Integrated Risk Management Framework

Tools & Resources

President's Message
In March 2000, I had the pleasure of tabling the Government of Canada's new
management framework, entitled Results for Canadians. It outlines how we are
modernizing management practices in order to make the Government of Canada more
citizen-focused and better prepared to meet Canadians'changing needs and priorities.
This Integrated Risk Management Framework is an essential part of these modernization
efforts.

In an increasingly complex public policy environment, it is important that Public Service

employees are encouraged to approach their work with creativity and a desire to
innovate. At the same time, however, we must recognize and respect the need to be
prudent in protecting the public interest and maintaining public trust. Achieving this
balance is what this Integrated Risk Management Framework is all about.

This framework is a practical guide to assist public service employees in their decision-
making. At the organizational level, it will help departments and agencies to think more
strategically and improve their ability to set common priorities. At the individual level, it
will help all employees to develop new skills and will strengthen their ability to anticipate,
assess and manage risk.

I invite you to read the framework and make use of the concepts, guidelines and
examples that relate to your particular needs. I am confident that this framework will
lead to the adoption of a more holistic approach to risk management and foster a working
environment which supports employees in pursuing new and innovative ways to better
serve Canadians.

The paper version was signed by

Lucienne Robillard

President of the Treasury Board

Introduction
The Integrated Risk Management Framework delivers on the commitment set out in
Results for Canadians-A Management Framework for the Government of Canada (March
2000) to strengthen risk management practices within the Public Service. In doing so,
the Integrated Risk Management Framework supports the four management
commitments outlined in Results for Canadians: citizen focus, values, results and
responsible spending. The Integrated Risk Management Framework advances a citizen
focus by strengthening decision-making in the public interest and placing more emphasis
on consultation and communication. Similarly, it respects core public service values such
as honesty, integrity and probity at all levels, and contributes to improved results by
managing risk proactively. Integrated risk management also supports a whole-of-
government view grounded in rational priority setting and principles of responsible
spending.
The need for more affordable and effective government combined with trends towards
revitalizing human resources capacity and redesigning service delivery are dramatically
affecting the structure and culture of public organizations. The faster pace and need for
innovation, combined with significant risk-based events from computer failures to natural
disasters, has focused attention on risk management as essential in sound decision-
making and accountability.

Responding to the need to strengthen risk management as a priority on the government

management agenda, the Treasury Board of Canada Secretariat (the Secretariat) led
research and consultations on risk management in collaboration with federal
organizations, academics and private interests. The results highlighted the need for a
common understanding of risk management and a more corporate, systematic approach.
Informed by knowledge and experience from the public and private sectors in Canada
and internationally, the Secretariat and its partners collaborated on the development of
an Integrated Risk Management Framework.

This Framework is designed to advance the development and implementation of modern

management practices and to support innovation throughout the federal Public Service. It
provides a comprehensive approach to better integrate risk management into strategic
decision-making.

The Framework provides an organization with a mechanism to develop an overall

approach to manage strategic risks by creating the means to discuss, compare and
evaluate substantially different risks on the same page. It applies to an entire
organization and covers all types of risks faced by that organization (e.g., policy,
operational, human resources, financial, legal, health and safety, environment,
reputational).

The purpose of the Integrated Risk Management Framework is to:

provide guidance to advance the use of a more corporate and systematic

approach to risk management;
contribute to building a risk-smart workforce and environment that allows for
innovation and responsible risk-taking while ensuring legitimate precautions are
taken to protect the public interest, maintain public trust, and ensure due
diligence; and
propose a set of risk management practices that departments can adopt, or
adapt, to their specific circumstances and mandate.

Application of the Framework is designed to strengthen management practices, decision-

making and priority setting to better respond to citizens'needs. Moreover, practising
integrated risk management is expected to support the desired cultural shift to a risk-
smart workforce and environment. More specifically, it is anticipated that implementation
of the Framework will:

support the government's governance responsibilities by ensuring that

significant risk areas associated with policies, plans, programs and operations are
identified and assessed, and that appropriate measures are in place to address
unfavourable impacts and to benefit from opportunities;
improve results through more informed decision-making, by ensuring that
values, competencies, tools and a supportive environment form the foundation for
innovation and responsible risk-taking, and by encouraging learning from
experience while respecting parliamentary controls;
 strengthen accountability by demonstrating that levels of risk associated with
policies, plans, programs and operations are explicitly understood, and that
investment in risk management measures and stakeholder interests are optimally
balanced; and
enhance stewardship by strengthening public service capacity to safeguard
people, government property and interests.

Integrated risk management respects and builds on core public service values. Outcomes
of applied integrated risk management must be ethical, honest and fair; respect laws,
government authorities and departmental policies; and result in prudent use of
resources.

The Integrated Risk Management Framework responds to the recommendations

contained in the Report of the Independent Review Panel on Modernization of
Comptrollership in the Government of Canada (1997), which were approved by Treasury
Board ministers. The report highlights a new guiding philosophy for comptrollership. This
new philosophy combines a strong commitment to four key elements: performance
reporting (financial and non-financial); sound risk management; the application of an
appropriate system of control and reporting; and values and ethics. In identifying as a
priority the strengthening of risk management across the Public Service, the report
stressed the need for:

"... executives and employees [to be] risk attuned-not only identifying but also
managing risks ...";
"... matching more creative and client-driven decision making and business
approaches with solid risk management..."; and
"... creating an environment in which taking risks and the consequences of doing
so are handled within a mature framework of delegation, rewards and sanctions."

