Corporate Risk Profile 2021-22
- Introduction
- Departmental Risk 1
- Departmental Risk 2
- Departmental Risk 3
- Departmental Risk 4
- A Path Forward
- Appendix A: Risk Ranking Scales
- Appendix B: Residual Risks Assessment
Risk refers to the effect of uncertainty on objectives. It is the expression of the likelihood and impact an event can have on the achievement of objectives.
Introduction
The Corporate Risk Profile (CRP) is the product of the departmental risk management process, which is facilitated by the Strategic Planning Division (SPD). The CRP includes input from Public Safety's five branches, two directorates and the Office of the Ombudsman, and describes:
- Key corporate risks that may impede the Department's ability to achieve its expected outcomes;
- The context or environment in which the Department operates;
- The drivers of riskFootnote 1 that affect the likelihood of the risk materializing;
- The impactsFootnote 2 should risks materialize;
- The controlsFootnote 3 the Department has in place to mitigate the likelihood of risk materializing and/or the impact of risk should it materialize;
- The risk owners; and
- Additional strategies and measures being implemented to further mitigate residual risk.
The CRP is updated annually to remain current, flexible and responsive, while a comprehensive and thorough review and revision is conducted every three years. Fiscal year 2021-22 is the third year of the CRP lifecycle.
The CRP, along with the Integrated Risk Management Framework (RDIMS 3394475) and the Treasury Board Framework for the Management of Risk, provides the governance, processes and accountabilities linked to integrated risk management at Public Safety.
Corporate Risks
The CRP is comprised of the following four risks, which were established via departmental consultation in 2018-19 and first published in 2019-20:
- There is a risk that some program outcomes relying on the actions of partners will not be met.
- There is a risk that Public Safety will be unable to keep pace with and take advantage of technological advances.
- There is a risk that the Department may not respond effectively to the pace and magnitude of change in the evolving all-hazards threat environment.
- There is a risk that the Department will not attract and retain the employees required to achieve its organizational objectives.
The four risks have potential impacts on all of Public Safety's 12 Programs. For example, most Programs and some of the Department's internal services depend on external partners to achieve their intended outcomes. They all rely on technology to perform their work and provide their services. Given the nature of Public Safety's mandate to strengthen national security, community safety and emergency management, all Programs are impacted by big changes in the all-hazards threat environment. Lastly, the entire department suffers if it is unable to attract and retain the right employees to meet its specialized requirements.
Public Safety Programs (per the Program Inventory)
Core Responsibility 1: National Security
- National Security Leadership
- Cyber Security
- Critical Infrastructure
Core Responsibility 2: Community Safety
- Crime Prevention
- Law Enforcement and Policing
- Serious and Organized Crime
- Border Policy
- Indigenous Policing
- Corrections
Core Responsibility 3: Emergency Management
- Emergency Prevention/Mitigation
- Emergency Preparedness
- Emergency Response/Recovery
Corporate Risk Rankings
Corporate risks are ranked according to the likelihood of their occurrence and the impact should they occur (see Appendix A for the risk likelihood and risk impact scales and Appendix B for the risk rating matrix). Among all the corporate risks identified during the departmental risk management process in 2018-19, the four current risks ranked the highest – the most likely to occur and the most impactful if they were to occur – and, therefore, were retained to be monitored and mitigated.
Over the past three years, the Department has monitored annually the residual riskFootnote 4 levels for all four corporate risks through department-wide consultations. Over that period, branches have noted a reduction in residual risk levels. The controls and additional mitigation strategies that have been partially or fully implemented have contributed to branches assessing the residual risks as being in the range of Medium to Medium-HighFootnote 5. The most recent consultations were conducted from August to November 2021.
