ARCHIVED - Best Practices in Risk Management: Private and Public Sectors Internationally

This page has been archived.

Best Practices in Risk Management:
Private and Public Sectors Internationally

April 27, 1999

Table of Contents

• Executive Summary
  • A. Study background
  • B. Benefits of managing risk
  • C. Best practices
  • D. Observations
  • E. Conclusions
• I Study Background
  • A. Study purpose and objectives
  • B. Context and approach
• II Why Implement Risk Management?
  • A. Benefits
  • B. Status of implementing risk management
• III Best Practices
  • A. Integrating risk management into other management practices
  • B. Approaches, tools and techniques for implementing risk management
• IV Observations And Conclusions
  • A. Observations
  • B. Conclusions
• Appendix A Statement of Work
• Appendix B Bibliography
• Appendix C Interview guide
• Appendix D Criteria For Assessing Applicability Of Best Practices To The Canadian Federal Government

Executive Summary

This Executive Summary of the "Best Practices in Risk Management: Private and Public Sectors Internationally" report highlights the study background, best practices and observations and conclusions of the study.

A. Study background

KPMG was engaged to identify best practices in risk management in the private and public sectors internationally. The study objective was to identify risk management best practices including strategies, approaches, methods, tools and techniques and how they can be used in the Canadian federal government. The study was conducted in parallel with a study on best practices in Canadian private and public sector organizations carried out by another consulting firm. Our teams worked closely together to have a common understanding of the study requirements and to ensure that we would be able to present a coordinated summary.

The study focuses on the "best" practices, i.e., practices that were particularly effective in helping an organization achieve its objectives for managing risk and are deemed to be of value to other organizations. The study focuses on risk management practices that have been integrated into other management practices such as those for planning and decision-making. It also looks at the strategies for planning, developing, implementing and monitoring risk management.

Exhibit 1 shows our study approach which consisted of four components: a literature review and contact with our KPMG offices abroad; contact with organizations to obtain their interest in participating; our interviews and data collection; and analysis and reporting. We used our international KPMG network to identify organizations in the countries of interest that have good risk management practices.

Our study sample consisted of 228 relevant publications and interviews with eighteen organizations from Australia, France, Germany, Sweden, Switzerland, the United Kingdom, New Zealand, South Africa, Taiwan, and the United States. Organizations from Western Europe, Australia and New Zealand accounted for almost 80 per cent of the sample. The sample included twelve private sector and six public sector organizations. We interviewed companies in these industries: manufacturing; mining and natural resources; financial services; pharmaceuticals; technology and communications; and utilities.

Exhibit 1 Approach

---

 

B. Benefits of managing risk

The organizations reported many benefits of managing risk. The benefits, overall, relate to organizational objectives and the management process. The key benefit is the achievement of organizational objectives. Other reported benefits are better focus on business priorities, strengthening of the planning process and the means to help management identify opportunities. The reported benefits to the management process include: a cultural change that supports open discussion about risks and potentially damaging information; improved financial and operational management by ensuring that risks are adequately considered in the decision-making process; and increased accountability of management.

C. Best practices

Exhibit 2 provides an overview of the eleven best practices that we identified in the study. The "hub," from which all other practices derive, is the organizational philosophy. All practices provide the movement to integrate risk management within the organization. Approaches, tools and techniques are the interface with the "road", or the direction and objectives of the organization. Many of the practices are inter-related. For example, "teaming" requires "open communication".

Exhibit 2Overview of best practices

---

Source: KPMG
� KPMG

• Promoting an organizational philosophy and culture that says everybody is a risk manager: By far, the predominant practice for integrating risk management is to build an organizational culture in which everybody is a risk manager. Some organizations indicated that this is more important than developing and issuing extensive policies and procedures. Employees that take responsibility for their actions and outcomes become risk managers. Ideally, the employees intuitively understand the organization's goals and work towards them.

• Senior management and/or governing bodies champion risk management and define and communicate acceptable levels of risk: The responsibility for driving risk management is placed high in the organization. Senior management (and/or the governing bodies such as the Board of Directors) must be aware of, understand and support risk management. Senior management and the board sends the message internally and externally about the importance of managing risk. Also, it is important that other managers, stakeholders, and employees see their involvement.

Some organizations set specific responsibilities in risk management for the Board and senior management. The Board may provide guidance such as identifying the principal risks to the business, ensuring that appropriate systems are implemented to manage the risks, ensuring the integrity of the control and management systems, and defining responsibilities and monitoring major risks. Management is accountable for coordinating the risk management and identifying, evaluating, controlling and reporting risks. The Board of Directors or senior management may define, develop and approve a Risk Policy. The Risk Policy states the level of risk that the operation is willing to accept. It might also state roles and responsibilities and practices for managing risk.

• Establishing open communication channels: Open communication is necessary for risk management to succeed. Without open communication risk management cannot be "everybody's business". Managers require direct communication channels up, down and across their business units to help identify risks and take appropriate actions. Information must be shared.

• Using teams and committees: Informal and formal teams are a mechanism that many organizations use to manage risks. Teaming brings together various risk attitudes and brings fresh thinking to issues and solutions. It also focuses diverse disciplines on common objectives.

• Using a simple, common business risk language: A common business risk language enables managers to talk with individuals from the boardroom to the boiler room in terms that everybody understands. This is important also in cases where everybody is expected to manage risks. The designers of the approaches must balance simplicity with usefulness.

• Setting up a corporate risk management function: Many organizations have set up a responsibility centre for risk management. Some units are headed by a Chief Risk Officer (CRO) who defines consistent approaches to managing risk. The CRO is the organizational risk champion and is responsible for providing leadership and establishing and maintaining risk awareness across the organization. The CRO might also set up risk control objectives, a risk framework, and design ways to measure risk.

• Communicating risk management performance: A handful of organizations report to management and stakeholders/shareholders on risks and risk management performance. For example, in one organization, Business Unit Managers are required to report three times annually to the Finance and Risk subcommittee of the Board. The reports outline the units' top ten risks and how they are managed.

• Internal Audit and/or the Audit Committee assists in implementing risk management: The internal audit function plays a key role in implementing risk management throughout an organization. Examples of their assistance are: facilitating self-assessment workshops; monitoring and reporting on the management of significant risks; providing advice; raising awareness of risk management; reviewing processes for managing risks; and sitting on the risk management committee.

• Guidance: Guidance is provided indirectly (documents, such as "tool kits") or directly (advice, such as internal consulting services).

• Risk management training: Risk management training, as part of a corporate training curriculum, helps integrate risk. Topic areas include: risk assessments; best practices; legislative requirements; safety; objectives for managing risk; risk-awareness training to ensure that all managers consider risk.

• Approaches, tools and techniques: Organizations are using a number of approaches, tools and techniques for managing risk. Many are developing business risk maps which help the organization identify, understand and address its business risks. The use of a broad scope framework can influence a discussion on the sources and types of risks, for example, external, economic, market, credit, information, human resources and strategic. This brings a multi-disciplinary perspective for looking at the risks. Modeling tools, such as scenario analysis and forecast models, enable managers to manage uncertainty. By using scenario analysis, decision makers can see the range of possibilities and build the scenarios into the organization's contingency plans. Techniques for identifying and assessing risks help managers identify where they should be focusing their attention and resources. Techniques include workshops, questionnaires, self-assessment, risk scans and assessment templates. The internet/intranet is increasingly being used to: promote risk awareness and management; obtain information on risk in specific areas; communicate with employees; share information on risk management across agencies; and communicate risk management objectives.

D. Observations

We offer the following observations concerning risk management from our analysis of best practices:

Risk management, like comptrollership, is a mind-set:

Managers should be conscious of risk management and integrate it into their other management practices. Overly bureaucratic and complex processes will submerge risk management into irrelevance. Managers need the flexibility to use techniques that make sense for them and their operation. However, the technique must allow for the roll up and comparison of operating unit results at the corporate level. Specialists need to be available to assist managers.

Risk management and corporate ethics functions should work together:

The information we gathered indicates that risk management programs and ethics programs are related. For example, a written code of ethics is a mechanism to communicate the values of the organization and the related risks. An ethics program for government employees is viewed as a way to sensitize employees to ethical issues or risks affecting the key entity's values.

Risk management is a dynamic process:

As the business needs and business risks change, new processes or tools for managing the risks are required. How organizations are performing at managing risk must also be monitored and continuously improved. Risk assessments are not a "one-off" exercise.

Many functional specialists will play a role in risk management:

Our review of best practises indicates that many functional specialists will play a role in managing risk. These include specialists in information technology, human resources, communications and financial management.

Risk management must be adequately resourced:

Senior management must be committed to supporting the initiative with the required resources. Investments will be required in training, developing processes and techniques, management systems and setting up specialist groups.

E. Conclusions

We conclude that the best practices are generally applicable to the federal government context. Exhibit 3 maps the best practices to the assessment criteria. The practices are consistent with the current direction for risk management in the government. Most will contribute to improving service delivery. By managing risks, managers are more likely to achieve their objectives. Hence, they would be more likely to meet service delivery objectives and targets. Practices such as the organizational philosophy, open communication channels, teams and committees, guidance, and training contribute to a supportive work environment. These practices also support innovation.

While the practices do facilitate management decision-making and planning, the link to sound resource allocation is less strong. However, the tools for mapping, modelling, identifying and assessing risks do help focus the resources on key risks and, in this way, allocate the resources to the most critical areas.

There may be significant barriers to implementing those best practices that are very different from the status quo. Most federal departments and agencies operate with traditional organizational structures having a defined reporting and management hierarchy. Hence, implementing a philosophy and culture that everybody is a risk manager may be a stretch target. Similarly, the current environments do not welcome bad news or open communication channels.

Departments and agencies will need to adopt the practices that make sense for the organization and are linked with the benefit targeted by the organization. There are many different ways that these practices can be implemented in organizations.

Exhibit Assessment of practices

---

---

I Study Background

This chapter summarizes the purpose of the study and its objectives. We set the context for the study and describe our approach. Finally, we report on the study sample.

