ERM Program. Enterprise Risk Management Guideline


Table of Contents

PREAMBLE
  When should I refer to this Guideline?
  Why do we need a Guideline?
  How do I use this Guideline?
  Who is responsible for the ERM program?
ERM PROCESS
  Step 1: Risk Management Communication & Consultation Methods
  Step 2: Establishing the Context
  Step 3 to Step 7: Performing a Risk Assessment
  Step 3: Identification
  Step 4: Analysis
    Step 4 (a) Impact
    Step 4 (b) Likelihood
    Step 4 (c) Combined Impact/Likelihood Score
    Step 4 (d) Control Response
  Step 5: Evaluation
  Step 6: Treatment
  Step 7: Monitoring and Review
FINAL NOTE
APPENDIX 1: RISK REGISTER EXAMPLE
DEFINITIONS
REFERENCES

Enterprise Risk Management Guideline

PREAMBLE

The College's Enterprise Risk Management (ERM) Policy sets the tone for risk management throughout the organization and supports the development of an embedded risk culture. The Enterprise Risk Management (ERM) Guideline provides a best practices approach to guide staff through a logical seven step risk management process. For greater assistance and efficiency, the seven step process has been integrated into a Microsoft Excel working tool to assist with risk identification and assessment. As the College Enterprise Risk Management (ERM) program matures, additional tools will become available.

The following 11 principles establish the foundation for the College's ERM program to manage risk at all levels:

1. Creating and protecting value: risk management contributes to the achievement of College objectives and improves performance in areas such as corporate governance, program and project management, health and safety of staff and students and reputation.
2. An integral part of all organizational processes: risk management is not a stand-alone activity performed in isolation. Rather, it is an integral part of our daily organizational processes, change management process, performance management, planning and reporting processes.
3. Part of decision-making: risk management aids decision-makers to make informed choices, prioritize activities and identify the most effective and efficient course of action.
4. Explicitly addressing uncertainty: risk management identifies the nature of uncertainty and how it can be addressed through a range of mechanisms, for example, implementing risk controls.
5. Systematic, structured and timely: risk management contributes to efficiency and to consistent, comparable and reliable results.
6. Based on the best available information: the risk management process should draw on diverse sources of historical data, expert judgment and stakeholder feedback to result in evidence-based decisions. As decision-makers, we should take into account any limitations of the data and modelling, and any divergence among experts.
7. Tailored: risk management and individual assessments are aligned with the College's internal and external context and risk profile.

8. Human and cultural factors: risk management recognizes the capabilities, perceptions and intentions of internal and external factors that can aid or hinder the achievement of the College's objectives.
9. Transparent and inclusive: risk management requires appropriate and timely involvement of stakeholders, in particular, decision makers at all levels of the College to ensure relevance. Involving stakeholders in decision making processes enables diverse views to be taken into account when determining risk criteria.
10. Dynamic, iterative and responsive to change: as internal and external events occur, context and knowledge change, monitoring and review take place, new risks emerge, some change, and others disappear. Therefore, the College should ensure that risk management continually senses and responds to change.
11. Continual improvement of the organization: risk management facilitates continuous improvement of the College's operations.

Ultimately, an effective ERM program will raise our awareness with respect to uncertainty and decision making.

When should I refer to this Guideline?

Increasingly, organizations, their executive leadership and Boards are seeking to have a better understanding of the risks their organizations are facing and the action plans to manage this risk. Although risk is often viewed negatively, the outcome of assuming risk following a risk assessment can have significant positive results. Various levels and types of risk impact departments, projects, strategic and business planning and initiatives on a daily basis. This Guideline will provide a College approved process based on an industry standard framework for staff in positions that require them to identify, assess and manage risk.

[Figure: Enterprise Risk Management Framework / Enterprise Risk Management Process. Labels: Identification, Analysis, Evaluation, Treatment, Monitoring & Reporting, College's Strategy & Objectives.]

Why do we need a Guideline?

As opposed to a standard, this Guideline provides a flexible best practice approach and allows for the College's various industry types to employ risk management tools that are best suited for their industry group. A guideline creates a consistent approach, establishes common vocabulary and promotes risk management tools for identifying, assessing, evaluating, mitigating, monitoring, reviewing and reporting risks. Furthermore, a guideline helps to promote an environment for informed innovation and risk taking, identify both the favourable and unfavourable impacts of risk, improve accountability and transparency through assigned risk owners and integrate ERM into corporate decision making.

How do I use this Guideline?

The Guideline is based on a seven step process. Each step includes a brief description and examples of methods to assist in completing the step. Use of any of the illustrations, definitions, appendices and content is promoted. Users are also encouraged to use methods and tools that may be more relevant to the risk or set of risks being assessed. Electronic tools have been created and continue to be improved in order to assist users in applying the steps in a more efficient manner. The intention is to have users spend more time in the risk assessment rather than the administration. To remain sustainable, the risk management process must provide value.

