| Established: | October 2015 |
| Revised: | N/A |
| Supersedes: | N/A |
| Responsible/Originating Department: | Office of Vice-President, Administration and Finance |
| Executive Contact: | Vice-President, Administration and Finance |
Related Policies, Guidelines & Procedures:
1. Policy 11 - University Risk Management
2. Risk Management Reporting Guideline
3. Institutional Risk Mitigation Strategy
Capitalized terms used but not defined in this Statement have the meaning given to such terms in the Policy.
1. Introduction
University of Waterloo Policy 11 – University Risk Management (the “Policy”) provides the principles and framework for Risk assessment, monitoring and reporting under the University Risk Management (the “URM”) program. The Risk Management Reporting Guideline (the “Guideline”) is an integral part of the Policy and provides guidance to employees assessing, monitoring and reporting Risks under the Policy.
This Statement of Institutional Risk Appetite (the “Statement”) is a set of principles related to appetite for risk acceptable at the institutional level, based on a consideration of the risk categories and, in some cases, individual risks identified in the Risk Registry provided in Appendix A to the Guideline. The principles outlined in this Statement have been developed by the President, the Vice-Presidents and the Vice-President, Administration and Finance, after consultation with the Audit & Risk Committee (the “Committee”) of the Board of Governors.
The Vice-President, Administration and Finance will initiate a review of this Statement on an annual basis in September, in advance of the meeting of the Committee scheduled for October each year. This Statement and any revisions will be provided to Executive Council for information, and will be published on the website of the Office of Vice-President, Administration and Finance.
This Statement may be relied upon generally for guidance in the assessment and management of risks at the local level across the University, although it is intended to apply formally when Risk at the institutional level is under consideration.
2. General Principles
The University will take a responsible approach to URM in pursuit of its strategic objectives as identified in its strategic plan. Risks will be identified, assessed and managed in a manner consistent with the Policy and the Guideline.
The appetite for risk associated with a project or operations under assessment is determined by taking into consideration the risk likelihood and the risk impact (as outlined in the Guideline). According to the Guideline, the product of the risk likelihood and the risk impact yields the risk rating. The escalation paths outlined in Appendix D to the Guideline must be followed where the Risk Rating exceeds the following thresholds related to the risk appetite established in this Statement:
Low Risk Appetite – follow appropriate escalation path where the risk rating is 6 and above
Moderate Risk Appetite – follow appropriate escalation path where the risk rating is 11 and above
High Risk Appetite – follow appropriate escalation path where the risk rating is 16 and above
The escalation path appropriate to the risk rating and the risk appetite, as indicated in the Guideline, must be followed (i) prior to taking any action on the project or operation under consideration, and/or (ii) for direction on taking corrective action.
In general terms, and subject to the specific statements of risk appetite in section 3 of this Statement, the University has a high appetite for Risk in the pursuit of innovation, transformational research, scholarship, and instructional innovation. This high appetite for Risk is consistent with the ambitions of the university as set forth in its strategic plan.
Further, and also in general terms, the University has a moderate appetite for Risk related to the student experience, and financial health and performance, and a low appetite for risks related to safety, statutory and regulatory compliance, and the exercise of fiduciary responsibility. The moderate and low appetites in these general categories are consistent with the idea of the University as a public institution, operated in the execution of a public trust and as steward of public resources, with responsibility for creating the conditions best suited to the achievement of individual and institutional success.
3. Specific Statements of Institutional Risk Appetite - Risk Categories
The following specific statements of institutional risk appetite are derived of the categories of institutional risk set forth in the Risk Registry appearing as Appendix A to the Guideline.
The categories represent seven groupings of the 30 most prominent institutional Risks identified through the University’s institutional risk survey, conducted in June of the third year in each five year strategic planning cycle. As adjustments are made in the 30 most prominent Risks, adjustments will likewise be made in the categories. Those adjustments will be reflected as necessary in the annual review of this Statement referred to in the Introduction above.
As each risk category is introduced below, a general description of the category is provided, together with a list of the institutional Risks included in the category. For definitions of each institutional Risk, please see the Risk Registry appearing as Appendix A to the Guideline. In some cases, risk appetite is simply stated based on the category as a whole. In other cases, specified Risks inside a category must be considered separately, and those are provided below in individual detail.
Category 1 – Environmental Risks
This category includes Competitor Risk and Government Policy Risk. It is distinct because the university has little conventional direct control in management of these Risks, such that mitigation plans are often characterized by anticipating and preparing for change in the environmental landscape.