| Corporate Risk | Likelihood | Impact | Residual RiskFootnote 6 |
|---|---|---|---|
|
Moderately Likely (2.8) |
Moderate (3.4) |
Medium-High (9.5) |
|
Moderately Likely (3.0) |
Moderate (3.0) |
Medium (9.0) |
|
Moderately Likely (3.0) |
High (4.0) |
Medium-High (12.0) |
|
Moderately Likely (3.2) |
High (3.8) |
Medium-High (12.2) |
Departmental Risk 1
Risk Statement
There is a risk that some program outcomes relying on the actions of partners will not be met.Risk context
The majority of Public Safety's Programs must forge partnerships to implement initiatives and funding arrangements, meet objectives and achieve outcomes. The need to form partnerships creates a degree of dependence, which may render the Department vulnerable to the actions of partners whose interests or approaches may not align with its own. In some instances this can be mitigated by engaging with partners whose interests are compatible; however, this may not always be possible given the broad scope of partnerships the Department must have with other federal departments and agencies, other levels of government in Canada, foreign governments, the private sector, and non-governmental organizations.
Risk drivers
Risk drivers that were identified at the outset of the CRP cycle in 2018-2019 are as follows:
- Challenges in building and maintaining effective partnerships/relationships with portfolio agencies, other governmental departments, provinces, municipalities, non-governmental organizations and special interest groups;
- Reliance on partners and/or stakeholders to deliver federal programs and services;
- Changing domestic and foreign economic and political landscapes;
- Shared responsibilities and coordination between branches, the Department and other jurisdictions; and
- Insufficient resources to properly engage with all populations.
Impacts
Potential cascading impacts of this risk should it occur include:
- The Department may act in an uncoordinated, ineffective or inefficient manner;
- The Department may lose credibility;
- There may be a breakdown of relationships and barriers to future strategic collaborations;
- The Department may be in non-compliance with national or international standards, policies and requirements in relation to audit, evaluation and reporting;
- The Department may be unable to effectively deliver on its mandate;
- The lives of Canadians may be endangered due to the inability to leverage key partnerships.
Controls
Over the past three years, branches have identified the following controls:
- Efficient communication channels for communication of strategic priorities, risks and issues to Portfolio agencies;
- Integrated policy development procedures aligned among Portfolio agencies;
- Action plan with partners with clearly identified deliverables, timelines and frameworks that guide and facilitate activities;
- Regular reporting mechanisms for early identification of issues and opportunities with partners;
- Operational coordination and governance mechanisms (e.g., Federal Terrorism Response Plan and PS-CSIS Framework for Cooperation, National Cyber Security Strategy Horizontal Initiative Framework, Concept of Operations for Event Response) for effective coordination and governance;
- Joint committees and working groups with partner departments, various levels of government and industry leaders to discuss cross-cutting issues and initiatives, and to advance policy priorities (e.g., Federal/ Provincial/Territorial (FPT) DMs of Justice and Public Safety, DG National Risk Profile Coordinating Committee, Senior Officials Responsible for Emergency Management (SOREM), Cosmicheskaya Sistyema Poiska Avariynich Sudov-Search and Rescue Satellite-Aided Tracking (COSPAS-SARSAT) Programme, National Cross-Sector Forum, FPT Working Group for Critical Infrastructure, Multi-Sector Network meetings, Federal Department Critical Infrastructure (CI) Network, FPT Working Group for Critical Infrastructure, Anti-Money Laundering / Anti-Terrorist Financing Committees, Passenger Protect Advisory Group);
- Contribution funding agreements with partners that include clear expectations, outcomes, and appropriate incentive systems;
- Memoranda of agreement with provinces/territories (e.g., Memorial Grant Program, law enforcement funding contribution agreements with provinces and territories to build and enhance capacity to enforce new drug-impaired driving legislation);
- Engagement-focused relationships and forums with allies such as communities, provinces, territories, Indigenous groups, industry and other partners (e.g., Canada Centre for Community Engagement and Prevention of Violence, Federal Terrorism Response Plan, the National Cross Sector Forum and the Natural Disaster Mitigation Program);
- Community of Exercise Practitioners for Critical Infrastructure and Cyber Security;
- Lessons learned from collective response incidents through the Operations Centre Interconnectivity PortalFootnote 7 (OCIP).