Who is responsible for the ERM program?

The College Risk Management Committee (CRMC) is responsible for the College's ERM program. The Coordinator, Risk Management is responsible for managing the ERM program on a daily basis. Upon request, the Coordinator will assist you in implementing the risk management process, facilitating a risk assessment, or responding to any questions you may have with respect to the ERM Policy and Guideline. For further information, visit the College's Risk Management webpage.

ERM PROCESS

The process for managing the College's risks is described in the seven steps below. Many users of this Guideline may skip to Steps 3 to 7 which focus on risk assessment. However, both risk and internal and external environments are continually changing, hence the need to return back to Steps 1 & 2.

Step 1: Risk Management Communication & Consultation Methods

Undertaking communication and consultation with potential external and internal stakeholders prior to and throughout the risk management process establishes a positive foundation in order to engage and obtain an understanding of the stakeholder interest, to build stakeholder consensus, and to ensure informed risk taking. Based on the ERM Framework illustration on page 3, this step is involved in all of the steps. Depending on the situation, communication and consultation methods vary and could include:

- / Newsletters
- Training and Education Sessions
- Briefing Notes
- Reports
- Dashboards
- Steering Committee and Working Group Meetings
- Departmental/Cross Departmental Meetings
- Regular Employee Meetings
- Awareness Campaigns
- Risk Management on-line electronic tools

When working through a risk assessment, it's important to receive consensus on the communication format during the risk assessment process, including the risk identification, consequences, both positive and negative, and treatment options.

Step 2: Establishing the Context

Prior to initiating a risk assessment, an analysis of the internal and external environment is required to identify the main stakeholders. This would include a determination of the interdepartmental interfaces or relationships within the College. In addition to stakeholder identification, defining both the internal and external environment at the time of risk assessment in relation to the achievement of the College's strategic priorities and objectives is critical. External context includes the current political, cultural, economic, regulatory and competitive environment. Internal context includes policies, organizational structure, culture, human resource capabilities, contractual relationships and information systems.

Since resources are often limited, it's important to justify the amount of resources required to carry out a risk assessment, to define the goals and objectives, and identify and define responsibilities for managing the risk. Undertaking the above will ensure that the approach taken is appropriate for the situation or risk assessment, to the College and to the risks impacting on the College's ability to achieve its strategic priorities and objectives. Methods include defining:

- Risk monitoring cycles
- Vendor relationships
- Risk acceptability
- Government relationships
- Partnerships
- Job descriptions using College Risk Owners
- Project methodology
- Organizational chart

Step 3 to Step 7: Performing a Risk Assessment

The diagram below provides a simplified description of the involvement for Steps 3 to 7 as well as highlights the continuous nature of these steps and their connection to the College's strategy and objectives. As mentioned, on-line electronic tools have been created to simplify the step by step approach.

Step 3: Identification

This step involves the identification of risk sources, events, their causes and their potential impacts that may harm, assist or prevent the achievement of the College's objectives. Risk encompasses the potential for positive as well as adverse results, for example, there could be a positive strategic risk in pursuing a new business initiative and negative operational risk in not having appropriate policies and procedures in place to regulate the business initiative. This step should result in a comprehensive list of risks, known as a Risk Universe, which would be documented in the Risk Register template example in Appendix 1.

Example List of Risks for a College Risk Universe

Column headings: Internal Conditions; Value Chain; External Conditions

Strategic / Structural: Governance; Performance Measurement; Organizational Structure; Strategic Alliances, Partnerships & Reciprocal Relationships; Policies; Innovation; Reputation / Brand; Stakeholder Relations; Public Policy
Cultural: Goal Alignment; Communication; Ethics, Values & Diversity; Social Responsibility; Change Management; Accountabilities & Empowerment
Students: Recruitment, Enrolment & Retention; International Students; Program Delivery; Student Satisfaction & Relationship Management; Grants / Scholarships; Student Services; Student Conduct
Technology & Information Systems: Capacity and Availability; IT Disaster Recovery; Security; Strategy & Architecture; Reliability & Efficiency; Information Systems; Innovation / Emergency Technology
Academic: Curriculum; Academic Fraud; Research; Faculty (resources / skills / interdisciplinary collaboration)
Administrative / Operations: General Operations; Policies and Procedures; Process Efficiency & Effectiveness; Administrative
Human Resources: Staffing Levels & Skills; Development, Performance & Succession; Recruitment & Retention; Compensation
Financial Management: Financial Reporting; Financial Planning; Financial Policies & Procedures; Internal Controls; Fraud; Cashflow and Liquidity; Funding Access (public and private sources); Capital Management; Endowment Management; Interest Rates
Facilities: Asset Management; Physical Infrastructure; Capacity; Capital Project Management; Property & Equipment Maintenance
Business Environment: Social/Economic (global and local marketability; demographics); Political (education policy); Competition (Colleges, programs offered by other institutions); Technological Advancement
Compliance & Standards: Regulatory; AODA; Federal, Provincial & Municipal Government (funding compliance)
Legal: Employment; Privacy; Procurement Practices

