Understanding your organization’s risks is the first step in developing an effective anti-corruption compliance program. But for many businesses, identifying and understanding their risks is a complex process, involving research, analysis and cooperation from all levels of the organization. Since every company needs a robust compliance program, an effective risk analysis is crucial. The consequences of getting this step wrong can be astronomical. Join anti-corruption experts Marc Tassé and Patrice Poitevin, as they outline the steps and tools necessary to create a risk profile for your organization. The webinar will cover: Tools to help determine areas of risk Factors to evaluate The importance of due diligence once risks are identified Continuous evaluation of your compliance program How to achieve accountability and transparency

1. How to Create a Risk Profile for
Your Organization: 10 Essential Steps
Pat Poitevin, CACM, TASA
Marc Y. Tassé, CPA, CA, CFF, CICA
Canadian Centre of Excellence for Anti-Corruption

2. Pat Poitevin, CACM, TASA
Patrice Poitevin is co-founder and Managing Director of the
Canadian Center of Excellence for Combating Corruption
(CCEAC)
Mr. Poitevin is a 35-year veteran of the Royal Canadian Mounted
Police (RCMP). He retired in October 2017 where he was an anti-
corruption and compliance expert for the RCMP. He is an
internationally recognized expert in the fight against corruption,
ethics and compliance. He is in demand as an expert, speaker
and trainer
Mr. Poitevin was part of the Canadian project committee (PC278)
involved in the development of the anti-corruption management
system standard ISO 37001 and of the United Nations Global
Compact Global Network working group that created the
electronic book anti Corruption.
He is also a member of Transparency International Canada, a
certified anti-corruption official (CACM - USA), an accredited
Trace Anti-Bribery specialist (TASA) and a member of the
Transparency International expert network.

3. Marc Tassé, MBA, CPA, CA, CFF
Marc Tassé is a forensic accountant and is recognized worldwide
as an authority in the fight against corruption, money laundering
and the financing of terrorist activities.
Seasoned and award-winning MBA lecturer and ISO 37001
teaching expert, Mr. Tassé is frequently invited by the media as a
commentator, and he often gives lectures on subjects related to
his areas of expertise . He has published extensively on these
topics in Canada and abroad, and is cited in various prestigious
publications, including the Wall Street Journal.
Mr. Tassé holds the title of Chartered Professional Accountant
(CPA auditor, CA), as well as the American titles of Forensic
Certified Public Accountant (FCPA), Certified Internal Controls
Auditor (CICA), Certified in Financial Forensics (CFF) and
Certified Anti-Corruption Manager (CACM). He holds a Masters of
Business Administration and an Honors Bachelor of Commerce
from the Telfer School of Management at the University of Ottawa.
Marc is also a senior manager and instructor at the Canadian
Centre of Excellence for Anti-Corruption (CCEAC).

4. The adoption of ERM & GRC
processes & standards

5. Governance, Risk management
& Compliance (GRC)

6. Risk management processes
and capability

7. What is a risk profile
A risk profile is a summary that lists estimates for all the risks
associated with a strategy, program, project or activity. Risk profiles are
documented and visualized using different methods but are typically
based on estimates for the probability and impact of a list of identified
risks.

8. Why do you need a risk profile
1. Better informed decision making and corporate planning
• A key purpose of a risk profile is to support effective decision
making in circumstances of uncertainty. By clearly highlighting
where key risk exposures exist, senior decision makers can
work to manage these and avoid action which would drive the
risk outside of acceptable tolerances.
2. Improved ability to anticipate change, emerging risk and
disruption to operations
• A risk profile can support the consideration of emerging and
future risk as well as current exposures so that contingency
plans can be developed where required.

9. Step 1 - Profiling approach and
process
A disciplined approach to risk profile maintenance includes an ongoing
process to identify new or emerging risks and analyze the threats and
opportunities they may represent. This process helps the entity to:
• understand the likely effectiveness of existing strategies and
controls in mitigating emerging risk and optimizing opportunity
• understand how new risk changes the overall exposure of the
entity
• understand the impact that the changed risk profile could have
on stakeholders and shared risks
• anticipate change and disruption to operations

10. Step 2 - Understanding risk
exposure compared to risk
appetiteA good representation of an entity’s risk profile will support senior
officials to understand whether the entity is holding too much, too little,
or just enough risk. Where an entity has a well-defined risk appetite,
this can be represented within the risk profile. The risk profile can be
used to clearly highlight where activities, programs or business units
are operating outside defined risk tolerance thresholds.