A. Study purpose and objectives

This section describes the purpose and objectives for this study on best practices in risk management in public and private sector organizations internationally.

1. Study purpose

The Canadian federal government is continuing to implement recommendations from the Report of the Independent Review Panel on Modernization of Comptrollership in the Government of Canada. The Panel's report identified four key elements of modern comptrollership:

• Performance information-financial and non-financial, historical and prospective.
• Risk management.
• Control systems.
• Ethics, ethical practices and values.

Creating and sustaining a mature risk management environment was one of the crucial components of the approach recommended by the Panel. To enable such an environment, the Treasury Board Secretariat (TBS), with federal departments and other interested parties, is developing a results-oriented approach to risk management to help employees better understand, manage and communicate risk and the related choices-a modern, integrated approach. The result of this work is expected to be an umbrella policy that sets the context for federal risk management along with guidance, tools, techniques and training for use in federal departments.

This study is one of four concurrent studies which are helping provide background research on best practices in risk management. This study examines the private and public sectors internationally.

2. Objective and scope

The objective of the project is to identify risk management best practices including strategies, approaches, methods, tools and techniques and how they can be used in the Canadian federal government.

The study is being conducted in two parts concurrently by two firms. KPMG was engaged to identify best practices in the private and public sectors internationally. In accordance with the study terms of reference, we collected information on best practices in Western Europe (the United Kingdom, France, Germany, Switzerland), Australia, New Zealand and the United States. We also collected information from organizations in South Africa and Taiwan. Our statement of work is included as Appendix A.

B. Context and approach

In this section, we describe the context and approach for the study. It is important to understand this, since it influenced the information that we collected in the course of the study and discuss in this report.

1. Context

As indicated above, this study on international best practices was conducted in parallel with a study on best practices in Canadian private and public sector organizations carried out by another consulting firm. Our respective terms of reference required that we present a coordinated summary of our conclusions and recommendations to the Project Authority. Thus, early on in the project, our teams worked closely together to have a common understanding of the study requirements and to ensure that we would be able to integrate the information collected so we could present a coordinated summary. For example, we defined "best practice" and the elements of managing risk that were pertinent to the study.

It is important to note that the study does not document the full range of risk management practices.

• First, the study focuses on the deemed "best" practices, as compared to "good" practices. We defined a "best practice" as a strategy, approach, method, tool or technique that was particularly effective in helping an organization achieve its objectives for managing risk. A best practice is also one which is expected to be of value to other organizations. For example, a practice that was particularly helpful in establishing guidance would be of value to any other organization that has a responsibility to provide guidance.

• Second, the study focuses on risk management practices that have been integrated into other management practices such as those for planning and decision-making. It also looks at the strategies for planning, developing, implementing and monitoring risk management. Specifically, we collected best practices in three areas:

• Integrating risk management into other management practices.

• Tools for integrating risk management.

• Key disciplines and functions which use risk management.

We elaborated on these areas in our interview guide.

Hence, although there may be many "good" practices in an organization, we do not report on them. Nor do we report on a complete process or system for managing risk.

2. Approach

Exhibit I-1 shows the approach we used to conduct the study.

Exhibit I-1n Approach

---

Our approach consisted of:

• Literature review and contact with KPMG offices abroad: At the project start, we reviewed relevant literature to prepare a preliminary list of organizations abroad that were recognized as good risk management practitioners. We used our international KPMG network to identify other organizations (through our local practices) and to provide introductions and contact names to open the doors for us. These offices have a broad knowledge of the public and private sector organizations in their marketplace. Hence, they would be aware of organizations that have good risk management practices. We targeted organizations in Western Europe, Australia, New Zealand and the United States. We also targeted organizations in Asia. All in all, this was the most difficult part of the study since we had to communicate across time zones and deal with absences from offices. We continued our review of literature published outside Canada to collect best practice information. Again, we used our resources in KPMG offices abroad to identify and help obtain the publications of interest. Appendix B is the bibliography of the publications reviewed for this study. We reviewed 228 articles published outside of Canada.

• Contact organizations for their interest in participating: Throughout these initial steps in the project, we respected the requests of our international colleagues in KPMG offices abroad. For example, some colleagues preferred that they contact the organizations directly to obtain their participation. Also, some requested that they conduct the interviews in person on our behalf. In all other cases, we contacted the organizations directly and scheduled telephone interviews.

• Obtain information from interviews: For interviews that were conducted out of Canada, we sent, in advance of the interview, the study background documentation and the interview guide shown in Appendix C. In order to ensure that the interviews conducted by our colleagues abroad were consistent with those conducted by phone from Canada, we provided guidance documents to these colleagues as well as the background documentation and interview guide to forward to the contact in advance of the meeting.

• Analysis and reporting: We synthesized our findings from the interviews and our extensive literature review to identify the best practices and lessons learned. We also made a preliminary assessment of the extent to which the best practices are applicable to the Canadian federal government.

3. Applicability of best practices to the Canadian public sector

Our study terms of reference required that we document the identified best practices and make recommendations on their usefulness and applicability in the Canadian federal government context. Jointly with the other contractor, we prepared a list of criteria for assessing the applicability of the best practices to the Canadian federal government. The final set of criteria, included as Appendix D, incorporates input from an internal advisory committee of departmental representatives. To the extent possible, we have assessed the applicability of the practices against these criteria.

4. Study sample

Our study sample consisted of:

• Interviews with eighteen organizations.

• A review of 228 relevant publications.

Hence, we are confident in our base for drawing on best practices.

The organizations interviewed represent Australia, Western Europe (France, Germany, Sweden, Switzerland, the United Kingdom), New Zealand, South Africa, Taiwan, and the United States. Exhibit I-2(a) shows the distribution by location. The sample is predominantly comprised of organizations from Western Europe, Australia and New Zealand.

Exhibit I-2(a)
Distribution of organizations by location

---

The organizations represent twelve private sector and six public sector organizations. Exhibit I-2(b) shows the distribution of organizations by industry. Organizations from government represent 32 per cent of the sample (six organizations). Five of these represent the federal level; one, other levels of government. The remainder represent a variety of industries: manufacturing, mining and natural resources, financial services, pharmaceuticals, technology and communications, and utilities. We are satisfied that we have achieved a solid balance of geographic and industry representation in the timeframe available for the study.

Exhibit I-2(b)
Distribution of organizations by industry

---

We found in our interviews that these public and private sector organizations were facing similar issues as the Canadian federal public sector: environments of constraint, pressures for innovation, and changing organizational cultures.

Our extensive literature search provided information on best practices in numerous other organizations. A practice reported in a publication is a "best practice", according to the definition used in this study. Clearly, the practice is deemed to be effective and of value to other organizations if it is discussed publicly.

---

II Why Implement Risk Management?

This chapter provides an overview of the benefits from implementing risk management. Also, we briefly discuss the status of the implementation in the organizations.

A. Benefits

There is certainly a strong case for implementing risk management. The reported benefits of managing risk include:

• Achievement of organizational objectives.

• Better focus on business priorities. Additionally, it enables managers to focus their resources on the primary objectives. Resources are not re-directed to deal with problems. This results in increased confidence of shareholders and ministers. Taking action to prevent and reduce loss, rather than cleaning up after the fact, is an effective risk strategy.

• A cultural change that supports open discussion about risks and potentially damaging information. The new culture tolerates mistakes but does not tolerate hiding errors. Also, the culture emphasizes learning from the mistakes.

• Improved financial and operational management by ensuring that risks are adequately considered in the decision-making process. Improved operational management will result in more effective and efficient service delivery. By anticipating problems, managers may have more opportunity to react and take action. The organization will be able to deliver on its service promise.

• Strengthening of the planning process and a way to help management identify opportunities.

• Increased accountability of management in the short term. In the longer term, increased overall management capabilities.

• Increased value (private sector comment).

B. Status of implementing risk management

This section briefly talks about the status of implementing risk management including its extent and definition.

1. Extent of risk management

All the organizations that we interviewed had always been practicing some form of risk management - for example, risk management in specific disciplines such as finance. Some organizations were adding more substance to their existing processes. About a third were now focusing on implementing risk management to deal with business or organization risk.

The practices from the literature review related to implementations of business risk and discipline risk.

The interest in implementing business risk management is growing.

2. Definition of risk

For the most part, risks are perceived as any thing or event that could stand in the way of the organization achieving its objectives.

Hence, for these organizations, risk management is not about being 'risk averse'. Risk management is not aimed at avoiding risks. Its focus is on identifying, evaluating, controlling and "mastering" risks. Risk management also means taking advantage of opportunities and taking risks based on an informed decision and analysis of the outcomes.

---

III Best Practices

This chapter reports on the best practices that we identified in our literature reviews and interviews. We report them in two categories: integrating risk management into management practices, and approaches, tools and techniques for managing risk.

Exhibit III-1 provides an overview of the best practices. The "hub," from which all other practices derive, is the organizational philosophy. Taken together, all practices provide the movement to integrate risk management within the organization. Tools and techniques are the interface with the "road", or the direction and objectives of the organization.

Exhibit III-1 Overview of best practices

---

Source: KPMG
� KPMG

A. Integrating risk management into other management practices

This section reports on the best practices for integrating risk management into management practices.

1. Promoting an organizational philosophy and culture that says everybody is a risk manager

By far, the predominant practice for integrating risk management is to build an organizational culture in which everybody is a risk manager. Some organizations indicated that this is more important than developing and issuing extensive policies and procedures. Management of risk is embedded in the management philosophy. Employees that take responsibility for their actions and outcomes become risk managers. Ideally, the employees intuitively understand the organization's goals and work towards them. One organization noted that the culture originated in the employee ranks and eventually flowed up to the senior management.

Examples of this practice are:

• Installing restroom mirrors that remind employees that "you are looking at your safety manager".

• Instilling a "sense of excellence" in the culture which encourages people to seeks solutions and talk honestly about where they need help.

• Involving all staff in risk management activities through committees and holding meetings at different work sites.

