Policy 2.3.32: Risk Management

Effective date: February 23, 2012
Responsibility: Executive Vice-President and Chief Financial Officer


As Canada’s national public broadcaster, CBC/Radio-Canada occupies an important place in the Canadian broadcasting system and faces a unique set of risks to its plans and operations. Like all broadcasters, the Corporation must adapt to technological changes, shifts in demographics and evolving consumer demands, as well as structural changes in the industry. As a public broadcaster with a statutory mandate to serve all Canadians, CBC/Radio-Canada also faces unique financial challenges and risks.

It is CBC/Radio-Canada policy to develop, implement and practice effective risk management to ensure risks and opportunities that impact the Corporation’s strategies, objectives and operations are identified, assessed and managed appropriately.


CBC/Radio-Canada’s risk management objective is to support the achievement of the Corporation’s strategic and operational objectives by:

  • Ensuring risks and opportunities are properly identified, assessed, managed and reported;
  • Aligning risk appetite and strategy;
  • Embedding risk management in decision making;
  • Allocating resources to effectively and efficiently manage risks; and
  • Ensuring that the risk management process is robust and evolves with best practices.

CBC/Radio-Canada’s risk management objective is not to eliminate risk, but rather to manage risk in relation to CBC/Radio-Canada’s risk appetite.

Additional guidance is provided in the Procedures and Guidelines.


The Corporation’s risk appetite is influenced primarily by its role as Canada’s national public broadcaster whose mandate, object, powers and financial authorities are set out in the Broadcasting Act. It is the Corporation’s policy to identify, prioritize and manage the risks of the Corporation and to report to the Audit Committee of the Board on the actions to address any significant risks using the Corporation’s risk appetite as context.


The present policy applies to all CBC/Radio-Canada employees. Managers and staff have a responsibility to identify, assess and manage risk. This includes monitoring risks and related controls to continually optimize the control of risks across the entire organization.


CBC/Radio-Canada’s Risk Management Program is part of an enterprise-wide approach integrated into business processes. Responsibility for risk management is shared amongst the following groups: CBC/Radio-Canada’s Board of Directors; the Board’s Audit Committee; the Senior Executive Team; Internal Audit; and operational units.

The Board oversees CBC/Radio-Canada’s key risks at a governing level, approves major policies and ensures that the processes and systems required to manage risks are in place. The Board is ultimately accountable for the risk management process, including the risk culture, risk appetite and alignment of the Corporation’s risk management practices with strategy, risk appetite and stakeholders’ expectations.

The Audit Committee of the Board discharges its stewardship and oversight responsibilities over risk management by monitoring key risks, discussing their status with management at quarterly Audit Committee meetings, and ensuring that management has programs for evaluating the effectiveness of internal controls.

The Senior Executive Team identifies and manages risks, reports on CBC/Radio-Canada’s key risks to the Audit Committee and the Board, recommends policies, and oversees financial reporting and internal control systems. The Senior Executive Team is also responsible to help resolve cross-component risk issues and challenges.

Internal Audit plans its audits in accordance with the results of the risk assessment process and provides assurance that major risks are covered on a rotational basis by the annual audit plan. Internal Audit is responsible for assessing the effectiveness of risk management practices and processes.

Media and support business units initially identify and assess risks through the annual business plan process, and develop and execute detailed plans to manage risks. Risks are prioritized based on their potential impacts and their likelihood of occurring. The status of risk mitigation on these identified risks as well as any emerging risks are reported to the Board’s Audit Committee on a quarterly basis.

Every manager is responsible for integrating sound risk management planning and process into the business processes they are responsible for and for reporting risks with causes, impacts, or mitigations beyond their scope of responsibility to their supervisor.

Every employee is responsible for applying sound risk management within the scope of their duties and responsibilities and reporting risks with causes, impacts, or mitigations beyond their scope of responsibility or available resources to their supervisor.

Risk Management and Insurance within Corporate Finance and Administration is responsible to coordinate, review and manage the overall key risk identification and reporting process.


