Risk Management Essentials: How to Develop a Risk Profile
This job aid is part of the Risk Management Essentials Series, practical guidance on risk management that can be applied in the workplace. This job aid provides general guidelines on how to develop a risk profile at the project, division, directorate and branch levels. For formal guidance on how to conduct a Corporate Risk Profile please refer to the Treasury Board Secretariat's "Guide to Corporate Risk Profile".
- Context and environmental scan
- Risk identification
- Risk measurement and assessment
- Response to risk
- Risk monitoring and control
What is a risk profile?
A risk profile is a description of any set of risks. It involves taking stock of the organization's operating environment and its capacity to deal with significant high-level risks linked to the achievement of objectives at different levels of the organization (i.e., corporate, branch, project). A risk profile is established to enhance senior management's analysis and decision making related to priority setting and resource allocation. There are two key types of risk profiles. The first type is strategic in nature and deals with risks at the corporate level. One of the first activities typically associated with managing risks at this level is the development of a Corporate Risk Profile. The second type is operational in nature and deals with risks at the branch level.
A risk profile:
- Provides staff, external partners, and decision-makers with a clear 'snapshot' of key risks.
- When implemented, it can help identify areas of efficiency and potential opportunity.
- Supports strategic priority setting, resource allocation, informed decision-making and improved results.
- Can be developed formally and/or informally, for different levels of an organization such as at the corporate level, for a sector, work unit or project.
Steps to develop a risk profile
Communicating risks is vital for effective risk management and should happen throughout the steps below. For each step, decide what information needs to be transmitted, to which stakeholders, how often, with what importance and urgency, and by what communication method.
- Determine the Objective and the Scope
This will help you accurately identify and assess your risks.
- Determine the ultimate goal and a clear and concise objective statement for the risk profile.
- Establish the scope of the risk profile (e.g., activity, project, division, directorate or branch level).
- Decide how formal your risk management exercise will be.
- Gather Key Participants
This will help you collect good information. A team of 6 to 15 participants is usually ideal and feasible, though there is no single right size; it depends on the scope and objective.
Project lead: leads the risk assessment team and drives each step of the process.
Risk assessment stakeholders: support the identification, assessment and measurement of risks. This is a group of knowledgeable stakeholders who have a role in delivering on the stated objective, or who will be affected by the result. Members should reflect a diversity of opinion, independence and specialization.
Management champion (if required): provides resources and lends credibility and visibility. The project lead will regularly report back to the management champion.
- Scan your environment
This will help you identify and understand possible drivers and sources of risk that could affect the achievement of your objectives. A best practice involves continuous environmental scanning. This means that you should be regularly alert to news and information relevant to your objective(s).
- Identify the Risks
Document known risks and identify new ones. To do this, look at critical functions, immediate threats, dependencies, bottlenecks, and slow-burning issues for risks that could emerge and affect your objective. When identifying risks, also determine the category each risk belongs to (e.g., strategic, financial, operational, human resources, reputational, environmental, legal). Remember, risk refers to the effect of uncertainty (positive or negative) on objectives. Techniques to identify key risks include review of key documents, semi-structured interviews, stakeholder risk sessions, risk source analysis and risk and control self-assessment.
- Assess and Measure Risks
- Complete the risk register elements in blue
For each risk, the risk register contains: risk drivers, risk statement, risk events, impacts, key controls, risk ratings (residual likelihood, residual impact, residual exposure) and risk response/action plan.
- Validate the risk register
After the risk register has been drafted by the project lead, it should be validated with risk assessment stakeholders prior to rating risks. This ensures that all the information is accurate and that the risk register reflects the full input of the group.
- Assess the risks
To support the prioritization of risks and decisions about which ones to address, each member of the risk assessment team can perform an independent assessment of each risk. Generally, three dimensions are assessed: (1) control effectiveness, (2) residual risk likelihood and (3) residual risk impact. When rating risks, consider risk appetite and risk tolerance.
- Develop a Risk Matrix
After the risk assessment is complete, the results are aggregated by taking the average of scores from each participant, for each dimension, by risk, and presented on a risk matrix (also known as a heat map). The risk matrix allows everyone to see the relative positioning of the risks, and where the greatest exposures are.
- Validate risk ratings
While the risk assessment results represent an average of the group, you will want to review the results with stakeholders to ensure that they make sense. A stakeholder workshop provides the opportunity to validate the ranking results and to have a full discussion about the risks. Based on group consensus, a decision should be made on the final risk matrix, and the risk exposure category for each risk should be determined.
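The assessment, aggregation and risk matrix steps above, carried through as an added worked example in Python. This code is not part of the job aid or of any Treasury Board template. It assumes a 1-5 rating scale for each dimension, a residual exposure of mean likelihood multiplied by mean impact, and Low/Medium/High exposure thresholds of 6 and 15; none of those values come from this page, and a team should substitute its own scale, exposure formula and appetite-derived thresholds. The participant names, risk identifiers and scores are constructed sample input. The example also handles two cases the text leaves implicit: a participant who did not rate a risk at all, and one who abstained on a single dimension, both of which are excluded from the average rather than counted as zero.

```python
"""Aggregate per-participant risk ratings into a risk matrix (heat map).

Added worked example for the "Assess the risks" and "Develop a Risk Matrix"
steps; not part of the original job aid. Assumptions (not stated on the page):
  * each dimension is rated on a 1-5 scale;
  * residual exposure = mean residual likelihood x mean residual impact;
  * exposure categories: Low below 6, Medium from 6 to below 15, High 15 and above.
"""
from collections import defaultdict
from statistics import mean

DIMENSIONS = ("control_effectiveness", "likelihood", "impact")
SCALE = range(1, 6)  # assumed 1-5 rating scale

# Constructed sample input: participant -> risk id -> (control, likelihood, impact).
# None means the participant abstained on that dimension; a missing risk means
# they did not rate it at all (carol did not rate R3).
RATINGS = {
    "alice": {"R1": (4, 2, 5), "R2": (2, 4, 4), "R3": (3, 1, 2)},
    "bob":   {"R1": (3, 3, 4), "R2": (2, 5, 4), "R3": (3, 2, 2)},
    "carol": {"R1": (4, 2, 4), "R2": (None, 4, 5)},
}


def aggregate(ratings):
    """Average each dimension per risk across participants.

    Returns {risk_id: {dimension: mean (2 dp), "exposure": float, "n": raters}}.
    Abstentions (None) are excluded from that dimension's average rather than
    counted as zero, which would silently drag the score down.
    """
    scores = defaultdict(lambda: defaultdict(list))
    raters = defaultdict(set)
    for participant, risks in ratings.items():
        for risk_id, values in risks.items():
            if len(values) != len(DIMENSIONS):
                raise ValueError(f"{participant}/{risk_id}: expected {len(DIMENSIONS)} scores")
            raters[risk_id].add(participant)
            for dim, value in zip(DIMENSIONS, values):
                if value is None:
                    continue
                if value not in SCALE:
                    raise ValueError(f"{participant}/{risk_id}/{dim}: {value!r} not in 1-5")
                scores[risk_id][dim].append(value)

    result = {}
    for risk_id, dims in scores.items():
        missing = [d for d in DIMENSIONS if not dims[d]]
        if missing:
            raise ValueError(f"{risk_id}: no ratings for {missing}")
        raw = {dim: mean(dims[dim]) for dim in DIMENSIONS}
        entry = {dim: round(v, 2) for dim, v in raw.items()}
        # Exposure is computed from the unrounded means so rounding does not compound.
        entry["exposure"] = round(raw["likelihood"] * raw["impact"], 2)
        entry["n"] = len(raters[risk_id])
        result[risk_id] = entry
    return result


def exposure_category(exposure):
    """Map an exposure score to a category (thresholds are an assumption here)."""
    if exposure >= 15:
        return "High"
    if exposure >= 6:
        return "Medium"
    return "Low"


def risk_matrix(agg):
    """Place each risk in a 5x5 likelihood x impact grid: {(lik, imp): [risk ids]}."""
    cells = defaultdict(list)
    for risk_id, m in sorted(agg.items()):
        lik = int(m["likelihood"] + 0.5)  # round half up (avoids banker's rounding)
        imp = int(m["impact"] + 0.5)
        cells[(lik, imp)].append(risk_id)
    return dict(cells)


def render(agg):
    """Text heat map: rows are impact (5 at the top), columns are likelihood 1-5."""
    cells = risk_matrix(agg)
    lines = ["impact \\ likelihood " + "  ".join(f"{lik:^6}" for lik in SCALE)]
    for imp in range(5, 0, -1):
        row = [f"{imp:^19}"]
        for lik in SCALE:
            row.append(f"{','.join(cells.get((lik, imp), [])) or '.':^6}")
        lines.append("  ".join(row))
    return "\n".join(lines)


if __name__ == "__main__":
    agg = aggregate(RATINGS)
    for risk_id, m in sorted(agg.items()):
        print(risk_id, m, exposure_category(m["exposure"]))
    print(render(agg))
```

Running the block prints the per-risk averages with their exposure category and a text heat map; in the sample, R2 (high likelihood, high impact) lands in the top-right region as High, R1 as Medium and R3 as Low. The raw per-participant scores are kept until the validation workshop so that outliers can be discussed rather than hidden by the average.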
- Develop Risk Response(s)
Determine the risk response for each risk identified. Key steps:
- Engage with stakeholders
- Determine resources and requirements
- Develop risk action plans (includes - objectives, initiatives, key supporting activities, target completion dates, performance measures)
- Establish a risk owner for each risk. The risk owner has the overall accountability for the management of a risk. The risk owner can be at any level of the organization.
- Monitor and Report
As time passes, changes in the environment could affect the risks identified as well as your level of exposure to them. Monitoring and reporting periodically will help you keep current, valid, and relevant risk information and decide if a change is required to your risk responses and/or risk action plans, or if there is a need to respond to new risks.