Sometimes, the culture has to be developed. Practices to achieve this include:

• Setting up the risk management department as a centre of excellence to spread risk management procedures and practices across the organization. The aim is to encourage people to be their own risk managers with the risk management department acting in a support capacity.

• Recruiting on attitude instead of experience, in order to provide outstanding customer service. This helps manage customer risk.

• Introducing penalties. One government introduced a "corporate killing" offense designed to punish corporate directors when they fail to correct unsafe practices that result in death.

• Setting up recognition and reward initiatives that encourage employees to manage risks and take advantage of opportunities.

• Implementing remuneration packages that discourage excessive risk taking. For example, some securities traders have moved to basing traders' remuneration on a formula which compares their profits to those of a benchmark reflecting returns in the market as a whole. In another organization, a "sustainability index" is used to calculate management's bonus. The index is calculated using the cost of electricity, affirmative action achievement and the technical performance of the plant, transmissions and grid.

• Evaluating employees' performance in managing risks, through the performance appraisal process.

• Defining risk management as part of the requirement for all management positions.

• Reinforcing ethics and values by issuing a written code of ethics or communicating them through training, meetings or workshops.

The reported benefit of a risk management culture is that organizations can change more rapidly and can manage risks more effectively.

2. Senior management and/or governing bodies champion risk management and define and communicate acceptable levels of risk

The responsibility for driving risk management is placed high in the organization. This is also a tool for embedding risk management in the culture. The support of senior management (and/or the governing bodies such as the Board of Directors) is essential. As a start, senior management and the Board must be aware of and understand risk management. There is a wide variety of ways in which the senior leaders are involved in risk management. However, underlying these ways is the role of senior management and the board to send the message internally and externally about the importance of managing risk. Also, it is important that other managers, stakeholders, and employees see their involvement. Managing risk is not just a discussion item for management committees behind closed doors.

Ways that the senior management and Boards lead risk management initiatives include:

• The risk management group uses senior management as sponsors to ensure the risk management message is taken up by their direct reports.

• The Chief Executive Officer attended each meeting for implementing risk management processes. The Chief Financial Officer of the organization was the first senior manager to develop an action plan for an item emerging from a risk workshop.

• Senior Management devotes a day of its annual strategic planning process to identifying and quantifying risks at a strategic level.

• Senior executives sit on an internal control committee and are tasked with providing their department heads with the appropriate internal control mechanisms.

• Board members were asked to think of one risk that kept them awake at night. Then, they were charged with overseeing the management of that risk.

• A safety supervisory board, a subsidiary of the main Board of Directors, reports monthly to the Board of Directors on performance in health, safety and environment.

• Board sign off for new business cases which must include a risk analysis.

• A (external) Council has set the parameters which the risk assessment team uses.

Some organizations report that they set specific responsibilities in risk management for the Board and senior management. The Board may provide guidance such as identifying the principal risks to the business, ensuring that appropriate systems are implemented to manage the risks, ensuring the integrity of the control and management systems, and defining responsibilities and monitoring major risks. Management is accountable for coordinating the risk management and identifying, evaluating, controlling and reporting risks. Most importantly, the Board of Directors or senior management, defines, develops and approves a Risk Policy.

The key message of the Risk Policy is the level of risk that the operation is willing to accept. The policy might also state roles and responsibilities and practices for managing risk. Managers require clear direction on risk tolerance. That direction must come from the governing body or senior management. Workshops are another way to communicate the tolerances.

3. Establishing open communication channels

The practices reported demonstrate that open communication is necessary for risk management to succeed. For example, teams rely on communication to address risks and achieve objectives. Also, many report that open communication is a way to easily integrate risk management into existing processes. If communication is not there, risk management cannot be "everybody's business". Managers require direct communication channels up, down and across their business units to help identify risks and take appropriate actions. New looser-information based structures are replacing traditional organization structures with defined reporting relationships. Information must be shared.

Examples of open and good communication are:

• Using the intranet to communicate the organization's efforts and involve all employees in managing risk. It is also used to communicate objectives.

• Appointing managers whose only task is to communicate risks to employees.

• Holding quarterly meetings of a risk management committee to review and discuss the organization's exposure and protection measures.

• Using the risk management function to communicate objectives.

• Promoting awareness of risk management issues through monthly, quarterly and annual reports. The reports focus on areas that require help from the risk management group.

• Making presentations to senior management and/or the governing body on the risk management process.

• Encouraging people to discuss mistakes.

4. Using teams and committees

Informal and formal teams are a mechanism that many organizations report they are using to manage risks. Teams were cited in a number of situations such as the management of financial risk, construction projects, workers' compensation, health and safety, insurance, contract management, transport, treasury management, project management, new product development. Teaming brings to light the dynamics between disciplines, brings together various risk attitudes, and brings fresh thinking to issues, opportunities, strategies and solutions. It is perceived as a way to focus diverse disciplines on common objectives, one of which is minimizing risk. Teams provide balance. Also, teams pollinate a concern for risk management throughout the organization, rather than being the concern of a function or discipline. While the practice of teaming is recognized as a "best practice", there was no common practice concerning the composition of the team.

The composition of formal risk management teams included:

• Line management, treasury, audit, compliance, public relations, human resources and risk management professionals.

• Specific risk management teams for each of contract management control, health and safety, insurance, transport and treasury management.

• Multi-disciplinary teams for projects and product development.

• Seeding management teams with individuals with varying risk attitudes.

• A cross-functional risk management committee with representation from operating units and treasury/finance, human resources and risk management.

• A risk management strategy steering group where all major functions are represented.

• A risk management committee composed of division heads.

In other cases, various disciplines are encouraged to work together, such as:

• The audit group, the Chief Financial Officer, senior management, and treasury.

• A workers' compensation claims department, medical department, corporate ethics department, security, human resources and legal department jointly taking on risk management responsibilities.

• A claims coordinator working closely with the human resources department.

• A team of loss control specialists and claim handlers available during construction projects.

• A project team of corporate audit, finance and control, and a chartered accountant which supports managers' self-assessment of risk.

Teams provide a wider perspective and look at various angles of risks and consequences. To operate, teams require open communication.

5. Using a simple, common business risk language

In order to integrate risk management into other management processes, the terminology should be easily understandable by managers. The approaches should also be simple to understand and use. By developing a common business risk language, managers can talk with individuals from the boardroom to the boiler room in terms that everybody understands. This is important also in cases where everybody is expected to manage risks. The risk management approaches and processes must be simple to be accepted by business management. Organizations have reported that complex, intellectual tools have proven to be unsuccessful. Others caution that the approaches must also be flexible to be meaningful across business units. Though the process must be simple and useful across units, the process should not be oversimplified. The designers of the process must balance simplicity with usefulness.

6. Setting up a corporate risk management function

Many organizations have set up a responsibility centre for risk management. Some units are headed by a Chief Risk Officer (CRO) who defines consistent approaches to managing risk. As the organizational risk champion, the CRO is responsible for providing leadership and establishing and maintaining risk awareness across the organization. The CRO might also set up risk control objectives, a risk framework, and design ways to measure risk. These senior risk managers must have strong persuasion skills. The risk manager must deal with business risks, not just insurable risks. In this way, their importance within the organization increases.

7. Communicating risk management performance

A handful of organizations report to management and stakeholders/shareholders on risks and risk management performance. Ways of reporting are:

• The Internal Control department presents two reports annually to the President. The reports communicate the results of monitoring risk. Each Operating Division is required to prepare an annual report on its monitoring results for the Internal Control Department.

• Business Unit Managers are required to report three times annually to the Finance and Risk subcommittee of the Board. The reports outline the units' top ten risks and how they are managed.

• Managers advise the Board on the risks of their ventures and key shareholders/stakeholders have their say.

8. Internal Audit and/or the Audit Committee assists in implementing risk management

The internal audit function plays a key role in implementing risk management throughout an organization. Examples of this practice are:

• Facilitating self-assessment workshops.

• Monitoring and reporting on the management of significant risks.

• Providing advice.

• Raising awareness of risk management among managers.

• Identifying critical risks and preparing "watching briefs" on them.

• Monitoring compliance in key areas, such as legislative requirements.

• Reviewing processes for managing risks.

• Communicating objectives for managing risk.

• Sitting on the risk management committee.

9. Guidance

Providing guidance is an important practice for integrating risk management. Guidance is provided indirectly (documents) or directly (advice). Examples of this practice are:

• A guidance paper for government departments that are preparing public sector construction projects. "Essential Requirements for Construction Procurement" integrates value and risk management with project management.

• A tool kit for agencies of the government. The kit enables agencies to self-assess their position relative to current best practices. It also helps them move to the best practice using generic improvement strategies.

• Internal consulting services provided by the risk management unit.

• A forum of managers. Managers are able to identify their problems/risks. The forum allows the sharing of best practices. Action items are proposed to deal with the risk. Another advantage is all line managers are now aware of the risk and the action items.

• A legislative agency that makes recommendations to agency management for reducing risk. The recommendations have been proven successful in other agencies.

10. Risk management training

Risk management training, as part of a corporate training curriculum, helps integrate risk. Topic areas include: risk assessments; best practices; legislative requirements; safety; objectives for managing risk; risk-awareness training to ensure that all managers consider risk.

B. Approaches, tools and techniques for implementing risk management

1. Business risk mapping

Organizations are developing business risk maps to identify key business risks to the organization. This helps the organization understand and address its risks. Management must quantify the magnitude of the risks and measure their potential impact. The use of a broad scope framework permits the consideration of different types of potential risk in risk mapping. The use of a framework can influence a discussion on the sources and types of risks, for example, external, economic, market, credit, information, human resources and strategic. This brings a multi-disciplinary perspective for looking at the risks.

Examples of this practice are:

• Listing the various business risks. Then, the risks are charted into four quadrants depending on whether an event has a high or low probability of occurrence and whether it could result in a highly severe loss or a low severity loss.

• Developing a risk map on one sheet of paper. The map provides a comparative evaluation of all operational, financial, hazard and strategic risks that the organization faces. By comparing risks on a single matrix of severity and frequency, senior managers can see a complete picture of all the risks facing the company and their interrelationship.

