Risk & Resilience Management at DCU
Welcome to the Risk & Resilience section of the University's website.
This section is managed by the Office of the Chief Operations Officer (COO), with day-to-day responsibility for its maintenance resting with the University Risk and Compliance Officer (RCO).
This section deals primarily with the management of risk and resilience across the University and its wholly owned subsidiary campus companies. A separate section of the website deals with compliance issues and may be accessed at this link.
This section is designed to assist staff, students, members of the public and other interested parties in understanding the University's approach to risk & resilience. The COO is responsible for the management of the University's risk and resilience process at the University's Executive Board level, with the day-to-day administration of the process being the responsibility of the RCO who reports directly to the Deputy COO. In relation to their risk & resilience roles the COO, the Deputy COO & the RCO are collectively known as the 'Risk & Resilience Function'. If you wish to contact the RCO, for example to report a new significant risk or to request specific risk management training, please see the RCO contact details section at the bottom of this web page.
- to assist all units across the University, and its wholly owned campus companies, in meeting their obligations with regard to risk management and resilience;
- to maintain both Unit Level Risk Registers and the overall University level Strategic Risk Register;
- to report to the Risk Committee and the Executive Board on progress in relation to the management of risks; &
- to provide appropriate training, guidance and support to both the staff of the University and its wholly owned campus companies.
In recent years there has been an increased focus in both the public and private sectors, within Ireland and abroad, on corporate governance arrangements. One element of a strong governance framework is an effective system of risk management. To address this obligation a formal and dedicated Risk Management Function was set up within the University in 2011 and since its inception the function has gone through a number of changes which have sought to enhance risk management across the University. Details of the current framework for risk management, both within the University and its wholly owned campus companies, are provided on this web page.
Aims of the University's Risk Management Function
- to document those risks which may prevent the University from achieving its operational and strategic goals at both a unit level and at a wider University level;
- to address identified risks through the implementation of tailored controls and solutions;
- to track the trends in identified risks over time (e.g. are they improving, stable or getting worse); &
- to identify and address significant and common risks across units of the University.
The primary output of the University's annual risk process is a Strategic Risk Register (SRR). The purpose of the SRR is to document the most significant risks that have the potential to affect the University and the steps being taken, or to be taken, to address those risks.
A guide describing how the SRR process works within the University is available at this link. The guide is intended to be a short introduction to the theory of risk management and it outlines the approach taken to provide an SRR in each risk cycle or year.
The guide should be read by anyone who is required to engage with the University's risk management process or who has an interest in this area.
Each annual risk cycle concludes with a Strategic Risk Register (SRR).
The SRR is the primary output of the University's Risk Management Process and it documents the strategic risks and issues affecting the University.
The current year's SRR and the archive of prior years' registers are available on the University's website and may be accessed at this link by staff of the University.
Purpose of the Policy
The purpose of the risk management policy is to ensure that risks to the University’s strategic plan are identified, analysed and managed so that they are maintained at acceptable levels. The overall goal of any system of risk & resilience management is to identify risks and then to determine how they may be properly treated, tolerated, transferred or terminated if deemed necessary.
Risk Management Policy - As approved by the DCU Governing Authority on June 30th 2022.
Purpose of the Statement
A 'Risk Appetite' refers to the amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any given point in time. In the context of the University, its Risk Appetite Statement seeks to summarise its tolerance for risks across a range of activities.
The DCU Risk Appetite Statement, as approved by the University's Governing Authority on December 6th 2019, may be accessed at this link.
Within the University's risk management framework there exists a Governing Authority Risk Committee (GARC). The Committee has some responsibilities for risk management as defined both by the University's Risk Management Policy and the Committee's Terms of Reference.
Membership of the Committee
The GARC is a sub-committee of the University's Governing Authority. Details of its current membership and terms of reference are set out below. Note that the GARC's membership is composed of both external individuals and internal DCU staff members.
| Ms Marie Sinnott | Risk Committee Chair & ESB Group Company Secretary (External) |
| Mr Justin Doyle | Deputy Director of ISS, DCU (Internal) |
| Prof. Caroline McMullan | Professor of Business & Society, DCU Business School (Internal) |
| Mr Padraig McKeon | PR & Communications, McKeon Ireland (External) |
Terms of Reference
The GARC's most recent Terms of Reference (V4.0) were approved by the DCU Governing Authority on February 9th 2022.
A risk register is a formal method of documenting the details of risks and how they are managed. While there is no definitive format for a risk register there are elements common to most. The essential elements of a risk register are:
a) a description of the risk and its potential impact;
b) an assessment of the likelihood of the risk materialising;
c) an indication of the level of seriousness of the risk's impact;
d) the controls or solutions which have been, or can be, put in place to reduce the likelihood of a risk materialising or, if it does materialise, to reduce its potential harmful impacts; &
e) an indication of the risk's owner (i.e. the individual or group within the organisation responsible for the management of the risk).
Updating or Compiling a Unit Level Risk Register
The University's risk process relies upon the regular review and preparation of individual Risk Registers at a unit level. Where Heads of units are requested to update their existing Unit Registers, or alternatively to compile a new one for the first time, they must follow the steps set out in the guide referenced above. In summary the steps are:
a) Identify the operational and strategic goals of the Unit.
b) Identify the risks which may prevent the achievement of those goals. This can be accomplished by discussing potential risks with relevant members of unit staff or alternatively arranging a 'brainstorming' session with all staff of the unit concerned. Such an approach will encourage buy-in by staff and will also encourage adoption of identified risks by those members of staff, or groups of staff, who may ultimately become the risk's owners.
c) Assess the likelihood and possible impact of the risk.
d) Identify and document both the current and future controls which are, or can be, put in place to address the risk.
A guide to preparing a risk register may be accessed at this link.
Risk Register Template
Within the DCU risk management process a standard unit level risk register template is used. A copy of the Excel template, including guidance notes on how it is to be populated, has been provided below.
Actions to be taken once a Unit Register is completed
Once a Unit's Risk Register is completed in each review cycle the following sequence of events should occur:
a) The final version of the register is to be forwarded to the Risk & Compliance Officer;
b) For those current controls / actions listed against each risk the Heads of Unit should ensure that they are applied in practice; &
c) For those future controls / actions listed against each risk the Heads of Unit should ensure, where possible, that they are developed and implemented.
Heads of University Units (or General Managers in the case of the University's campus companies) should contact the Risk and Compliance Officer if they wish to arrange a risk management training session.
For 2024 we plan to provide an online training course on the aspects of risk management theory and practice that will be of most benefit to Heads of Units and staff.
The training will be made available through HR's Essential eLearning webpage - see link.
Internal University Links
For further information on related risk management topics please refer to the links below.
In relation to the topic of risk management within the Irish university sector the website of the Higher Education Authority (see link) summarises the most relevant legislation, codes and guides.
As stated in the introduction section above the overall management of the Risk & Resilience Function within the University is the responsibility of the Chief Operations Officer.
The administrative arrangements that underpin the risk management process across the University, and its wholly owned campus companies, are the responsibility of the University Risk & Compliance Officer (RCO).
If you have any queries regarding the University's risk and resilience process, please contact the RCO at the contact details below:
Risk & Compliance Officer
Office of the Chief Operations Officer
Room A201 Albert College Extension
DCU Glasnevin Campus
Collins Avenue Extension
Or alternatively click here to send an email to the Risk & Compliance Officer.