A Study in Risk Tolerance: The Canada Revenue Agency is benefiting from its pilot of a tool to measure risk exposure versus tolerance.

AuthorSeabrooke, Louis

The general public accesses more information more frequently and expects both private and government organizations to provide more services at a proportionate rate. Each successful technological advancement to provide this information has been accompanied by numerous failures--mistakes that expose vulnerabilities and consequently entrench a risk-averse mindset within organizations. A lack of risk-taking leads to unrealized opportunities and stifled innovation. Conversely, uncontrolled risk-taking can result in disaster. Trying to find a balance between the two can lead organizations to analysis paralysis. Measuring the risks that organizations currently take and those they are willing to take can help avoid over-analysis and enable timely, informed decision-making.

In 2016, the Canada Revenue Agency (CRA), which administers tax laws for the Government of Canada and most of the country's provinces and territories, published its Risk Tolerance Tool to quantifiably measure the maximum level of risk exposure that management was willing to accept. The objective of this tool was to provide a basis for management discussions and to inform decisions on actions related to targeted risks. Initially, the CRA used the tool internally in yearly corporate risk profile cycles.

It has since been piloted in the agency's IT security function and internal audit department with positive results.


When approaching risk analysis, distinguishing risk exposure from risk tolerance is critical. Organizations establish risk exposure based on the likelihood that a given risk will occur and its potential impact on the organization. Risk tolerance is the maximum amount of residual risk exposure that an organization is willing to accept while working toward an expected outcome. By comparing how these concepts are quantified, management and assurance providers can more effectively identify the risks that must be mitigated, those that do not require additional action, and even those existing in an overcontrolled environment.


The risk tolerance portion of the tool consists of five clear tolerance criteria that are selected based on their relevance to audit engagements and their ability to be applied consistently from one engagement to the next:

** Maturity--The level of experience the agency has dealing with the issue or risk.

** Criticality--The level of critical service that this risk applies to the government or the CRA.

** Sensitivity--The...

To continue reading

Request your trial