COSO Enterprise risk Management – Integrated Framework
ISO 31000 – Risk Management – Principles and Guidelines
Management Policies:


This policy, which is a formalization of the process that has been in practice since 2007, was approved by the Board of Directors on February 23, 2012.


All questions pertaining to the interpretation or application of this policy should be referred to the Director, Insurance & Risk Management. The responsibility for interpretation of this policy ultimately resides with the Vice-President and Chief Financial Officer.


Corporate Secretariat.




"Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." (COSO)


Risk is defined as the effect of unexpected positive or negative events or consequences on objectives. Risks include business environment, process, strategic and financial risk.


"Risk appetite is the amount and type of risk that an organization is willing to pursue or retain" (ISO Guide 73). Risk appetite is influenced by external legislation and policies, stakeholder expectations and CBC/Radio-Canada’s Board of Directors’ guidance.


Inherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact, ie the level of risk prior to taking into account existing controls and any existing risk responses.


Risk remaining after risk treatment, ie. the remaining risk level after taking into account existing controls and any existing risk responses.


Risk identification and assessment is integrated into the annual business plan process.

Risk assessment and management is a process to determine the threats and opportunities that components must identify and effectively manage to achieve component business objectives, successfully execute component strategies, and meet component performance goals. The risk assessment considers all forms of risk, including business environment, process, strategic and financial risk.

Within CBC/Radio-Canada, the risk assessment and management process begins with the Environmental Outlook presented to the Board of Directors.

The process then moves to the annual business plan process within which each component identifies and assesses their component risks to achieving component objectives and highlights their action plans to mitigate these key risks. Risks are evaluated and ranked by components using a common set of evaluation criteria and risk definitions provided in the Business Plan Guidelines. The ranking is determined by risk score, which is a function of the assessed risk’s impact and likelihood of occurrence, each measured on a scale of 1 (low) to 5 (high).

In order to assist components in completing the risk assessment and action plans, the following resources are attached:

  • Schedule 1 – CBC/Radio-Canada Risk Management Framework
  • Schedule 2 – CBC/Radio-Canada Risk Definitions
  • Schedule 3 – CBC/Radio-Canada Risk Assessment Definitions
  • Schedule 4 – CBC/Radio-Canada Risk Management Model

The component risks are aggregated into a risk register. The risks identified by the components and forming the risk register are categorized by commonality. The corporate ranking of the key risks is compiled and presented to the Senior Executive Team for approval. Risks assessed with a corporate risk score below 12 continue to be reviewed and managed by components but are not reported on in detail at the Board level.


The business risk definitions are provided as reference to assist in the identification of risks by media and the support business units. The CBC/Radio-Canada’s business risk definitions are organized into three primary risk categories:

  1. Strategic Risks
    Strategic risks are the risks of failing to achieve strategic objectives. Strategic objectives are high-level goals, aligned with and supporting the CBC/Radio-Canada’s mission/vision.
  2. Financial Risks
    Financial risks are the risks of failing to allocate scarce resources to meet strategic objectives and investment decisions and/or failing to manage financial pressures.
  3. Business Risks
    Business risks encompass content, operations, people and information process and technology. Business risks are the risks of failing to achieve operational objectives. Operational objectives relate to the effectiveness and efficiency of the CBC/Radio-Canada’s basic operations, including the safeguarding of resources against loss.


The annual business plan process culminates in the Annual Risk Report that is presented to the Audit Committee in February and to the Board of Directors in March of each year. The risks assessed with a score below 12 continue to be reviewed and managed by media and support business units but are not reported on in detail at the Board level. The Annual Risk Report is made up of two sections:

  1. Status Update of the Key Risks as at December 31 of the fiscal year in question; and the
  2. Key Risks and Mitigation Strategies for the upcoming fiscal year starting April 1st.

Risk Management updates are a standing agenda item at quarterly Audit Committee meetings. These Risk Management updates provide the status of the identified key risks and action plans as well as identify changes is risk levels and any emerging risks. The Risk Management Updates are provided to the full Board as an information item.