Mitigation strategies and measures
Where gaps in risk controls have been identified for high-ranking risks, new strategies, measures and mechanisms can be implemented to fill those gaps and further reduce the risk ranking. No new strategies or measures were proposed for Risk #1 - Partnerships, during the 2021 department-wide consultations.
Departmental Risk 2
Risk Statement
There is a risk that public safety will be unable to keep pace with and take advantage of technological advances.Risk context
Over the past five years, the Government of Canada has been developing technology-related policies, directives, plans, strategies and standards to respond to the pace of technological advances and bridge the considerable gaps in its capabilities and infrastructure. There have also been significant federal investments in critical upgrades and modernizing the Government's IT infrastructure to tackle its “technical debt”Footnote 8.
In the recent iteration of the Digital Operations Strategic Plan, the Treasury Board of Canada Secretariat (TBS) details the list of strategic actions and concurrent initiatives that TBS, Shared Services Canada and other partners are taking to deliver on the six government digital priorities, including a digitally enabled public service. Some of these actions were fast tracked due to the advent of the COVID-19 pandemic and the rapid pivot to working from home. In keeping with this direction, Public Safety has improved bandwidth connectivity and updated audio-visual equipment to allow for ease of communications.
While digital advancement is happening, it is still a work in progress. Many challenges remain:
- A lot of the government's mission-critical IT infrastructure and systems are aging and at risk of breaking down; they need to be maintained and upgraded, which is costly;
- Systems are unable to store all the data that are the product of increased computing power and working digitally;
- Cyber threats and threats to digital privacy are on the increase;
- New technologies – such as machine learning, cloud-enabled information-sharing databases, 5G wireless communication, and artificial intelligence – and new business models are rapidly entering the market and will continue to do so for the foreseeable future;
- Employees lack modern and effective tools in the workplace to enable them to serve Canadians and work effectively; this issue has been amplified by the pandemic and the shift towards working from home;
- With an evolving technology environment, public servants and leaders lack the full skills required to keep pace; in fact, some technology skills are in very short supply in society in general, as well as in the public service.
Risk drivers
The risk drivers that were identified at the outset of the CRP cycle in 2018-2019 are as follows:
- The need to remain current with the latest technological advances;
- Outdated systems, such as the Departmental Financial Management System, which lags behind other government departments' financial systems (i.e., e-invoice processing, business intelligence, reporting, data quality, etc.);
- Challenges with connectivity;
- Multiple jurisdictions holding responsibility for Public Safety communications initiatives and, therefore, multiple systems at play;
- Challenges recruiting and retaining employees with specialized skillsets;
- Difficulties in interfacing and data sharing with partners and stakeholders;
- Managing the centralization of IM/IT services;
- Too few resources being assigned to Public Safety's grants and contributions system (PSIMS) to implement systems updates in a timely manner.
Impacts
The potential cascading impacts of this risk should it occur include:
- The Department may lack the information to make timely and evidence-based decisions;
- Employees and partners may not be aware of emerging threats or have access to appropriate and modern technology/tools to carry out responsibilities;
- Key partnerships may deteriorate;
- The Department may be unable to deliver in a timely way on mandate commitments;
- Canadians may be unaware of available services and, therefore, may not use them;
- The response to emergency and public safety events may be slowed or hindered, resulting in economic damage and loss of life.
Controls
Over the past three years, branches have identified the following controls as measures used to lessen the likelihood of this risk occurring and the impact should it occur:
- Critical IT system update schedule maintained to prevent exploitation of IT vulnerabilities;
- Acquisition of technology in partnership with key partners to increase existing capacity and interoperability (e.g., Internet portals for restricted external users to exchange information);
- Information management and technology-focused working group to discuss new technological solutions to process-oriented problems;
- Communication and engagement with IM/IT business partner to discuss digital solutions to process-oriented problems;
- Training on new technology and security of information;
- Improvements to audio-visual equipment to enhance communications between regional and NHQ boardrooms and enable collaboration in a hybrid work environment;
- Improvements to regional office bandwidth connectivity via installation of additional IT equipment to improve office connectivity;
- Liaison with stakeholders in other government departments (OGDs) and private industry, particularly in sectors deemed sensitive, to ensure that Public Safety remains abreast of technological developments;
- Windows 10 migration for all operating systems.