The Framework builds on existing risk management practices, reflects current thinking,
best practices and the value of well-recognized principles for risk management. It is
linked with other federal risk management initiatives across government, including recent
efforts to strengthen internal audit and increase focus on monitoring. Risk management
frameworks are also being developed in areas such as legal risk management and the
precautionary approach. In addition, the Integrated Risk Management Framework
complements the concepts and approach described in the Privy Council Office report-Risk
Management for Canada and Canadians: Report of the ADM Working Group on Risk
Management (2000). Collectively, these individual initiatives are contributing to
strengthening risk management across the federal government in line with modern
comptrollership and to improving practices in managing risk from a whole-of-government
perspective.

Management Challenges

In today's world, change and uncertainty are constants. With increased demand by
parliamentarians for greater transparency in decision-making, better educated and
discerning citizens, globalization, technological advances, and numerous other factors,
adapting to change and uncertainty while striving for operating efficiency is a
fundamental part of the Public Service. Such an environment requires a stronger focus on
integrated risk management practices within organizations in order to strategically deal
with uncertainty, capitalize upon opportunities, and inform and increase involvement of
stakeholders (including parliamentarians), to ensure better decisions in the future.
The challenge for the Public Service of Canada is to approach risk management in a more
integrated and systematic way that includes greater emphasis on consultation and
communication with stakeholders and the public at large. In meeting this challenge, the
Public Service can fulfill its increased responsibility to demonstrate sound decision-
making, in line with increasing expectations of due diligence, more intense public and
media scrutiny, and initiatives for transparency and open government. Risk management
is now seen as an organization-wide issue that, as one of several co-ordinated initiatives,
will improve decision-making, enabling the shift to results-based management.
Integrated risk management requires looking across all aspects of an organization to
better manage risk. Organizations that manage risk organization-wide have a greater
likelihood of achieving their objectives and desired results. Effective risk management
minimizes losses and negative outcomes and identifies opportunities to improve services
to stakeholders and the public at large.

A systematic, integrated but adaptable approach to risk management requires an

organization to build capacity to address risk explicitly, to increase the organization's and
stakeholders'confidence in its ability to achieve its goals. It contributes to better use of
time and resources, improved teamwork and strengthened trust through sharing analyses
and actions with partners. In emphasizing the need for more active and frequent
consultation and risk communication, an integrated approach to risk management leads
to shared responsibility for managing risk. It also increases confidence in the
organization's process, and improves public and stakeholder understanding of trade-offs.

Developing a Risk-Smart Workforce and Environment

Application of the Integrated Risk Management Framework, in conjunction with related

risk management activities, will support a cultural shift to a risk-smart workforce and
environment in the Public Service. Such an environment is one that supports responsible
risk management, where risk management is built into existing governance and
organizational structures, and planning and operational processes. An essential element
of a risk-smart environment is to ensure that the workplace has the capacity and tools to
be innovative while recognizing and respecting the need to be prudent in protecting the
public interest and maintaining public trust.

Departments whose core mandate focuses directly on public health and safety have
traditionally been very proactive in practising systematic risk management. These
departments have a long history of addressing the public's low risk tolerance in the areas
of health and safety and have, as a result, developed an effective risk management
culture. The emerging trends in the public sector environment and challenges associated
with the need to adapt to change and uncertainty are contributing to the increased
interest in risk management in other public policy areas. This higher level of awareness
around risk management and the need to better understand and manage different types
of risks in addition to health and safety risks requires a cultural shift. The aim of this
cultural shift is to develop a risk-smart workforce throughout the Public Service by
ensuring that public servants at all levels are more risk aware and risk attentive, that
mitigation measures are proportionate to the issue at hand, and that the necessary tools
and processes are in place to support them.

Achieving this cultural change will require sustained commitment throughout the Public
Service over a number of years as practices evolve.

Key Concepts
There are three critical concepts that are cornerstones of the Integrated Risk
Management Framework: risk, risk management and integrated risk management. These
concepts are elaborated on below.

Risk

Risk is unavoidable and present in virtually every human situation. It is present in our
daily lives, public and private sector organizations. Depending on the context, there are
many accepted definitions of risk [1] in use.

The common concept in all definitions is uncertainty of outcomes. Where they differ is in
how they characterize outcomes. Some describe risk as having only adverse
consequences, while others are neutral.

While this Framework recognizes the importance of the negative connotation of outcomes
associated with the description of risk (i.e., risk is adverse), it is acknowledged that
definitions are evolving. Indeed, there is considerable debate and discussion on what
would be an acceptable generic definition of risk that would recognize the fact that, when
assessed and managed properly, risk can lead to innovation and opportunity. This
situation appears more prevalent when dealing with operational risks and in the context
of technological risks. For example, Government On-Line (GOL) represents an
opportunity to significantly increase the efficiency of public access to government
services. It is acknowledged in advance that the benefits of pursuing GOL would
outweigh, in the long term, potential negative outcomes, which are foreseen to be
manageable.

To date, no consensus has emerged, but after much research and discussion, the
following description of risk has been developed for the federal Public Service in the
context of the Integrated Risk Management Framework:

Risk refers to the uncertainty that surrounds future events and outcomes. It is
the expression of the likelihood and impact of an event with the potential to
influence the achievement of an organization's objectives.

