Risk management in public sector

research: approach and lessons

learned at a national research
organization
Flavia Leung1 and Frances Isaacs2
1
National Research Council Canada, 1200 Montreal Road, Building M-23A, Ottawa, ON, Canada.
fl[email protected]
2
National Research Council of Canada, 100 Sussex Drive, Ottawa, ON, Canada.
[email protected]

As the Canadian federal government’s main research body and a public sector agency, the
National Research Council (NRC) must manage numerous strategic as well as operational
risks, including those at the project, program and portfolio levels. Such risks might arise from
political and other stakeholder interests, intellectual property ownership and policy, funding
structures, public perceptions of science and technology, occupational health and safety,
management of highly qualified personnel, availability of receptor capacity for research being
undertaken, and unknown markets for very new research areas, to name a few. Varying risk
management practices have existed across NRC institutes and programs in the past as a result
of the relative autonomy afforded to these groups. In seeking a more systematic approach,
driven by both external and internal interests, NRC researched best practices, models and
frameworks for risk management. NRC needed an appropriate model and approach for
managing risk that could be applied throughout different levels and within the various arenas
of its activities. The approach selected is based on the concept of enterprise risk management,
allowing NRC to look not only at specific areas of risk but the larger picture – effectively
assessing, controlling, exploiting and monitoring risks from all sources that might threaten the
achievement of its goals. At the same time, such an approach also ensures that potential
opportunities that could facilitate achievement of its goals are not missed. This paper shares
some of NRC’s findings of its research (including best practices), describes its current
framework and approach, as well as some of its challenges.

1. Overview of the National Research its establishment in 1916 under the National
Council (NRC) Research Council Act legislation, NRC has pur-
sued a broad mandate, conducting a wide range of

W ithin Canada, NRC is one of approximately

22 federal government science-based depart-
ments and agencies (SDBAs). Of these, NRC is the
activities including in large part, undertaking, as-
sisting and promoting scientific and industrial
research in the national interest of Canada.
largest research and development (R&D) perfor- NRC helps bridge the gap between knowledge
mer with expenditures of approximately C$847M generation by universities and commercial inno-
during 2006–2007, and over 4,100 employees. Since vation by industrial R&D performers by virtue of

510 R&D Management 38, 5, 2008. r 2008 Her Majesty The Queen In Right of Canada. Journal compilation r 2008
Blackwell Publishing Ltd, 9600 Garsington Road, Oxford, OX4 2DQ, UK and 350 Main St, Malden, MA, 02148, USA
 Risk management in public sector research

S&T Activities Undertaken By SBDAs

R&D Producers S&T in support of S&T for Regulatory Providers of R&D

Programs Frameworks Support

Basic research S&T advice—policy/ S&T advice— Research funding

Applied research program frameworks regulatory policy/ (grants to 3 parties)
Basic research frameworks Support/facilitation
Technology develop-
ment and Applied research (incl. Applied research for economic/social
demonstration ext. partners/ (incl. some external development
contracts) partners/contracts)
Support for
innovation (tech- Technology Support for develop-
nology transfer, spin development ment/maintenance of
offs) Support for innovation regulations
Support for develop- (technology transfer, Support for develop-
ment/maintenance of spin offs) ment/maintenance of
standards Testing services standards
STI dissemination STI dissemination Testing services
Support/facilitation for STI dissemination
economic/social
development

1. Many departments conduct S&T activities in support of both Program and Regulatory roles.
2. Applicable to some departments but not others.
3. Relative significance varies by department, ranging from a primary role to non-applicable.