Methods used to identify and collect risks include the following:

- Risk Universe / Risk Register (Appendix 1)
- Facilitations
- Risk Identification/Mitigation Worksheet (see Step 6)
- Stakeholder feedback
- Interviews & Questionnaires/Surveys
- Data analysis
- On-line electronic tools (Risk Management Website)
- Scenario planning
- Strength, Weakness, Opportunities and Threat (SWOT) analysis
- Gap Analysis
- Audits or physical inspections
- Workshops

Step 4: Analysis

Risk analysis will determine the importance of a risk, current risk control responses, whether a risk control response is required and whether it will proceed to Step 5, Evaluation and Step 6, Treatment. The risk analysis process allows the College to consider the extent to which potential risks might have a negative impact on the achievement of the College's strategic priorities and operational objectives.

Once a decision is made to record a risk on the Risk Register, one of the six College Categories should be recorded in the Category column in the Risk Register (Appendix 1):

1. Financial: The risk of financial loss due to a potential change in market condition.
2. Strategic: Risks that affect or are created by the College's business strategy and strategic objectives.
3. Reputational: The loss of value to the College brand and negative impact in our ability to attract students and investment.
4. International: Risks outside of Canada which impact the College's international and Canadian operations.
5. Operational and Hazard: Risks that affect the College's ability to execute its strategic plan.
6. Compliance and Legal: Risk of loss arising from non-compliance with internal and external regulatory requirements, legal action and liability claims.

The College uses a 5 x 5, 25-point scale Rating Matrix to assess Impact and Likelihood of risk, with a total risk score of 25 being the highest risk.

Rating Matrix

Likelihood (L) \ Impact (I) | Insignificant (1) | Minor (2) | (3) | Major (4) | Catastrophic (5)
Almost Certain (5) | (5) | (10) | High (15) | Critical (20) | Critical (25)
Likely (4) | Low (4) | (8) | High (12) | High (16) | Critical (20)
Possible (3) | Low (3) | (6) | (9) | High (12) | High (15)
Unlikely (2) | Low (2) | Low (4) | (6) | (8) | (10)
Rare (1) | Low (1) | Low (2) | Low (3) | Low (4) | (5)

For each of the risks identified, determine the inherent risk by rating the impact and likelihood using the respective descriptor and score as further described in Step 4(a) and (b). Multiply both scores to produce a total risk score and enter the total risk into the Risk Register (Appendix 1).

Step 4 (a) Impact

Apply the Descriptors in the Impact Rating Matrix to determine the Impact of the risk and the accompanying Score. The Possible Impact Examples column contains both Key Performance Indicators (KPIs), which are results focused, for example, measuring performance, and Key Risk Indicators (KRIs), which measure or describe the level of risk associated with an activity and are an early warning sign. The examples provided will not apply to the analysis of all risks. In many cases, the risk (possible) impacts will need to be identified for each impact rating.

Impact Rating Matrix

Columns: Score; Impact Level; Descriptors; Possible Impacts Examples

Score 1: Insignificant
Descriptors: Negative outcomes from risk or lost opportunities that do not have an effect on the College's reputation or performance
Possible Impacts Examples:
1. Financial: College revenue loss or gain of <$50K.
2. Financial: College department unit <$5K cash impact.
3. Health & Safety (Compliance): no legal consequences or adverse health effects for any individual.
4. Environment (Compliance): minor harm, clean-up <$25K.
5. Compliance & Legal: not guilty, fines <$25K.
6. Reputational: brief negative or positive attention in local news/social media; prompt resolve.
7. Strategic: achievement of a strategic goal delayed within first year.
8. Human (Hazard): injury, no first aid required.
9. Business Interruption (Operational): <1 week; Small number of classes or research projects disrupted for <1 month.
10. Systems and Processes (Operational): minor errors or delay in system (e.g. IT), short term impact.

