Policy 6.1 - University Risk Management Policy

The official version of this policy is housed with the University Secretariat. In the event of a discrepancy, the official version will prevail.

Approving Authority: Board of Governors 
Responsible Office: Office of the Vice-President (Finance & Operations)
Responsible Officer: Vice-President (Finance & Operations)
Original Approval Date: June 7, 2007
Most Recent Revision Date: June 16, 2020, Editorial Revision January 27, 2021
Previous Revisions: N/A


Risk is inherent in all academic, administrative and business activities at the University of Guelph ("the University") and to varying degrees, members of the University community are continuously involved in managing these Risks. In order to respond most effectively as an institution, the University employs an enterprise approach to Risk management. The University Risk Management Policy outlines this approach. 

The University's approach to Risk, adopted for the purposes of University Risk Management (URM), is as follows: the University is committed to continuous quality improvement and will make choices that assess the opportunities and threats inherent in that commitment.[1]

The University seeks to foster a culture that is Risk-aware without being Risk-averse, pursuing opportunities that further strategic and operational priorities, while effectively managing Risk. It is recognized that virtually all activities carry a degree of uncertainty and require the University to strike an appropriate balance between managing Risks and pursuing strategic opportunities. 

University Risk Management is an important input to the setting of priorities and to strategic decision-making in the best interests of the University, as it facilitates the identification of potential Risks and opportunities that may significantly affect the ability of the institution to achieve its strategic goals or maintain its operations.

1. Purpose

1.1. The University is committed to thoughtful consideration and integration of Risk in decision-making. This policy outlines the University's approach to Risk management, in support of its strategic goals and objectives.

1.2. The University Risk Management Policy does not replace, but complements, other University internal controls, and is the foundation of the Risk management framework to be implemented at the University.

2. Jurisdiction/Scope

2.1. This policy applies to all administrative and academic units of the University and to all faculty and staff.

3. Definitions

3.1. "Risk": Any event or action that may adversely affect the University's ability to achieve its strategic and operational priorities.

3.2. "Inherent Risk": Risk in the absence of any controls, actions or Risk mitigation to alter either the Risk's likelihood or impact.

3.3. "Current Risk": The current level of Risk after taking into consideration the controls, actions and Risk mitigation measures already implemented to reduce either the Risk's likelihood or impact.

3.4. "Residual Risk": The remaining level of Risk after taking into consideration controls, actions and Risk mitigation measures implemented and planned to be implemented to reduce either the Risk's likelihood or impact.

3.5. "Risk Appetite": The level of Risk the University is willing to accept in order to meet its strategic objectives.

3.6. "Risk Management": The planned and systematic approach to the identification, evaluation and control of Risk to maximize opportunities and minimize losses.

3.7. "Risk Tolerance": The willingness to accept or reject a given level of Residual Risk, aligned with the overall Risk Appetite.

3.8. "Risk Treatment": The process of selecting and implementing measures to manage the Risk exposure through avoidance, reduction, transfer/sharing, or acceptance.

3.9. "University Risk Management (URM)": Includes the methods and processes used to manage Risk and opportunities related to the achievement of the University's objectives.

4. University Risk Management

4.1. The University will support a deliberative approach to Risk assessment and treatment to avoid, mitigate or manage Risks in support of University activities and strategic and operational priorities. At the institutional level, the University's senior leadership determines the appropriate level of acceptable Risk based on a balanced view of the Risk, considering both the threat of adverse impacts and the opportunities that arise from properly managed Risk (see also s. 5 of this policy).

An objective of the URM program is the effective management of a balanced portfolio of institutional Risks.[2] The Risk Appetite statement identifies and defines the categories of Risk, along with the acceptable level of Risk for each category.

4.2. The University Risk Management process is designed to:

a. Map to the University's Strategic Framework and planning, and integrate Risk management into the culture of the institution

b. Assess Risks and opportunities against the University's level of Risk tolerance

c. Anticipate and respond to social, environmental and legislative conditions

d. Manage Risk according to best practice and demonstrated due diligence in decision-making

e. Document the framework within which Risk is managed at the University

f. Foster a culture of identifying, assessing and mitigating Risks

4.3. The University Risk Management approach is outlined in Figure 1 and in the University's Risk Management Framework.[3] The process is continuous and should be applied at all levels of the institution (i.e. at the University level as well as in individual academic and administrative units).

Figure 1 - The Risk Management Process (ISO 31000)

[Figure: flow chart of the risk management process]

5. Roles and Responsibilities

5.1. The University utilizes a three lines of defence governance model to manage its Risks and identify those individuals or functions responsible for Risk ownership, Risk oversight and Risk assurance. The President and Vice-Presidents and the University Risk Management Committee, along with the Board of Governors, provide oversight and support to the Risk program and the three lines of defence.

5.2. First Line of Defence - Risk Owners:

a. All University employees have a role in the effective management of Risk within the context of their areas of responsibility, including the identification and disclosure of potential or emerging Risks.

b. Academic department and administrative unit managers are responsible for implementing good operational Risk management practices and maintaining appropriate internal controls that support the effective management of Risk. Effective Risk management requires timely recognition and disclosure of potential Risks and should be incorporated into departmental and unit planning processes and management activities.

5.3. Second Line of Defence - Risk Oversight:

a. Various functional groups and committees at the University assist with defining Risk management practices and provide oversight to some of the activities undertaken within the academic and administrative units. Examples of the groups whose activities support this second line of defence include finance, legal, information technology security and human resources teams, and the Joint Health and Safety Committees.

b. While the second line of defence is clearly defined for certain Risks, in other cases, the primary responsibility for Risk oversight resides within the academic department or administrative unit itself.

5.4. Third Line of Defence - Risk Assurance:

a. The activities of the University's internal audit function and of the external auditors provide assurance to management and the Board of Governors on the effectiveness of the University's Risk management practices.

5.5. Executive and University Risk Management Committee Support and Oversight:

a. The President and Vice-Presidents are responsible for embedding Risk management within the strategic and operational management processes of the University. This includes: (i) identification of strategic Risks impacting the University; (ii) determining priorities; (iii) assessing Risk Tolerance; (iv) developing strategic Risk management plans; and (v) monitoring progress and implementation of plans.

b. The Vice-President (Finance & Operations) serves as the Chief Risk Officer for the University and has specific accountability for the coordination and implementation of URM activities, procedures and reporting. The Vice-President (Finance & Operations) will report to the Audit and Risk Committee at least once annually on the execution of URM activity at the University.

c. The University Risk Management Committee (URMC) provides advice and recommendations to the Vice-President (Finance & Operations) as follows:

i. Oversees the formulation of URM strategy and policy

ii. Reviews and advises on the University's Risk Register, including recommendations on emerging Risks and changes to the University's Risk environment

iii. Advises on, and recommends initiatives to manage identified threats and opportunities

iv. Ensures appropriate and effective related communication

d. Membership of the URMC shall be appointed by the Vice-President (Finance & Operations), who will chair the Committee, and include those responsible for major operational functions of the University.

5.6. Board of Governors Oversight:

a. The Board of Governors and its Audit and Risk Committee are responsible for support and oversight of the implementation of the URM process, including approval of the Risk appetite statement and assessment of the Risk program against the Risk appetite.

6. Related Policies, Procedures and Documents

[1] University of Guelph Strategic Risk Assessment, KPMG, 2006.

[2] Adapted from Meeting the Challenges of Enterprise Risk Management in Higher Education, Association of Governing Boards of Universities and Colleges, 2007.

[3] Adapted from Managing Risks: A New Framework, Kaplan, R. & Mikes, A., Harvard Business Review, June 2012.