11. Step 3 - Organisational
requirements for risk profiling
Departments and agencies are increasingly seeing the benefits of
implementing an integrated risk management approach. A first step in
pursuing integrated risk management is to develop an organization-
wide risk profile (often referred to as a corporate risk profile)

12. • Key risk areas (e.g., strategic, operational, project)
• Strengths and weaknesses of the department/agency
• Major opportunities and threats
• Risk tolerance levels
• Capacity to manage risks
• Learning needs and tools
• The organization’s risk tolerance, priority setting and ability to mitigate
risks
• Linkages between different levels of risks (e.g., operational and overall
departmental priorities, business and program risks, sector specific
and department-wide)
• Linkages with management processes of the department
Step 4 - Risk profile should address

13. Scope of profiling activity
A corporate risk profile can be prepared for a specific department,
agency, or sector/branch, depending on the scope of its mandate and
operations. The challenge is to ensure that risk management is aligned
at the various levels of the organization.

14. Examples of risks (1)

15. Examples of risks (2)
L

16. A practical approach to developing,
maintaining and improving a risk
profile

17. Step 5 - Develop the Risk profile
• Assess risk with both a short and long-term focus. This enables the
subsequent risk profile to inform both immediate action and longer-
term planning
• Seek input from stakeholders and relevant subject matter experts
who best understand the risks
• Develop the risk profile in accordance with the relevant risk
management framework and ensure consistent and correct use of
risk terminology and categories.

18. Step 6 - Analyse the risk profile for
common themes and systemic
issues• Patterns in the difference between inherent vs residual risk. The
extent and consistency of difference will give an indication of the
effectiveness of the entity’s control framework
• Common causal factors, where a small number of contributing
issues are relevant to a larger number of risks. These may suggest
priority opportunities for treatment
• Linkages between risks in different profiles. This can help
understand interdependencies, relationships and the opportunity for
cascading failures
• Concentrations of severe risk in certain categories may indicate
areas of particular vulnerability for review. For example, if an
otherwise robust entity is managing a number of severe risks within
one category it may indicate attention needs to be paid to this area.

19. Step 7 - Reviewing the risk
profile can assist in ensuring
that• Assumptions about risks remain valid and the external and internal
context in which the risks were assessed remain valid
• Results of risk assessment are in line with actual experience
• Risk controls are being maintained and assured, and that proposed
treatments are being implemented as required
• Assumptions around the interrelationships and linkages between
risks at all levels at the organisation and the impact of change in one
risk on another, remains valid.

20. • Having a relevant risk owner or steward present an analysis of a small
number of risks with a focus on key changes or concerns. Over time, this
will result in a rolling program of review of the risk profile.
• Periodically recreate the risk profile from a ‘clean sheet’. Occasionally
starting from scratch and performing a fresh risk assessment and then
reconciling the results with the existing profile.
• Establish escalation mechanisms to ensure that risks in the entity risk
profile are being managed at the right level.
• Ensure those responsible for designing or implementing new policies or
programs first review relevant elements of the risk profile to ensure that
they understand whether risks will be created or modified and that
control strategies remain appropriate and effective.
• Consider risk monitoring information already available such as audit
reports, quality assurance activities, and the results of key performance
Practical strategies to guide
review of profile

21. Step 8 - Communicate the risk
profile
• Seeking feedback from executive reviewers and stakeholders on
how often and to whom risks are to be reported
• Establishing well understood risk escalation and aggregation
protocols so that unacceptable risks can be quickly conveyed to the
appropriate level of management and that the nature of the risk is
clear
• Tailoring the presentation of the risk profile to its audience and
consider their risk management maturity
• Using colour to highlight key issues and areas of concern, or focus
the audience’s attention on the risks or concerns that most warrant
discussion.

