Policy 11 - University Risk Management

The policies found on the website of the Secretariat are compulsory rules for the University community. The authoritative copies of the policies are held by the Secretariat and bear the seal of the University. The online version accessible through the website of the Secretariat is available for information purposes only. In case of discrepancy between the online version and the authoritative copy held by the Secretariat, the authoritative copy shall prevail. Please contact the Secretariat for assistance if necessary.

Established:

27 May 2015

Revised:

N/A

 

29 June 2023. Amended, official titles only.

Supersedes:

N/A

Class:

G

Responsible/Originating Department:

Office of Vice-President, Administration and Finance

Executive Contact:

Vice-President, Administration and Finance

Related Policies, Guidelines & Procedures:

  1. University Risk Management Reporting Guideline
  2. Statement of Institutional Risk Appetite
  3. Institutional Risk Mitigation Strategy
  4. Statutory Compliance Statement
  5. Policy 34 – Health, Safety and Environment
  6. Policy 60 – University of Waterloo Emergency Response

1. Introduction

The University of Waterloo has adopted a formal University Risk Management (URM) program that adheres to best practices in risk management for leading institutions of like size and complexity. This policy outlines the scope, principles, and roles and responsibilities of University employees under the URM program. The University Risk Management Reporting Guidelines are an integral part of the policy and provide guidance to employees assessing, monitoring and reporting Risks under the policy.

For the purposes of this policy, “Risk” means the chance of occurrence of an event or trend that will have a negative impact on operations or fulfillment of objectives at the institutional, academic unit and/or academic support unit levels.

Note: Other capitalized terms used herein have the meanings given to such terms in Appendix A.

2. Scope

This policy applies to all University employees with respect to Risks to be managed and reported in accordance with this policy.

3. Legal framework

The URM program relates to a wide set of statutes and regulations, in particular, those monitored by the University through its Statutory Compliance Program. If any of these legal provisions are modified, abrogated, superseded, or added to, the policy shall be interpreted in accordance with the new legal framework.

4. Purpose

The purpose of this policy is to:

  • document the framework within which Risk is managed at the University;
  • assist with effective management and control across all categories of Risks; and
  • assist the University in maintaining an effective distinction among those involved in: taking and managing Risk; establishing Risk policy, processes, and standards; and providing assurance that significant Risks are identified, assessed, mitigated and appropriately monitored and reported.

5. University Risk Management Framework

5.1. General Framework

The URM program governance framework involves the following distinct functions for those involved in URM:

  • All employees (including, without limitation, Senior Administration) are responsible for day-to-day Risk management, control and reporting within the scope of their employment responsibilities, and as directed by the Senior Administrator (or his/her delegate) to whom they report.
  • Each Senior Administrator or his/her respective delegates are responsible for developing and implementing business processes, controls and operating policies, consistent with this policy, to manage Risk within his/her areas of responsibility.
  • The Vice-President, Administration and Finance is responsible for the development, communication and periodic review of the URM program, this policy, and guidelines, procedures and standards to support compliance with this policy. The Vice-President, Administration and Finance directs the oversight of the URM program. Oversight is carried out by Senior Administration and their delegates through the reporting and monitoring functions set forth in this policy.
  • Internal Audit provides independent review and testing with respect to Risk management and control at the University within the scope of their engagement.
  • Audit & Risk Committee oversees the URM program on behalf of the Board of Governors in accordance with its terms of reference.
  • Board of Governors receives reports from Audit & Risk Committee and directs the President and Vice-President, Administration and Finance with respect to governance, administration, and significant non-compliance with the URM program.

5.2. Risk Assessment

5.2.1. University-wide Risk Assessment. Twice per year, the University will conduct a University-wide Risk Assessment at the institutional-level and report the results of such Risk Assessment to the Audit & Risk Committee. The University-wide Risk Assessment will take into consideration the information and documentation set forth in the University Risk Management Reporting Guidelines.
5.2.2. Plan, Decision, Project or Operations Specific Risk Assessment. University employees are expected to conduct Risk Assessments as part of planning, decision-making, project-related and other operational activities. Employees are encouraged to consult the University Risk Management Reporting Guidelines for information and assistance. The results of these Risk Assessments will be tracked and reported in accordance with section 6 below.
5.2.3. Identification of New or Emerging Risks. Risks identified through the University-wide Risk Assessment process which are not already listed in the Risk Registry will be reviewed by the Vice-President, Administration and Finance in conjunction with the individual or unit that identified the Risk to determine whether this is a new or emerging Risk that should be added to the University Risk Registry. New or emerging Risks identified at the plan, decision, project or operational level should be tracked and reported in accordance with section 6 below.

5.3. Risk appetite, risk management measures and acceptance of risk

5.3.1. Risk Appetite. Senior Administration will develop and review, on an annual basis, an institutional-level Risk Appetite, taking into consideration the University’s objects as set forth in The University of Waterloo Act, 1972, its strategic plan, its financial position, its role as a steward of public funds, and applicable law. The University’s Risk Appetite will be presented to the Audit & Risk Committee each year in conjunction with the University-wide Risk Assessment.
5.3.2. Risk Management Measures. If a Risk’s rating, as assessed through the Risk Assessment process, exceeds the University’s Risk Appetite, then a Risk management plan must be developed to manage the Risk. Each Risk management plan must identify the employee responsible for ensuring that the plan is implemented.
5.3.3. Acceptance of Risk. If a Risk exceeds the University’s Risk Appetite despite the Risk management plan developed in accordance with section 5.3.2., the Risk will be reported and/or a decision will be made in accordance with the Risk Rating Matrix. Decisions to accept Risks in excess of the University’s Risk Appetite must be included in the University-wide Risk Assessments delivered to the Audit & Risk Committee.