Score 2: Minor
Descriptors: Negative outcomes from risks or lost opportunities that will not have a permanent or significant effect on the College's reputation or performance
Possible Impacts Examples:
1. Financial: College revenue loss or gain of >$50K and <$500K.
2. Financial: College department unit $5K to $50K cash impact.
3. Health & Safety (Compliance): warning or order to comply from regulatory authority; minor injuries to one or two individuals.
4. Environment (Compliance): clean-up $25K to $250K.
5. Compliance & Legal: minor breach, fine <$250K.
6. Reputational: negative or positive attention in local news/social media for up to one week.
7. Strategic: one or more strategic goals not attainable and must be revised.
8. Human (Hazard): first aid required, injury.
9. Business Interruption (Operational): 1 to 2 weeks; Small number of classes or research projects disrupted for 1 to 4 months.
10. Systems and Processes (Operational): policy / procedure not met, key programs impacted for short term.

Score 3
Descriptors: Negative outcomes from risks or lost opportunities that will not have a permanent or significant effect on the College's reputation or performance
Possible Impacts Examples:
1. Financial: College revenue loss or gain of >$500K to <$3M.
2. Financial: College department unit cash impact of $50K to $250K.
3. Health & Safety (Compliance): statutory charges against one or two employees.
4. Environment (Compliance): short term harm, $250K to $1M clean-up.
5. Compliance & Legal: breach of legislation, fine $250K to $1M.
6. Reputational: negative/positive attention in national news/social media for less than a week, or in local media for 1 to 2 weeks or in surrounding communities for < 2 weeks; heavy local media.
7. Strategic: a key strategic goal underlying an institutional commitment cannot be attained without significant revision and delay of > 1 year.
8. Human (Hazard): injury/hospital; major reversible injury.
9. Business Interruption (Operational): 2 to 4 week interruption; Inability of a substantial portion of an entire department to provide education or perform research for < 1 month or the disruption of a small number of classes or research projects > 4 months.
10. Systems and Processes (Operational): less than 1 KPI not met, service delivery inconvenient to clients, survival/success of key projects impacted.

Score 4: Major
Descriptors: Negative outcomes from risks or lost opportunities with a significant effect that will require major effort to manage and resolve in the medium term but do not threaten the existence of the institution in the medium term
Possible Impacts Examples:
1. Financial: College revenue loss or gain of >$3M to <$25M.
2. Financial: College department unit cash impact of $250K to $500K.
3. Health & Safety (Compliance): statutory charges or civil suits against the College and one or more of its senior administrators; permanently disabling injuries to one or more persons.
4. Environment (Compliance): short term, $1 to $5M clean-up.
5. Compliance & Legal: critical risk reported to ARM, legislation breach, fine $1 to $5M.
6. Reputational: negative/positive headlines in international news/social media for < 1 week, or attention in national media for 1 to 2 weeks, or in the local media > 2 weeks or sustained negative/positive reaction among surrounding communities; adverse media.
7. Strategic: one or more institutional commitments unable to be achieved in planning timeframe.
8. Human: intensive care; irreversible injury or death (one person).
9. Business Interruption: business interruption 4 to 6 weeks; inability for the substantial portion of an entire department to provide education or perform research for a period between 1 and 4 months.
10. Systems and Processes (Operational): A number of KPIs not met, bad policy advice, degrading service level trends, survival of key programs and projects impacted, IT strategy not aligned with digital college.

Score 5: Catastrophic
Descriptors: Negative outcomes from risks or lost opportunities which if not resolved in the medium term will threaten the existence of the institution
Possible Impacts Examples:
1. Financial: College revenue loss or gain of > $25M.
2. Financial: College department unit impact of >$500K.
3. Health & Safety (Compliance): criminal charges and other legal action against the College and one or more senior administrators or directors; one or more fatalities.
4. Environment (Compliance): long term harm, clean-up >$5M.
5. Compliance & Legal: serious breach of legislation, fine >$5M.
6. Reputational: intense negative/positive headlines in the international media for > 1 week or in the national media > 2 weeks; national and international reputation impacted; major negative sanction by MTCU; closure of major part of the College.
7. Strategic: one or more institutional commitments unachievable.
8. Human (Hazard): multiple irreversible injuries or deaths.
9. Business Interruption (Operational): interruption > 6 weeks; Inability for the substantial portion of an entire department to provide education or perform research >1 academic term.
10. Systems and Processes (Operational): critical system failure, significant impact on key programs & projects, significant impact on key stakeholders.

Step 4 (b) Likelihood

Apply the Descriptors below to determine the Likelihood of the risk and the accompanying Score:

Likelihood Rating Matrix

Score | Likelihood Level | Descriptors
1 | Rare | Event may occur only in exceptional circumstances | Unlikely to occur in 5 years
2 | Unlikely | Event could occur at some time | Likely to occur once in 5 years
3 | Possible | Event might occur at some time | Likely to occur once in a year
4 | Likely | Event will probably occur in most circumstances | Likely to occur in a month
5 | Almost Certain | Event is expected to occur in most circumstances | Likely to occur in a week

Step 4 (c) Combined Impact/Likelihood Score

Refer to the Combined Score Legend in the table on the following page and assign the appropriate combined individual risk score, that is, Low (1-4), (5-10), High (11-18) or Critical (19-25).