The phrase "the expression of the likelihood and impact of an event" implies that, as a
minimum, some form of quantitative or qualitative analysis is required for making
decisions concerning major risks or threats to the achievement of an organization's
objectives. For each risk, two calculations are required: its likelihood or probability; and
the extent of the impact or consequences.

Finally, it is recognized that for some organizations, risk management is applied to issues
predetermined to result in adverse or unwanted consequences. For these organizations,
the definition of risk in the Privy Council Office report [2], which refers to risk as "a
function of the probability (chance, likelihood) of an adverse or unwanted event, and the
severity or magnitude of the consequences of that event" will be more relevant to their
particular public decision-making contexts. Although this definition of risk refers to the
negative impact of the issue, the report acknowledges that there are also positive
opportunities arising from responsible risk-taking, and that innovation and risk co-exist
frequently.

Risk Management
Risk management is not new in the federal public sector. It is an integral component of
good management and decision-making at all levels. All departments manage risk
continuously whether they realize it or not-sometimes more rigorously and
systematically, sometimes less so. More rigorous risk management occurs most visibly in
departments whose core mandate is to protect the environment and public health and
safety.

As with the definition of risk, there are equally many accepted definitions of risk
management in use. Some describe risk management as the decision -making process,
excluding the identification and assessment of risk, whereas others describe risk
management as the complete process, including risk identification, assessment and
decisions around risk issues. For example, the Privy Council Office's report refers to risk
management as "the process for dealing with uncertainty within a public policy
environment" [3]

For the purposes of the Integrated Risk Management Framework:

Risk management is a systematic approach to setting the best course of action

under uncertainty by identifying, assessing, understanding, acting on and
communicating risk issues.

In order to apply risk management effectively, it is vital that a risk management culture
be developed. The risk management culture supports the overall vision, mission and
objectives of an organization. Limits and boundaries are established and communicated
concerning what are acceptable risk practices and outcomes.

Since risk management is directed at uncertainty related to future events and outcomes,
it is implied that all planning exercises encompass some form of risk management. There
is also a clear implication that risk management is everyone's business, since people at
all levels can provide some insight into the nature, likelihood and impacts of risk.

Risk management is about making decisions that contribute to the achievement of an

organization's objectives by applying it both at the individual activity level and in
functional areas. It assists with decisions such as the reconciliation of science-based
evidence and other factors; costs with benefits and expectations in investing limited
public resources; and the governance and control structures needed to support due
diligence, responsible risk-taking, innovation and accountability.

Integrated Risk Management

The current operating environment is demanding a more integrated risk management

approach. It is no longer sufficient to manage risk at the individual activity level or in
functional silos. Organizations around the world are benefiting from a more
comprehensive approach to dealing with all their risks.

Today, organizations are faced with many different types of risk (e.g., policy, program,
operational, project, financial, human resources, technological, health, safety, political).
Risks that present themselves on a number of fronts as well as high level, high -impact
risks demand a co-ordinated, systematic corporate response.

Integrated Risk Management

"Whatever name they put on it-business ... holistic ... strategic ... enterprise-leading
organizations around the world are breaking out of the 'silo mentality'and taking a
comprehensive approach to dealing with all the risks they face."

-Towers Perrin

For the purposes of the Integrated Risk Management Framework:

Integrated risk management is a continuous, proactive and systematic process

to understand, manage and communicate risk from an organization-wide
perspective. It is about making strategic decisions that contribute to the
achievement of an organization's overall corporate objectives.

Integrated risk management requires an ongoing assessment of potential risks for an

organization at every level and then aggregating the results at the corporate level to
facilitate priority setting and improved decision-making. Integrated risk management
should become embedded in the organization's corporate strategy and shape the
organization's risk management culture. The identification, assessment and management
of risk across an organization helps reveal the importance of the whole, the sum of the
risks and the interdependence of the parts.

Integrated risk management does not focus only on the minimization or mitigation of
risks, but also supports activities that foster innovation, so that the greatest returns can
be achieved with acceptable results, costs and risks. Integrated risk management strives
for the optimal balance at the corporate level.

The Government of Canada has already used an integrated risk management approach to
manage risk related to Y2K and is currently applying the approach to other major
initiatives such as Government On-Line and Program Integrity.

An Integrated Risk Management Framework

The Integrated Risk Management Framework provides guidance to adopt a more holistic
approach to managing risk. The application of the Framework is expected to enable
employees and organizations to better understand the nature of risk, and to manage it
more systematically.

Four Elements and Their Expected Results

The Integrated Risk Management Framework is comprised of four related elements. The
elements, and a synopsis of the expected results for each, are presented below. Further
details on the conceptual and functional aspects of the Framework are provided in
subsequent sections of this document.

Element 1: Developing the Corporate Risk Profile

the organization's risks are identified through environmental scanning;

current status of risk management within the organization is assessed; and
the organization's risk profile is identified.

Element 2: Establishing an Integrated Risk Management Function

 management direction on risk management is communicated, understood and
applied;
approach to operationalize integrated risk management is implemented through
existing decision-making and reporting structures; and
capacity is built through development of learning plans and tools.

Element 3: Practising Integrated Risk Management

a common risk management process is consistently applied at all levels;

results of risk management practices at all levels are integrated into informed
decision-making and priority setting;
tools and methods are applied; and
consultation and communication with stakeholders is ongoing.

Element 4: Ensuring Continuous Risk Management Learning

a supportive work environment is established where learning from experience is

valued, lessons are shared;
learning plans are built into an organization's risk management practices;
results of risk management are evaluated to support innovation, learning and
continuous improvement; and
experience and best practices are shared, internally and across government.

