May 2011. Wilfrid Laurier University Enterprise Risk Management Draft Final Report




Table of contents
- Introduction (page 2)
- What we heard (page 8)
- Risk management: current and desired state (page 20)
- Operationalizing ERM: opportunities for consideration (page 26)
- Appendix I: Operational and Strategic Risk Universe (page 39)
- Appendix II: Detailed risk assessment results (page 42)

Introduction

Enterprise Risk Management (ERM) is a strategic, systematic and illustrative risk management capability across an organization that includes exercising effective risk governance, establishing customized risk management infrastructure and implementing robust risk management processes.

Over the past several weeks we met with members of Wilfrid Laurier's senior administration to review the top 5 strategic and top 5 operational risks identified by internal audit in 2010, in order to assess the following:
- Current mitigation strategies and controls employed in response to the risk factor;
- Existing gaps between the risk factor and the identified mitigation strategies and controls;
- Action plans to address the gaps and particular risk factors; and
- Additional information pertinent to evaluation of the particular risk factor.

A summary of the interview comments and the updated risk ranking for each of the risks is included in this report. The report also includes an assessment of Laurier's current ERM state and opportunities for consideration to more fully operationalize ERM within the University.

Key risk assessment criteria
- Significance: the impact that the risk would have on Wilfrid Laurier's ability to execute its strategies and achieve its objectives, assuming that the risk has occurred.
- Inherent likelihood: the probability that the risk event will occur, assuming that no specific risk mitigation activities are in place to manage the risk (time period: 3 years).
- Risk mitigation effectiveness: the effectiveness of the processes, procedures and activities that are in place to prevent, monitor and/or mitigate the risk.

Wilfrid Laurier University risk assessment results

| Risk name | Significance | Inherent likelihood | Risk score (significance x inherent likelihood) |
|---|---|---|---|
| Financial markets | 7.8 | 7.2 | 56.2 |
| Adequacy of IT infrastructure | 7.6 | 5.9 | 44.8 |
| Enrolment management | 7.3 | 5.8 | 42.3 |
| Collective lobbying | 6.7 | 6.2 | 41.5 |
| Extent of growth | 6.6 | 6.2 | 40.9 |
| Multi-campus development | 6.5 | 6.2 | 40.3 |
| Operating costs | 6.5 | 5.9 | 38.4 |
| Residence capacity | 5.9 | 5.9 | 34.8 |
| Change readiness | 6.0 | 5.8 | 34.8 |
| Government regulations | 6.0 | 5.7 | 34.2 |

Wilfrid Laurier University risk map
[Figure: risk map plotting the top 5 operational and top 5 strategic risks.]

Wilfrid Laurier University risk mitigation effectiveness map
[Figure: risk mitigation effectiveness map of the top 5 operational and top 5 strategic risks, with regions labelled "Under managed risks", "Potentially over managed risks" and "Zone of balanced risk management".]
The zone of balanced risk management depicts the critical risks that appear to be managed effectively relative to the level of risk.

Wilfrid Laurier University residual risk map*

Residual risk is the level of risk score less the risk mitigation effectiveness score. Residual risk scores, listed in Appendix II, range from a high of 1.3 to a low of -0.3. In an environment of limited resources, WLU should focus first on the High, then Moderate, then Low, then Well-Managed Risks in terms of next steps.

High residual risks: represents the highest residual risk exposure, as the assessed level of risk mitigation effectiveness is insufficient for the level of risk. Management should consider improving risk mitigation plans for these risks.
- Extent of Growth

Moderate residual risks: represents additional residual risk exposure that could be investigated further, as the assessed risk mitigation effectiveness is not commensurate with the level of risk. Risk mitigation plans should be documented and reviewed for appropriateness.
- Financial Markets
- Multi-Campus Development
- Enrolment Management
- Collective Lobbying

Well-managed risks: represent areas where assessed risk mitigation effectiveness is in excess of the level of risk. Where appropriate, management could consider reallocating resources to managing risks with higher assessed levels.
- Operating Costs
- Residence Capacity
- Government Regulations
- Change Readiness
- Adequacy of IT Infrastructure

Low residual risks: areas where risk mitigation effectiveness is commensurate with the level of risk. As risk levels can change over time, the risk mitigation plans should be flexible and updated on a regular basis.

* Note: The risks have been rated based on the residual risk score and are depicted in quadrants accordingly (e.g. High Residual Risk >= 1.1); within each quadrant, the farther from the centre, the greater the risk.

What we heard

Operational risk: Adequacy of IT infrastructure

Adequacy of IT infrastructure: the risk that the IT infrastructure architecture and security layer are no longer appropriate for user demands.

What we heard
- A significant amount of effort has been directed toward IT over the past year, including a reorganization of the department. However, it is too early to determine if the appropriate amount of progress has been made
- We spend more per student on IT than University of Waterloo
- There are ever increasing demands placed on the IT infrastructure due to growth across the university
- The introduction of the Help Desk has been a benefit
- A longer term perspective is required for IT architecture
- Due to the use of local units the result has been decentralized IT across the campus
- Is the right system in place to support the needs of a modern university?
- If there is a move toward centralization, an understanding of the complexities of the satellite campus will be essential

Operational risk: Enrolment management

Enrolment management: the risk that WLU is unable to regularly monitor trends in application numbers and other key statistics in order to remain competitive in the marketplace.

What we heard
- Each year we tend to have more students than were budgeted. In the past there was difficulty in hitting the mark, which led to some internal credibility issues
- We receive ample information from the application centre. We also have sub-committees which look at enrolment management and report directly to the VP Academic
- Enrolment management is definitely an art and science approach
- Is the One Laurier approach really applied in our enrolment management processes?
- There is a real cost in terms of undershooting the target and conversely a reputational risk in overshooting due to the resulting crowding in residences
- The new Director's role will be a key for this area and address the developments required

Operational risk: Operating costs

Operating costs: the risk that operating expenses exceed the funding received in the short/long term.

What we heard
- With 50% of our funding from operating grants, this is really out of our direct control
- We have a conservative budgeting approach and a better planning process is now in place
- Over the past 5-6 years there has been a surplus at the end of each year even though there have been budget cuts. This impacts our credibility on issues like the pension concerns
- We operate in a highly fixed cost environment and lack real flexibility in our ability to manage people costs except through the collective bargaining process
- The weighting values applied to program costs have not kept pace with reality
- We have to use operating funds to cover real costs incurred by deferred maintenance

Operational risk: Residence capacity

Residence capacity: the risks and events related to the consideration of residence capacity and the residence guarantee to first year students.

What we heard
- This may affect enrolment from a competitive perspective
- It would require debt to build more residence capacity and we presently have the ability to take on additional debt
- Residence operates with a flawed financial model. We incur costs for 12 months but only receive 8 months of revenue.
- A large block of land is not available within close proximity to the Brantford campus to build a residence facility
- The infrastructure funding for maintenance of the residence facilities may not be sufficient
- In some instances there is a cost premium for the external leasing of beds
- There is consideration for various partnership type arrangements. For example, private developers and bundling with Food and Retail Services.

Operational risk: Financial markets

Financial markets: the risk that financial market performance may result in an adverse impact on the University's pension, investments, endowment funds, bond credit rating, and overall financial flexibility.

What we heard
- We have a number of good controls in place, such as frequent reporting to the Board, in order to manage this risk
- We have additional governance through the new Investment Oversight Committee
- Laurier has done a good job of communicating the effects of market impacts to the university community
- We clearly have issues with the pension and endowments as a result of the financial markets
- Our key here is to manage the downside risk and this is being done through appropriate diversification and use of balanced and specialty funds

Strategic risk: Collective lobbying

Collective lobbying: the risk that Universities will lobby Government as individual institutions rather than as a collective group, limiting the strength of their bargaining power.

What we heard
- As Laurier is considered a smaller player, it is essential that we team up with other Universities as required
- There is danger that universities will go their own way and exclude the smaller institutions
- We have a number of good controls in place, including active membership and participation in various national and provincial lobbying groups and the addition of the Director of Government Relations
- Over the past year this risk has increased as the top 15 universities have come together and are lobbying for differential funding approaches
- There is risk that a fractured system would result in a move from healthy competition to destructive competition between universities

Strategic risk: Multi-campus development

Multi-campus development: the risk that the development of other campuses may result in a deterioration of services at satellite campuses, insufficient funding to complete campus development, and/or yield lower benefits than initially envisioned.

What we heard
- The President's task force for multi-campus governance and design has done important work in this area
- We should abolish the words "satellite campus"
- How can we ensure that adding more campuses doesn't result in a deterioration of services offered at the Waterloo campus?
- The academic community is feeling threatened as there is uncertainty as to which campus they are truly responsible to be a part of
- The Brantford experience is different from main campus as there is no library, dining hall or athletics facilities
- Brantford and Milton are two very different models. Brantford is an urban setting whereas Milton will be a greenfield start-up

Strategic risk: Extent of growth

Extent of growth: the risk that growth is not balanced properly, resulting in financial instability and/or deterioration of service offerings.

What we heard
- This could be a risk to the WLU brand. We need to continue to keep the brand strong.
- Staff counts have not always kept pace with the growth
- We have had to grow in order to pay for the inflationary costs
- Our real concern here should be that WLU is unable to grow
- It seems that we are trying to be everything to all people
- Growth provides opportunity
- The Board is looking for a specific focus whereas management has not responded in the same manner
- There is feeling that we need to take the emotion out of the debate
- Our 12 year track record at Brantford has been positive
- We are seen to be more reactionary than proactive and consequently need to be more strategic and less opportunistic

Strategic risk: Government regulations

Government regulations: the risks associated with changes in government compliance requirements and/or regulations such that the University is exposed to various qualitative and quantitative risks.

What we heard
- We are working through a strategy and communications plan related to the changes in procurement and expense directives introduced in the public sector
- These are going to take more staff time and are more complex, which may end up driving costs higher
- We have been mandated that 10% of our executive office expenditures have to be redirected to the frontlines
- Government is becoming more active and intrusive. For example, we have had to hire 5 new stationary engineers this year at the direction of the Technical Safety and Standards Authority (TSSA).
- Legislation is often geared more toward industry, but the university environment is different, which makes this more difficult to implement
- This risk is mitigated in part by our good government relations

Strategic risk: Change readiness

Change readiness: risks related to ensuring the University can adapt to an ever changing environment.

What we heard
- This risk will always exist in the university environment
- We need to do more work on the administrative strategy, which ties into the campus, classroom and student experience
- Universities tend to be slow to adapt
- Our collective agreements can be an obstacle to change
- We have a flexible mindset with our present leadership
- More and more communications have taken place, but the challenge remains in getting people to read them
- The senior leadership team is in touch with the market and in touch with trends
- Discussions around the risk and reward relationship tend to strongly polarize the university community

Other risks noted by participants
- Reputation
- Emergency preparedness and notification
- Competitor
- Leadership
- Infrastructure and facilities management
- Relationship
- Academic excellence and teaching quality
- Professional development for faculty and staff
- Community relations

Risk management: current and desired state

Deloitte's Enterprise Risk Management architecture

Establishing an effective risk management program with an appropriate supporting structure and processes is critical to proactively managing and monitoring risk on an ongoing basis. Determining and clearly communicating accountability for risk management will help to promote risk based decision making as Wilfrid Laurier University (Laurier) continues to embed effective risk management practices and a culture of risk awareness. The following diagram depicts Deloitte's Enterprise Risk Management (ERM) Architecture, which highlights the suggested areas of focus for ERM implementation.

[Figure: Deloitte ERM Architecture, five levels from top to bottom]
- Sustainability: Integration & Continuous Improvement
- Risk alignment: Risk Qualification / Key Risk Indicators; Risk Culture Alignment
- Risk processes: Risk Identification; Risk Assessment; Risk Mitigation
- Foundation: Risk Management Policies; Risk Governance & Structure; Training & Education; Risk Management Tools; Risk Reporting
- Program management: Executive Management and Board Support; Risk Strategy; Program Scope and Definition; Program Resources; Program Management

Deloitte's ERM architecture (continued)

The base level (program management) focuses on defining the vision and strategy of ERM and developing a program that will meet the expectations of management and the board of directors. It involves obtaining the necessary support from the top of the organization, confirming management's objectives and expectations for ERM, defining the scope of ERM, project planning and ongoing project management.

The second level (foundation) focuses on building the foundation needed for effective ERM implementation. These building blocks include the clarification of requirements and boundaries for ERM; definition of roles, responsibilities and accountabilities; enhancing the human and technological capability for ERM implementation; and defining risk information requirements.

At the third level (risk processes), the organization will have a good understanding of the significant risks to which it is exposed, as well as the extent of exposure to these risks. Action plans should be developed and implemented at this stage in order to address significant risk exposures.

The fourth level (risk alignment) involves the collection of data and measurement of risk to enable ongoing monitoring of risk, and the alignment of organizational culture to support a risk-conscious environment within the organization.

The top level (sustainability) reflects a state where the organization has successfully integrated ERM in strategic and business decision making, corporate and individual performance measurement, pricing decisions, and other business processes, and, based on organizational learning and changing circumstances, continuously enhances its ERM capability.

Risk management: current and desired state

Reputation and student satisfaction at Laurier serve to support risk management and quality of education. As such, while processes for managing risk are embedded in the daily practices within individual departments/programs, there is a lack of an integrated university wide ERM infrastructure to support a holistic approach to risk management. Risk management identification, assessment and reporting practices are not standardized across departments, resulting in a siloed approach to risk which often addresses risks on a departmental basis. This is indicative of an organization that has reached the Specialist Silo maturity stage of risk management. While the Specialist Silo level is indicative of existing risk management practices, it is difficult at this level to achieve integration and a strategic approach to risk management on an organization-wide basis. Furthermore, risk governance and reporting is also less effective at this level.

[Figure: Integrated Enterprise Risk Management Capability ladder against Stakeholder Value, with stages Ad Hoc, Specialist Silos, Top down, Systemic Risk Management and Risk Intelligent. Current state: Specialist Silos. Desired state: Systemic Risk Management.]

Risk management: current and desired state (continued)

Characteristics of the milestones/stages of maturity:

Ad hoc
- Ad-hoc/chaotic
- Depends primarily on individual heroics, capabilities and verbal wisdom

Specialist silos
- Independent risk management activities
- Limited focus on the linkage between risks
- Limited alignment of risk to strategies
- Disparate monitoring and reporting functions

Top down
- Common framework, program statement, policy
- Routine risk assessments
- Communication of top strategic risk to the Board
- Executive/steering committee
- Knowledge sharing across risk functions
- Awareness activities
- Formal risk consulting
- Dedicated team

Systemic risk management
- Coordinated risk management activities across silos
- Risk appetite is fully defined
- Enterprise-wide risk monitoring, measuring and reporting
- Technology implementation
- Contingency plans and escalation procedures
- Risk management training

Risk intelligent
- Embedded in strategic planning, budget allocation, etc.
- Early warning risk indicators
- Linkage to performance measurement/incentives
- Risk modeling/scenarios
- Industry benchmarking

Risk management: current and desired state (continued)

Based on discussions with members of senior administration at Laurier, there is a desire to move the organization towards the Systemic Risk Management capability milestone to enhance overall risk governance. Laurier already has some of the critical building blocks for its ERM program, established as part of various initiatives over the years:
- Development of an Enterprise Risk Universe, which serves as a basis for evaluating the risks facing the organization from an operational and strategic perspective; and
- Increased awareness of risks across the organization.

The opportunities for consideration in the following section will provide context for Laurier to establish its ERM program and move the organization towards its desired state, including a sustainable process for ongoing assessment, monitoring and reporting of risks. The following are two items that Laurier should focus efforts on in the near term:
- An assessment of the Risk Universe, which evaluates each identified risk against the organization's strategic directives; and
- Development of risk mitigation strategies to address identified gaps for key risks.

Operationalizing ERM: Opportunities for consideration

Executive management and board support

Opportunities for Laurier's consideration:

Given the current changes occurring within the Laurier environment, it will be important to continue to reinforce ERM as a priority of the Board and senior management in order to support sustainability of this initiative. Establishing a risk management charter for the organization can assist with communicating this key messaging. The ERM Charter should state Laurier's commitment to risk management, vision and program scope for risk management, delegate risk-taking authority, define the roles and responsibilities, state the risk management objectives and outline risk management processes for identifying and reporting risk, including guidelines on risk appetite. It is best formulated at the senior management level with input from the management team and approval by the Board (or assigned Board committee). The policy should be re-evaluated by senior management and the Board on an annual basis or as events warrant.

Communication from the top through messaging at meetings, newsletters, forums, etc. will assist in promoting a culture of risk awareness across Laurier and acceptance of the cultural shift towards enhanced risk reporting, monitoring and integration. In addition, messaging on risk management can be incorporated into communication documents from the President's office and in the strategic plan.

Risk strategy (vision, scope, resources)

Opportunities for Laurier's consideration:

It is important to align the vision and program scope with senior management and Board expectations. The vision and scope should also be aligned with the program resources and budget to support an effective and feasible ERM program that is both practical and sustainable for the university. The following are key guiding principles for the vision and future program scope:
- Holistic: focus on both operational and strategic risks
- Accountability: reinforced by a risk governance structure that promotes accountability for risk management at all levels, but supported by a centralized lead role/function
- Resource alignment: sufficient dedicated resources to support the program while optimizing existing roles and resources across program areas

Vision

As Laurier implements an ERM program, developing and communicating a common vision for risk management will assist in reinforcing the importance of this initiative and provide direction for work efforts. This message should be communicated across all levels of the organization to support a bottom up and top down approach for risk management. Based on our understanding of the future direction and areas of focus, the elements of this vision should consider:
- Linking risk management with the overall vision, mission and strategic planning for the university
- Leveraging risk awareness to promote risk based decision making
- Reinforcing proactive risk management vs. being reactive

Risk strategy (vision, scope, resources) (continued)

Vision (continued)
- Applying risk management to manage organizational change and performance improvement
- Reinforcing accountability for risk management at all levels
- Expanding the breadth of the program to organization-wide risks

This vision should be communicated to management and staff and should be aligned with senior management and the Board's vision for risk management. Establishing a clear plan that outlines the scope and mandate of the ERM program and the longer term strategy for sustaining ERM is also important.

Program mandate

The program mandate should also establish the link between quality, risk and continuous improvement to support the overall vision. The program mandate should define the responsibility for managing risk throughout the university at an organizational and process level. The program mandate should be communicated through the Risk Management Charter and policies and approved by the Board.

Risk strategy (vision, scope, resources) (continued)

Resourcing and reporting structure

It is important to have an appropriate level of risk management resources to effectively support the vision and mandate of the function. Therefore, alignment of the resourcing to the program scope and mandate is vital to ensure that the program is appropriately structured to effectively sustain the ERM mandate, which entails achieving a more holistic and integrated approach to risk management. The following are resourcing considerations and options:

Option 1: Status quo
- Description: maintain the status quo; no additional program resources for ERM
- Impact and considerations: limits the ability to enhance program focus to a more holistic and integrated approach; impacts ability to sustain ERM

Option 2: Enhanced status quo
- Description: maintain current resourcing, however assign risk leads in each of the departments
- Impact and considerations: need to assess whether current resources have sufficient skill sets to lead the ERM program; sustainability will still be a challenge given that a centralized lead risk management integration role is key to supporting oversight and monitoring

Option 3: Additional resourcing
- Description: allocate additional resource(s) to support the current structure; create a Chief Risk Management Officer role
- Impact and considerations: creating a dedicated role for ERM will enable greater focus and support sustainability; this will assist in promoting a cultural shift to risk awareness, especially in the interim as new tools, templates and approaches are introduced

Option 4: Integrate risk, compliance and audit
- Description: establish an integrated risk management, compliance and audit function/role which has responsibility for risk and process review and improvement
- Impact and considerations: this can assist in leveraging synergies in the skill sets required for both internal audit and risk; consider budget impact

Risk strategy (vision, scope, resources) (continued)

Resourcing and reporting structure (continued)
Formalization of risk management policies and of the overall risk governance structure across the university will also enable current resources to perform more strategic, proactive and oversight activities relating to risk management. Therefore, the decision regarding the appropriate staffing level for the function should factor in the future mandate, vision, impact of process changes and formalization of roles and responsibilities for risk management.

Risk management policies
Opportunities for HHS consideration
Laurier should create and document policies related to ERM. This will assist in formalizing the risk management program at Laurier, including risk assessment procedures, reporting and communication of risk, and clarifying roles and responsibilities. HHS should consider documenting the following risk management policies and procedures:
- Risk management charter: goals and objectives of risk management and overall vision
- Risk governance model: accountability for risk management and reporting of risks
- Risk terminology: standard risk terminology to promote common understanding and assessment of risk
- Risk identification: guidance on the nature of risks that should be reported and the timeframe for updates to the Risk Universe
- Risk assessment: the requirements for assessing risk (i.e. timing of periodic assessments)
- Risk mitigation: the responsibilities for risk mitigation and reporting on the status of risk mitigation activities
- Risk monitoring: protocols for ongoing monitoring of risks and reporting of risks to the Board and its committees, and senior management

Risk governance structure

Opportunities for Laurier's consideration
Laurier should formalize the risk governance structure and accountability for risk to reinforce a mechanism for shared responsibility and integration. This proposed structure reinforces the following:
- Risk management is everyone's responsibility
- Risk management focuses on all types of risks
- Appropriate escalation and reporting of risks
- Integrated risk management across the organization

The proposed risk governance structure reinforces the need to assign responsibility for specific risk areas to functions and committees. Senior management, the President and the Board play an integral role in supporting integrated risk management. In addition, a committee of the Board should be assigned accountability for overall direction and oversight of the ERM program, which would also enable integration at the committee level and support effective Board reporting and oversight. Options include:
- A Risk Management Committee
- Governance Committee
- Quality Committee
- Audit Committee

Risk governance structure (continued)

Considerations
The creation of a risk management committee is a best practice but, in our experience, is not a common practice in the university sector, and in this case it would require the establishment of an additional committee. Each of the other options is a valid alternative. Ultimately the decision will depend on the following:
- Appetite and capacity for the committee to take the overall oversight role for ERM
- Extent of skill sets and competencies to provide appropriate oversight for risk management, given the nature of the risks

The Risk Management Lead/Champion should participate in all key committee meetings, so as to have sufficient access to understand key issues and risks for the organization and to support an effective integration role. The table on the following page summarizes key stakeholders' roles and responsibilities to support a comprehensive risk governance structure.

Risk governance structure (continued)

Stakeholder: Laurier's Board of Directors
Roles and responsibilities: The Board plays an oversight role and needs to understand risk and risk management practices as part of its governance role. It should receive regular reporting on risk exposure, risk mitigation strategies, progress and issues. It should also consider the implications of risks and risk management activities to determine whether risks are being appropriately addressed. Approval of the Risk Management Charter and risk management policies.

Stakeholder: Audit & Compliance Committee
Roles and responsibilities: The Audit & Compliance Committee has overall oversight for non-clinical risks. It receives regular updates from the executive leadership team and senior management on financial and other corporate areas, including non-clinical risk management activities, issues and external audit. In its expanded role for overall oversight of the ERM Program it would also receive regular reporting on overall risk management activities and oversee progress against risk mitigation strategies, including the results of the overall assessment of risk. Committee approval of the Risk Management Charter and policies prior to seeking review and approval of the Board.

Stakeholder: President
Roles and responsibilities: The President sets the tone for risk management and also participates in risk identification and assessment processes. This role contributes to, reviews and approves risk mitigation strategies; is responsible for alignment of strategic planning with risk management and for building risk monitoring into the balanced scorecard; and has overall accountability for risk management within the organization.

Stakeholder: Senior Management
Roles and responsibilities: Senior Management is responsible for overseeing, assessing and monitoring risks and implementing risk mitigation strategies for their functional areas. The Senior Management team helps to bring an integrated approach to risk management by providing regular reporting and discussing the status of risk initiatives and key risks at regular team meetings with management and staff.

Stakeholder: Management and Staff
Roles and responsibilities: Management and staff are responsible for risk identification, monitoring and reporting on issues/risks impacting their areas. Management and staff are also responsible for applying risk-aware thinking in day-to-day activities.

Ongoing monitoring and management (risk identification, risk assessment, risk mitigation)

Opportunities for Laurier's consideration
The following are some suggested activities to assist in supporting risk processes for ongoing monitoring, assessment and reporting:

Develop an implementation plan to address the proposed risk mitigation strategies, and continue to identify additional strategies/actions to address other significant risks
- Assign specific champions or working groups (where needed) for each of the risk mitigation activities/action steps identified.
- Determine the specific resourcing and budget impact of these risk mitigation strategies.
- Further assess the feasibility of the proposed risk mitigation strategies based on Laurier's resourcing, capacity and funding to implement them.
- Continue to identify and develop risk mitigation strategies for other significant risks, based on the organization's risk tolerance level and initiatives for process improvement and enhancement of the risk and control environment.

Monitor the status of risk mitigation activities
- Review the status of risk mitigation action steps to ensure that these issues are being addressed appropriately and on a timely basis (e.g., quarterly reporting to the Board).
- Consider the potential impact of any changes in the risk environment on identified strategies and action steps, especially given that the organization is continuing to implement other initiatives.
- Consider the potential impact of challenges that arise in implementing the proposed mitigation strategies, and identify alternative strategies to address them.

Ongoing monitoring and management (risk identification, risk assessment, risk mitigation) (continued)

Opportunities for Laurier's consideration (continued)

Conduct a periodic re-assessment of risk exposure
- Update the Enterprise Wide Risk Framework on an annual basis, or more frequently if environmental and operational changes may significantly impact the assessment of risk. Updating the risk framework annually is considered best practice, but changes in the risk and control environment may require more frequent updates and reassessments of risk.

Risk quantification/key risk indicators

Opportunities for Laurier's consideration
Key risk indicators could be used as a tool to monitor and track trending on key risks and to promote greater accountability for risk. Given that significant data on performance metrics is already compiled, this data could be used to consider linkages to risk and to provide insights and perspectives on key risk issues on a forward-looking basis.

Risk culture alignment

Opportunities for Laurier's consideration
Generating awareness and communication of risk management is important to promote risk-based thinking throughout the organization at all levels. The following activities are recommended to promote a culture of risk responsibility and awareness:
- Increase the involvement of employees beyond the senior management team in the risk identification and risk assessment phases;
- Develop a communication strategy for risk management, identifying the target audience, format of communication and frequency of the communication;
- Through education and awareness, reinforce the fact that risk is everyone's responsibility;
- Communicate accountability, roles and responsibilities for risk management and the risk management structure;
- Reinforce messaging that risk should be considered on a daily basis as work activities are undertaken. While the formal risk assessment review can be performed on a periodic basis, acting on risk must be intuitive and considered daily at the strategic and operational levels. This means helping individuals to understand how they can consider risks in evaluating decisions;
- The Intranet could be optimized to communicate and generate awareness of risk management; and
- Use newsletters or management meetings to communicate the status of risk mitigation activities and the benefits sustained. Risk management could be added as a standing topic at regular senior management meetings to encourage individuals to identify and report key risks and to reinforce accountability for related strategies.

Integration and continuous improvement

Opportunities for Laurier's consideration
Consider opportunities for moving towards aligning strategic planning and change management with risk management. Once risk mitigation strategies have been identified for the significant risks, these strategies and the risk assessment results should be reviewed for their impact on the overall strategic plan for the organization. The risk assessment results should be reviewed in the context of the following:
- To provide direction for the prioritization of strategic initiatives and projects and the development of future strategies.
- To identify other additional strategies and controls that may be required in other areas, keeping in mind the need to prioritize resources and effort to areas of highest risk.
- To develop more detailed plans to support the risk mitigation strategies that have been developed as part of this project. This includes determining the funding and resource requirements and aligning the budget planning for the risk action items with the business/operational plans.
- Applying risk-based techniques to assess alternatives/scenarios prior to adopting changes.

Overall, management should seek to link and align risk management activities with strategic planning and project management activities to support a culture of risk management. This is also important to embed risk management activities in a practical manner without duplicating effort and to leverage synergies from other related initiatives.

Appendix I

Operational risk universe

Risk type: Operational (Resources and Processes)

Risk category: Academic Excellence
Risk factors: Academic Programs; Teaching Quality; Academic Resource Allocation; Integrity of Academic Activities; Integrity of Research Activities

Risk category: Students
Risk factors: Student Satisfaction; Enrolment Management; Residence Capacity; Health, Safety and Security; Student Services

Risk category: Employees
Risk factors: Labour Relations; Collective Bargaining; Overdependence on Key Staff; Health, Safety and Security; Human Resource Allocation; Faculty/Staff Attraction and Retention

Risk category: Financial
Risk factors: Financial Markets; Financial and Internal Controls; Financial Commitments; Operating Costs; Revenue Sources; Resource Allocation

Risk category: Information Technology
Risk factors: Adequacy of IT Infrastructure; Data Security; Business Continuity; Disaster Recovery; IT Resource Allocation

Risk category: Physical Infrastructure
Risk factors: Physical Resource Allocation; Condition of Facilities; Capital Projects

Strategic risk universe

Risk type: Strategic (Leading and Managing)

Risk category: Government
Risk factors: Government Funding; Government Regulation; Government Volatility; Collective Lobbying

Risk category: Partner Relations
Risk factors: Alliances and Partnerships; Donor Relationship Management; Fundraising Activities

Risk category: Leadership
Risk factors: Effectiveness of Leadership; Governance and Oversight; Adequacy and Relevance of Information

Risk category: Competitor Awareness
Risk factors: Competitive Pressures

Risk category: Change Readiness
Risk factors: Change Readiness; Extent of Growth; Multi-Campus Development; Sustainable Development

Risk category: Regulatory/Compliance
Risk factors: Legislative/Regulatory Compliance

Risk category: Reputation Management
Risk factors: Public Affairs & Media Relations; Crisis Management; Unexpected Events; Emergency Preparedness; Business Continuity; Mismanaged Issues; Disaster Recovery

Appendix II

WLU ERM detailed results by risk name

Risk                           Type               Significance  Inherent likelihood  Level of risk  Risk mitigation effectiveness  Residual risk gap
Adequacy of IT Infrastructure  Operational risks  7.6           5.9                  6.8            6.4                            0.4
Enrolment Management           Operational risks  7.3           5.8                  6.6            5.5                            1.1
Operating costs                Operational risks  6.5           5.9                  6.2            6.5                            -0.3
Residence capacity             Operational risks  5.9           5.9                  5.9            6.2                            -0.3
Financial markets              Operational risks  7.8           7.2                  7.5            6.7                            0.8
Collective lobbying            Strategic risks    6.7           6.2                  6.5            6.0                            0.5
Multi-campus development       Strategic risks    6.5           6.2                  6.4            5.1                            1.3
Extent of growth               Strategic risks    6.6           6.2                  6.4            5.1                            1.3
Government regulations         Strategic risks    6.0           5.7                  5.9            6.0                            -0.2
Change readiness               Strategic risks    6.0           5.8                  5.9            5.5                            0.4

WLU ERM detailed results ordered by residual risk gap

Risk                           Type               Significance  Inherent likelihood  Level of risk  Risk mitigation effectiveness  Residual risk gap
Extent of Growth               Strategic risks    6.6           6.2                  6.4            5.1                            1.3
Multi-Campus Development       Strategic risks    6.5           6.2                  6.4            5.1                            1.3
Enrolment Management           Operational risks  7.3           5.8                  6.6            5.5                            1.1
Financial Markets              Operational risks  7.8           7.2                  7.5            6.7                            0.8
Collective Lobbying            Strategic risks    6.7           6.2                  6.5            6.0                            0.5
Change Readiness               Strategic risks    6.0           5.8                  5.9            5.5                            0.4
Adequacy of IT Infrastructure  Operational risks  7.6           5.9                  6.8            6.4                            0.4
Government Regulations         Strategic risks    6.0           5.7                  5.9            6.0                            -0.2
Operating Costs                Operational risks  6.5           5.9                  6.2            6.5                            -0.3
Residence Capacity             Operational risks  5.9           5.9                  5.9            6.2                            -0.3
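The report does not state how the two derived columns in the Appendix II tables are calculated. The following Python is an added example, not part of the report, that rebuilds both tables from the raw scores under an assumed scoring model: level of risk is the mean of significance and inherent likelihood, and residual risk gap is level of risk minus risk mitigation effectiveness, each rounded to one decimal with ties going away from zero. That assumption reproduces every row above, including the -0.2 for Government Regulations, which only comes out right when the gap is taken from the unrounded level (5.85 - 6.0 = -0.15) rather than the rounded 5.9. The RAW_SCORES list is transcribed from the table; the function names are the example's own.

```python
from decimal import Decimal, ROUND_HALF_UP

# Scores transcribed from the report's Appendix II (WLU ERM detailed results).
# Each tuple: (risk name, risk type, significance, inherent likelihood,
# risk mitigation effectiveness). Level of risk and residual gap are derived.
RAW_SCORES = [
    ("Adequacy of IT Infrastructure", "Operational risks", "7.6", "5.9", "6.4"),
    ("Enrolment Management",          "Operational risks", "7.3", "5.8", "5.5"),
    ("Operating Costs",               "Operational risks", "6.5", "5.9", "6.5"),
    ("Residence Capacity",            "Operational risks", "5.9", "5.9", "6.2"),
    ("Financial Markets",             "Operational risks", "7.8", "7.2", "6.7"),
    ("Collective Lobbying",           "Strategic risks",   "6.7", "6.2", "6.0"),
    ("Multi-Campus Development",      "Strategic risks",   "6.5", "6.2", "5.1"),
    ("Extent of Growth",              "Strategic risks",   "6.6", "6.2", "5.1"),
    ("Government Regulations",        "Strategic risks",   "6.0", "5.7", "6.0"),
    ("Change Readiness",              "Strategic risks",   "6.0", "5.8", "5.5"),
]

TENTH = Decimal("0.1")


def to_tenth(value):
    """Round to one decimal, ties away from zero (what the report's figures need)."""
    return value.quantize(TENTH, rounding=ROUND_HALF_UP)


def score_risk(significance, likelihood, mitigation):
    """Assumed scoring model (inferred from the table, not stated by the report):
    level of risk = mean of significance and inherent likelihood;
    residual risk gap = level of risk - mitigation effectiveness.
    The gap is computed from the unrounded level and only then rounded."""
    sig, lik, mit = Decimal(significance), Decimal(likelihood), Decimal(mitigation)
    level = (sig + lik) / 2
    gap = level - mit
    return {"level": to_tenth(level), "gap": to_tenth(gap), "raw_gap": gap}


def detailed_results(rows=RAW_SCORES):
    """Rebuild the Appendix II rows ordered by residual risk gap, largest first.
    Ties keep the report's original row order because sorted() is stable."""
    scored = []
    for name, rtype, sig, lik, mit in rows:
        s = score_risk(sig, lik, mit)
        scored.append({
            "risk": name, "type": rtype,
            "significance": Decimal(sig), "likelihood": Decimal(lik),
            "level": s["level"], "mitigation": Decimal(mit),
            "gap": s["gap"], "raw_gap": s["raw_gap"],
        })
    return sorted(scored, key=lambda r: r["raw_gap"], reverse=True)


def gaps_above(threshold="1.0", rows=RAW_SCORES):
    """Names of risks whose residual gap exceeds the threshold, i.e. the ones
    where current mitigation lags furthest behind the assessed level of risk."""
    return [r["risk"] for r in detailed_results(rows) if r["gap"] > Decimal(threshold)]


if __name__ == "__main__":
    print(f"{'Risk':30} {'Type':18} {'Sig':>4} {'Lik':>4} {'Lvl':>4} {'Mit':>4} {'Gap':>5}")
    for r in detailed_results():
        print(f"{r['risk']:30} {r['type']:18} {r['significance']:>4} {r['likelihood']:>4} "
              f"{r['level']:>4} {r['mitigation']:>4} {r['gap']:>5}")
```

Decimal is used deliberately: with binary floats, (7.3 + 5.8) / 2 is stored as 6.549999..., and round() would give 6.5 instead of the 6.6 in the table, so a re-derivation of the report's columns would look wrong for the wrong reason.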