Rating Matrix and Combined Score Legend

Likelihood (L) \ Impact (I) | Insignificant (1) | Minor (2) | (3) | Major (4) | Catastrophic (5)
Almost Certain (5) | (5) | (10) | High (15) | Critical (20) | Critical (25)
Likely (4) | Low (4) | (8) | High (12) | High (16) | Critical (20)
Possible (3) | Low (3) | (6) | (9) | High (12) | High (15)
Unlikely (2) | Low (2) | Low (4) | (6) | (8) | (10)
Rare (1) | Low (1) | Low (2) | Low (3) | Low (4) | (5)

Combined Score Legend

Low (1-4): Low level of risk. Manage by routine procedures and operations; should not require much attention but should be reviewed at least every 18 months.
(5-10): level of risk. Manage by specific monitoring or response procedures; should be monitored and reviewed every 12 months.
High (11-18): High level of risk. Requires escalation to VP and ARM; should be constantly monitored and reviewed every 6 months (May and November).
Critical (19-25): Top level of risk. Requires escalation to VP, ARM and Board of Governors responsible for risk management oversight; should be constantly monitored and reviewed monthly.

Step 4 (d) Control Response

Review the effectiveness of the current Controls in place and apply the Descriptors below to determine the Response Level and the accompanying Score:

Control Response Rating Matrix

Score | Response Level | Descriptors
1 | Weak | Activities or controls in place are insufficient or not operating effectively to prevent or mitigate this risk or no activities or controls in place to prevent or mitigate this risk.
2 | | Activities or controls moderately reduce the risk, although activities or controls do not manage all potential risk events or are not operating effectively. Significant attention to the risk and its drivers.
3 | Strong | Activities or controls in place provide considerable certainty of control and are operating effectively. The College has undertaken all economically feasible controls and is maintaining an ongoing monitoring system.

Enter the Existing/Planned Responses and the rating Level from the Response Rating Matrix into the Effectiveness of Current Responses in column H in the Risk Register.

Register columns: A Strategic Objective | B Category | C Name | D Description | E Observations, Root Causes, Impacts | F Inherent (Impact, Likelihood, Score) | G Existing / Planned Control Responses | H Effectiveness of Current Control Responses | I Residual (Impact, Likelihood)

Taking into consideration the Effectiveness of the Current Response column H, refer again to Steps 4 (a) and (b), and enter the impact and likelihood ratings into Residual column I.

Step 5: Evaluation

Once risks have been identified and analyzed, that is, columns A through to I in the Risk Register, an evaluation of the risks is performed to determine which risks require risk treatment. The Evaluation is based on a current period of time and, as a result, a risk that may appear to be treated in one period may not need to be treated in another. It is also necessary to prioritize the treatment implementation in the Action Plan (column J).

Register columns: A Strategic Objective | B Category | C Name | D Description | E Observations, Root Causes, Impacts | F Inherent (Impact, Likelihood, Score) | G Existing / Planned Control Responses | H Effectiveness of Current Control Responses | I Residual (Impact, Likelihood, Score) | J Action Plan

Reasons for the change in risk may include:

- The risk criteria when the context was being considered in Step 2 may have changed.
- The College's changing risk appetite and tolerance levels, for example, the likelihood and/or impact of risk is low enough that specific mitigation plans are not required or alternatively, there is no mitigation plan available.

- Cost of mitigation plan is excessive as compared to the benefit such that acceptance of the risk is the only option.
- The risk is being driven by an external event/organization and therefore outside of the control of the College.

At this stage, the Risk Owner will have gained a complete understanding of the risk which will allow them to identify risk treatment plans to reduce the level of risk as well as apply indicators, such as key performance and key risk indicators, to respond to changes in risk prior to a negative outcome.

Step 6: Treatment

Risk treatment options fall into the following:

Avoidance: Taking action to exit the activities that give rise to the risks.
Reduction: Reducing the risk likelihood, impact or both.
Acceptance: Taking no action to affect likelihood or impact.
Transfer: Reducing risk likelihood or impact by transferring or sharing a portion of the risk.

The College may benefit from the adoption of a combination of treatment options, for example, both accepting and transferring percentages of risk. Action Plans (column J) are required for Critical, High and rated risks. Action plans for Low rated risks are not required although they should be monitored in the event their risk level increases. Action Plans should have a Risk Owner which is recorded in column K.

