Corporate Risk Management Policy

Effective Date: December 15, 2022

Overview

The Corporate Risk Management Policy (“Policy”) describes the guiding principles, roles, responsibilities, and key activities the Workplace Safety and Insurance Board of Ontario (“WSIB”) undertakes to manage risk across its operations. This Policy meets the requirements of the Management Board of Cabinet’s Enterprise Risk Management Directive (“ERM Directive”), the Agencies and Appointments Directive (“AAD”), and the Memorandum of Understanding between the Minister of Labour and the Chair of the WSIB (“MOU”). This Policy is further guided by the risk management practices outlined in ISO 31000 and the COSO Enterprise Risk Management Guidelines.

Purpose

The purpose of this Policy is to guide the implementation of a systematic and comprehensive approach to management of risk at all levels of the organization in support of effective and efficient achievement of WSIB's stated objectives, informed decision-making, and compliance with applicable directives, laws and regulations.

Application and scope

This Policy applies to the WSIB, its Board of Directors (“Board”), its committees, management, and all employees.

Policy statement

WSIB will implement a program to manage and report on risk in support of achieving its business objectives and goals in accordance with Enterprise Risk Management (ERM) best practices and standards, provincial directives, and our Strategic Plan.

WSIB will integrate sound risk management practices into all decision-making, strategy and policy development, and operations in accordance with this Policy.

Definitions

For the purpose of this Policy:

Enterprise risk management (ERM): a proactive, systematic, organization-wide process to identify, analyze, evaluate, manage, and report on risk.

Enterprise risk management framework (ERM Framework): a set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.

ERM requirements: the set of requirements WSIB is obligated to follow in terms of its enterprise risk management approach as outlined in the Management Board of Cabinet’s Enterprise Risk Management Directive, the Agencies and Appointments Directive, and the Memorandum of Understanding between the Minister of Labour and the Chair of the WSIB.

Minister: the Minister as defined in the Workplace Safety and Insurance Act, as may be amended from time to time.

Ministry: the Ontario ministry under the direction of the Minister.

Risk: the effect of uncertainty on objectives.

Risk management process: a systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring, and reviewing risk.

Risk appetite: the types and amount of risk, on a broad level, the WSIB is willing to pursue or retain in the delivery of our organizational mandate.

Risk owner: the executive officer with delegated authority for a particular risk.

Risk register: a tool for documenting risks and associated mitigations.

Risk report: a Governance Committee-level communication mechanism to articulate risks and mitigations relative to the achievement of WSIB’s strategic objectives, issued quarterly.

Risk tolerance: the degree of variation from WSIB’s stated risk appetite that the organization is willing to accept in pursuit of its corporate objectives.

Significant Enterprise Decisions include decisions that:

  • set and/or change the WSIB’s strategy and organizational priorities;
  • materially impact WSIB’s sufficiency ratio;
  • materially impact WSIB stakeholders (i.e. employers, claimants, providers, government);
  • materially impact more than one cluster;
  • materially impact major programs, projects, or initiatives; and/or
  • could place WSIB outside of its stated risk appetite.

Requirements

1.    Guiding principles

The following principles will guide the implementation of WSIB’s ERM program:

Enterprise Risk Management:

  • Is focused on the achievement of strategic objectives;
  • Requires the active participation of senior management and staff across the organization;
  • Is driven by deliberate and dedicated communication and consultation activities;
  • Is driven by a common approach and application across the enterprise; and
  • Is tailored to the organization’s external and internal context.

2.    Enterprise risk management program

WSIB shall establish governance structures for oversight, monitoring and reporting on risk that are aligned with this policy and in compliance with the ERM Requirements. The WSIB shall adopt an ERM program that includes the following key attributes:

  • considers the capacity, mandate, objectives, activities and responsibilities of the WSIB;
  • provides a consistent discipline for managing risk through an ERM Framework, in the identification, assessment, and development of appropriate risk management plans;
  • establishes responsibility, accountability, and ownership of risks;
  • is embedded in strategic planning processes;
  • provides management and the Board with an understanding of material enterprise risks and associated potential impacts on corporate objectives;
  • maintains oversight and provides effective challenge of management’s application of the risk management process;
  • manages records to ensure an account of risk-based decisions and ERM-related materials is maintained and made available to the Ministry;
  • ensures that risks are responded to in a transparent and timely manner and are escalated as needed;
  • employs a materiality-based approach to ensure that significant enterprise decisions are risk-informed with consideration to WSIB’s risk appetite and tolerances;
  • continuously improves risk management capability and capacity; and
  • fosters a culture of risk management and risk awareness by providing guidance and expertise in support of this Policy.

3.    Risk appetite

WSIB will set its risk appetite through risk appetite statements that document and explain WSIB’s risk posture at any given point in time. Risk appetite statements shall be reviewed and approved by the Board annually. Operations and risk-based decisions will be maintained within the boundaries established by the risk appetite statements, except as authorized by the Board or through delegated authority.