The four elements of the Integrated Risk Management Framework are presented as they
might be applied: looking outward and across the organization as well as at individual
activities. This comprehensive approach to managing risk is intended to establish the
relationship between the organization and its operating environment, revealing the
interdependencies of individual activities and the horizontal linkages.

While it is acknowledged that some departments are more advanced than others in
moving towards the implementation of an integrated risk management approach, there is
growing appreciation across the Public Service of the need to strengthen risk
management practices and develop a more strategic and corporate-wide focus.
Implementing integrated risk management will depend largely on an organization's state
of readiness, overall priorities and the level of effort necessary to implement the various
elements. As a result, developing a more mature risk management environment will
require sustained commitment and will evolve over time. This Framework is a step in
establishing the foundation for integrated risk management in the public sector. It is
acknowledged that to support and facilitate implementation, the development of specific
tools and guidelines as well as sharing of best practices and lessons learned will be
required.

Element 1: Developing the Corporate Risk Profile

A broad understanding of the operating environment is an important first step in
developing the corporate risk profile. Developing the risk profile at the corporate level is
intended to examine both threats and opportunities in the context of an organization's
mandate, objectives and available resources.

In building the corporate risk profile, information and knowledge at both the corporate
and operational levels is collected to assist departments in understanding the range of
risks they face, both internally and externally, their likelihood and their potential impacts.
In addition, identifying and assessing the existing departmental risk management
capacity and capability is another critical component of developing the corporate risk
profile.

An organization can expect three key outcomes as a result of developing the corporate
risk profile:

Threats and opportunities are identified through ongoing internal and external
environmental scans, analysis and adjustment.
Current status of risk management within the organization is assessed-
challenges/opportunities, capacity, practices, culture- and recognized in planning
organization-wide management of risk strategies.
The organization's risk profile is identified-key risk areas, risk tolerance, ability
and capacity to mitigate, learning needs.

External and Internal Environment

Through the environmental scan, key external and internal factors and risks influencing
an organization's policy and management agenda are identified. Identifying major trends
and their variation over time is particularly relevant in providing potential early warnings.
Some external factors to be considered for potential risks include:

Political: the influence of international governments and other governing bodies;

Economic: international and national markets, globalization;
Social: major demographic and social trends, level of citizen engagement; and
Technological: new technologies.

Internally, the following factors are considered relevant to the development of an

organization's risk profile: the overall management framework; governance and
accountability structures; values and ethics; operational work environment; individual
and corporate risk management culture and tolerances; existing risk management
expertise and practices; human resources capacity; level of transparency required; and
local and corporate policies, procedures and processes.

The environmental scan increases the organization's awareness of the key characteristics
and attributes of the risks it faces. These include:

type of risk: technological, financial, human resources (capacity, intellectual

property), health, safety;
source of risk: external (political, economic, natural disasters); internal
(reputation, security, knowledge management, information for decision making);
what is at risk: area of impact/type of exposure (people, reputation, program
results, materiel, real property); and
level of ability to control the risk: high (operational); moderate (reputation);
low (natural disasters).

An organization's risk profile identifies key risk areas that cut across the organization
(functions, programs, systems) as well as individual events, activities or projects that
could significantly influence the overall management priorities, performance, and
realization of organizational objectives.
The environmental scan assists the department in establishing a strategic direction for
managing risk, making appropriate adjustments in decisions and actions. It is an ongoing
process that reinforces existing management practices and supports the attainment of
overall management excellence.

Assessing Current Risk Management Capacity

In assessing internal risk management capacity, the mandate, governance and decision-
making structures, planning processes, infrastructure, and human and financial resources
are examined from the perspective of risk. The assessment requires an examination of
the prevailing risk management culture, risk management processes and practices to
determine if adjustments are necessary to deal with the evolving risk environment.

Furthermore, the following factors are considered key in assessing an organization's

current risk management capacity: individual factors (knowledge, skills, experience, risk
tolerance, propensity to take risk); group factors (the impact of individual risk tolerances
and willingness to manage risk); organizational factors (strategic direction, stated or
implied risk tolerance); as well as external factors (elements that affect particular risk
decisions or how risk is managed in general).

Risk Tolerance

An awareness and understanding of the current risk tolerances of various stakeholders is

a key ingredient in establishing the corporate risk profile. The environmental scan will
identify stakeholders affected by an organization's decisions and actions, and their degree
of comfort with various levels of risk. Understanding the current state of risk tolerance of
citizens, parliamentarians, interest groups, suppliers, as well as other government
departments will assist in developing a risk profile and making decisions on what risks
must be managed, how, and to what extent. It will also help identify the challenges
associated with risk consultations and communication.

In the Public Service, citizens'needs and expectations are paramount. For example, most
citizens would likely have a low risk tolerance for public health and safety issues (injuries,
fatalities), or the loss of Canada's international reputation. Other risk tolerances for
issues such as project delays and slower service delivery may be less obvious and may
require more consultation.

In general, there is lower risk tolerance for the unknown, where impacts are new,
unobservable or delayed. There are higher risk tolerances where people feel more in
control (for example, there is usually a higher risk tolerance for automobile travel than
for air travel).

Risk tolerance can be determined through consultation with affected parties, or by

assessing stakeholders'response or reaction to varying levels of risk exposure. Risk
tolerances may change over time as new information and outcomes become available, as
societal expectations evolve and as a result of stakeholder engagement on trade-offs.
Before developing management strategies, a common approach to the assessment of risk
tolerance needs to be understood organization-wide.