22. Example – Traditional Risk
Register• Risk ID or unique identifier
• Description of the risk – its cause, the risk event, and key outcome should it be realized
• A risk category or group or family
• Sources or causal factors relevant to the risk
• The likelihood of the risk occurring
• The potential impact or consequence should the risk be realized
• Control measures currently in place and an assessment of their effectiveness
• An assessment of how the risk is changing or trending and how quickly it could be
realized
• An assessment of risk tolerability, or how the risk compares to relevant elements of the
entity’s risk appetite
• Treatments (proposed controls) to be implemented to improve the management of the
risk, if required
• Owner or steward of the risk.

23. Example – Traditional Risk
Register

24. Risk Severity Matrix or HeatMap

25. Inherent risk severity vs control
effectiveness
Control critical risks - are inherently severe, but currently well controlled. Require active monitoring and
management.
Insufficiently controlled risks – are inherently severe and are assessed as being inadequately controlled.
Likely require additional treatment.
Inherently low risks - require active monitoring to ensure changes do not make the risk more severe.
Potentially over controlled risks - are inherently mild with high levels of control. Need to be monitored.
Represent potential opportunities for efficiency gains.

26. Risk exposure compared to risk
appetite
Can be useful to explicitly compare the level of risk exposure represented in a risk profile
against the risk appetite of the entity. This helps decision makers understand if they are
carrying too much, too little, or just enough risk. This can occur at an individual risk, risk
category, or whole of profile level.

27. Risk tolerance
The table presents a risk profile of six risks, comparing the current exposure against
the risk tolerance for that category of risk. The rightmost column clearly illustrates to
a senior decision maker where risk is above, below or in line with the relevant
tolerance and the direction the risk needs to be driven.

28. Step 9 - Risk profile exercise
should include (1)
• Key risk areas (e.g., strategic, operational, project), including major
opportunities and threats
• Categorization of risks (e.g., human health, environment, trade, legal,
human resources)
• Description of the risks
• Probability of risk (low, med, high)
• Impact of risk
• Risk timeframe (e.g., short: 2 years or less, medium: 3-4 years, long
term: 5 years or more)
• Relative priority of the risks
• Ways of measuring the risk (qualitative and quantitative)

29. Step 9 - Risk profile exercise
should include (2)
• Risk tolerance levels (to the extent that these can be identified and/or
measured)
• Mitigation measures that are currently in place, including strengths and
weaknesses of the department
• Linkages between different levels of risks (e.g., operational and overall
departmental priorities, business and program risks, sector specific and
department-wide)
• Linkages with management processes of the organization
• Capacity of the organization to do risk management
• Learning needs and tools

30. Step 10 - Factors to consider to
improve Risk profiling process
• Develop an overall integrated risk profile that covers the full range of risks
(program and internal business risks)
• Maintain and update an overall profile of the internal/ external risks facing the
organization (in the short and long term), and linkages with measures that are
in place to mitigate these risks
• Be more explicit about the acceptable level of risk tolerance in each program/
functional area, and review these with all stakeholders
• Establish more formal process for prioritizing risks and organization-wide
priorities with senior management and the board
• Enhance communications of organization-wide risks to staff and external
stakeholders
• Continue to develop quantitative approaches to assess levels of hazards, risks
and probabilities

31. Key messages to engage
stakeholders in the process
• The close relationships that do exist between organization-wide business risks
and program/commodity risks
• The benefits of collecting intelligence and sharing knowledge on risks at an
organization wide level, and using this information to keep senior management
informed of emerging risks
• The benefits of applying the same rigorous risk management approach that is
used to assess operational risks to assess organization-wide business risks
• The merits of having an ongoing process to identify new emerging risks at an
organization wide level, and continuously reviewing the relative priorities of
these risks to help with resource allocation decisions
• How integrated risk management can help program managers in their day-
today business decisions.
• How integrated risk management can help drive the planning and decision-
making processes of the organisation.

33. Contact Information
Marc Tassé – mtasse@uottawa.ca
Pat Poitevin – pat.poitevin@uottawa.ca
www.cceac.ca