Canada: The Role Of Risk Management In Regulation

Last Updated: September 7 2018
Article by John Risk

We live in a society that assumes risks can be both anticipated and controlled. If harm is not foreseen and prevented (that is, the risk is not controlled) and a regulator is in sight, odds are it will be on the list of those to blame. And the standard for affixing blame to a regulator is low. Facing these pressures, regulators are using management tools and concepts to inform their operations and programs. This article is a quick tour through the role of risk management in a regulatory context.

Risk management as a formal method dates from after WWII. It began in the world of finance and engineering and involved (and still does) technical and quantitative models and approaches. At some point these formal methods were adopted for use outside of financial and technical contexts. At the same time, private firms were beginning to apply risk management to the entire span of their operations.  In addition to the risk of financial loss from such things as market or interest rate changes, firms started to look at other sources of loss such as legal or political hazards. This was the concept of enterprise risk management or 'ERM' for short. 

If you are a regulator looking for a risk management program, what experts will likely try to sell you on is what I would term "ERM lite". "Lite" refers to the stripping away of the quantitative analysis that goes along with much of the risk management work in finance, insurance and engineering. A barebones ERM process would look something like this. First, you set the context. This involves setting the scope of the ERM process, 'scope' being the areas and objectives the process will apply to. ERM tries to cover most facets of the organization: finance, operations, legal and so forth. Context also includes setting the risk tolerance of the organization in each of these areas. Understanding how the organization and external groups have reacted to harmful events in the past is a key step in setting risk tolerance.

The next step is to identify risks, or events that may have an adverse effect on the organization or its objectives. There are many different ways to do this and organizations usually use more than one method. These include workshops, surveys or more detailed methods like scenario review or case studies. The process usually considers each area of risk separately. For example, what can happen from a legal perspective to affect this or that objective, or how a certain event would affect the finances of the organization. The outcome is a list of risks (negative events) organized across the different risk areas.

With the risks on the table, the next stage is assessment. The goal is to rank the risks to determine priority. Assessment is about two things: the likelihood that the event will happen and how severe the outcome of the event would be. Likelihood and severity each receive a score on a similar scale. The scale can be a numerical rank, for example 1 through 5. A scale may instead use descriptive words, for example low, medium and high. The risk level is then calculated from the two scores. By way of example, a risk with high likelihood and high severity ranks higher than a risk with low likelihood and medium severity. It is easy to map the risk assessment using a matrix, with likelihood on one axis and severity of impact on the other.

Things get a little more complex than this because the assessment should consider what is already in place to control the risk. What is left over after the existing controls is the 'residual risk', which should drive the next step: risk treatment.  

What you have now is a list of risks ranked according to their combined score of severity and likelihood. Risk treatment is the process of choosing ways to respond to the risks. The organization may choose to accept risks below a certain score while coming up with controls for the highest risks. There are various ways to treat or respond to risks. Examples are to transfer a risk to another party, to avoid or reduce it or to insure against it. The risk tolerance of the organization will determine the type and extent of the treatment.  

Once assessment is complete, the risks and responses to them are set out in a risk register. This provides a basis for tracking the risks. The risk scores and treatment will require adjusting from time to time. Another important feature of the process is communication about risks and responses to them, both inside and outside the organization. 
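To make the steps above concrete, here is an added example that is not from the article: a small Python risk register that sets a tolerance, scores likelihood and severity on the 1 through 5 scale, nets out existing controls to obtain the residual risk, ranks the register, picks a treatment for each entry and renders the likelihood-by-severity matrix. The mapping of descriptive levels to numbers, the model in which a control removes whole scale steps, the treatment thresholds and the sample risks are all assumptions constructed for illustration, not anything the article prescribes.

```python
"""Toy ERM risk register: context (tolerance), identified risks, assessment,
residual risk after existing controls, ranking, treatment and a matrix view.
Added illustration; every scale, threshold and sample risk below is assumed."""
from dataclasses import dataclass, field

# Assumed mapping of the descriptive scale onto the 1-5 numeric rank.
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Assumed risk tolerance: residual scores at or below this are accepted.
TOLERANCE = 6


@dataclass
class Control:
    name: str
    reduces: str  # "likelihood" or "severity"
    steps: int    # assumed model: the control removes this many scale steps


@dataclass
class Risk:
    rid: str
    name: str
    area: str
    likelihood: str
    severity: str
    controls: list = field(default_factory=list)


def score(level: str) -> int:
    return SCALE[level.lower()]


def inherent(risk: Risk) -> int:
    """Likelihood x severity before any controls are considered."""
    return score(risk.likelihood) * score(risk.severity)


def residual(risk: Risk) -> tuple:
    """Apply existing controls: each lowers likelihood or severity by `steps`,
    never below 1. Returns (likelihood, severity, residual score)."""
    lik, sev = score(risk.likelihood), score(risk.severity)
    for c in risk.controls:
        if c.reduces == "likelihood":
            lik = max(1, lik - c.steps)
        elif c.reduces == "severity":
            sev = max(1, sev - c.steps)
        else:
            raise ValueError(f"unknown control target: {c.reduces}")
    return lik, sev, lik * sev


def treatment(residual_score: int, tolerance: int) -> str:
    """Assumed policy: accept within tolerance, avoid or transfer the top band
    of the matrix (20 and 25), and reduce everything in between."""
    if residual_score <= tolerance:
        return "accept"
    if residual_score >= 20:
        return "avoid or transfer"
    return "reduce"


def build_register(risks: list, tolerance: int) -> list:
    """Rank risks by residual score (highest first) and attach a treatment."""
    rows = []
    for r in risks:
        lik, sev, res = residual(r)
        rows.append({"rid": r.rid, "risk": r.name, "area": r.area,
                     "inherent": inherent(r), "residual_likelihood": lik,
                     "residual_severity": sev, "residual": res,
                     "treatment": treatment(res, tolerance)})
    rows.sort(key=lambda row: row["residual"], reverse=True)
    return rows


def matrix(rows: list) -> list:
    """Text rendering of the 5x5 matrix: likelihood down the rows (5 on top),
    severity across the columns, each cell listing the risk ids it holds."""
    cells = {}
    for row in rows:
        key = (row["residual_likelihood"], row["residual_severity"])
        cells.setdefault(key, []).append(row["rid"])
    lines = ["L\\S  " + " ".join(f"{s:>8}" for s in range(1, 6))]
    for lik in range(5, 0, -1):
        cols = (",".join(cells.get((lik, s), [])) or "-" for s in range(1, 6))
        lines.append(f"{lik:<5}" + " ".join(f"{c:>8}" for c in cols))
    return lines


# Constructed sample register for a hypothetical regulator (not real data).
SAMPLE_RISKS = [
    Risk("R1", "Public portal compromised via unpatched software", "operations",
         "very high", "high"),
    Risk("R2", "Complaint database breach", "operations", "high", "very high",
         [Control("encryption at rest", "severity", 2),
          Control("quarterly access review", "likelihood", 1)]),
    Risk("R3", "Inspection backlog lets an unsafe practitioner keep practising",
         "public protection", "medium", "high"),
    Risk("R4", "Departure of the only data analyst", "people", "medium", "medium",
         [Control("cross-training", "severity", 1)]),
    Risk("R5", "Interest rate change cuts investment income", "finance", "high", "low"),
    Risk("R6", "Discipline decision overturned on judicial review", "legal", "low",
         "very high", [Control("independent legal review", "likelihood", 1)]),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_RISKS, TOLERANCE)
    for row in register:
        print(f"{row['rid']:<3} {row['area']:<18} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} -> {row['treatment']}")
    print()
    print("\n".join(matrix(register)))
```

Note how R2 drops from the top of the matrix to the middle once its controls are netted out, while R1, which has no controls, stays there; that gap between inherent and residual scores is exactly what the treatment step is meant to act on.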

That in a nutshell is ERM. It certainly seems at first glance to be a good thing. An organization should know the risks it faces and try to control them. But it is hard to find evidence that it works or that it actually reduces risk. And it has a high cost to prepare and implement. There are also a number of examples of things going very wrong with a lot of risk management in place, the Deepwater Horizon blow-out and the Space Shuttle Challenger disaster, for instance. This suggests that a risk management process alone will not suffice (you also need to build the right culture, which of course is more time and effort).

These issues aside, it is a good idea for an organization to know its major vulnerabilities and have plans in place to avoid them or deal with the consequences. Given the time and cost involved it is hard to know how much to invest in a formal ERM process. But this is more of a question of governance than regulation. What I want to address here is the potential use of ERM methods to inform the regulatory program. 

If you are an organization with a regulatory mandate, a vital question to ask is, "risk to whom?" The focus of ERM is on risks to the organization. Its purpose has largely been to identify and control threats to the bottom line or to achieving certain goals, or to ensure a firm can stay afloat during a crisis and maintain public trust. But regulators have a mandate to protect the public. How much sense does it make to use a process that is more about preserving the organization than protecting the public? In response, one could simply say that the role of ERM could be to ensure a regulator achieves its mandate to protect the public. In this context, a regulator would use ERM to identify and control risks to the public.

This seems to make sense.  But given the cost of implementing ERM it may be worthwhile to look at some of its shortcomings. Not all of these shortcomings relate to cost. Some of them go to the issue of whether the simplistic approach to risk assessment in ERM is a sufficient basis for a regulatory program aimed at protecting the public. Here are five things to think about before embarking on a risk management program:

1. It takes a lot of resources

The first consideration does relate to cost. Risk management can turn into a large undertaking. It can be a heavy user of staff time. Because it calls for a high level of analysis and often technical skills you may need to recruit or retain more talent, including an individual with expertise in analyzing data.  It also tends to be report heavy and by its nature needs a high degree of monitoring. A big risk of risk management turns out to be its opportunity cost. The (hard) decision is often about what existing projects to drop in order to do risk management properly. My anecdotal observation is that risk management projects often get off to a good start. But sustaining and completing them is a larger challenge. 

2. Data comes first

You need data about a sector to identify risks to the public. Most importantly, you need evidence relating to what harms the public face in a certain sector. This data has to be reliable and accurate. It should also provide a general enough picture of the distribution of harms within the sector. It is true that there are ways to identify risks without the help of statistical data. These include relying on anecdotal or comparative evidence. But it is hard to think that risk management would be of much value without good sources of empirical data. This point concerns the platform or starting point for risk management. If you don't have data, you should likely create the means of collecting and analyzing it before investing much in risk management. And this is by no means easy if you are a complaint-based regulator. You largely see only what the public brings you, and you must be creative in searching out and finding harms that do not surface through complaints.

3. Agreeing on riskiness

Let's assume you are fine with the cost and you have data. You will then have to find some sort of relatively objective standard for determining risk.  People find it hard to agree on two things: the degree of risk (of something or somebody) and what level of risk to tolerate. The first relates to what is or is not risky. This is notoriously subjective and it can take a long time to agree upon. The second relates to what amount of risk is acceptable. This involves trade-offs between cost and safety. A risk management program will not tell you how much you should invest in public safety. But regulators have to answer this when deciding which risks to respond to and how much to invest in response and control for any given risk. They also have to decide how much time and resources to spend on identifying risks. In other words, they must decide when to stop identifying risks and when to move on with the job of controlling them. These challenges of risk perception and striking a balance between cost and safety are not reasons to reject risk assessment. But they are an added level of complexity and take time and effort (and cost) to sort through. 

4. Risk assessment may be too simplistic

The assessment stage in a risk management program looks at two things: the likelihood and the severity of a risk. Of course these are important factors to consider. But risk management tends to be a 'top heavy' or 'early stage heavy' approach. Risk identification and assessment result in a long list of risks, and then the treatment stage simply says "control them". But a successful control strategy will require much more than an estimate of how likely the event or harm may be and how bad it will be. To intervene and prevent harm the regulator will need to understand the harm in some detail. What causes it? What kind of response or treatment will work? These are implementation and practice questions. And risk management programs spend very little time down in the weeds, so to speak, with respect to these details. The danger is sinking too much effort into developing a list of risks with few resources left to understand them in depth, let alone trying and testing possible solutions. Perhaps regulators would do better to identify and tackle a short list of well understood problems rather than compiling a long list of more cursory risks.

5. The perils of prediction

To assess a risk is to forecast it. Both the likelihood and severity of a risk will by and large involve an estimate. But history and science tell us that most people are terrible at forecasts. There is no shortage of biases that hamper prediction. Groupthink, risk anchoring and framing, and the recency effect are all examples of pitfalls that stand in the way of accurate forecasts and estimates. Added to these pitfalls are Black Swan (remote chance, high impact) events that are impossible to predict. These will occur no matter how sophisticated the risk management program. The failure to confront the problems of prediction is the Achilles' heel of most risk management programs.

It is worth spending some more time on the role of prediction in the regulatory context. More and more regulators have started to use risk assessment as a tool in their programs. An example is the use of risk scores to guide discipline decisions or outcomes and to target inspections. This is different from trying to predict the risk of harm. This is about predicting who is at greater or lesser risk of harming the public. And this may be an area where theory and method are moving faster than the evidence of effectiveness and the safeguards in place for fairness and due process.

The field of law enforcement is a great place to look to learn about the good and bad of person-based targeting. Police are using big data and other new technologies to predict and deter crime. One approach is police 'heat lists'. These lists rely on multiple factors that combine to create risk scores. The factors include criminal history, arrests, parole status and gang membership. A high score means a greater chance of being the victim of, or committing, a violent crime. In Chicago, being on the heat list resulted in a visit and written notice from the police. The intent was to deter future crime by warning the people on the list that they are under watch and that unless they avoid future crime they will face the full force of the law.

The Chicago heat list has had at best mixed results. A third-party review by the RAND Corporation found that it had little predictive accuracy and effect on violent crime. Problems with prediction are not limited to the criminal context or to targeting individual people. In the UK, the Care Quality Commission (CQC) developed a statistical tool to rank hospitals according to risk and to decide which ones to inspect first or more often. But the attempt to use risk scores to target inspections of hospitals failed. Researchers found no link between the risk scores and the outcomes of subsequent inspections. 

This is not to say that regulators should forgo risk assessments. But they should be aware of the growing discussion about the reliance on risk assessment in policing and other fields. Critics and commentators have pointed out problems with errors and bias infecting the algorithms that underlie the predictions and programs. There is also much talk about fairness, due process and transparency. Among other things, those who are affected by risk assessments likely have the right to know about them and to challenge them. To this extent, risk assessments are much the same as no-fly lists or police watch lists. These issues and more will be following close behind as regulators move toward more sophisticated methods of assessing and controlling risk.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