Risk Management and Insurance within Corporate Finance and Administration is responsible to coordinate and manage the overall data gathering process and report preparations for the Annual Risk Report as well as the Quarterly Risk Management Updates.

Schedule 1 – CBC/Radio-Canada’s Risk Management Framework

Schedule 2 – CBC/Radio-Canada Risk Definitions

Strategic Risks

Business Risks

Financial Risks

Political Policies and Mandate

Content and Services

Self-Generated Revenue

Competitive Environment

Quality and Distinctiveness of Content Offering

Financial Markets/ Economy

Technological Innovation

Journalistic Standards and Conflict of Interest

Financial Reporting

Strategy Development/ Refresh & Execution

Content that Responds to Changing Consumption Patterns

Budgeting & Planning

Reputation and Brand Management

Rights & Copyrights Management



Government Funding



Implementation of Major Projects

Business Interruption

Regulatory/Legislative Environment

Organisational and Governance Structure


Change in Leadership

Succession Planning


Change Readiness

Health & Safety/Wellness



Information and Cybersecurity

Infrastructure Portfolio Optimisation

Risk Category Risk Description Examples
Strategic Risks

Political Policies and Mandate

The government or any future government may:

  • change CBC/Radio-Canada's mandate, impacting programming and service levels to Canadians and their associated costs to implement; and/or
  • introduce legislation that impacts operations, costs and/or the attainment of our strategic objectives.

Government legislative changes eg: (Access to Information, CMF, copyright)

  • Government debt reduction agenda
  • Broadcasting Act, S.C. 1991, c. 11
  • Commitment to public broadcasting and culture

Competitive Environment

  • Increased competition from vertically integrated BDUs and well-capitalized global players providing content (Google, Apple, Amazon, Netflix, Facebook) could impact CBC/Radio-Canada’s ability to achieve brand visibility and strategic objectives.
  • Traditional broadcasting advertising continues to migrate from conventional to other platforms impacting the Corporation’s attainment of advertising revenue targets.

Technological Innovation

Failure to anticipate the next big trends in technology, content development, content delivery and/or content consumption, could threaten our connection with audiences and achievement of our strategic objectives.

Strategy Development/Refresh & Execution

Development of a strategic plan that is agile and can adapt to changing circumstances is critical to long-term sustainability and viability of the Corporation.

Successful execution of our A space for us all strategy is critical to enable the long term success and relevance of our business.

Clarity of vision and strategy (positioning).
Relevance, reliability and/or completeness of information being used to establish strategic plans impacts financial conclusions and decisions.

Reputation and Brand Management

Inability to respond swiftly, reasonably and proportionately to significant events or criticisms could impact our reputation. There is a risk that negative perception of CBC/Radio-Canada may decrease credibility, stakeholder support and funding.

Business Risks

Content and Services

Quality and Distinctiveness of Content Offering

Failure to continue to improve the quality, distinctiveness and innovation of our output in all genres while delivering a streamlined CBC/Radio-Canada could limit our ability to meet Canadian’s needs and expectations in an ever more competitive marketplace.

Journalistic Standards and Conflict of Interest

Failure to uphold our editorial values and standards in all our content could affect our ability to maintain high levels of Canadian’s trust, damage our brand or lead to legal exposure.

Content that Responds to Changing Consumption Patterns

Failure to deliver content when and how it is demanded, or to anticipate future consumption patterns could threaten our connection with, or relevance to, Canadians.

Rights & Copyrights Management

Failure by CBC/Radio-Canada to obtain, create and retain the rights and copyrights related to popular programming could adversely affect the Corporation’s revenues and relevance.



Ability to leverage our assets, successfully implement new processes and technologies, achieve benefits from organization redesign or site consolidations or other efficiency initiatives could impact the achievement of strategic or cost reduction targets.


Alliance or partnering agreements impact the operations, costs and/or reputation of the Corporation.

  • SNC Lavalin
  • PricewaterhouseCoopers (PwC)
  • Independent Producers
  • Rogers
  • Bell

Implementation of Major Projects

Delayed and ineffective implementation of major projects could compromise the delivery of the CBC/Radio-Canada’s strategic objectives.

