council on Risk Management, October 9, 1997.

Petro-Canada, Integrated Risk Management, presentation to the Conference Board of Canada Council on Risk Management, 1997.


OTHER REFERENCE MATERIALS:


Canada Trust Financial Services, 1996 Annual Report.

Canada Trust Financial Services, 1997 Annual Report.

Canada Trust Financial Services, 1998 Annual Report.

City of Ottawa, "Handbook on Risk Management."

City of Ottawa, "Risk Management" (video tape recording of risk management training process).

FAA Review Team, Financial Management Policy Division, Deputy Comptroller General Branch, Treasury Board Secretariat, "Guide on Business Risk Management," July 10, 1998.

Financial Administration Act Review Team, "Financial Risk Management Strategy," Financial Management Policy Division, Deputy Comptroller General Branch, April 9, 1998.

Institute on Governance, Treasury Board Secretariat, "Colloquium on Risk Management", Ottawa, Canada, March 30, 1994.

Integrated Justice Corporate Services, Government of Ontario -- Audit Services Branch: Courts Services Division, "Audit Update: Update for Divisional Management Committee," August 1998.

Kelly, Terry, "Safety Management in the New Millennium: NAV CANADA as a Case Study," November 4-6, 1997.

Ministry of the Attorney General, Audit and Quality Assurance Branch -- Courts Administration Division, "Self-Assessment Questionnaire" and "Guide to Self-Assessment Questionnaire."

Proceedings of the 1998 Conference Board of Canada International Conference on Integrated Risk Management.

Treasury Board of Canada, "Guidelines on Risk Communications," 1995.