Risk Management
Uploaded by
Mian Muhammad HaseebRisk Management
Uploaded by
Mian Muhammad HaseebRISK MANAGEMENT
Risk is defined in ISO 31000 as the effect of uncertainty on objectives (whether positive or
negative). Risk management can therefore be considered the identification, assessment, and
prioritization of risks followed by coordinated and economical application of resources to
minimize, monitor, and control the probability and/or impact of unfortunate events[1] or to
maximize the realization of opportunities. Risks can come from uncertainty in financial
markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters as
well as deliberate attacks from an adversary. Several risk management standards have been
developed including the Project Management Institute, the National Institute of Science and
Technology, actuarial societies, and ISO standards.[2][3] Methods, definitions and goals vary
widely according to whether the risk management method is in the context of project
management, security, engineering, industrial processes, financial portfolios, actuarial
assessments, or public health and safety.
The strategies to manage risk include transferring the risk to another party, avoiding the risk,
reducing the negative effect of the risk, and accepting some or all of the consequences of a
particular risk.
Certain aspects of many of the risk management standards have come under criticism for
having no measurable improvement on risk even though the confidence in estimates and
decisions increase.[1]
Contents
[hide]
• 1 Introduction
o 1.1 Method
o 1.2 Principles of risk management
• 2 Process
o 2.1 Establishing the context
o 2.2 Identification
o 2.3 Assessment
o 2.4 Potential risk treatments
2.4.1 Risk avoidance
2.4.1.1 Hazard Prevention
2.4.2 Risk reduction
2.4.3 Risk sharing
2.4.4 Risk retention
o 2.5 Create a risk-management plan
o 2.6 Implementation
o 2.7 Review and evaluation of the plan
• 3 Limitations
• 4 Areas of risk management
o 4.1 Enterprise risk management
o 4.2 Risk management activities as applied to project management
o 4.3 Risk management techniques in petroleum and natural gas
• 5 Risk management and business continuity
• 6 Risk communication
o 6.1 Bow Tie diagrams
PRE: SAQIB ALI
RISK MANAGEMENT
o 6.2 Seven cardinal rules for the practice of risk communication
• 7 See also
• 8 References
• 9 Further reading
• 10 External links
[edit] Introduction
This section provides an introduction to the principles of risk management. The vocabulary of
risk management is defined in ISO Guide 73, "Risk management. Vocabulary."[2]
In ideal risk management, a prioritization process is followed whereby the risks with the
greatest loss and the greatest probability of occurring are handled first, and risks with lower
probability of occurrence and lower loss are handled in descending order. In practice the
process can be very difficult, and balancing between risks with a high probability of
occurrence but lower loss versus a risk with high loss but lower probability of occurrence can
often be mishandled.
Intangible risk management identifies a new type of a risk that has a 100% probability of
occurring but is ignored by the organization due to a lack of identification ability. For
example, when deficient knowledge is applied to a situation, a knowledge risk materializes.
Relationship risk appears when ineffective collaboration occurs. Process-engagement risk
may be an issue when ineffective operational procedures are applied. These risks directly
reduce the productivity of knowledge workers, decrease cost effectiveness, profitability,
service, quality, reputation, brand value, and earnings quality. Intangible risk management
allows risk management to create immediate value from the identification and reduction of
risks that reduce productivity.
Risk management also faces difficulties allocating resources. This is the idea of opportunity
cost. Resources spent on risk management could have been spent on more profitable
activities. Again, ideal risk management minimizes spending and minimizes the negative
effects of risks.
[edit] Method
For the most part, these methods consist of the following elements, performed, more or less,
in the following order.
1. identify, characterize, and assess threats
2. assess the vulnerability of critical assets to specific threats
3. determine the risk (i.e. the expected consequences of specific types of attacks on
specific assets)
4. identify ways to reduce those risks
5. prioritize risk reduction measures based on a strategy
[edit] Principles of risk management
PRE: SAQIB ALI
RISK MANAGEMENT
The International Organization for Standardization identifies the following principles of risk
management:[4]
Risk management should:
• create value.
• be an integral part of organizational processes.
• be part of decision making.
• explicitly address uncertainty.
• be systematic and structured.
• be based on the best available information.
• be tailored.
• take into account human factors.
• be transparent and inclusive.
• be dynamic, iterative and responsive to change.
• be capable of continual improvement and enhancement.
[edit] Process
According to the standard ISO 31000 "Risk management -- Principles and guidelines on
implementation,"[3] the process of risk management consists of several steps as follows:
[edit] Establishing the context
Establishing the context involves:
1. Identification of risk in a selected domain of interest
2. Planning the remainder of the process.
3. Mapping out the following:
o the social scope of risk management
o the identity and objectives of stakeholders
o the basis upon which risks will be evaluated, constraints.
4. Defining a framework for the activity and an agenda for identification.
5. Developing an analysis of risks involved in the process.
6. Mitigation of risks using available technological, human and organizational
resources.
[edit] Identification
After establishing the context, the next step in the process of managing risk is to identify
potential risks. Risks are about events that, when triggered, cause problems. Hence, risk
identification can start with the source of problems, or with the problem itself.
• Source analysis[citation needed] Risk sources may be internal or external to the system that
is the target of risk management.
Examples of risk sources are: stakeholders of a project, employees of a company or the
weather over an airport.
PRE: SAQIB ALI
RISK MANAGEMENT
• Problem analysis[citation needed] Risks are related to identified threats. For example: the
threat of losing money, the threat of abuse of privacy information or the threat of
accidents and casualties. The threats may exist with various entities, most important
with shareholders, customers and legislative bodies such as the government.
When either source or problem is known, the events that a source may trigger or the events
that can lead to a problem can be investigated. For example: stakeholders withdrawing during
a project may endanger funding of the project; privacy information may be stolen by
employees even within a closed network; lightning striking a Boeing 747 during takeoff may
make all people onboard immediate casualties.
The chosen method of identifying risks may depend on culture, industry practice and
compliance. The identification methods are formed by templates or the development of
templates for identifying source, problem or event. Common risk identification methods are:
• Objectives-based risk identification[citation needed] Organizations and project teams have
objectives. Any event that may endanger achieving an objective partly or completely
is identified as risk.
• Scenario-based risk identification In scenario analysis different scenarios are
created. The scenarios may be the alternative ways to achieve an objective, or an
analysis of the interaction of forces in, for example, a market or battle. Any event that
triggers an undesired scenario alternative is identified as risk - see Futures Studies for
methodology used by Futurists.
• Taxonomy-based risk identification The taxonomy in taxonomy-based risk
identification is a breakdown of possible risk sources. Based on the taxonomy and
knowledge of best practices, a questionnaire is compiled. The answers to the
questions reveal risks.[5]
• Common-risk checking In several industries lists with known risks are available.
Each risk in the list can be checked for application to a particular situation.[6]
• Risk charting[7] This method combines the above approaches by listing resources at
risk, Threats to those resources Modifying Factors which may increase or decrease the
risk and Consequences it is wished to avoid. Creating a matrix under these headings
enables a variety of approaches. One can begin with resources and consider the threats
they are exposed to and the consequences of each. Alternatively one can start with the
threats and examine which resources they would affect, or one can begin with the
consequences and determine which combination of threats and resources would be
involved to bring them about.
[edit] Assessment
Once risks have been identified, they must then be assessed as to their potential severity of
loss and to the probability of occurrence. These quantities can be either simple to measure, in
the case of the value of a lost building, or impossible to know for sure in the case of the
probability of an unlikely event occurring. Therefore, in the assessment process it is critical to
make the best educated guesses possible in order to properly prioritize the implementation of
the risk management plan.
The fundamental difficulty in risk assessment is determining the rate of occurrence since
statistical information is not available on all kinds of past incidents. Furthermore, evaluating
the severity of the consequences (impact) is often quite difficult for immaterial assets. Asset
PRE: SAQIB ALI
RISK MANAGEMENT
valuation is another question that needs to be addressed. Thus, best educated opinions and
available statistics are the primary sources of information. Nevertheless, risk assessment
should produce such information for the management of the organization that the primary
risks are easy to understand and that the risk management decisions may be prioritized. Thus,
there have been several theories and attempts to quantify risks. Numerous different risk
formulae exist, but perhaps the most widely accepted formula for risk quantification is:
Rate of occurrence multiplied by the impact of the event equals risk
Later research[citation needed] has shown that the financial benefits of risk management are less
dependent on the formula used but are more dependent on the frequency and how risk
assessment is performed.
In business it is imperative to be able to present the findings of risk assessments in financial
terms. Robert Courtney Jr. (IBM, 1970) proposed a formula for presenting risks in financial
terms.[8] The Courtney formula was accepted as the official risk analysis method for the US
governmental agencies. The formula proposes calculation of ALE (annualised loss
expectancy) and compares the expected loss value to the security control implementation
costs (cost-benefit analysis).
