Frequently Asked Questions
What is Risk?
By definition, Risk is the chance of occurrence of an event or trend that will have a negative impact on operations or fulfilment of objectives at the institutional, academic unit and/or academic support unit levels.
For more information, see the definitions page.
What is an example of a Risk?
How does the University determine what a Risk is?
The University determines Risk by utilizing Appendix A, which is a list of seven Risk categories and thirty Risks identified through survey of senior administrators at the University. These Risks are reviewed on a periodical basis.
How does the University manage different types of Risk?
At the institutional level, the University manages Risk through its Internal Audit, Statutory Compliance, and University Risk Management Programs. Based on the University Risk Management Program, the University decides which reviews internal audit conducts, and it monitors Risk through the Statutory Compliance Program.
Throughout the University, many other Risk management activities take place, such as insurance, legal and immigration services, occupational health, safety office, information systems & technology services, etc. There are several bridges between those activities and the Institutional Risk Management Programs, which altogether constitute the overall risk framework of the University.
Why doesn't the University simply eliminate all Risks?
Risk cannot be eliminated, but it can be reduced to an acceptable level. With every decision made, opportunity is gained because the University moves closer to fulfilling the goals of its Strategic Plan. However, Risk may emerge because alternative choices are forgone when a decision is made, or because the processes involved in carrying out and achieving those goals create other Risks.
What are the steps to assessing Risk?
The process of assessing Risk can be extensive. However, there are six major steps to be followed for Risk Assessment and reporting:
- Step 1: Establish the context.
- Step 2: Identify the Risks.
- Step 3: Analyze the Risks.
- Step 4: Evaluate the Risks.
- Step 5: Deal with the Risks.
- Step 6: Report the Risks.
For more information, see the Risk Management Reporting Guideline about the steps to assess Risks.
How is Risk reported and to whom?
As per Policy 11, senior administration (the President, vice-presidents and University Secretary) report to the Audit & Risk Committee twice per year. Risks are assessed relative to the Risk Appetite and are tracked until said Risk returns below the Risk Appetite, in addition to one more year of monitoring.
Are there any positive Risks?
Is enterprise risk management regulated?
Enterprise Risk Management (ERM) is not regulated in Canada, with the exception of Alberta. The University of Waterloo’s Audit & Risk Committee oversees ERM. While the Committee does not report to the government for Risk management, they labour within the parameters of Policy 11 – University Risk Management and of their mandate (Audit & Risk Committee’s resolution).
The University’s ERM Program is called University Risk Management to reflect the adaptations made to ERM to the specific setting of this University.
What is internal audit?
Internal audit is a continuous process that is approved by the Audit & Risk Committee. It provides independent review and testing with respect to Risk management and control at the University within the scope of its engagement. The internal auditors report their findings to the University Secretary and the Audit & Risk Committee and make recommendations.
For more information, see the Internal Audit Program.
How long does it take to conduct an internal audit?
There is no set amount of time for the completion of internal audits. The length of time varies significantly depending on the size of the audit, complexity and the drive towards completion. As a general guide, a review from scoping to the final report takes a few months. However, acting on the observations made will vary.
What are the reviews conducted by internal audit?
What is external audit?
What is the purpose of statutory compliance?
An important component of the University’s corporate responsibility, the Statutory Compliance Program ensures that the University complies with all laws and regulations applicable to its operations, and adheres to generally accepted standards and best practices.
What is the role of the Audit & Risk Committee?
Why are Institutional Risk Programs necessary for the University?
The University, like all post-secondary institutions, is in a perpetual state of caution due to Risk. Institutional Risk Programs are necessary in order to maintain the structural integrity of the University by mitigating Risks.
What does an "optimized Risk framework" entail?
The Statutory Compliance Program, University Risk Management Program and Internal Audit Program work together to create the optimized Risk framework. It creates the ideal situation for the University to assess and mitigate Risk promptly and efficiently and to bring Risk down to a residual level (the amount of risk or danger associated with an action or event that remains after natural or inherent risks have been reduced by risk controls).
More information on the programs that work together to create the optimized Risk framework:
Why does this matter to me?
The Institutional Risk Programs should matter to you for three reasons:
- Policy 11 requires senior administrators to report on a biannual basis; the consolidated report is carefully reviewed by the Audit & Risk Committee and helps them monitor Risks for the entire institution; senior administrators therefore require assessments from their own reports;
- The University Risk Management and Statutory Compliance programs are helpful tools to help you manage your projects, track Risks and report on issues that need the review of a higher instance; internal audits provide a “health check” on your business processes and on implemented and to-be implemented projects, relative to industry and higher education best practices; and
- All employees, as per Policy 11 (including, without limitation, senior administration):
- Are responsible for day-to-day Risk management and control within the scope of their employment responsibilities, and as directed by the senior administrator to whom they ultimately report;
- Are expected to conduct Risk Assessments as part of planning, decision-making, project-related and other operational activities; and
- Deliver Risk management reports as directed by the senior administrator to whom they ultimately report.
For more information, please contact our people.
Who can I contact if I have more questions?
You may find additional information in one of the following key documents:
- Policy 11 - University Risk Management
- Risk Management Reporting Guideline
- Statement of Institutional Risk Appetite
- Institutional Risk Mitigation Strategy
If you still require assistance on Institutional Risk Programs, please contact our people.