• Developing a 'major matrix of risks'. It captures the most damaging threats to the corporation. Senior management and the Board can use it in decision-making.

Simplicity underlies these approaches.

2. Modeling tools

Modeling tools enable managers to manage uncertainty. Scenario analysis and forecast models are the predominant tools. Examples of using modeling tools are:

• Using scenario analysis, decision makers can see the range of possibilities and consider changes that they would otherwise ignore. These scenarios can also be built into the organization's contingency plans. Scenarios can be documented and analysed using computer spreadsheet software.

• Using statistical analysis and Value at Risk techniques, managers can estimate the variability of future losses. They measure the impact of a potential loss on earnings or cash flow, include sensitivity analysis, stress testing, and various types of simulations.

• Financial models which dynamically simulate the various financial risks and the impact of various scenarios on portfolios of debt and equity.

• Anticipating hazards in the production process that could make the product defective, and then identifying the points at which they can be controlled.

• Assessing technical risks during new product development by identifying, early on in the project, the potential errors in the manufacturing process. This gives the time to address the consequences.

• Accumulating past project experience and extrapolating it to provide a synthesis of the likely risk impact of a particular project.

Some tools, such as scenario analysis, modeling, technical risk analysis, have broad applicability to management areas. Others, such as financial models, are less applicable to other disciplines.

3. Risk identification and assessment techniques

Techniques for identifying and assessing risks help managers identify where they should be focusing their attention and resources. There is no predominant technique.

Various techniques are:

• Brainstorming groups. Staff from multiple business units meet to brainstorm issues.

• Workshops. Organizations are starting to develop risk-focused facilitated workshops that help operating personnel determine and prioritize their objectives and identify and assess risks. Management in attendance would generally span a variety of areas.

• Questionnaires. Operating units are tasked with completing questionnaires on objectives and risks. For example, managers may annually update risks and progress on managing them.

• Self-assessment. Managers self-assess with support from Audit, Finance and an external accountant.

• Control self-assessment (CSA). CSA provides assurance that an end-point business objective will be met, taking into account controls and risks. Risk-focused workshops help operating managers determine and prioritize their objectives.

• Filters. Risks are evaluated against four filters: non-core function, low impact, risk well-managed, and low probability of occurrence.

• Boston Squares. Boston Squares is used to chart the impact/severity of risks.

• Risk Quick Scan. This is a technique for presenting risks (cost, timing, specifications, etc.) in such a way that the risks can be easily compared to each other in terms of probability and consequences. This is especially useful in projects.

• Matrix to assess supplier capability. The matrix is used to make an overall assessment of the ability of a potential supplier to deliver successfully the services/products specified in a contract. The matrix considers: the history and development of the supplier's business; legal background and capital structure; critical performance elements of the contract; management and employees; commitment, contingencies and litigation; financial viability.

• Assessment matrix. The matrix consists of a series of questions covering elements of risk management and internal controls. It also includes descriptions of best practices.

• Risk identification templates. Business units are given templates. These assist them in identifying and evaluating risks during their business planning process.

• "Bottom up" risk assessments. Operating managers identify and evaluate risks. These are then rolled up at the corporate level.

• Value at Risk (VAR) model and worst case model. These models are used to assess risk. The (VAR) model looks at the estimated potential loss in value of a position or portfolio within a specified period based on market factors. It allows the simultaneous trend comparison of, for example, currency fluctuations.

• Prioritizing risks. Based on their rank, the risks are addressed.

4. The internet/intranet

The internet/intranet is increasingly being used to manage risks. It is used to: promote risk awareness and management; obtain information on risk in specific areas; communicate with employees; share information on risk management across agencies; and communicate risk management objectives.

---

IV Observations And Conclusions

This chapter summarizes our observations and conclusions from our review of best practices.

A. Observations

We offer the following observations concerning risk management from our analysis of best practices:

1. Risk management, like comptrollership, is a mind-set

Managers can be made aware of risk and risk management. Risk management can be taught and reinforced. However, risk management is most effective when managers and employees are attuned to risk management. Risk management cannot be imposed. Managers should be conscious of risk management and integrate it into their other management practices. Risks should be taken into account in decision-making. Managers are more likely to buy-in to the practice if it is positioned as a normal management activity. Overly bureaucratic and complex processes will submerge risk management into irrelevance. There is a balance required between flexibility and consistency. Managers need the flexibility to use techniques that make sense for them and their operation. However, the technique must also allow for the roll up and comparison of the operating unit results at the corporate level. Specialists need to be available to assist managers.

2. Risk management and corporate ethics functions should work together

The information we gathered indicates that risk management programs and ethics programs are related. For example, a written code of ethics is a mechanism to communicate the values of the organization and the related risks. An ethics program for government employees is viewed as a way to sensitize employees to ethical issues or risks affecting the key entity's values. Risk managers may increasingly be required to collaborate with the ethics function in order to understand and resolve information risks. Another organization also reported that a business ethics initiative revealed information hazards resulting from a "culture of secrecy". Internal policies and standards were not written down or consistently communicated to employees. The ethics manager worked with the risk management function to develop steps to prevent future violations of standards. Many components of a corporate ethics program are aimed at improving the organization's information flows. These include broad communication programs, senior management's commitment and communication of values and principles, and monitoring of business practices. We have already discussed that communication and information flows are a key practice for managing risk.

3. Risk management is a dynamic process

As the business needs and business risks change, new processes or tools for managing the risks are required. For example, increased use of the Internet can be a source of risk and can, at the same time, be a tool for managing the risk. The practices must continually adapt to a changing environment. How organizations are performing at managing risk must also be monitored and continuously improved. Employees and managers need to be informed if there are changes. Risk assessments should be reviewed as circumstances change. It is not a "one-off" exercise.

4. Many functional specialists will play a role in risk management

Our review of best practises indicates that many functional specialists will play a role in managing risk. These specialists include information technology specialists, human resources specialists, communications specialists and financial specialists.

Information technology specialists have always had a preoccupation with risk management. They have had to manage the risks of IT projects. Now, their role may be expanding to provide specialist support to risk management specialists and managers. As new technologies are accepted (e.g., the internet, electronic commerce), the IT specialists will be required to help others understand and deal with potential business and technology risks. They will be involved in identifying, assessing, and managing risks where there is a technology component. They will be a key member of teams and committees.

Information technology specialists will also be called upon to set up systems for managing risk. These include modelling software, systems to monitor risk and systems to monitor performance in managing risks.

Human resources specialists will be called upon to design appropriate mechanisms for evaluating the performance of managers in managing risk. Also, they will be called upon to design learning strategies and training programs. They may also be involved in change management and initiatives aimed at changing the culture of organizations.

Communications specialists will play a role in establishing the appropriate communication channels. They will likely also be involved in reporting on risks and risk management performance.

Financial specialists will have a role in identifying and assessing the financial implications of various scenarios when managers model uncertainty.

5. Risk management must be adequately resourced

Implementing risk management requires resources. Investments will be required in: training, developing processes and techniques, management systems, specialist groups. Senior management must be committed to supporting the initiative with the required resources.

B. Conclusions

This section discusses our conclusions about the applicability of the best practices to the Canadian federal government. Exhibit IV-1 maps the best practices to the assessment criteria.

The exhibit shows that:

• All practices have broad applicability beyond the protection of assets and people. They are suitable for all business risk management. Hence, the practices are consistent with the current direction for risk management in the government.

• Most of these practices will contribute to improving service delivery. By managing risks, managers are more likely to achieve their objectives. Hence, they would be more likely to meet service delivery objectives and targets.

• Many of the practices contribute to a supportive work environment. These are: the organizational philosophy; open communication channels; teams and committees; guidance; and training.

• Innovation is supported. However, it is primarily the "soft" practices (philosophy, communication, teams, internet) that contribute to this requirement since they create an environment of open discussion and exchange of ideas. Also, they tolerate mistakes.

• These practices do facilitate management decision-making and planning. However, the link to sound resource allocation is less strong. However, the tools for mapping, modelling, identifying and assessing risks do focus the resources on key risks. In this way, the resources are allocated where most critical.

• The practices easily build on existing knowledge and lessons learned in the organization. The experience of management and employees is a component of identifying and assessing risks. Similarly, many link horizontally in the organization and integrate well with the management framework.

• Only two of the practices have a clear and potentially applicable accountability or governance framework: senior management/Board leadership and communicating performance.

• Only four of the best practices demonstrate communication/involvement with stakeholders.

We conclude that the best practices are applicable to the federal government context, given the criteria against which they were assessed. However, there may be significant barriers to implementing those best practices that are very different from the status quo. Most federal departments and agencies operate with traditional organizational structures. There is a defined reporting and management hierarchy. Hence, implementing a philosophy and culture that everybody is a risk manager may be a stretch target. Similarly, the current environments do not welcome bad news or open communication channels.

Exhibit IV-1 Assessment of practices

---

Appendix A

Statement of Work

---

The following work applies to scope parts a) and b) and will take into account information available from TBS, such as the work already done by the Financial Management Standards Division in preparing papers on Financial Risk Management Strategy and Guide to Business Risk Management and the Assessment Framework for Modernizing Comptrollership prepared by the Comptrollership Modernization Office.

1. Literature Review-The contractor will identify and review literature on risk management practices, as appropriate to the project scope a) or b).
2. Identification of Best Practices-The contractor will identify companies and organizations that appear to be using innovative or best practice approaches to risk management.
3. Focused Research-Additional information will be collected on the strategies, approaches, methods, tools and techniques in use by the companies and organizations identified in Step 2 through interviews, telephone interviews, and/or requests for documentation.
4. Report Writing-The contractor will document the identified best practices in the form of a draft and final report and make recommendations on their usefulness and applicability in the Canadian federal government context.

---

Appendix B

Bibliography

---

A CFO'S View. Vol. 44, Risk Management, New York, September 1997, pp. 21-27.

A change at the helm. Vol. 44, Risk Management, New York, April 1997, pp. R26-R28.

