Risk Committee - Terms of Reference - V4.0
The Governing Authority, at its meeting of September 5th 2013, approved the establishment of a sub-committee of the Governing Authority to be known as the ‘Governing Authority Risk Committee’ (GARC), hereinafter referred to as the ‘Committee’.
The purpose of the Committee is to support the Governing Authority in its oversight of risks that could affect the University’s ability to achieve its strategic objectives or compromise its mission and core values.
3.1) The membership of the Committee shall be appointed by the Governing Authority.
The Committee shall consist of at least four members, two of whom shall be external members of the Governing Authority, and two of whom shall be University members of staff. One additional member, external to the University, may also be appointed.
In appointing members, using formal assessment criteria, consideration shall be given to the skills and independence of members and relevant risk management experience.
3.2) The Chair of the Committee shall be appointed by the Governing Authority and will be an external member of the Authority.
3.3) New members of the Committee will receive a formal Letter of Appointment from the Governing Authority specifying their term of appointment.
3.4) Formal induction training will be provided for new Committee members.
3.5) In addition to these Terms of Reference the Committee may also draw up its own working procedures.
Frequency of meetings & standing items
4.1) The Committee shall meet at least three times a year.
4.2) Meetings may be held on any campus of the University or held remotely utilising video conferencing technology.
4.3) The meeting agendas for all Committee meetings shall include an item requiring committee members to declare any interests or conflicts of interest.
The quorum required for the transaction of business shall consist of at least three members of the Committee, at least two of whom must be external members. A duly convened meeting of the Committee at which a quorum is present shall be competent to exercise all or any of the authorities, powers and discretions vested in, or exercisable by, the Committee.
Attendance at meetings
6.1) The Chief Operations Officer, the Deputy Chief Operations Officer, the Risk & Compliance Officer and any employee or external person relevant to the work of the Committee, may attend for all or part of the meetings at the invitation of the Chair of the Committee. Governing Authority members shall also have the right of attendance with prior agreement by the Chancellor of the Governing Authority and the Chair of the Committee.
6.2) The Committee may also invite the Head of Internal Audit and/or the University’s External Auditor(s) to attend its meetings.
6.3) The Office of the Chief Operations Officer shall provide secretarial services to the Committee.
6.4) At least once a year the Committee will meet separately with each of the following without members of management being present:
a) Head of Internal Audit;
b) Risk & Compliance Officer.
Decisions and voting
Each question at a meeting of the Committee shall be determined by consensus, but where, in the opinion of the Chair, consensus is not possible, the question shall be decided by a majority of the members present voting on the question and, in the case of an equal division of votes, the Chair shall have a second and casting vote. All votes taken shall be referred to the Governing Authority for noting.
8.1) The Committee is authorised by the Governing Authority to investigate any activities within its terms of reference and to seek any information it may require from any employee of the University or its subsidiaries. All employees are directed to co-operate with any request made by the Committee.
8.2) The Committee is authorised by the Governing Authority to obtain outside legal or other independent professional advice, if it considers this necessary.
The duties of the Committee shall be to:
9.1) Advise / make recommendations to the Governing Authority on the following:
a) Review the University’s Risk Management Policy and recommend any changes to the policy for approval to the Governing Authority;
b) Determine, at least annually, whether the Risk Management Policy is appropriate for the purposes of the Governing Authority in discharging its responsibilities for ensuring that risks are properly identified, assessed, reported and controlled.
c) Review the University’s draft Strategic Risk Register and recommend same to the Governing Authority for approval.
d) Review the University’s Business Continuity arrangements and Crisis Management Framework for approval by the Governing Authority;
e) Advise the Governing Authority in its consideration of an overall risk appetite(s) and risk tolerance(s) for the University;
f) Advise the Governing Authority of any need for a periodic external review of the effectiveness of risk management for the University.
9.2) Committee obligations
a) The approval of the annual Risk Management Plan;
b) Prepare an annual Committee Work Plan with a subsequent review of whether the intended elements of the plan were achieved;
c) Provide a set of Key Performance Indicators (KPIs) to assess the performance of the Committee and review these at least once a year;
d) Review the key risks to the achievement of the University’s strategic goals, and the adequacy of any planned responses to managing those risks;
e) Monitor the effectiveness of the risk management framework, ensuring its continuing functioning and appropriateness;
f) Review reports of any significant risk incidents, escalation protocols and the adequacy of responses;
g) Seek assurance that risk management practices are embedded across all levels of the University;
h) Ensure that the risk management function is adequately resourced and has appropriate standing within the University;
i) Liaise with the Internal Audit function, the Audit Committee and other committees of the Governing Authority to assist with the review of internal controls and the implications for the Risk Management process;
j) Recommend to the Audit Committee those areas of the University’s Risk Management Framework to be reviewed each year, if any;
k) Evaluate its own performance on an annual basis and, as appropriate, commission an external evaluation;
l) Hold at least one annual joint meeting with the University’s Audit Committee to review the Annual Risk Plan, including the most recently approved Strategic Risk Register, in the context of the University’s Audit Plan;
m) Consider other topics, as requested by the Governing Authority or initiated by the Committee;
n) Consider any external risk reports where these may assist with the Committee meeting its obligations under these Terms of Reference.
10.1) The Committee shall report at least annually on its activities to the Governing Authority. The report will include:
a) Committee’s opinion on the governance, effectiveness, quality and adequacy of the University’s Risk Management Framework;
b) Committee’s Key Performance Indicators; and
c) Committee’s assessment on its own operations.
10.2) The Committee will report to meetings of the Governing Authority on such other occasions as requested.
10.3) Final approved minutes of meetings of the Committee shall be circulated to the Governing Authority for noting.
10.4) The Committee shall arrange for the regular review of its terms of reference and shall submit any changes necessary to the Governing Authority for approval.
11.1) Risk Management Framework
The combination of policies, procedures, processes, controls, oversight and resources applied to the robust management of risk within the University and its campus companies.
11.2) Risk Management Policy
The Risk Management Policy sets out the University’s approach, at a high level, as to how it intends to ensure risks to the delivery of the University’s Strategic Plan are identified, analysed and managed so that they are maintained at acceptable levels. The goal of the policy is to identify risks and determine how they may be treated, tolerated, transferred or terminated.
11.3) Risk Management Plan
The Risk Management Plan is set out in the annual Strategic Risk Register and is composed of the mitigation controls, both current and future, to manage the risks as described in the register.
The plan is intended to:
- provide assurance to the Risk Committee and the Governing Authority that the University’s key risks (Principal, Emerging and High Impact/Low Probability (HILPs)) have been adequately assessed, evaluated and controlled / mitigated;
- set out how the likelihood and impact of operational losses will be mitigated;
- ensure opportunities are pursued; and
- provide a platform for future conversations with the Risk Committee on key risk topics.
The Risk Management Plan sets out in detail the annual process adopted by the University to give effect to the Risk Management Policy.
11.4) Strategic Risk Register (SRR)
The Strategic Risk Register is the highest level risk register prepared by the University. It is a component part of the Risk Management Plan.
11.5) Risk Appetite
Risk Appetite represents the types and aggregate levels of risk an organisation, such as the University, is willing to take on to actively pursue its strategic objectives.
Governing Authority Risk Committee - Terms of Reference
Office of the Chief Operations Officer
DCU Governing Authority
February 9th 2022