Institutional Risk Programs Frequently Asked Questions

Frequently asked questions

What is Risk?

By definition, Risk is the chance of occurrence of an event or trend that will have a negative impact on operations or fulfilment of objectives at the institutional, academic unit and/or academic support unit levels.

For more information, see the definitions page.

What is an example of a Risk?

Something as simple as a student walking on campus carries potential Risk. For example, in Appendix A, students having bad experiences while walking on campus could reduce student satisfaction (Risk #22 in the institutional Risk Registry).

How does the University determine what a Risk is?

At the institutional level, the University manages Risk through its Internal Audit, Statutory Compliance and University Risk Management Programs. Based on the University Risk Management Program, the University decides which reviews internal audit conducts, and it monitors Risk through the Statutory Compliance Program.

Throughout the University, many other Risk management activities take place, for example in insurance, legal and immigration services, occupational health, the safety office and information systems & technology services. Several bridges connect those activities to the Institutional Risk Management Programs; together they constitute the overall Risk framework of the University.

Why doesn't the University simply eliminate all Risks?

Risk cannot be eliminated, but it can be reduced to an acceptable level. Every decision creates opportunity, because it brings the University closer to fulfilling the goals of its Strategic Plan. However, Risk may emerge because alternative choices are forgone when a decision is made, or because the processes involved in carrying out and achieving those goals create other Risks.

What are the steps to assessing Risk?

The process of assessing Risk can be extensive. However, there are six major steps to be followed for Risk Assessment and reporting:

  • Step 1: Establish the context.
  • Step 2: Identify the Risks.
  • Step 3: Analyze the Risks.
  • Step 4: Evaluate the Risks.
  • Step 5: Deal with the Risks.
  • Step 6: Report the Risks.

For more information, see the Risk Management Reporting Guideline about the steps to assess Risks.

How is Risk reported and to whom?

As per Policy 11, senior administration (the President, vice-presidents and University Secretary) reports to the Audit & Risk Committee twice per year. Each Risk is assessed relative to the Risk Appetite and tracked until it returns below the Risk Appetite, followed by one additional year of monitoring.

Are there any positive Risks?

“Risk” typically has a negative connotation when associated with Institutional Risk Programs. However, Risk can be positive. For purposes of the Institutional Risk Program, a positive Risk is defined as the chance of occurrence of an event or trend that will have a positive impact on operations or fulfilment of an objective at the institutional, academic unit and/or support unit levels.
For example, the chance of being able to adjust the funding of a project is a positive Risk: if the adjustments succeed, the project may finish under budget, leaving funds available. Strictly speaking, completing a project with unspent funds can signal mismanagement; however, the long-term impact of having those funds benefits the University as a corporation, which makes it a positive Risk.

Is enterprise risk management regulated?

Enterprise Risk Management (ERM) is not regulated in Canada, with the exception of Alberta. The University of Waterloo’s Audit & Risk Committee oversees ERM. While the Committee does not report to the government on Risk management, it operates within the parameters of Policy 11 – University Risk Management and of its mandate (the Audit & Risk Committee’s resolution).

The University’s ERM Program is called University Risk Management to reflect the adaptations made to ERM to the specific setting of this University.

What is internal audit?

Internal audit is a continuous process approved by the Audit & Risk Committee. It provides independent review and testing of Risk management and control at the University, within the scope of each engagement. The internal auditors report their findings to the University Secretary and the Audit & Risk Committee and make recommendations.

For more information, see the Internal Audit Program.

How long does it take to conduct an internal audit?

There is no set amount of time for completing an internal audit. The duration varies significantly with the size of the audit, its complexity and the drive towards completion. As a general guide, a review takes a few months from scoping to the final report. The time needed to act on the resulting observations varies.

What are the reviews conducted by internal audit?

What is external audit?

What is the purpose of statutory compliance?

An important component of the University’s corporate responsibility, the Statutory Compliance Program ensures that the University complies with all laws and regulations applicable to its operations, and adheres to generally accepted standards and best practices.

For more information, see the Statutory Compliance Statement and Statutory Compliance Program.

What is the role of the Audit & Risk Committee?

The role of the Audit & Risk Committee consists of monitoring the effectiveness of the University’s:

  1. Internal controls and management information systems;
  2. Risk management activities.

For more information, see the Audit & Risk Committee’s resolution.

Why are Institutional Risk Programs necessary for the University?

The University, like all post-secondary institutions, is perpetually exposed to Risk. Institutional Risk Programs are necessary to maintain the structural integrity of the University by mitigating those Risks.

What does an "optimized Risk framework" entail?

The Statutory Compliance Program, University Risk Management Program and Internal Audit Program work together to create the optimized Risk framework. It creates the ideal situation for the University to assess and mitigate Risk promptly and efficiently and to bring Risk down to its residual level (residual Risk being the amount of risk associated with an action or event that remains after the inherent risk has been reduced by risk controls).

[Figure: Venn diagram of three overlapping circles labelled University Risk Management Program, Statutory Compliance Program and Internal Audit Program; their intersection is labelled "optimized Risk framework" to show how the three programs interact.]

More information on the programs that work together to create the optimized Risk framework:

Why does this matter to me?

The Institutional Risk Programs should matter to you for three reasons:

  1. Policy 11 requires senior administrators to report on a biannual basis; the consolidated report is carefully reviewed by the Audit & Risk Committee and helps it monitor Risks for the entire institution; senior administrators therefore require assessments from the staff who report to them;
  2. The University Risk Management and Statutory Compliance programs are helpful tools for managing your projects, tracking Risks and reporting issues that need review at a higher level; internal audits provide a “health check” on your business processes and on implemented and to-be-implemented projects, relative to industry and higher-education best practices; and
  3. All employees, as per Policy 11 (including, without limitation, senior administration):
    1. Are responsible for day-to-day Risk management and control within the scope of their employment responsibilities, and as directed by the senior administrator to whom they ultimately report;
    2. Are expected to conduct Risk Assessments as part of planning, decision-making, project-related and other operational activities; and
    3. Deliver Risk management reports as directed by the senior administrator to whom they ultimately report.

For more information, please contact our people.

Who can I contact if I have more questions?