Register columns: A Strategic Objective | B Category | C Name | D Description | E Observations, Root Causes, Impacts | F Inherent (Impact, Likelihood, Score) | G Existing / Planned Control Responses | H Effectiveness of Current Control Responses | I Residual (Impact, Likelihood, Score) | J Action Plan | K Owner

Examples of action plans could include:

- the creation or amendment of a policy and procedure;
- identifying and addressing a management or employee gap;
- developing KPIs or introducing current KPIs, for example, the provincial government requires all colleges to gather and report on five (5) KPIs: student satisfaction, graduate satisfaction, employer satisfaction, graduate employment rate, and graduation rate; and
- developing KRIs or introducing current KRIs which will provide an early warning and opportunity to mitigate the risk at an earlier stage.

Section 2 in the Risk Identification/Mitigation Worksheet is an efficient tool for determining the appropriate action plan. Section 1 (Risk Identification) would have been completed in Step 1 to Step 4.

Risk/Mitigation Identification Worksheet

Section 1: Risk Identification
Risk #:
Category:
Description of Risk:
Unit Team:
Factors:
Impacts:
Existing Control Procedures:
Rating: Inherent (Likelihood, Impact, Level); Residual (Likelihood, Impact, Level)

Section 2: Control Response
Possible Treatment Options | Analysis | Result (Accept/Reject)
Control Response Plan: Action Item | Action By | Timeline
Resource Requirement:
Reporting and Monitoring Required:
Completed By:
Date:

Action plans should be integrated with the management processes of the College operations. The ultimate intent is to move the risk rating to within the College's Risk Appetite. Once that is accomplished the residual risk rating will equal the Target rating, refer to diagram below.

[Diagram: Aim for Target]

Step 7: Monitoring and Review

Monitoring: Risk monitoring and review provides Risk Owners with a consistent and timely opportunity to identify new emerging risks and revise existing risk ratings as well as to review the effectiveness of risk treatment plans in place. Although ad hoc reviews could be beneficial, particularly in a period of rapid change, planned review periods should be determined. Risk Owners are responsible for monitoring, reviewing and reporting on High and Critical rated risks, their Treatment and Residual status semiannually in March and September.

Review: The High and Critical Report will be provided annually to the ARM and Presidents Council in May and November for review and comment. The College wide Risk Register (see Risk Register Template on next page) will be presented annually to the ARM and Presidents Council in July.

The Risk Register template will be used as the main reporting tool. At the request of ARM or Presidents Council, the register is subject to change. The tool may also be expanded at a business unit, department or project level. For example, a department may want to add an additional column to record a Business Plan Reference.

Risk Register Template

Register columns: A Strategic Objective | B Category | C Name | D Description | E Observations, Root Causes, Impacts | F Inherent (Impact, Likelihood, Score) | G Existing / Planned Control Responses | H Effectiveness of Current Control Responses | I Residual (Impact, Likelihood, Score) | J Action Plan | K Owner | L Implementation Timeline

FINAL NOTE

Throughout the College, and until such time an efficient enterprise data management system is implemented to share and store ERM program related information, all ERM program files should be maintained in accordance with the College Directive, IT05: Information Sensitivity and Security.

APPENDIX 1: RISK REGISTER EXAMPLE

Strategic Objective: Student and Client Success
Category: Strategic
Name: Student Retention
Description: The risk of an inability to retain students.

Observations, Root Causes, Impacts
Observations:
- Some students do not complete their full program.
- Upward trend showing a difficulty in retaining international students.
Root Causes:
- Personal circumstances
- International students receive limited training on Canadian culture
Impact:
- Difficulty maintaining revenue as students are not completing their studies
- Negative impact on the College's reputation

Inherent: Impact (3); Likelihood (4) Likely; Score (12) High

Existing / Planned Responses:
- The College has recently introduced three new programs which train students to work in growing industries.
- The College offers a selection of evening and online courses, as well as a fulsome internship program in select programs, in order to accommodate students that balance courses with employment, and to provide valuable employment experience to students.

Effectiveness of Current Responses: (2)

Residual: Impact (2) Minor; Likelihood (2) Unlikely; Score (4) Low

Action Plan:
- Measure retention rates to determine any emerging trends
- Survey students that did not complete their program to determine any key issues or trends
- Develop and implement a peer mentorship program that pairs international students with domestic counterparts to assist with integration

Owner: Director, International Education
Implementation Timeline: months

DEFINITIONS

Word/Term: Definition

Risk: Risk describes the probability of loss (financial / property, human, liability) or other negative event. At an enterprise level it describes the effect that uncertainty can have on the College's ability to execute its strategies and/or achieve its business objectives. Risk encompasses the potential for positive as well as adverse results.

Enterprise Risk: Refers to integrating risk management into the entire College operation.