[edit] Potential risk treatments
Once risks have been identified and assessed, all techniques to manage the risk fall into one
or more of these four major categories:[9]
• Avoidance (eliminate, withdraw from or not become involved)
• Reduction (optimise - mitigate)
• Sharing (transfer - outsource or insure)
• Retention (accept and budget)
Ideal use of these strategies may not be possible. Some of them may involve trade-offs that
are not acceptable to the organization or person making the risk management decisions.
Another source, from the US Department of Defense, Defense Acquisition University, calls
these categories ACAT, for Avoid, Control, Accept, or Transfer. This use of the ACAT
acronym is reminiscent of another ACAT (for Acquisition Category) used in US Defense
industry procurements, in which Risk Management figures prominently in decision making
and planning.
[edit] Risk avoidance
Includes not performing an activity that could carry risk. An example would be not buying a
property or business in order to not take on the liability that comes with it. Another would be
not flying in order to not take the risk that the airplane were to be hijacked. Avoidance may
seem the answer to all risks, but avoiding risks also means losing out on the potential gain
that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk
of loss also avoids the possibility of earning profits.
[edit] Hazard Prevention
Main article: Hazard prevention
PRE: SAQIB ALI
RISK MANAGEMENT
Hazard prevention refers to the prevention of risks in an emergency. The first and most
effective stage of hazard prevention is the elimination of hazards. If this takes too long, is too
costly, or is otherwise impractical, the second stage is mitigation.
[edit] Risk reduction
Risk reduction or "optimisation" involves reducing the severity of the loss or the likelihood of
the loss from occurring. For example, sprinklers are designed to put out a fire to reduce the
risk of loss by fire. This method may cause a greater loss by water damage and therefore may
not be suitable. Halon fire suppression systems may mitigate that risk, but the cost may be
prohibitive as a strategy.
Acknowledging that risks can be positive or negative, optimising risks means finding a
balance between negative risk and the benefit of the operation or activity; and between risk
redution and effort applied. By an offshore drilling contractor effectively applying HSE
Management in its organisation, it can optimise risk to achieve levels of residual risk that are
tolerable.[10]
Modern software development methodologies reduce risk by developing and delivering
software incrementally. Early methodologies suffered from the fact that they only delivered
software in the final phase of develpment; any problems encountered in earlier phases meant
costly rework and often jeopardized the whole project. By developing in iterations, software
projects can limit effort wasted to a single iteration.
could be an example of risk reduction if the outsourcer can demonstrate higher capability at managing or
.[11] For example, a company may outsource only its software development, the manufacturing of hard goods,
upport needs to another company, while handling the business management itself. This way, the company
ate more on business development without having to worry as much about the manufacturing process,
development team, or finding a physical location for a call center.
[edit] Risk sharing
Briefly defined as "sharing with another party the burden of loss or the benefit of gain, from a
risk, and the measures to reduce a risk."
The term of 'risk transfer' is often used in place of risk sharing in the mistaken belief that you
can transfer a risk to a third party through insurance or outsourcing. In practice if the
insurance company or contractor go bankrupt or end up in court, the original risk is likely to
still revert to the first party. As such in the terminology of practitioners and scholars alike, the
purchase of an insurance contract is often described as a "transfer of risk." However,
technically speaking, the buyer of the contract generally retains legal responsibility for the
losses "transferred", meaning that insurance may be described more accurately as a post-
event compensatory mechanism. For example, a personal injuries insurance policy does not
transfer the risk of a car accident to the insurance company. The risk still lies with the policy
holder namely the person who has been in the accident. The insurance policy simply provides
that if an accident (the event) occurs involving the policy holder then some compensation
may be payable to the policy holder that is commensurate to the suffering/damage.
Some ways of managing risk fall into multiple categories. Risk retention pools are technically
retaining the risk for the group, but spreading it over the whole group involves transfer
PRE: SAQIB ALI
RISK MANAGEMENT
among individual members of the group. This is different from traditional insurance, in that
no premium is exchanged between members of the group up front, but instead losses are
assessed to all members of the group.
[edit] Risk retention
Involves accepting the loss, or benefit of gain, from a risk when it occurs. True self insurance
falls in this category. Risk retention is a viable strategy for small risks where the cost of
insuring against the risk would be greater over time than the total losses sustained. All risks
that are not avoided or transferred are retained by default. This includes risks that are so large
or catastrophic that they either cannot be insured against or the premiums would be
infeasible. War is an example since most property and risks are not insured against war, so
the loss attributed by war is retained by the insured. Also any amounts of potential loss (risk)
over the amount insured is retained risk. This may also be acceptable if the chance of a very
large loss is small or if the cost to insure for greater coverage amounts is so great it would
hinder the goals of the organization too much.
[edit] Create a risk-management plan
Select appropriate controls or countermeasures to measure each risk. Risk mitigation needs to
be approved by the appropriate level of management. For example, a risk concerning the
image of the organization should have top management decision behind it whereas IT
management would have the authority to decide on computer virus risks.
The risk management plan should propose applicable and effective security controls for
managing the risks. For example, an observed high risk of computer viruses could be
mitigated by acquiring and implementing antivirus software. A good risk management plan
should contain a schedule for control implementation and responsible persons for those
actions.
According to ISO/IEC 27001, the stage immediately after completion of the risk assessment
phase consists of preparing a Risk Treatment Plan, which should document the decisions
about how each of the identified risks should be handled. Mitigation of risks often means
selection of security controls, which should be documented in a Statement of Applicability,
which identifies which particular control objectives and controls from the standard have been
selected, and why.
[edit] Implementation
Implementation follows all of the planned methods for mitigating the effect of the risks.
Purchase insurance policies for the risks that have been decided to be transferred to an
insurer, avoid all risks that can be avoided without sacrificing the entity's goals, reduce
others, and retain the rest.
[edit] Review and evaluation of the plan
Initial risk management plans will never be perfect. Practice, experience, and actual loss
results will necessitate changes in the plan and contribute information to allow possible
different decisions to be made in dealing with the risks being faced.
PRE: SAQIB ALI
RISK MANAGEMENT
Risk analysis results and management plans should be updated periodically. There are two
primary reasons for this:
1. to evaluate whether the previously selected security controls are still applicable and
effective, and
2. to evaluate the possible risk level changes in the business environment. For example,
information risks are a good example of rapidly changing business environment.
[edit] Limitations
If risks are improperly assessed and prioritized, time can be wasted in dealing with risk of
losses that are not likely to occur. Spending too much time assessing and managing unlikely
risks can divert resources that could be used more profitably. Unlikely events do occur but if
the risk is unlikely enough to occur it may be better to simply retain the risk and deal with the
result if the loss does in fact occur. Qualitative risk assessment is subjective and lacks
consistency. The primary justification for a formal risk assessment process is legal and
bureaucratic.
Prioritizing the risk management processes too highly could keep an organization from ever
completing a project or even getting started. This is especially true if other work is suspended
until the risk management process is considered complete.
It is also important to keep in mind the distinction between risk and uncertainty. Risk can be
measured by impacts x probability.
[edit] Areas of risk management
As applied to corporate finance, risk management is the technique for measuring,
monitoring and controlling the financial or operational risk on a firm's balance sheet. See
value at risk.
The Basel II framework breaks risks into market risk (price risk), credit risk and operational
risk and also specifies methods for calculating capital requirements for each of these
components.
[edit] Enterprise risk management
Main article: Enterprise Risk Management
In enterprise risk management, a risk is defined as a possible event or circumstance that can
have negative influences on the enterprise in question. Its impact can be on the very
existence, the resources (human and capital), the products and services, or the customers of
the enterprise, as well as external impacts on society, markets, or the environment. In a
financial institution, enterprise risk management is normally thought of as the combination of
credit risk, interest rate risk or asset liability management, market risk, and operational risk.
In the more general case, every probable risk can have a pre-formulated plan to deal with its
possible consequences (to ensure contingency if the risk becomes a liability).
PRE: SAQIB ALI
RISK MANAGEMENT
From the information above and the average cost per employee over time, or cost accrual
ratio, a project manager can estimate:
• the cost associated with the risk if it arises, estimated by multiplying employee costs
per unit time by the estimated time lost (cost impact, C where C = cost accrual ratio
* S).
• the probable increase in time associated with a risk (schedule variance due to risk, Rs
where Rs = P * S):
o Sorting on this value puts the highest risks to the schedule first. This is
intended to cause the greatest risks to the project to be attempted first so that
risk is minimized as quickly as possible.
o This is slightly misleading as schedule variances with a large P and small S
and vice versa are not equivalent. (The risk of the RMS Titanic sinking vs. the
passengers' meals being served at slightly the wrong time).
