Risk Management Policy
Risk management is an on-going process to identify, assess, manage and control potential events or situations in order to provide reasonable assurance regarding the achievement of an organization’s objectives. Dublin City University (hereinafter referred to as the ‘University’) is committed to maintaining a systematic approach to the identification, assessment and management of risk.
The University endeavours to manage all risks which could prevent the attainment of its stated objectives, as set out in its Strategic Plan, while at the same time not limiting its ability to attain those same objectives by taking on an acceptable level of risks which may lead to positive outcomes.
The purpose of this risk management policy is to provide guidance regarding the management of risk within the University in order to:
● support the achievement of strategic objectives;
● protect staff, students and assets;
● ensure financial sustainability; &
● comply with the requirements of the HEA Code of Governance for Irish Universities.
This policy applies to all units of the University, both academic and central services, and to its wholly owned subsidiaries.
In addition, the risk registers of the DCU Educational Trust and the Office of Student Life will, where available, be reviewed as part of the University’s risk management process.
- The University’s Governing Authority, through its Audit and Risk Committee (ARC), is ultimately responsible for exercising oversight over the University’s system of risk management. The Authority determines the nature and extent of the risk it is willing to take to achieve its strategic objectives and is responsible for ensuring that an appropriate culture has been embedded throughout the University. The Authority will set ‘the tone from the top’ by embedding and leading risk management and by providing direction on the importance of risk management and a risk culture. This policy supports the Authority in meeting its responsibilities in this regard.
- The Executive is responsible for coordinating the development and maintenance of the University’s risk management process. The Executive will continually monitor the way in which risk is considered and addressed within the University.
- The Executive will advise the Governing Authority on risk management strategies and provide periodic reports and analysis of risk findings.
- The Chief Operations Officer is responsible for the ongoing development and day-to-day maintenance of the University’s Risk Management Function and will be assisted in this role by the Deputy Chief Operations Officers and the Risk & Compliance Officer.
- The Risk Management Function will maintain the following: a) Strategic Risk Register (SRR), and b) High Impact Low Probability (HILP) Register.
- These will be reviewed at least annually.
- The SRR and HILP will contain risks which either have the potential to affect the University as a whole or are of a sufficiently serious degree, at both a Unit and University level, to merit their inclusion. Potential risks for inclusion in the SRR and HILP Register will be reviewed by the Executive and the ARC. Final approval of the SRR and HILP is the responsibility of the Governing Authority.
- Risks will be rated as High, Medium or Low according to an estimate of their likelihood and potential impact.
- The University operates a residual risk model whereby it estimates the likelihood and impact of a risk after taking into account the effect of the current controls / measures already in place to manage the risk. It is the residual risk value that determines whether an individual risk is categorized as high, medium or low.
- The University will seek to continuously improve its risk management performance by integrating risk management into its business processes, project management and other reporting arrangements.
- Risk registers will be maintained at a Unit level where required by the SMG member to whom they report, and the Heads of Units shall ensure that risk assessments are performed regularly for their area of responsibility.
- Risks will be evaluated on both a ‘Bottom-Up’ and ‘Top-Down’ basis.
- Emerging risks will also be evaluated as part of the University’s risk management process.
- A Risk Appetite Statement will be kept under review as part of the University’s Risk Management Framework.
- Business Continuity and Emergency Management plans will be kept under review to support the University’s Risk Management Framework. The purpose of these plans is to ensure that appropriate arrangements are in place across the University to deal with major disruptions to its normal operations.
- The Risk & Compliance Officer will be responsible for the regular updating and maintenance of the University’s Risk & Resilience webpages.
- Risk management and oversight is a University-wide responsibility that calls for, and requires, the active involvement and cooperation of both management and staff.
Risk Management Process
The Strategic Risk Register (SRR), which is prepared and/or updated as part of the risk management cycle, is the primary documented output of the University’s Risk Management Process.
The process takes place over a three-year cycle. In year 1 a full bottom-up and top-down process takes place to develop and approve a new SRR while a check-in is conducted in years 2 and 3 to ensure the prior year’s SRR remains complete and accurate.
An overview of the risk management process is detailed in the flowcharts in appendices 1-2.
Risk Reporting
As part of its responsibilities the Governing Authority must be assured that significant risks are managed on an ongoing basis and that any significant changes to the University’s risk profile are identified and understood in a timely manner. This assurance is provided by means of:
- the annual preparation or updating of a SRR as per the University’s risk management process;
- ongoing updates on specific risks at Governing Authority meetings by the President;
- review of risk registers by Heads of Unit, the SMG and the Executive; &
- the ongoing and regular review of both existing and emerging risks, including significant risk incidents, by the ARC.
The primary roles and responsibilities of the various parties involved in risk management across the University are as follows, and are also detailed in the risk management process flowcharts in appendices 1-2:
- Governing Authority
a) Ultimate responsibility for risk management within the University;
b) Performs a ‘Top Down’ overview of risk management;
c) Oversight and review of risk management activities;
d) Final approval of the University Risk Management Policy and any fundamental or significant amendments thereto;
e) Final approval of the Strategic Risk Register (SRR) and the list of High Impact Low Probability (HILP) risks in year one of the three year risk cycle and the approval of the SRR/HILP Addendum in years two to three of the cycle;
f) Review periodic updates from the President on SRR risks; &
g) Sets the Risk Appetite and Risk Tolerances.
- Audit & Risk Committee (ARC)
a) The ARC exercises oversight of the University’s risk management process in line with its Terms of Reference as approved by the Governing Authority.
b) With regard to year one of the three year risk cycle the ARC:
- Step 1(c) - reviews the list of units nominated by the SMG members to prepare a unit risk register; &
- Step 3(b) - reviews the draft SRR and the list of High Impact Low Probability (HILP) risks and provides commentary.
c) With regard to years two and three of the three year risk cycle the ARC:
- Step 4(c) - reviews the SRR and HILP Addendum and provides commentary;
- Reviews the RCO’s report and the Risk Reporting Forms; &
- Determines a schedule for Risk Owner presentations based on relative risk.
- Executive
a) The Executive is responsible for leading the development and maintenance of the University’s Risk Management process;
b) The Executive will advise the Governing Authority on risk management strategies and provide periodic reports and analysis of risk findings;
c) With regard to year one of the three year risk cycle the Executive, in Step 3(d), decides whether to recommend to the Governing Authority the draft SRR/HILP prepared by the COO;
d) With regard to years two and three of the three year risk cycle:
i) the Executive, in Step 4(e), decides whether to recommend to the Governing Authority the draft SRR/HILP Addendum prepared by the COO; &
ii) The Executive reviews the RCO’s Report and Risk Reporting Forms and decides on actions.
- Senior Management Group (SMG)
As a Group
a) The SMG as a group prepares the first draft of the Strategic Risk Register in each risk cycle.
b) With regard to year one of the three year risk cycle:
i) Step 2(b) - As a group the SMG conducts a top-down risk assessment of institutional risks using university-level impact assessment criteria and lists and assesses the highest rated institutionally significant risks identified; &
ii) Step 3(a) - As a group the SMG reviews the consolidated risks list and drafts version 1 of the Strategic Risk Register (SRR) and High Impact Low Probability (HILP) risks based on university-level impact assessment criteria.
c) With regard to years two and three of the three year risk cycle:
i) Step 4(a) - As a group the SMG reviews the existing / prior year’s SRR / HILP to assess whether they remain complete and accurate; &
ii) Step 4(b) - If deemed not, the SMG will produce an addendum to them.
As Individuals
With regard to year one of the three year risk cycle:
i) Step 1(b) - each SMG member individually determines which units in their area should prepare a Unit Risk Register (URR) and how often; &
ii) Step 2(c) - Each SMG member conducts a risk assessment of their area’s risks using university-level impact assessment criteria and creates a consolidated Functional Area Risk Register (FARR) of the highest rated risks in their area of responsibility.
- Chief Operations Officer (COO)
a) Member of the Executive responsible for Risk Management;
b) Responsible for the operations of the Risk Management Function and supports its continued development;
c) With regard to year one of the three year risk cycle the COO:
i) Step 3(c) - revises the draft SRR / HILP; &
ii) Step 3(f) - publishes the SRR / HILP for the DCU Community.
d) With regard to years two and three of the three year risk cycle the COO:
i) Step 4(d) - revises the SRR / HILP Addendum; &
ii) Step 4(g) - publishes the revised SRR / HILP for the DCU Community.
- Risk & Compliance Officer (RCO)
a) Facilitates the University’s risk management process;
b) Assists University units in the implementation of the Risk Management Policy;
c) Maintains a database of both Unit and Strategic Risk Registers;
d) Assists units in preparing & updating their individual unit level registers;
e) Preparation of, and reporting on, risk metrics and risk analysis;
f) With regard to year one of the three year risk cycle the RCO:
i) Step 1(a) - contacts the SMG members;
ii) Step 1(d) - contacts the Heads of Unit;
iii) Step 1(f) - reviews the draft Unit Risk Registers (URR);
iv) Step 2(a) - collates URR into separate packs for review by SMG members; &
v) Step 2(d) - produces a consolidated risk list for institutionally significant risks, removing duplicates and those that fall below the threshold for inclusion in a Strategic Risk Register (SRR).
g) With regard to years two and three of the three year risk cycle the RCO:
i) Step 4(a) - contacts Heads of Units to confirm that URR are being reviewed annually and to request details of material changes to URR;
ii) Issues the DCU Risk Reporting Form to SRR Owners;
iii) Reports to the University Executive, and the Audit & Risk Committee, on the status of the DCU Risk Reporting Forms and provides a high level analysis, including recommendations for improvement; &
iv) Provides the RCO Report and the Risk Reporting Forms to the University Executive and Audit & Risk Committee.
- Heads of Schools, Heads of Central Services Units, Directors of Research Centres and General Managers of wholly owned subsidiary companies of the University
a) Ensure risks are identified, assessed and managed on a day to day basis in relation to the Units which report to them;
b) Prepare / update Unit risk registers;
c) Promote Unit risk registers as a management tool;
d) Cooperate with the Risk Management Function in the reporting and analysis of risks within their Units;
e) With regard to year one of the three year risk cycle they, as per Step 1(e), will conduct risk assessments using unit-level impact assessment criteria and draft Unit Risk Registers; &
f) With regard to years two and three of the three year risk cycle they, as per Step 4(a), will confirm that Unit Risk Registers are being reviewed annually and provide details of any material changes in register risks to the RCO.
- Internal Audit
a) Internal Audit is an independent and objective appraisal, assurance and consulting activity. It assists Dublin City University in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the University's governance, risk management, corporate culture and internal control system. It reports on the adequacy and effectiveness of the University’s risk management framework to management, the SMG and the Audit and Risk Committee. Internal Audit is an essential part of the overall risk governance framework within the University; &
b) Internal Audit considers the outcome of the University’s regular risk cycles in its overall risk based audit planning process.
- All Staff
Will cooperate with all parties in the implementation of the University’s risk management process and policy.
High Impact Low Probability (HILP) Register
"HILP" is an acronym for High Impact Low Probability, referring to rare, unpredictable events that, despite their low likelihood, can cause catastrophic consequences for an institution. These events, sometimes called outliers, are characterized by a lack of historical precedent, a high degree of uncertainty in their predictability and significant societal shock when they occur. The HILP register will capture the High Impact Low Probability events deemed most pertinent to DCU.
Material Change
A material change includes:
a) a change in the risk weighting of an existing risk in a unit level risk register that results in that risk being added to or removed from the category of high level risk; or
b) the addition or removal of a high level risk from a unit level risk register.
Risk
In the context of this policy risks can be either positive (i.e. opportunities) or negative. Positive risks or opportunities are uncertain but favourable events which, if they occur, would positively impact upon the University’s objectives. A negative risk is defined as an uncertainty which gives rise to potential events which, were they to occur, would impact negatively on the University by preventing the optimum delivery of the University’s objectives or by damaging its reputation.
Risks may also be split into both ‘Current’ and ‘Emerging’ risks. A ‘Current’ risk is a risk that may seriously affect the performance, future prospects or reputation of the University. An ‘Emerging’ risk is a new or novel manifestation of a type of risk which has never been experienced or one which did previously exist but has not been encountered for a number of years. Emerging risks are difficult to quantify in terms of likelihood and impact due to the limited knowledge of their nature and potential impact.
The University’s risk management process seeks to document and manage both positive and negative risks in addition to current and emerging risks.
Risk Appetite Statement
Risk is an inherent part of running any organization. At its simplest, a risk appetite can be defined as the amount of risk, on a broad level, that an organization is willing to take on in pursuit of its strategy.
Specifically, a Risk Appetite Statement:
- enables the Governing Authority to set limits and/or boundaries for key risk drivers;
- aligns the risk willingness of the risk owner, Governing Authority and the Executive with the University’s capacity for taking risks and/or pursuing opportunities;
- provides high level direction on how the University should position itself to protect value and mitigate risk as it moves to implement strategy; &
- fosters innovation and opportunities to grow and improve performance.
Risk Management Function
The Risk Management Function is the collective term for the combination of the following University Officers in respect of their risk management duties as set out in this policy:
- Chief Operations Officer;
- Deputy Chief Operations Officers; &
- Risk & Compliance Officer.
Risk Level
Risks are assigned a risk level based upon their likelihood and impact. See appendix 3 for details.
Strategic Risk Register
The Strategic Risk Register (SRR) is the highest level risk register prepared within the University’s risk management process.
For further information on any aspect of this policy, please contact the Office of the Chief Operations Officer at Ext. 5118 or 8257.
The University’s Risk Management & Resilience webpage sets out in further detail how the risk management process is applied across the University.
This policy shall be reviewed by the ARC on a regular basis as set out in its Terms of Reference.
| Document Name | Risk Management Policy | |
|---|---|---|
| Unit Owner | Office of the Chief Operations Officer | |
| Version Reference | Original Version 5.0 | Revised Version N/a |
| Approved by | Governing Authority | N/a |
| Effective Date | December 5th 2025 | N/a |

A risk’s level is determined by first assigning numeric values to the risk’s likelihood and its potential impact and then multiplying both to give a score or value. The higher the score, the more serious the risk. Under the residual risk model, the likelihood and impact scores will reflect, or consider, the effect of the current controls on the actual risk under consideration.
The likelihood and impact of a risk are each estimated on a scale of 1 to 5, so the combined score for any particular risk is a value between 1 and 25. After calculating the residual risk score, the risk is allocated to one of the three risk levels shown in the following table.
| Risk Level | Colour | Residual Risk Score |
|---|---|---|
| Low level risks | Green | 1-7 |
| Medium level risks | Amber | 8-15 |
| High level risks | Red | 16-25 |
Estimating the likelihood of a risk is very subjective as it is rarely possible to predict the future with any certainty. However, some indication of how likely it is that a risk may materialize is required and this can be made by applying the following guidelines.
| Level | Likelihood |
|---|---|
| 1 | Rare or very remote (20 years and over) |
| 2 | Unlikely (10 to 20 years) |
| 3 | Possible (5 to 10 years) |
| 4 | Likely (1 to 5 years) |
| 5 | Certain to occur / already happening / or within one year |
The assessment of a risk’s impact will depend upon the context, as a risk’s impact at unit level is unlikely, in most cases, to be the same when it is assessed at a University level. The criteria for assessing a risk’s impact at a unit level are shown in Appendix 4 and will be used to guide the selection of the appropriate impact level from the following table.
| Level | Impact | See Appendix 4 - Impact Assessment Criteria at a Unit Level for definitions of each of the levels of impact to the left |
|---|---|---|
| 1 | Minor | |
| 2 | Limited | |
| 3 | Serious | |
| 4 | Very Serious | |
| 5 | Catastrophic | |
The University’s risk process provides for a different set of impact criteria from those used in Appendix 4 when the same risk is being considered for inclusion in the SRR and HILP. See Appendix 5.
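The scoring rules above (residual score = likelihood × impact on 1 to 5 scales, banded Low 1-7 / Medium 8-15 / High 16-25) and the policy's definition of a material change (a re-weighting that moves a risk into or out of the high level category, or the addition or removal of a high level risk) are simple enough to check mechanically. The following is an added example, not the University's own tooling or any code from the policy: it scores register entries, assigns the level and colour from the table, and compares two versions of a unit risk register to list the material changes a Head of Unit would need to report to the RCO. The risk identifiers and likelihood/impact values are constructed sample data, and the mapping of "high level risk" to the Red 16-25 band is an assumption drawn from the table.

```python
"""Residual risk scoring and material-change detection (added example, not DCU code).

Assumes: 'high level risk' means a residual score in the Red band (16-25);
register contents below are constructed sample data with hypothetical risk ids.
"""
from dataclasses import dataclass

# Residual risk bands from the policy's table: (low, high, level, colour).
RISK_LEVELS = (
    (1, 7, "Low", "Green"),
    (8, 15, "Medium", "Amber"),
    (16, 25, "High", "Red"),
)


def residual_score(likelihood: int, impact: int) -> int:
    """Multiply residual likelihood and impact (each an integer 1..5) to get 1..25."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood * impact


def risk_level(score: int) -> tuple:
    """Map a residual score to (level, colour) using the policy's bands."""
    for low, high, level, colour in RISK_LEVELS:
        if low <= score <= high:
            return level, colour
    raise ValueError(f"score {score} is outside the 1..25 range")


@dataclass(frozen=True)
class RiskEntry:
    """One line of a unit risk register: id plus residual likelihood and impact."""
    risk_id: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return residual_score(self.likelihood, self.impact)

    @property
    def is_high(self) -> bool:
        return risk_level(self.score)[0] == "High"


def material_changes(previous: list, current: list) -> list:
    """Return one line per material change between two register versions:
    (a) an existing risk re-weighted into or out of the High band;
    (b) a High-level risk added to or removed from the register."""
    before = {r.risk_id: r for r in previous}
    after = {r.risk_id: r for r in current}
    changes = []
    for rid in sorted(before.keys() | after.keys()):
        old, new = before.get(rid), after.get(rid)
        if old is None:                      # newly added risk
            if new.is_high:
                changes.append(f"{rid}: high level risk added (score {new.score})")
        elif new is None:                    # risk removed from the register
            if old.is_high:
                changes.append(f"{rid}: high level risk removed (was score {old.score})")
        elif old.is_high != new.is_high:     # re-weighted across the High threshold
            direction = "into" if new.is_high else "out of"
            changes.append(f"{rid}: re-weighted {direction} the High band "
                           f"({old.score} -> {new.score})")
    return changes


# Constructed sample registers (hypothetical risk ids, not taken from the policy).
PREVIOUS_REGISTER = [RiskEntry("U-001", 3, 4), RiskEntry("U-002", 2, 3), RiskEntry("U-003", 5, 4)]
CURRENT_REGISTER = [RiskEntry("U-001", 4, 4), RiskEntry("U-002", 2, 2), RiskEntry("U-004", 4, 5)]

if __name__ == "__main__":
    for entry in CURRENT_REGISTER:
        level, colour = risk_level(entry.score)
        print(f"{entry.risk_id}: score {entry.score:2d} -> {level} ({colour})")
    for line in material_changes(PREVIOUS_REGISTER, CURRENT_REGISTER):
        print("material change:", line)
```

Run as a script it prints the current entries' scores and three material changes: U-001 re-weighted from 12 (Amber) to 16 (Red), U-003 (score 20) removed, and U-004 (score 20) added. U-002 moving from 6 to 4 stays within the Low band and is not reported, which matches the policy's definition: only movement across the high level threshold, or the arrival or departure of a high level risk, counts as material.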