A Texas-Size. Risk Management, December 1998, pp. 16-17.

A World of Risk. Risk Management, January 1998, pp. 11.

Abbott, Howard. Food for Thought. Vol. 5, No. 9, International Risk Management, October 1998, p. 31.

Abbott, Howard. Taking the Rap. Vol. 5, No. 4, International Risk Management, April 1998, p. 24.

Adopting an Enterprise-Wide Approach to Risk. Risk Management, January 1998, pp. 16-17.

Aftermath of Bank Crisis - Better Supervision is Needed. Financial Times, Reuter Textline, March 14, 1997.

Age-old problem improving. Vol. 44, Risk Management, New York, August 1997, p. 6.

Allen, Anne B. Ghostly tales of opportunities for change: A legislative carol. Vol. 44, Risk Management, New York, December 1997, p. 66.

Allen, Anne B. Toward a better standard. Vol. 44, Risk Management, New York, January 1997, p. 54.

Anonymous. Job and family in balance. Risk Management, New York, November 1996.

Australia: Corporate Treasurers Lack Adequate Systems. Australian Banking and Finance, December 1997.

Bagneschi, Linda. Pollution prevention: The best-kept secret in loss control. Vol. 45, Risk Management, New York, July 1998, pp. 31-38.

Balcer, Georges. A forum for quality. Vol. 44, Risk Management, New York, January 1997, p. 62.

Baldry, David. The evaluation of risk management in public sector capital projects. Vol. 16, No. 1, International Journal of Project Management, 1998, pp. 35-41.

Barbuti, Jim. A new philosophy: Risk financing for the middle market. Risk Management, New York, Apr. 1996.

Barlow, Douglas. The Essence of Risk Management. Risk Management, September 1998, p. 88.

Barrett, Pat. Better Practice Principles for Performance Information. Australian National Audit Office.

Barrett, Pat. Selecting Suppliers-Managing the Risk. Australian National Audit Office, October 1998.

Beer, Stan. Australia: News - Bug-battle Bill Blows Out By Billions. Australian Financial Review, December 2, 1998, p. 1.

Bernens, Robert. Establishing Expected Practices. Risk Management, January 1997, pp. 14-16.

Berry, Andrew and Phillips, Julian. Pulling it together. Vol. 45, Risk Management, New York, September 1998, pp. 53-58.

Bieber, Robert. Bridging the Gap: Using Effective Communications to Improve Corporate Risk Management. Risk Management, February 1997, pp. 39-41.

Borst, JJ. Value at Risk in the Dutch Steel Industry. Tijdschrift Voor Corporate Finance (The Netherlands), Fall 1997.

Bryson, Nancy S. and Donohue, Brian G. Improving risk management decisions: A new road map and some specific destinations of interest. Vol. 6, No. 4, Environmental Quality Management, Summer 1997, pp. 85-89.

CBRA Methodology Guide.

CFOs on financial hiring. Vol. 45, Risk Management, New York, September 1998, p. 8.

Chand, Sooran and James, Sbrolla. A Director's Nightmare. Ivey Business Quarterly, Winter 1998.

Chapman, C. and Ward, S. Project Risk Management: Processes, Techniques and Insights. John Wiley and Sons, Chichester, 1997.

City of Santa Clara Moving Ahead: Silicon Valley Power, Engage Energy From Alliance. BUSINESS WIRE PR Newswire Reuter Textline.

Clack, Peter. Australia: Business Declares War on Fraud. Reuters Business Briefing, Jan. 25, 1999.

Clayton, Michelle. RMA releases risk survey. Vol. 7, No. 12, UMI, Inc. America's Community Bankers, 1998, p.7.

Coastal Corporation Re: Joint Venture's Alliance. Regulatory News Service, BUSINESS WIRE PR Newswire Reuter Textline, Dec. 17, 1997.

Collier, Rick. A better approach: Wrap-ups deliver construction savings. Vol. 45, Risk Management, New York, March 1998, pp. 26-30.

Company Directors Want Risk Protection. Sydney Morning Herald, Reuter Textline, July 30, 1996.

Comptroller General of the United States. Major Management Challenges and Program Risks: A Government wide Perspective. January 1999.

Cornford, Andrew. Some recent innovations in international finance: Different faces of risk management and control. Vol. 30, No. 2, Journal of Economic Issues, June 1996, pp. 493-508.

Corporate culture a concern for job seekers. Vol. 43, Risk Management, New York, Aug. 1996, p. 9.

Country Briefing. BAe rethinks risk management. EIU Country Alerts Economist Intelligence Unit, Sept. 4, 1998.

Covello, Dr. Vince. Crims '98 New Frontiers: Explore, Chart and Conquer. Risk Communication (Plenary Session), October 4-7, 1998.

Crockett, James, Pare, Carolyn, Montanez, William, Anello, Angelo, and et al. The future of employee benefits. Vol. 44, Risk Management, New York, June 1997, pp. 28-34.

Curbing sexual harassment complaints. Vol. 44, Risk Management, New York, January 1997, p. 52.

Davenport, John A. Loss control technologies. Vol. 44, Risk Management, New York, March 1997, pp. 30-34.

Davies, Anthony. New Zealand: Compliance - Keeping up with the Regulators. Independent Business Weekly (NZ), September 30, 1998.

Deanna Bellandi. The Expanding Reach of Risk Management: Suburban Heights Medical Center: Judges. 1997 Crain Communications Inc.

DePinto, Gary. Managing factory risk to improve customer satisfaction. Semiconductor International, June 1997, pp. 179-186.

Dickson, Thomas R. The evolution of risk financing. Vol. 43, Risk Management, New York, August 1996, p. 15.

Dorn, Mark. Vendors sell peanuts partners sell solutions. Vol. 45, Risk Management, New York, October 1998, pp. 14-16.

Driving change. Vol. 45, Risk Management, New York, December 1998, pp. 56-57.

Duden, David P. From data to decisions: Selecting risk management software. Vol. 43, Risk Management, New York, December 1996, pp. 33-35.

Edlin, Bob. New Zealand: Luxton Lunges at Red Tape While Business Champs at Bit. Independent Business Weekly (NZ), October 10, 1997.

Environmental Risk Management becoming a concern to Hospital Executives. Vol. 13, No. 1, 1998 Information Access Company, a Thomson Corporation Company, IAC (SM) Newsletter Database Business Word, Inc.

Ernst & Young. The Hidden Risks of Risk Management. Ernst & Young 1998.

Ewing, Lance. How to make a difference. Risk Management, New York, November 1998, Vol. 45, p. 12.

Fatal distractions. Vol. 45, Risk Management, New York, October 1998, p. 9.

Fed's Meyer calls for better bank capital Standard. BUSINESS WIRE PR Newswire Reuter Textline, March 2, 1998.

Feldman, Paul. Risk Managers' Global Concerns. Risk Management, June 1998, p. 64.

Feldman, Paul. The case for peer review. Vol. 45, Risk Management, New York, April 1998, p. 104.

Fenelle, Cheryl. "Partnerships-mirage or reality?". Risk Management, New York, May 1996.

First aid for disaster-struck businesses. Vol. 44, Risk Management, New York, May 1997, p. 8.

Fixing broken bucks: Fidelity proposes new captive use. Vol. 44, Risk Management, New York, December 1997, p. 42.

From the ground up. Vol. 45, Risk Management, New York, December 1998, pp. 48-52.

Gal, T. and H.J. Greenberg (eds) Advances in Sensitivity Analysis and Parametric Programming. Kluwer Academic Press, London, 1997.

Gentile, Mary C. Setting the right course: Business ethics. Vol. 45, Risk Management, New York, September 1998, pp. 26-34.

Gerber, Joseph A. and Glazer, Richard C. Seeking responsibility: Recovery for risk managers. Vol. 45, Risk Management, New York, February 1998, pp. 40-44.

Getting people involved. Vol. 43, Risk Management, New York, September 1996, p. 56.

Gluyas, Richard. Australia: Governance Bombshell - Only 1 in 10 Up to Scratch. Australian, April 17, 1997, p. 17.

Grabowski, Martha and Roberts, Karlene. Risk mitigation in large-scale systems: lessons from high reliability organizations. Vol. 39, No. 4, 1997 Information Access Company, a Thomson Corporation Company, 1997 Regents of the University of California, California Management Review, p.152.

Grapperhaus, Roberta. Management's Perspectives on Risk. Risk Management, September 1997, pp. 11-16.

Grapperhaus, Roberta. Measuring up: How risk managers apply the cost of risk survey results. Vol. 45, Risk Management, New York, January 1998, pp. 27-29.

Group Success. Risk Management, December 1998, pp. 53-54.

Guidelines for Managing Risk in the Australian Public Service. Joint publication of the Management Advisory Board and its Management Improvement Advisory Committee, MAB/MIAC Report No. 22, October 1996.

Hackett, Lloyd. Mastering disasters in Canada. Vol. 45, Risk Management, New York, April 1998, p. 98.

Haines, Joe. Not up to Scratch. Vol. 1, No. 2, Public Sector Risk Management, an Emap Business Publication, Autumn 1996, p. 23.

Hallam, Kristen. Healthcare International: Taking a Global Risk; MMI Cos Sees Gold in Foreign Malpractice Insurance. Modern Healthcare, November 2, 1998, p.40.

Hanley, Mike. Assured of a Greener Future. Vol. 5, No. 4, International Risk Management, An Emap Business Publication, April 1998, p. 27.

Hanley, Mike. Bespoke Solutions. Vol. 5, No. 8, International Risk Management, An Emap Business Publication, September 1998, p. 27.

Hanley, Mike. Chain Reactions. Vol. 6, No. 1, International Risk Management, An Emap Business Publication, December 1998/January 1999, p. 23.

Hanley, Mike. Containing the Colossus. Vol. 5, No. 4, International Risk Management, An Emap Business Publication, April 1998, p.18.

Hanley, Mike. Made to Measure. Vol. 5, No. 7, International Risk Management, July/August 1998, An Emap Business Publication, p. 22.

