Risk & Resilience
Albert College DCU Glasnevin Campus
Welcome to the Risk and Resilience section of the university website.
Managed by the University Risk and Compliance Officer (RCO) and owned by the Office of the Chief Operations Officer (COO), this section provides comprehensive information on the management of risk and resilience across the university and its wholly owned subsidiary companies.
The content is intended to assist all stakeholders, including staff, students, and the general public, in understanding our institutional approach to risk management.
- Document risks which may prevent the achievement of operational and strategic goals at both a unit and university level;
- Address identified risks through the implementation of tailored controls and solutions;
- Track the trends in risks over time (e.g. are they improving, stable or deteriorating); &
- Identify and address significant and common risks.
The Chief Operations Officer (COO) is responsible for the management of the University's risk process at the University's Executive Board level, with the day-to-day administration of the process being the responsibility of the Risk & Compliance Officer (RCO).
In relation to their risk roles the COO, Deputy COOs & the RCO are collectively referred to as the 'Risk Function'.
Role of the Risk Function
- Assist all units across the University (including its wholly owned Campus Companies) in meeting their obligations with regard to the management of risk;
- Assist all units with their responsibility to maintain unit level Risk Registers and the University with maintaining the Strategic Risk Register;
- Report to the Executive, and the Audit & Risk Committee, in relation to risk management matters; &
- Provide appropriate training, guidance and support to facilitate the University's risk process.
Beginning in 2026, the University's risk process will transition to a three-year cycle. Under this new framework, a Strategic Risk Register (SRR) will still be produced annually, but the method of data collection will evolve to prioritize active mitigation over administrative reporting.
Year 1: Comprehensive Baseline
A full "Bottom-Up" and "Top-Down" exercise is conducted. This involves the creation of:
- Unit Risk Registers (URRs)
- Functional Area Risk Registers (FARRs)
- Strategic Risk Register (SRR)
Diagram of the Year 1 Process Workflow
Years 2 and 3: Active Management & Validation
During the interim years, the focus shifts from data collection to active risk management and mitigation:
- Review & Validation: The Senior Management Group (SMG) reviews the existing SRR to ensure it remains accurate and complete.
- Addendums: If the risk landscape shifts significantly, an addendum to the SRR is produced to reflect these changes.
- Optimization: By reducing the administrative burden of a full "bottom-up" review every year, these years are dedicated to strengthening the robustness of existing risk controls and response strategies.
The Governing Authority, supported by the Audit & Risk Committee (ARC), provides high-level oversight of the University’s risk management process.
Operational responsibility is distributed as follows:
- The Executive: Charged with the development, maintenance, and continuous monitoring of the overarching risk management process.
- Chief Operations Officer (COO): Oversees the strategic development and resourcing of the Risk Management Function.
- Heads of Unit: Responsible for the implementation and day-to-day management of risk within their respective areas.
- Risk and Compliance Officer: Facilitates the risk process and manages the University’s Risk webpage to ensure transparency and accessibility of information.
Each risk cycle culminates with the approval and adoption by the Governing Authority of an annual Strategic Risk Register (SRR) for the University.
The SRR is the primary output of the Risk Management Process and it documents the strategic risks and issues affecting the University at a point in time.
The current year's SRR, along with an archive of prior year registers, is available on the University's website and may be accessed at the link below by Staff of the University.
Current & Prior Year SRRs (Staff Access Only)
The purpose of the Risk Management Policy is to provide guidance regarding the management of risk within the University in order to:
- support the achievement of strategic objectives;
- protect staff, students and assets;
- ensure financial sustainability; &
- comply with the requirements of the HEA Code of Governance for Irish Universities.
The latest policy, as approved by the Governing Authority on December 5th 2025, may be accessed at the link below.
A 'Risk Appetite' refers to the amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any given point in time and is primarily used to aid in decision making.
In the context of the University, its Risk Appetite Statement (RAS) seeks to summarise its tolerance for risks across a broad range of activities that third level institutions commonly engage in.
The RAS is approved by the Governing Authority.
The Audit & Risk Committee (ARC) supports the Governing Authority within the University’s risk management framework. Detailed roles and responsibilities are outlined in the Committee’s Terms of Reference, available via the link below.
The Audit & Risk Committee (ARC) is a sub-committee of the University’s Governing Authority.
Current members are listed below.
| Name | Position |
|---|---|
| Ms Marie Sinnott | Committee Chair & ESB Group Company Secretary |
| Mr Ciaran Flynn | Head of Governance and Consulting Services, Arthur Cox |
| Mr Neil Redmond | Director of Cybersecurity, PWC |
| Mr Paul Dunne | Head of Distribution, State Street Investment Management |
A risk register is a formal tool used by an organisation to document risks. While there is no definitive format for a risk register, registers do share certain common elements, such as:
a) Description of the risk and its potential impact;
b) Assessment of the likelihood of the risk materialising;
c) Indication of the level of seriousness of the risk's impact;
d) Controls or solutions which are, or can be, put in place to reduce the likelihood of a risk materialising or, if it does materialise, to reduce its potential harmful impact; &
e) Assignment of a risk owner (i.e. the individual or group within the organisation responsible for the management of a specified risk).
Once documented, the various risks are then placed in a hierarchy with the highest weighted risks at the top of the register followed by lower weighted risks below.
The University's risk process is based upon the regular updating and review of risk registers across three levels. The bottom level registers are referred to as 'Operational' or 'Unit' registers and the process to update one is:
a) Identify the operational and strategic goals of the Unit.
b) Identify the risks or issues which may prevent the achievement of those goals (e.g. by discussing potential risks with relevant members of Unit staff or, alternatively, by arranging a brainstorming session).
c) Assess the likelihood and possible impact of the risk.
d) Identify and document both the current and future controls which are, or can be, put in place to manage the risk.
All of the above is documented in the risk register. A detailed guide to preparing a unit level risk register can be found at the link below.
The University's standard risk register template for use at a unit or operational level may be accessed at the link below.
Once a unit risk register is completed the next steps are:
a) The final version of the register is to be forwarded to the Risk & Compliance Officer;
b) For current controls/actions listed against each risk the Head of Unit must seek to apply them in practice; &
c) For future controls/actions listed against each risk the Head of Unit must seek, where possible, to have them developed and applied in practice.
A new online and interactive risk management training course for staff involved in the risk process will be made available in the first quarter of 2026.
The current course, which will be replaced by the new one referenced above, may be accessed via the link below.
As stated in the introduction section above, the overall management of the Risk Function within the University is the responsibility of the Chief Operations Officer.
The administrative arrangements that underpin the risk management process across the University, and its wholly owned campus companies, are the responsibility of the Risk & Compliance Officer (RCO).
If you have any queries regarding the University's risk process, please contact the RCO at:
Office of the Chief Operations Officer
Room A201 Albert College Extension
DCU Glasnevin Campus
Collins Avenue Extension
Dublin 9
D09 V209
Ph: +353 1 7008257 or 7005118
Email: coo@dcu.ie
For further University information on certain risk management issues and topics please refer to the internal links below.
Guidance on running an event on a DCU campus
Guidance for Sub-Contractors
In relation to the broader topic of risk management within the Irish university sector, the website of the Higher Education Authority (HEA) summarises the relevant legislation, codes and guides at the link below.