Mitigation strategies and performance measurement
| Risk Mitigation Strategy | Accountability / Strategy Lead | Indicator(s) | Year-End Target(s) |
|---|---|---|---|
| NEW - Ensure readiness of the new SAP S4 / HANA solution to be implemented by RCMP in 2022-23 by conducting a Fit-Gap analysis of Financial Management processes and being involved in key project planning activities. . | CMB | % of financial management processes that are included in the Fit-Gap analysis | 100% |
| Implement a business intelligence solution to provide direct access to grants & contributions datasets by means of a user friendly interface, and to allow employees and senior management to organize and report on real-time data. | EMPB | % of EMPB FTEs that have been trained on the business intelligence solution | 10% |
| NEW - Develop and deploy a secure, cloud-based communication and collaboration platform and tools (M365, Teams) to maintain and augment business continuity, productivity and performance in support of a more resilient, mobile, distributed workforce. | CMB | % of devices that have been migrated to M365 and Teams | 100% |
| NEW - Invest in up-to-date mobile computing devices – tablets, laptops, and smart phones – to provide improved and back-up capacity (e.g., switch Teams calls from tablets to mobile phones) in support of flexible and diverse working methods and environments. | CMB | % of new mobile computing devices and smart phones deployed | 100% |
| NEW - Invest in new IT security tools (e.g., [REDACTED] Titus) to increase monitoring, analysis and awareness of cyber incidents within the department. | CMB | Deployment of [REDACTED] Titus applications | Fully deployed |
| NEW - Upgrade internet connections and augment capacity via split tunneling, as well as provide instruction on accessing the corporate network via secure VPN to permit remote work anywhere, any time. | CMB | % of PS work sites with upgraded network bandwidth and improved Wi-Fi in all National Capital Region buildings |
100% of regional sites upgraded to Shared Services Canada/Microsoft recommended bandwidth & migration to GC Wi-Fi in all National Capital Region buildings |
| Make available instructional communications and training sessions on accessing the corporate network via secure VPN to all staff | 100% availability via CIO communiques, InfoBulletin, and training sessions |
Departmental Risk 3
Risk Statement
There is a risk that the department may not respond effectively to the pace and magnitude of change in the evolving all-hazards threat environment.Risk context
An all-hazards threat environment encompasses natural and human activity that may cause death or injury, property damage, social and economic disruption and environmental degradation. The likelihood of occurrence, the frequency and the impact of events - including extreme weather phenomena such as wild fires, flooding and tornados - are growing, thereby increasing the risk to national security and community safety, and creating a strain on emergency management. All-hazards threats also include rapidly evolving and often sensitive events that present a threat to Canadians, critical infrastructure, cyber systems and national security. Public Safety develops policy, legislation and programs to support Canada's capacity to respond to this broad range of threats. The Department also provides national coordination and leadership to partners and stakeholders, and works to strengthen preparedness and Canada's ability to prevent, mitigate, respond and recover from all-hazards events.
Risk drivers
The risk drivers that were identified at the outset of the CRP cycle in 2018-2019 are as followsFootnote 9:
- The complexity of cyber security;
- Extreme weather events due to climate change;
- Man-made environmental disasters;
- Urbanization and critical infrastructure interdependencies;
- Evolving security risks;
- Geopolitical developments;
- The interconnected nature of global supply chains.
Impacts
The potential cascading impacts of this risk should it occur include:
- The Department may be unable to appropriately prepare for or react to an all-hazard threat in a timely manner;
- The Department may be unable to render appropriate decisions;
- The Department may not be able to deliver on its mandate;
- The Department may lose credibility;
- The Department may be unable to provide an effective response to disasters and recovery efforts resulting in economic damage, injury or loss of life.
