Established: 3 June 2015
Revised: N/A
Supersedes: N/A
Responsible/Originating Department: Office of Vice-President, Administration and Finance
Executive Contact: Vice-President, Administration and Finance
Related Policies, Guidelines & Procedures:
1. Policy 11 – University Risk Management
2. Statement of Institutional Risk Appetite
3. Institutional Risk Mitigation Strategy
1. Overview
The Chief Risk Officer (CRO) oversees the Office of Risk Management and Compliance (ORMC) at the University of Waterloo. The ORMC leads, defines, and manages risk management in order to establish a strategic and operational risk approach that supports the institution in meeting its objectives and legislative requirements. This includes implementing an Enterprise Risk Management (ERM) framework and developing a risk-aware culture through the established University Risk Management Program (URM).
To support the ORMC and the development, oversight and reporting of risks across the institution, a Risk Management Committee (RMC) was implemented in 2024, composed of senior risk leaders, who are Senior Administrators, from across the University. The RMC is accountable for advancing risk management. This includes implementing an ERM framework and developing a risk-aware culture.
The CRO, on behalf of the RMC, reports regularly to the President and Vice-Presidents (PVP) and the Audit & Risk Committee of the Board of Governors on the risk framework, reported enterprise risks and associated mitigation strategies.
2. General
Risk identification, assessment, management and reporting across the institution plays a crucial role in enterprise risk management. The University of Waterloo Policy 11 – University Risk Management (the “policy”) provides the principles and framework for risk assessment, monitoring and reporting under the University Risk Management (URM) program. This Risk Management Reporting Guideline is an integral part of the policy and provides guidance to employees assessing, monitoring and reporting risks.
3. Three Lines of Defence
To support the risk policy, the URM program incorporates the three lines of defence model. The model is a risk management framework that helps organizations identify and manage risks.
- First line: Management and individuals have the primary responsibility to own and manage risks associated with day-to-day business and operational activities. This includes designing, implementing, and assessing controls to mitigate risks.
- Second line: Risk Management (ORMC) monitors the first line, defines risk tolerance and sets risk policy. It enables identification of risks at operational and enterprise levels, provides tools and techniques to support risk and compliance management, and provides risk consultation to stakeholders as needed.
- Third line: Internal Audit supports risk management and provides objective and independent assurance to management and the board to assess whether the first and second lines are operating and functioning effectively. Internal Audit uses a systematic approach to evaluate and improve the effectiveness of risk management, controls, and governance processes.
As part of the first line of defence, all employees (including, without limitation, Senior Administration) are responsible for day-to-day risk management, control and reporting within the scope of their employment responsibilities, and as directed by the Senior Administrator (or delegate) to whom they report. Each Senior Administrator or his/her respective delegates are responsible for developing and implementing business processes, controls and operating policies, to manage risk within their areas of responsibility. In addition, as part of the first line of defence, Senior Administrators will be responsible for developing and implementing risk assessment, monitoring and reporting requirements for their areas of responsibility, in accordance with the policy and consistent with these guidelines. The foregoing may include extension of assessment, reporting and monitoring obligations to employees other than those reporting directly to a Senior Administrator.
Senior Administrators should report enterprise risks to the ORMC and/or CRO. The ORMC can assist the first line of defence with the assessment of enterprise, project, decision, plan or operational activities under analysis. In addition, any staff, faculty, students, volunteers and board members can inform the ORMC of any risk concerns and/or if risk consultation is required.
Office of Risk Management and Compliance: orc@uwaterloo.ca
4. Risk Assessment and Reporting
The steps to be followed for risk assessment and reporting are:
Step 1: State the objective(s)
- Understand the objectives of the institution, unit, process, program or project being assessed.
- Objectives should be SMART: Specific, Measurable, Achievable, Realistic, Time Scaled
- Define internal and external parameters that must be taken into consideration when assessing and managing risks associated with the objective(s).
- Internal parameters include strategic objectives; critical programs/services; internal stakeholders; governance; contractual relationships; organizational competencies; culture; standards.
- External parameters include external stakeholders; competitors; applicable legislation; applicable government policy.
Step 2: Identify the Risk(s)
- Identify any risk(s) to the objective(s).
- Review and utilize the risk categories in Appendix A to this guideline for applicability to the project, decision, plan or operational activities under analysis.
- Based on your experience, the project, decision, plan or operational activities under analysis, and the context, consider whether there are other applicable risks.
- In order to assist you with this exercise, you may wish to consider one of the following methods for identifying Risks: facilitated brainstorming sessions, questionnaires, workshops, data analysis, scenario planning or gap analysis.
Step 3: Assess and Evaluate the Risk(s)
- Analyse the likelihood of occurrence of each risk and assign a score from 1 (unexpected) to 5 (almost certain).
- Analyse the consequence or impact of each risk and assign a score from 1 (insignificant) to 5 (catastrophic).
- Complete a Risk Impact Rating Table (Appendix B) and Likelihood Table (Appendix C) with indicators supporting each score.
- The final rating of the risk is obtained by multiplying the likelihood score by the consequence/impact score. Insert the risk rating into a Risk Rating Matrix (Appendix D).
- Risks should be assessed for both inherent and residual risk to fully understand the effectiveness of current controls and the current potential exposure. The scores submitted should be based on residual risk. Residual risk is the risk that remains after all possible measures have been taken to mitigate or eliminate a particular risk.
Step 4: Plan and Take Action on the Risk(s)
- Make appropriate decisions on risks and put plan(s) into action.
- Risk management actions include Accept/Avoid/Transfer/Reduce.
- Prioritize the risks by their risk ratings for reporting and the allocation of resources.
- Risk management plans must identify the individual responsible for taking each action and the target date for completion.
Step 5: Monitor and Report
- Closely monitor the action plans and results by periodically updating and reporting on the progress of the residual risk and action plan(s).
- Utilize the Risk Register (Appendix E) to track, score, and update risks.
- See Appendix D for reporting escalation paths based on risk ratings.
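The scoring rules in Steps 3 to 5 can be applied mechanically to a risk register. The following Python snippet is an added worked example and is not a tool published by the University of Waterloo or the ORMC; it assumes a simple data model in which each risk carries an inherent and a residual assessment, each made up of a likelihood score (1 to 5) and one impact score per Appendix B category (1 to 5), with the overall impact taken as the highest category score and the rating computed as likelihood multiplied by impact. The sample risks, owners and dates are constructed for illustration. The escalation thresholds of Appendix D are not reproduced on this page, so they are not modelled.

```python
from dataclasses import dataclass, field

# Scales as given in Step 3 of the guideline (both axes run from 1 to 5).
LIKELIHOOD = {1: "Unexpected", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
# Impact categories listed in Appendix B.
IMPACT_CATEGORIES = ("Financial", "Safety", "Reputation", "Operational",
                     "Student Experience & Success")


def check_score(score: int) -> int:
    """Reject anything that is not an integer from 1 to 5."""
    if not isinstance(score, int) or not 1 <= score <= 5:
        raise ValueError(f"score must be an integer from 1 to 5, got {score!r}")
    return score


@dataclass
class Assessment:
    """One likelihood/impact assessment, used for both inherent and residual risk."""
    likelihood: int
    impacts: dict  # Appendix B category -> score 1..5

    def __post_init__(self):
        check_score(self.likelihood)
        unknown = set(self.impacts) - set(IMPACT_CATEGORIES)
        if unknown:
            raise ValueError(f"unknown impact categories: {sorted(unknown)}")
        for value in self.impacts.values():
            check_score(value)

    def impact(self) -> int:
        # Appendix B: the highest category score is the overarching impact score.
        return max(self.impacts.values())

    def rating(self) -> int:
        # Step 3: rating = likelihood x consequence/impact, giving 1..25.
        return self.likelihood * self.impact()


@dataclass
class Risk:
    name: str
    category: str          # Appendix A category of risk
    inherent: Assessment   # before current controls
    residual: Assessment   # after current controls (the score that is reported)
    owner: str             # Step 4: individual responsible for the actions
    target_date: str       # Step 4: target date for completion
    actions: list = field(default_factory=list)

    def control_effect(self) -> int:
        """How much the current controls reduce the rating (inherent minus residual)."""
        return self.inherent.rating() - self.residual.rating()


def prioritize(register):
    """Step 4: order by residual rating, highest first; ties broken by inherent rating."""
    return sorted(register,
                  key=lambda r: (r.residual.rating(), r.inherent.rating()),
                  reverse=True)


def register_report(register):
    """Step 5: one summary line per risk, in priority order."""
    lines = []
    for r in prioritize(register):
        res = r.residual
        lines.append(
            f"{r.name} [{r.category}] residual {res.rating()} "
            f"(L{res.likelihood} {LIKELIHOOD[res.likelihood]} x I{res.impact()} {IMPACT[res.impact()]}), "
            f"inherent {r.inherent.rating()}, controls -{r.control_effect()}; "
            f"owner {r.owner}, due {r.target_date}")
    return lines


def sample_register():
    """Constructed sample risks (hypothetical values, not University data)."""
    return [
        Risk("Ransomware outage of learning platform", "Information Technology",
             Assessment(4, {"Operational": 5, "Reputation": 4, "Financial": 3,
                            "Student Experience & Success": 5}),
             Assessment(2, {"Operational": 4, "Reputation": 3, "Financial": 2,
                            "Student Experience & Success": 4}),
             owner="Director, IT Security (hypothetical)", target_date="2025-12-31",
             actions=["Reduce: offline backups and restore tests"]),
        Risk("Research grant revenue shortfall", "Financial",
             Assessment(3, {"Financial": 4, "Operational": 3}),
             Assessment(3, {"Financial": 3, "Operational": 2}),
             owner="Associate VP, Research (hypothetical)", target_date="2026-03-31",
             actions=["Accept: monitor quarterly"]),
        Risk("Lab chemical exposure", "Health & Safety",
             Assessment(3, {"Safety": 5, "Reputation": 3}),
             Assessment(1, {"Safety": 4, "Reputation": 2}),
             owner="Safety Office (hypothetical)", target_date="2025-09-30",
             actions=["Reduce: fume hood inspections"]),
    ]


if __name__ == "__main__":
    for line in register_report(sample_register()):
        print(line)
```

Note that the risk with the highest inherent rating (the platform outage, 20) drops to second place on residual rating once its controls are counted, which is why the guideline asks for both scores: the residual rating drives prioritization and reporting, while the gap between the two shows how much the current controls are worth.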
Appendix A
Risk Registry and Official Risk Definitions
The following table lists risk categories to support the risk identification and reporting phases. Risk categories provide a structured, systemic approach to identifying, managing, and mitigating potential risks.
Category of Risk | Definition
Financial | The risk of losing revenue and/or incurring costs. This risk category may include Capital Availability Risk, Advancement Risk, Financial Risk, Liquidity Risk, Interest Rate Risk, Credit/Default Risk, and Financial Instrument Risk. It is distinct because it relates generally to the university’s sources of and management of financial resources. Some of the Risks in this category are beyond the conventional direct control of the university, while others can be mitigated through direct action.
Strategic | The potential for the University to fail to achieve its short and/or long term objectives and goals due to internal and external factors. This may include market competition, and inadequate planning and/or responses.
Operational | Potential loss resulting from inadequate or failed internal controls and processes. This includes Physical Infrastructure Risk.
People | This risk category relates to the state of the university’s workforce and the major risks related to the sustainability of productive, engaged, accountable employee groups. In addition, this category includes leadership risk. It is distinct because it relates to the governance structures of the university and the effectiveness of management, working within those structures, in planning the university’s future and seeing to the execution of those plans.
Information Technology | The potential harm or loss resulting from the misuse, destruction, or unauthorized access to data or systems, including scenarios such as cyberattacks, data breaches, and system failures.
Compliance | The risk of failing to comply with government regulations and/or defined internal policies and rules.
Health & Safety | Risk that a person may be harmed or suffer adverse health effects, whether physical and/or mental.
Appendix B
Risk Impact Rating Table
The following table should be used to document a Risk impact score. The indicators for each Risk impact score will change depending on the current controls, strategy or operational activity under assessment, the context, and the Risk being considered (residual).
The risk impact score should be based on 5 potential categories:
Financial, Safety, Reputation, Operational, and Student Experience & Success.
Assign an impact score for each impact category. The highest score should be used for the overarching impact score.
Rating | Financial | Safety | Reputation | Operational | Student Experience & Success
5 - Catastrophic | | | | |
4 - Major | | | | |
3 - Moderate | | | | |
2 - Minor | | | | |
1 - Insignificant | | | | |
Appendix C
Likelihood Table
The following table should be used to document a Risk likelihood score. The score will change depending on the current controls, project, decisions, strategy, plan or operational activity under assessment, the context, and the Risk being considered (residual).
Likelihood |
5 - Almost certain |
4 - Likely |
3 - Possible |
2 - Unlikely |
1 - Unexpected |