Hansen, Larry. Loss Control Strategies for. Risk Management, October 1998, pp. 38-41.

Hansen, Mark D. and Kysar, David S. Making the right moves: Implementing effective ergonomics management. Vol. 44, Risk Management, New York, February 1997, pp. 50-54.

Harper, Timothy F. Sharing our sandbox: Commonsense advice from an aviation risk manager. Vol. 44, Risk Management, New York, October 1997, pp. 35-40.

Harpole, Tom. Weathering the storm. Vol. 46, Risk Management, New York, January 1999, pp. 47-49.

Have Financial Institutions put the Development of Better Risk Management Systems on the Back Burner? American Banker, Reuter Textline, March 4, 1996.

Hawkins, Kyleen W. and Bill Huckaby. Using CSA to Implement COSO; Control Self-Assessment. Vol. 55, No.3, Institute of Internal Auditors, p.50.

Head, George L. Risk management education goes global. Risk Management, New York, June 1996.

Hedging profits weather or not. Vol. 45, Risk Management, New York, February 1998, p. 9.

Hein, Eric P. and O'Malley, Michael J. Two birds with one stone. Risk Management, New York, April 1996.

Hendriks, Martien. Project Risk-mapping. No. 19, Projectie (The Netherlands), September 1997.

HK Banks Remain Strong Despite Loan Losses - Study. Reuter News Service-Far East, Reuter Textline, May 8, 1997.

HM Treasury - Better Value for Money in Public Sector Construction Contracts. Hermes - UK Government Press Releases Reuter Textline, September 26, 1997.

Hodges, Alan. Towards a National Disaster-Mitigation Strategy. Australasian Fire Authorities Council 1997 Annual Conference, October 12, 1997.

Hohmann, Samuel F. Healthcare Cost of Risk Initiative: Preliminary findings. Vol. 50, No. 6, 1999 UMI., Healthcare Financial Management, June 1996, pp. 60-67.

Hopkins, Deborah C. Case Study-Introducing Business Risk Management, Global Council on Risk Management. General Motors Corporation, June 5, 1997.

How the damage is done. Vol. 45, Risk Management, New York, May 1998, p. 32.

Hunt, Ben, and Peto, Hugh. Forward Thinking. Vol. 5, No. 7, International Risk Management, An Emap Business Publication, July/August 1998, p. 32.

Hunt, Ben. Balancing Risk and Reward. Vol. 5, No. 9, International Risk Management, October 1998, An Emap Business Publication, p. 22.

Hunt, Ben. Colin Witheat. Vol. 6, No. 2, International Risk Management, An Emap Business Publication, February 1999, p. 30.

Hunt, Ben. On the Crest of a Global Wave. Vol. 4, No. 13, International Risk Management, March 1998, An Emap Business Publication, p. 21.

Hunt, Ben. Profile: Ray Matholie. Vol. 5, No. 9, International Risk Management, October 1998, An Emap Business Publication, p. 28.

Hunt, Ben. Staying out of Court. Vol. 6, No. 2, International Risk Management, An Emap Business Publication, February 1999, p. 20.

Improving ethical standards. Vol. 45, Risk Management, New York, June 1998, p. 9.

Increasing the odds. Vol. 45, Risk Management, New York, December 1998, pp. 32-34.

Institute of Interal Auditors-Australia, Australian Control Criteria: Effective Internal Control to Achieve Business Objectives within an Acceptable Degree of Risk. Exposure draft, March 1998.

Integrating. Risk Management, December 1997, pp. 48-49.

Investing in employee's futures. Vol. 44, Risk Management, New York, April 1997, p. 14.

Irvine, Julia. Taking a calculated risk. Vol. 122, No. 1263, 1998 UMI, Inc., Institute of Chartered Accountants in England & Wales 1998, Accountancy, pp.42-43.

Jegher, Simon. Flexible Structure: Managing Financial Risk. Risk Management, January 1999, pp. 29-33

Jorgensen, Lori. Connection to risk? Managing the exposures of cyberspace. Vol. 45, Risk Management, New York, February 1998, pp. 14-19.

Kelly, William J. The role of management consultant. Vol. 45, Risk Management, New York, January 1998, p. 50.

Kelly, William. Policies for the Real World. Vol. 4, No. 13, International Risk Management, March 1998, An Emap Business Publication, p. 25.

Kirby, Anne. Controlling Comp Costs? Risk Management, March 1997, pp. 37-44.

Kirkwood, Don. Australia: Smaller Companies Risk Financial Loss. Business Queensland, 1998 Business Newspapers Australia Pty Ltd., April 20, 1998.

Knight, Curtis. Statement on best practices. Vol. 80, No.6, Journal of Lending & Credit Risk Management, Feb. 1998, p. 79.

Knight, Rory F. and Pretty, Deborah J. Value at risk: The effects of catastrophes on share price. Vol. 45, Risk Management, New York, May 1998, p. 39-41.

Knowledge Management: Leveraging Information. GartnerGroup, Conference Presentation, 1998.

Kroll, Karen M. Integrated Risk - Corporate Insurance. Vol. 247, No.2, Industry Week, p.77.

Lam, James C. and Kawamoto, Brian M. Emergence of the Chief Risk Officer. Risk Management, September 1997, pp. 30-35.

Lange, Scott. Disaster planning: The challenge within. Vol. 45, Risk Management, New York, May 1998, pp. 34-37.

Larner, Digby. Benchmark or Impediment? Vol. 5, No. 7, International Risk Management, An Emap Business Publication, July/August 1998, p. 35.

Levin, Michael R. and Rubenstein, Michael L. A Unique Balance: The Essence of Risk Management. Risk Management, September 1997, pp. 37-40.

Liethhead, Barry S. Managing "people" risks. Vol. 55, No. 6, 1998 UMI, Inc., Institute of Internal Auditors Inc. 1998, Internal Auditor, pp.66-67.

Limperis, John. EDI Bringing workers' comp up to speed. Vol. 45, Risk Management, New York, October 1998, pp. 29-30.

Logue, Dennis. Australia: Supplement - Managing Currency Risk in a Volatile World. Australian Financial review, November 25, 1998, p. 6.

Mair, David L. Quality through diversity. Vol. 44, Risk Management, New York, November 1997, p. 68.

Managing risk, FNB, p. 67.

Managing Risks - Top-down Coordination is Crucial. Business Times (Singapore) Reuter Textline, October 22, 1997.

Matheson, David and Matheson, Jim. Get Smart About Big Risks. Risk Management, September 1998, pp. 73-76.

McGahern, Rachael. Super Highway Bandits. Vol. 5, No. 9, International Risk Management, An Emap Business Publication, October 1998, p. 25.

McGuaig, Bruce. Auditing, Assurance, & CSA; Control Self-Assessment. Includes Related Articles on CSA Approaches, Assurance Strategies and Definition of Controls, Vol. 55, No. 3, Institute of Internal Auditors, p. 43.

McNamee, David. Risk Management Today and Tomorrow, Management Control Concepts.

McNamee, David. Risk-based auditing. Includes related article on risk-based audits at Royal Bank of Canada, 1997 Information Access Company, a Thomson Corporation Company, 1997 Institute of Internal Auditors.

Meet the risk manager. Vol. 43, Risk Management, New York, August 1996, p. 41.

Meltzer, Susan. Limits on a company's ability to manage risk.Vol. 44, Risk Management, New York, January 1997, pp. 18-20.

Mendzela, Elisa. Managing Customer Risk. Chartered Accountants Journal, April 1998, p. 27-29.

Miccolis, Jerry A. and Quinn, Timothy P. What's your appetite for risk? Determining the optimal retention. Risk Management, New York, April 1996.

Millonzi, Kay and Passannante, William G. Beware of the pirates: How to protect intellectual property. Vol. 43, Risk Management, New York, August 1996, p. 39.

Mills, Evan, Deering, Ann and Vine, Edward. Energy Efficiency: Proactive Strategies for Risk Managers. Risk Management, March 1998, pp. 12-16.

Nichols, David. A changing landscape: Construction risk management. Vol. 43, Risk Management, New York, November 1996, pp. 17-20.

Norton, Phillip N. D&O: Past, present and future. Vol. 45, Risk Management, New York, February 1998, pp. 21-27.

Parry, John. Profile: Endesa's Vincente Martin. Vol. 5, No. 6, International Risk Management, An Emap Business Publication, June 1998, p. 23.

Paul-Choudury, Sumit and Alison. Firm-wide risk management: summing it all up - EIU/SPECIAL REPORT, Corporate Research. Report, September 1998

Pearson, Judith. Preventing sexual harassment: Risk management tools.Vol. 44, Risk Management, New York, January 1997, pp. 25-28.

Pelland, Dave. Emerging markets, emerging risks. Vol. 44, Risk Management, New York, February 1997, p. 60.

Pelland, Dave. Extortion risk awareness increasing: Exporting products, importing risk. Risk Management, New York, October 1997, Vol. 44, p. 10.

Pelland, Dave. Globalization Changing Roles, Shrinking Industries. Risk Management, April 1998, p. 96.

Pelland, Dave. Greater emphasis on financial skills: Changing face of risk management. Vol. 44, Risk Management, New York, April 1997, p. 108.

Pelland, Dave. Planning to survive. Vol. 43, Risk Management, New York, September 1996, p. 10.

Pelland, Dave. Resources for international risk managers: Global guidance. Vol. 44, Risk Management, New York, August 1997, p. 12.

Pelland, Dave. Risk manager applies quality: Litigation management. Vol. 44, Risk Management, New York, December 1997, p. 68.

Pelland, Dave. Several Trends Influencing Risk Management: Future Success Stories? Risk Management, December 1997, p. 72.

Pelland, Dave. Standing guard against fraud. Vol. 45, Risk Management, New York, February 1998, p. 6.

Perkins, Pia. An Integrated Solution. Vol. 4, No. 13, International Risk Management, An Emap Business Publication, March 1998, p. 28

Perkins, Pia. Break for the Border. Vol. 6, No. 1, International Risk Management, An Emap Business Publication, December 1998/January 1999, p. 26.