• the probable increase in cost associated with a risk (cost variance due to risk, Rc
where Rc = P*C = P*CAR*S = P*S*CAR)
o sorting on this value puts the highest risks to the budget first.
o see concerns about schedule variance as this is a function of it, as illustrated in
the equation above.
Risk in a project or process can be due either to Special Cause Variation or Common Cause
Variation and requires appropriate treatment. That is to re-iterate the concern about extremal
cases not being equivalent in the list immediately above.
[edit] Risk management activities as applied to project management
In project management, risk management includes the following activities:
• Planning how risk will be managed in the particular project. Plan should include risk
management tasks, responsibilities, activities and budget.
• Assigning a risk officer - a team member other than a project manager who is
responsible for foreseeing potential project problems. Typical characteristic of risk
officer is a healthy skepticism.
• Maintaining live project risk database. Each risk should have the following attributes:
opening date, title, short description, probability and importance. Optionally a risk
may have an assigned person responsible for its resolution and a date by which the
risk must be resolved.
• Creating anonymous risk reporting channel. Each team member should have
possibility to report risk that he/she foresees in the project.
• Preparing mitigation plans for risks that are chosen to be mitigated. The purpose of
the mitigation plan is to describe how this particular risk will be handled – what,
when, by who and how will it be done to avoid it or minimize consequences if it
becomes a liability.
• Summarizing planned and faced risks, effectiveness of mitigation activities, and effort
spent for the risk management.
[edit] Risk management techniques in petroleum and natural gas
For the offshore oil and gas industry, operational risk management is regulated by the safety
case regime in many countries. Hazard identification and risk assessment tools and
PRE: SAQIB ALI
RISK MANAGEMENT
techniques are described in the international standard ISO 17776:2000, and organisations
such as the IADC (International Association of Drilling Contractors) publish guidelines for
HSE Case development which are based on the ISO standard. Further, diagrammatic
representations of hazardous events are often expected by governmental regulators as part of
risk management in safety case submissions; these are known as bow-tie diagrams. The
technique is also used by organisations and regulators in mining, aviation, health, defence,
industrial and finance. [12]’
[edit] Risk management and business continuity
Risk management is simply a practice of systematically selecting cost effective approaches
for minimising the effect of threat realization to the organization. All risks can never be fully
avoided or mitigated simply because of financial and practical limitations. Therefore all
organizations have to accept some level of residual risks.
Whereas risk management tends to be preemptive, business continuity planning (BCP) was
invented to deal with the consequences of realised residual risks. The necessity to have BCP
in place arises because even very unlikely events will occur if given enough time. Risk
management and BCP are often mistakenly seen as rivals or overlapping practices. In fact
these processes are so tightly tied together that such separation seems artificial. For example,
the risk management process creates important inputs for the BCP (assets, impact
assessments, cost estimates etc). Risk management also proposes applicable controls for the
observed risks. Therefore, risk management covers several areas that are vital for the BCP
process. However, the BCP process goes beyond risk management's preemptive approach and
moves on from the assumption that the disaster will realize at some point.
[edit] Risk communication
Risk communication is a complex cross-disciplinary academic field. Problems for risk
communicators involve how to reach the intended audience, to make the risk comprehensible
and relatable to other risks, how to pay appropriate respect to the audience's values related to
the risk, how to predict the audience's response to the communication, etc. A main goal of
risk communication is to improve collective and individual decision making. Risk
communication is somewhat related to crisis communication.
[edit] Bow Tie diagrams
A popular solution to the quest to communicate risks and their treatments effectively is to use
bow-tie diagrams. These have been effectively, for example, in a public forum to model
perceived risks and communicate precautions, during the planning stage of offshore oil and
gas facilities in Scotland. Equally, the technique is used for HAZID (Hazard Identification)
workshops of all types, and results in a high level of engagement. For this reason (amongst
others) an increasing number of government regulators for major hazard facilities (MHFs),
offshore oil & gas, aviation, etc. welcome safety case submissions which use diagrammatic
representation of risks at their core.
Communication advantages of BowTies: [13]’
PRE: SAQIB ALI
RISK MANAGEMENT
• Visual illustration of the hazard, its causes, consequences, controls, and how controls
fail.
• The BowTie diagram can be readily understood at all personnel levels.
• A “picture paints a thousand words”.
[edit] Seven cardinal rules for the practice of risk communication
(as first expressed by the U.S. Environmental Protection Agency and several of the field's
founders[14])
• Accept and involve the public as a legitimate partner.
• Plan carefully and evaluate your efforts.
• Listen to the public's specific concerns.
• Be honest, frank, and open.
• Coordinate and collaborate with other credible sources.
• Meet the needs of the media.
• Speak clearly and with compassion.
Integrated Risk Management Framework
Tools & Resources
President's Message
PRE: SAQIB ALI
RISK MANAGEMENT
In March 2000, I had the pleasure of tabling the Government of Canada's new management
framework, entitled Results for Canadians. It outlines how we are modernizing management
practices in order to make the Government of Canada more citizen-focused and better
prepared to meet Canadians'changing needs and priorities. This Integrated Risk Management
Framework is an essential part of these modernization efforts.
In an increasingly complex public policy environment, it is important that Public Service
employees are encouraged to approach their work with creativity and a desire to innovate. At
the same time, however, we must recognize and respect the need to be prudent in protecting
the public interest and maintaining public trust. Achieving this balance is what this
Integrated Risk Management Framework is all about.
This framework is a practical guide to assist public service employees in their decision-
making. At the organizational level, it will help departments and agencies to think more
strategically and improve their ability to set common priorities. At the individual level, it will
help all employees to develop new skills and will strengthen their ability to anticipate, assess
and manage risk.
I invite you to read the framework and make use of the concepts, guidelines and examples
that relate to your particular needs. I am confident that this framework will lead to the
adoption of a more holistic approach to risk management and foster a working environment
which supports employees in pursuing new and innovative ways to better serve Canadians.
The paper version was signed by
Lucienne Robillard
President of the Treasury Board
Introduction
The Integrated Risk Management Framework delivers on the commitment set out in Results
for Canadians-A Management Framework for the Government of Canada (March 2000) to
strengthen risk management practices within the Public Service. In doing so, the Integrated
Risk Management Framework supports the four management commitments outlined in
Results for Canadians: citizen focus, values, results and responsible spending. The Integrated
Risk Management Framework advances a citizen focus by strengthening decision-making in
the public interest and placing more emphasis on consultation and communication. Similarly,
it respects core public service values such as honesty, integrity and probity at all levels, and
contributes to improved results by managing risk proactively. Integrated risk management
also supports a whole-of-government view grounded in rational priority setting and principles
of responsible spending.
The need for more affordable and effective government combined with trends towards
revitalizing human resources capacity and redesigning service delivery are dramatically
affecting the structure and culture of public organizations. The faster pace and need for
innovation, combined with significant risk-based events from computer failures to natural
disasters, has focused attention on risk management as essential in sound decision-making
and accountability.
PRE: SAQIB ALI
RISK MANAGEMENT
Responding to the need to strengthen risk management as a priority on the government
management agenda, the Treasury Board of Canada Secretariat (the Secretariat) led research
and consultations on risk management in collaboration with federal organizations, academics
and private interests. The results highlighted the need for a common understanding of risk
management and a more corporate, systematic approach. Informed by knowledge and
experience from the public and private sectors in Canada and internationally, the Secretariat
and its partners collaborated on the development of an Integrated Risk Management
Framework.
This Framework is designed to advance the development and implementation of modern
management practices and to support innovation throughout the federal Public Service. It
provides a comprehensive approach to better integrate risk management into strategic
decision-making.
The Framework provides an organization with a mechanism to develop an overall approach
to manage strategic risks by creating the means to discuss, compare and evaluate substantially
different risks on the same page. It applies to an entire organization and covers all types of
risks faced by that organization (e.g., policy, operational, human resources, financial, legal,
health and safety, environment, reputational).
The purpose of the Integrated Risk Management Framework is to:
• provide guidance to advance the use of a more corporate and systematic approach to
risk management;
• contribute to building a risk-smart workforce and environment that allows for
innovation and responsible risk-taking while ensuring legitimate precautions are taken
to protect the public interest, maintain public trust, and ensure due diligence; and
• propose a set of risk management practices that departments can adopt, or adapt, to
their specific circumstances and mandate.
