Risk & Resilience at DCU
N.B. Please see the link below if you wish to access any of the 'Staff Access Only' documents listed on this webpage.
Please click here to log in before accessing them
Welcome to the risk & resilience section of the University's website. This section is managed by the Office of the Chief Operations Officer (COO) with day-to-day responsibility for its maintenance and contents being the responsibility of the University Risk and Compliance Officer (RCO).
This section deals primarily with risk management and resilience within the University and its wholly owned subsidiary campus companies. A separate webpage section deals with compliance issues within both the University and its campus companies - see link.
This section is designed to assist staff, students, members of the public and other interested parties in understanding the University's approach to risk & resilience. The COO is responsible for the management of the University's risk and resilience process at the University's Executive Board level, with the day-to-day administration of the process being the responsibility of the RCO who reports directly to the Deputy COO. In relation to their risk & resilience roles the COO, the Deputy COO & the RCO are referred to as the 'Risk & Resilience Function'. If you wish to contact the RCO, for example to report a new significant risk or to request specific risk management training, please see the RCO contact details section at the bottom of this page.
The primary roles of the Risk & Resilience Function are as follows:
- to assist all units across the University, and its wholly owned campus companies, in meeting their obligations with regard to risk management and resilience;
- to maintain both unit level risk registers and the overall Institutional Risk Register for each risk review cycle;
- to report to the Risk Committee, and the Executive Board, on progress in relation to the management of risks overall, and in detail on key priority risks; &
- to provide risk & resilience awareness training, guidance and support to both the staff of the University and its wholly owned campus companies.
In recent years there has been an increased focus in both the public and private sectors, within Ireland and abroad, on corporate governance arrangements. One element of a strong governance framework is an effective system of risk management & resilience. To address this a formal, dedicated University Risk Management Function was set up in 2011. Since its inception within the University the process of risk management has gone through a number of changes which have sought to enhance the process. Details of the current process and framework for risk management, both within the University and its wholly owned campus companies, are provided on this webpage.
The aims of the University's process for risk & resilience are as follows:
- to document those risks which may prevent the University from achieving its operational and strategic goals at both a unit level and at a wider University level;
- to address identified risks through the implementation of tailored controls and solutions;
- to track the trends in identified risks over time (e.g. are they improving, stable or getting worse); &
- to identify and address significant and common risks across units of the University.
Risk Management Guide
The purpose of the Risk Management Guide is to briefly explain the theory behind risk management and to demonstrate how it is applied within the University and its wholly owned campus companies. The guide is intended to be an introduction to risk management and should be read by anyone who is required to engage with the University's risk management process or who has an interest in this area. The guide may be accessed at the link below.
Risk Management Guide (Staff Access Only)
Unit Impact Assessment Guide
The purpose of the Impact Assessment Guide is to assist Heads of Units in assessing and scoring a risk's impact at a unit level and should be referred to by Heads of Units when updating their respective Unit Level Risk Register in each review cycle. Separate criteria are used when assessing a risk's impact at a University level. The unit level guide may be accessed at the link below.
(A) Risk Management Policy
Risk Management Policy - As originally approved by the DCU Governing Authority on February 8th 2018 with subsequent minor amendments made by the Governing Authority Risk Committee in November 2018 & 2019.
Purpose of the Policy
The purpose of the policy is to ensure that risks to the University’s strategic plan are identified, analyzed and managed so that they are maintained at acceptable levels. The overall goal of any system of risk & resilience management is to identify risks and then to determine how they may be properly treated, tolerated, transferred or terminated if deemed necessary.
(B) Risk Appetite Statement
Risk Appetite Statement - As approved by the DCU Governing Authority on December 6th 2019.
Purpose of the Statement
A 'Risk Appetite' refers to the amount of risk that an organization is prepared to accept, tolerate or be exposed to at any given point in time. In the context of the University, this Statement seeks to summarize its tolerance for risk across a range of activities.
Within the University's current risk management framework there exists a Governing Authority Risk Committee (GARC). The committee has some responsibilities for risk management as defined both by the University's Risk Management Policy and the committee's Terms of Reference. Further details of its membership and Terms of Reference are shown below.