Perkins, Pia. Leading Lights. Vol. 5, No. 5, International Risk Management, An Emap Business Publication, May 1998, p. 18.

Perkins, Pia. What Do You Think Chief? Vol. 5, No. 7, International Risk Management, An Emap Business Publication, July/August 1998, p. 22.

Perkins, Pia. You keep me hanging on. Vol. 5, No. 4, International Risk Management, An Emap Business Publication, April 1998, p. 30.

Perkins, Pia. Profile: Judith Hanratty. International Risk Management, July/August 1998.

Peto, Hugh. Customised Solutions. Vol. 6, No. 2, International Risk Management, An Emap Business Publication,February 1999, p. 25

Pittsburgh gives it their best. Vol. 44, Risk Management, New York, December 1997, p. 50.

Promoting healthy living. Vol. 44, Risk Management, New York, October 1997, p. 8.

Pryor, Shepard. Balancing the Extremes of the Credit Process with a 'Best Practices' Orientation. Vol. 85, No. 4, Credit World, pp.24-28.

Public Cost of Risk Rising. Risk Management, November 1998.

Putting words to work. Vol. 45, Risk Management, New York, November 1998, p. 18.

Rahardjo, Kay and Dowling, Mary Ann. A Broader Vision: Strategic Risk Management. Risk Management, September 1998, pp. 44-50.

Recognizing excellence. Vol. 44, Risk Management, New York, June 1997, pp. 24-25.

Risk management activities found lacking. Vol. 55, No. 3, 1998 UMI, Inc., Copyright Institute of Internal Auditors Inc. 1998 Internal Auditor, p.14.

Risk Management Communications. Risk Management, February 1997, p. 40.

Risk Management in the Australian Customs Service, Australian Customs Service.

Risk Management, Australian/New Zealand Standard, AS/NZS 4360:1995.

Risk Management: The role of the internal audit. Vol. 75, No. 8, 1997 UMI, Inc. and Chartered Institute of Management Accountants 1997, pp.42-43.

Risk Monitoring: Is the Process of Ensuring That Risks are Competently Managed within Approved Structures, Policies, Parameters and Authorities. NedBank - Annual Report, 1997.

Risk Report. Risk Management, December 1998, p. 8.

Rolin, Gary. Nuclear Fusion. Vol. 1, No. 2, Public Sector Risk Management, an Emap Business Publication, Autumn 1996, p. 12.

Rosser, Bill. Knowledge Management: Applying and Leveraging Information. Gartner Group, October 1998.

Sanderson, Scott. Taking stock of your risks, includes related article. Vol. 13; No. 4, 1997 Information Access Company, a Thomson Corporation Company, 1997 Financial Executives Institute Financial Executive, p.42.

Sanderson, Scott. Taking stock of your risks; includes related article. Vol. 13; No. 4, 1997 Information Access Company, a Thomson Corporation Company; 1997 Financial Executives Institute Financial Executive, p. 42.

Sandri, Praveen, Guin, Jayanta and Richardson, Beth. Catastrophe Modeling: A New Tool for Risk Managers. Risk Management, May 1998, pp. 29-31.

Sandwell risk manager makes full use of internet; Government information services. Vol. 1, No. 2, Public Sector Risk Management an Emap Business Publication, Autumn 1996, p. 6.

Saul, Jonathan. Tools or Toys. Vol. 5, No. 6, International Risk Management, June 1998, An Emap Business Publication, p. 29.

Saul, Jonathan. Trade Doubt for Certainty. Vol. 5, No. 8, International Risk Management, An Emap Business Publication, September 1998, p. 33.

Sawyer, Lawrence B. When the problem is management. Vol. 55, No. 4, 1998 UMI, Inc., Institute of Internal Auditors Inc. 1998, Internal Auditor, pp.33-38.

Saylor, Richard. Meet the risk manager. Risk Management, New York, October 1996.

Scherzer, Martin H. and Mackay, Robert. Risky business. Vol. 14, No. 5, 1998 UMI, Inc., Financial Executives Institute 1998, Financial Executive, pp.30-32.

Schneier, Robert and Jerry Miccolis. Enterprise Risk Management. Vol. 26, No. 2, Strategy & Leadership, p.10.

Schroeder, Stephanie. Alternative dispute resolution resources. Vol. 45, Risk Management, New York, June 1998, p. 10.

Schroeder, Stephanie. Risk management key notes. Vol. 46, Risk Management, New York, January 1999, p. 56.

Schroeder, Stephanie. The human factor. Vol. 46, Risk Management, New York, January 1999, p. 1.

Scott Lange. Going Full Bandwidth at Microsoft, Microsoft Corporation, Presented to the Global Council on Risk Management, The Conference Board, November 21, 1996.

Serb, Chris. Uncalculated risks. Vol. 71, No. 13, 1997 UMI, Inc. American Hospital Publishing Inc. 1997 Hospitals & Health Networks, pp.28-30.

Sharman, Richard. Revealing Risk Patterns. Vol. 5, No. 10, International Risk Management, An Emap Business Publication, November 1998, p. 29.

Shelley, Suzanne, David L. Russell and P.E., Global Environmental Operations. Getting a Handle On Risk Management. Vol. 105, No. 13; Engineering Practice; p. 114.

Sime Bank CEO Leaves, Sparking Talk of Friction. Business Times (Singapore), Reuter Textline, January 20, 1998.

Skilled, trained workers in short supply. Vol. 43, Risk Management, New York, October 1996, p. 9.

Small, Sheila L. What you can expect. Vol. 43, Risk Management, New York, October 1996, pp. R11-R13.

Smit, Barbara. Ahead of the Game. Vol. 6, No. 1, International Risk Management, An Emap Business Publication, December 1998/January 1999, p. 30.

Smit, Barbara. Profile: Alain Lemaire. Vol. 5, No. 8, International Risk Management, September 1998, An Emap Business Publication, p. 39.

Smit, Barbara. Profile: Pierre Sonigo. Vol. 5, No. 5, International Risk Management, An Emap Business Publication, May 1998, p. 35.

Sparrow, Adrian. Business Risk Management. Chartered Accountants Journal, April 1998, pp. 11-13.

Spies, John A. Advice from a risk manager. Vol. 44, Risk Management, New York, March 1997, pp. C3-C4.

Spinner, Karen. Institutions put value on risk practices; software for risk management and valuation methods; Industry Trend or Event. Vol. 15, No. 6, 1997 Information Access Company, Thomson Corporation Company, 1997 Miller Freeman Inc. Wall Street & Technology, p. 56.

Strickland, Katrina. Australia: CBA Criticism of Wallis Report "Almost Absurd", Australian, April 28, 1997, p. 19.

Study backs supports. Vol. 44, Risk Management, New York, April 1997, p. 14.

Study: Work pressures prompt unethical acts. Vol. 44, Risk Management, New York, September 1997, p. 6.

Terry Paradine. All Systems Go. Vol. 5, No. 10, International Risk Management, An Emap Business Publication, November 1998, p. 32.

The Auditor General. Comment by the Auditor General. Australian National Audit Office.

The Boston Consulting Group. Scenario Planning, Noranda Inc.

The business meeting is alive and well for now. Vol. 44, Risk Management, New York, September 1997, p. 6.

The Changing Face of Risk Management. Vol. 55, No.5, Internal Audit, pp.11-12.

Thomas, Tony. Australia: A Treasury of Cost-Efficiency. Business Review Weekly, December 7, 1998, p. 46.

Toxopolis, S. Risk Management in New Product Development: The Case of DAF Trucks. Vol. 6, Sigma (The Netherlands), December 1998, pp. 20-24.

Vaughan, Patricia C. Risk managers: Creating public policy and influencing legislation. Risk Management, New York, June 1996.

Vitale, Lou. The invisible threat. Vol. 45, Risk Management, New York, July 1998, pp. 42-45.

Wansink, Drs DE and Thijssen, VJ Integral Risk Management: Beyond V.A.R.No. 3, Controllers Magazine (The Netherlands), June/July 1997.

Waring, Dr. Alan. Iran: Facts and Fables. Vol. 4, No. 13, International Risk Management, An Emap Business Publication, March 1998, p. 35.

Warning Signs Diagnostic Exercise, 1996 Arthur Andersen LLP

Weinstein, Edward A. and Dennis C. Carey. 10 Best Practices. Vol. 22, No. 4, 1999 UMI., Directors & Boards, Summer 1998, p. 40.

West, Kathryn Z. Can they afford not to? Risk Management, New York, April 1996.

West, Kathryn Z. Part-time risk managers full-time risks. Risk Management, New York, June 1996.

West, Kathryn Z. Unlock the Power of Global Risk Management. Risk Management, October 1996, p. 4.

When in doubt, simulate. Vol. 45, Risk Management, New York, November 1998, pp. 44-49.

When Things Go Bad, Fast. Risk Management, December 1998, pp. 22-24.

White, Earl. New Zealand: Letter - Diary Board Defends its Forex Management. Independent business Weekly (NZ), September 9, 1998.

Williams, Todd L. An integrated approach to risk management. Vol. 43, Risk Management, New York, July 1997, p. 22.

World's Seventh Largest Electric Utility Selects Infinity's Panorama for Trading and Risk Management. BUSINESS WIRE PR Newswire Reuter Textline, July 2, 1998.

Zomer, Heather. The education of a rookie risk manager. Risk Management, New York, June 1996.

---

Appendix C

Interview Guide

---

Thank you very much for agreeing to participate in this important study. This document describes the study and the areas that we would like to discuss with you.

A. Study background

The federal government of Canada has recently initiated a project to provide guidance on risk management tools, techniques and practices to federal departments. Ultimately, this will help government employees to better understand, manage and communicate the risks (and related choices) encountered in providing service to Canadians.

The Treasury Board Secretariat has engaged KPMG Canada to identify best practices in risk management in private and public sector organizations in other countries. The focus of the study is on risk management practices that have been integrated into an organization's management, planning and decision-making processes. It is also interested in the strategies for planning, developing, implementing and monitoring risk management.