Figure 1. Scientific and technical activities undertaken by science-based departments and agencies (SDBAs). Source: KPMG,
Integrated Performance Management Framework for Science Based Departments and Agencies, March 2004.

its national presence and the positioning of its Research Assistance Program offices Canada-
S&T activities. These span a wide range from wide additionally help small and medium-sized
sector-specific applied R&D work in collabora- technology-based companies start up through
tion with companies (e.g., aerospace, industrial advisory and support services, and funding. Con-
materials) to the development of new technology sidering the activities and functions of each of
platforms and knowledge generation in emerging these programs and structures – including under-
areas with universities and other partners (e.g., taking leading-edge research through uncharted
bio/info/nanotechnology). While some of its S&T technological territory, to major investments in
activities do have regulatory aspects, NRC’s national S&T infrastructure and supporting new
research activities are not predominantly in sup- Canadian start-up companies – the breadth and
port of a regulatory system, as is the case for complexity of potential risks increases further.
most SBDAs (e.g., Health, Fisheries and Oceans,
Natural Resources, and Environment). NRC
covers, to some extent, all areas of SBDA activ- 2. Drivers for greater risk management
ities, as shown in Figure 1. As such, NRC’s range
of risk spans a wider spectrum, covering issues Risk is pervasive then, in various forms, for NRC.
beyond regulatory health and safety, including Related to its research specifically, risk has long been
industry- and commercialization-related issues managed as ‘part of doing the science.’ Depending
among others. Risks further arise from extensions on the institute, this might be in the form of more
of relationships between researchers and with formalized processes, particularly for the engineer-
stakeholders (industries, universities, other gov- ing-oriented institutes closely aligned with industry,
ernment and political groups, and not-for-profit or more intuitively in other cases, and mainly at the
organizations) regionally, nationally and interna- project level. While innovation necessarily involves
tionally to deliver multi-disciplinary programs risk, this orientation can sometimes be considered in
and services addressing challenges of national conflict with the stewardship role of a public sector
and socio-economic interest. agency. Taken to the extreme, a very safe approach
Organizationally, NRC’s research activities are that involves low risk and funding projects that only
housed in 19 institutes across the country (see have a high chance of success can stifle more radical
Figure 2). Many are co-located with university innovations – this in itself is a risk. Nevertheless,
campuses in the regions, and also include Indus- there is a growing external expectation for more
trial Partnership Facilities that facilitate more systematic risk management in recent years, and
effective collaboration and interactions with looking more holistically at the ‘big picture’ for the
industry by providing scientific infrastructure, organization rather than simply very focused issues/
collaborative workspace and access to technical areas. In particular, from the perspective of the
expertize among other things. NRC’s Industrial Canadian government’s central agencies, there is

r 2008 Her Majesty The Queen In Right of Canada R&D Management 38, 5, 2008 511
Journal compilation r 2008 Blackwell Publishing Ltd
Flavia Leung and Frances Isaacs

Figure 2. National Research Council facilities across Canada.

growing interest in accountability, value-for-money Based on the Modern Comptrollership elements,

and results for Canadians – hence risk assessments TBS subsequently followed up with the develop-
are increasingly valued as a decision making tool. ment of the Management Accountability Frame-
Starting in 2001/2002, the Treasury Board work. This framework currently establishes the
Secretariat of Canada (TBS), largely responsible expectations for all Deputy Ministers in the federal
for financial and management oversight of federal government. Effective and integrated risk manage-
organizations, spearheaded a government-wide ment continues to be one of the major elements, the
‘Modern Comptrollership’ initiative requiring definitions for which are shown in Figure 3.
all federal departments and agencies to undertake Some regulatory science areas additionally
an assessment1 of their management practices. work on a precautionary principle – where the
Risk management was one of the key elements risk of what is not yet known is treated as having
of the framework used for the assessment, with potentially high impact in the health and safety
others including strategic leadership, performance area. Policy established since 2003 indicates that
information, accountability and human resource ‘. . . the absence of full scientific certainty shall not
management (motivated people). be used as a reason for postponing decisions
The action plan from NRC’s assessment where there is a risk of serious or irreversible
launched a special project focused on developing harm.’2 Managing within this principle, then, also
a more systematic and integrated risk manage- implies growing importance of good risk manage-
ment approach, some main activities from which ment with foresight in order to best anticipate the
included the following: potential impact under different scenarios.
These accountability requirements were com-
 Establishment of an interdepartmental net- pounded with changes in other aspects of NRC’s
work and workshops/meetings for knowledge environment, both scientific and organizational,
exchange among SDBAs in risk management. to drive more systematic and integrated risk
 Research and compilation of best practices in management:
risk management.
 Development of a generic S&T risk manage-  S&T convergence leading to multi-disciplined
ment framework for SDBAs. science and melding of traditional disciplines
(e.g., horizontal programs in genomics; fuel
These are further described later in this paper. cells).