Controls
Over the past three years, branches have identified the following controls as measures used to lessen the likelihood of this risk occurring and the impact should it occur:
- Environmental scans to help assess potential risks and opportunities;
- Planning and risk assessment processes for responding to threats;
- Operational coordination and governance mechanisms (e.g., Departmental Continuity Management Plan, Building Emergency Response Plans, COVID Protocols, Hazards Prevention Program);
- Funding and engagement with partners to enhance crime prevention, border and law enforcement activities related to serious and organized crime, and to combat money-laundering and financial crime;
- Engagement with the security and intelligence community to remain apprised of main terrorist and violent extremist threats facing Canada;
- Engagement with international partners and technology companies to ensure online radicalization to violence is understood and effectively addressed;
- Virtual Risk Analysis Cell (VRAC) Program, which develops and shares analytic products and produces impact assessments on disruptions to CI;
- Hands-on training given to Industrial Control System (ICS) experts through the Cyber Engagement Program Symposium, exercises and workshops;
- Government Operations Centre (GOC) training plans utilized to ensure that employees have the knowledge and expertise to carry out responsibilities;
- Collaboration with domestic partners to leverage existing expertise in the cyber realm;
- Capability-based planning (CBP) adopted across FPT governments to address the evolving all-hazards disaster risk environment;
- Regional Resilience Assessment Program (RRAP) non-technical cyber security assessments tools implemented to assess network vulnerabilities (e.g., Network Vulnerability Assessment Tool and the Canadian Cyber Security Tool);
- Oversight, measures, and guidance established to protect the health and safety of employees, including in relation to the pandemic and the anticipated return to a centralized/physical workplace;
- Tools and strategies for departmental partners that address disaster risk influenced by climate change (e.g., National Adaptation Strategy, Climate Lens Pilot, Federal Sustainable Development Strategy 2022-26);
- Renewal and continuous monitoring of the National Strategy for Critical Infrastructure, in collaboration with public and private sector stakeholders, to promote critical infrastructure resilience;
- Updated Public Safety Departmental Security Plan to help mitigate security risks associated with remote work;
- National Strategy to Combat Gun and Gang Violence developed in collaboration with federal, provincial and territorial partners and key stakeholders.
Mitigation strategies and performance measurement
| Risk Mitigation Strategy | Accountability / Strategy Lead | Indicator(s) | Year-End Target(s) |
|---|---|---|---|
| NEW - Establish a Risk Management Community of Practice (RMCOP) to better respond to the ever-evolving all-hazard threat environment. The goal will be to increase awareness of risk management concepts and practices through presentations, exchanges on best practices, and discussions on challenges and risk management strategies. | PACB | % of RMCOP members who indicate that the forum has increased their awareness of risk management practices | 70% |
| % of members who indicate that the knowledge gained through RMCOP will help them better respond to the ever-evolving all-hazard threat environment | 70% | ||
| NEW - Provide policy, training, and operational support to partners in Canada's anti-money laundering, anti terrorist financing regime through the Financial Crime Coordination Centre (FC3). | CPB (formerly NCSB) |
% of partners who reported that Anti-Money Laundering Action, Coordination and Enforcement (ACE) Fusion Team support enhanced their efforts to detect, disrupt and prevent money laundering | 20% |
| % of partners who reported that ACE's support enhanced their efforts to detect, disrupt and prevent terrorist financing | |||
| Implementation of the recommendations from the Government Operations Centre (GOC) Modernization Review | EMPB | % of GOC modernization recommendations addressed | 56% |
Departmental Risk 4
Risk Statement
There is a risk that the department will not attract and retain the employees required to achieve its organizational objectives.Risk context
Public Safety competes against other government departments and agencies as well as the private sector to attract and retain competent, skilled and knowledgeable individuals to carry out the work performed by the Department. The challenge of talent retention is further compounded by the fact that employees are changing jobs on a frequent basis. The vacancies created by this constant movement combined with an inexperienced workforce may hamper the Department's ability to deliver on its mandate.
Risk drivers
Risk drivers that were identified at the outset of the CRP cycle in 2018-2019 are as follows:
- Increasing mobility of employees due to a rise in work opportunities across the public service and the Canadian economy;
- Long and complex hiring processes;
- An aging population and more individuals exiting the workforce;
- Rapid globalization and technological changes leading to the changing nature of work;
- A shortage of certain employees, such as financial and IT officers, which causes significant turnover/movement of employees;
- The complexity of cyber security and its associated skills and responsibilities.