Governing Authority Risk Committee (GARC)
The GARC is a sub-committee of the University's Governing Authority. Details of its current membership and terms of reference are set out below. Please note that the GARC's membership is composed of both external individuals and internal DCU staff members as indicated below.
|Ms Bernie Gray||Committee Chair & Chairperson of Coillte (External)|
|Ms Marie Sinnott||Compliance Risk & Environment Manager - ESB Group (External)|
|Ms Kathy Quinn||Head of Finance - Dublin City Council (External)|
|Mr Michael Burke||Facilities Manager - DCU (Internal)|
|Mr Padraig McKeon||PR & Communications - McKeon Ireland (External)|
|Prof. Caroline McMullan||Professor of Business & Society - DCUBS (Internal)|
Terms of Reference
The GARC's most recent Terms of Reference were approved by the DCU Governing Authority on June 22nd 2017 with minor amendments made by the GARC in November 2019 (V2.1).
A risk register is a formal method of documenting the specific details of risks. While there is no set format for a risk register there are elements common to most format types. It is therefore up to each entity to design a risk register which is suitable to its own needs. The essential elements of a risk register are:
a) a description of the risk and its potential impact;
b) an assessment of the likelihood of the risk, as stated, materialising;
c) an indication of the level of seriousness of the risk's impact;
d) the controls / solutions which have been, or can be, put in place to reduce the likelihood of a risk materialising or, if it does materialise, to reduce its potential harmful impacts; &
e) an indication of the risk's owner (i.e. the individual or group responsible for the management of the risk).
Risk Register Template
Within the DCU risk management process a standard unit level risk register template is used. A copy of the Excel template, including guidance notes on how it is to be populated, may be accessed at the link below.
Process for Updating / Compiling a Unit Level Risk Register
The University has a formal system in place for the regular review of, and reporting on, risk registers at a unit level. Where Heads of Units are requested to update their existing Unit Registers, or alternatively to compile a new one, they must follow the process set out below:
a) identify the operational and strategic goals of the Unit;
b) identify the risks which may prevent the achievement of those goals. This can be accomplished by discussing potential risks with relevant members of staff or alternatively arranging a 'Brain Storming' session with all staff of the unit concerned. Such an approach will encourage buy-in by staff to the process and will also encourage adoption of identified risks by those members of staff, or groups of staff, who may ultimately become the risk's owners for risk management purposes.
c) assess the likelihood and possible impact of the risk using the criteria supplied in each review cycle by the Risk & Compliance Officer; &
d) identify and document both the current and future controls which are, or can be, put in place to address the risk as stated.
Actions to be taken once a Unit Register is completed
Once a Unit's Risk Register is completed in each review cycle the following sequence of events should occur:
a) the final version of the register is to be forwarded to the Risk & Compliance Officer;
b) for those current controls / actions listed against each risk the Heads of Unit should ensure that they are applied in practice; &
c) for those future controls / actions listed against each risk the Heads of Unit should ensure, where possible, that they are developed.
As part of its regular risk review cycle the University prepares an Institutional Risk Register (IRR) each year. The IRR is the primary output of the University's Risk Management Process and it seeks to document those risks, and their respective mitigations, which have the potential to affect the University at a strategic level or which may have a significant operational impact. Copies of recent IRRs may be accessed at the links below.
(Please Note: In order to access the IRRs listed below you need to verify you are a member of the University's staff by first of all clicking on the 'Click Here' link at the top of this webpage).
2014 Institutional Risk Register (Staff Access Only) - Final
2015 / 2016 Institutional Risk Register (Staff Access Only) - Final
2016 / 2017 Institutional Risk Register (Staff Access Only) - Final
2017 / 2018 Institutional Risk Register (Staff Access Only) - Final
2018 / 2019 Institutional Risk Register (Staff Access Only) - Final
2019 / 2020 Institutional Risk Register (Staff Access Only) - Final
This section contains links to training materials to assist staff in understanding the theory and practice of risk management & resilience within the University. Heads of University Units and the General Managers of the University's campus companies should contact the Risk and Compliance Officer if they wish to arrange a risk management training session for their own unit or company staff.
Internal University Links
For further information on related risk management topics please refer to the links below.
In relation to the topic of risk management within the Irish university sector the following legislation and guidance is relevant.
As stated in the introduction section above the overall management of the Risk, Resilience and Compliance Function within the University is the responsibility of the Chief Operations Officer. The administrative arrangements that underpin the risk management process across the University, and its wholly owned campus companies, are the responsibility of the University Risk & Compliance Officer (RCO). If you have any queries regarding the University's risk and resilience process please contact the RCO at the contact details below:
Risk & Compliance Officer
Office of the Chief Operations Officer
Room A201 Albert College Extension
DCU Glasnevin Campus
Collins Avenue Extension
Or alternatively click here to send an email to the Risk & Compliance Officer.