512 R&D Management 38, 5, 2008 r 2008 Her Majesty The Queen In Right of Canada
Journal compilation r 2008 Blackwell Publishing Ltd
 Risk management in public sector research

EXPECTATION INDICATORS MEASURES

Figure 3. Risk management definition within TBS’s Management Accountability Framework (MAF). Source: Treasury Board
Secretariat MAF, http://www.tbs-sct.gc.ca/rm-gr/maf-crg/maf_e.asp

 New models for supporting economic and 3. Finding the ‘right’ model
social development at regional and local levels
(e.g., Technology Clusters, Industrial Partner- The integrated risk management (IRM) project
ships). that followed NRC’s management practices self-
 Organizational renewal and re-alignment with assessment set the foundation for NRC’s further
a new strategy. work in establishing a model/approach and
 New organizational and accountability struc- framework.
ture (establishment of a portfolio structure). The initial research conducted as part of the
 Financial and funding pressures. project identified best practices from Canadian
SBDAs such as Agriculture and Agri-food, Fish-
Beyond these external requirements and dri- eries and Oceans, Food Inspection Agency, Health,
vers, NRC’s management also recognized that Space Agency, Natural Resources and Human
additional benefits were possible internally. These Resources Development, and from international
included improved decision making around op- organizations such as the US General Accounting
tions and funding; better planning, forecasting Office, NASA and National Science Foundation,
and financial management; and improved project and the Commonwealth Scientific and Industrial
management. NRC proceeded to look for an Research Organization (CSIRO), Australia.
appropriate model and approach that could be Selected best practices identified include:
piloted and rolled out as appropriate to more
broadly implement risk management. A summary  Ensuring alignment of IRM policies and pro-
of the evolution of risk management at NRC is cedures with the corporate code of values and
shown in Figure 4. ethics.

2001 2002 2003 2004 2005 2006 2007++

TBS Modern NRC • Integrated RM • Identification • NRC’s first • Release of • Integration of

Comptroller- Response – Framework of NRC RM Corporate NRC RM into
ship & MMP for SBDAs Framework Risk Profile Strategy corporate and
Integrated Capacity • S&T Risk and • Pilot and • Development business
Risk Assessment Management Approach rollout of risk of NRC activities:
Management & Action Network • NRC Pilots management Corporate • Corporate and
Framework Plan • Management approach Business institute
Accountability and training Plan business plans
Framework • Project selection
and overall
project
management
• Risk-based audit
plan

Central Agency NRC Response Risk NRC Strategy Integration

Requirements Research and Identification Management & Business
Trigger of Approach & Framework Pilots Plan

Figure 4. Evolution of risk management at the National Research Council.

r 2008 Her Majesty The Queen In Right of Canada R&D Management 38, 5, 2008 513
Journal compilation r 2008 Blackwell Publishing Ltd
Flavia Leung and Frances Isaacs

SBDAsGeneric IRM Framework

Value Creation Horizontal Planning &

Integration Direction
Corporate
Objectives
Results
and
Governance
Commitment Capability Monitoring & Performance
Learning
Strategic
Direction

Figure 5. Science-based departments and agencies’ generic integrated risk management (IRM) framework. Source: Interis,
Integrated Risk Management Framework for SBDAs, May 2004.

