Risk Management Reporting Guideline

Established: 3 June 2015
Revised: N/A
Mandatory Review Date: 3 June 2017
Supersedes: N/A
Responsible/Originating Department: Secretariat
Executive Contact: University Secretary

Related Policies, Guidelines & Procedures:

1. Policy 11 – University Risk Management

2. Statement of Institutional Risk Appetite

3. Institutional Risk Mitigation Strategy

1. General

University of Waterloo Policy 11 – University Risk Management (the “policy”) provides the principles and framework for Risk assessment, monitoring and reporting under the University Risk Management (URM) program. This Risk Management Reporting Guideline is an integral part of the policy and provides guidance to employees assessing, monitoring and reporting Risks under the policy.

The University Secretary will initiate a review of this guideline from time to time. Proposed amendments resulting from the review will be submitted to Executive Council for endorsement. The revised guideline will be published on the website of the Secretariat and communicated to the community.

Capitalized terms used but not defined in this guideline have the meaning given to such terms in the policy.

2. Implementation of Policy 11 – University Risk Management

The University has adopted the following phased approach to implementing the assessment, monitoring and reporting requirements under the URM program:

  • From the date the policy is established (the “Establishment Date”) to the first anniversary of the Establishment Date, assessment, reporting and monitoring obligations under the policy apply to: Senior Administration; Internal Audit; Audit & Risk Committee; and the Board of Governors.
  • From the first anniversary of the Establishment Date to the second anniversary of the Establishment Date, assessment, reporting and monitoring obligations will be extended to persons reporting directly to a Senior Administrator. Each Senior Administrator will be responsible for developing and implementing his/her own assessment, monitoring and reporting requirements for his/her areas of responsibility, in accordance with the policy and consistent with these guidelines. The foregoing may include extension of assessment, reporting and monitoring obligations to employees other than those reporting directly to that Senior Administrator.

3. Risk Management Assessment and Reporting

The steps to be followed for Risk Assessment and reporting are:

Step 1: Establish the context

  • Define internal and external parameters that must be taken into consideration when assessing and managing Risk.
  • Internal parameters include: strategic objectives; critical programs/services; internal stakeholders; governance; contractual relationships; organizational competencies; culture; standards.
  • External parameters include: external stakeholders; competitors; applicable legislation; applicable government policy.

Step 2: Identify the Risks

  • Review the seven Risk categories and top thirty Risks in the Risk Registry appearing as Appendix A to this guideline for applicability to the project, decision, plan or operational activities under analysis. In the case of project-specific Risk management, the top eleven Risks, identified in the Risk Registry with an asterisk, must be considered and analysed.
  • Based on your experience, the project, decision, plan or operational activities under analysis, and the context, consider whether there are other applicable Risks.
  • In order to assist you with this exercise, you may wish to consider one of the following methods for identifying Risks: facilitated brainstorming sessions, questionnaires, workshops, data analysis, scenario planning or gap analysis.

Step 3: Analyse the Risks

  • Analyse the likelihood of occurrence of each Risk and assign a score from 1 (rare) to 5 (almost certain).
  • Analyse the consequence or impact of each Risk and assign a score from 1 (insignificant) to 5 (catastrophic).
  • Complete a Risk Impact Rating Table (Appendix B) and Likelihood Table (Appendix C) with indicators supporting each score.
  • The final rating of the Risk is obtained by multiplying the likelihood score by the consequence/impact score. Insert the Risk rating into a Risk Rating Matrix (Appendix D).

Step 4: Evaluate the Risks

  • Compare the rating for each Risk to the University's Risk Appetite for that Risk.

Step 5: Deal with the Risks

  • Sort the Risks by their Risk ratings and Risk Appetites; determine whether Risk management plans or further reporting are required, in accordance with Appendix D.
  • Risk management plans may involve: risk avoidance, risk reduction, risk acceptance, and risk sharing.
  • Risk management plans must identify the individual responsible for taking each action and monitoring the results.

Step 6: Report the Risks

  • Complete the Risk Management Reporting Template (Appendix E). This is the required format for semi-annual reporting to the Secretariat under the policy and is the recommended format for all other Risk Assessment and reporting.
  • See Appendix D for reporting obligations (escalation paths) given Risk Appetites and Risk ratings.

Appendix A

Risk Registry and Official Risk Definitions

The following table lists seven Risk categories and thirty Risks identified through a survey of senior administrators at the University. The top eleven Risks have been identified with an asterisk.

Environmental
  1. Competitor: The risk of enhanced competition or actions of new entrants to the post-secondary education sector.
  2. Government Policy*: The risk of changes in government policy regarding the post-secondary education sector.

Financial Resources
  3. Capital Availability*: The risk of insufficient capital funding of the University.
  4. Advancement*: The risk that University advancement efforts are insufficient to support ongoing fundraising.
  5. Financial*: The risk of an inadequate financial model for the University.
  6. Liquidity: The risk of unmet cash flow obligations.
  7. Interest Rate: The risk of significant and/or sudden movements in interest rates that would expose the University to higher borrowing costs, lower investment yields or decreased asset values.
  8. Credit/Default: The risk of the failure by a counter party to perform contractual obligations.
  9. Financial Instrument: The risk of unintended consequences due to excessive complexity in financial instrument structures.

Human Resources
  10. Skills and Capacity Management*: The risk of an inadequate number of skilled academic and non-academic support staff.
  11. Productivity: The risk of inefficiencies and/or lack of productivity in the delivery of the University’s programs and services.
  12. Change Readiness*: The risk of employees being unable to implement process and program/service improvements quickly enough.
  13. Accountability: The risk of a failure to establish and enforce policies, guidelines and procedures to hold employees accountable for unauthorized or unethical acts.

