Enterprise Risk Management


Date and Instance of Approval: 
December 18, 2006
Board of Governors

Responsible Service: Office of the Chief Risk Officer

February 27, 2024


1.1.    This policy has several objectives:

a)    To affirm the University of Ottawa’s (“the University”) commitment to an enterprise risk management (ERM) culture and establish the general principles underlying this commitment.

b)    To define the roles and responsibilities associated with ERM at the University.

c)    To inform employees about the University’s expectations regarding ERM.

d)    To ensure a sustainable and effective approach in implementing ERM activities across the University.


2.1.    The following definitions apply to this policy and any related procedures:

Enterprise risk (risk) is the potential for an event or action to adversely affect the University’s objectives, employees, customers, key stakeholders, finances, reputation or operations. Risk may arise from operational processes, technology, systems, human actions or external factors.

Enterprise risk management (ERM) refers to a holistic, integrated approach to identifying, assessing, managing, measuring, monitoring and reporting risk to support decision-making and achieve the University’s strategic objectives.

Enterprise risk management framework (ERMF) means a structured, systematic framework adopted by the University to provide a comprehensive view of the risk governance model, risk culture, and processes and tools for identifying, assessing, managing, measuring, monitoring and reporting risks. The framework is intended to be flexible and adaptable, to respond to both internal and external changes affecting the University. Continuous improvement will help refine risk management processes.  

Executive management means the president, vice-presidents and secretary-general.

Internal controls refer to a set of policies, procedures, activities and practices established within the University to provide reliable financial reporting, safeguard assets, enhance operational efficiency and ensure compliance with laws and regulations. The primary purpose of internal controls is to mitigate risk.

Policy refers to this document in its entirety.

Risk mitigation includes the development and implementation of strategies, indicators, responses and measures to reduce the likelihood or impact of identified risks that exceed the University’s risk tolerance and appetite.

Senior management means the most senior management personnel within a faculty, service or unit. It includes, for example, associate vice-presidents, vice-provosts and deans.


3.1    This policy, and any procedures established pursuant to it, apply to all University employees and to all activities conducted at, by or for the University to manage Enterprise Risk.


4.1     The University considers Enterprise Risk Management to be fundamental to sound management practice and an essential aspect of good organizational governance. It therefore recognizes the following key principles:

a)    ERMF should be aligned with the University’s strategy and objectives. It is a key part of the University’s decision-making processes for risk-informed choices.

b)    Roles and responsibilities should be clearly defined, formalized and communicated at all levels to foster a collaborative culture where individuals understand and take ownership of risk management.

c)    The University should establish, maintain and monitor risk metrics and its “risk appetite” (the amount of risk it is willing to accept in pursuit of its objectives), to ensure that risks are proactively and regularly managed with an acceptable level of risk exposure.

d)    The University risk profile should be dynamic and periodically updated to reflect changes in the internal, external or regulatory environment and to address emerging risks and evolving business conditions.  

e)    The ERM Framework should be continuously improved to incorporate lessons learned and best practices and, thus, enhance the University’s ability to identify, assess and respond to risks effectively.


5.1.    The University’s roles and responsibilities in the review and implementation of ERM are as follows:

a)    The Administration Committee (AC) reviews the Enterprise Risk and Risk Mitigation mechanisms and strategies the University uses to meet its strategic goals and submits them to the Audit Committee of the Board of Governors. It studies the University’s reports on risk and recommends them to the Audit Committee.

b)    The Audit Committee oversees ERMF administration and, after review, submits University risk reports for Board of Governors approval.  

c)    The Board of Governors receives University risk reports for approval. Subject to section 6.3, it approves the Policy and any amendments.

d)    The Chief Risk Officer (CRO) is responsible for implementing and overseeing Enterprise Risk Management processes throughout the University and ensuring the rigorous operationalization of the ERMF.

e)    All employees, at all levels, must complete the risk management training relevant to their job duties so that they can recognize risks and report them to their manager.

f)    All members of the Executive Management ensure the implementation of the ERMF within their respective portfolios and promote a culture of risk management among all University employees.

g)    The Office of Internal Audit is responsible for providing independent, objective assurance to the Board of Governors on the effectiveness of the design and implementation of the University’s Internal Controls, Enterprise Risk Management and governance processes.

h)    Risk owners (ROs) are Senior or Executive Management members who oversee the implementation of ERM, manage specific risks throughout their lifecycle and implement appropriate risk responses. They must identify, assess, mitigate, measure, monitor and report risks within their faculty, service or unit. They may delegate tasks to another competent employee (a “Risk Champion”) to assist them in facilitating the identification, assessment, mitigation, measurement, monitoring and reporting of risks within the Risk Owner’s faculty, service or unit.


6.1.    The Office of the Chief Risk Officer, in collaboration with the Office of Internal Audit, monitors and evaluates this policy and its related procedures, practices and training to ensure they continue to meet the University’s evolving needs and environment.

6.2.    The CRO reviews this Policy as needed and recommends any necessary ERM- and ERMF-related amendments.

6.3.    Amendments to this policy must be approved by the Board of Governors, on the recommendation of the Audit Committee and the Administration Committee.

6.4.    The Vice-President, Finance and Administration may, on the recommendation of the CRO, establish, amend or abrogate procedures for purposes of the effective implementation of this Policy, provided that such procedures are consistent with its provisions.

6.5.    Notwithstanding Section 6.3 of this Policy, the Secretary-General can amend this policy without Board of Governors approval if such an amendment is necessary to:

a)    Update or correct the name or title of a position, unit, law, regulation, policy, procedure or authority;
b)    Correct punctuation, grammar, typographical errors, revisions to format and other technical revisions, where appropriate, if the correction does not change the meaning of a provision or make such other correction if it is patent both that an error has been made and what the correction should be;
c)    Correct the form of expression of a provision in French or English to conform with the wording in the other language;
d)    Conform with the law or any other University of Ottawa bylaw, resolution, policy or procedure.