Application of the Framework is designed to strengthen management practices, decision-
making and priority setting to better respond to citizens'needs. Moreover, practising
integrated risk management is expected to support the desired cultural shift to a risk-smart
workforce and environment. More specifically, it is anticipated that implementation of the
Framework will:
• support the government's governance responsibilities by ensuring that significant
risk areas associated with policies, plans, programs and operations are identified and
assessed, and that appropriate measures are in place to address unfavourable impacts
and to benefit from opportunities;
• improve results through more informed decision-making, by ensuring that values,
competencies, tools and a supportive environment form the foundation for innovation
and responsible risk-taking, and by encouraging learning from experience while
respecting parliamentary controls;
• strengthen accountability by demonstrating that levels of risk associated with
policies, plans, programs and operations are explicitly understood, and that
investment in risk management measures and stakeholder interests are optimally
balanced; and
• enhance stewardship by strengthening public service capacity to safeguard people,
government property and interests.
PRE: SAQIB ALI
RISK MANAGEMENT
Integrated risk management respects and builds on core public service values. Outcomes of
applied integrated risk management must be ethical, honest and fair; respect laws,
government authorities and departmental policies; and result in prudent use of resources.
The Integrated Risk Management Framework responds to the recommendations contained in
the Report of the Independent Review Panel on Modernization of Comptrollership in the
Government of Canada (1997), which were approved by Treasury Board ministers. The
report highlights a new guiding philosophy for comptrollership. This new philosophy
combines a strong commitment to four key elements: performance reporting (financial and
non-financial); sound risk management; the application of an appropriate system of control
and reporting; and values and ethics. In identifying as a priority the strengthening of risk
management across the Public Service, the report stressed the need for:
• "... executives and employees [to be] risk attuned-not only identifying but also
managing risks ...";
• "... matching more creative and client-driven decision making and business
approaches with solid risk management..."; and
• "... creating an environment in which taking risks and the consequences of doing so
are handled within a mature framework of delegation, rewards and sanctions."
The Framework builds on existing risk management practices, reflects current thinking, best
practices and the value of well-recognized principles for risk management. It is linked with
other federal risk management initiatives across government, including recent efforts to
strengthen internal audit and increase focus on monitoring. Risk management frameworks are
also being developed in areas such as legal risk management and the precautionary approach.
In addition, the Integrated Risk Management Framework complements the concepts and
approach described in the Privy Council Office report-Risk Management for Canada and
Canadians: Report of the ADM Working Group on Risk Management (2000). Collectively,
these individual initiatives are contributing to strengthening risk management across the
federal government in line with modern comptrollership and to improving practices in
managing risk from a whole-of-government perspective.
Management Challenges
In today's world, change and uncertainty are constants. With increased demand by
parliamentarians for greater transparency in decision-making, better educated and discerning
citizens, globalization, technological advances, and numerous other factors, adapting to
change and uncertainty while striving for operating efficiency is a fundamental part of the
Public Service. Such an environment requires a stronger focus on integrated risk management
practices within organizations in order to strategically deal with uncertainty, capitalize upon
opportunities, and inform and increase involvement of stakeholders (including
parliamentarians), to ensure better decisions in the future.
The challenge for the Public Service of Canada is to approach risk management in a more
integrated and systematic way that includes greater emphasis on consultation and
communication with stakeholders and the public at large. In meeting this challenge, the
Public Service can fulfill its increased responsibility to demonstrate sound decision-making,
in line with increasing expectations of due diligence, more intense public and media scrutiny,
and initiatives for transparency and open government. Risk management is now seen as an
organization-wide issue that, as one of several co-ordinated initiatives, will improve decision-
PRE: SAQIB ALI
RISK MANAGEMENT
making, enabling the shift to results-based management. Integrated risk management requires
looking across all aspects of an organization to better manage risk. Organizations that manage
risk organization-wide have a greater likelihood of achieving their objectives and desired
results. Effective risk management minimizes losses and negative outcomes and identifies
opportunities to improve services to stakeholders and the public at large.
A systematic, integrated but adaptable approach to risk management requires an organization
to build capacity to address risk explicitly, to increase the organization's and
stakeholders'confidence in its ability to achieve its goals. It contributes to better use of time
and resources, improved teamwork and strengthened trust through sharing analyses and
actions with partners. In emphasizing the need for more active and frequent consultation and
risk communication, an integrated approach to risk management leads to shared responsibility
for managing risk. It also increases confidence in the organization's process, and improves
public and stakeholder understanding of trade-offs.
Developing a Risk-Smart Workforce and Environment
Application of the Integrated Risk Management Framework, in conjunction with related risk
management activities, will support a cultural shift to a risk-smart workforce and
environment in the Public Service. Such an environment is one that supports responsible risk
management, where risk management is built into existing governance and organizational
structures, and planning and operational processes. An essential element of a risk-smart
environment is to ensure that the workplace has the capacity and tools to be innovative while
recognizing and respecting the need to be prudent in protecting the public interest and
maintaining public trust.
Departments whose core mandate focuses directly on public health and safety have
traditionally been very proactive in practising systematic risk management. These
departments have a long history of addressing the public's low risk tolerance in the areas of
health and safety and have, as a result, developed an effective risk management culture. The
emerging trends in the public sector environment and challenges associated with the need to
adapt to change and uncertainty are contributing to the increased interest in risk management
in other public policy areas. This higher level of awareness around risk management and the
need to better understand and manage different types of risks in addition to health and safety
risks requires a cultural shift. The aim of this cultural shift is to develop a risk-smart
workforce throughout the Public Service by ensuring that public servants at all levels are
more risk aware and risk attentive, that mitigation measures are proportionate to the issue at
hand, and that the necessary tools and processes are in place to support them.
Achieving this cultural change will require sustained commitment throughout the Public
Service over a number of years as practices evolve.
Key Concepts
There are three critical concepts that are cornerstones of the Integrated Risk Management
Framework: risk, risk management and integrated risk management. These concepts are
elaborated on below.
Risk
PRE: SAQIB ALI
RISK MANAGEMENT
Risk is unavoidable and present in virtually every human situation. It is present in our daily
lives, public and private sector organizations. Depending on the context, there are many
accepted definitions of risk [1] in use.
The common concept in all definitions is uncertainty of outcomes. Where they differ is in
how they characterize outcomes. Some describe risk as having only adverse consequences,
while others are neutral.
While this Framework recognizes the importance of the negative connotation of outcomes
associated with the description of risk (i.e., risk is adverse), it is acknowledged that
definitions are evolving. Indeed, there is considerable debate and discussion on what would
be an acceptable generic definition of risk that would recognize the fact that, when assessed
and managed properly, risk can lead to innovation and opportunity. This situation appears
more prevalent when dealing with operational risks and in the context of technological risks.
For example, Government On-Line (GOL) represents an opportunity to significantly increase
the efficiency of public access to government services. It is acknowledged in advance that the
benefits of pursuing GOL would outweigh, in the long term, potential negative outcomes,
which are foreseen to be manageable.
To date, no consensus has emerged, but after much research and discussion, the following
description of risk has been developed for the federal Public Service in the context of the
Integrated Risk Management Framework:
Risk refers to the uncertainty that surrounds future events and outcomes. It is the
expression of the likelihood and impact of an event with the potential to influence the
achievement of an organization's objectives.
The phrase "the expression of the likelihood and impact of an event" implies that, as a
minimum, some form of quantitative or qualitative analysis is required for making decisions
concerning major risks or threats to the achievement of an organization's objectives. For each
risk, two calculations are required: its likelihood or probability; and the extent of the impact
or consequences.
Finally, it is recognized that for some organizations, risk management is applied to issues
predetermined to result in adverse or unwanted consequences. For these organizations, the
definition of risk in the Privy Council Office report [2], which refers to risk as "a function of
the probability (chance, likelihood) of an adverse or unwanted event, and the severity or
magnitude of the consequences of that event" will be more relevant to their particular public
decision-making contexts. Although this definition of risk refers to the negative impact of the
issue, the report acknowledges that there are also positive opportunities arising from
responsible risk-taking, and that innovation and risk co-exist frequently.
Risk Management
Risk management is not new in the federal public sector. It is an integral component of good
management and decision-making at all levels. All departments manage risk continuously
whether they realize it or not-sometimes more rigorously and systematically, sometimes less
so. More rigorous risk management occurs most visibly in departments whose core mandate
is to protect the environment and public health and safety.
PRE: SAQIB ALI
RISK MANAGEMENT
As with the definition of risk, there are equally many accepted definitions of risk
management in use. Some describe risk management as the decision -making process,
excluding the identification and assessment of risk, whereas others describe risk management
as the complete process, including risk identification, assessment and decisions around risk
issues. For example, the Privy Council Office's report refers to risk management as "the
process for dealing with uncertainty within a public policy environment" [3]
For the purposes of the Integrated Risk Management Framework:
Risk management is a systematic approach to setting the best course of action under
uncertainty by identifying, assessing, understanding, acting on and communicating risk
issues.