Leadership
  14. Management Effectiveness: The risk of employees not being enabled to fulfill their responsibilities.
  15. Decision Making: The risk of uncertainty in the scope and exercise of authority, due to ineffective reporting lines.
  16. Performance Management: The risk of inadequate and/or improperly utilized employee performance management systems.
  17. Governance: The risk of a failure to assess adequately, and (where necessary) make changes to management structures, committees and decision-making processes.
  18. Planning: The risk that the University’s planning is inappropriate, ineffective, and/or insufficiently focused on results.

Physical Plant
  19. Physical Infrastructure*: The risk of insufficient physical resources for the University’s research and teaching goals.
  20. Security: The risk of damage, injury to, or loss of students, employees and/or institutional property, due to a failure of health, safety or physical security measures.

Core Mandate
  21. Reputation*: The risk of damage to the University's reputation.
  22. Student Satisfaction: The risk of low student satisfaction.
  23. Academic Program Management: The risk that academic programming does not align with the University’s mission.
  24. Strategic Enrolment Management*: The risk of ineffective enrolment management.
  25. Resource Allocation*: The risk of ineffective allocation of resources (i.e., human, financial, physical).
  26. Research: The risk that research projects do not comply with ethical, fiduciary and regulatory standards.
  27. International: The risk of ineffectively addressing the complex cultural, competitive, regulatory and operational factors with regard to the University’s global activities.

Information Technology
  28. Confidentiality/Access: The risk of unauthorized knowledge and use of confidential information and/or breach of privacy, due to inadequate restrictions to information, or of employees precluded from performing their responsibilities, due to overly restricted access to information.
  29. Integrity: The risks associated with the authenticity and accuracy of transactions as they are input, processed, summarized and reported by information systems employed by the University.
  30. Institutional Information, Systems and Technology*: The risk of ineffectively leveraging institutional information, systems and technology.

Appendix B

Risk Impact Rating Table

The following table should be used to document a Risk impact rating. The indicators for each Risk impact rating will change depending on the project, decision, plan or operational activity under assessment, the context, and the Risk being considered. For an example of how to complete a Risk impact rating table, please see the Risk Management Website [to be created].

Rating (Risk impact, with the indicators supporting each score):
  Catastrophic 5
  Major 4
  Moderate 3
  Minor 2
  Insignificant 1

Appendix C

Likelihood Table

The following table should be used to document a Risk likelihood rating. The definitions will change depending on the project, decision, plan or operational activity under assessment, the context, and the Risk being considered. For an example of how to complete a Risk likelihood rating, please see the Risk Management Website [to be created].

Rating (Likelihood, with the indicators supporting each score):
  Almost certain 5
  Likely 4
  Possible 3
  Unlikely 2
  Rare 1

Appendix D

Risk Rating Matrix

By multiplying the results from the Risk impact rating and Risk likelihood rating, you will get a score for each Risk. The score determines the requirements for Risk management planning, monitoring and reporting.

Likelihood            Impact
                      Insignificant (1)   Minor (2)   Moderate (3)   Major (4)   Catastrophic (5)
Rare (1)              1                   2           3              4           5
Unlikely (2)          2                   4           6              8           10
Possible (3)          3                   6           9              12          15
Likely (4)            4                   8           12             16          20
Almost certain (5)    5                   10          15             20          25

Risk management planning, monitoring and reporting requirements

Each row below gives the Risk Appetite levels to which it applies, the Risk Rating range, and the Required Action.

Risk Appetite: High, Moderate or Low
Risk Rating: 16-25
Required Action: Review and action by responsible Senior Administrator. Reported by responsible Senior Administrator to president, vice-president, academic & provost and University Secretary for review and decision. If the Risk is at the institutional level and the Risk Assessment is confirmed after review, the Risk will be reported promptly to the Audit & Risk Committee and the Board of Governors. The Risk is to be included in semi-annual Risk Assessments to the University Secretary and the Risk Registry appearing as Appendix A to the Risk Management Reporting Guideline.

Risk Appetite: Moderate or Low
Risk Rating: 11-15
Required Action: Review and action by responsible Senior Administrator. Reported by responsible Senior Administrator to president, vice-president, academic & provost and University Secretary for review. If the Risk is at the institutional level and the Risk Assessment is confirmed after review, the Risk will be reported promptly to the Audit & Risk Committee, and may also be reported to the Board of Governors. The Risk is to be included in semi-annual Risk Assessments to the University Secretary and the Risk Registry appearing as Appendix A to the Risk Management Reporting Guideline.

Risk Appetite: Low
Risk Rating: 6-10
Required Action: Management, monitoring and reporting as determined by the Senior Administrator (or delegate) responsible for the project, decision, plan or operational activity under assessment.

Risk Appetite: N/A
Risk Rating: 1-5
Required Action: Requires no attention above routine practices and procedures, and monitoring.

The University Risk Appetite for any particular Risk is either Low, Moderate or High. The Risk Rating after any particular Risk assessment is positioned in the “Risk Rating” row above, and the escalation path to be followed in each case is found in the “Required Action” row.

Appendix E

Risk Management Reporting Templates

The following templates should be used for reporting on Risk Assessments and related management plans under the policy. For an example of how to complete each Risk Management Reporting Template, please see the Risk Management Website [to be created]. The top eleven Risks, identified in the Risk Registry appearing as Appendix A to the Risk Management Reporting Guideline and in this table with an asterisk, must be considered and analysed when project-specific Risk management is undertaken.

Institutional Level Risk Reporting

Template columns:
  • Risk
  • Impact
  • Likelihood
  • Risk Rating (Impact X Likelihood)
  • Risk Appetite
  • Escalation Path to Follow (See Appendix D for details)
  • Risk Management Plan/Acceptance (including individuals responsible)
  • Adjusted Risk Rating