4.    Corporate insurance

WSIB shall regularly review its corporate insurance requirements and shall maintain the adequate and appropriate insurance coverage that a prudent person in the business of WSIB would consider necessary. Further, WSIB shall ensure that any contractual agreements with third-party vendors or suppliers include adequate and appropriate insurance coverage to provide for loss indemnification and to support continuity of service provision.

5.    Data

WSIB will, to the extent possible, employ a data-driven approach to risk-based decision making. To do so, WSIB will leverage available data in the assessment of risks, and will apply quantitative and qualitative analysis to the identification, assessment, monitoring and reporting of risks relative to risk appetite, tolerances and corporate metrics.

6.    Roles and responsibilities

6.1.    The Board of Directors (“Board”) is responsible for:

  • issuing directives to management to ensure compliance with legislative and Treasury Board & Management Board of Cabinet policy obligations;
  • approving the Policy;
  • reviewing and approving WSIB’s risk appetite statements annually;
  • overseeing the development of an appropriate risk management framework, associated risk management plans, and arranging for risk-based reviews and audits of the WSIB as required;
  • ensuring management develops corporate strategy that is aligned with the risk appetite of the WSIB;
  • approving or delegating approval of significant enterprise decisions that may place the WSIB outside of risk appetite as escalated by the CFO; and
  • delegating specific risk management responsibilities to appropriate committees while maintaining effective oversight.

6.2.    The President and Chief Executive Officer (“CEO”) is responsible for:

  • advising the Chair on the requirements of government directives and this Policy;
  • ensuring that the Board has the required visibility into risk management activities to be able to provide effective oversight (i.e. quarterly and annual reporting);
  • recommending to the Board that adequate capacity and capability are made available to execute an ERM program for an organization of WSIB’s size and complexity; and
  • assigning risk owners to enterprise risks.

6.3.    Chief Financial Officer (“CFO”) is responsible for:

  • providing the overall leadership, guidance and direction for enterprise risk management at the WSIB and ensuring that common risk management processes and tools are in place within the organization;
  • ensuring an ERM program is implemented per the Policy;
  • establishing and applying the WSIB risk management framework and risk management plan as directed by the Board;
  • reporting regularly to the Board on issues of risk management, including risk appetite, any proposed changes to the ERM program, and significant emerging or ongoing enterprise risks;
  • ensuring the capacity and effectiveness of risk management functions to support the management of risks across the WSIB;
  • escalating to the Board, for approval, decisions made by the business that clearly deviate from established risk appetite;
  • approving corporate and third-party insurance requirements and exceptions; and
  • reporting to the Ministry on WSIB’s risk management practices.

6.4.    Corporate Risk Management Services (“CRMS”) is responsible for:

  • supporting the CFO in the development and implementation of the WSIB’s ERM program and framework to fulfil the objectives and principles outlined in the Policy;
  • maintaining a centralized enterprise risk register incorporating risk and risk assessment artefacts as a foundation for quarterly risk reporting and ongoing monitoring of key risks to the organization;
  • partnering with all lines of business to support and enable risk management activities in accordance with the Policy;
  • managing WSIB’s corporate insurance portfolio; and
  • liaising on a continual basis with 1st, 2nd, and 3rd line of defence functions on ongoing matters of risk.

6.5.    Strategy and Planning is responsible for:

  • engaging CRMS to ensure the WSIB's Strategic Plan and annual business planning process includes the identification, assessment and mitigation of risks associated with the plans.

6.6.    Enterprise Project Management Office (“EPMO”) is responsible for:

  • engaging CRMS to ensure that sound risk management practices are embedded within programs and project management approaches and reporting, and that the EPMO project gating model includes the creation and maintenance of a risk management plan and risk register consistent with the ERM Framework.

6.7.    Risk Owners are responsible for:

  • ensuring that risk management strategies are defined, documented and implemented across all clusters;
  • risk identification, assessment, reporting and management plans for business processes and risks they own;
  • working with CRMS to establish risk appetites, and risk tolerance levels and reporting for ongoing monitoring; and
  • engaging CRMS to support risk and options analysis as it relates to significant enterprise decisions.

6.8.    Corporate Business Information and Analytics (“CBIA”) is responsible for:

  • coordinating with CRMS to ensure that corporate data is made available and tailored to support quarterly risk reporting and risk-based decision support.

6.9.    All WSIB Employees are responsible for:

  • following sound risk management practices, and reporting and escalating observed risks to management and CRMS, as appropriate and in a timely manner.

Related documents

This Policy takes into account the following legislation and documents, as applicable:

  • Agencies and Appointments Directive, Management Board of Cabinet, April 2020
  • COSO Enterprise Risk Management – Integrated Framework, June 2017
  • Enterprise Risk Management Directive, Management Board of Cabinet, December 2019 (Effective April 2020)
  • Enterprise Risk Management Framework and Guidelines
  • IIA’s Three Lines Model, The Institute of Internal Auditors, 2020
  • ISO 31000:2018 Risk Management – Principles and Guidelines
  • ISO Guide 73 Risk Management – Vocabulary
  • Memorandum of Understanding between the Minister of Labour and WSIB
  • Working with Legal Services Policy