Risk Management Policy
Classification number | LCG 1116 |
---|---|
Framework category | Legal, Compliance and Governance |
Approving authority | Board of Governors |
Policy owner | Vice-President, Administration |
Approval date | November 28, 2024 |
Review date | November 2027 |
Supersedes | Risk Management Policy June 18, 2014 (Editorial Amendment, January 17, 2019) |
Purpose
- This policy aims to establish the foundation for a University Risk Management (“URM”) program that ensures that Risk Management is an integral part of the University’s core strategy and integrated into all key activities and functions. The URM program establishes a Risk management framework that will provide a proactive and consistent approach to ensuring that Risk is considered when decisions are made at all levels of the organization and, in turn, assists the University in operating within its capacity and willingness to take Risk. The URM program further establishes a commitment to raise awareness surrounding Risk management and provide guidance to all levels of the University.
- Objectives: The overall objectives of the Risk Management Policy are to:
- Formalize a consistent approach to identifying, assessing, measuring, managing, communicating, and mitigating Risks to the University’s strategic plan and priorities and to the University’s operations to reduce uncertainty and
- Assist the University in making better-informed decisions and promote accountability for Risk management with stakeholders and University Members at all levels.
- Assess all applicable laws through compliance risk assessment and ensure clear roles, responsibilities, and processes are in place.
Definitions
- For this Policy, the following definitions apply:
“University Risk Management (“URM”)” means a consistent, coordinated, integrated approach to identify, assess, measure, manage, communicate, and mitigate significant and material Risks to the University in achieving its strategic objectives.
“Risk” means the uncertainty of outcomes against the achievement of planned objectives. This concept can be applied to strategic objectives as well as all operational activities within the University. While the application of the definition may change with different University Members, the concept should not change.
“Risk Assessment” means a formalized, systematic ranking and prioritizing of identified Risks using a likelihood/consequence framework.
“Risk Appetite” means the University’s willingness to accept Risk. Risk Appetite may also be viewed as the acceptable deviation from expected outcomes.
“University Member” means any individual who is:
- Employed by the University;
- Registered as a student following the academic regulations of the University;
- Holding an appointment with the University, including paid, unpaid, and/or honorific appointments; and/or
- Otherwise subject to University policies by virtue of the requirements of a specific policy (e.g., Booking and Use of University Space) and/or the terms of an agreement or contract.
“Compliance Risk” means potential exposure to penalties, fines, damages, and loss caused by not adhering to applicable laws, regulations, and policies mandated under federal, provincial, or municipal laws, regulations, University policies, procedures, directives, or by-laws.
“Financial Risk” means exposures that arise from the University’s financial operations and/or external market forces, with the potential to impact funding level, investment performance, liquidity, budget, premium revenue/rates, and other key financial indicators.
“Operational Risk” means exposures that arise from people or a failure of internal processes, systems or controls and may impact the University’s ability to sustain immediate or future business operations.
“Reputational Risk” means exposures that arise from stakeholders’ perception of the University with the potential to impact public trust in the University as a result of direct or indirect actions of the University, its employees, partners, or suppliers.
“Strategic Risk” means risk that arises from the University’s ability to identify and execute strategic objectives and/or from internal and external trends and events that might impact the University’s ability to achieve its mandate.
Scope and authority
- This Policy applies to all University Members and extends to all functions and activities.
- The Office of Risk Management, or successor thereof, is the Policy Owner and is responsible for overseeing the implementation, administration, and interpretation of this Policy.
Policy
- Risk Framework
- Effective Risk management across the institution will increase stability, safety, security, and prosperity for University Members. This Policy and the associated documents create the Risk management framework developed specifically to fit the governance structure and culture of the University. The framework is aligned with the strategic priorities of the University and incorporates leading practices tailored to the University’s needs and culture.
- The framework is intended to support the University in identifying, assessing, measuring, managing, reporting, and mitigating Risks. The ultimate goal of the framework is to assist the University in achieving its strategic priorities and operational objectives through better understanding and management of Risk.
- The framework provides:
- Formalized process and approach to executing URM;
- Clearly defined accountabilities for execution of URM;
- Robust Risk management communication; and
- Consistency in Risk management.
- Risk Governance Structure
- Oversight: The responsibility to oversee the University’s URM program resides with the University’s Board of Governors (“Board”). The Audit and Finance Committee is delegated to carry out this oversight responsibility on the part of the Board and to report quarterly to the Board on the status of the URM.