Not all risk management practices are "best practices". A "best practice" for risk management is a strategy, approach, method, tool or technique that was particularly effective in helping an organization achieve its objectives for managing risk. A best practice is also one which is expected to be of value to other organizations. For example, a practice that was particularly helpful in establishing guidance would be of value to any other organization that has a responsibility to provide guidance.

We are collecting best practice information in three areas:

• Integrating risk management into other management practices.
• Tools for integrating risk management.
• Key disciplines and functions which use risk management.

We do not expect that your organization will have best practices in all the areas described above and further elaborated in Section B. There may be many "good practices". However, we would like to concentrate on the "best practices" in your organization. Also, we are looking for "lessons learned" from practices that proved to be more difficult than initially anticipated. We will ask you a few questions about your organization's overall approach to managing risk so we can understand the context for the best practices.

The information you provide about your operations will remain confidential. The focus of our report will be on the practices, not on the organizations. We would like your permission to identify the name of your organization as a participant in this study. Even if we cannot use your name, we appreciate your input in this study.

B. Potential best practices

We have listed below some practices under each area that would be of common interest. There may be other practices that we have not identified that may help your organization manage risk or achieve objectives. Even if the practice does not seem to fit into the structure we define below, please share it with us. Ultimately, a best practice is one which may have some value for another organization in managing risk.

1. Integrating risk management into management practices

These are practices for integrating risk management into your organization's management practices. For example, these would include practices for ensuring that:

• The objectives and benefits of managing risk are defined and communicated throughout the organization.
• There is shared responsibility for managing risks and for fostering commitment at each administrative level of the organization and at the level of its governing body.
• The organization-wide risks are identified and evaluated to support management processes (planning, resource allocation and decision-making).
• Managing risks may be achieved through a series of strategies ranging from:
• For those risks that can be directly controlled, reducing the risk using an internal system of control (and the continuous improvement of this control system).
• For those risks that can only be indirectly addressed, indirectly influencing the risks, sharing or partnering.
• For those risks that cannot be controlled or influenced, accepting and monitoring them.
• Managing risks is monitored and there is communication and reporting to senior management, governing bodies and key stakeholders.

Appendix A provides more detail on these practices.

2. Tools for integrating risk management in the organization

Tools are generally used for integrating risk management in an organization.

Examples of tools which could be of common interest are:

• Conceptualizing and defining the sources of key business risks to the organization. It serves as a communication and reporting tool for the organization. This leads to a common understanding of its risk context which, in turn, promotes consistent and coherent analysis and communication of risks.
• Establishing a Management of Risk Policy (or similar authoritative communication tool) to define the organization's overall approach to managing risks, responsibilities, reporting structures and periodic reviews.
• Identifying a "Risk Champion" to provide leadership to risk management initiatives.
• Using task forces, pilot projects and consultant advisors.
• Issuing guidelines, providing training and developing coaches to help employees and local work teams to manage their risks.
• Creating your own or using an existing standard such as the Canadian Standards Council Q850/97 Risk Management: Guideline for Decision-Makers.
• Using automated (software) tools to aid in risk analysis.
• Defining corporate parameters on risk concepts such as likelihood and severity.

3. Disciplines and functions that manage risks

There are many specialized disciplines and functions that manage risks at an operational level. The practices used to integrate risk management into these specialized disciplines and functions (and, in turn, into the overall organization) are of common interest.

Examples of these disciplines and functions are:

• Planning
• Auditing
• Project management
• Finance
• Security
• Insurance and asset management
• Environmental protection
• Hazardous waste management
• Materiel management
• Real property management
• Information technology
• Legal
• Human resources
• Intangibles (e.g., Goodwill)
• Compliance and enforcement
• Service delivery.

The study is interested in the management process used to initiate and implement specialized risk management within a given function, not the details of the actual specialized practice.

C. Interview guide

Here are the questions that we would like to discuss with you regarding your organization's risk management best practices.

1. Overview and context for risk management

1. How does your organization define risk in the context of its business or environment?
2. Does your organization have a general risk management objective which guides risk management activities?
3. Do the objectives and values of managing risk represent a new way of doing business in your organization?
4. What are the benefits of managing risk for your organization or area? (Consider: communication for commitment; enhancement of stakeholder value or achievement of objectives; measurement for improved management; support for accountability and governance; strengthening of the planning and decision-making process (such as communication or synergy); increased confidence of stakeholders; measurable returns on investments).

2. Integrating risk management into the management practices of your organization

Are there some best practices or lessons learned (obstacles overcome) that you would like to tell us about, keeping in mind the items we defined in Section B1 above, and in our Appendix, or any other practice for integration.

1. Can you describe in general terms how your organization defines the objectives and values for managing risk and communicates them in the organization?
2. Does your organization have a formal risk management policy?
3. What are the key features/messages conveyed? (Consider:
   • Objectives/principles
   • Opportunity and risk taking
   • Risk coverage
   • Risk tolerances and risk limits
   • A supportive work environment (i.e. Tolerance for mistakes)
   • Integrating risk management with other management processes)
4. How are risk tolerances established and managed (i.e. at the corporate or local level)?
5. Can you describe in general terms how your organization reflects shared responsibility for managing risks and fostering commitment in your organization's governance and administrative bodies?
6. What responsibilities do governing bodies of your organization (e.g., Board of Directors, Senior Management Committees, Ministers, etc.) and senior management have for managing risks? Are they held accountable? If so, how?
7. How does the responsibility/accountability for managing risks flow through the organization (e.g., through management/administration levels, to all employees)? How are people held accountable?
8. Are significant risks communicated to stakeholders? If so, how often, and in what context? Who communicates these to the stakeholders?
9. a) Can you describe in general terms how your organization identifies and evaluates organization-wide risks?
   b) Once the risks are identified, how does this information support the management process (planning, resource allocation and decision-making)?
10. What techniques and methods are used for identifying and evaluating risks? (Consider:
    • The types of risks
    • How risks are identified
    • How risks are quantified
    • How risks are prioritized)
11. Are the techniques and methods easily understood and used by managers? (Consider: use of plain language and user-friendliness).
12. Are the results of the evaluation integrated into existing management processes (e.g., planning, resource allocation and decision-making)? How?
13. Does the evaluation consider stakeholders' view of risk and the opportunity costs of a risk that is not taken?
14. To what extent has risk management supported change and cultural shifts in your organization?
15. Can you describe in general terms how your organization manages or reduces risk through an internal system of control and other strategies?
16. Have your strategies or processes for managing risks been changing? In what way?
17. Are stakeholders, customers, suppliers or other external bodies involved in your risk management process? In what way?
18. Can you describe in general terms how your organization monitors the process of managing risks and communicates and reports on this to senior management, the governing body and key stakeholders?
19. Is the success in achieving risk management objectives monitored and measured?
20. Does your organization use a specific structure/medium to report on risk management?
21. What is the role of internal audit in your risk management program? (Consider: monitoring compliance; compliance and providing best practices improvement or advice, best practices, methods, etc.)

3. Implementing risk management in your organization

Are there some best practices or lessons learned (obstacles overcome) that you would like to relate to us, reflecting on the practices listed in Section B2 above and in our Appendix, or any other practice for implementation? Do you have examples of tools that should not be used?

1. Can you describe in general terms how your organization implements risk management? (Refer to the tools described in Section B pages 3 and 4).
2. Have any tools been particularly effective? Why?

4. Disciplines and functions that manage risks

1. Are there disciplines and functions within your organization which manage risks at an operational level? Which ones?
2. Are there best practices/lessons learned (obstacles overcome) associated with the management process used to initiate and implement risk management in this/these disciplines and functions?

Are there any documents that you can provide to us to help us understand your risk management practices?

Can we call you again if we need to clarify or elaborate on your responses?

Are there any articles or publications that you found particularly useful in your risk management activities? (List)

---

Components of Risk Management

This elaborates on the practices for integrating risk management into the management practices of an organizaton.

The practices should ensure that:

• The objectives and benefits of managing risk are defined and communicated throughout the organization:
  • Risk tolerance and limits
  • Opportunity and risk taking
  • Risk Coverage
  • Integration in management processes.

• There is shared responsibility for managing risks and for fostering commitment at each administrative level of the organization and at the level of its governing body:
  • Role and responsibilities
  • Governance
  • Commitment.

• The organization-wide risks are identified and evaluated to support the management processes (planning, resource allocation and decision-making):
  • Scope: types of risks
  • Identification of risks
  • Evaluation of probability of frequency and of impact
  • Quantification and prioritization.

• The internal system of control and its continuous improvement is used to lessen or manage risks:
  • Control Framework (e.g. CoCo, COSO, etc.)
  • Strategies to directly mitigate risks while following-up/pursuing opportunities
  • Strategies to indirectly influence or to share risks by partnering, insuring, etc.
  • Decisions to accept risks beyond control or influence, and simply enhance monitoring and reporting frequency, while putting contingency plans in place
  • Continuous reassessment of residual risks, plus ongoing updating of strategies.

• Risk management is monitored and there is communication and reporting to senior management, to the governing body and to the key stakeholders:
  • Quality of information
  • Communication
  • Internal and external audit
  • Reporting: to senior management, to governing body, to external stakeholders.

---

Appendix D

Criteria For Assessing Applicability Of Best Practices To The Canadian Federal Government

---

• Has broad applicability, beyond the protection of assets and people
• Fosters a supportive work environment
• Supports innovation
• Improves service delivery, e.g., efficiency, effectiveness
• Improves access to government/government services
• Facilitates management decision-making
• Promotes sound resource allocation
• Is easily understood and used (plain language, user-friendliness)
• Helps managers understand the context and implications of risk
• Demonstrates communication/involvement with stakeholders
• Facilitates cultural shifts and change management
• Builds on existing knowledge, lessons learned in the organization
• Considers opportunity costs
• Has a clear and potentially applicable accountability or governance framework
• Makes effective use of audit and evaluation resources
• Links horizontally in the organization
• Integrates well with the existing management framework, processes and practices