Risk Management

Risk & Resilience at DCU

Welcome & Introduction

Welcome to the risk & resilience section of the University's website. This section is managed by the Office of the Chief Operations Officer (COO) with day-to-day responsibility for its maintenance and contents being the responsibility of the University Risk and Compliance Officer (RCO). 

This section deals primarily with risk management and resilience within the University and its wholly owned subsidiary campus companies. A separate web page section deals with compliance issues within both the University and its campus companies - see link.

This section is designed to assist staff, students, members of the public and other interested parties in understanding the University's approach to risk & resilience. The COO is responsible for the management of the University's risk and resilience process at the University's Executive Board level, with the day-to-day administration of the process being the responsibility of the RCO who reports directly to the Deputy COO. In relation to their risk & resilience roles the COO, the Deputy COO & the RCO are referred to as the 'Risk & Resilience Function'. If you wish to contact the RCO, for example to report a new significant risk or to request specific risk management training, please see the RCO contact details section at the bottom of this page.

The primary roles of the Risk & Resilience Function are as follows:

  • to assist all units across the University, and its wholly owned campus companies, in meeting their obligations with regard to risk management and resilience; 
  • to maintain both unit level risk registers and the overall Institutional Risk Register for each risk review cycle;
  • to report to the Risk Committee, and the Executive Board, on progress in relation to the management of risks overall, and in detail on key priority risks; &  
  • to provide risk & resilience awareness training, guidance and support to both the staff of the University and its wholly owned campus companies.
Purpose / Role of Risk & Resilience

In recent years there has been an increased focus in both the public and private sectors, within Ireland and abroad, on corporate governance arrangements. One element of a strong governance framework is an effective system of risk management & resilience. To address this a formal, dedicated University Risk Management Function was set up in 2011. Since its inception within the University the process of risk management has gone through a number of changes which have sought to enhance the process. Details of the current process and framework for risk management, both within the University and its wholly owned campus companies, are provided on this web page. 

The aims of the University's process for risk & resilience are as follows:

  • to document those risks which may prevent the University from achieving its operational and strategic goals at both a unit level and at a wider University level;
  • to address identified risks through the implementation of tailored controls and solutions;
  • to track the trends in identified risks over time (e.g. are they improving, stable or getting worse); &
  • to identify and address significant and common risks across units of the University.

Risk Management Guide

The purpose of the Risk Management  Guide is to briefly explain the theory behind risk management and to demonstrate how it is applied within the University and its wholly owned campus companies. The guide is intended to be an introduction to risk management and should be read by anyone who is required to engage with the University's risk management process or who has an interest in this area. The guide may be accessed at the link below. 

Risk Management Guide (Staff Access Only) 

Unit Impact Assessment Guide    

The purpose of the Impact Assessment Guide is to assist Heads of Units in assessing and scoring a risk's impact at a unit level and should be referred to by Heads of Units when updating their respective Unit Level Risk Register in each review cycle. Separate criteria are used when assessing a risk's impact at a University level. The unit level guide may be accessed at the link below.  

Unit Level Impact Assessment Guide

Risk Management Policy & Risk Appetite Statement

(A) Risk Management Policy

Risk Management Policy - As originally approved by the DCU Governing Authority on February 8th 2018 with subsequent minor amendments made by the Governing Authority Risk Committee in November 2018 & 2019.

Purpose of the Policy

The purpose of the policy is to ensure that risks to the University’s strategic plan are identified, analysed and managed so that they are maintained at acceptable levels. The overall goal of any system of risk & resilience management is to identify risks and then to determine how they may be properly treated, tolerated, transferred or terminated if deemed necessary.


(B) Risk Appetite Statement

Risk Appetite Statement - As approved by the DCU Governing Authority on December 6th 2019.

Purpose of the Statement

A 'Risk Appetite' refers to the amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any given point in time. In the context of the University, this Statement seeks to summarise its tolerance for risk across a range of activities.

Risk Committee

Within the University's current risk management framework there exists a Governing Authority Risk Committee (GARC). The committee has some responsibilities for risk management as defined both by the University's Risk Management Policy and the committee's Terms of Reference. Further details its membership and Terms of Reference are shown below.   

Governing Authority Risk Committee (GARC)

The GARC is a sub-committee of the University's Governing Authority. Details of its current membership and terms of reference are set out below. Please note that the GARC's membership is composed of both external individuals and internal DCU staff members as indicated below. 

Name Position
Ms Bernie Gray Committee Chair & Chairperson of Coillte (External)
Ms Marie Sinnott  Company Secretary - ESB Group (External)
Ms Kathy Quinn Head of Finance - Dublin City Council (External)
Mr Michael Burke Facilities Manager - DCU (Internal)
Mr Padraig McKeon PR & Communications - McKeon Ireland (External)
Prof. Caroline McMullan

Professor of Business & Society - DCUBS (Internal)

Terms of Reference

The GARC's most recent Terms of Reference were approved by the DCU Governing Authority on December 4th 2020 (V3.0).

