| Established: | 3 June 2015 |
| Revised: | N/A |
| Supersedes: | N/A |
| Responsible/Originating Department: |
Office of Vice-President, Administration and Finance |
| Executive Contact: |
Vice-President, Administration and Finance |
Related Policies, Guidelines & Procedures:
1. Policy 11 – University Risk Management
2. Statement of Institutional Risk Appetite
3. Institutional Risk Mitigation Strategy
1. General
University of Waterloo Policy 11 – University Risk Management (the “policy”) provides the principles and framework for Risk assessment, monitoring and reporting under the University Risk Management (URM) program. This Risk Management Reporting Guideline is an integral part of the policy and provides guidance to employees assessing, monitoring and reporting Risks under the policy.
The Vice-President, Administration and Finance will initiate a review of this guideline from time to time. Proposed amendments resulting from the review will be submitted to Executive Council for endorsement. The revised guideline will be published on the website of the Office of Vice-President, Administration and Finance communicated to the community.
Capitalized terms used but not defined in this guideline have the meaning given to such terms in the policy.
2. Implementation of Policy 11 – University Risk Management
The University has adopted the following phased approach to implementing the assessment, monitoring and reporting requirements under the URM program:
- From the date the policy is established (the “Establishment Date”) to the first anniversary of the Establishment Date, assessment, reporting and monitoring obligations under the policy apply to: Senior Administration; Internal Audit; Audit & Risk Committee; and the Board of Governors.
- From the first anniversary of the Establishment Date to the second anniversary of the Establishment Date, assessment, reporting and monitoring obligations will be extended to persons reporting directly to a Senior Administrator. Each Senior Administrator will be responsible for developing and implementing his/her own assessment, monitoring and reporting requirements for his/her areas of responsibility, in accordance with the policy and consistent with these guidelines. The foregoing may include extension of assessment, reporting and monitoring obligations to employees other than those reporting directly to that Senior Administrator.
3. Risk Management Assessment and Reporting
The steps to be followed for Risk Assessment and reporting are:
Step 1: Establish the context
- Define internal and external parameters that must be taken into consideration when assessing and managing Risk.
- Internal parameters include: strategic objectives; critical programs/services; internal stakeholders; governance; contractual relationships; organizational competencies; culture; standards.
- External parameters include: external stakeholders; competitors; applicable legislation; applicable government policy.
Step 2: Identify the Risks
- Review the seven Risk categories and top thirty Risks in the Risk Registry appearing as Appendix A to this guideline for applicability to the project, decision, plan or operational activities under analysis. In the case of project-specific Risk management, the top eleven Risks, identified in the Risk Registry with an asterisk, must be considered and analysed.
- Based on your experience, the project, decision, plan or operational activities under analysis, and the context, consider whether there are other applicable Risks.
- In order to assist you with this exercise, you may wish to consider one of the following methods for identifying Risks: facilitated brainstorming sessions, questionnaires, workshops, data analysis, scenario planning or gap analysis.
Step 3: Analyse the Risks
- Analyse the likelihood of occurrence of each Risk and assign a score from 1 (rare) to 5 (almost certain).
- Analyse the consequence or impact of each Risk and assign a score from 1 (insignificant) to 5 (catastrophic).
- Complete a Risk Impact Rating Table (Appendix B) and Likelihood Table (Appendix C) with indicators supporting each score.
- The final rating of the Risk is obtained by multiplying the likelihood score by the consequence/impact score. Insert the Risk rating into a Risk Rating Matrix (Appendix D).
Step 4: Evaluate the Risks
- Compare the rating for each Risk to the University's Risk Appetite for that Risk.
Step 5: Deal with the Risks
- Sort the Risks by their Risk ratings and Risk Appetites; determine whether Risk management plans or further reporting are required, in accordance with Appendix D.
- Risk management plans may involve: risk avoidance, risk reduction, risk acceptance, and risk sharing.
- Risk management plans must identify the individual responsible for taking each action and monitoring the results.