In order to apply risk management effectively, it is vital that a risk management culture be
developed. The risk management culture supports the overall vision, mission and objectives
of an organization. Limits and boundaries are established and communicated concerning what
are acceptable risk practices and outcomes.
Since risk management is directed at uncertainty related to future events and outcomes, it is
implied that all planning exercises encompass some form of risk management. There is also a
clear implication that risk management is everyone's business, since people at all levels can
provide some insight into the nature, likelihood and impacts of risk.
Risk management is about making decisions that contribute to the achievement of an
organization's objectives by applying it both at the individual activity level and in functional
areas. It assists with decisions such as the reconciliation of science-based evidence and other
factors; costs with benefits and expectations in investing limited public resources; and the
governance and control structures needed to support due diligence, responsible risk-taking,
innovation and accountability.
Integrated Risk Management
The current operating environment is demanding a more integrated risk management
approach. It is no longer sufficient to manage risk at the individual activity level or in
functional silos. Organizations around the world are benefiting from a more comprehensive
approach to dealing with all their risks.
Today, organizations are faced with many different types of risk (e.g., policy, program,
operational, project, financial, human resources, technological, health, safety, political). Risks
that present themselves on a number of fronts as well as high level, high -impact risks
demand a co-ordinated, systematic corporate response.
Integrated Risk Management
"Whatever name they put on it-business ... holistic ... strategic ... enterprise-leading
organizations around the world are breaking out of the 'silo mentality'and taking a
comprehensive approach to dealing with all the risks they face."
-Towers Perrin
PRE: SAQIB ALI
RISK MANAGEMENT
For the purposes of the Integrated Risk Management Framework:
Integrated risk management is a continuous, proactive and systematic process to
understand, manage and communicate risk from an organization-wide perspective. It is
about making strategic decisions that contribute to the achievement of an organization's
overall corporate objectives.
Integrated risk management requires an ongoing assessment of potential risks for an
organization at every level and then aggregating the results at the corporate level to facilitate
priority setting and improved decision-making. Integrated risk management should become
embedded in the organization's corporate strategy and shape the organization's risk
management culture. The identification, assessment and management of risk across an
organization helps reveal the importance of the whole, the sum of the risks and the
interdependence of the parts.
Integrated risk management does not focus only on the minimization or mitigation of risks,
but also supports activities that foster innovation, so that the greatest returns can be achieved
with acceptable results, costs and risks. Integrated risk management strives for the optimal
balance at the corporate level.
The Government of Canada has already used an integrated risk management approach to
manage risk related to Y2K and is currently applying the approach to other major initiatives
such as Government On-Line and Program Integrity.
An Integrated Risk Management Framework
The Integrated Risk Management Framework provides guidance to adopt a more holistic
approach to managing risk. The application of the Framework is expected to enable
employees and organizations to better understand the nature of risk, and to manage it more
systematically.
Four Elements and Their Expected Results
The Integrated Risk Management Framework is comprised of four related elements. The
elements, and a synopsis of the expected results for each, are presented below. Further details
on the conceptual and functional aspects of the Framework are provided in subsequent
sections of this document.
Element 1: Developing the Corporate Risk Profile
• the organization's risks are identified through environmental scanning;
• current status of risk management within the organization is assessed; and
• the organization's risk profile is identified.
Element 2: Establishing an Integrated Risk Management Function
• management direction on risk management is communicated, understood and applied;
• approach to operationalize integrated risk management is implemented through
existing decision-making and reporting structures; and
PRE: SAQIB ALI
RISK MANAGEMENT
• capacity is built through development of learning plans and tools.
Element 3: Practising Integrated Risk Management
• a common risk management process is consistently applied at all levels;
• results of risk management practices at all levels are integrated into informed
decision-making and priority setting;
• tools and methods are applied; and
• consultation and communication with stakeholders is ongoing.
Element 4: Ensuring Continuous Risk Management Learning
• a supportive work environment is established where learning from experience is
valued, lessons are shared;
• learning plans are built into an organization's risk management practices;
• results of risk management are evaluated to support innovation, learning and
continuous improvement; and
• experience and best practices are shared, internally and across government.
The four elements of the Integrated Risk Management Framework are presented as they
might be applied: looking outward and across the organization as well as at individual
activities. This comprehensive approach to managing risk is intended to establish the
relationship between the organization and its operating environment, revealing the
interdependencies of individual activities and the horizontal linkages.
While it is acknowledged that some departments are more advanced than others in moving
towards the implementation of an integrated risk management approach, there is growing
appreciation across the Public Service of the need to strengthen risk management practices
and develop a more strategic and corporate-wide focus. Implementing integrated risk
management will depend largely on an organization's state of readiness, overall priorities and
the level of effort necessary to implement the various elements. As a result, developing a
more mature risk management environment will require sustained commitment and will
evolve over time. This Framework is a step in establishing the foundation for integrated risk
management in the public sector. It is acknowledged that to support and facilitate
implementation, the development of specific tools and guidelines as well as sharing of best
practices and lessons learned will be required.
Element 1: Developing the Corporate Risk Profile
A broad understanding of the operating environment is an important first step in developing
the corporate risk profile. Developing the risk profile at the corporate level is intended to
examine both threats and opportunities in the context of an organization's mandate, objectives
and available resources.
In building the corporate risk profile, information and knowledge at both the corporate and
operational levels is collected to assist departments in understanding the range of risks they
face, both internally and externally, their likelihood and their potential impacts. In addition,
identifying and assessing the existing departmental risk management capacity and capability
is another critical component of developing the corporate risk profile.
PRE: SAQIB ALI
RISK MANAGEMENT
An organization can expect three key outcomes as a result of developing the corporate risk
profile:
• Threats and opportunities are identified through ongoing internal and external
environmental scans, analysis and adjustment.
• Current status of risk management within the organization is assessed-
challenges/opportunities, capacity, practices, culture- and recognized in planning
organization-wide management of risk strategies.
• The organization's risk profile is identified-key risk areas, risk tolerance, ability and
capacity to mitigate, learning needs.
External and Internal Environment
Through the environmental scan, key external and internal factors and risks influencing an
organization's policy and management agenda are identified. Identifying major trends and
their variation over time is particularly relevant in providing potential early warnings. Some
external factors to be considered for potential risks include:
• Political: the influence of international governments and other governing bodies;
• Economic: international and national markets, globalization;
• Social: major demographic and social trends, level of citizen engagement; and
• Technological: new technologies.
Internally, the following factors are considered relevant to the development of an
organization's risk profile: the overall management framework; governance and
accountability structures; values and ethics; operational work environment; individual and
corporate risk management culture and tolerances; existing risk management expertise and
practices; human resources capacity; level of transparency required; and local and corporate
policies, procedures and processes.
The environmental scan increases the organization's awareness of the key characteristics and
attributes of the risks it faces. These include:
• type of risk: technological, financial, human resources (capacity, intellectual
property), health, safety;
• source of risk: external (political, economic, natural disasters); internal (reputation,
security, knowledge management, information for decision making);
• what is at risk: area of impact/type of exposure (people, reputation, program results,
materiel, real property); and
• level of ability to control the risk: high (operational); moderate (reputation); low
(natural disasters).
An organization's risk profile identifies key risk areas that cut across the organization
(functions, programs, systems) as well as individual events, activities or projects that could
significantly influence the overall management priorities, performance, and realization of
organizational objectives.
The environmental scan assists the department in establishing a strategic direction for
managing risk, making appropriate adjustments in decisions and actions. It is an ongoing
PRE: SAQIB ALI
RISK MANAGEMENT
process that reinforces existing management practices and supports the attainment of overall
management excellence.
Assessing Current Risk Management Capacity
In assessing internal risk management capacity, the mandate, governance and decision-
making structures, planning processes, infrastructure, and human and financial resources are
examined from the perspective of risk. The assessment requires an examination of the
prevailing risk management culture, risk management processes and practices to determine if
adjustments are necessary to deal with the evolving risk environment.
Furthermore, the following factors are considered key in assessing an organization's current
risk management capacity: individual factors (knowledge, skills, experience, risk tolerance,
propensity to take risk); group factors (the impact of individual risk tolerances and
willingness to manage risk); organizational factors (strategic direction, stated or implied risk
tolerance); as well as external factors (elements that affect particular risk decisions or how
risk is managed in general).
Risk Tolerance
An awareness and understanding of the current risk tolerances of various stakeholders is a
key ingredient in establishing the corporate risk profile. The environmental scan will identify
stakeholders affected by an organization's decisions and actions, and their degree of comfort
with various levels of risk. Understanding the current state of risk tolerance of citizens,
parliamentarians, interest groups, suppliers, as well as other government departments will
assist in developing a risk profile and making decisions on what risks must be managed, how,
and to what extent. It will also help identify the challenges associated with risk consultations
and communication.