Because Environmental Risks may have a significant impact on the ability of the university to meet its objectives, the university has a low appetite for Risks in this category.
Category 2 – Financial Resources Risks
This category includes Capital Availability Risk, Advancement Risk, Financial Risk, Liquidity Risk, Interest Rate Risk, Credit/Default Risk, and Financial Instrument Risk. It is distinct because it relates generally to the university’s sources of and management of financial resources. Some of the Risks in this category are beyond the conventional direct control of the university, while others can be mitigated through direct action by management.
The university has a moderate appetite for Risks in this category, recognizing in general terms (i) the regular oversight of Risks in this category by committees of the Board of Governors and management, (ii) the contemporary financial well-being of the university, and (iii) the ability of management to make adjustments in financial management on a year-by-year basis.
Category 3 – Human Resources Risks
This category includes Skills & Capacity Management Risk, Productivity Risk, Change Readiness Risk and Accountability Risk. It is distinct because it relates to the state of the university’s workforce and the major Risks related to the sustainability of productive, engaged, accountable employee groups.
The university has a moderate appetite for Risks in this category, based in large part on the historical collaboration between employee groups and management, and the demonstrated willingness to cooperate in identifying innovative solutions to challenges in the workplace.
Category 4 – Leadership Risks
This category includes Management Effectiveness Risk, Decision Making Risk, Performance Management Risk, Governance Risk and Planning Risk. It is distinct because it relates to the governance structures of the university and the effectiveness of management, working within those structures, in planning the university’s future and seeing to the execution of those plans.
The university has a low appetite for Risks in this category, primarily because the Risks associated with this category have a direct impact on the ability of management to address URM across the other categories. In other words, if the university tolerates undue risk in this category, then the ability of the university to meet the stated risk thresholds in the other categories will be jeopardized.
Category 5 – Physical Plant Risks
This category includes Physical Infrastructure Risk and Security Risk. It is distinct because it relates to the university’s physical plant and to the statutory and regulatory responsibilities of the university in managing the physical plant. In turn, managing these Risks has a direct impact on the safety and security of members of the university community and visitors to university properties.
The university has a low appetite for risks in this category. The development, maintenance and operation of the university’s physical plant, meeting or exceeding the university’s statutory and regulatory responsibilities, is central to the delivery of the university’s core mandate and vital to the safety and security of all members of the university community and visitors to university properties.
Category 6 – Core Mandate Risks
This category includes Reputation Risk, Student Satisfaction Risk, Academic Program Management Risk, Strategic Enrolment Management Risk, Resource Allocation Risk, Research Risk and International Risk. While this category is distinct in grouping Risks related clearly to the execution of the university’s core mandate, Risks inside the category must be considered in sub-groups because of their separate significance.
The university has a low appetite for Reputation Risk. Preserving the university’s reputation has a direct impact on the accomplishment of many of the key objectives of the university, and it must be managed with that in mind.
The University has a low appetite for Research Risk, based as that risk is on compliance by the University with ethical, fiduciary and regulatory standards.
The university has a moderate appetite for Student Satisfaction Risk, Strategic Enrolment Management Risk, Resource Allocation Risk, and International Risk. While aspects of activities contemplated by these Risks relate directly to the ability of the university to pursue its key objectives, mitigation strategies for these Risks are understood to be largely within the control of management.
The university has a high appetite for Academic Program Management Risk. It is in areas of activity contemplated by this Risk that the University’s focus on innovation in general, transformational research, scholarship, and instructional innovation is found, and the tolerance of a high level of Risk in these areas is consistent with the University’s ambitions as stated in its strategic plan.
Category 7 – Information Technology Risks
This category includes Confidentiality/Access Risk, Integrity Risk, and Institutional Information Systems & Technology Risk. It is distinct in that all Risks in this category can be mitigated through enhancements to technology and the processes by which technology is used and managed.
The university has a low appetite for Confidentiality/Access Risk. This Risk relates directly to the University’s legal compliance obligations with respect to freedom of information and protection of privacy, and can relate to the safety and security of members of the University community.
The university has a low appetite for Integrity Risk, and Institutional Information Systems & Technology Risk. In general, the University relies on the management of Integrity Risk to ensure that other Risks, including but not limited to those in Category 2 – Financial Resources Risks and Category 3 – Human Resources Risks, are properly controlled, and for that reason Integrity Risk must be kept to a low appetite. Further, Institutional Information Systems & Technology Risk contemplates the use of information technology in service of the achievement of the core mission of the University through teaching, learning and research.