This downloaded copy is unofficial. Check www.mun.ca/policy for the official version.

Memorial University of Newfoundland


Enterprise Risk Management

Approval Date: 2016-12-01

Effective Date: 2016-12-01

Review Date: 2020-12-01

Authority:

Vice-President (Administration and Finance) through the Chief Risk Officer

Purpose

− To formalize the university’s risk management program
− To provide direction to the members of the University community on a coordinated approach to identify, assess, evaluate, and manage risks
− To support decision-making processes from a risk management perspective

Scope

Activities undertaken by Members of the University Community which include but are not limited to teaching and learning, research, scholarship, creative activity, service, public engagement, and administration.

Definitions

Enterprise Risk Management — A university-wide, systematic, comprehensive and co-ordinated process of identifying, measuring, managing and disclosing key risks to the University's mission and related goals and objectives.

Key Risk Indicator(s) — Metrics used by organizations to provide an early signal of increasing risk exposures.

Members of the University Community — Any person who teaches, conducts research, studies or works at or under the auspices of the University and includes, without limitation, all employees, all students, and any other person(s) while they are acting on behalf of or at the request of the University.

OCRO — Office of the Chief Risk Officer.

Risk — The effect of uncertainty on objectives, resulting in positive and/or negative impact on the University's mission.

Risk Appetite — The amount and type of risk that the university is willing to take in order to meet its strategic objectives.

Risk Control — The action that avoids, transfers or mitigates various risks.

Risk Owner — The employee(s) designated to manage a particular risk. This is a functional description, not a position title. Normally it is the Unit Head(s).

Risk Register — Documented list of risks and associated risk ratings, key risk indicators, controls (either planned or in place) and the status of these risks.

Risk Tolerance — The acceptable variation relative to the performance of the achievement of objectives.

Unit — Academic or administrative unit as defined in the University Calendar.

Unit Head — Deans, Department Heads, Division Heads, Heads of Schools, Directors, Executive Directors, University Librarian, University Registrar and other senior administrators at a comparable level; Associate Vice-Presidents and Vice-Presidents, as applicable.

University — Memorial University of Newfoundland.

University-related Activity — Any activity that is directly related to or arises out of the operations of the University at any location.

Policy

The University recognizes that it inherently assumes a variety of Risks by its undertaking of teaching and learning, research, scholarship, creative activity, service, public engagement, and administration. In doing so, the University’s goal is to ensure that existing and emerging risks are identified and managed in a balanced manner. The University recognizes that it is critical to establish and maintain an approach to Enterprise Risk Management that supports the achievement of its strategic priorities and objectives and is a fundamental part of all University activities.

Risk Management is a shared responsibility at all levels of the University. 

The Board of Regents is responsible for overseeing the management of Risk and for establishing the Risk Tolerance and the risk ranking methodology, both of which are periodically reviewed and may be revised. 

The President and Vice-Chancellor, through Vice-Presidents Council (VPC), is responsible for the University’s overall Enterprise Risk Management approach, policies, processes, systems, controls and reporting; and for providing direction on a risk management culture.

Vice-Presidents Council, through its Enterprise Risk Management Committee (ERM Committee), oversees the Enterprise Risk Management program. The ERM Committee monitors Risk Registers and makes recommendations to VPC on risks that may affect the achievement of the University’s goals or are otherwise outside the established Risk Tolerance. 

The Office of the Chief Risk Officer (OCRO) is responsible for coordinating risk management activities and procedures across the campuses. It provides support to Units in identifying, assessing, and managing risks. It shares best practices and expertise acquired from risk management activities across the University for the benefit of the entire University. It prepares, submits and presents regular reports, through VPC and the President, to the Audit and Risk Committee of the Board of Regents on risk management. 

The University Auditor is responsible for evaluating the effectiveness of risk management processes of the University, including providing support in risk identification. The University Auditor uses the current Risk Register as a tool in internal audit planning.

Related Documents

Enterprise Risk Management Framework

Procedures

For inquiries related to this policy:

Office of the Chief Risk Officer: 709-864-6216

Sponsor: Vice-President (Administration & Finance)

Category: Operations


Procedure for Administering Risk Registers

Approval Date: 2016-12-01

Responsible Unit: Office of the Chief Risk Officer

The OCRO, in consultation with Unit Heads, establishes the Risk Registers for all Units. Risks, risk ratings, and any Key Risk Indicators to be used in the Risk Register are identified using a variety of methods. Unit Heads may choose a method(s) appropriate to their Unit’s particular circumstances.

Every Risk is assigned one or more Risk Owners. The Risk Owner assigns Risk Controls to be included in the Risk Register for each identified risk. 

The Unit’s Risk Register must be submitted to the OCRO. Using the Board of Regents approved risk ranking methodology, the OCRO gathers and consolidates the various Unit Risk Registers for accurate, timely and up-to-date information relating to the transfer, acceptance, mitigation or avoidance of risks by the University, for submission to the ERM Committee. 

With support from the OCRO, Risk Owners are required to review their Risk Registers at least every semester, to make appropriate updates, including indicating the status of any Risk Controls and adding and removing Risks, where appropriate. The updated Risk Registers must be submitted to OCRO.


Procedure for Managing Risk Within Units

Approval Date: 2016-12-01

Responsible Unit: Office of the Chief Risk Officer

Unit Heads are responsible for ensuring risk is managed, in consultation with the OCRO, within their respective Units. Unit Heads are responsible for identifying and evaluating risks within their Units. See Procedure for Administering Risk Registers. Unit Heads shall ensure that Risk Owners in their Unit understand their risk management responsibilities. 

Risk management shall be integrated early in the planning process for all activities and decisions within the Unit, in a manner appropriate to the nature and scope of the activity or decision, and using the list of Considerations as a guide. In making decisions, Unit Heads must ensure risks are managed within the established Risk Tolerance, such that positive outcomes outweigh any potential negative results. 

Considerations

− Has the established Risk Tolerance been considered?
− What Risk Controls best fit the situation?
− Is innovation encouraged?
− Has due diligence been exercised?
− Is legal and statutory compliance met, as a minimum standard?
− Is the safety of members of the University community enhanced?
− How is continuity of operations affected or improved?
− Is effective governance of the University supported?
− Are efficiency and effectiveness of operations promoted?
− Is the reputation of the University protected?
− Are University assets protected?
− If the activity is of an international nature, are there jurisdictional or statutory compliance impacts?
− To what extent have the objectives to which risks relate been articulated, and are they measurable?