Library and Archives Canada
Symbol of the Government of Canada

Institutional links


Archived Content

This archived Web page remains online for reference, research or recordkeeping purposes. This page will not be altered or updated. Web pages that are archived on the Internet are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats of this page on the Contact Us page.

Risk Management

Audit Report
November 2009

Audits and Evaluations

2.2 Operational and Support Practices

  • Risk Management
  • Citizen-Focused Service
  • Stewardship
  • People
  • Learning, Innovation & Change Management


LAC has been active in strengthening its operational and support practices for risk management. All operational and departmental groups had some examples of developing formal approaches and procedures for risk management of exposure areas. In addition, there has been some training and progress toward drafting guidance documents. However, these initiatives are not part of a coordinated overall strategy to identify priority exposure areas, develop and maintain appropriate capabilities including attention to stakeholder risk communication needs, and to provide appropriate tools and guidance. Timely and effective communications about risk based on a developed common understanding, and intelligent (information-based) risk taking are two key future benefits of advanced risk management maturity that can accrue from further strengthening operational and support practices.

In Section 2.1 the observation was made that LAC has reached the risk aware level of maturity in part because of a greater use of formal risk management practices. Figure 4 below illustrates examples of formal risk management practices from across the department.

A review of these practices revealed a range in the level of detailed risk analysis performed. While some incorporated a fairly general analysis (e.g., items 4 and 7 in Figure 4) and others a more detailed analysis (e.g., items 1 and 8), all were considered to reflect an appropriate level of analysis for the decision needs.

Figure 4: Formal Risk Management Practices

Formal Risk Management Practices
Organization Formal Risk Management Practice
Strategic Level 1. Initial Corporate Risk Profile

2. Innovation Fund Selection Analysis
Documentary Heritage 3. Risk Management Framework to support LAC Loans/Exhibitions Policy and Procedures

4. Audiovisual Mitigation Strategy
Government Records 5. Risk-based Approach for the Disposition of Legacy Records
Corporate Operations 6. LAC Project Charter & Business Case Templates

7. The Governance Network™ (TGN) Preliminary Assessment of Risks

8. Amican Project Risk Management Plan

9. Risk Management Framework for Assessing ATIP Records

Most of the formal practices examined, incorporated a technique known as expert estimation based on criteria established for levels of Impact and Likelihood. The expert estimation technique fits very well in public sector decision making where data for more quantitative analysis are generally not available. Also, in the public sector, new initiatives are a regular part of evolving stakeholder expectations. The risks of these initiatives must be estimated given little prior data on which to conduct quantitative analysis.

Particular mention must be made that some of the formal tools incorporate fairly advanced techniques (in comparison to other departments and agencies) such as customized assessment criteria (item #3, Figure 4) and inclusion of stakeholder analysis (items # 1, 3, and 9, Figure 4).

There was also one example observed of the technique known as risk factoring. The risk factoring technique was used to assess the level of risk associated with projects proposed for the Innovation Fund using three (3) weighted risk factors as shown below in Figure 5.

Figure 5: Example of Risk Factoring Technique



This is an excellent method whenever there exists a finite universe of units to which a quick risk assessment is needed for each unit. The risk factoring technique generally has a wide scope of use as most parts of an organization have some sort of universe on which they could apply risk factoring to quickly establish a risk level for each unit.

The above examples represent an excellent start but there was no approach being used to understand which examples are the most critical risk exposure areas of the department where an effective balance of formal and informal risk management practices would be very important. These areas can be referred to as Priority Risk Areas (PRAs). The PRA approach would ensure that further investments in strengthening operational risk management is better calculated and addressed systematically.

A key criterion for attaining the risk aware level of maturity is the integration of risk into annual business planning. LAC started this integration last year and augmented it this year. The template used by all parts of the organization for planning 2009-2010 is set out in Figure 6 below.

