Risk Management Guideline

Enterprise Risk Management is a disciplined approach that enables an organization to identify, evaluate, analyze, monitor, and mitigate the risks that threaten the achievement of the organization’s strategic objectives. Every organization is susceptible to risk in many different areas: operational, market, legal, environmental, reputational, brand, liability, financial, and property.

Introduction

For activities in Scouts Canada, risks must be identified and evaluated to ensure the safety of youth and members, the delivery of planned outcomes, the preservation of asset value and property, and the protection of the environment, and to ensure all activities (‘projects’) are conducted within the law and regulatory requirements. Scouts Canada organizations at all levels must actively manage their risks and accurately inform the responsible commissioner.

This document describes in detail how a consistent Risk Management procedure can deliver value, and how it can be done both effectively and efficiently. This guideline is not intended for groups, sections or Scouting individuals.

Introduction to Risk Management

Risk Management is primarily about adopting a (structured) way of working, that ensures risks are identified, understood, agreed, communicated and acted upon in a timely and consistent manner. Risk Management delivers the most value when it is led and steered by the appropriate Scouting leadership (team) and actively used to support the decision-making process.

Risk Management has three main purposes: (1) Enabling better decision-making, (2) Protecting the value of past decisions by reducing the impact and chance of ‘negative’ events and (3) increasing the benefit and likelihood of ‘positive’ events affecting those decisions.

Risk management aims to focus attention on uncertain future events and prioritise them against current issues/opportunities. It adds value, not by listing obvious and common activities, but by providing a structured way to foresee the unexpected and be prepared for it. It helps keep track of future events that are not shouting for immediate attention, but which are important because they could have a major impact on the activity. In this way it helps leadership teams to be pro-active and prevents them from entering into a ‘fire-fighting’ mode.

Note: People are generally (too) optimistic about the downside a project / activity faces, or the effort required to manage it, and it is often not fully reflected in the plan. The pro-active management of risks is therefore often seen as a bureaucratic step. It is the job of leadership to champion risk management and ensure proper application.

Organizational Framework for Managing Risk

To enable this process, an organizational framework must be defined that addresses the (i) roles and responsibilities, (ii) identification, assessment and prioritisation of risks, (iii) documentation and (iv) communication.

i. Roles and Responsibilities

The following roles and responsibilities should be assigned, resourced and observed – together with clear deliverables, training requirements and time allocation as appropriate.

Decision-Maker (e.g. CEO, ED, RD)
  • Champions the need for the Risk Management process
  • Sets objectives (e.g. project / activity / event)
  • Approves risk responses for risks and assigns resources
  • Uses risk information in decision making
(Assigned) Risk Coordinator (e.g. Staff Member)
  • Maintains the quality of the risk register
  • Ensures risks are correctly assessed and the logic recorded
  • Ensures all recorded risk responses are agreed and resourced
  • Screens proposed risks and accepts/rejects into risk register
  • Proposes Risk Owners
  • Reports risk information to management (Scouting Leadership Team / Council Key 3 member / Functional Commissioner)
Risk Owner (e.g. ED, RD, CK3 Member)
  • Describes and assesses the risk and proposes suitable risk responses
  • Obtains approval and resources (Action Owners) for planned responses
  • Tracks progress, reviews risk, improves responses, closes risks
  • Keeps continuous record of risk status in register
Action Owner
  • Executes actions as agreed with Risk Owner
  • Records action status in risk register
Team Member
  • Identifies risks and proposes them to the risk register
  • Feeds back effectiveness of risk responses to Risk Owner
  • Is aware of main risks impacting own and others’ work or role

ii. Risk Identification, Assessment & Prioritisation

A comprehensive risk assessment goes beyond a safety checkup. It attempts to identify a complete range of potential outcomes that may impact success in many categories. It assigns a risk rating, enables the development of risk management strategies, and develops skill and competency in hazard identification, risk assessment and management.

Risks have to be prioritised and ranked in a consistent and transparent manner against other items requiring project resources and management attention.

Risks must be assessed on their probability and impact on the plan and objectives and prioritised based on their severity. The risk assessment matrix is the primary tool to distinguish and prioritise risks.

To manage risks there are 7 steps that must be taken [as defined in the Risk Management Standards]:

  1. Identify: the risk is identified
  2. Assess: the risk is assessed and ranked against other risks [using the Scouts Canada Enterprise Risk Matrix – see APPENDIX]
  3. Plan: based on the risk assessment, responses are planned and approved [using the Scouts Canada Risk Hierarchy – discussed below]
  4. Implement: actions are executed, and responses put in place
  5. Monitor (review, appraise, re-assess): feedback is obtained, the risks, actions and responses are monitored for changes and effectiveness, and the situation is re-assessed
  6. Improve: if necessary, the plan to manage the risk is updated
  7. Close: as mitigation measures are effectively implemented, close out the risk in the risk register.

