Threshold for Risk

The Canada Revenue Agency used a risk exposure and tolerance tool to implement and measure changes during the global health crisis.


When the World Health Organization declared COVID-19 a pandemic in March 2020, the day-to-day business processes for all organizations rapidly and completely changed. Virtually overnight, organizations such as the Canada Revenue Agency (CRA) had to implement important, strategic operational changes to carry on with business amidst a global health crisis.

To support individuals and businesses facing economic hardship as a result of the pandemic, the Government of Canada created several new tax and benefits programs that the CRA was responsible for administering. To ensure it was well-positioned to support individuals and businesses during the pandemic, the CRA had to increase its tolerance of risk and adjust controls appropriately. This adjustment presented an opportunity to evaluate whether these changes to tolerance levels added value to the organization. When the crisis is over and regular business resumes, should the CRA revert to its previous practices or should these crisis practices become the new normal?

To help answer this question, the CRA’s Audit, Evaluation, and Risk Branch developed the Risk Exposure and Tolerance Assessment (RETA) tool, which allows users to input risk-related information under three different scenarios: pre-COVID-19, present situation, and post-COVID-19. Based on the information, users then receive objective, quantitative results pertaining to the levels of risk tolerance and exposure, as well as a recommendation on the sufficiency of controls. Combining the power of internal auditing and enterprise risk management into one tool can help the CRA improve the effectiveness of its risk management practices. 


The RETA tool was adapted from a simpler Risk Tolerance Tool in response to the shift in the risk environment generated by the pandemic and the implementation of the CRA’s COVID-19 business continuity plan. The RETA tool distinguishes itself from its predecessor in two ways. First, it considers the entire risk landscape, both risk exposure and risk tolerance, by quantifying three risk exposure elements: 

Likelihood — the chance of the risk materializing in the absence of controls.

Impact — the extent to which the risk will affect the organization if it does materialize.

Control effectiveness — the extent to which the controls in place will affect the likelihood and impact of the risk.

Second, the tool provides an evolutionary look at the risk landscape through three different time periods: before, during, and after implementation of the COVID-19 business continuity plan. This analysis allows users to identify what changes occurred to the risk landscape and whether those changes should remain in place moving forward. 

Like the Risk Tolerance Tool, the RETA tool quantifies risk tolerance by assigning a value to three elements: 

Maturity — the organization’s experience dealing with the risk.

Sensitivity/criticality — the potential level of sensitivity of the general public and media, if the risk were to materialize, and whether the risk affects critical services.

Span of control — the level of control the organization has over the risk.


The RETA tool uses a scale of 1 (very low) to 5 (very high) to quantify the elements of risk exposure (likelihood, impact, and control effectiveness) and risk tolerance (maturity, sensitivity, and span of control). The elements are quantified as: 

Risk exposure = [likelihood] x [impact] x [control effectiveness]

  • Likelihood: 1 to 5 (very low to very high).
  • Impact: 1 to 5.
  • Control effectiveness: 1 to 5.

Risk tolerance = [maturity] x [sensitivity/criticality] x [span of control] 

  • Maturity: 1 to 5. 
  • Sensitivity/criticality: 1 to 5.
  • Span of control: 1 to 5.

The tool calculates an overall score and corresponding recommendation by subtracting the risk tolerance from the risk exposure score. The higher the overall score, the more attention the risk requires. The tool generates a different recommendation depending on the overall score (see “RETA Scoring Recommendations” below).


The tool can be used to analyze any risk. The “RETA Tool Preview,” below, illustrates how the tool could be used to analyze the risk that employees do not adhere to Corporate Policy XYZ, potentially causing harm to the organization. 

Step 1: The tool first establishes specific risks over the three time periods: pre-COVID-19, present situation, and post-COVID-19. The user identifies a risk statement, which remains the same throughout each time period. By numbering the risks and ensuring that the risk statements are consistent throughout the three time periods, the tool allows the user to better analyze the effects of ongoing changes to the risks over time.

Step 2: The user inputs the elements used to calculate the risk exposure score: risk likelihood, risk impact, identified controls, and control effectiveness.

There can be no changes to the risk exposure over the time periods. For instance, the risk impact of employees not adhering to Corporate Policy XYZ is “High” at all three points in time, but the level of control effectiveness varies with the modification of the identified controls (from “Very High” to “Moderate” to “High”). These elements are quantified and generate the risk exposure score. 

Step 3: The user inputs the elements used to calculate the risk tolerance score: maturity, sensitivity/criticality, and span of control.

There can be no changes to the tolerance level over time, regardless of the controls in place. 

Step 4: Once the risk exposure and risk tolerance scores are calculated, the RETA tool will automatically generate the overall score and a corresponding recommendation.

As seen in the “RETA Tool Preview,” the overall scores from the three different time periods vary. The risk (data interception) remains the same, but as controls change, so does the recommendation.

The RETA tool provides an understanding of the risk landscape associated with the adjustments made by the CRA in response to the pandemic. It also provides a discussion point: If the generated recommendation is similar to, or better than, the risk mitigation strategy before the pandemic, then the CRA need not de facto revert to its previous practices. This tool enables the CRA to apply positive changes that occurred in the risk landscape throughout the pandemic to be more agile with its processes and decision-making. 


The CRA has used the RETA tool to inform its decision-making in a wide variety of circumstances beyond the pandemic. For example, the RETA tool’s use during the risk assessment for the amalgamation of two of CRA’s regions helped equip CRA’s management with knowledge of the current and future risk environment as they worked to ensure the new governance structure could best meet the needs of their employees and the Canadians they serve. 

The RETA tool has been shared with other departments within the Government of Canada and with the international internal audit community via the Organisation for Economic Co-operation and Development (OECD), and it has been endorsed by the Office of the Comptroller General. In addition, the OECD developed a tool based on the RETA tool through which tax administrations can explore remote working risks and the associated mitigation strategies.

Furthermore, the CRA has presented the RETA tool at the Strategic Risk Council, the OECD Forum on Tax Administration (FTA) Risk and Assurance Workshop, the International Public Sector Fraud Forum, the FTA Chief Audit Executive International Working Group Workshop, and the IIA Canada National Conference.

COVID-19 saw the need for organizations across all sectors to shift their priorities to provide goods, services, and support to Canadians during an unprecedented crisis. The CRA has had to better understand its risks, be conscious of its tolerance as risks evolve, and generally increase its risk literacy. Rather than reverting to previous practices, the CRA has an opportunity to identify whether short-term changes could add value to its operations if adopted for the long term. In the midst of an ever-changing and unpredictable environment, the RETA tool enables the CRA to quantitatively assess and address new and evolving risks, and ultimately, increase its service efficiency. 

Louis Seabrooke, CIA, CPA, CA, director general of the Internal Audit and Evaluation Directorate at the CRA in Ottawa, and a 2014 Internal Auditor magazine Emerging Leader, contributed to this article.

Mourad Nizar
Bryan Brady
Jessie Mak

About the Authors



Mourad Nizar, CISA, is the director, professional practices and data analytics, at the CRA in Ottawa.

Bryan Brady, CPA, is the assistant director, professional practices, at the CRA in Ottawa.

Jessie Mak, CIA, is an internal audit project leader at the CRA in Ottawa.