 Defining, clearly articulating and document- Discussion within this informal group indicated
ing IRM objectives and using them to guide that there was consensus on three specific attri-
IRM activities. butes that were subsequently used to guide NRC’s
 Developing a Corporate Risk Profile (CRP) as continued search for the ‘right’ model. These were
a starting point in implementing IRM, and (i) simplicity, (ii) practicality/low administrative
subsequently also monitoring and maintain- burden, and (iii) alignment with other manage-
ing the CRP. ment practices underway such as planning and
 Developing an IRM implementation plan. performance management. These attributes were
 Implementing IRM training and building considered to be critical to the acceptance of a risk
capacity. management model, recognizing that researchers
 Ensuring managerial oversight. within NRC’s scientific culture, not unlike other
scientific and technical cultures, will prefer to put
A generic framework for IRM was also devel- their time into research activities rather than other
oped, as shown in Figure 5. While this framework administrative-type activities.This group reviewed
identified the organizational elements required for and examined a number of different risk manage-
effective risk management, there still needed to be ment frameworks, including the Australian–New
an appropriate process and approach that could Zealand Standard,3 the Committee of Sponsoring
be applied to the many different aspects of NRC’s Organizations of the Treadway Commission
activities and at its various organizational levels. (COSO),4 the Institute for Risk Management
It was generally agreed that something more (IRM),5 Canadian Standards Association,6 the
fundamental was needed. US Department of Energy (DOE)7 and the Net-
Given the variation of research areas and activ- work for Environmental Risk Assessment and
ities within NRC, a major challenge was to achieve Management (NERAM),8 the last two being spe-
agreement on a common risk management lan- cifically science-oriented organizations. As shown
guage and approach at an enterprise level. An in Figure 5, the key steps (indicated with a round
informal committee of interested senior managers bullet) and sub-steps under these (indicated by
from several diverse institutes gathered to examine a dash) of each of these frameworks share
potential models for enterprise risk management some similarities, but there is also some variability
(ERM) (often used interchangeably with the term in the complexity of the approaches. Several of
IRM, and espousing the same principles). the frameworks include steps that are ongoing

514 R&D Management 38, 5, 2008 r 2008 Her Majesty The Queen In Right of Canada
Journal compilation r 2008 Blackwell Publishing Ltd
 Risk management in public sector research

AS/NZS COSO IRM CSA DOE NERAM

• Organiz-
• Objective ation’s
Setting Strategic
• Initiation • Context
Objectives
• Risk
• Establish • Event • Preliminary Planning
• Risk
Context Modification Assessment Analysis • Preliminary
Analysis

Risk Communication / Stakeholders

• Risk • Risk
Communication and Consultation

• Risk
Identification • Risk Analysis • Risk Assess- - Risk
Monitoring and Review

Assessment Estimation ment estimation

Risk Communication

Risk Documentation
• Risk - Evaluation
• Risk • Risk

Formal Audit
- Risk
Modification
Evaluation - Options
Assess- • Risk Evaluation Identification
ment Response • Risk • Priority Risks
• Risk Control - Risk
Reporting
- Risk (ISO Risk Analysis
Analysis • Control treatment) • Risk
• Decision Estimation
- Risk Activities
Evaluation • Risk
• Risk • Evaluation
• Action / Handling
Treatment
• Information Monitoring
• Risk and • Treatment
• Residual
Treatment Communi- • Risk Options
Risk
cation • Implemen- Monitoring
tation plan • Decisions
• Reporting
• Monitoring
• Monitoring

Figure 6. Risk management framework overview comparison.

