Enterprise Risk Management

Approved Board of Governors 2006.28



1. The purpose of this policy is to formalize the University’s risk management program and articulate the roles and responsibilities of the Board of Governors, the University of Ottawa’s Management and employees, and relevant committees.


2. Risk exists in all activities and cannot be avoided. However, the risks taken and accepted on behalf of the University of Ottawa must be tolerable; risks must be identified and the management of them consciously accepted.


3. Risk is defined as any threat that, if it occurs, may prevent the attainment of the objectives of the University, in whole or in part.

4. Risk management provides the framework to identify, assess and manage risks. It provides the methodology for integrating risk into decision making.


5. This policy is to be applied to activities undertaken by, and on behalf of, the University of Ottawa. This includes Academic, Research and Support activities.


6. Risk management is an integral part of management, not a separate function for specialists. It forms part of strategic planning, business planning and investment/research project approval procedures.

7. The University of Ottawa will foster a culture of spreading best practices and expertise acquired from our risk management activities across the University for the benefit of the entire organization.

8. The University of Ottawa will maintain a risk register identifying the critical risks to the University, the faculties and services.

9. Risk management shall be considered in all project approvals in a manner appropriate to the nature and scope of the project as described in the University of Ottawa Risk Management Manual.

9.1 Risk management should be considered early in the project planning process.

9.2 Preventing a loss from occurring should be emphasized over decreasing the impact of a loss.

9.3 Where feasible, risks should be contractually transferred to other parties.

9.4 External risks shall be considered as well as internal risks.

10. A formal statement of the University of Ottawa’s risk tolerance will be reviewed annually by the Enterprise Risk Management Committee and approved by the Administrative Committee. Activities that are outside this risk tolerance shall not be undertaken unless specifically approved by the President and/or their designate.

11. The University of Ottawa will establish and maintain an Enterprise Risk Management Committee. Chaired by the Vice-President, Resources it will include representatives from the: Office of the Vice-President, Research; Office of the Vice-President Academic and Provost; Office of the Vice-President, University Relations; Financial Resources; Internal Audit Office; Office of the Legal Counsel; and the Office of Risk Management. The Enterprise Risk Management Committee will submit an annual report to the Audit Committee of the Board of Governors.


12. All faculty and staff have a responsibility for maintaining good internal controls and managing risk. Everyone shall be aware of the risks that are present in their activities. As new risks are identified they shall be identified to their supervisor or staff member concerned, where possible with recommended risk management strategies.

13. Supervisors and managers are responsible for ensuring that all risks in their areas of operations are identified and managed appropriately.

14. Deans and Directors are responsible for identifying, evaluating and managing risks within their faculties and services. Deans and Directors shall ensure that everyone in their organization understands their risk management responsibilities and must make clear the extent to which staff are empowered to accept risks.

15. The University’s Risk Manager is responsible for developing and overseeing the risk management system including the University of Ottawa Risk Management Manual.

16. The Office of Risk Management will provide support to assist managers in identifying, assessing, and managing risks.

17. The Internal Audit Office will work to assess how well the policy has been implemented and use the risk registers, where appropriate, for input in preparing a risk-based audit plan.

18. The Enterprise Risk Management Committee will oversee the management of risks at the University of Ottawa and is responsible for the risk register identifying the material risks and their management.

19. The Administrative Committee is responsible for setting policies on risk management and internal controls and to ensure the risk management process is incorporated in priority setting, planning and decision making.

20. The Audit Committee of the Board of Governors is responsible for reviewing the management reports on risk management from the Enterprise Risk Management Committee and findings from the audit process in order to satisfy itself that the process operates effectively and efficiently. The Audit Committee will report annually to the Board of Governors their assessment of risk management.

Published December 18, 2006

(Office of the Vice-President, Resources)