Step 6: Report the Risks
- Complete the Risk Management Reporting Template (Appendix E). This is the required format for semi-annual reporting to the Office of Vice-President, Administration and Finance under the policy and is the recommended format for all other Risk Assessment and reporting.
- See Appendix D for reporting obligations (escalation paths) given Risk Appetites and Risk ratings.
Appendix A
Risk Registry and Official Risk Definitions
The following table lists seven Risk categories and thirty Risks identified through a survey of senior administrators at the University.
|
Category of Risks |
# |
Risk |
New Definitions |
|---|---|---|---|
|
Environmental |
1. |
Competitor |
The risk of enhanced competition or actions of new entrants to the post-secondary education sector. |
|
2. |
Government Policy |
The risk of changes in government policy regarding the post-secondary education sector. |
|
|
Financial Resources |
3. |
Capital Availability |
The risk of insufficient capital funding of the University. |
|
4. |
Advancement |
The risk that University advancement efforts are insufficient to support ongoing fundraising. |
|
|
5. |
Financial |
The risk of an inadequate financial model for the University. |
|
|
6. |
Liquidity |
The risk of unmet cash flow obligations. |
|
|
7. |
Interest Rate |
The risk of significant and/or sudden movements in interest rates that would expose the University to higher borrowing costs, lower investment yields or decreased asset values. |
|
|
8. |
Credit/Default |
The risk of the failure by a counterparty to perform contractual obligations. |
|
|
9. |
Financial Instrument |
The risk of unintended consequences due to excessive complexity in financial instrument structures. |
|
|
Human Resources |
10. |
Skills and Capacity Management |
The risk of an inadequate number of skilled academic and non-academic support staff. |
|
11. |
Productivity |
The risk of inefficiencies and/or lack of productivity in the delivery of the University’s programs and services. |
|
|
12. |
Change Readiness |
The risk of employees being unable to implement process and program/service improvements quickly enough. |
|
|
13. |
Accountability |
The risk of a failure to establish and enforce policies, guidelines, and procedures to hold employees accountable for unauthorized or unethical acts. |
|
|
Leadership |
14. |
Management effectiveness |
The risk of employees not being enabled to fulfill their responsibilities. |
|
15. |
Decision Making |
The risk of uncertainty in the scope and exercise of authority, due to ineffective reporting lines. |
|
|
16. |
Performance Management |
The risk of inadequate and/or improperly utilized employee performance management systems. |
|
|
17. |
Governance |
The risk of a failure to assess adequately, and (where necessary) make changes to management structures, committees, and decision-making processes. |
|
|
18. |
Planning |
The risk that the University’s planning is inappropriate, ineffective, and/or insufficiently focused on results. |
|
|
Physical Plant |
19. |
Physical Infrastructure |
The risk of insufficient physical resources for the University’s research and teaching goals. |
|
20. |
Security |
The risk of damage, injury to, or loss of students, employees and/or institutional property, due to a failure of health, safety or physical security measures. |
|
|
Core Mandate |
21. |
Reputation |
The risk of damage to the University's reputation. |
|
22. |
Student Satisfaction |
The risk of low student satisfaction. |
|
|
23. |
Academic Program Management |
The risk that academic programming does not align with the University’s mission. |
|
|
24. |
Strategic Enrolment Management |
The risk of ineffective enrolment management. |
|
|
25. |
Resource Allocation |
The risk of ineffective allocation of resources (i.e., human, financial, physical). |
|
|
26. |
Research |
The risk that research projects do not comply with ethical, fiduciary and regulatory standards. |
|
|
27. |
International |
The risk of ineffectively addressing the complex cultural, competitive, regulatory and operational factors with regard to the University’s global activities. |
|
|
Information Technology |
28. |
Confidentiality/ Access |
The risk of unauthorized knowledge and use of confidential information and/or breach of privacy, due to inadequate restrictions to information, or of employees precluded from performing their responsibilities, due to overly restricted access to information. |
|
29. |
Integrity |
The risks associated with the authenticity and accuracy of transactions as they are input, processed, summarized and reported by information systems employed by the University. |
|
|
30. |
Institutional Information, Systems and Technology |
The risk of ineffectively leveraging institutional information, systems and technology. |
Appendix B
Risk Impact Rating Table
The following table should be used to document a Risk impact rating. The indicators for each Risk impact rating will change depending on the project, decision, plan or operational activity under assessment, the context, and the Risk being considered. For example of how to complete a Risk impact rating table, please see example on the Risk Management Website.