throughout the process, as indicated by the vertical number of steps, the Australian/New Zealand
text (Figure 6). Standard appeared to satisfy the three original
In comparing the models, the COSO and IRM criteria identified by the NRC managers.
versions tended to be perceived as having a To pilot the approach before fuller implemen-
predominantly private sector financial perspective tation, three managers from the original informal
and less suited to the public sector scientific committee volunteered. Each manager worked
environment. While more comprehensive for a within a different environment with a different
wide-ranging public sector science organization, focus: a chemicals institute that was concerned
the CSA standard also had a number of more with demonstrating health and safety; an aero-
complex steps and was viewed to be less practical space institute with project risk management as a
with the additional time required to undertake. priority; and a marine institute with infrastructure
The NERAM and DOE models appeared to maintenance issues.Development of the pilot pro-
match NRC’s scientific needs more closely but jects was undertaken by each institute separate
were still considered to be overly complex when from the others, but all in coordination with
studied in more detail. While all had strengths NRC’s Corporate Services Planning and Perfor-
and weaknesses, NRC ultimately chose a risk mance Management group, in order to provide a
management approach based on the Australia– consistent approach. The result was consistency
New Zealand Risk Management Standard (AS– within diversity, with each institute benefiting
NZS 4360). One of the main reasons was that this from the application of the model to its own
standard had been successfully used at the CSIRO unique operating environment and research
in Australia for about a decade. CSIRO is an areas. Finally, in order to move from facing
organization that is very comparable in mandate, inward toward an individual institute and begin
activities and environment as NRC, and often used to face outward toward corporate NRC as
as a benchmark. Considering this, NRC managers a whole, management and evaluation of the
agreed that the AS–NZS 4360 model had proven 6-month pilots moved to a more formal steer-
itself in a similar S&T government organization, ing committee, with the development of models
and furthermore, appeared to address the require- for planning, performance and risk management
ment for relative ease of use with sufficient robust- mandated by NRC’s senior executive. A CRP
ness to be applicable across a wide range of diverse for NRC as a whole was also developed for the
research fields, sizes of research units and research first time, around the same piloting timeframe,
cultures. As one of the models with a simpler to look at the landscape of risks facing the organi-

r 2008 Her Majesty The Queen In Right of Canada R&D Management 38, 5, 2008 515
Journal compilation r 2008 Blackwell Publishing Ltd
Flavia Leung and Frances Isaacs

zation and establish the actions needed to address

such risks.

4. Model description
The selected model is based on the concept of
‘ERM’ – taking a more holistic approach, gather-
ing risks from all areas of an organization in order
to manage less in ‘silos’ and more in an integrated
manner. This is in contrast to what has tradition-
ally been done, with risk management focused
Figure 7. Risk assessment matrix. Source: Wyndarra Consult-
more on one area of risk impact or effect (e.g., ing, National Research Council Corporate Risk Profile, Octo-
financial risks in the banking and insurance ber 2005.
industries, health risks in medical fields).
A key element of this selected model is the accept Accept the risk and do nothing
notion that risk is managed at the level at which it
occurs. That is, project or health and safety risks
in a laboratory are managed at the project or lab consequence
Reduce either one
level. Risks to a particular research institute – reduce or both
likelihood
such as operational risks or those of taking a
Options

Spread the risk to

particular strategic direction – are dealt with by a third party
spread
the Institute’s management team. Risks at the share
corporate level – those affecting the wider orga- Develop contingency
arrangements
nization as a whole – are managed by the senior transfer Insure for financial
loss
executive. While risks are not ‘rolled up’ as such,
from one level to another, a compilation of risks avoid Do not participate with the activity
from the Institute pilots compared with NRC
organizational risks had several areas of com- Figure 8. Risk treatment options. Source: Wyndarra Consult-
monality. These included political context, part- ing, National Research Council Corporate Risk Profile, Octo-
ber 2005.
nerships and collaborations, funding pressures,
and hiring and retention among others.
In general, this approach involves four main on their probability or likelihood and on their
steps (one with two sub-steps): impact or consequence.
A 5  5 matrix was used in this pilot process,
1. Establish the context.
an updated version of which is shown in Figure 7.
2. Identify risks within this context.
This matrix allows for greater level of distinction in
3. Assess risks:
estimating the relative impact or likelihood of the
– analyze risks (in terms of probability and
identified risks (more so, than a 3  3 matrix some-
impact);
times used in other models) to help establish whether
– evaluate risks (including estimate risk level,
a risk is ‘very high’, ‘high’, ‘medium’ or ‘low.’
evaluate controls and risk tolerance level).
Understanding the unit or organization’s risk
4. Develop risk treatment.
tolerance then means knowing where to ‘draw the
The vital first step involves establishing the line’ on this matrix in terms of how much prob-
level of assessment (e.g., project, unit, organiza- able impact could be tolerated and where risk
tion, etc.) and any decision being made. It is based treatment action might be needed. A key compo-
on achieving the objectives of the project, unit or nent lies in evaluating the controls and strategies
organization and the assessment is made under- that are already in place for an inherent risk and
standing that risks change depending on context. that reduces either the probability or the impact
The second step includes identifying the risk to more manageable levels.
issues – the general areas affected or issues Finally, a risk treatment plan with associated
important to the context that needs to be managed risk mitigation strategies is developed to target
– as well as potential effects or loss if the risk were risk factors and to reduce very high or high risks.
to be realized and the risk factors that contribute Risk treatment options might include accepting
to the potential effects. Risks are assessed based the risk, avoiding risk altogether and sharing or