5.4. Reporting

The reporting obligations of those involved in the URM program are outlined in section 6 of this policy. Reporting is the foundation of the monitoring and compliance elements of the URM program, and, as such, should be as timely, complete and accurate as possible. Please consult the University Risk Management Reporting Guidelines for guidance on how to complete reports referred to in this policy.

5.5. Monitoring and compliance management

The monitoring and compliance management obligations of those involved in the URM program are outlined in section 6 of this policy. Monitoring and compliance management activities rely on reporting by University employees, oversight by Senior Administration, oversight and direction by the Vice-President, Administration and Finance, independent review and testing by Internal Audit, and independent oversight by the Audit & Risk Committee and the Board of Governors.

6. Roles and responsibilities: reporting, monitoring and compliance management

6.1. Board of Governors

The University Board of Governors:

  • Oversees the URM program at the highest level;
  • Receives reports from the Audit & Risk Committee; and
  • Directs the President and the Vice-President, Administration and Finance with respect to issues of governance, administration, and significant non-compliance with this policy.

6.2. Audit & Risk Committee

The Audit & Risk Committee:

  • Provides more in-depth oversight of the URM program on behalf of the Board of Governors;
  • Reviews the policy, recommends revisions to the Vice-President, Administration and Finance, and recommends adoption to the President;
  • Receives semi-annual University-wide Risk Assessments from the Vice-President, Administration and Finance prepared in accordance with section 5.2.1.;
  • Receives an annual report concerning the institutional-level Risk Appetite in accordance with section 5.3.1.;
  • Receives reports on significant non-compliance with this policy;
  • Receives other reports regarding Risk management and control from the University and Internal Audit per its terms of reference; and
  • Reports to the Board of Governors per its terms of reference.

6.3. Internal Audit

Internal Audit:

  • Conducts independent reviews to assess compliance with this policy and the adequacy of URM program processes and controls implemented by the University, per its engagement with the University;
  • Reports its observations and recommendations to the Vice-President, Administration and Finance and the Audit & Risk Committee; and
  • Monitors the University’s responses to and implementation of its recommendations.

6.4. Vice-President, Administration and Finance

The Vice-President, Administration and Finance:

  • Directs URM oversight activities at the university-level;
  • Receives semi-annual University-wide Risk Assessments from Senior Administration prepared in accordance with section 5.2.1.;
  • Delivers a consolidated University-wide Risk Assessment to the Audit & Risk Committee twice per year;
  • Manages the process by which the annual report concerning the institutional-level Risk Appetite is developed in accordance with section 5.3.1 and delivers a report to the Audit & Risk Committee;
  • Maintains the Risk Registry;
  • Reports significant non-compliance with this policy to the Audit & Risk Committee, if and when it arises; and
  • Delivers other reports to the Audit & Risk Committee in accordance with the committee work plan, terms of reference and this policy.

6.5. Senior Administration

Senior Administration:

  • Directs oversight activities within their areas of responsibility;
  • Receives semi-annual University-wide Risk Assessments from their direct reports;
  • Delivers a consolidated University-wide Risk Assessment to the Vice-President, Administration and Finance twice per year;
  • Participates in the annual process to establish the institutional-level Risk Appetite;
  • Reports significant non-compliance with this policy to the Vice-President, Administration and Finance, if and when it arises; and
  • Actively monitors the Risk Registry for new Risks and implementation of Risk management plans for which they are responsible.

6.6. All University employees

All employees (including, without limitation, Senior Administration):

  • Are responsible for day-to-day Risk management and control within the scope of their employment responsibilities, and as directed by the Senior Administrator to whom they ultimately report;
  • Are expected to conduct Risk Assessments as part of planning, decision-making, project-related and other operational activities; and
  • Deliver Risk management reports as directed by the Senior Administration to whom they ultimately report.

Appendix A

Definitions

In this policy, the following terms shall have the following meanings:

“Risk” has the meaning set forth in section 1 of the policy.

“Risk Appetite” means the level of Risk in any particular case that the University is prepared to accept before action is deemed necessary to manage that Risk.

“Risk Assessment” means the identification of Risks and the evaluation of the quantitative or qualitative nature of Risks related to a specific situation and recognized as a threat, performed by means of tools developed by the University (such as the Risk Registry and the Risk rating matrix).

“Risk Registry” means the official record of Risks and related Risk categories facing the University, as established through the Risk Assessment process undertaken pursuant to this policy.

“Senior Administration” (each a “Senior Administrator”) means the Vice-Presidents and the University Secretary, and will include the President for sections 5.3.1. and 5.3.3., and to the extent primary responsibility for an initiative or operations has not been delegated to another Senior Administrator.

“Statutory Compliance Program” means the observance by the University of its statutory and regulatory obligations.

“URM” means a systematic process for University Risk management, by which Risk from all sources is assessed and addressed.