|
Rating: |
Risk | |
|---|---|---|
| Catastrophic | 5 | |
| Major | 4 | |
| Moderate | 3 | |
| Minor | 2 | |
| Insignificant | 1 | |
Appendix C
Likelihood Table
The following table should be used to document a Risk likelihood rating. The definitions will change depending on the project, decision, plan or operational activity under assessment, the context, and the Risk being considered. For an example of how to complete a Risk likelihood rating, please see the Risk Management Website.
| Rating: | Likelihood | |
|---|---|---|
| Almost certain | 5 | |
| Likely | 4 | |
| Possible | 3 | |
| Unlikely | 2 | |
| Rare | 1 | |
Appendix D
Risk Rating Matrix
By multiplying the results from the Risk impact rating and Risk likelihood rating, you will get a score for each Risk. The score will determine requirements re: Risk management planning, monitoring and reporting.
| Likelihood | Impact | ||||
|---|---|---|---|---|---|
| Insignificant | Minor | Moderate | Major | Catastrophic | |
| Rare | 1 | 2 | 3 | 4 | 5 |
| Unlikely |
2 |
4 | 6 | 8 | 10 |
| Possible | 3 | 6 | 9 | 12 | 15 |
| Likely | 4 | 8 | 12 | 16 | 20 |
| Almost certain | 5 | 10 | 15 | 20 | 25 |
Risk management planning, monitoring and reporting requirements
| Risk Appetite | Risk Rating | Required Action |
|---|---|---|
|
High Moderate Low |
16-25 | Review and action by responsible Senior Administrator. Reported by responsible Senior Administrator to president, vice-president, academic & provost and Vice-President, Administration and Finance for review and decision. If the Risk is at the institutional level and the Risk Assessment is confirmed after review, the Risk will be reported promptly to the Audit & Risk Committee and the Board of Governors. The Risk is to be included in semi-annual Risk Assessments to the Vice-President, Administration and Finance and the Risk Registry appearing as Appendix A to the Risk Management Reporting Guideline. |
|
- Moderate Low |
11-15 | Review and action by responsible Senior Administrator. Reported by responsible Senior Administrator to president, vice-president, academic & provost and Vice-President, Administration and Finance for review. If the Risk is at the institutional level and the Risk Assessment is confirmed after review, the Risk will be reported promptly to the Audit & Risk Committee, and may also be reported to the Board of Governors. The Risk is to be included in semi-annual Risk Assessments to the Vice-President, Administration and Finance and the Risk Registry appearing as Appendix A to the Risk Management Reporting Guideline. |
|
- - Low |
6-10 | Management, monitoring and reporting as determined by the Senior Administrator (or delegate) responsible for the project, decision, plan or operational activity under assessment. |
| N/A | 1-5 | Requires no attention above routine practices and procedures, and monitoring. |
The University Risk Appetite for any particular Risk is either Low, Moderate or High. The Risk Rating after any particular Risk assessment is positioned in the “Risk Rating” column above, and the escalation path to be followed in each case is found in the “Required Action” column.
Appendix E
Risk Management Reporting Templates
The following templates should be used for reporting on Risk Assessments and related management plans under the policy. For an example of how to complete each Risk Management Reporting Template, please see the Risk Management Website. The top eleven Risks, identified in the Risk Registry appearing as Appendix A to the Risk Management Reporting Guideline and in this table with an asterisk, must be considered and analysed when project-specific Risk management is undertaken.
Institutional Level Risk Reporting
| Risk | Impact | Likelihood |
Risk Rating (Impact X Likelihood) |
Risk Appetite | Escalation Path to Follow (See Appendix D for details) |
Risk Management Plan/Acceptance (including individuals responsible) |
Adjusted Risk Rating |
|---|---|---|---|---|---|---|---|