Figure 6: Risk Integrated into the Planning Template

Image of the Risk Integrated into the Planning Template document


Integrating risk and planning is a very natural concept because both risks and planning are future orientated. Risks are events and circumstances that may occur in the future. Risks are also characterized by uncertainty-in other words, they may occur fully as expected or they may occur to a lesser or a greater degree. Risks are critical to consider when setting plans in order to be proactive on those considered "high" so that plans can succeed.

Plans must address problems as well as risks-the difference being that problems describe existing issues to which the impact is fully known (if counter measures are not taken). There is no uncertainty with problems as there is with risks. In completing planning templates, many people mistakenly describe problems instead of risks. They describe a current issue, whereas the risk information being requested relates to future events that may happen over the planning horizon so that strategies can be devised to mitigate the risks and thereby avoid disruption of plans.

A review of the 2009-2010 completed planning templates indicated the expected range of some templates were done well, and some were needing improvement. Inclusion of problems instead of risks was a typical deficiency and items were not described in terms of its future orientation and uncertainty ("will likely" happen instead of "will" happen).

The opportunity to practice identifying and describing risks through the planning process is excellent given that stewardship requirements of risk management are expanding. The TBS Policy on Transfer Payments (October 2008) has specific risk management requirements as does the Policy on Financial Management Governance (April 2009). Through MAF assessments and other sources such as the Prime Minister's Advisory Committee on the Public Service, LAC is aware that strengthening risk management is a priority and an area where more specific accountabilities should be expected in all future policies from TBS.

Many of the staff members interviewed during the audit expressed that they had little, if any, risk management training and they recognized this as an important gap relative to the new formal processes they have noticed coming into force. Some risk management training was provided to planning network staff in 2005 and in 2008 there was an orientation session on risk management for selected managers. In addition, a risk management presentation was planned for the Management Forum in May 2009. Overall, the extent of risk management training has been quite limited and reflects the confusion between problems and risks in completing annual business plans.

Another point related to the planning process is reporting. As reporting against plans is further refined at LAC, there should be consideration as to how information on the progress of risk management can be reported. Reporting of progress on performance and risk should be integrated.

As risk assessment continues to become increasingly important to good management and policy compliance, it will be critical to establish a solid common understanding of risks and risk management. This can be addressed in part by training and hands-on practice but also by guidance documents, tools and information systems. During the audit it was noted that a Risk Management Guide had been drafted but had not been fully reviewed, translated, published and disseminated across the department. This guide is an important initiative in establishing common understanding. The guide was initiated before ISO 31000 was available. Accordingly, the document can be strengthened by another update to align it with ISO 31000. In addition, making the guide available electronically, via a risk management portal, would be effective for quick reference.


LAC has been active in strengthening its operational and support practices for risk management across all criteria areas examined. Formal approaches and procedures are being developed to complement informal risk management, inclusion of stakeholder interests in formal methods is being recognized, there is awareness of risk stewardship requirements reflected in TBS policies, and there has been some training and progress toward drafting guidance documents. However, these initiatives are not part of a coordinated overall strategy to develop and maintain appropriate capabilities, methods, tools and guidance.

Without further efforts to continue strengthening operational and support practices, key benefits such as timely and effective communications about risk and intelligent (information-based) risk taking may not accrue to LAC.


  1. LAC should ensure that the strengthening of risk management operational and support practices are included in the overall strategy, including:
    1. Establishing a listing of Priority Risk Areas identifying high exposure areas of the department as a means of focusing attention on the most critical areas that need an effective balance of formal and informal practices for risk management;
    2. Establishing and implementing a knowledge transfer plan incorporating training courses customized for LAC covering orientation to more advance skills for those who will provide leadership and support roles;
    3. Ensuring the Risk Management Guide is updated in line with ISO 31000, translated and issued across the department (including electronic posting via a risk management portal);
    4. Establishing an approach for monitoring and reporting on progress in managing risk integrated with overall performance monitoring and reporting at LAC.

Previous | Table of Contents | Next