Enterprise Risk Management
Operations and General Administration
Authorization: Board of Governors
Approval Date: Oct 6, 2016
This policy was approved by the Board with an effective date of January 1, 2017.
Purpose and Objectives
The purpose of Enterprise Risk Management (ERM) is to ensure that the portfolio of risks that could influence the achievement of both the University’s strategic and key operational objectives is being consistently and effectively managed. Implementing an effective ERM process achieves the following key objectives:
- Roles and Responsibilities: To identify the key roles of the Board and senior management associated with managing the University’s risk exposure.
- Oversight: All significant, current and emerging risks have been identified and are being managed and monitored under a holistic approach consistent with the University’s risk management process.
- Ownership and Responsibility: The ownership of risk is inextricably linked with the ownership of goals and objectives. Individuals who are responsible for the completion of goals and objectives are therefore equally responsible for identifying, evaluating, mitigating and reporting associated risk exposures.
- Assurance: The Board and management have reasonable assurance that risk is being appropriately managed within defined levels to bring value to the organization.
The University follows best practices in risk management by embracing the following principles:
- Incorporate a consistent, standardized approach to risk management into the culture and strategic and operational planning processes of the University that supports decision making and resource allocation at all levels.
- Apply a consistent approach to risk management across the University to ensure that risk priorities are identified appropriately.
- Ensure that appropriate measures are in place to address potential unfavourable impacts from risks as well as to be adequately positioned to take advantage of favourable benefits from opportunities.
- Manage a transparent approach to risk through open and meaningful communication and monitoring of all key risks.
Scope of this policy
This policy applies to all members and activities of the University of Saskatchewan.
The University is committed to utilizing a systematic approach to the identification, assessment and mitigation of risk to improve both planning and decision making across the institution through:
- Establishing and maintaining an Enterprise Risk Management Program (the program).
- Applying the program in a standardized fashion, with a view to supporting and facilitating the achievement of the University’s strategic, operational and financial objectives, by identifying, analyzing, evaluating, treating and monitoring risks on an ongoing basis.
- Viewing the program as a valuable and integrated source of information to assist administrators in making informed, consistent decisions throughout the University, rather than an independent activity.
- Promoting a culture of risk management that will seek to evaluate and anticipate risk at the evaluation, planning and implementation stages of initiatives and projects.
- Managing risk and leveraging opportunities.
- Anticipating and responding to changing social, environmental and legislative requirements.
It is the responsibility of all members of the University community to practice risk management as prescribed by this policy and its attendant procedures.
Board of Governors:
- To set the tone and influence the culture of risk management within the University.
- Approve the University’s ERM policy and any required revisions to the policy from time to time.
- In conjunction with senior administration, determine the risk appetite that is appropriate to meet the vision and strategies of the University.
- Oversight of the ERM Process; monitor and satisfy themselves that the Enterprise Risk Management Program has been implemented and is functioning as designed.
- Approve changes, from time to time, to improve key elements of the process.
Audit Committee of the Board of Governors:
- To consider semi-annual enterprise risk management reports, primarily the current University Risk Register, on significant risks from senior administration.
- Ensure that senior administration has defined risk tolerance for key objectives and that it is clearly articulated for strategic and operational planning purposes.
- To provide regular reports to the Board of Governors, as appropriate, on Enterprise Risk Management and alert them to emerging issues.
- To provide advice to the Board of Governors on the effectiveness of Enterprise Risk Management within the University.
- In conjunction with the Board of Governors, set the tone and influence the culture of risk management within the University.
- Require all risk owners to integrate ERM into the development of strategic plans and operational decisions and to report on the University’s key enterprise risks to the Audit Committee semi-annually.
President’s Executive Committee (PEC)
- In conjunction with the President, act as the University’s Risk Management Steering Committee.
- Create and promote a risk aware culture within the University, integrating risk in all strategic planning and decision making.
- Implement the policy and process pertaining to Enterprise Risk Management.
- Assign responsibility for addressing prioritized risks, as they are determined.
Administrative Heads (Deans, Executive Directors, AVPs/Vice Provosts, Directors, Heads of Academic & Administrative Units)
- Create and promote a risk aware culture within their college or unit.
- Implement the University’s policy and process pertaining to the University’s Enterprise Risk Management Program.
- Identify and evaluate, and to the extent possible, mitigate key risks during planning or project development which may impact the University strategically, reputationally or financially.
- Undertake regular reviews of identified key risks and provide reports to the PEC of any material changes with their respective risk profile, at a minimum semi-annually.
Corporate Administration (Manager, Risk Management and Insurance Services):
- Develop and implement the University’s Enterprise Risk Management Program.
- Ensure that the ERM program remains fit for purpose and aligns with international standards and best practice.
- Deliver training and mentoring for ERM.
- Work with risk owners to facilitate the identification and analysis of both strategic and operational risks.
- Assist risk owners in the development of effective risk mitigations.
- Provide timely and accurate risk reporting to senior administration and the appropriate governing bodies through the maintenance of an up-to-date University risk register.
The University expects that its members will comply fully with this policy. Failure to comply with this policy could lead the University to suffer significant reputational or financial harm.
Members – Faculty, staff and agents of the University of Saskatchewan.
Risk - the effect of uncertainty on objectives.
Risk Management - the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risk management’s objective is to assure uncertainty does not deflect the endeavor from the business goals.
Risk owner - a person with the accountability and authority to manage a risk. This is a person who is both interested in resolving a risk (i.e., someone who is very much interested in preventing such risks from happening) and positioned highly enough in the organization, so that his or her voice would be heard among the decision makers, to do something about it.
Enterprise Risk Management Program (the program) - includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. An ERM Program typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, organizations protect and create value for all of their stakeholders and society overall.
There are no other documents associated with this policy.
Contact Person: Manager, Risk Management and Insurance Services