University Policy


Enterprise Risk Management

Approval Date: 2016-12-01

Effective Date: 2016-12-01

Review Date: 2020-12-01


Vice-President (Administration and Finance) through the Chief Risk Officer


− To formalize the university’s risk management program
− To provide direction to the members of the University community on a coordinated approach to identify, assess, evaluate, and manage risks
− To support decision-making processes from a risk management perspective


Activities undertaken by Members of the University Community which include but are not limited to teaching and learning, research, scholarship, creative activity, service, public engagement, and administration.


Enterprise Risk Management — A university-wide, systematic, comprehensive and co-ordinated process of identifying, measuring, managing and disclosing key risks to the University's mission and related goals and objectives.

Key Risk Indicator(s) — Metrics used by organizations to provide an early signal of increasing risk exposures.

Members of the University Community — Any person who teaches, conducts research, studies or works at or under the auspices of the University and includes, without limitation, all employees, all students, and any other person(s) while they are acting on behalf of or at the request of the University.

OCRO — Office of the Chief Risk Officer.

Risk — The effect of uncertainty on objectives, resulting in positive and/or negative impact on the University's mission.

Risk Appetite — The amount and type of risk that the university is willing to take in order to meet its strategic objectives.

Risk Control — The action that avoids, transfers or mitigates various risks.

Risk Owner — The employee(s) designated to manage a particular risk. This is a functional description, not a position title. Normally it is the Unit Head(s).

Risk Register — Documented list of risks and associated risk ratings, key risk indicators, controls (either planned or in place) and the status of these risks.

Risk Tolerance — The acceptable variation relative to the performance of the achievement of objectives.

Unit — Academic or administrative unit as defined in the University Calendar.

Unit Head — Deans, Department Heads, Division Heads, Heads of Schools, Directors, Executive Directors, University Librarian, University Registrar and other senior administrators at a comparable level; Associate Vice-Presidents and Vice-Presidents, as applicable.

University — Memorial University of Newfoundland.

University-related Activity — Any activity that is directly related to or arises out of the operations of the University at any location.


The University recognizes that it inherently assumes a variety of Risks by its undertaking of teaching and learning, research, scholarship, creative activity, service, public engagement, and administration. In doing so, the University’s goal is to ensure that existing and emerging risks are identified and managed in a balanced manner. The University recognizes that it is critical to establish and maintain an approach to Enterprise Risk Management that supports the achievement of its strategic priorities and objectives and is a fundamental part of all University activities.

Risk Management is a shared responsibility at all levels of the University. 

The Board of Regents is responsible for overseeing the management of Risk and for establishing the Risk Tolerance and the risk ranking methodology, both of which are periodically reviewed and may be revised. 

The President and Vice-Chancellor, through Vice-Presidents Council (VPC), is responsible for the University’s overall Enterprise Risk Management approach, policies, processes, systems, controls and reporting; and for providing direction on a risk management culture.

Vice-Presidents Council, through its Enterprise Risk Management Committee (ERM Committee), oversees the Enterprise Risk Management program. The ERM Committee monitors Risk Registers and makes recommendations to VPC on risks that may affect the achievement of the University’s goals or are otherwise outside the established Risk Tolerance. 

The Office of the Chief Risk Officer (OCRO) is responsible for coordinating risk management activities and procedures across the campuses. It provides support to Units in identifying, assessing, and managing risks. It shares best practices and expertise acquired from risk management activities across the University for the benefit of the entire University. It prepares, submits and presents regular reports, through VPC and the President, to the Audit and Risk Committee of the Board of Regents on risk management. 

The University Auditor is responsible for evaluating the effectiveness of risk management processes of the University, including providing support in risk identification. The University Auditor uses the current Risk Register as a tool in internal audit planning.

Related Documents

Enterprise Risk Management Framework


For inquiries related to this policy:

Office of the Chief Risk Officer: 709-864-6216


Vice-President (Administration & Finance)



Previous Versions:

No previous versions

Policy Amendment History

There are past amendments for this policy:

Date: 2019-05-27 11:21:07
This policy was replaced with a new version. Comment provided: Connected definitions using definitions from the glossary.
Date: 2019-07-30 15:15:22
This policy was replaced with a new version. Comment provided: Added the Enterprise Risk Management Framework to the Related Documents section.
Date: 2022-08-30 10:30:49
This policy was replaced with a new version. Comment provided: 8/30/22 updated broken links
Date: 2024-02-19 09:50:15
This policy was replaced with a new version. Comment provided: Updated broken weblinks