Impacts
Potential cascading impacts of this risk should it occur include:
- The Department may be unable to render timely, well-informed decisions;
- The Department may not be able to deliver on its mandate;
- The Department may lose credibility;
- Public Safety partnerships may erode;
- The Department may be unable to provide an effective response during natural disasters and recovery efforts resulting in economic damage, injury or loss of life.
Controls
Over the past three years, branches have identified the following controls as measures used to lessen the likelihood of this risk occurring and the impact should it occur:
- Talent Mobility Inventory of current Public Safety employees maintained to assist managers with staffing needs while encouraging internal opportunities;
- Training and communicating to hiring managers on staffing options and the Instrument of Delegation of Human Resources Authorities;
- Public Safety Talent Management Strategy applied for the effective application of integrated human management practices;
- Participation in virtual career fairs and diversity events within and outside of the NCR throughout the year to promote the Department as an employer of choice and to recruit talented individuals;
- Initiatives and governance structures focusing on enhancing the departmental culture, workplace and workforce (e.g., Culture Connect, Mental Health Days and Weeks, Workplace Consultative Committee, Pulse Surveys, Inclusive by Design and the Positive Space Initiative);
- Options for remote and blended office-home working arrangements enabling employees to work from non-Public Safety office locations;
- Enhanced Public Safety onboarding (and off boarding) processFootnote 10 to help new arrivals to the Department adapt quickly to their workplace;
- Psychological Hazard Assessment (Public Safety Mental Health Benchmark Assessment) of employees.
Mitigation strategies and performance measurement
| Risk Mitigation Strategy | Accountability / Strategy Lead | Indicator(s) | Year-End Target(s) |
|---|---|---|---|
| NEW - Implement the hybrid workplace model to support culture and community, employee retention and wellness, and organizational resilience. | CMB | % of employees who answered positively to: “How satisfied are you with current remote work arrangements?” The data source is the Pulse Survey. (Responses include: Very Satisfied and Somewhat Satisfied) |
81% (Aiming for equal or greater than May 2021 results) |
| NEW - Implement the Equitable, Diverse and Inclusive Recruitment Strategy to change business approaches to recruitment to facilitate increased hiring of Canadians of diverse backgrounds and abilities. The business approaches are in keeping with our One Public Safety approach and the objectives set out on diversity and inclusion in the Values and Ethics Strategic Framework and Action Plan. The actions in this strategy also contribute to Public Safety's Strategic Framework on Diversity and Inclusion, released in fall 2020. | CMB | % of employees who answer positively to: “I feel that I have equitable access to career and development opportunities” The data source is the Pulse Survey. |
Women: > 72% Persons with disabilities: > 45% Indigenous people: > 57% Visible minorities: > 43% LGBTQ2S+: > 70% (Aiming for greater than May 2021 results) |
A Path Forward
With corporate risks assessed as Medium to Medium-High as the Department heads into the last year of the CRP's three-year cycle, it appears that implemented controls and mitigation measures in progress are helping to reduce the corporate risks the Department is facing.
Every year, Public Safety identifies the priorities on which to focus its attention and resources. Departmental priorities are generally established in response to ministerial mandate commitments as well as in relation to critical events and the Department's operating environment. They can also be derived from corporate risks, which will ensure that adequate resources are allocated and attention is paid to effectively addressing high-ranking risks to the Department.
Once the risks are addressed, or at the very least accepted and monitored, the Department can look to the future and feel confident in facing new challenges.
Appendix A: Risk Ranking Scales
The following scales are used to assess the likelihood and the impact of any given risk.
Risk Ranking Scale ― Likelihood
Probability / Likelihood of Risk
Level 1: Very Unlikely - The event is seen as very unlikely to occur under normal circumstances.
Level 2: Unlikely - The event is seen as unlikely to occur under normal circumstances.