Enterprise Risk Management: A coordinated set of activities and methods that is used to direct the College and to control the many risks that can affect its ability to achieve objectives. Used interchangeably with the term risk management.

Enterprise Risk Management Framework: A set of components that provides the foundations and organizational arrangement for designing, implementing, monitoring, reviewing, communicating and continually improving risk management throughout the College. There are two types of components: the Enterprise Risk Management Policy and the process, also known as the Enterprise Risk Management Guideline.

Enterprise Risk Management Policy: Expresses the College's commitment to risk management and clarifies its general direction or intention.

Enterprise Risk Management Guideline: Identifies the activities we apply to manage our risk.

Risk Analysis: A process used to understand the nature, sources, and causes of the risks identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist.

Risk Evaluation: The process of comparing the results of risk analysis with Risk Criteria to determine whether the risk and/or its magnitude are acceptable or tolerable. Risk evaluation assists in risk treatment decision making.

Risk Criteria: Terms of reference used to evaluate the significance or importance of the College's risks. They are used to determine whether a specified level of risk is acceptable or tolerable.

Risk Treatment: The policies, procedures, processes and controls implemented by management to modify risk, taking into consideration the College's risk tolerances, and the cost to modify and the benefit of the modification, including the effect on risk likelihood and impact.

Risk Appetite Statement: A continually reviewed statement that expresses the amount and type of risk that the College is willing to pursue or retain to achieve its mission and strategic objectives. The College statement is updated at a minimum once every three (3) years.

Risk Tolerance: Represents the application of Risk Appetite to specific objectives and implemented by Risk Owners and/or their personnel. It describes the level of risk the College is willing to accept in relation to a threat that may cause loss or an opportunity in the day-to-day business activities. The Risk Tolerance of the College may be different for different departments and business units.

Risk Profile: A written description of a set of risks that are managed and addressed on a College-wide basis or only by those that are responsible for a particular function or department of the organization. The College Risk Profile is updated at a minimum once every three (3) years.

Risk Owner: A College employee who has been given the authority to manage a particular risk and is accountable for doing so.

Risk Culture: The system of values and behaviors present throughout the College that shape risk decisions. Risk culture influences the decisions of management and employees, even if they are not consciously weighing risks and benefits. Risk Culture also describes the degree to which individuals understand that risk and compliance rules apply to everyone as they pursue their business goals and that this requires a common understanding of the organization and its business purpose.

Control: An activity or management action to mitigate risk. It includes the policies, procedures, reporting and initiatives performed by the College to ensure that the desired risk response is carried out. These activities take place at all levels and functions of the College.

Likelihood: The probability of an event occurring. Likelihood of an event occurring is rated as rare, unlikely, possible, likely, or almost certain.

Impact: The severity of an event. Impact or severity of an event is rated as insignificant, minor, moderate, major or catastrophic.

Communication: The process of identifying risk and communicating broadly to enable all personnel to deliver on their responsibilities.

Risk Register: The official recording and assessment (with Impact and Likelihood) of the identified risks facing the College at a given period.

Report: A report delivered to the Audit & Risk Management Committee (ARM) at least every six (6) months in May and November that provides ongoing monitoring and reporting on the progress of risk mitigation activities and results.

Gap: The risk of outcomes not meeting expectations. Other terms used more specifically for the type of risk include performance gap and legitimacy gap, which emerge when the interests or values of, for example, funders, the Board of Directors and college representatives are not meeting expectations.

Inherent Risk: The Likelihood and Impact scores following a risk assessment and before the application of Risk Response. Also known as risk without controls.

Residual Risk: The Likelihood and Impact scores after the application of the Risk Response. Risk that remains after controls or treatment is implemented (partially or fully).

Target Risk: Risk that management desires after existing and future actions and treatments.

Risk Response: One or more risk modification methods to control risk.

Risk Universe: All risks that could impact the College.

REFERENCES

1. Enterprise Risk Management Policy
2. Colleges Ontario, Integrated Risk Management Framework (February 2014) Webinars, produced by MNP LLP
3. International Standard CSA/ISO 31000; 2009 Risk Management Principles and Guidelines


More information

Risk Management Policy Adopted by:

Risk Management Policy Adopted by: Risk Management Policy Adopted by: Infigen Energy Limited Infigen Energy (Bermuda) Limited Infigen Energy RE Limited in its capacity as Responsible Entity of Infigen Energy Trust Adopted: 17 December 2009

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program subsidiaries) 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis

More information

Compliance Management Framework. Managing Compliance at the University

Compliance Management Framework. Managing Compliance at the University Compliance Management Framework Managing Compliance at the University Risk and Compliance Office Effective from 07-10-2014 Contents 1 Compliance Management Framework... 2 1.1 Purpose of the Compliance

