Implementation Plan

---

January 2005 to April 2006

Table of Contents

1  Introduction

2  IRM Implementation Plan Overview

3  IRM Organization and Governance

4  IRM Implementation Approach

5  IRM Implementation Workplan

6  Communications Strategy

7  Upon Completion of This Plan

---

1 Introduction

1.1Government-Wide Integrated Risk Management (IRM) Expectations

Over the last few years, government-wide expectations of good governance have emphasized that organizational risks should be considered in all planning and delivery activities, at the strategic and operational levels. In April 2001, the TBS developed the IRM Framework to guide federal government departments in incorporating IRM into management practices through a comprehensive organization-wide approach to managing risks. The Framework establishes the development of a Corporate Risk Profile as a first step in IRM. The main benefit of IRM is to enhance an organization’s ability to achieve objectives.

In June of 2003, the TBS introduced the Management Accountability Framework (MAF) which clearly states that corporate risks must be managed proactively. Integrated Risk Management is an explicit and systematic approach to managing strategic, operational and project risk to organizational objectives, from an organization-wide perspective.

The MAF represents a key step forward in linking risk and performance and embedding IRM into departmental planning and operational practices. A prime requisite within the Framework is the clear definition and incorporation of the organization’s Corporate Risk Profile into existing management and decision-making processes. The Corporate Risk Profile reflects the departmental view of high level risks to the achievement of organizational objectives.

[ Click on picture to enlarge ]

1.2 Departmental IRM Objectives

The goals for instituting IRM within the department are to:

• Recognize that risk management is integral to achieving business objectives and effective governance;
• Establish the discipline of risk management as an organizational strength that is integrated with other management practices and is comprehensive;
• Promote horizontal collaboration and pro-active systematic management of all key risks (strategic, operational and project) to facilitate a unified organization and the achievement of corporate priorities;
• Consistently and explicitly apply risk management in decision-making;
• Build upon existing approaches for managing risk while strengthening the capacity to include stakeholders; and
• Support and provide resources for IRM training and learning plans.

1.3 An Integrated Risk Management Model

In recognition of the importance of advancing organization-wide Integrated Risk Management (IRM) consistent with government-wide expectations, DFO is developing a comprehensive approach to implementation. The following diagram illustrates the key elements of our implementation approach and demonstrates how key components, directly support strategic decision-making. As illustrated, the key elements of DFO’s IRM Implementation Approach include:

• An IRM Policy. DFO’s IRM policy was published in September 2004
• An Initial Corporate Risk Profile (CRP). DFO’s Initial Corporate Risk Profile was approved in December of 2004
• Initial Integrated Risk Management Guidelines. DFO’s Initial Integrated Risk Management Guidelines were approved in December of 2004.
• Implementation Plan. This document is the final element in DFO’s IRM Implementation approach. It has as its objective the articulation of specific activities that must take place to help evolve the department to a state where its IRM regime is mature and effective.

[ Click on picture to enlarge ]

1.4 Transition to Full IRM

The achievement of a fully mature IRM model is a medium-term objective. The transition can be viewed as a continuum, comprised of interim phases that will need to be achieved. It has begun with the development of an initial Corporate Risk Profile, Initial Integrated Risk Management Guidelines and an IRM Policy. The next 18-24 months will include the conduct of a series of pilots, continuous communication and knowledge transfer, updating of the CRP, and the gradual integration of IRM into existing departmental processes and structures, including the departmental Integrated Planning Framework.

The purpose of this Implementation Plan is to provide a high-level overview of the implementation activities that will characterize the IRM Transition period. The detailed IRM implementation objectives are as follows:

• Test and refine the IRM tools through a series of pilots;
• Define the full operational state for IRM, e.g., organizational responsibilities and accountabilities, governance
• Enable knowledge transfer for risk management concepts, tools and practices to management and staff

2 IRM Implementation Plan Overview

2.1 Implementation Plan Objectives

The objective of this implementation plan is to have full implementation of Integrated Risk Management in all regions and sectors, at all levels, in the summer of 2006, so that the planning for 2007-2008 will be carried out in the light of robust, relevant and reliable Integrated Risk Management analyses.

In addition this plan calls for an update to the Initial Integrated Risk Management Guidelines and the Initial Corporate Risk Profile to be done in the spring of 2006, to underpin and support the full department wide implementation.

2.2 Assumptions

The above referenced objective is based on several key assumptions. These include:

Full support from DMC and Senior Management.

Continuing support and direction from the IRM Implementation Committee.

Support from RDG’s and Regional management for the Pilot Projects and the department wide test implementation project in the summer and fall of 2005.