Level 3: Moderately Likely - The event is seen as reasonably likely to occur under normal circumstances.
Level 4: Likely - The event is seen as likely to occur under normal circumstances.
Level 5: Imminent - The event is expected to occur (or be imminent) almost all of the time, or continually, under normal circumstances.
Risk Ranking Scale ― Impact
Level 1: Negligible - The consequences of the risk, should it materialize, can be absorbed through normal activity.
- Schedule: Schedule not affected. Schedule can be managed within plan. Able to meet key milestones with no schedule delay.
- Cost: Budget not affected. Cost increases can be managed within plan.
- Scope: Scope not affected. Scope changes can be managed within plan.
- Quality / Performance: Requires minor quality/performance tradeoffs within the objective's threshold range. No impact on objective's success.
Level 2: Low - The consequences of the risk, should it materialize, can be absorbed but management effort is required to minimize the impact and prevent it from interfering with organizational objectives.
- Schedule: Minor schedule slip. Non-critical path activities late. Impact to critical path up to 1 month only.
- Cost: Budget affected by less than 5%.
- Scope: Scope may be affected. Scope changes can be managed within plan.
- Quality / Performance: Quality / performance below goal but within acceptable limits. No changes required. May not meet non-critical objective requirements.
Level 3: Moderate - The consequences of the risk, should it materialize, could affect organizational objectives but can be absorbed through targeted management intervention to minimize the impact; program modifications may be required.
- Schedule: Moderate schedule slip. Increases critical path activities between 1 to 2 months.
- Cost: Budget affected by 5% to just below 10%.
- Scope: Scope will be affected. Scope changes may be managed within plan. Management involvement may be needed. Non-key objectives may be at risk.
- Quality / Performance: Quality / performance below goal. Moderate changes required. May not meet an objective requirement.
Level 4: High - The consequences of the risk, should it materialize, could threaten organizational objectives, but can be endured through significant and sustained management intervention to contain the impact; major program modifications may be required.
- Schedule: Increases critical path activities between 2 to 3 months.
- Cost: Budget affected by 10% to 20%.
- Scope: Scope will be affected. Scope changes may not be managed within plan. Major management involvement will be needed. Key objectives may not be met.
- Quality / Performance: Quality / performance unacceptable. Major changes required. Will not meet objective requirements.
Level 5: Extreme - The consequences of the risk, should it materialize, could lead to permanent or long-term damage to the organization's ability to achieve its objectives; may require total program/ initiative overhaul or large-scale, long-term organizational/ programmatic/ initiative change.
- Schedule: Critical path delayed by over 3 months.
- Cost: Budget affected by over 20%.
- Scope: Scope will be affected. Scope changes will not be managed within plan. Significant management involvement will be needed. Key objectives will not be met.
- Quality / Performance: Quality / performance unacceptable. Significant changes required. Key objective requirements will not be met.
Appendix B: Residual Risks Assessment
A risk heat map is a tool used to visually represent the results of a risk assessment process in a meaningful and concise way. It involves evaluating the likelihood and potential impact of identified risks.
| Likelihood / Probability | ||||||
|---|---|---|---|---|---|---|
| 1 Very Unlikely |
2 Unlikely |
3 Moderately Likely |
4 Likely |
5 Imminent |
||
| Impact | 5 Extreme |
5 Medium |
10 Medium-High |
15 High |
20 Very High |
25 Very High |
| 4 High |
4 Medium-Low |
8 Medium |
12 Medium-High |
16 High |
20 Very High |
|
| 3 Moderate |
3 Low |
6 Medium-Low |
9 Medium |
12 Medium-High |
15 High |
|
| 2 Low |
2 Very Low |
4 Low |
6 Medium-Low |
8 Medium |
10 Medium-High |
|
| 1 Negligible |
1 Very Low |
2 Very Low |
3 Low |
4 Medium-Low |
5 Medium |
|
Very Low: Risk worth accepting
Low: Risk worth accepting with monitoring
Medium-Low & Medium: Management effort worthwhile
Medium-High & High: Considerable management required
Very High: Extensive management essential
- Date modified: