Risk Management Policy

Policy Owner: OCOO
Document Type: Policy
Document Approval Date:
Version: 4.0

Risk management is the on-going process to identify, assess, manage and control potential events or situations in order to provide reasonable assurance regarding the achievement of an organization’s objectives. Dublin City University (hereinafter referred to as the ‘University’) is committed to establishing and maintaining a systematic approach to the identification, assessment and management of risk.

The University endeavours to manage all risks which could prevent the attainment of its stated objectives as set out in its Strategic Plan while at the same time not limiting its ability to attain those same objectives by taking on an acceptable level of risks which may lead to positive outcomes.

The purpose of this risk management policy is to provide guidance regarding the management of risk within the University in order to:

  • support the achievement of strategic objectives;
  • protect staff, students and assets;
  • ensure financial sustainability; and
  • comply with the requirements of the HEA Code of Governance for Irish Universities.

The Governing Authority has ultimate responsibility for risk and internal control within the University. The Authority determines the nature and extent of the risk it is willing to take to achieve its strategic objectives and is responsible for ensuring that an appropriate risk culture has been embedded throughout the University. This policy supports the Authority in meeting its responsibilities in this regard.

This policy applies to all units of the University, both academic and central services, and to its wholly owned subsidiaries.

In addition, the risk registers of the DCU Educational Trust and the Office of Student Life will, where available, also be reviewed as part of the University’s annual risk management process.

  1. The University’s Governing Authority, through its Risk Committee (GARC), is ultimately responsible for exercising oversight over the University’s system of risk management. The Governing Authority will set ‘the tone from the top’ by embedding and leading risk management and by providing direction on the importance of risk management and a risk culture. This policy supports the Authority in meeting its responsibilities in this regard.

  2. The Executive is responsible for coordinating the development and maintenance of the University’s risk management process. The Executive will continually monitor the way in which risk is considered and addressed within the University.

  3. The Executive will advise the Governing Authority on risk management strategies and provide periodic reports and analysis of risk findings.

  4. The Chief Operations Officer is responsible for the ongoing development and day-to-day maintenance of the University’s Risk Management Function and will be assisted in this role by the Deputy Chief Operations Officer and the Risk & Compliance Officer.

  5. The Chief Operations Officer will be responsible for University-wide communications on risk matters.

  6. A Strategic Risk Register (SRR) will be maintained by the Risk Management Function and will be prepared and reviewed at least annually. This register will contain risks which either have the potential to affect the University as a whole or are of a sufficiently serious degree, at both a Unit and University level, to merit their inclusion. Potential risks for inclusion in the SRR will be reviewed by the Executive and the Governing Authority Risk Committee. Final approval of the SRR is the responsibility of the Governing Authority.

  7. The Risk Management Function will develop policies and procedures to ensure that risk management is implemented across all decision-making functions of the University.

  8. The University will seek to continuously improve its risk management performance by integrating risk management into its business processes, project management and other reporting arrangements.

  9. Heads of Unit are responsible for the day-to-day management of risks under their control. They will be assisted in this role by senior management as necessary and will cooperate with the Risk Management Function.

  10. Risk registers will be maintained at a Unit level and the Heads of Units shall ensure that risk assessments are performed regularly for their area of responsibility.

  11. Risks will be evaluated on both a ‘Bottom-Up’ and a ‘Top-Down’ basis.

  12. Emerging risks will also be evaluated as part of the University’s risk management process.

  13. A Risk Appetite Statement will be kept under review as part of the University’s Risk Management Framework.

  14. Business Continuity and Crisis Management plans will be kept under review as part of the University’s Risk Management Framework.

  15. A Major Emergency Plan will be kept under review as part of the University’s Risk Management Framework. The purpose of the plan is to ensure that appropriate arrangements are in place across the University to deal with major disruptions to its normal operations.

  16. The Risk & Compliance Officer will be responsible for the regular updating and maintenance of the University’s Risk Web page.

  17. Risk management and oversight is a University-wide responsibility that calls for, and requires, the active involvement and cooperation of both management and staff.

Risk Management Process

The Strategic Risk Register (SRR), which is prepared as part of an annual risk management cycle, is the primary documented output of the University’s Risk Management Process. Each cycle begins with a ‘Bottom-Up’ approach with the selection of risk reporting Units from across the entire University. Selected Units then prepare or update their individual unit level risk registers and in each case they are asked to identify and document both current and emerging risks which may impact upon them directly as well as those which may have an impact at a wider University level.  

Subsequently, the unit level risk registers are reviewed by the member of the University’s Senior Management Group (SMG) who has line management responsibility for the Unit. This initial review results in the collation of risks into ‘Functional Area Risk Registers’ for each SMG member which in turn are used by the SMG to prepare the first draft of the SRR in each cycle.

It is at this point that the opportunity arises for senior management at the Executive level to take a ‘Top-Down’ view and to add relevant high level, sector wide, risks into the draft SRR so that the final draft in each cycle is a comprehensive document intended to capture the most significant and strategic risks facing the University. A subsequent meeting of the Governing Authority Risk Committee (GARC) then reviews the draft SRR in the context of the University’s Strategy and the sectoral challenges facing the University.  Following this review, the Risk Committee submits the draft SRR to the Governing Authority for its approval. Once approved, the SRR is published on the University’s Risk Management Webpage. Updates on any significant changes in risks listed in the current SRR are given at subsequent meetings of the Governing Authority by the President of the University.   

Risk Reporting

As part of its responsibilities the Governing Authority must be assured that significant risks are managed on an ongoing basis and that any significant changes to the University’s risk profile are identified and understood in a timely manner. This assurance is provided by means of:

  • the annual preparation of an SRR as per the University’s Risk Management Process;
  • ongoing updates on specific risks at Governing Authority meetings by the President;
  • regular review of risk registers by Heads of Unit, the SMG and the Executive; and
  • the ongoing and regular review of both existing and emerging risks, including significant risk incidents, by the Governing Authority Risk Committee (GARC).

The primary roles of the various parties involved in risk management and risk governance throughout the University, are summarized in Appendix 1 to this policy.

Risk

In the context of this policy risks can be either positive (i.e. opportunities) or negative. Positive risks or opportunities are uncertain but favourable events which, if they occur, would positively impact upon the University’s objectives. A negative risk is defined as an uncertainty which gives rise to potential events which, were they to occur, would impact negatively on the University by preventing the optimum delivery of the University’s objectives or by damaging its reputation.

Risks may also be split into both ‘Current’ and ‘Emerging’ risks. A ‘Current’ risk is a risk that may seriously affect the performance, future prospects or reputation of the University. An ‘Emerging’ risk is a new or novel manifestation of a type of risk which has never been experienced or one which did previously exist but has not been encountered for a number of years. Emerging risks are difficult to quantify in terms of likelihood and impact due to the limited knowledge of their nature and potential impact.

The University’s Risk Management Process seeks to document and manage both positive and negative risks in addition to current and emerging risks. 

Risk Appetite Statement

Risk is an inherent part of running any organization. At its simplest, a risk appetite can be defined as the amount of risk, on a broad level, that an organization is willing to take on in pursuit of its strategy.

Specifically, a Risk Appetite Statement:

  • enables the Governing Authority to set limits and/or boundaries for key risk drivers;
  • aligns the risk willingness of the risk owner, the Governing Authority and the Executive with the University’s capacity for taking risks and/or pursuing opportunities;
  • provides high level direction on how the University should position itself to protect value and mitigate risk as it moves to implement strategy; and
  • fosters innovation and opportunities to grow and improve performance.

Risk Management Function

The Risk Management Function is the collective term for the combination of the following University Officers in respect of their risk management duties as set out in this policy:

  1. Chief Operations Officer;
  2. Deputy Chief Operations Officer; and
  3. Risk & Compliance Officer.

Strategic Risk Register

The Strategic Risk Register (SRR) is the highest level risk register prepared on an annual basis by the University.

For further information on any aspect of this policy, please contact the Office of the Chief Operations Officer at Ext. 5118 or 8257. The University’s Risk Management Webpage sets out in further detail how the risk management process is applied across the University.


This Policy shall be reviewed by the Governing Authority Risk Committee on an annual basis.  

Document Name: Risk Management Policy
Unit Owner: Office of the Chief Operations Officer
Version Reference: Version 4.0
Approved by: Governing Authority
Effective Date: June 30th 2022

Appendix 1

Party / Roles & Responsibilities

Governing Authority

  1. Ultimate responsibility for risk management within the University.
  2. Performs a ‘Top Down’ overview of risk management.
  3. Oversight and review of risk management activities.
  4. Final approval of the University Risk Management Policy and any fundamental or significant amendments thereto.
  5. Final approval of the Strategic Risk Register (SRR).
  6. Receives quarterly updates from the President on SRR risks.
  7. Sets Risk Appetite and Risk Tolerances.

Governing Authority Risk Committee (GARC)

The GARC exercises oversight of the University’s risk management process in line with its Terms of Reference as approved by the Governing Authority. 

Executive

  1. The Executive is responsible for leading the development and maintenance of the University’s Risk Management process.
  2. The Executive will advise the Governing Authority on risk management strategies and provide periodic reports and analysis of risk findings.

Chief Operations Officer

  1. Member of the Executive responsible for Risk Management.
  2. Responsible for the operations of the Risk Management Function and supports its continued development.

Risk and Compliance Officer

  1. Facilitates the University’s risk management process.
  2. Assists University units in the implementation of the Risk Management Policy.
  3. Maintains a database of both Unit and Strategic Risk Registers.
  4. Assists Units in preparing & updating their individual Unit registers.
  5. Preparation of, and reporting on, risk metrics and risk analysis.

Senior Management Group (SMG)

  1. Members of the SMG perform the initial annual review of Unit Registers for all units under their control.
  2. The SMG as a group prepares the first draft of the Strategic Risk Register in each risk cycle.

Executive Deans, Heads of Schools, Heads of Central Services Units, Directors of Research Centres and General Managers of wholly owned subsidiary companies of the University

  1. Ensure risks are identified, assessed and managed on a day-to-day basis in relation to the Units which report to them.
  2. Prepare / update Unit risk registers.
  3. Ensure Risk Management is a standing Agenda item at Faculty Management Boards.
  4. Promote Unit risk registers as a management tool.
  5. Cooperate with the Risk Management Function in the reporting and analysis of risks within their Units.

Audit Committee

The Audit Committee coordinates with the Governing Authority Risk Committee in respect of its oversight of the University’s risk management process.

Internal Audit

  1. As an independent appraisal and assurance function, Internal Audit, as part of its programme of work (the objective of which is to provide assurance to the Governing Authority and the President on the University's entire system of controls, including Risk Management), objectively and impartially reviews and reports on the adequacy and effectiveness of the University's risk management processes and procedures to local management, the SMG and the Audit Committee. Internal Audit is an essential part of the overall risk governance framework within the University.
  2. Internal Audit considers the outcome of the University’s regular risk cycles in its overall risk based audit planning process.
  3. The Head of Internal Audit may attend meetings of the Risk Committee as an observer.

All staff

Will cooperate with all parties in the implementation of the University’s risk management process and policy.