516 R&D Management 38, 5, 2008 r 2008 Her Majesty The Queen In Right of Canada
Journal compilation r 2008 Blackwell Publishing Ltd
 Risk management in public sector research

transferring the risk (see Figure 8). Such a plan in order to assess the level of risk. Using Figure 7
also defines risk ownership, roles and responsi- these could be very high, high, medium or low.
bilities, and timeframes to implement mitigation Consideration was given to risk tolerance levels
strategies. In the process, opportunities may also and the very high and high risks were prioritized
be identified, which positively affect the achieve- for risk treatment. Participants generated further
ment of stated objectives or goals – these should mitigation strategies through interviews or group
be considered as the action plan is developed. discussion sessions.
In the actual implementation of this approach, it Some challenges and lessons from NRC’s pilot
was found that there was some flexibility in how experience include
the steps were undertaken. For example, a ‘risk I. Undertake the necessary groundwork and
wheel’ was often developed as an overview tool to preparation to help ensure support:
capture initially identified risks from a number of
 Research best practices, share knowledge
areas of the organization. This ‘rough draft’ was
and experiences to build credibility among
used as a place of departure for risk identification
research staff – this is important for imple-
interviews and also informed initial versions of
menting any new process.
the risk profile. One pilot used an anonymous
 Develop the approach and process to fit
survey approach for risk identification. Further,
the organization – a best practice might
during the risk identification interview process,
not be ‘the’ best practice for your organiza-
participants often offered their assessment of the
tion.
risks they identified as well as some strategies for
 Build interest with early successes – demon-
mitigation. While these steps would be formally
strate value and it will have a greater like-
undertaken at a later workshop, this information
lihood of being picked up.
was captured. The risk profile invariably under-
 Gain senior management support to cham-
went several iterations.
pion the initiative and get them involved in the
process – this will help ensure that risk man-
agement is on the agenda, and there is follow-
5. NRC’s pilot experience and lessons
through on key actions.
learned
 Have a focal point (e.g., planning, audit) as an
initial driver.
Fuller documentation of the model, framework and
 Use outside experts with extensive related
process, including a common lexicon, was developed
knowledge and experience – they can be a
and subsequently used for pilot testing. Formal
valuable resource.
pilots using the framework were conducted at four
different levels within NRC: the corporate or orga- II. Stay flexible yet consistent:
nizational level, the institute or business unit level,
the program level and the research project level. It  The value of risk assessment lies in the discus-
was understood that risks are most effectively man- sion and realization of the participants (less on
aged – that is, identified, assessed and treated – whether a 5  5 or 3  3 matrix is used).
within these levels and within their particular con-  Maintain balance between flexibility and using
text. A CRP, nevertheless, allows for identification a standardized framework.
of risk areas that affect the organization as a whole  Consider options around risk as much as reward
and where a more systemic risk strategy might be and opportunity to facilitate decision making.
taken.
III. Recognize the limitations of any risk man-
A common process was involved at all four
agement approach:
levels. Management teams identified risks through
an individual interview process or through facili-  Identifying and assessing risk means identify-
tated workshops. One institute added identifica- ing and assessing the perceptions of risk –
tion of risks through a written survey. Identified because these events have not yet taken place,
risks were consolidated into a risk wheel, risk and are only ‘best guesses.’
register or risk profile and were validated through  Numbers and the matrix are used to prioritize
a management team workshop. In the same or a risk during an assessment – they provide a
subsequent workshop, participants assessed risks, relative assessment rather than a precise mea-
including evaluating the reduction of inherent risk sure.
through controls already in place. Risks were then  Risk identification and assessment is under-
mapped on a 5  5 likelihood/consequence matrix, taken to manage risk.