Determining and communicating an organization's own risk tolerance is also an essential

part of managing risk. This process identifies areas where minimal levels of risk are
permissible, as well as those that should be managed to higher, yet reasonable levels of
risk.
Element 2: Establishing an Integrated Risk
Management Function
Establishing an integrated risk management function means setting up the corporate
"infrastructure" for risk management that is designed to enhance understanding and
communication of risk issues internally, to provide clear direction and demonstrate senior
management support. The corporate risk profile provides the necessary input to establish
corporate risk management objectives and strategies. To be effective, risk management
needs to be aligned with an organization's overall objectives, corporate focus, strategic
direction, operating practices and internal culture. In order to ensure risk management is
a consideration in priority setting and revenue allocation, it needs to be integrated within
existing governance and decision-making structures at the operational and strategic
levels.

To ensure that risk management is integrated in a rational, systematic and proactive

manner, an organization should seek to achieve three related outcomes:

Management direction on risk management is communicated, understood and

applied-vision, policies, operating principles.
Approach to operationalize integrated risk management is implemented through
existing decision-making structures: governance, clear roles and responsibilities,
and performance reporting.
Building capacity-learning plans and tools are developed for use throughout the
organization.

Strategic Risk Management Direction

The establishment and communication of the organization's risk management vision,

objectives and operating principles are vital to providing overall direction, and ensure the
successful integration of the risk management function into the organization. Using these
instruments can reinforce the notion that risk management is everyone's business.

It is essential that management provides a clear statement of its commitment to risk

management and determines the best way to implement risk management in its
organization. This includes establishing a corporate focus and communicating internal
parameters, priorities, and practices for the implementation of risk management. To
reinforce the corporate focus on risk management, organizations may dedicate a small
number of resources to provide both advisory and challenge functions, and to specifically
integrate these responsibilities into an existing unit (for example, Corporate Planning and
Policy, Comptrollership Secretariat, Internal Audit).

In establishing the strategic risk management direction, internal and external concerns,
perceptions and risk tolerances are taken into account. It is also imperative to identify
acceptable risk tolerance levels so those unfavourable outcomes can be remedied
promptly and effectively. Clear communication of the organization's strategic direction
will help foster the creation and promotion of a supportive corporate risk management
culture.

Objectives and strategies for risk management are designed to complement the
organization's existing vision and goals. In establishing an overall risk management
direction, a clear vision for risk management is articulated and supported by policies and
operating principles. The policy would guide employees by describing the risk
management process, establishing roles and responsibilities, providing methods for
managing risk, as well as providing for the evaluation of both the objectives and results
of risk management practices.

Integrating Risk Management into Decision Making

Effective risk management cannot be practised in isolation, but needs to be built into
existing decision-making structures and processes. As risk management is an essential
component of good management, integrating the risk management function into existing
strategic management and operational processes will ensure that risk management is an
integral part of day-to-day activities. In addition, organizations can capitalize on existing
capacity and capabilities (e.g., communications, committee structures, existing roles and
responsibilities, etc.)

While each organization will find its own way to integrate risk management into existing
decision-making structures, the following are factors that may be considered:

aligning risk management with objectives at all levels of the organization;

introducing risk management components into existing strategic planning and
operational processes;
communicating corporate directions on acceptable level of risk; and
improving control and accountability systems and processes to take into account
risk management and results.

The integration of risk management into decision-making is supported by a corporate

philosophy and culture that encourages everyone to manage risks. This can be
accomplished in a number of ways, such as:

seeking excellence in management practices, including risk management;

having senior managers champion risk management;
encouraging innovation, while providing guidance and assistance in situations that
do not turn out favourably;
encouraging managers to develop knowledge and skills in risk management;
including risk management as part of employees'performance appraisals;
introducing incentives and rewards; and
recruiting on risk management ability as well as experience.

Reporting on Performance

The development of evaluation and reporting mechanisms for risk management activities
provides feedback to management and other interested parties in the organization and
government-wide. The results of these activities ensure that integrated risk management
is effective in the long term. Some of these activities could fall to functional groups in the
organization responsible for review and audit. Responsibility may also be assigned to
operational managers and employees to ensure that information affecting risk that is
collected as part of local reporting or practices is incorporated into the environmental
scanning process. Reporting could take place through normal management channels
(performance reporting, ongoing monitoring, appraisal) as part of the advisory and
challenge functions associated with risk management.
Reporting facilitates learning and improved decision-making by assessing both successes
and failures, monitoring the use of resources, and disseminating information on best
practices and lessons learned. Organizations should evaluate the effectiveness of their
integrated risk management processes on a periodic basis. In collaboration with
departments, the Treasury Board of Canada Secretariat will review the effectiveness of
the Integrated Risk Management Framework and make the necessary adjustments to
ensure sustained progress in building a risk-smart workforce and environment.

Building Organizational Capacity

Building risk management capacity is an ongoing challenge even after integrated risk
management has become firmly entrenched. Environmental scanning will continue to
identify new areas and activities that require attention, as well as the risk management
skills, processes, and practices that need to be developed and strengthened.

Organizations need to develop their own capacity strategies based on their specific
situation and risk exposure. The implementation of the Integrated Risk Management
Framework will be further supported by the Treasury Board of Canada Secretariat, which,
through a centre of expertise, will provide overall guidance, advice and share best
practices.