Direction from DMC on risk tolerances for the department

The continuation, for the period of the Implementation Plan, of the Integrated Risk Management Team with a resource level sufficient to accomplish the work that is required.

2.3 Opportunities and Expected Outcomes

Opportunities

The Integrated Risk Management Team has demonstrated that these techniques can and do deliver helpful and simple information that support decision making by senior departmental managers.

The high level of support from DMC and the members of the IRM Committee has provided DFO with the senior level support for Integrated Risk Management that is essential to successful implementation.

The changes in Coast Guard, Science, Fisheries Management and HRCS are being made in the light of comprehensive analyses, like the DAAP, which will facilitate the identification of risks surrounding specific departmental outcomes.

The success of the Canadian Food Inspection Agency (CFIA) in fully implementing Integrated Risk Management represents a key opportunity. CFIA uses their Corporate Risk Profile for all planning and priority setting and has based their 2004 Report on Plans and Priorities entirely on this profile. The proof that Integrated Risk Management analyses can support decision making and planning provides an opportunity to do the same at DFO.

The development of a Corporate Risk Profile for the Coast Guard, and the creation of department wide IRM committees in Coast Guard and in HRCS has created the opportunity of early integration of all these IRM efforts. There have been IRM analyses done in Science, Fisheries Management and Coast Guard, and are planned for Policy and HRCS.

Expected outcomes include:

• The consideration of risk based information in decision making at all levels of the department.
• The ability to more easily compare risks to DFO in different Regions and Sectors so that priority setting is based on a consistent and department wide set of criteria.
• Broad acceptance of IRM across the department as it becomes clear that IRM implementation is cost effective and facilitates directing attention to areas where high risks exist and where risk mitigation steps may be available.
• The creation of a continuing information base on departmental risks and mitigation strategies as DFO proceeds through a period where as many as 50% of departmental managers retire and are replaced. The development of IRM information about all major activity areas will allow for new staff to more easily understand the nature and extent of the risks faced, and the mitigation strategies that have been effective.

2.4 Risks To Success

Risks	Mitigation
Cultural readiness Impact of organizational culture(s) Resistance to change and innovation	DMC support for the initiative. Development of a change management approach, including communication strategy, training and education.
Organizational attention Initiative not perceived as a priority Framework perceived as another administrative burden	Have a risk champion to ensure senior management commitment Ensure the lines of communication are clearly defined. Show dynamic and immediate results
Organization coverage Risk that the IRM becomes a compendium of risk reports from all corporate entities. IRM is about integrating, consolidating and using risk information to develop a holistic approach and a meaningful risk management process for the organization as a whole.	Development and adoption of common tools, processes, terminology, etc. Facilitation of initial processes by IRM Team to ensure consistency Training and education
Resources Limited business resources (people and time)	Development and approval of an implementation plan, with defined objectives and milestones Ensure that staff are provided with the necessary training to meet the needs of the project, including mentoring and cross training Develop internal risk competencies by training employees and involving them in the risk management process

This implementation plan will go a long way to helping to realize the aforementioned opportunities and manage the risks.

3 IRM Organization and Governance

3.1 Integrated Risk Management Team

A key success factor when implementing IRM is to have clear definitions of roles and responsibilities, clear ownership and good representation across all areas and levels of the organization.

For the implementation phase, an IRM Team has been formed that reports directly to the Chief Risk Officer who reports directly to the Associate Deputy Minister. The IRM Team has responsibility for full IRM implementation across the department by the summer of 2006. The organizational capacity and structure needed to address IRM after that time, including responsibilities and reporting relationships, will be developed and defined during IRM implementation.

3.2Committees

IRM Implementation Committee

The IRM Implementation Committee, which is chaired by the Chief Risk Officer, includes members from each Region and Sector of DFO, represented at the DM minus two level. The purpose of the committee is to provide strategic guidance to the work of the IRM Team. The Committee is expected to dissolve in the summer of 2006 coincident with full implementation of IRM in all regions and sectors.

Departmental Management Committee (DMC)

The DMC is responsible for:

• Providing oversight for the department’s fulfillment of management accountability and governance expectations in relation to management of risk, including adherence to the departmental IRM Policy and risk-related policies and regulatory requirements;
• Reviewing and discussing significant risk issues and ensuring horizontal collaboration in the development of mitigation strategies and the establishment of corporate priorities in resource allocation;
• Communication of an IRM vision and promoting an organizational philosophy and culture that embraces risk management as an integral part of all activities; and
• Providing clear direction on the corporate level criteria for assessing levels of risk and direction on tolerable or acceptable levels of risk and expected management actions associated with specific levels of risk.

4 IRM Implementation Approach

4.1 Common Risk Management Methods and Tools

The Initial Integrated Risk Management Guidelines have provided a suite of risk management tools and techniques for the conduct of risk assessment across the department.