Business Interruption

Inadequate business continuity and disaster recovery planning may increase disruption to operations, increase costs and damage the reputation of the Corporation.

  • Technical failure
  • Catastrophic event
  • Labour disruption
  • Actions of third parties, including suppliers

Regulatory/Legislative Environment

Changes to regulatory or legislative requirements may:

  • impact the Corporation's capacity to efficiently or effectively conduct business;
  • impact the Corporation’s competitive position;
  • may impact the Corporation’s costs and/or obligations;
  • may impact its access to production funding and therefore its ability to create/license programming
  • Broadcasting Act
  • CRTC requirements/conditions of licences;
  • Industry Canada;
  • Human Resources and Skills Development Canada;
  • Income Tax Act;
  • The Canadian Media Fund rules;
  • The Office of the Superintendent of Financial Institutions (OSFI) may change the rules for federal pension plans and that may affect our pension liabilities and future contribution requirements;
  • The Personal Information Protection and Electronic Documents Act (PIPEDA);
  • Environmental regulations and standards;
  • OCOL/CRTC joint jurisdiction over programming-related complaints.

Organisational and Governance structure

Failure to deliver a flexible and agile management and governance structure could limit our ability to respond quickly to new challenges and impact delivery of strategic priorities.

Information and Cybersecurity Cyber threats (hacking, computer viruses, denial of service attacks, industrial espionage, unauthorized access to confidential, proprietary or sensitive information or other breaches of network or IT security) are constantly evolving and IT defences need to be constantly monitored and adapted. Vulnerabilities could harm our brand and reputation as well as our stakeholder relationships.
  • Network operating failures and service disruptions may affect our ability to maintain normal business operations and deliver services
  • The theft, loss or leakage of confidential information, including partner or employee information, that could result in financial loss, exposure to claims of damages by partners and employees, and difficulty in accessing materials to defend legal cases
Infrastructure Portfolio Optimisation There is a risk that:
Ownership of buildings with maintenance deficits increases operating costs, puts pressure on the capital budget and impacts the residual values of the property;
Excess space and infrastructure affects operating and capital budgets as more space than required generates excess costs;
Outdated infrastructure reduces flexibility to adapt and affects operating costs; and
Cumbersome governance and approval process may impact project viability.

Infrastructure includes:

  • Production facility and equipment;
  • IT and telecom infrastructure;
  • Transmission and distribution infrastructure; and
  • Real estate
People & Culture
Change in Leadership Turnover of members of the Senior Executive Team, key members of the component management team or members of the Board may create uncertainty for CBC/Radio-Canada staff and the stakeholders regarding expectations and vision and may affect the Corporation's competitive position and reputation and impact operations.
Succession Planning Ability to plan for the succession of key employees and managers may impact operations.
Engagement Ability to attract, retain, develop and engage qualified employees to achieve long-term goals.
Change Readiness Ineffective change management and the failure to successfully integrate operations under revised structures could adversely affect our business and our ability to achieve our strategic objectives.
Health & Safety/Wellness Inadequate controls could endanger the health and safety of individuals, the natural environment and our reputation.
Diversity Failure to improve the demographic representation (diversity) of the workforce may influence the Corporation’s ability to maintain or improve the Corporation’s relevance.
Financial Sustainability
Self-Generated Revenue Volatility in revenues will affect the ability to balance budgets and achieve strategic objectives.
  • Impacts of Regulatory decisions such as Let’s Talk TV (skinny basic, pick and pay)
  • Increased global competition from well-capitalized players providing content (Google, Apple, Amazon, Netflix, Facebook) and BDUs
  • Change in consumption patterns (cord-cutting, cord-shaving, cord-stacking, cord-nevers, cordless-contemplators, over-the-top programming)
  • Shift in advertising vehicles from conventional broadcasting to digital and mobile
  • Economic upturn/downturn
  • Ongoing industry fragmentation
  • Ad blocking technologies
Financial Markets/Economy Movements in interest rates may affect the returns on the Corporation's investments and its capacity to re-invest the returns into programming activities.
Movements in interest rates may impact the pension plan’s funding and solvency position and the Corporation's capacity to contain costs.
Movements in foreign exchange rates may affect payments denominated in foreign currencies as well as the Corporation's capacity to contain costs.
Inflation impacts the Corporation's operating and capital expenses.
  • Lower Canadian dollar against the United States dollar will increase the costs of US operations/bureaus, commitments in US currency and/or the cost of purchases contracted in USD.
  • The Corporation must fund pension plan’s funding and solvency deficits.
Financial Reporting Failure to ensure accuracy of financial reporting (fairly present the financial position of the Corporation, the results of its operations and its cash flows) may negatively affect the Corporation's reputation or may result in criminal liability to the Corporation.
  • Adequacy of adjustments to or disclosures in the financial statements
  • Existence and adequacy of internal controls on financial reporting.
Budgeting & Planning Ability to adequately plan for the range of potential changes to our funding model (contingency planning) could impact the delivery, scope or timing of our strategic objectives and/or result in further cost reductions.
Ability to allocate scarce resources to meet strategic objectives and manage financial pressures.
  • Change in advertising revenue beyond that planned for,
  • Change in production costs to cover special events, change in government funding, etc.
Fraud Fraudulent activities perpetrated by management or employees against the Corporation may expose the Corporation to financial loss or impair its reputation.
  • Misappropriation of assets
Government Funding The government or any future government may affect operational and capital funding levels impacting its ability to create programming and maintain current service levels to Canadians.
  • Government debt reduction agenda
  • Commitment to public broadcasting and cultural institutions