To build capacity for risk management, there needs to be a focus on two key areas:
human resources, and tools and processes at both the corporate and local levels. The risk
profile will identify the organization's existing strengths and weaknesses vis-à-vis
capacity. Areas that may require attention include:

Human Resources

building awareness of risk management initiatives and culture;

broadening skills base through formal training including appropriate applications
and tools;
increasing knowledge base by sharing best practices and experiences; and
building capacity, capabilities and skills to work in teams.

Tools and Processes

developing and adopting corporate risk management tools, techniques, practices

and processes;
providing guidance on the application of tools and techniques;
allowing for development and/or the use of alternative tools and techniques that
may be better suited to managing risk in specialized applications; and
adopting processes to ensure integration of risk management across the
organization.

Element 3: Practising Integrated Risk Management

Implementing an integrated risk management approach requires a management decision
and sustained commitment, and is designed to contribute to the realization of
organizational objectives. Integrated risk management builds on the results of an
environmental scan and is supported by appropriate corporate infrastructure.
The following outcomes are expected for practising integrated risk management:

← A departmental risk management process is consistently applied at all levels,

where risks are understood, managed and communicated.
← Results of risk management practices at all levels are integrated into informed
decision-making and priority setting-strategic, operational, management and
performance reporting.
← Tools and methods are applied as aids to make decisions.
← Consultation and communication with stakeholders is ongoing-internal and
external.

A Common Process

A common, continuous risk management process assists an organization in

understanding, managing and communicating risk. Continuous risk management has
several steps. Emphasis on various points in the process may vary, as may the type,
rigour or extent of actions considered, but the basic steps are similar. In the exhibits that
follow, Exhibit 1 illustrates an example of a continuous risk management process that
focuses on an integrated approach to risk management, while Exhibit 2 presents a risk
management decision-making process in the context of public policy.

Exhibit 1: A Common Risk Management Process

Display full size graphic

Internal and external communication and continuous learning improve understanding and
skills for risk management practice at all levels of an organization, from corporate
through to front-line operations. The process provides common language, guides
decision-making at all levels, and allows organizations to tailor their activities at the local
level. Documenting the rationale for arriving at decisions strengthens accountability and
demonstrates due diligence.

The common risk management process and related activities are:

Risk Identification

1. Identifying Issues, Setting Context

Defining the problems or opportunities, scope, context (social, cultural, scientific

evidence, etc.) and associated risk issues.
Deciding on necessary people, expertise, tools and techniques (e.g., scenarios,
brainstorming, checklists).
Performing a stakeholder analysis (determining risk tolerances, stakeholder
position, attitudes).

Risk Assessment

2. Assessing Key Risk Areas

 Analyzing context/results of environmental scan and determining types/categories
of risk to be addressed, significant organization-wide issues, and vital local issues.

3. Measuring Likelihood and Impact

Determining degree of exposure, expressed as likelihood and impact, of assessed

risks, choosing tools.
Considering both the empirical/scientific evidence and public context.

4. Ranking Risks

Ranking risks, considering risk tolerance, using existing or developing new criteria
and tools.

Responding to Risk

5. Setting Desired Results

Defining objectives and expected outcomes for ranked risks, short/long term.

6. Developing Options

Identifying and analyzing options-ways to minimize threats and maximize

opportunities-approaches, tools.

7. Selecting a Strategy

Choosing a strategy, applying decision criteria-results-oriented,

problem/opportunity driven.
Applying, where appropriate, the precautionary approach/principle as a means of
managing risks of serious or irreversible harm in situations of scientific
uncertainty.

8. Implementing the Strategy

Developing and implementing a plan.

Monitoring and Evaluation

9. Monitoring, Evaluating and Adjusting

Learning, improving the decision-making/risk management process locally and

organization-wide, using effectiveness criteria, reporting on performance and
results.

Organizations may vary the basic steps and supporting tasks most suited to achieving
common understanding and implementing consistent, efficient and effective risk
management. A focused, systematic and integrated approach recognizes that all
decisions involve management of risk, whether in routine operations or for major
initiatives involving significant resources. It is important that the risk management
process be applied at all levels, from the corporate level to programs and major projects
to local systems and operations. While the process allows tailoring for different uses,
having a consistent approach within an organization assists in aggregating information to
deal with risk issues at the corporate level.

Exhibit 2: Risk Management in Public Policy: A Decision-Making Process

Display full size graphic

Exhibit 2 presents the model, developed by the PCO-led ADM Working Group on Risk
Management, which addresses the issue of risk management in the context of public
policy development. This model presents a basis for exploring issues of interest to
government policy-makers, and provides a context in which to discuss, examine, and
seek out interrelationships between issues associated with public policy decisions in an
environment of uncertainty and risk (i.e., a model of public risk management).

As in Exhibit 1, this model recognizes six basic steps: identification of the issue; analysis
or assessment of the issue; development of options; decision; implementation of the
decision; and evaluation and review of the decision. [4]

In this model, several key elements were identified as influencing the public policy
environment surrounding risk management:

There is a public element to virtually all government decision-making, and it is a

central and legitimate input to the process.
Uncertainty in science, together with competing policy interests (including
international obligations) has led to increased focus on the precautionary
approach.
A decision-making process does not occur in isolation-the public nature and
complexity of many government policy issues means that certain factors, such as
communications and consultation activities, legal considerations, and ongoing
operational activities, require active consideration at each stage of the process.
Integrating Results for Risk Management into Practices at all
Levels

The results of risk management are to be integrated both horizontally and vertically into
organizational policies, plans and practices. Horizontally, it is important that results be
considered in developing organization-wide policies, plans and priorities. Vertically,
functional units, such as branches and divisions, need to incorporate these results into
programs and major initiatives.