4.2 Proof of Concept – Pilots

Pilot projects will be used to further develop and refine the risk tools and practices to better fit the department and its programs. This "proof of concept" approach will involve 5-7 pilots, across a cross-section of sectors and regions.

4.3 Integration with Existing Process and Structures

For IRM to be sustainable, it has to be cost effective and become an integral component of the management control framework of the department. This means that risk management activities must be aligned with the departmental planning and performance measurement, as well as the ongoing operational decision-making processes

The implementation phase will be used to develop and define how risk management will become integrated into existing structures and processes.

4.4 Risk Communication

One of the essential elements of Integrated Risk Management is the effective communication of risks associated with a program or decision, using a standardized framework that allows likelihood and impact to be compared among risks and between analyses.

Beyond the planning benefits of a standardized and integrated risk management, there is also a clear opportunity to more effectively communicate important risks to clients and stakeholders.

In order to achieve the full integration of risk management it will be important for risk communication to be routine within DFO, between and among: regions; sectors; programs; parts of programs, regions and the national capital region.

In addition a key challenge of risk communication will include and integrate risk information into the planning cycle in a way that is simple and that communicates effectively.

5 IRM Implementation Workplan

5.1 Summary of Activities

The activities that are completed include:

• The approval of
  • The Integrated Risk Management Policy.
  • The Initial Integrated Risk Management Guidelines.
  • The Initial Corporate Risk Profile.
• The establishment of
  • The IRM Implementation Committee.
  • Liaison among the IRM activities in Coast Guard, Science, HRCS, Policy and Fisheries Management.
  • Key pilot projects on priority decisions of the department.

The activities that remain include;

• The completion of
  • Six pilot projects representing all Regions and Sectors
  • A comprehensive analysis of these pilot projects as well as the departmental Integrated Planning Framework in order to identify how IRM analyses can best be integrated into the Integrated Planning Framework.
  • A department wide test implementation of IRM in one activity area for the 2006 2007 planning cycle.
• Ongoing activities
  • By the Integrated Risk Management Implementation Committee advising the IRM Team and considering the results and recommendations flowing from analyses and studies.
  • Drawing on the experience of other federal departments who are further along in the implementation of Integrated Risk Management.
  • Liaising with IRM Committees and IRM activities commissioned and managed within Regions and Sectors.
  • Developing and testing Quality Assurance and Quality Control approaches to ensure that the IRM analyses that are done are in keeping with the IRM Policy and use the department wide ranking criteria for likelihood and impact.

5.2 Timelines and Milestones

By March 31, 2005

Approval of the Integrated Risk Management Implementation Plan

• Six Pilot Implementations
  • Chosen to cover all Regions, all Sectors, actual program activity as well as internal service functions (e.g. staffing, procurement)
  • To assess the level of activity and level of spending that can act as a materiality threshold.
  • To determine how the IRM information is consolidated and reported "up the line".
  • To identify where in the planning cycle IRM analysis and reporting can be "installed" so that it becomes a routine and necessary part of annual planning.
• Support key departmental initiatives including the Science Review and the Expenditure Review.

By July 1, 2005

• DMC workshop on Risk Tolerance and Mitigation
• Development of a preferred approach for department wide testing
  • By reviewing the results of the Pilot Projects
  • By reviewing the Integrated Planning Framework
  • By meeting with departmental staff
    • Involved in planning
    • Involved in operations
• Identifying an activity for department wide testing
  • An activity that exists in all Regions.
  • Is a workable scale.
  • Would serve as a valid test of the proposed implementation plan.

By September 1, 2005

• Completion of the regional IRM analyses in the activity area that has been chosen for department-wide testing
• Including all familiarization and training
• Including all Quality Assurance and Quality Control measures

By November 1, 2005

• Integration of the risk based information from the department-wide testing into the departmental planning documents
• With risk information integrated across Regions and Sectors
• With assessments by senior departmental staff on the degree to which the information itself and its manner of communication is supportive of the priority setting and decision making in the Integrated Planning Framework.

By December 1, 2005

• For the activity identified for department-wide testing, DFO’s planning documents include and report on risk information derived from the IRM analyses
• With assessments from DFO staff on the best practices and areas for improvement for the process that has been used.
• With assessments from TBS as to the adequacy of the approach.