Schedule 3 – CBC/Radio-Canada Risk Assessment Definitions - Impact Descriptors








  • Multiple deaths

  • Revenue or cost impact over $50 million
  • Significant asset loss with extreme consequences
  • Total service cessation for a day or more
  • Game-changing loss of market share
  • Severe impact on the Corporation's reputation
    Example: Sustained negative perception or loss of stakeholder support;
  • Regulatory or legal implications of material importance.
  • Example: Significant prosecution and fines, litigation including class actions, incarceration of leadership



  • Single death and/or multiple injuries
  • Revenue or cost impact of $25 to $50 million
  • Loss of asset(s) with high consequences;
  • Total service cessation for a number of hours
  • Significant loss of market share
  • Major impact on the Corporation's reputation.
    Example: long-term negative media coverage

  • Regulatory or legal implications of major importance.
  • Example: Report to regulator requiring major project for corrective action



  • Individual injury
  • Revenue or cost impact of $10 to $25 million
  • Loss of asset(s) with medium consequences
  • Partial service cessation
  • Moderate loss of market share

  • Moderate impact on the Corporation's reputation.
    Example: short-term negative media coverage
  • Regulatory or legal implications of moderate importance.
  • Example: Report of breach to regulator with immediate correction to be implemented



  • First aid
  • Revenue or cost impact of $5 to $10 million
  • Loss of asset(s) with minimal consequences;
  • Minor service interruption
  • Minor loss of market share

  • Minor impact to the Corporation's reputation
    Example: Local reputational damage
  • Regulatory or legal implications of minor importance.
  • Example: Reportable incident to regulator, no follow up



  • No injuries
  • Revenue or cost impact up to $5 million
  • Insignificant loss of asset(s)
  • Insignificant impact on the Corporation's reputation
    Example: Local media attention quickly remedied
  • Regulatory or legal implications of insignificant importance.

Likelihood Descriptors


Example - Probability


Almost Certain

The event is expected to occur in most circumstances.

90% or greater chance of occurrence



The event will probably occur in most circumstances.

65% up to 90% chance of occurrence



The event should occur at some time.

35% up to 65% chance of occurrence



The event could occur at some time.

10% up to 35% chance of occurrence



The event may occur only in exceptional circumstances.

Less than 10% chance of occurrence

Schedule 4 – CBC/Radio-Canada Risk Management Model

Search highlight tool