In the Public Service, citizens'needs and expectations are paramount. For example, most
citizens would likely have a low risk tolerance for public health and safety issues (injuries,
fatalities), or the loss of Canada's international reputation. Other risk tolerances for issues
such as project delays and slower service delivery may be less obvious and may require more
consultation.
In general, there is lower risk tolerance for the unknown, where impacts are new,
unobservable or delayed. There are higher risk tolerances where people feel more in control
(for example, there is usually a higher risk tolerance for automobile travel than for air travel).
Risk tolerance can be determined through consultation with affected parties, or by assessing
stakeholders'response or reaction to varying levels of risk exposure. Risk tolerances may
change over time as new information and outcomes become available, as societal
expectations evolve and as a result of stakeholder engagement on trade-offs. Before
developing management strategies, a common approach to the assessment of risk tolerance
needs to be understood organization-wide.
Determining and communicating an organization's own risk tolerance is also an essential part
of managing risk. This process identifies areas where minimal levels of risk are permissible,
as well as those that should be managed to higher, yet reasonable levels of risk.
PRE: SAQIB ALI
RISK MANAGEMENT
Element 2: Establishing an Integrated Risk Management
Function
Establishing an integrated risk management function means setting up the corporate
"infrastructure" for risk management that is designed to enhance understanding and
communication of risk issues internally, to provide clear direction and demonstrate senior
management support. The corporate risk profile provides the necessary input to establish
corporate risk management objectives and strategies. To be effective, risk management needs
to be aligned with an organization's overall objectives, corporate focus, strategic direction,
operating practices and internal culture. In order to ensure risk management is a consideration
in priority setting and revenue allocation, it needs to be integrated within existing governance
and decision-making structures at the operational and strategic levels.
To ensure that risk management is integrated in a rational, systematic and proactive manner,
an organization should seek to achieve three related outcomes:
• Management direction on risk management is communicated, understood and
applied-vision, policies, operating principles.
• Approach to operationalize integrated risk management is implemented through
existing decision-making structures: governance, clear roles and responsibilities, and
performance reporting.
• Building capacity-learning plans and tools are developed for use throughout the
organization.
Strategic Risk Management Direction
The establishment and communication of the organization's risk management vision,
objectives and operating principles are vital to providing overall direction, and ensure the
successful integration of the risk management function into the organization. Using these
instruments can reinforce the notion that risk management is everyone's business.
It is essential that management provides a clear statement of its commitment to risk
management and determines the best way to implement risk management in its organization.
This includes establishing a corporate focus and communicating internal parameters,
priorities, and practices for the implementation of risk management. To reinforce the
corporate focus on risk management, organizations may dedicate a small number of resources
to provide both advisory and challenge functions, and to specifically integrate these
responsibilities into an existing unit (for example, Corporate Planning and Policy,
Comptrollership Secretariat, Internal Audit).
In establishing the strategic risk management direction, internal and external concerns,
perceptions and risk tolerances are taken into account. It is also imperative to identify
acceptable risk tolerance levels so those unfavourable outcomes can be remedied promptly
and effectively. Clear communication of the organization's strategic direction will help foster
the creation and promotion of a supportive corporate risk management culture.
Objectives and strategies for risk management are designed to complement the organization's
existing vision and goals. In establishing an overall risk management direction, a clear vision
for risk management is articulated and supported by policies and operating principles. The
PRE: SAQIB ALI
RISK MANAGEMENT
policy would guide employees by describing the risk management process, establishing roles
and responsibilities, providing methods for managing risk, as well as providing for the
evaluation of both the objectives and results of risk management practices.
Integrating Risk Management into Decision Making
Effective risk management cannot be practised in isolation, but needs to be built into existing
decision-making structures and processes. As risk management is an essential component of
good management, integrating the risk management function into existing strategic
management and operational processes will ensure that risk management is an integral part of
day-to-day activities. In addition, organizations can capitalize on existing capacity and
capabilities (e.g., communications, committee structures, existing roles and responsibilities,
etc.)
While each organization will find its own way to integrate risk management into existing
decision-making structures, the following are factors that may be considered:
• aligning risk management with objectives at all levels of the organization;
• introducing risk management components into existing strategic planning and
operational processes;
• communicating corporate directions on acceptable level of risk; and
• improving control and accountability systems and processes to take into account risk
management and results.
The integration of risk management into decision-making is supported by a corporate
philosophy and culture that encourages everyone to manage risks. This can be accomplished
in a number of ways, such as:
• seeking excellence in management practices, including risk management;
• having senior managers champion risk management;
• encouraging innovation, while providing guidance and assistance in situations that do
not turn out favourably;
• encouraging managers to develop knowledge and skills in risk management;
• including risk management as part of employees'performance appraisals;
• introducing incentives and rewards; and
• recruiting on risk management ability as well as experience.
Reporting on Performance
The development of evaluation and reporting mechanisms for risk management activities
provides feedback to management and other interested parties in the organization and
government-wide. The results of these activities ensure that integrated risk management is
effective in the long term. Some of these activities could fall to functional groups in the
organization responsible for review and audit. Responsibility may also be assigned to
operational managers and employees to ensure that information affecting risk that is collected
as part of local reporting or practices is incorporated into the environmental scanning process.
Reporting could take place through normal management channels (performance reporting,
ongoing monitoring, appraisal) as part of the advisory and challenge functions associated
with risk management.
PRE: SAQIB ALI
RISK MANAGEMENT
Reporting facilitates learning and improved decision-making by assessing both successes and
failures, monitoring the use of resources, and disseminating information on best practices and
lessons learned. Organizations should evaluate the effectiveness of their integrated risk
management processes on a periodic basis. In collaboration with departments, the Treasury
Board of Canada Secretariat will review the effectiveness of the Integrated Risk Management
Framework and make the necessary adjustments to ensure sustained progress in building a
risk-smart workforce and environment.
Building Organizational Capacity
Building risk management capacity is an ongoing challenge even after integrated risk
management has become firmly entrenched. Environmental scanning will continue to identify
new areas and activities that require attention, as well as the risk management skills,
processes, and practices that need to be developed and strengthened.
Organizations need to develop their own capacity strategies based on their specific situation
and risk exposure. The implementation of the Integrated Risk Management Framework will
be further supported by the Treasury Board of Canada Secretariat, which, through a centre of
expertise, will provide overall guidance, advice and share best practices.
To build capacity for risk management, there needs to be a focus on two key areas: human
resources, and tools and processes at both the corporate and local levels. The risk profile will
identify the organization's existing strengths and weaknesses vis-à-vis capacity. Areas that
may require attention include:
Human Resources
• building awareness of risk management initiatives and culture;
• broadening skills base through formal training including appropriate applications and
tools;
• increasing knowledge base by sharing best practices and experiences; and
• building capacity, capabilities and skills to work in teams.
Tools and Processes
• developing and adopting corporate risk management tools, techniques, practices and
processes;
• providing guidance on the application of tools and techniques;
• allowing for development and/or the use of alternative tools and techniques that may
be better suited to managing risk in specialized applications; and
• adopting processes to ensure integration of risk management across the organization.
Element 3: Practising Integrated Risk Management
Implementing an integrated risk management approach requires a management decision and
sustained commitment, and is designed to contribute to the realization of organizational
objectives. Integrated risk management builds on the results of an environmental scan and is
supported by appropriate corporate infrastructure.
PRE: SAQIB ALI
RISK MANAGEMENT
The following outcomes are expected for practising integrated risk management:
• A departmental risk management process is consistently applied at all levels, where
risks are understood, managed and communicated.
• Results of risk management practices at all levels are integrated into informed
decision-making and priority setting-strategic, operational, management and
performance reporting.
• Tools and methods are applied as aids to make decisions.
• Consultation and communication with stakeholders is ongoing-internal and external.
A Common Process
A common, continuous risk management process assists an organization in understanding,
managing and communicating risk. Continuous risk management has several steps. Emphasis
on various points in the process may vary, as may the type, rigour or extent of actions
considered, but the basic steps are similar. In the exhibits that follow, Exhibit 1 illustrates an
example of a continuous risk management process that focuses on an integrated approach to
risk management, while Exhibit 2 presents a risk management decision-making process in the
context of public policy.
Exhibit 1: A Common Risk Management Process
Display full size graphic
PRE: SAQIB ALI
RISK MANAGEMENT
Internal and external communication and continuous learning improve understanding and
skills for risk management practice at all levels of an organization, from corporate through to
front-line operations. The process provides common language, guides decision-making at all
levels, and allows organizations to tailor their activities at the local level. Documenting the
rationale for arriving at decisions strengthens accountability and demonstrates due diligence.
The common risk management process and related activities are:
Risk Identification
1. Identifying Issues, Setting Context
• Defining the problems or opportunities, scope, context (social, cultural, scientific
evidence, etc.) and associated risk issues.