By April 1, 2006

• A Department wide approach for implementing IRM has been developed
• With the key elements in place to have IRM implemented in all Regions and all Sectors for the next planning cycle.
• The Corporate Risk Profile is updated based on work conducted by Regions and Sectors on their own Risk Profiles.
• The Integrated Risk Management Guidelines are finalized
• The necessary task specific and activity specific training materials have been identified and are under development
• The center of responsibility for IRM implementation and monitoring is moved out of the Audit and Evaluation Directorate
• An IRM governance framework is put in place and the IRM Implementation Committee is replaced by a departmental committee tasked with IRM Coordination and Monitoring

6 Communications Strategy

A critical success factor when implementing IRM is an effective communications strategy. It is necessary to ensure that all relevant parties share a common understanding of the IRM objectives, approach and outcomes. The communication of IRM benefits is particularly important to ensure that buy-in and commitment prevails.

6.1 Internal Communications

The IRM implementation, in order to be successful, needs to communicate directly with departmental staff, both about what it is and how it can be helpful. Communications material will be prepared for an article in Oceans, and the IRM activities will have a link on the "front page" of DFO’s intranet site.

In addition brochures summarizing the three key documents that have been approved (the Integrated Risk Management Policy, the Initial Corporate Risk Profile and the Integrated Risk Management Guidelines) will be prepared to be circulated as required. The most common distribution channel will be electronic where text documents and "Adobe Acrobat" files will be available on the IRM Web site. This site will also link to the best practices in other departments as well as risk management materials from other organizations that are considered to be relevant and easily understood.

The greatest risk to full IRM implementation in the department is that its value is not understood, and it is considered to be additional work and simply "another bright idea" from NCR or Central Agencies. The true value of IRM must be presented with real examples, including the results of the Pilot Projects and the Department-Wide Testing.

6.2 Communications to Clients

Departmental clients, both commercial and recreational mariners and fish harvesters, are well aware of risks and risk management. Their risk tolerances are not well understood, and may differ for risks that they feel they have control over as compared to risks that flow from departmental decisions. Effective and well thought communications to this group are key to successful implementation of IRM.

The channels for this communication include current consultative arrangements as well as direct contact with DFO staff. This latter communication can only be effective if the internal communications to our own staff are effective and complete.

6.3 Communications with Other Government Departments

DFO is using the Treasury Board Secretariat model to develop and implement Integrated Risk Management. Several departments now include IRM information in planning and reporting documents and DFO’s use of the TB standards will facilitate communications and resource allocation discussions with Central Agencies.

6.4 Communications with First Nations, Provincial and Municipal Governments

Several Provinces and municipalities use IRM analyses for their planning and budgeting and our IRM materials will therefore be familiar to them. In addition IRM provides analyses and documents that are simple and transparent, and it is reasonable to expect that such information will facilitate discussions with First Nations, provincial and municipal governments

6.5 Communications to the Media

DFO needs to have integrated and comprehensive communications materials for the media, and these could build on materials currently available from Treasury Board Secretariat and other government departments (e.g. CFIA, HRDS). The most likely use of this material will be as background for DFO decisions that have been informed by IRM analyses.

The effect of comprehensive IRM work in other departments has been to reinforce that there are always risk, that some risks are intolerable and that some must be managed.

7 Upon Completion of This Plan

DFO will have a functioning mechanism that provides for IRM analyses at all levels of the department and in all sectors. Risk communications will be based on a departmental wide set of standard criteria for likelihood and impact and allow for meaningful comparisons of risk within and between Sectors and Regions.

All IRM analyses will link to the three departmental outcomes and IRM results will be fully integrated into the Integrated Planning Framework. The results of the analyses and the detailed program specific risks will be explicitly recorded so as staff change through time and as new processes and approaches are implemented, explicit recording of the risks, their likelihood and impact and the related mitigation steps will serve to inform new employees and managers.

Training materials, including procedures manuals and training modules relevant to DFO’s mission and activities will be complete and available.

IRM information will be sufficiently robust that planned changes in program funding can be implemented with a full understanding of the risk profile both before and after the funding adjustment.

Programs and activities within the department will have control structures and procedures that provide for robust and continuing mitigation of risks.

Risk communication within DFO will be facilitated by the use of standardized criteria and integrated reporting. Risk communication with clients, other government agencies and with the public will be consistent and transparent.

In all cases, IRM analyses will report against departmental outcomes. The Corporate Risk Profile will identify the broad risk categories for analysis but for some activities not all risks will exist and in many cases a much more detailed breakdown within risks will be required to fully understand the risks and mitigation steps

Currently we have rankings from the Initial Corporate Risk Profile

Key Risk Areas

1. Government Agenda
2. Structural
3. Internal Change and Alignment
4. Clients and Partners
5. Environment
6. Sustainability
7. International
8. Legal and Statutory
9. Communications

When DFO has fully implemented IRM the Key Risk Areas will be mapped against the key departmental outcomes as shown below.

[ Click on picture to enlarge ]