In practice, the risk assessment and response to risk would be considered in developing
local business plans at the activity, division or regional level. These plans would then be
considered at the corporate level, and significant risks (horizontal or high-impact risks)
would be incorporated into the appropriate corporate business, functional or operational
plan.

The responsibility centre providing the advisory and "corporate challenge" functions can
add value to this process, since new risks might be identified and new risk management
strategies required after the roll-up. There needs to be a synergy between the overall risk
management strategy and the local risk management practices of the organization.

Each function or activity would have to be examined from three standpoints:

its purpose: risk management would look at decision-making, planning, and

accountability processes as well as opportunities for innovation;
its level: different approaches are required based on whether a function or
activity is strategic, management or operational; and
the relevant discipline: the risks involved with technology, finance, human
resources, and those regarding legal, scientific, regulatory, and/or health and
safety issues.

Tools and Methods

At a technical level, various tools and techniques can be used for managing risk. The
following are some examples:

risk maps: summary charts and diagrams that help organizations identify,
discuss, understand and address risks by portraying sources and types of risks
and disciplines involved/needed;
modelling tools: such as scenario analysis and forecasting models to show the
range of possibilities and to build scenarios into contingency plans;
framework on the precautionary approach: a principle-based framework that
provides guidance on the precautionary approach in order to improve the
predictability, credibility and consistency of its application across the federal
government;
qualitative techniques: such as workshops, questionnaires, and self
-assessment to identify and assess risks; and
Internet and organizational Intranets: promote risk awareness and
management by sharing information internally and externally.
Exhibit 3 provides an example of a risk management model. In this model, one can
assess where a particular risk falls in terms of likelihood and impact and establish the
organizational strategy/response to manage the risk.

Exhibit 3: A Risk Management Model

Display full size graphic

In developing methods to provide guidance on risk management, the different levels of

readiness and experience in a department, as well as variations in available resources
need to be recognized. Therefore, methods need to be flexible and simple using clear
language to ensure open channels of communication.

Several practical methods that could be used to provide guidance are:

← a managers'forum: where risks are identified, proposed actions are discussed

and best practices are shared;
← an internal risk management advisory function: dedicated to risk
management, either as a special unit or associated with an existing functional
unit; and
← tool kits: a collection of effective risk management tools such as checklists,
questionnaires, best practices.

Communication and Consultation

Communication of risk and consultation with interested parties are essential to supporting
sound risk management decisions. In fact, communication and consultation must be
considered at every stage of the risk management process.

A fundamental requirement for practising integrated risk management is the

development of plans, processes and products through ongoing consultation and
communication with stakeholders (both internal and external) who may be involved in or
affected by an organization's decisions and actions.

Consultation and proactive citizen engagement will assist in bridging gaps between
statistical evidence and perceptions of risk. It is also important that risk communication
practices anticipate and respond effectively to public concerns and expectations. A
citizen's request for information presents an opportunity to communicate about risk and
the management of risk.

In the public sector context, some high-profile risk issues would benefit from proactively
involving parliamentarians in particular forums of discussion thus creating opportunities
for exchanging different perspectives. In developing public policy, input from both the
empirical and public contexts ensures that a more complete range of information is
available, therefore, leading to the development of more relevant and effective public
policy options. Internally, risk communication promotes action, continuous learning,
innovation and teamwork. It can demonstrate how management of a localized risk
contributes to the overall achievement of corporate objectives.

Risk communication involves a range of activities, including issue identification and

assessment, analysis of the public environment (including stakeholder interests and
concerns), development of consultation and communications strategies, message
development, working with the media, and monitoring and evaluating the public dialogue.
The public sector has the additional responsibility of reporting to and communicating with
Parliament.

Within the federal Public Service, it is expected that consultation activities, including
those related to risk management, will be undertaken in a manner that is consistent with
the Government Communications Policy.

Element 4: Ensuring Continuous Risk Management

Learning
Continuous learning is fundamental to more informed and proactive decision-making. It
contributes to better risk management, strengthens organizational capacity and facilitates
integration of risk management into an organizational structure. To ensure continuous
risk management learning, pursue the following outcomes:

← Learning from experience is valued, lessons are shared-a supportive work

environment.
← Learning plans are built into organization's risk management practices.
← Results of risk management are evaluated to support innovation, capacity
building and continuous improvement-individual, team and organization.
← Experience and best practices are shared-internally and across government.

Creating a Supportive Work Environment

A supportive work environment is a key component of continuous learning. Valuing

learning from experience, sharing best practices and lessons learned, and embracing
innovation and responsible risk-taking characterize an organization with a supportive
work environment. An organization with a supportive work environment would be
expected to:
Promote learning
← by fostering an environment that motivates people to learn;
← by valuing knowledge, new ideas and new relationships as vital aspects of the
creativity that leads to innovation; and
← by including and emphasizing learning in strategic plans.

Learn from experience

← by valuing experimentation, where opportunities are assessed for benefits and
consequences;
← by sharing learning on past successes and failures; and
← by using "lessons learned" and "best practices" in planning exercises.

