CPPM Policy Chapter 14: Risk Management

Last updated on April 16, 2018

This Core Policy and Procedures Manual chapter presents government's risk management policy for an integrated enterprise-wide risk management process.

14.1 Objectives

  • Recognizing risk management as critical to the achievement of government's goals and governance responsibilities.
  • Encouraging a culture that embraces innovation and opportunity, informed risk-taking, and acceptance of risk as inherent in all activities of government.
  • Providing common and consistent risk management processes and practices that
    • provide assurance that risks are identified and appropriately managed, and
    • support ministries in operational and strategic decision making.

14.2 General

In a culture of mature Enterprise Risk Management (ERM), every manager and employee is familiar with the principles of risk management, takes a role in the management of risk within their areas of responsibility, and escalates those risks beyond the scope of their authority or available resources.


Risk - the effect of uncertainty on objectives. 

Risk Management - structured and disciplined efforts undertaken to identify and mitigate risk and to reduce uncertainty in the achievement of organizational goals and objectives.

Enterprise Risk Management (ERM) - the coordinated, ongoing application of risk management across all parts of an organization which flows from the strategic planning to the operational (service delivery) level.

Find more definitions in CSA/ISO 31000 Risk Management principles and guidelines (government access only).

Roles and Responsibilities

  • Ministries are responsible for risk identification, prioritization and mitigation; implementation performance and risk management maturity.
  • Deputy Ministers’ Council is responsible to Cabinet for the management of risk within government, and the escalation of risks and recommended mitigations affecting government-wide policies and programs, strategic priorities and critical decisions.
  • The Government Chief Risk Office (GCRO), resident in the Risk Management Branch, is responsible for adoption of risk management policy, processes and practices. GCRO is responsible to Cabinet for collation and analysis of corporate risks, to Deputy Ministers’ Council for collation and analysis of ministry ERM performance reporting, and to Deputy Ministers’ Council for collation and analysis of ministry ERM maturity reporting.

14.3 Policy

The aim of this policy is to ensure implementation of an appropriate Risk Management accountability mechanism within ministries and across government. This policy seeks to establish and confirm consistent and compatible risk management standards, processes and practice within ministries while reducing barriers to successful implementation.

Ministries must:

  1. Appoint a senior ERM coordinator (ADM or equivalent) to oversee the implementation and ongoing management of ERM, and ensure the maintenance of ministry-wide registers.
  2. Utilize the Risk Management Branch’s approved ERM process (government access only), tools, training and guidance, or consult with the Risk Management Branch to modify the tools if needed.
  3. Conduct an assessment of Enterprise Risk Management implementation within their ministry using the Risk Maturity Self Assessment model (DOCX) (government access only) developed by RMB and report the results to RMB every three years.
  4. Compile and maintain ministry-level risk registers following a government-wide standard process and format, and provide a copy to the Government Chief Risk Office, Risk Management Branch annually.
  5. Track and record progress of planned risk mitigations and provide to RMB semi-annually.
  6. Retain risks that remain after mitigation.

In its role as Government Chief Risk Office, Risk Management Branch must:

  1. Maintain an overall risk register derived from ministry-level risk registers.
  2. Compile and report enterprise risks to Cabinet annually.
  3. Compile and report ministries’ ERM performance to Deputy Ministers’ Council semi-annually.
  4. Compile and report ministries’ ERM maturity to the Deputy Ministers’ Council every three years.
  5. Monitor ministry ERM performance reports and provide feedback to ministries on the progress of their mitigation strategies.
  6. Support ministries to improve their risk management practice and maturity through the provision of tools, resources, expertise and facilitation.

14.4 Information and References



Contact Information

The Risk Management Branch and Government Security Office (government access only) is accountable for the effective management of the risks to which government is exposed by virtue of its assets, programs and operations.

RMB develops and supports policy for the following CPPM chapters:

RMB approves indemnities, manages claims and litigation for many public sector agencies, operates risk financing programs, provides contract reviews for risk management issues and contractor insurance, and supports government ERM objectives with how-to training, implementation support and facilitated risk assessments for projects, policies, programs and planning of any scope.