Risk Management Hierarchy

When determining how to develop risk controls and actions, we use the standard risk management hierarchy of controls; in order of preference:

  1. First, we design controls that should eliminate possible hazards (sources of potential danger). e.g. we ensure our program is age-appropriate, or, we select a site for an activity which is not dangerous.
  2. Second, we use engineering controls, which reduce risk without human intervention. e.g. we use auto-locking belay devices when doing top-rope climbing and ensure a secure ground anchor.
  3. Third, we use administrative controls, which require human intervention to lessen the risk. e.g. we ensure all youth and scouters have a swim test before we go on a canoe expedition and ensure the expedition leaders are trained in flat-water canoeing.
  4. Lastly, we use personal protective equipment that should limit the severity of the consequence (for example, personal protective equipment to keep someone from getting hurt). e.g. we wear helmets for biking and tobogganing and safety glasses for repairs to camp equipment.

iii. Risk Documentation

Managing all the risk information, along with the tracking and reporting, requires a suitable tool. Scouts Canada utilises a standard risk register format that incorporates the following classification (in sequence):

No.
  • Number for categorization / reference only
Status
  • Current status = Active / Closed
Risk Category

Or… When or where could this happen?

  • Thematic grouping of risks for summarization or plotting on a Council or National Risk matrix. Based on the Risk Matrix, select the highest impacted risk category affected by the risk event. (e.g. Safety, Financial, Reputation)
Risk Scenario

Or… What could happen?

  • Scenarios are summary descriptions “in the event of…”
Risk Event

Or… What might make this happen?

  • Risk events are risks that may impact the achievement of objectives
  • Ensure the actual risk event is adequately defined and described, not just its impact
Risk Causes / Drivers / Triggers

Or… What could be the result?

  • Description to help the reader understand the causes underlying the risk event: “Risk is caused by….”
Impact / Consequence
  • The level of loss/gain associated with a risk event. What are the specific reasons for selecting the impact rating?
Impact Rating (Inherent)
  • The level of loss/gain associated with a risk event. The impact rating is based on the most severe rating for any individual risk category.
Likelihood Rating (Inherent)
  • The rating that best suits the likelihood of the risk event occurring if no action is taken.
Inherent Risk Rating
  • Indicates the inherent risk exposure (before any mitigations or controls are applied)
Current Controls & Mitigations

Or… What are we already doing to keep this from happening?

  • What mitigation controls or treatments are currently in place?
Impact Rating (Residual)
  • What is the impact rating given the mitigation & controls currently in place?
Likelihood Rating (Residual)
  • What is the likelihood of the event occurring given the mitigation & controls currently in place?
Residual Risk Rating
  • Indicates the remaining risk exposure. Comparing residual risk with inherent risk exposures will indicate the effectiveness of current controls
(Risk) Treatment Owner
  • Individual responsible for ensuring current mitigation or controls in place are being used, and any proposed risk treatment strategies or mitigation plans are implemented in a timely manner.
Risk Treatment Strategy

Or… What can we do to reduce or eliminate this risk?

  • Compare the Residual Risk and Targeted Risk Exposure and then choose one of the following four responses: Risk Reduction, Risk Avoidance, Risk Transfer, Risk Acceptance
Impact Rating (Future / Target)
  • What is the targeted impact rating after proposed mitigation & controls are put in place?
Likelihood Rating (Future / Target)
  • What is the targeted likelihood of the event occurring if the proposed mitigation & controls are put in place?
Future Residual Risk Rating
  • Indicates the targeted risk exposure. Comparing targeted risk with residual risk indicates the effectiveness of proposed controls. This helps when prioritizing the implementation of mitigations & controls

iv. Communication

To make risk management happen in practice, it is important to communicate effectively and integrate ‘risk’ into normal management practices. The project / activity risk management plan should describe how this is achieved and serve as a support document for:

  • On-boarding of new team members e.g. new Council Key 3, Senior volunteers or National Staff.
  • Incorporation of risk management into standard regular meetings.
  • Engagement with other stakeholders as appropriate and required.

The risk management plan should be as specific and practical as possible and focus on what the project will do to ensure its risks are managed.

For risk management to deliver value, the understanding gained by taking the risk through the risk management process needs to be communicated. Teams must decide on the following:

  • How are risks made part of the decision-making process?
  • How are risks integrated in plans and cost/schedule estimates/analysis?
  • How are risks communicated up, down and across the organization?
  • How are new risks identified, logged, approved and shared?
  • How are risks tracked and deviations managed?
  • How are risk responses and the residual risk approved and resourced?
  • How are risk responses (actions) tracked and deviations managed?
  • How are risks closed out (formal procedure/sign off)?
  • How are people trained?

Approved: January 2021

Uncontrolled When Printed: When printed, document cannot be guaranteed to have the current information and should be used with caution. This document is marked “uncontrolled” and the user is responsible for determining if the current version is active. To find the most updated version, please refer to Scouts Canada BP&P on Scouts.ca.