Risk Management Policy
Name of Policy
Risk Management Policy
Policy Number
XII. 4
Original Policy Date
Last Revised Date
Other Related Regulatory Rules Laws & Policies
Next Scheduled Review Date
Associated Procedures & Forms (Attachments)
Cycle of Reviews


It complements other University internal controls and is the foundation of the Risk Management (RM) framework to be implemented at the University. It applies to all administrative and academic departments of the University and all faculty and staff.


1. The University supports a carefully considered approach to Risk assessment and treatment to avoid, mitigate or manage Risks in support of University activities and strategic and operational priorities. At the institutional level, the Institutional Effectiveness Council determines the appropriate level of acceptable Risk based on a balanced view of the Risk, considering both the threat of adverse impacts and the opportunities that arise from properly managed Risk.

2. The University Risk Management process is designed to:

a. Map to the University’s Strategic Framework and planning, and integrate RM into the culture of the institution.

b. Assess risks and opportunities against the University’s level of Risk tolerance.

c. Anticipate and respond to social, environmental and legislative conditions.

d. Manage Risk according to best practice and demonstrated due diligence in decision-making.

e. Document the framework within which Risk is managed at the University.

f. Foster a culture of identifying, assessing and mitigating Risks.

3. The Risk Management Process

a. Establish the Content

b. Risk Identification

c. Risk Analysis

d. Risk Evaluation

e. Risk Treatment

f. Communication and Consultation

g. Monitoring and Review

4. Roles and Responsibilities

The University uses a three-lines-of-defense governance model to manage its Risks and to identify the individuals or functions responsible for Risk ownership, Risk oversight and Risk assurance. The President, the University Risk Management Committee, and the Institutional Effectiveness Council provide support to the Risk program and the three lines of defense.

4.1 First Line of Defense – Risk Owners:

a. All University employees have a role in the effective management of Risk within the context of their area of responsibilities, including the identification and disclosure of potential or emerging Risks.

b. Academic and administrative departments are responsible for implementing good operational RM practices and maintaining appropriate internal controls that support the effective management of Risk. Effective RM requires timely recognition and disclosure of potential Risks and should be incorporated into departmental planning processes and management activities.

4.2 Second Line of Defense – Risk Oversight:

a. Various functional councils and committees at the University assist with defining RM practices and provide oversight to some of the activities undertaken within the academic and administrative departments.

b. While the second line of defense is clearly defined for certain Risks, in other cases, the primary responsibility for Risk oversight resides within the academic department or administrative department itself.

4.3 Third Line of Defense – Risk Assurance:

a. The activities of the University’s internal audit function and the external auditors provide assurance to management and the University Council on the effectiveness of the RM practices.

5. Executive and University Risk Management Committee Support:

a. The Associate Vice President of Institutional Development is responsible for embedding Risk management within the strategic and operational management processes of the University.

This includes:

(i) identification of strategic Risks impacting the University;

(ii) determining priorities;

(iii) assessing Risk tolerance;

(iv) developing strategic Risk management plans; and

(v) monitoring progress and implementation of plans.

b. The University Risk Management Committee (URMC) provides advice and recommendations to the University Management as follows:

(i) Oversees the formulation of University Risk Management strategy and policy.

(ii) Reviews and advises on the University’s Risk Register, including recommendations on emerging Risks and changes to the University’s Risk environment.

(iii) Advises on, and recommends, initiatives to manage identified threats and opportunities.

(iv) Ensures appropriate and effective related communication.

6. Institutional Effectiveness Council Oversight:

The Institutional Effectiveness Council and the Risk Committee are responsible for supporting the implementation of the University RM process, including approval of the Risk appetite statement and assessment of the Risk program against the Risk appetite.