r 2008 Her Majesty The Queen In Right of Canada R&D Management 38, 5, 2008 517
Journal compilation r 2008 Blackwell Publishing Ltd
Flavia Leung and Frances Isaacs

 Tools and software can be helpful, but com- strategies and accountabilities is now also devel-
munications and discussion is critical: oped annually with broad input from the senior
executive, NRC management and Council mem-
– there is no magic risk management solution
bers. The document serves as a resource for
that will give the ‘right’ answer;
planning and decision making both at the insti-
– even with a software tool in place, results are
tute and corporate levels.
only as good as the assumptions used.
Nevertheless, there is still much progress to be
IV. Treating risks: made in learning from NRC’s experiences, fine-
tuning its process and recognizing the level of risk
 Risks do not necessarily ‘roll up’ for treatment
taking that is appropriate for a government
and can change depending on context – risks
research organization, including how it can best
should generally be treated at the level and
manage its various operational and strategic risks.
context within which they are incurred;
Mechanisms and means for greater sharing of
 Target risk factors in treatment – tackling the
institute experiences across the organization will
underlying cause will allow the organization
allow better decision making around risk and
to address several potentially related risks,
opportunity.
and is an effective strategy;
Currently, risk management is an optional
 Key risks, when viewed together, can often point
decision making and management support tool
out next steps that were not previously clear.
at the institute level, although it is a management
 Identification and assessment of risks is rela-
expectation for all departments and agencies as a
tively simple (based on NRC’s pilot experi-
whole. Looking ahead, NRC will continue to
ence), but organizations typically have more
build better understanding across the organiza-
difficulty in following through with the devel-
tion to encourage the practice and use of risk
opment of an action plan for risk management
management, integrating it into other organiza-
and the related details around key actions,
tional management activities such as planning
responsibilities and timeframe – having these
and project management. The process, related
in place helps monitor progress and ensures
thinking and mindset still need to percolate
follow-through.
more broadly to some groups. As with any change
V. Integration is critical: initiative, time is needed to continue to develop the
practice and for it to engrain itself into the culture
 Risk management is not a standalone activity
and activities of NRC.
– to be effective, it needs to be integrated with
Subsequent to the initial pilots, it was recog-
other organizational processes as relevant
nized that the incorporation of scenarios, or
(e.g., strategic planning; project management).
options, is a further potential enhancement to
 Training and establishment of common refer-
the chosen model. Other opportunities for further
ences and understanding of risk management
development include better linking of risk and
is critical for effective implementation of risk
opportunity – effectively assessing opportunities
management – in particular, if risk is to be
alongside risks in a systematic manner with
managed not only at the operational level but
the benefit of clarifying the value, for example,
also at a strategic level.
of pursuing a particular research direction. In
support of strategic planning, risk assessments
also can be more visibly linked with environmen-
6. Conclusions and future directions tal scanning and internal self-assessment exercises
to have an overall 3601 view. Integration of risk
Over the past several years, NRC has made good management into the business planning cycle is
progress in establishing more consistent under- underway in two areas: analyzing and assessing
standing in risk management and integrating the risks to the organization at the strategic planning
practices more broadly into various aspects of stage and development of contingency plans
its activities. For example, NRC’s model and during operational planning.
approach have already been integrated into in- Finally, it must be kept in mind that all risk
stitute project management approaches; it is being management activities, including reporting and
used at the corporate and institute levels to monitoring, should be as streamlined as possible
support business planning; and customized cor- to limit administrative burden. To that end, a
porate-wide training is being made available to all web-enabled organization-wide software is being
institutes. A CRP with related risk mitigation investigated as a supplementary resource to help