- Direction: The University’s President is responsible for providing direction to ensure that the University’s strategic priorities remain the ultimate focus of all University Members.
- Risk Appetite: The Risk Appetite will be determined by the University’s President and the Senior Leadership Team (“SLT”), and ultimately approved by the Board. The Risk Appetite will be reviewed no less frequently than every eighteen to twenty-four months.
- Risk Owners:
- Chief Risk Officer: The University’s President will designate a member of SLT to serve as Chief Risk Officer. The Chief Risk Officer will, among the members of the SLT, have responsibility for coordinating SLT’s Risk management activities. The Chief Risk Officer will be the primary advisor on Risk to the Board and the President and Vice-Chancellor.
- Senior Leadership Team (“SLT”): SLT as a group is responsible for the management of all institutional and operational Risks, the overall success of URM, and the integration of the URM program into the core operational and strategic decision framework of the University. Individual members of the SLT will act as the primary owners of Risks and Risk management at the University. Each SLT member will delegate responsibility for Risk management to functional leaders within that SLT member’s area of responsibility. Delegates must hold a position of Director, Executive Director, Assistant/Associate Vice President, Registrar, Dean or equivalent.*
*Equivalency of positions will be determined based on the level of authority of a position within the University, regardless of title and guided by the assessed job evaluation of a given position. A determination will be made by the Policy Owner, or delegate, in consultation with Human Resources.
- Responsibilities:
- Integrated All Managers Team (“IAM”): IAM will act in an advisory role concerning various aspects of the URM program. IAM will work to ensure that the URM program is integrated into the planning work of the University.
- Office of Risk Management: The Office of Risk Management is responsible for the successful integration and execution of the URM framework and supports the strategic planning process by working to raise awareness of risks that may adversely affect its successful implementation. The Office of Risk Management is committed to fostering a culture of risk ownership throughout the University by providing strategic leadership and direction in the evolution and implementation of enterprise risk management that ensures a consistent and proactive approach.
- All members of the University: All members of the University are expected to read, understand, and apply this policy.
- Statements of Principle
The University adopts the following statements of principle for application in the implementation of this Policy:
- Risk Culture: The University is committed to fostering a culture of Risk ownership throughout the University. This does not mean that we avoid engaging in activities that have Risk or that we avoid Risk in our teaching, research, and other activities we undertake for the University. It is recognized that both strategic and operational decisions and the work conducted by University Members all inherently involve Risk.
To the University, having a culture of Risk ownership means that:
- Strategic and operational decisions are made with full awareness of the Risks relevant to those decisions;
- All University Members are aware of the organization’s emphasis on URM and incorporate a proactive approach and awareness to managing Risk in their individual roles.
- Risk Owners will establish a process for seeking feedback from knowledgeable individuals in their areas of responsibility.
- Communication: A key principle of a successful URM program is regular communication. The Board and Senior Leadership Team are committed to developing a communication plan to ensure that those who require information to support the URM program receive it. The University’s Risk Management Policy, goals and objectives will be made available to all University Members. Each member will be expected to read and understand the Risk management philosophy and outlined framework.
- Reporting: University Members are encouraged to raise concerns related to risk to their supervisor or ORM@ontariotechu.ca, and Risk Owners will ensure that these concerns are appropriately considered in the development of risk mitigation strategies.
- No Reprisal: The University will not discharge, discipline, demote, suspend, threaten, or in any manner discriminate against any officer, employee or student based on any good faith and lawful actions of such employee to responsibly and carefully report Risk issues using the channels provided by the University.
- The University is committed to academic freedom.
- Training and Education
The Office of Risk Management will support the development and implementation of institutional Risk management training and education programs needed to reinforce the importance of Risk management. The type of training and education will be developed and conducted as appropriate.
Monitoring and Review
- The Director of Risk Management, or successor thereof, is responsible for monitoring and reviewing this Policy at least every three years.
Relevant legislation
- All legislation applicable to University activities under Compliance Risk.
Related policies, procedures & documents
Field Trip Risk Management and Approval Directive
University-Hosted Event Risk Management and Approval Directive
Aircraft Approval Directive
High-Risk International Travel Policy
Student International Travel Policy
Booking and Use of University Space Policy
Booking and Use of University Space Procedures
Directives for the Appropriate Use of Space
University Continuity Management Framework Policy
Safe Disclosure Policy
Ethical Conduct Policy
All University policies applicable to Compliance Risk