• Deciding on necessary people, expertise, tools and techniques (e.g., scenarios,
brainstorming, checklists).
• Performing a stakeholder analysis (determining risk tolerances, stakeholder position,
attitudes).
Risk Assessment
2. Assessing Key Risk Areas
• Analyzing context/results of environmental scan and determining types/categories of
risk to be addressed, significant organization-wide issues, and vital local issues.
3. Measuring Likelihood and Impact
• Determining degree of exposure, expressed as likelihood and impact, of assessed
risks, choosing tools.
• Considering both the empirical/scientific evidence and public context.
4. Ranking Risks
• Ranking risks, considering risk tolerance, using existing or developing new criteria
and tools.
Responding to Risk
5. Setting Desired Results
• Defining objectives and expected outcomes for ranked risks, short/long term.
6. Developing Options
• Identifying and analyzing options-ways to minimize threats and maximize
opportunities-approaches, tools.
7. Selecting a Strategy
PRE: SAQIB ALI
RISK MANAGEMENT
• Choosing a strategy, applying decision criteria-results-oriented, problem/opportunity
driven.
• Applying, where appropriate, the precautionary approach/principle as a means of
managing risks of serious or irreversible harm in situations of scientific uncertainty.
8. Implementing the Strategy
• Developing and implementing a plan.
Monitoring and Evaluation
9. Monitoring, Evaluating and Adjusting
• Learning, improving the decision-making/risk management process locally and
organization-wide, using effectiveness criteria, reporting on performance and results.
Organizations may vary the basic steps and supporting tasks most suited to achieving
common understanding and implementing consistent, efficient and effective risk
management. A focused, systematic and integrated approach recognizes that all decisions
involve management of risk, whether in routine operations or for major initiatives involving
significant resources. It is important that the risk management process be applied at all levels,
from the corporate level to programs and major projects to local systems and operations.
While the process allows tailoring for different uses, having a consistent approach within an
organization assists in aggregating information to deal with risk issues at the corporate level.
Exhibit 2: Risk Management in Public Policy: A Decision-Making Process
Display full size graphic
Exhibit 2 presents the model, developed by the PCO-led ADM Working Group on Risk
Management, which addresses the issue of risk management in the context of public policy
PRE: SAQIB ALI
RISK MANAGEMENT
development. This model presents a basis for exploring issues of interest to government
policy-makers, and provides a context in which to discuss, examine, and seek out
interrelationships between issues associated with public policy decisions in an environment
of uncertainty and risk (i.e., a model of public risk management).
As in Exhibit 1, this model recognizes six basic steps: identification of the issue; analysis or
assessment of the issue; development of options; decision; implementation of the decision;
and evaluation and review of the decision. [4]
In this model, several key elements were identified as influencing the public policy
environment surrounding risk management:
• There is a public element to virtually all government decision-making, and it is a
central and legitimate input to the process.
• Uncertainty in science, together with competing policy interests (including
international obligations) has led to increased focus on the precautionary approach.
• A decision-making process does not occur in isolation-the public nature and
complexity of many government policy issues means that certain factors, such as
communications and consultation activities, legal considerations, and ongoing
operational activities, require active consideration at each stage of the process.
Integrating Results for Risk Management into Practices at all Levels
The results of risk management are to be integrated both horizontally and vertically into
organizational policies, plans and practices. Horizontally, it is important that results be
considered in developing organization-wide policies, plans and priorities. Vertically,
functional units, such as branches and divisions, need to incorporate these results into
programs and major initiatives.
In practice, the risk assessment and response to risk would be considered in developing local
business plans at the activity, division or regional level. These plans would then be
considered at the corporate level, and significant risks (horizontal or high-impact risks) would
be incorporated into the appropriate corporate business, functional or operational plan.
The responsibility centre providing the advisory and "corporate challenge" functions can add
value to this process, since new risks might be identified and new risk management strategies
required after the roll-up. There needs to be a synergy between the overall risk management
strategy and the local risk management practices of the organization.
Each function or activity would have to be examined from three standpoints:
• its purpose: risk management would look at decision-making, planning, and
accountability processes as well as opportunities for innovation;
• its level: different approaches are required based on whether a function or activity is
strategic, management or operational; and
• the relevant discipline: the risks involved with technology, finance, human
resources, and those regarding legal, scientific, regulatory, and/or health and safety
issues.
Tools and Methods
PRE: SAQIB ALI
RISK MANAGEMENT
At a technical level, various tools and techniques can be used for managing risk. The
following are some examples:
• risk maps: summary charts and diagrams that help organizations identify, discuss,
understand and address risks by portraying sources and types of risks and disciplines
involved/needed;
• modelling tools: such as scenario analysis and forecasting models to show the range
of possibilities and to build scenarios into contingency plans;
• framework on the precautionary approach: a principle-based framework that
provides guidance on the precautionary approach in order to improve the
predictability, credibility and consistency of its application across the federal
government;
• qualitative techniques: such as workshops, questionnaires, and self -assessment to
identify and assess risks; and
• Internet and organizational Intranets: promote risk awareness and management by
sharing information internally and externally.
Exhibit 3 provides an example of a risk management model. In this model, one can assess
where a particular risk falls in terms of likelihood and impact and establish the organizational
strategy/response to manage the risk.
Exhibit 3: A Risk Management Model
Display full size graphic
In developing methods to provide guidance on risk management, the different levels of
readiness and experience in a department, as well as variations in available resources need to
be recognized. Therefore, methods need to be flexible and simple using clear language to
ensure open channels of communication.
Several practical methods that could be used to provide guidance are:
PRE: SAQIB ALI
RISK MANAGEMENT
• a managers'forum: where risks are identified, proposed actions are discussed and
best practices are shared;
• an internal risk management advisory function: dedicated to risk management,
either as a special unit or associated with an existing functional unit; and
• tool kits: a collection of effective risk management tools such as checklists,
questionnaires, best practices.
Communication and Consultation
Communication of risk and consultation with interested parties are essential to supporting
sound risk management decisions. In fact, communication and consultation must be
considered at every stage of the risk management process.
A fundamental requirement for practising integrated risk management is the development of
plans, processes and products through ongoing consultation and communication with
stakeholders (both internal and external) who may be involved in or affected by an
organization's decisions and actions.
Consultation and proactive citizen engagement will assist in bridging gaps between statistical
evidence and perceptions of risk. It is also important that risk communication practices
anticipate and respond effectively to public concerns and expectations. A citizen's request for
information presents an opportunity to communicate about risk and the management of risk.
In the public sector context, some high-profile risk issues would benefit from proactively
involving parliamentarians in particular forums of discussion thus creating opportunities for
exchanging different perspectives. In developing public policy, input from both the empirical
and public contexts ensures that a more complete range of information is available, therefore,
leading to the development of more relevant and effective public policy options. Internally,
risk communication promotes action, continuous learning, innovation and teamwork. It can
demonstrate how management of a localized risk contributes to the overall achievement of
corporate objectives.
Risk communication involves a range of activities, including issue identification and
assessment, analysis of the public environment (including stakeholder interests and
concerns), development of consultation and communications strategies, message
development, working with the media, and monitoring and evaluating the public dialogue.
The public sector has the additional responsibility of reporting to and communicating with
Parliament.
Within the federal Public Service, it is expected that consultation activities, including those
related to risk management, will be undertaken in a manner that is consistent with the
Government Communications Policy.
Element 4: Ensuring Continuous Risk Management
Learning
Continuous learning is fundamental to more informed and proactive decision-making. It
contributes to better risk management, strengthens organizational capacity and facilitates
PRE: SAQIB ALI
RISK MANAGEMENT
integration of risk management into an organizational structure. To ensure continuous risk
management learning, pursue the following outcomes:
• Learning from experience is valued, lessons are shared-a supportive work
environment.
• Learning plans are built into organization's risk management practices.
• Results of risk management are evaluated to support innovation, capacity building
and continuous improvement-individual, team and organization.
• Experience and best practices are shared-internally and across government.
Creating a Supportive Work Environment
A supportive work environment is a key component of continuous learning. Valuing learning
from experience, sharing best practices and lessons learned, and embracing innovation and
responsible risk-taking characterize an organization with a supportive work environment. An
organization with a supportive work environment would be expected to:
Promote learning
• by fostering an environment that motivates people to learn;
• by valuing knowledge, new ideas and new relationships as vital aspects of the
creativity that leads to innovation; and
• by including and emphasizing learning in strategic plans.
Learn from experience
• by valuing experimentation, where opportunities are assessed for benefits and
consequences;
• by sharing learning on past successes and failures; and
• by using "lessons learned" and "best practices" in planning exercises.