518 R&D Management 38, 5, 2008 r 2008 Her Majesty The Queen In Right of Canada
Journal compilation r 2008 Blackwell Publishing Ltd
 Risk management in public sector research

reduce efforts associated with monitoring and 4. COSO, Enterprise Risk Management (2004), http://
reporting of risk-related activities. As with other www.coso.org/Publications/ERM/COSO_ERM_
management practices, the ultimate benefit ExecutiveSummary.pdf
derived from implementing the practices should 5. IRM, A Risk Management Standard (2002), http://
be greater than the efforts involved, particularly www.theirm.org/publications/PUstandard.html
6. J.H. Shortreed, Basic Frameworks for Risk Man-
given the characteristics of the scientific environ-
agement, Final Report (2003)
ment. Moving forward, NRC is continuing to
7. US Department of Energy, ‘Risk Management,’
track its successes to build on their momentum, http://www.oecm.energy.gov/Portals/2/RiskMana-
capturing feedback and lessons learned for im- gement.pdf
provement along the way. 8. J.H. Shortreed, Basic Frameworks for Risk Man-
agement (2003), http://www.irr-neram.ca/risktools/
psf.html

References Flavia Leung is a Certified Management Consul-

tant with the Strategy and Development Branch
Australian Standards: AS–NZS 4360: 1999, Australia. of the National Research Council Canada
Interis. (2004) Integrated Risk Management Framework (NRC), Ottawa. She has an MBA and BSc
for SBDAs, Prepared for NRC and S&T Risk Man- (Biochemistry), both from the University of
agement SBDA Network. Ottawa, Canada: Interis. Ottawa. She has presented at such conferences
KPMG. (2001) Comptrollership Capacity Check, Pre-
as: International Engineering Management Con-
pared for Treasury Board Secretariat. Ottawa,
Canada: KPMG. ference, International Association for Manage-
KPMG. (2004) Integrated Performance Management ment of Technology, R&D Management,
Framework for Science Based Departments and Agen- American Evaluation Association, and Perfor-
cies, Prepared for NRC. Ottawa, Canada: KPMG. mance and Planning Exchange. She works closely
Privy Council Office, Government of Canada. (2003) A with scientific institutes in assessing and improv-
Framework for the Application of Precaution in ing their management practices, processes, and
Science-Based Decision Making about Risk. Ottawa, structures. She acts in an advisory capacity to
Canada: Privy Council Office, Government of senior management and executives on related
Canada. issues, and provides integrated planning, risk
Shortreed, J., Hicks, J. and Craig, L. (2003) Basic and performance management support to NRC
Frameworks for Risk Management, NERAM Work-
at the corporate and institute levels. Previous to
shop Final Report. Toronto, Canada.
Treasury Board of Canada Secretariat. (2005) Manage- NRC, she was with KPMG Consulting (Ottawa),
ment Accountability Framework. Ottawa, Canada: and Banque Nationale de Paris, Capital Markets
Treasury Board of Canada Secretariat. Ltd. (Hong Kong).

Frances Isaacs is Manager, Strategy and Devel-

opment for the International Relations Office of
Notes the National Research Council of Canada
(NRC), Ottawa. She has an MBA from Royal
1. KPMG (2001), ‘Comptrollership Capacity Check,’ Roads University, Victoria, Canada. She has
management practices self-assessment criteria for the made presentations on risk management in
Canadian federal government, http://www.tbs-sct.gc. 2005–2006 to the Integrated Risk Management
ca/cmo_mfc/Toolkit2/cap_check/cap_check_e.asp for Government Conference, International Qual-
2. Privy Council Office, Government of Canada ity and Productivity Canada, the American Eva-
(2003): A Framework for the Application of Pre-
luation Association and the Canadian Evaluation
caution in Science-based Decision Making about
Society. Her current work focuses on strategic
Risk, http://www.pco-bcp.gc.ca/docs/information/
Publications/precaution/Precaution_e.pdf management, international S&T and innovation
3. Australian Standard: Risk Management, AS/NZS systems and she has contributed to NIFU STEP’s
4360:1999, http://www.wales.nhs.uk/ihc/documents/ 2007 Role of Technological Research Institutes in
A.4.1.4_ Australia_and_New_Zealand_Methodolo- Innovation Systems Workshop, and to Innovation,
gy_AS_NZ%204360_1999.pdf Science, Environment 2008–2009.

r 2008 Her Majesty The Queen In Right of Canada R&D Management 38, 5, 2008 519
Journal compilation r 2008 Blackwell Publishing Ltd