More information

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Project Management Self-Assessment Contents Introduction 3 User Guidance 4 P3M3 Self-Assessment Questionnaire

More information

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework Dorothy Gjerdrum, ARM-P, Chair of the ISO 31000 US TAG and Executive Director,

More information

Feature. Developing an Information Security and Risk Management Strategy

Feature. Developing an Information Security and Risk Management Strategy Feature Developing an Information Security and Risk Management Strategy John P. Pironti, CISA, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC. He has designed and implemented enterprisewide

More information

Business Analyst Position Description

Business Analyst Position Description Analyst Position Description September 4, 2015 Analysis Position Description September 4, 2015 Page i Table of Contents General Characteristics... 1 Career Path... 2 Explanation of Proficiency Level Definitions...

More information

Risk Management Strategy and Guidelines

Risk Management Strategy and Guidelines Swale Borough Council Risk Management Strategy and Guidelines Status: Final Originating Date: January 2008 Date Ratified: February 2008 (Audit Committee) Next Review Date: January 2009 Accountable Member:

More information

Enterprise Risk Management

Enterprise Risk Management Cayman Islands Society of Professional Accountants Enterprise Risk Management March 19, 2015 Dr. Sandra B. Richtermeyer, CPA, CMA What is Risk Management? Risk management is a process, effected by an entity's

More information

SAFETY and HEALTH MANAGEMENT STANDARDS

SAFETY and HEALTH MANAGEMENT STANDARDS SAFETY and HEALTH STANDARDS The Verve Energy Occupational Safety and Health Management Standards have been designed to: Meet the Recognised Industry Practices & Standards and AS/NZS 4801 Table of Contents

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES A CONSULTATION REPORT OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS STANDING COMMITTEE 3 ON MARKET INTERMEDIARIES

More information

RISK MANAGEMENT AND COMPLIANCE

RISK MANAGEMENT AND COMPLIANCE RISK MANAGEMENT AND COMPLIANCE Contents 1. Risk management system... 2 1.1 Legislation... 2 1.2 Guidance... 3 1.3 Risk management policy... 4 1.4 Risk management process... 4 1.5 Risk register... 8 1.6

More information

Discipline: Technical Services Category: Procedure. Risk Management RM-01 2013. Applicability. ARTC Network Wide. Interstate Network.

Discipline: Technical Services Category: Procedure. Risk Management RM-01 2013. Applicability. ARTC Network Wide. Interstate Network. Discipline: Technical Services Category: Procedure Risk Management RM-01 2013 Applicability ARTC Network Wide Interstate Network Hunter Valley Document Status Version Prepared by Reviewed by Endorsed Approved

More information

Cloud Computing and Privacy Toolkit. Protecting Privacy Online. May 2016 CLOUD COMPUTING AND PRIVACY TOOLKIT 1

Cloud Computing and Privacy Toolkit. Protecting Privacy Online. May 2016 CLOUD COMPUTING AND PRIVACY TOOLKIT 1 Cloud Computing and Privacy Toolkit Protecting Privacy Online May 2016 CLOUD COMPUTING AND PRIVACY TOOLKIT 1 Table of Contents ABOUT THIS TOOLKIT... 4 What is this Toolkit?... 4 Purpose of this Toolkit...

More information

Guidance notes: Financial Planning & Managing Risk

Guidance notes: Financial Planning & Managing Risk Guidance notes: Financial Planning & Managing Risk This guidance note is particularly for governors on the audit or finance committee, but will be of interest to all governors. What is the governing body

More information

Version: 3.0. Effective From: 19/06/2014

Version: 3.0. Effective From: 19/06/2014 Policy No: RM66 Version: 3.0 Name of Policy: Business Continuity Planning Policy Effective From: 19/06/2014 Date Ratified 05/06/2014 Ratified Business Service Development Committee Review Date 01/06/2016

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis (BIA) Page

More information

RISK MANAGEMENT TOOLKIT

RISK MANAGEMENT TOOLKIT RISK MANAGEMENT TOOLKIT (OPERATIONAL) This toolkit has been adapted from the toolkit prepared by the Finance Facilities and Planning Services Branch of the Department of Education and the University of

More information

Applying Risk Assessment to Your Audit Plan Break-out Session T3, Tuesday, October 26 2:00-2:50pm

Applying Risk Assessment to Your Audit Plan Break-out Session T3, Tuesday, October 26 2:00-2:50pm Applying Risk Assessment to Your Audit Plan Break-out Session T3, Tuesday, October 26 2:00-2:50pm Mike Brown Senior Vice President, Corporate Audit State Street Corporation Rich Reynolds Partner PricewaterhouseCoopers

More information

SECURITY RISK MANAGEMENT

SECURITY RISK MANAGEMENT SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W

More information