Demonstrate management leadership

← by selecting leaders who are coaches, teachers and good stewards;
← by demonstrating commitment and support to employees through the provision of
opportunities, resources, and tools; and
← by making time, allotting resources and measuring success through periodic
reviews (e.g., learning audits).

Building Learning Plans in Practices

Since continuous learning contributes significantly to increasing capacity to manage risk,

the integration of learning plans into all aspects of risk management is fundamental to
building capacity and supporting the strategic direction for managing risk.

As part of a unit's learning strategy, learning plans provide for the identification of
training and development needs of each employee. Effective learning plans, reflecting
risk management learning strategies, are linked to both operational and corporate
strategies, incorporate opportunities for managers to coach and mentor staff, and
address competency gaps (knowledge and skills) for individuals and teams. The inclusion
of risk management learning objectives in performance appraisals is a useful approach to
support continuous risk management learning.

Supporting Continuous Learning and Innovation

In implementing a continuous learning approach to risk management, it is important to

recognize that not all risks can be foreseen or totally avoided. Procedures are paramount
to ensure due diligence and to maintain public confidence. Goals will not always be met
and innovations will not always lead to expected outcomes. However, if risk management
actions are informed and lessons are learned, promotion of a continuous learning
approach will create incentives for innovation while still respecting organizational risk
tolerances. The critical challenge is to show that risk is being well-managed and that
accountability is maintained while recognizing that learning from experience is important
for progress.

In addition to demonstrating accountability, transparency and due diligence, proper

documentation may also be used as a learning tool. Practising integrated risk
management should support innovation, learning, and continuous improvement at the
individual, team and organization level.
An organization demonstrates continuous learning with respect to risk management if:

← an appropriate risk management culture is fostered;

← learning is linked to risk management strategy at many levels;
← responsible risk-taking and learning from experience is encouraged and
supported;
← there is considerable information sharing as the basis for decision-making;
← decision-making includes a range of perspectives including the views of
stakeholders, employees and citizens; and
← input and feedback are actively sought and are the basis for further action.

Conclusion
The Integrated Risk Management Framework advances a more systematic and integrated
approach for risk management. By focusing on the importance of risk communication and
risk tolerance, it looks outside the organization for the views of Canadians. Internally, it
emphasizes the importance of people and leadership and the need for departments and
agencies to more clearly define their roles. The Framework provides a tool that helps
organizations communicate a vision and objectives for management of risk based on
government values and priorities, lessons learned, best practices and consultation with
stakeholders.

The Framework is a fundamental part of the federal management agenda and Modern
Comptrollership. It is designed to support the optimization of resource allocation and
responsible spending, paramount for achieving results. It also builds on public sector
values, knowledge management and continuous learning for innovation. The Integrated
Risk Management Framework is the first step in establishing the foundation for more
strategic and corporate integrated risk management in departments and in government.
In the future, the Framework will be supported by tools and guidance documents as well
as complemented by other risk management initiatives.

The Treasury Board of Canada Secretariat intends to work closely with departments and
agencies in implementing the Integrated Risk Management Framework and in tracking
progress toward building a risk-smart workforce and environment in the Public Service.

Appendix: Shared Leadership-Suggested Roles and

Responsibilities
In moving toward an integrated risk management function, everyone has a role to play.
Combining shared leadership with a team approach will help contribute to the success of
integrated risk management throughout the organization. Suggested roles and
responsibilities that could be considered by the different parties involved in integrated
risk management are outlined below.

Treasury Board of Canada Secretariat

← communicating and explaining the Integrated Risk Management Framework;

 ← providing guidance, training and a centre of expertise in support of the Integrated
Risk Management Framework;
← providing Treasury Board, other central agencies and Parliament with risk
management information and advice appropriate to their responsibilities; and
← periodically examining and evaluating the effectiveness of the Integrated Risk
Management Framework, tracking progress and reporting on best practices.

Deputy Heads or Equivalent

← setting the tone from the top that systematic and integrated risk management is
valuable for understanding uncertainty in decision-making and for demonstrating
accountability to stakeholders;
← determining the best way to implement the Integrated Risk Management
Framework in their organization;
← ensuring that a supportive learning environment exists for risk management,
including sensible risk taking and learning from experience;
← ensuring, from a corporate perspective, that risks are prioritized, and that
appropriate risk management strategies are in place to respond to identified risks;
and
← ensuring the capacity to report on the performance of the risk management
function (i.e., knowing how well the department or agency is managing risk).

Senior Management

← integrating risk management into overall departmental strategy and management

frameworks;
← providing managers and employees with learning opportunities and training to
build competencies; and
← allocating resources for investment in more systematic risk management.

Managers

← considering risk as a part of their decision-making process; and

← ensuring there is appropriate ongoing operational and corporate-related risk
management action, planning, training, control, monitoring and documentation.

Functional Advisors and Specialists

← ensuring that policy and related advice, guidance and assistance is in line with
central agency and departmental policies on risk management and senior
management's objectives;
← helping managers identify and assess risk and the effectiveness, efficiency and
economy of existing measures to manage risk; and
← helping managers design and implement tools for more effective risk
management.

Review, Internal Audit

← reporting to the Deputy Head on the department's or agency's performance under

the Integrated Risk Management Framework.
All Public Servants

← staying aware of and attentive to risk management issues;

← risk-smart behaviours and outcomes-considering limitations, key risk areas and
fundamental rules to understand risks they can and cannot take (i.e.,
understanding where there is allowance for honest mistakes and where prudence
is paramount); and
← documenting decisions and supporting information.