Demonstrate management leadership
• by selecting leaders who are coaches, teachers and good stewards;
• by demonstrating commitment and support to employees through the provision of
opportunities, resources, and tools; and
• by making time, allotting resources and measuring success through periodic reviews
(e.g., learning audits).
Building Learning Plans in Practices
Since continuous learning contributes significantly to increasing capacity to manage risk, the
integration of learning plans into all aspects of risk management is fundamental to building
capacity and supporting the strategic direction for managing risk.
As part of a unit's learning strategy, learning plans provide for the identification of training
and development needs of each employee. Effective learning plans, reflecting risk
management learning strategies, are linked to both operational and corporate strategies,
incorporate opportunities for managers to coach and mentor staff, and address competency
gaps (knowledge and skills) for individuals and teams. The inclusion of risk management
PRE: SAQIB ALI
RISK MANAGEMENT
learning objectives in performance appraisals is a useful approach to support continuous risk
management learning.
Supporting Continuous Learning and Innovation
In implementing a continuous learning approach to risk management, it is important to
recognize that not all risks can be foreseen or totally avoided. Procedures are paramount to
ensure due diligence and to maintain public confidence. Goals will not always be met and
innovations will not always lead to expected outcomes. However, if risk management actions
are informed and lessons are learned, promotion of a continuous learning approach will create
incentives for innovation while still respecting organizational risk tolerances. The critical
challenge is to show that risk is being well-managed and that accountability is maintained
while recognizing that learning from experience is important for progress.
In addition to demonstrating accountability, transparency and due diligence, proper
documentation may also be used as a learning tool. Practising integrated risk management
should support innovation, learning, and continuous improvement at the individual, team and
organization level.
An organization demonstrates continuous learning with respect to risk management if:
• an appropriate risk management culture is fostered;
• learning is linked to risk management strategy at many levels;
• responsible risk-taking and learning from experience is encouraged and supported;
• there is considerable information sharing as the basis for decision-making;
• decision-making includes a range of perspectives including the views of stakeholders,
employees and citizens; and
• input and feedback are actively sought and are the basis for further action.
Conclusion
The Integrated Risk Management Framework advances a more systematic and integrated
approach for risk management. By focusing on the importance of risk communication and
risk tolerance, it looks outside the organization for the views of Canadians. Internally, it
emphasizes the importance of people and leadership and the need for departments and
agencies to more clearly define their roles. The Framework provides a tool that helps
organizations communicate a vision and objectives for management of risk based on
government values and priorities, lessons learned best practices and consultation with
stakeholders.
The Framework is a fundamental part of the federal management agenda and Modern
Comptrollership. It is designed to support the optimization of resource allocation and
responsible spending, paramount for achieving results. It also builds on public sector values,
knowledge management and continuous learning for innovation. The Integrated Risk
Management Framework is the first step in establishing the foundation for more strategic and
corporate integrated risk management in departments and in government. In the future, the
Framework will be supported by tools and guidance documents as well as complemented by
other risk management initiatives.
PRE: SAQIB ALI
RISK MANAGEMENT
The Treasury Board of Canada Secretariat intends to work closely with departments and
agencies in implementing the Integrated Risk Management Framework and in tracking
progress toward building a risk-smart workforce and environment in the Public Service.
PRE: SAQIB ALI
You might also like
- CMI Level 7 Diploma in Strategic Management & Leadership: See Assignment Submission PolicyNo ratings yetCMI Level 7 Diploma in Strategic Management & Leadership: See Assignment Submission Policy4 pages
- Offshore Contractors Partnership Agreement 2019 - 2020100% (1)Offshore Contractors Partnership Agreement 2019 - 202027 pages
- IJPM - Collyer Warren 2009 - PM Approaches Dynamic EnvironmentsNo ratings yetIJPM - Collyer Warren 2009 - PM Approaches Dynamic Environments10 pages
- Smart 3D Plant Curriculum Path Training Guidelines 2019No ratings yetSmart 3D Plant Curriculum Path Training Guidelines 201928 pages
- Level 5 Extended Diploma in Business and ManagementNo ratings yetLevel 5 Extended Diploma in Business and Management4 pages
- Level 5 Diploma in Hospitality and Tourism ManagementNo ratings yetLevel 5 Diploma in Hospitality and Tourism Management4 pages
- Successful Management of Strategic Intentions Through Multiple ProjectsNo ratings yetSuccessful Management of Strategic Intentions Through Multiple Projects6 pages
- L5 Mod 2 - CMI Unit 502 Assessment BriefNo ratings yetL5 Mod 2 - CMI Unit 502 Assessment Brief7 pages
- Prashanti Technologies: A Workplace Romance Ethical Dilemma and ETHICSNo ratings yetPrashanti Technologies: A Workplace Romance Ethical Dilemma and ETHICS11 pages
- Tools and Techniques of Project ManagementNo ratings yetTools and Techniques of Project Management2 pages
- OTHM Level 7 Diploma Human Resource Management Spec2No ratings yetOTHM Level 7 Diploma Human Resource Management Spec24 pages
- Level 5 Diploma in Human Resource Management100% (1)Level 5 Diploma in Human Resource Management3 pages
- Applicaiton of Project Management in Higher InstitutionsNo ratings yetApplicaiton of Project Management in Higher Institutions26 pages
- 11.3.2.6 - MOP - Risk Probability and Impact MatrixNo ratings yet11.3.2.6 - MOP - Risk Probability and Impact Matrix9 pages
- 4quality Tools Technique Used by Company WiproNo ratings yet4quality Tools Technique Used by Company Wipro10 pages
- Ethics and Facial Recognition Technology An Integrative ReviewNo ratings yetEthics and Facial Recognition Technology An Integrative Review10 pages
- PMP Project Management Professional Training Brochure WitskillsNo ratings yetPMP Project Management Professional Training Brochure Witskills9 pages
- ENM448-Project Planning and Management ExamplesNo ratings yetENM448-Project Planning and Management Examples28 pages
- MSC Dissertation Project Guidelines - CE - 2014-15No ratings yetMSC Dissertation Project Guidelines - CE - 2014-1517 pages
- PDF Management of Risk 3d Edition Ruth Murray-Webster Download100% (5)PDF Management of Risk 3d Edition Ruth Murray-Webster Download84 pages
- Initiating Planning Executing Closing: Develop Project Charter100% (1)Initiating Planning Executing Closing: Develop Project Charter5 pages
- A Simulation Model For Incremental Software Development Life Cycle ModelNo ratings yetA Simulation Model For Incremental Software Development Life Cycle Model7 pages
- Dell in China: Muhammad Haseeb Abdul Haseeb ShahNo ratings yetDell in China: Muhammad Haseeb Abdul Haseeb Shah28 pages
- Development of Leadership Potential: I'm Tough, Ambitious, and I Am The ChangeNo ratings yetDevelopment of Leadership Potential: I'm Tough, Ambitious, and I Am The Change3 pages
- Sources of Shariah: Muhammad Afraz Muhammad Atif Muhammad Junaid Muhammad HaseebNo ratings yetSources of Shariah: Muhammad Afraz Muhammad Atif Muhammad Junaid Muhammad Haseeb29 pages
- Comparison Between KFC & Chief: Group Members: Zartashiya Arshad Shafaq Sherwani Nyla Nizam Umair DurraniNo ratings yetComparison Between KFC & Chief: Group Members: Zartashiya Arshad Shafaq Sherwani Nyla Nizam Umair Durrani21 pages
- Software Engineering:: - Software Maintenance & Reliability IssuesNo ratings yetSoftware Engineering:: - Software Maintenance & Reliability Issues20 pages
- 3mensio Report 30% S F DR Huseyin Yazici Clinique Princesse Sarah Ouagadougou Burkina Faso Corelab.No ratings yet3mensio Report 30% S F DR Huseyin Yazici Clinique Princesse Sarah Ouagadougou Burkina Faso Corelab.13 pages
- KING, Ulysses CV Updated 12-Apr-2023 EN-GBNo ratings yetKING, Ulysses CV Updated 12-Apr-2023 EN-GB6 pages
- Arithmetic Progressions - Practice Sheet PDFNo ratings yetArithmetic Progressions - Practice Sheet PDF4 pages
- Augmented Reality For Education A ReviewNo ratings yetAugmented Reality For Education A Review7 pages
- SAS 1 Fuel Tank Safety Phase 2 Recurrent VDGNo ratings yetSAS 1 Fuel Tank Safety Phase 2 Recurrent VDG103 pages
- Sri Lankan Recommended MV System Fault LevelsNo ratings yetSri Lankan Recommended MV System Fault Levels1 page
- Syllabus: Fundamentals of Construction: Mr. MossholderNo ratings yetSyllabus: Fundamentals of Construction: Mr. Mossholder7 pages
