Enterprise Risk Management - User's Guide
Prepared By: Make IT Inc. 2054 2nd Avenue Whitehorse, YT Y1A 1A8
Contract Number: Project CSSP-CP-2013-1024
Contract Scientific Authority: Shaye Friesen, DRDC Centre for Security Science
The scientific or technical validity of this Contract Report is entirely the responsibility of the Contractor and the contents do not necessarily have the approval or endorsement of Department of National Defence of Canada.
Contract Report DRDC-RDDC-2015-C128 May 2015
IMPORTANT INFORMATIVE STATEMENTS
CSSP-CP-2013-1024 National ERM in the Public Sector was supported by the Canadian Safety and Security Program, which is led by Defence Research and Development Canada’s Centre for Security Science, in partnership with Public Safety Canada. The project was led by the Yukon Government in partnership with the Governments of British Columbia, Manitoba, Saskatchewan, New Brunswick, Newfoundland and Labrador, Nunavut, and the Northwest Territories.
Canadian Safety and Security Program is a federally-funded program to strengthen Canada’s ability to anticipate, prevent/mitigate, prepare for, respond to, and recover from natural disasters, serious accidents, crime and terrorism through the convergence of science and technology with policy, operations and intelligence.
© Her Majesty the Queen in Right of Canada, as represented by the Minister of National Defence, 2015
© Sa Majesté la Reine (en droit du Canada), telle que représentée par le ministre de la Défense nationale, 2015
Enterprise Risk Management
User’s Guide
Prepared For:
Yukon Government
Make IT Inc.
2054 2nd Ave. Whitehorse, YT Y1A 1A8
Tel: (867) 668-4091
Fax: (867) 668-4092 Email: [email protected]
User’s Guide - Introduction 2
Contents
Introduction ...................................................................................................................................................... 4
Overview of the Risk Assessment Process .......................................................................................................... 4
Creating Assessments ........................................................................................................................................ 6
Creating assessments ..................................................................................................................................... 6
Adding assessment team members ................................................................................................................ 7
Setting the context ........................................................................................................................................ 7
Adding goals .............................................................................................................................................. 8
Adding objectives ....................................................................................................................................... 8
Adding impact category context information.............................................................................................. 9
Viewing the organization’s capabilities ..................................................................................................... 10
Adding links to supporting information .................................................................................................... 10
Editing assessments ..................................................................................................................................... 11
Viewing the Assessment Summary report .................................................................................................... 11
Viewing the Assessment Context report ....................................................................................................... 11
Viewing the Risk Summaries report .............................................................................................................. 12
Archiving assessments ................................................................................................................................. 12
Identifying Risks ............................................................................................................................................... 12
Strategic and Operational assessments – SWOT analyses ............................................................................. 13
Disaster assessments – identifying threats and hazards ............................................................................... 13
Adding risk statements ................................................................................................................................ 14
Prioritizing risks............................................................................................................................................ 16
Developing scenarios ................................................................................................................................... 17
Creating a scenario by copying an existing scenario .................................................................................. 18
Analyzing Risks ................................................................................................................................................ 18
Scheduling workshops.................................................................................................................................. 19
Leading a scenario scoring workshop ........................................................................................................... 20
Documenting a scenario scoring workshop .................................................................................................. 21
Scoring scenarios manually .......................................................................................................................... 24
Participating in a workshop .......................................................................................................................... 24
Risk Evaluation................................................................................................................................................. 25
Reviewing and Updating Risks .......................................................................................................................... 25
Managing Mitigations ...................................................................................................................................... 28
Creating mitigations ..................................................................................................................................... 29
Managing mitigations .................................................................................................................................. 29
Viewing Risks and Mitigations where you are a Stakeholder ............................................................................ 31
My Recent Notifications ................................................................................................................................... 31
Receiving notifications by e-mail .................................................................................................................. 31
Capabilities ...................................................................................................................................................... 32
Capabilities .............................................................................................................................................. 32
Activities .................................................................................................................................................. 32
Measures ................................................................................................................................................. 33
Tasks ........................................................................................................................................................ 33
Maturity Ratings ...................................................................................................................................... 33
Managing a Capabilities Inventory ............................................................................................................... 33
Completing Capability Questionnaires.......................................................................................................... 35
Updating Capabilities ................................................................................................................................... 35
Reports ............................................................................................................................................................ 36
Capability Assessment.................................................................................................................................. 36
Organizational Risk Summary ....................................................................................................................... 36
Disaster Scenario and Strategic/Operational Scenario .................................................................................. 37
User Accounts and Permissions........................................................................................................................ 38
Adding user accounts ................................................................................................................................... 38
Categories ....................................................................................................................................................... 41
Geography Structure ....................................................................................................................................... 42
Organizational Structure .................................................................................................................................. 42
More Resources ............................................................................................................................................... 43
Introduction
The Enterprise Risk Management (ERM) system assists your organization in managing its risks by identifying,
assessing and monitoring them in accordance with the ISO 31000 standard. ERM supports the All Hazards Risk
Assessment (AHRA) methodology and processes developed by Public Safety Canada in partnership with
Defence Research and Development Canada - Centre for Security Science, which have been adopted to meet the risk
management requirements of provincial and territorial government institutions in Canada.
This User Guide describes how to use ERM to identify and analyze risk events, how to prioritize risks and
develop treatment strategies, and how to use ERM’s flexible reporting options to analyze your organization’s
risks.
Watch introductory tutorials on ERM and the AHRA methodology
Overview of the Risk Assessment Process
A risk to an organization is an event or circumstance that could prevent it from achieving its objectives. ERM
groups risks into three types: strategic, operational and disaster.
Strategic risks are assessed at upper levels in the organization’s hierarchy. For example, a government
department or ministry may assess risks that prevent it from achieving its strategic objectives.
Operational risks are assessed at lower levels in the organization’s hierarchy, such as at the branch or unit
level. The assessment focuses on identifying risks that affect the organization’s ability to achieve its
operational objectives.
Disaster risks may be assessed at any organizational level.
Risk assessment is broken down into five steps:
Setting the context involves describing the organization’s goals and objectives, and the characteristics of
the environment in which it operates.
Identifying risks is the process of finding, recognizing and recording risks. It may involve a SWOT analysis,
or an analysis of threats and hazards the organization faces.
Analyzing risks requires assessing the severity of a risk event and the likelihood that the event and its
impacts will occur.
Evaluating and prioritizing risks involves comparing the results of the risk analysis with the organization’s
risk tolerance criteria to determine whether action should be taken to mitigate the risks.
Treating prioritized risks means identifying and recommending treatment strategies and options.
Because strategies, priorities and resources change over time, your organization should also monitor
its risks to ensure that the recorded risks continue to provide an accurate and complete picture of the threats to the
organization’s objectives. Similarly, the organization should establish a cycle for monitoring the effectiveness
of its risk treatment plans and updating them when needed.
The five steps of the AHRA risk management methodology as described by Public Safety Canada (All Hazards Risk Assessment Methodology Guidelines 2012-2013, p. 5).
Creating Assessments
When your risk office is engaged to assess the risks for an organization, you will need to record basic
information about the task you are setting out to do. For example, you must record the scope of the
assessment - will you be assessing all risks for the organization or risks for a particular branch or unit? What
type of risks – strategic, operational or disaster – will you be assessing? You will also need to record who
requested the analysis.
To track this information in ERM, your first step is to create an assessment. An assessment organizes the
information related to a particular risk analysis, including the operating context of the organization, the risks
that were identified, the results of the analysis, and the strategies created to treat the risks. Each time the
risk office is engaged to assess an organization’s risks, you’ll create a new assessment.
Creating an assessment and gathering the required information is typically done by the Risk Officer,
Operational Manager or whoever is leading the risk analysis process.
Watch a tutorial on creating assessments
Creating assessments
1. Click Assessments on the toolbar.
2. Click Add Assessment.
3. Select the organization the assessment will be carried out for.
4. Select the type of risks you will be assessing. The options available depend on the risk types enabled for the organization.
5. Enter a title for the assessment. For example, if the purpose of the analysis is to identify public health-related risks for a municipality, indicate that in the title.
6. Enter a description of the assessment. The description should summarize the scope of the assessment.
7. Enter the name of the person who requested the assessment.
8. Click Create to save the assessment, or click Cancel.
Editing assessments
Once you have created an assessment, you will need to return to it to update details, to analyze and
evaluate the identified risks, to print reports, and so on.
Watch a tutorial on using the Assessments list
1. Click Assessments on the toolbar to display the list of assessments that the security settings on your user
account provide access to.
2. Click an assessment to open it, and use the tabs on the left to display the assessment details, workshop
schedules, scenarios and risks.
If there are many assessments in the list, you can sort and filter the list to make it easier to find what you
are looking for:
To sort the list, click a column header, and then click the arrows to sort alphabetically in ascending or descending order.
To filter the list, click a column header. Type the text to filter by, or click a value. For example, to display only Operational assessments, click the Risk Type column header, then click Operational.
To clear the filter, clear the checkbox beside the text “Risk Type = ‘Operational’”.
Viewing the Assessment Summary report
The Assessment Summary report summarizes the results of the scenario scoring sessions, and is a useful
report to send to the requester of the assessment. It includes the assessment dates and description, the names
of the team members, and a summary of the risks with their associated objectives.
1. Select an assessment. Click Details, then click Assessment Summary.
Viewing the Assessment Context report
The Assessment Context report displays the context information recorded on the Impact Category page.
This report is automatically included as a PDF attachment in the “Welcome” e-mail sent to scenario scoring
participants when they are invited to a workshop, but you can reprint it at any time.
1. Select an assessment. Click Context, then click Assessment Context.
Viewing the Risk Summaries report
The Risk Summaries report displays the scenario scoring summary, existing controls and mitigations for all
risks identified throughout the selected assessment.
1. Select an assessment. Click Details, then click Risk Summaries.
Archiving assessments
Archiving completed assessments helps keep your list of assessments manageable. Archived assessments
don’t display on the Assessments list. Strategic and operational assessments must be archived before you
can start a new assessment of that type for the same organization. Because an organization may have several
disaster assessments in progress at the same time, disaster assessments are archived manually, as described
below.
Archive a strategic or operational assessment. When you create a new strategic or operational
assessment for an organization, ERM checks whether an active assessment of that type already exists. If one
exists, you will be asked to archive the current assessment. Select Yes if you are starting a new assessment.
All of the information from the archived assessment will be copied to the new assessment, including goals,
objectives, SWOT analyses, risk statements, workshops and scenarios. Select No to continue the current
assessment rather than creating a new one.
Archive a disaster assessment. Select the assessment, then click the Edit button beside Assessment
Details. Click Archive, and click Yes to proceed. Archived assessments can’t be “unarchived”.
Identifying Risks
Risk identification is the process of finding and recording the risks an organization faces, given the context in
which it operates. The objective of this process is to identify risks to be considered for analysis and
treatment. This process is typically performed by the Risk Officer or Operational Manager, in collaboration
with subject matter experts on the threats and hazards faced by the organization.
The following definitions may be useful:
SWOT analysis: a planning method used to evaluate the strengths, weaknesses, opportunities and threats
affecting an organization’s ability to achieve its objectives.
Hazard: a potentially damaging event, phenomenon or activity that may cause injury or loss of life, property damage, social and economic disruption or environmental degradation.
Exposure pathway: the method, or route, by which a hazard may affect an organization.
Threat: a hazard and an exposure pathway.
Risk statement: a hazard or threat and its major impact.
Risk category: used for grouping and reporting on risks. Different risk categories are assessed differently.
For example, risks due to malicious threats, such as intentional acts, are assessed differently from risks due to natural threats such as severe weather events.
If you are assessing strategic or operational risks, your first step should be to work with the organization's
staff to perform a SWOT analysis. If you are assessing disaster risks, assist the organization's staff to analyze
the threats and hazards the organization faces. Follow the steps below to record the results of the analysis
in ERM, and then continue by examining the strengths, weaknesses, opportunities, threats and hazards to
identify risk statements.
Watch a tutorial on identifying risks
Strategic and Operational assessments – SWOT analyses
1. Select the assessment, and click the Identification tab on the left.
2. Click the Add icon beside Strengths, Weaknesses, Opportunities or Threats.
3. Enter a description.
4. Select the category of risks the strength, weakness, opportunity or threat relates to.
5. Click Create, or click Create Another to save and add another strength, weakness, opportunity or
threat. Click Cancel to discard your changes.
Disaster assessments – identifying threats and hazards
1. Select the assessment, and click the Identification tab on the left.
2. Click the Add icon beside Threat or Hazard.
3. Enter a description.
4. Select the category of risks the threat or hazard relates to.
5. Select the time frame in which the impacts of the threat or hazard are expected to occur.
6. If you are recording a threat, describe the exposure pathway.
7. Click Create to save your changes, or click Create Another to save and add another threat or hazard.
Click Cancel to discard your changes.
Adding risk statements
The risks an organization faces are a consequence of its particular strengths, weaknesses, opportunities,
threats and hazards. After completing a SWOT analysis (if you are assessing strategic or operational risks) or
reviewing the organization’s threats and hazards (if you are assessing disaster risks), your next step is to
create risks statements.
Try to write your risk statements in the following format:
If (event) occurs, the consequences could result in (negative impact)
Writing risk statements in this format ensures that you capture both the event itself, and the potential
impact of the event if it is left unmanaged.
For example, if you are doing a disaster assessment to analyze the impacts of a hurricane making landfall in
the Halifax area, your risk statement might be “If a category 3 or higher hurricane makes landfall within 200
km of the downtown area, high winds could result in widespread power outages”.
1. Select the assessment, and click the Identification tab on the left.
2. Click Risk Statements.
3. For strategic and operational assessments, the strengths, weaknesses, opportunities and threats will be
listed. For disaster assessments, threats and hazards will be listed. To add a risk statement click Add.
4. Enter a risk statement.
5. Select the category associated with the risk statement.
6. Select the objectives the risk affects. You can select as many objectives as needed.
7. Select a risk owner. The risk owner is the person who accepts responsibility for managing the risk.
8. Under Existing Controls, indicate the control measures currently in place to manage the risk, and the
effectiveness of the controls. If multiple control measures are in place, click Add to append another line.
9. Scoring Method specifies how the risk severity is calculated from scenario severity. (Scenarios are
specific examples of how a risk may materialize; they are discussed in the next section.) Select Highest if the
scenario with the highest score should automatically be used to score the risk. Select Manual to choose the
scenario to be used to score the risk yourself.
10. The risk Security Level setting determines who can view the risk and related information. The options
displayed depend on the organization associated with the assessment. For example, assume the risk
assessment is for the Public Libraries branch, one of several branches within the Community
Development division, which is one of several divisions within the Community Services department of the
Yukon government. The Security Level list then offers the following options, with the results shown for each.
Open: the risk and related mitigations can be viewed by anyone with access to ERM.
Public Libraries: viewable by people whose organization is the Public Libraries branch, the Community
Development division, the Community Services department or Yukon. People in other branches within Community
Development, and people in other divisions and departments, cannot see the risk.
Community Development: viewable by people whose organization is the Community Development division or any
branch below it, the Community Services department or Yukon. People in other divisions and departments cannot
see the risk.
Community Services: viewable by people whose organization is the Community Services department or any
organizational level below it, or Yukon. People in other departments cannot see the risk.
Yukon: viewable by people whose organization is Yukon or any organizational level below it.
Ministerial Access: viewable only by people whose user account specifically grants access to Ministerial Advice
Access risks.
Some user roles have access to all risks in the organization. For example, the System Administrator role
overrides the security level setting on a risk. Read more about user account security settings.
11. Click Create to save the risk statement, or click Create Another to save and add another risk statement.
Click Cancel to discard your changes.
To update a strength, weakness, opportunity, threat or hazard, click on it to display it. Make your
changes and click Save.
To delete an item, edit it and then click Delete.
Click the gray Strengths, Weaknesses, Opportunities, Threats or Hazards bar to expand and
collapse each region, or click Expand All/Collapse All.
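The Security Level rules above amount to a hierarchical visibility check: a risk pinned to an organizational unit is visible to that unit, to everything below it, and to the units on the path above it, but not to sibling units; Open is visible to everyone, Ministerial Access only to accounts with that grant, and the System Administrator role overrides the level. The following Python is an added illustration written for this guide, not ERM code. The organization tree (the Yukon / Community Services / Community Development / Public Libraries chain comes from the example; the sibling units are hypothetical), the user records, the exact role name and the ministerial_access flag are constructed assumptions.

```python
"""Hierarchical risk visibility, modelled on the ERM Security Level table.

Added example, not ERM code. The organization tree, the user records, the
"System Administrator" role name and the ministerial_access flag are
constructed assumptions used to exercise the rules the guide describes.
"""
from dataclasses import dataclass

# Constructed organization hierarchy: unit -> parent unit (None = root).
# Public Libraries, Community Development, Community Services and Yukon come
# from the guide's example; the sibling units are hypothetical.
ORG_PARENT = {
    "Yukon": None,
    "Community Services": "Yukon",
    "Highways": "Yukon",                              # another department
    "Community Development": "Community Services",
    "Sport and Recreation": "Community Services",     # another division
    "Public Libraries": "Community Development",
    "Recreation Programs": "Community Development",   # another branch
}


@dataclass(frozen=True)
class User:
    name: str
    organization: str
    roles: frozenset = frozenset()
    ministerial_access: bool = False


def ancestors(org):
    """Return org and every unit above it, ending at the root."""
    if org not in ORG_PARENT:
        raise ValueError(f"unknown organizational unit: {org!r}")
    chain = []
    while org is not None:
        chain.append(org)
        org = ORG_PARENT[org]
    return chain


def security_level_options(assessment_org):
    """Options offered in the Security Level list for an assessment's organization."""
    return ["Open"] + ancestors(assessment_org) + ["Ministerial Access"]


def can_view_risk(user, security_level):
    """Decide whether user may view a risk (and its mitigations) at security_level.

    Fails closed: an unrecognised level raises rather than granting access.
    """
    # Role override: some roles see every risk regardless of level.
    if "System Administrator" in user.roles:
        return True
    if security_level == "Open":
        return True
    if security_level == "Ministerial Access":
        return user.ministerial_access
    if security_level not in ORG_PARENT:
        raise ValueError(f"unknown security level: {security_level!r}")
    # Organizational level: visible to the named unit, to every unit below it
    # (the level is an ancestor of the user's unit) and to every unit on the
    # path above it (the user's unit is an ancestor of the level). Sibling
    # branches, divisions and departments are excluded.
    return (security_level in ancestors(user.organization)
            or user.organization in ancestors(security_level))


if __name__ == "__main__":
    # Print, for each unit, which Public Libraries security levels its staff can see.
    for unit in ORG_PARENT:
        row = {lvl: can_view_risk(User("user", unit), lvl)
               for lvl in security_level_options("Public Libraries")}
        print(f"{unit:22} {row}")
```

The check deliberately raises on an unknown level instead of returning False silently, so a typo in a level name surfaces as an error rather than as a risk that nobody can see; the role override is applied first, which is why a System Administrator in an unrelated department still sees a Public Libraries risk, exactly as the note under step 10 describes.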
Once the prioritized risks have been set to In Scope, you are ready to continue by developing scenarios for
analysis and scoring.
Developing scenarios
Scenarios are specific examples of how risk events may materialize. They contain sufficient detail to enable
subject matter experts to determine the impacts of the event occurring, and the likelihood of the event and
its impacts occurring. Each risk event may have multiple scenarios. Each scenario is analyzed and scored
individually.
For example, if you are conducting a disaster assessment to analyze the impacts of a hurricane making
landfall, you may decide to analyze a scenario in which the hurricane makes landfall on a weekday and
another scenario in which it makes landfall on a weekend, because the impacts of high wind speeds, power
outages, flooding and blocked roadways depend on whether the event occurred on a weekday or a
weekend.
As another example, if subject matter experts were asked to rate the severity of the risk event “A lightning
strike in a remote area of the province may result in a large wildfire”, they would ask for detailed information
influencing the outcome, such as the season during which the wildfire occurs, the specific location of the fire
- near a town or in an unpopulated area, and the meteorological conditions leading up to the event. By
developing separate scenarios for these varying conditions, each can be assessed accurately.
This step should be done by the Risk Officer and Operational Manager in collaboration with subject matter
experts.
Watch a tutorial on developing scenarios
1. Select the assessment, and click the Identification tab on the left.
2. Click Scenarios.
3. Click the Add icon beside the risk statement you want to add a scenario for.
When using scenarios to define variations on risk events, ensure that sufficient detail is captured so that
assumptions and unknowns are limited, and so that the scenarios are as relevant to the organization’s
context as possible. Sound decision-making requires information and conclusions based on analysis of
specific, plausible and relevant scenarios.
To obtain assistance from the requester of the assessment or other participants when defining
scenarios, use the Scenario Template report to create a Word document for each scenario with spaces
to fill in the details of the event. To create the report, click the Identification – Risk Prioritization tab,
select the risks to develop scenarios for, then click Selected Scenario Templates. Once the documents
have been filled out, copy and paste the information back into ERM.
ERM enables you to schedule working groups for the purpose of collaborating on risk analyses. Once you
have started an assessment and developed the scenarios to be assessed, you can add them to workshops.
Each workshop has a documenter, one or more participants, and optionally, a facilitator. After adding
scenarios to a workshop, you can send e-mail notifications to the participants notifying them of the
schedule, workshop location and details on the scenarios to be assessed. You can also proceed directly with
scoring the scenarios drafted in the previous step, rather than scheduling workshops.
Scheduling workshops
1. Select the assessment, and click the Schedule tab on the left.
2. Click Add Workshop.
3. Enter a title for the workshop. The title will display on e-mail notifications sent to participants.
4. If you are scheduling a workshop for a future date, select Scheduled Workshop. Or, select Meet Now if the meeting attendees are in the room and ready to proceed with the scenario analysis.
5. For a scheduled workshop, enter the start and end dates. The start and end dates display on e-mail
notifications sent to participants.
6. Enter the location of the workshop.
7. Select the scenarios to be analysed during the workshop.
8. For a scheduled workshop, click the Scheduled Times tab and choose the day and start and end times
the analysis of each scenario is planned for. Defining day and time slots for each scenario will help workshop participants plan their attendance. For example, not all participants may be required for each
scenario. Scenarios aren’t assigned to time slots in “Meet Now” workshops.
9. Click Create to save the workshop, or click Create Another to save and add another workshop. Click
Cancel to discard your changes.
Add participants to the workshop. Click the Participation tab, then click Add beside Participants to invite
people to the workshop. Select Existing User to add someone with an account in ERM. Type the first few
characters of their name in the space provided. Select Not in the List to invite someone who doesn’t have
an ERM account. Fill in their first and last name, and enter the e-mail address notifications should be sent to.
Under Organization Type, click Internal if the person works in your organization, and select their
organization from the list. Click External if the person doesn’t work in your organization, and then enter
their organization name.
Click and drag a name and drop it on a scenario to invite the person to the scenario. Drop a name on the
workshop title to invite the person to participate in all scenarios. Click Drag All to invite all participants to
all scenarios.
The Add Workshop button is only displayed if unscored scenarios exist which have not already been
assigned to a workshop.
2. Describe the scenario to the group. If additional information or links to supporting information are
available, the documenter should display this information if possible.
3. Introduce the first impact category and invite the group to discuss the first question. The documenter
should display the impact category and question.
4. When the group is ready to vote, the documenter will open voting for the question if mobile voting is
being used. Invite the participants to submit their votes manually or using their mobile devices.
5. As voters submit their responses, ERM will display the number of results received.
6. Once all votes have been received, the documenter will close the poll, and ERM will display the poll
results in a graph. It will indicate the number of votes received for each response and the confidence levels
selected by the voters. Results are anonymous; however, votes submitted by participants who are
subject matter experts in the impact category will be indicated by hatching.
7. The documenter will select a response and confidence level, and will display the next question.
8. After scoring all impact categories, score the likelihood of the event and its impacts occurring.
9. Continue with the next scenario, or conclude the workshop.
Watch a tutorial on facilitating scenario scoring workshops
Documenting a scenario scoring workshop
If you are the documenter in a scenario scoring workshop, your role is to use ERM to display the analysis
questionnaire for each scenario to be scored. If mobile voting is being used, you’ll use ERM’s mobile voting
application to collect participants’ votes and to display the results.
What you’ll need:
A computer with Internet access, so that you can open ERM. Ideally, use a projector to display ERM for
the participants.
You must have a user account in ERM.
You must be assigned as the documenter on the scenarios to be scored during the workshop. Otherwise,
you will not have access to the analysis questionnaire on the scenarios.
If you plan to use mobile voting, participants will need Internet access in order to use ERM’s Mobile
Voting application on their mobile devices.
You can repoll a question as many times as needed. For example, if there is substantial variation in the
responses received, lead the group in further discussion and then ask the participants to vote again.
The documenter will re-open the poll.
Documenting a scenario scoring workshop
1. Select the assessment, and click the Analysis tab. Scenarios developed for the assessment will be
displayed. Your name will be displayed in blue on scenarios for which you are the documenter.
2. Click the scenario to display the analysis questionnaire.
3. To enable participants to vote using their mobile devices, update their attendance status by clicking the
Scenario tab on the left. Set the Attendance Status to Attended for each participant at the workshop.
To send participants with a status of Attended a link to the mobile voting application, click Send Mobile Link.
4. Click the Analysis tab on the left to display the first impact category and question.
5. Open the mobile scoring session by clicking . Participants with mobile devices will see a screen notifying them to wait for a question to open.
6. The facilitator will introduce the scenario and start the analysis, inviting the participants to discuss the
impacts and likelihood of the scenario.
7. When the group is ready to vote on the first question, open the poll by clicking .
Participants will see the first question on their screen, and will be able to select a response and confidence level, or to abstain from voting.
8. Participants will submit their responses.
9. Close the question and display the results. Results are anonymous; however, votes submitted by
participants who are subject matter experts in the impact category will be indicated by hashing. Position your mouse over an area of the graph to display details of the corresponding results.
10. Select the response to the question by clicking an area of the graph, or by clicking the response itself.
11. Optionally, use the Justification field to enter notes indicating the reason for the group’s response. For example, if the views of the experts in the room differed substantially you may want to make a note of it.
12. If the facilitator decides to repoll a question, click . Existing responses will be discarded, and participants will be asked to submit their responses again.
13. Optionally, use the Notes field for comments related to the impact category such as assumptions the
group made.
14. When all questions for the impact category have been answered, click Next to continue. Click Save to save your responses, or click Exit to discard your changes and return to the Scenario Details page.
15. When all impact and likelihood questions have been answered, click the Summary tab to display an overview of the scoring results by impact category.
16. When the facilitator and group are satisfied with the results of the analysis, click Finalize on the Summary tab. Finalizing a scenario prevents adjustments to the scoring, so ensure the analysis is
complete.
17. Repeat these steps if another scenario is to be analyzed in the workshop; otherwise, the facilitator will
conclude the workshop.
Scoring scenarios manually
ERM enables you to score scenarios with or without mobile devices, and using a combination of the two
methods.
If you want to use mobile voting but not all participants have mobile devices, open the poll and allow the
mobile voters to submit their responses. Close the poll and allow the group to discuss the results, giving
participants without devices an opportunity to weigh in.
If you are not using mobile voting, allow the group to discuss each question, and then manually select the
appropriate response and confidence level.
Participating in a workshop
The role of workshop scoring participants is to contribute their expertise on impact severity and likelihood
for one or more scenarios. A workshop may include multiple subject matter experts, each with knowledge
and experience in one or more areas related to the scenarios to be assessed.
As a group, the participants analyze the scenarios in order to rate the severity of their impacts and the
likelihood of the events and impacts occurring.
ERM includes a mobile voting application, which enables workshop participants to submit anonymous votes
on impact severity and likelihood using their mobile devices.
Watch a tutorial on participating in scenario scoring workshops
Overview of a typical scenario scoring workshop:
The facilitator will provide an overview of the process to be followed throughout the workshop. This may include a summary of the risk management process, and information on how the workshop results
will be used.
The facilitator will introduce the first scenario and start the analysis, inviting the participants to discuss
the impacts and likelihood of the scenario. If a projector is available, the documenter will use ERM to display the scenario details and context information.
When the group is ready to vote on the first question, the documenter will open the mobile scoring session in ERM, making voting available for participants with mobile devices. Participants will submit
their votes, and the group will continue with the next question.
If mobile voting is not being used, participants will discuss each question and will decide on a response
and confidence level as a group.
Once all questions have been discussed and answered, the facilitator will introduce the next scenario or
conclude the workshop.
Risk Evaluation
Risk Evaluation is the process of determining how to prioritize the risks your organization faces, given its
objectives and the impact and likelihood of a risk. The objective of the process is to determine a control
strategy for each risk. That is, to determine whether the risk will be accepted, avoided, shared with another
organization or treated. This process is typically performed by the Risk Officer and the Operational Manager,
in collaboration with the risk owner and the organization’s senior management.
Control strategies:
Accept: the organization chooses to accept the risk, rather than taking steps to treat it.
Avoid: the organization will change one or more of its activities in order to avoid the risk.
Reduce Impact: the organization will take steps to reduce the severity of the impacts of the risk.
Reduce Likelihood: the organization will take steps to reduce the likelihood of an event in order to lower
the risk.
Share/Transfer: the organization will reduce the severity of a risk by sharing it with another organization, or
by transferring one or more of its activities to another organization.
With the exception of “Accept”, each of these control strategies means that the organization plans to take
action to treat the risk. In the next section, you’ll learn how mitigations are used to define risk treatment
strategies.
1. Select the assessment, and click the Evaluation tab on the left.
2. The page will display a list of scored risks (risks for which at least one scenario has been scored and
finalized).
3. Use the checkboxes to select one or more risks, then select a control strategy and click Save.
Reviewing and Updating Risks
Because strategies, priorities and resources often change over time, an organization should review and
monitor the risks it has identified to ensure that they continue to provide an accurate and complete picture
of the threats to the organization’s objectives.
Watch a tutorial on reviewing and updating risks
Find and view a risk. Click Risks on the toolbar. A list of risks will be displayed based on the settings on
your user account. Click on a risk to view a summary of the risk, including the scenarios used to score it.
Click the Details tab on the left to view the organizational objectives the risk affects, the controls currently in
place to manage the risk, and to view or add risk stakeholders.
View scenarios developed for the risk. Click Risks on the toolbar, then click on a risk. Click the Scenarios
tab on the left for a list of scenarios developed for the risk. If a scenario has been scored, click Print to print
a summary of the analysis.
View mitigations associated with the risk. Click Risks on the toolbar, then click on a risk. Click the
Mitigations tab on the left to view mitigations developed for the risk.
Edit a risk. Click Risks on the toolbar, click on a risk, and then click Edit Risk. Whether a risk can be edited
depends on your user role and on the risk status:
The risk owner can edit the risk if its status is Active.
If your role is Risk Officer you can edit Active risks in your organization and in organizational units below, with the exception of Ministerial Advice Access risks.
If your role is Corporate Risk Office or System Administrator you can edit Active risks throughout the organization, including Ministerial Advice Access risks.
Risks with the status Closed can’t be edited.
Change the control strategy for a risk. If the decision on how to manage a risk is changed, you can update
the control strategy. If mitigations have already been entered for the risk, selecting Accept will cause
incomplete mitigations to be removed, and you will not be able to enter more mitigations. Selecting any
option other than Accept means that the organization plans to take action to reduce the adverse effects of
the risk.
Print a summary of the risk information as a PDF. Click Risks on the toolbar, click on a risk, then click
Risk Summary.
Close a risk. If a risk is no longer considered to have an effect on the organization’s ability to achieve its
objectives, the risk owner or another user with the appropriate permissions can close the risk. Edit the risk,
and under Risk Status, select Closed. Once a risk has been closed further changes can’t be made to it, and it
can’t be reset to Active.
How is Degree of Risk determined? If scenarios for the risk have been developed and analysed, the
Summary tab displays the scores, and indicates which scenario was used to score the risk. If the Scoring
Method for the risk is “Highest”, ERM uses the scenario with the highest combination of impact severity
and likelihood as the risk score. If the Scoring Method is “Manual”, the risk owner or another user with
permission to edit the risk can select a scenario to be used to score the risk.
Watch a tutorial on using the risks list
If there are many risks in the risk list, you can sort and filter the list to make it easier to find what you are
looking for:
To sort the list, click a column header, and then click the arrows to sort alphabetically in ascending
or descending order.
To filter the list, click a column header. Type the text to filter by, or click a value. For example, to display only risks with a Risk Degree of High, click the Risk Degree column header, then click High.
To clear the filter, clear the checkbox beside the text “Risk Degree = ‘High’”.
Watch a tutorial on risk treatment plans
Creating mitigations
1. Select the risk to add a mitigation for, and then click the Mitigations tab on the left.
2. Click Add Mitigation.
3. Enter a title and description in the spaces provided.
4. Under Mitigation Owner, select the name of the person responsible for managing the mitigation.
5. Optionally, enter a due date to indicate when the action or measure is expected to be complete.
6. Use the Status option to indicate whether the mitigation is proposed, approved, rejected, in progress or
complete.
7. Optionally, use the Status Comments field to enter details on the mitigation status.
Managing mitigations
Because strategies, priorities and resources often change over time, your organization should develop a
cycle for monitoring the effectiveness of its risk treatment plans, and updating them when needed.
Viewing Risks and Mitigations where you are a Stakeholder
If you are the stakeholder on a risk or mitigation, the risk or mitigation will display on your dashboard, giving
you an overview of the risk-related information that is important to you.
If you are the stakeholder on a risk, click the risk to display the Risk Details page. This page shows the
scenario scoring summary, the control measures in place to handle the risk, the objectives that the risk
affects and other risk details.
If you are the stakeholder on a mitigation, click the mitigation to display the Mitigation Details page, where
you can review details including the description of the mitigation, performance indicators that have been
put in place and funding requests.
The dashboard link displays risks with a status of Active, and mitigations with statuses of Proposed, In
Progress and Approved.
My Recent Notifications
The My Recent Notifications area on the dashboard displays notifications of events that may require your
attention.
A notification will be created when the following events occur:
You are assigned or removed as the owner on a risk
You are assigned or removed as the owner on a mitigation
You are assigned or removed as a risk stakeholder
You are assigned or removed as a mitigation stakeholder
Scenario scoring is finalized for a risk you own
If you are assigned to a risk or mitigation as the owner or stakeholder, click the notification to view the risk
or mitigation. If scenario scoring is finalized for a risk you own, click the notification to view the scenario and
print the Scenario Assessment report. Notifications are displayed for one month.
Receiving notifications by e-mail
To receive an e-mail with your notifications in addition to viewing them on the dashboard, modify your
profile to select a notification frequency.
1. Click the arrow beside your name in the top right corner of the page, and select Edit Profile.
2. Under Notification Frequency, select Weekly or Monthly to determine the frequency you’d like to
receive e-mail notifications. Select No Emails if you don’t want to receive notifications.
3. Click Save.
Capabilities
ERM's Capabilities module assists your organization in identifying the degree to which it has attained
capabilities considered essential to achieving its objectives, and in identifying and prioritizing areas in which
its capabilities differ from the state it wishes to achieve.
During the risk assessment process, referring to the organization's capability assessments and maturity
models gives a broader understanding of the potential impact of the risks it faces. If your organization has
well-established procedures for preventing, responding to and recovering from a specific threat, the risk
posed by the threat would be expected to be less severe than one for which the organization lacks the
required procedures, other factors being equal.
Managing an organization's capabilities involves two steps:
Enter an inventory of capabilities. An ERM System Administrator enters the inventory, adding new
capabilities for each risk type the organization assesses.
Complete the capabilities questionnaire. Once the inventory has been entered, ERM will display a
notification on the dashboard, with a link to each pending questionnaire. The notification displays only for
people whose user account includes the role “Complete Capabilities Questionnaire”.
Let's take a closer look at what is involved in assessing capabilities.
Capabilities
A capability is a specific factor contributing to an organization’s ability to achieve its objectives. Information
Governance is a capability. Organizations depend on information to develop products and services, to make
decisions, to protect property rights and to generate revenue. Leadership is another capability. Prioritizing
leadership development processes and skills training assists organizations in delivering predictable and
sustainable results.
Activities
Watch a tutorial on Capabilities
Activities are broad actions an organization takes to achieve its capabilities, and can be thought of as high
level groupings of tasks. Activities to achieve an Information Governance capability may include Disposition,
Retention, Availability and Accountability. Activities to achieve a Leadership capability may include
Financial Results, Skills Development and Change Management.
Each activity is broken down into tasks, and includes one or more performance measures.
Measures
Measures are qualitative or quantitative descriptions of how an organization rates its performance for each
activity related to a capability. Each activity may have one or more measures. Using Information
Governance as an example again, the Accountability activity may have performance measures “Information
management practices are periodically evaluated” and “Manager is aware of IM policies and resources”.
These factors rate how well the organization manages its information.
Tasks
Tasks define the specific steps the organization takes to accomplish activities. They are steps considered
essential for achieving the desired outcome of the capability, or the actions taken to prevent, protect
against, respond to or recover from an event. Breaking activities down into measurable tasks helps an
organization identify areas for improvement in its processes.
Maturity Ratings
Capability maturity models consist of a set of levels, or ratings, that describe how well an organization’s
processes can reliably produce specific outcomes. As you enter your capability inventories you should
define these ratings, ensuring that they relate to progress towards achieving the tasks and activities for the
capability.
For example, an Information Governance capability may have maturity ratings ranging from Level 1 through
Level 5, with Level 1 representing an environment in which record-keeping concerns are sub-standard, and
Level 5 representing an environment in which information governance has been effectively integrated into
corporate infrastructure and business processes.
Managing a Capabilities Inventory
ERM enables you to manage an inventory of capabilities related to each type of risk the organization
assesses. For example, if your organization assesses operational and disaster risks, you can enter an
inventory of operational capabilities and an inventory of disaster capabilities. For each capability you can
enter one or more activities, measures and tasks, and you’ll define a maturity model to summarize the
organization’s performance for each capability.
If your organization is at an early stage in describing its capabilities, it may be helpful to begin by identifying
the individual tasks needed to achieve each capability. Once you’ve identified the tasks, group them under
common headings to form activities. Then define the performance indicators that should be used to assess
the achievement of each task.
1. Click Admin on the toolbar, and under Lookup Tables, click Capability Inventory.
2. Click Add Capability.
3. Select the Risk Type the capability relates to. The risk type determines which questionnaire the
capability displays on, and the type of risks the capability relates to.
4. Enter a name or short description of the capability.
5. Enter a detailed description or definition of the capability. Enter enough information to allow the person completing the questionnaire to accurately rate the organization’s performance and maturity level with
regard to the capability.
6. Under Outcome, describe the expected results to be achieved by obtaining mature capabilities in the
area assessed.
7. Under Active, select Yes if you want the capability to be displayed on the questionnaire. Otherwise,
select No. This option is useful if you want to record a capability but don’t want it to appear on the questionnaire yet, or if you want to temporarily or permanently remove a capability from the
questionnaire.
8. Click Create to save the capability, or click Cancel.
Add an activity. Click the capability to display it, then click Add Activity. Enter a name and description.
Under Active, select Yes if you want the capability to be displayed on the questionnaire, then click Create.
Add a measure. Click a capability, then click the activity to add measures for. On the right of the activity's
gray bar, click Add. Enter a description that describes the standard to which your organization’s
achievement should be measured for the activity. For example, describe how much, how well or how quickly
the activity should be performed. Click Create to save the measure.
Add a task. Click a capability, then click the activity and measure to add tasks for. On the right of the
measure's gray bar, click Add. Enter a description, then click Create.
Add a maturity rating. Click a capability, then click the Maturity Ratings tab. Click Add Maturity Rating,
and enter a title and description. Ensure that the title indicates how the rating fits into the set of ratings to
be entered for the capability. Under Sort Order, enter a numeric value to indicate where the maturity rating
should display in the list of maturity ratings for the capability. Enter 1 to indicate that the rating should sort
first, enter 2 to indicate that the rating should sort second, and so on. Click Create to save the maturity
rating.
Completing Capability Questionnaires
If a capability assessment is pending for your organization, a link will display on the dashboard. If multiple
questionnaires are pending a link will be displayed for each, and you’ll complete them separately.
1. Click the dashboard link to display the questionnaire.
2. Each capability will display on a separate row. Click a capability to expand it and read the related
activities.
3. Click each activity to display the related measures, and click each measure to display the related tasks.
4. For each task, select Yes or No to indicate whether your organization has achieved the task. Select All
Yes if your organization has achieved all tasks for the measure, or All No if none of the tasks have been achieved. A measure is considered achieved once all its tasks have been achieved, an activity is
considered achieved once all its measures have been achieved and a capability is considered achieved
once all its activities have been achieved.
5. Click Select Maturity to choose the maturity rating that most accurately describes the organization’s performance for the capability. Your decision should be supported by your responses for each task. As
your organization matures in its capabilities, update the maturity rating.
6. Click Save, or click Cancel to discard your changes.
Updating Capabilities
Resources, strategies and priorities may change over time. To ensure your capabilities inventory remains
relevant and complete, your organization should establish a schedule for reviewing and updating it. If you
update the inventory, notify the person responsible for completing the questionnaire, so that they can
review it. If you add a new task to the inventory after a questionnaire has been completed, a notification will
display on the dashboard indicating that the questionnaire is pending.
It is not necessary to complete an entire questionnaire at once. You can save your changes and
return to it later.
The dashboard link for the questionnaire will display until you have selected Yes or No for each task.
Consider completing capability questionnaires in collaboration with other people in your organization. Particularly in larger organizations, detailed knowledge of the various areas of your
organization’s capabilities may be distributed among multiple people.
If a task is added to the capability inventory for a completed questionnaire, the dashboard link will
be redisplayed. Click the link to open the questionnaire, and view the Activities Achieved scores to locate the updated capability.
To review or update a completed questionnaire, click Capability on the toolbar and select the questionnaire.
Strategic and operational capabilities are typically reviewed annually. Disaster capabilities may require
review every three to five years. However, these are guidelines only, and you should adopt the schedule that
best meets the needs of your organization.
Reports
Capability Assessment
The Capability Assessment report lists responses to your organization’s Capabilities Questionnaire for a
selected risk type. After the questionnaire has been completed, use this report to save the questionnaire
responses as a PDF.
1. Click Reports on the toolbar, and select Capability Assessment.
2. Choose a risk type.
3. Indicate whether to include tasks marked as Achieved on the questionnaire, tasks marked as Not Achieved, or tasks for which a response was not selected (multiple options can be selected).
4. Click Run Report to open or save the report as a PDF file.
Organizational Risk Summary
Use this report to summarize risk information for an organization based on degree of risk and risk type. The
report displays the following:
Cumulative impact scores for the selected risks. This enables the organization to view at a glance the
type of impacts its risks may result in, if left unmanaged.
Top ten risks by risk degree, for each risk category, for risks that resulted in a risk degree above a
threshold that you enter.
Top ten risks for each impact category by scenario score, for risks that resulted in a risk degree above the
threshold.
This is a useful report to send to an organization’s senior management or to other stakeholders who require
an overview of the organization’s risks.
1. Click Reports on the toolbar, and select Organizational Risk Summary.
2. Select the organization to generate the report for.
3. Select the threshold for the degree of risks to include on the report. For example, select Medium to
include risks with a degree of Medium or higher.
4. Select one or more types of risks to include.
5. Click Run Report to open or save the report as a PDF file.
Disaster Scenario and Strategic/Operational Scenario
The Disaster Scenario and Strategic/Operational Scenario reports list the details of scenarios that have been
scored for the selected risk type. These reports enable you to obtain statistics on scores by impact category
(when scenarios are scored, the resulting risk degree is displayed, not a numerical score). The reports
exclude scenarios for risks that have been archived, and display scenarios only for risks visible based on your
user account security settings.
1. Click Reports on the toolbar, and select Disaster Scenarios or Strategic/Operational Scenarios.
User Accounts and Permissions
You’ll need to create a user account for each person who requires access to ERM. As part of creating user
accounts, you’ll select one or more user roles for each person. The user roles you choose determine the
features the person will have access to. This section describes how to set up user accounts, how to modify
and deactivate accounts and how to select appropriate user roles.
Adding user accounts
1. Click the Admin button on the toolbar, and select Users.
2. Click Add User.
3. Enter a user name that the person will use when signing in to ERM. Consider defining standard user names which will be easy to remember, such as the person’s first initial followed by their last name.
Alternatively, consider adopting standards which already exist in your organization for sign-in
credentials.
4. Enter the person’s first and last name in the spaces provided.
5. Enter the person’s e-mail address in the space provided. E-mail notifications will be sent to the address
entered here.
6. Optionally, enter the person’s job title. The job title is displayed in selection lists to help ensure the
correct name is chosen.
7. Select an organization level to determine the risks and related information the person requires access to.
For example, if the person requires access to risks only for their branch, select their branch from the list. If they require access to risks for all branches in their department, select their department from the list.
If they require access to all risks for the organization, select the top-level organization from the list.
8. Under Active, choose No if you want to create the user account but do not want the person to have
access to ERM at present. Otherwise, choose Yes. Inactive user accounts remain in the system so that they can be re-activated, but attempts to sign in to the system will be blocked.
9. In the Assign Role section, select one or more roles based on the features the person requires access to. When you assign a role, the associated actions the person will have access to will be indicated.
User roles and when to select each:
Auditor: The person requires read-only access to all risks, mitigations and assessments throughout the
organization, with the exception of risks with the security level Ministerial Advice Access. The person does
not require the ability to edit information, and does not require access to Administrative features.
Capability Assessment: The person will be responsible for completing the Capability questionnaire for
their organization.
Corporate Risk Office: The person requires the ability to view and edit all risks, mitigations and
assessments throughout the organization, including risks with the security level Ministerial Advice Access.
The person does not require access to Administrative features.
Ministerial Advice Access: The person requires read-only access to risks with the security level Ministerial
Advice Access and associated mitigations, within their organization and organizational units below. Most
ERM roles don’t allow access to Ministerial Advice Access risks. Add this role to a person’s account when
you need to allow them to access these risks.
Org Level Access: The person requires read-only access to risks, mitigations and assessments in their
organization and organizational units below, with the exception of Ministerial Advice Access risks. The
person does not require the ability to edit information, and does not require access to Administrative
features.
Risk Officer: The person requires the ability to view and edit risks, mitigations and assessments in their
organization and organizational units below, with the exception of Ministerial Advice Access risks. The
person does not require access to Administrative features.
Sign In Only: ERM automatically gives this role to people assigned as external documenters and
assessment leads. The person will be able to sign into ERM, but can access only the assessment(s) they are
assigned to.
System Administrator: The person requires full access to the system, including access to Administrative
features such as managing user accounts and updating configuration information.
10. Click Create to save the user account, or click Cancel. When an account is created, ERM will send an e-mail to the address on the account with a link to ERM and a temporary password.
An important point to understand about roles in ERM is that they are cumulative. That is, a user account
may have multiple roles assigned to it, and the person will have access to the actions granted by all of their
roles. Here is an example:
Marie has the role Risk Officer. This means that she can view and edit risks, mitigations and assessments in
her organization and in organizational units below, with the exception of Ministerial Advice Access risks.
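The cumulative role model described above, as an added example that is not part of the original guide or of ERM itself: each role grants a scope (whole organization, or the user's organization and units below), a risk security level (ordinary or Ministerial Advice Access), and optionally edit rights, and a user's permitted actions are the union over all assigned roles. The organizational hierarchy, the user names and the `permitted_actions` function are constructed for illustration; System Administrator is assumed to include Ministerial Advice Access risks since the guide describes it as full access.

```python
from dataclasses import dataclass

# Constructed organizational hierarchy (child -> parent, None at the root).
ORG_PARENT = {"Yukon": None, "Health": "Yukon", "Hospitals": "Health",
              "Highways": "Yukon"}

# Per-role grant, transcribed from the role table:
# (whole organization?, ordinary risks?, Ministerial Advice risks?, may edit?)
ROLE_GRANTS = {
    "Auditor":                   (True,  True,  False, False),
    "Corporate Risk Office":     (True,  True,  True,  True),
    "Ministerial Advice Access": (False, False, True,  False),
    "Org Level Access":          (False, True,  False, False),
    "Risk Officer":              (False, True,  False, True),
    "System Administrator":      (True,  True,  True,  True),  # assumption
    # Capability Assessment and Sign In Only grant no access to risks.
    "Capability Assessment":     (False, False, False, False),
    "Sign In Only":              (False, False, False, False),
}


def is_within(unit, scope):
    """True when unit is scope itself or an organizational unit below it."""
    while unit is not None:
        if unit == scope:
            return True
        unit = ORG_PARENT[unit]
    return False


@dataclass(frozen=True)
class Risk:
    org: str
    ministerial_advice: bool = False  # security level Ministerial Advice Access


def permitted_actions(user_org, roles, risk):
    """Union of actions over all of the user's roles (roles are cumulative)."""
    actions = set()
    for role in roles:
        whole_org, ordinary, maa, edit = ROLE_GRANTS[role]
        in_scope = whole_org or is_within(risk.org, user_org)
        level_ok = maa if risk.ministerial_advice else ordinary
        if in_scope and level_ok:
            actions.add("view")
            if edit:
                actions.add("edit")
    return actions


if __name__ == "__main__":
    # Marie: Risk Officer in Health; adding the Ministerial Advice Access role
    # grants read-only access to those risks without granting edit.
    print(permitted_actions("Health", {"Risk Officer"}, Risk("Hospitals", True)))
    print(permitted_actions("Health", {"Risk Officer", "Ministerial Advice Access"},
                            Risk("Hospitals", True)))
```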
Deactivate a user account. To deactivate an account so that sign in attempts by the user will be blocked,
set the Active option to No. Inactive user accounts remain in the system so that they can be re-activated.
User accounts can’t be deleted.
Categories
Risk categories are used when risk statements are added to ERM. By selecting the relevant category for each
risk, you can perform reporting on the nature and severity of risks the organization faces. For example, the
Organizational Summary report lists the top ten risks by risk degree, for each risk category. Categories are
grouped by the risk types Strategic, Operational and Disaster.
1. Click Admin on the toolbar, and under Lookup Tables, click Categories.
2. To add a new risk category, click Add Category.
3. Enter a name for the category. You must enter a name that has not already been used for a category
within the risk type.
4. Optionally, enter a description.
5. Select one or more risk types that the category applies to.
6. Optionally, enter a numeric Sort Order to indicate where the category should display in lists of categories for the risk type. Enter 1 to indicate that the category should sort first, enter 2 to indicate that
the category should sort second, and so on. By default, categories sort from the lowest number to the
highest.
7. Under Active, select Yes if you want the category to be displayed when adding and updating risk
statements. Otherwise, select No. This option is useful if you want to enter a category but don’t want it to be used yet, or if you want to temporarily or permanently remove a category from category lists
without affecting existing risks.
8. Click Create to save the category, or click Cancel.
Add a subcategory. Within each risk category you can specify sub-categories. For example, you may have a
category called Public Health, and sub-categories within it called Large-Scale Contamination and
Pandemics. Click the “parent” category, and then click Add Sub-Category.
Edit or delete a category. Click the category or sub-category, then click Edit Category (or Edit Sub-
Category). To delete a category or sub-category, edit it and then click Delete. You can’t delete a category if
it is in use on a risk, or if it has sub-categories.
Geography Structure
When a risk statement is added in ERM, you must specify the geographic location it applies to so that the
organization’s risks can be analyzed based on location. ERM enables you to add the following levels of
regions:
Province/Territory
Regions within the province/territory
Cities within each region
Subdivisions within each city
1. Click Admin on the toolbar, and under Lookup Tables, select Geography Structure. ERM will display a list of regions for your organization.
2. To add a new region click the “parent” region to add it to, and then click the Add icon.
3. Enter a name for the region, and optionally, enter a short form, or abbreviation, of the region name
under Code.
4. Under Active, select Yes if you want the region to be displayed when adding and updating risk statements. Otherwise, select No. This option is useful if you want to enter a region but don’t want it to
be used yet, or if you want to temporarily or permanently remove a region from region lists without
affecting existing risks.
5. Click Create to save the region, or click Cancel.
Edit or delete a region. Click the region, then click Edit. To delete a region, edit it and then click Delete.
You can’t delete a region if it is in use on a risk, or if it has regions within it.
Organizational Structure
Because risk assessments apply to specific organizational units, you must select the applicable organization
when you begin an assessment. Before you begin using ERM to perform risk assessments, ensure that the
hierarchy and structure of your organization has been properly defined.
1. Click Admin on the toolbar, and under Lookup Tables, select Organizational Structure.
2. To add an organizational level, click the “parent” organization to add a level to, and then click Add.
3. Enter the name of the organization, and optionally, enter a short form, or abbreviation, of the organization’s name under Code.
4. Optionally, enable one or more risk types for the organization. When you begin an assessment for an organization, you must select the risk type that the assessment will pertain to.
5. Under Active, select Yes if you want the organization to be displayed in ERM. Otherwise, select No.
6. Click Create to save the organizational level, or click Cancel.
Edit or delete an organizational level. Click the organization, then click Edit. To delete an organization,
edit it and then click Delete. You can’t delete an organization if it is in use, or if it has organizations within it.
For a hierarchical view showing the relation between organizational levels, click Tree View. For a flat list
showing all organizational levels, click Report View. The Report View also indicates the risk type modules enabled for each organizational level.
More Resources
This section contains links to information useful for risk managers and other assessment leaders, as well as
information that can be provided to workshop participants, organizations’ senior management and to other
stakeholders.
ERM Tutorials
This site contains links to a variety of short tutorials on ERM and the risk management process. These
tutorials are useful for anyone who is responsible for using ERM to manage risk assessments, as well as for
participants in the process.
ISO 31000 – Risk Management
The processes described in this guide are based on the ISO 31000 standards for risk management. Visit this
site for more information on the standards, and for articles on risk management.
Public Safety Canada - All Hazards Risk Assessment
Includes a link to Public Safety Canada’s All Hazards Risk Assessment guidelines. You will also find a variety
of articles relating to risk management and emergency preparedness, and many other resources useful for
risk managers.
Global Association of Risk Professionals (GARP)
A not-for-profit independent organization that helps to create a culture of risk awareness within
organizations, and promotes best practices in risk management.
Implementing Risk Management – Risk Manager’s Guide
This document is intended for the risk manager or risk officer responsible for assisting an organization in its
adoption of a risk management process. View it by clicking the arrow in the top right corner beside your
name in ERM, and then selecting Help/User Guides.