Integrated Risk Management

Overview of Issue

Failures in the financial and healthcare sectors have underscored the importance of anticipating and managing serious organizational risks. An integrated risk management (IRM) approach is required to identify, assess, prioritize, and manage key organizational risks.

Refer to related Risk Notes for details:

  • Risk – Concepts and Misconceptions, Risk Assessment, Risk Management and IRM/ERM.

Key Points

  • IRM is a critical leadership function in healthcare.
  • There are common pitfalls in IRM implementation.
  • A simplified approach may be the most effective, supported by HIROC tools, resources and peer knowledge.


Things to Consider


Definition of IRM

  • The Treasury Board of Canada Secretariat defines IRM as “a continuous, proactive, systematic approach to identifying, assessing, understanding, acting on, and communicating risk from an organization-wide, aggregate perspective” (TBSC, 2010).
  • IRM aligns with Accreditation Canada standards and is used frequently in the public sector.
  • The terms integrated risk management (IRM) and enterprise risk management (ERM) are seen as synonymous.

Rationale for IRM

  • Healthcare is complex, and many organizations manage risks independently as a patchwork of risk management activities within horizontal or vertical silos. The result is that one type of risk may receive attention and resources while another more important risk goes undetected or unacknowledged.
  • The consequences of ineffective management of risks range from organizational underperformance to catastrophic failures that could threaten the continued existence of the organization (Caldwell, 2012).
  • Effective IRM provides a framework for understanding and prioritizing very different types of risks from across an organization, for creating a concise summary of the most significant risks, and for identifying whether further work is required to bring these risks to acceptable levels.

Simplified, Effective Approach

  • There is no universal approach to IRM that will guarantee success and, generally speaking, organizations need to adapt processes to match their particular circumstances (Mikes, 2014).
  • Those that have led IRM implementation efforts in healthcare organizations have consistent advice – keep it simple. The figure to the right depicts the basic components of an simplified and effect approach to IRM including:
    • Focus on risks to key organizational and/or strategic objectives; start with a few;
    • Ensure effective coordination (e.g. Risk Manager);
    • Ensure board and senior leadership oversight / ownership;
    • Identify risks (what can go wrong?) related to key objectives (note: these are largely known; see HIROC taxonomy);
    • Assess impacts (how bad?) and likelihoods (how often?) of identified risks;
    • Manage risks (is there a need for action?) (see HIROC Risk Profiles for peer knowledge on mitigating risks).
  • Record and report risks (see HIROC Risk Register application).

Common Pitfalls

  • Many IRM efforts stall due to:
    • The absence of senior leadership ownership and support;
    • Lack of resources or expertise to carry out key coordinating functions;
    • Cognitive/group biases that result in over or under appreciating the importance of a particular risk due to lack of awareness or understanding, or deference to others;
    • A focus on identifying all risks which can overwhelm resources and mask the truly “vital few” which require senior leadership attention.
  • Commercial IRM (ERM) models are sometimes “tone deaf” to the realities of healthcare and may lead to approaches that result in lost time and resources with little realized benefit including:
    • Seeing strategic risks as distinct from operational risks – this is not the case in healthcare (see Risk – Concepts and Misconceptions Risk Note);
    • Focusing on “upside” risks (i.e. opportunities) versus “downside” risks (i.e. potential failures such as patient harm) (see Risk – Concepts and Misconceptions Risk Note); - Focusing on development of overall risk “appetite” or “tolerance” statements (see Risk – Concepts and Misconceptions Risk Note);
    • Assessing “inherent” risk (before controls/ mitigation strategies in place) versus a focus on “residual” risk (risk as it is now) (see Risk Assessment Risk Note).


• HIROC. (2014). IRM Risk Register website.

• HIROC. (2017). Taxonomy of healthcare organizational risks.

• Treasury Board Secretariat (TBS). (2012). Integrated risk management implementation guide. Government of Canada.

• Caldwell, J. (2012). A framework for board oversight of enterprise risk. Chartered Accountants of Canada

. • Mikes A, Kaplan R. (2014). Towards a contingency theory of enterprise risk management. Harvard Business School Working Paper.

• NHS - National Patient Safety Agency. (2007). Healthcare risks assessment made easy