Risk Registers - Guidance

Risk Registers

A risk register is a formal method of documenting the specific details of risks. While there is no set format for a risk register there are elements common to most format types. It is therefore up to each entity to design a risk register which is suitable to it's own needs. The essential elements of a risk register are:

a) a description of the risk and its potential impact;

b) an assessment of the likelihood of the risk, as stated, materialising;

c) an indication of the level of seriousness of the risk's impact;

d) the controls / solutions which have been, or can be, put in place to reduce the likelihood of a risk materialising or, if it does materialise, to reduce its potential harmful impacts; & 

e) an indication of the risk's owner (i.e. the individual or group responsible for the management of the risk). 

Risk Register Template

Within the DCU risk management process a standard unit level risk register template is used. A copy of the Excel template, including guidance notes on how it is to be populated, may be accessed at the link below.

Risk Register Template

Process for Updating / Compiling a Unit Level Risk Register

The  University has a formal system in place for the regular review of, and reporting on, risk registers at a unit level. Where Heads of units are requested to update their their existing Unit Registers, or alternatively to compile a new one, they must follow the process set out below: 

a) identify the operational and strategic goals of the Unit;

b) identify the risks which may prevent the achievement of those goals. This can be accomplished by discussing potential risks with relevant members of staff or alternatively arranging a 'Brain Storming' session with all staff of the unit concerned. Such an approach will encourage buy in by staff to the process and will also encourage adoption of identified risks by those members of staff, or groups of staff, who may ultimately become the risk's owners for risk management purposes. 

c) assess the likelihood and possible impact of the risk using the criteria supplied in each review cycle by the Risk & Compliance Officer; &

d) identify and document both the current and future controls which are, or can be, put in place to address the risk as stated.

Actions to be taken once a Unit Register is completed

Once a Unit's Risk Register is completed in each review cycle the following sequence of events should occur:

a) the final version of the register is to be forwarded to the Risk & Compliance Officer;

b) for those current controls / actions listed against each risk the Heads of Unit should ensure that they are applied in practice; &

c) for those future controls / actions listed against each risk the Heads of Unit should ensure, where possible, that they are developed.

Strategic Risk Register

As part of its regular risk review cycle the University prepares a Strategic Risk Register (SRR) each year. In the years prior to 2020/2021 the SRR was known as the Institutional Risk Register (IRR). The SRR is the primary output of the University's Risk Management Process and it seeks to document those risks, and their respective mitigation, which have the potential to affect the University at a strategic level or which may have a significant operational impact. Copies of recent SRRs may be accessed at links below.

(Please Note: In order to access the SRRs/IRRs listed below you will need to verify you are a member of the University's staff by going through the authentication routine first).  

2014 Institutional Risk Register (Staff Access Only) - Final

2015 / 2016 Institutional Risk Register (Staff Access Only) - Final

2016 / 2017 Institutional Risk Register (Staff Access Only) - Final

2017 / 2018 Institutional Risk Register (Staff Access Only) - Final 

2018 / 2019 Institutional Risk Register (Staff Access Only) - Final

2019 / 2020 Institutional Risk Register (Contact the Risk & Compliance Officer) 

2020 / 2021 Strategic Risk Register (Contact the Risk & Compliance Officer)

2021 / 2022 Strategic Risk Register (Contact the Risk & Compliance Officer)

Heads of University Units, and the General Managers of the University's campus companies, should contact the Risk and Compliance Officer if they wish to arrange a risk management training session. 

Links - Internal & External

Internal University Links

For further information on related risk management topics please refer to the links below.

Events Planning

Information for sub-contractors working on campus

Lone / working out of hours policy

External Links

In relation to the topic of risk management within the Irish university sector the following legislation and guidance is relevant.

Risk & Compliance Officer - Contact Details

As stated in the introduction section above the overall management of the Risk, Resilience and Compliance Function within the University is the responsibility of the Chief Operations Officer. The administrative arrangements that underpin the risk management process across the University, and its wholly owned campus companies, is the responsibility of the University Risk & Compliance Officer (RCO). If you have any queries regarding the University's risk and resilience process please contact the RCO at the contact details below:

Noel Prior
Risk & Compliance Officer
Office of the Chief Operations Officer
Room A201 Albert College Extension
DCU Glasnevin Campus
Collins Avenue Extension
Dublin 9
D09 V209

Ph: 7008706

Or alternatively click here to send an email to the Risk & Compliance Officer.