
Enterprise Risk Management Policy
- Approver: Academic Coordinating Committee
- Policy Owner: Associate Vice President, Risk Management
- Policy Lead(s): Manager, Campus Safety
- Effective date: 2022-06-22
- Date of last approval: 2022-06-22
- Status: Approved
Policy Statement
The Conestoga College Institute of Technology and Advanced Learning (Conestoga) undertakes strategic decisions and implements business practices that expose it to different types of risks and opportunities within its institutional risk profile. As such, Conestoga is committed to implementing and enhancing an Enterprise Risk Management (ERM) program to drive effective and accountable action to ensure that risk management is a core capability and an integrated strategic tool across the institution’s key functions and processes.
The ERM policy is a declaration of commitment by the Conestoga Board of Governors and Executive to adopt and apply ERM practices throughout the institution. The policy sets out the ERM objectives, principles, roles, and responsibilities to ensure that the ERM program is structured, effective and consistent.
Scope
ERM Values: The Conestoga ERM program will evolve over time to conform to the standards of ERM best practices. Conestoga will continue to develop, implement, and deploy risk management tools that support the enablement of an operational culture of planning, accountability, and continuous improvement.
Audience: This document applies to all employees, policies, property, and processes that exist at Conestoga, which are vulnerable to different types of inherent and residual risks, such as:
- Financial Risk
- Legal and Regulatory Risk
- Operational Risk
- Reputational Risk
- Safety Risk
- Security Risk
- Strategic Risk
Definitions
Conestoga College maintains a glossary of terms specific to the institution. The ones in use for this document are defined below.
- Enterprise Risk Management (ERM)
- A framework that is part of the overall management and stewardship of the organization by the Conestoga Board of Governors and its employees, and is applied in a strategic setting. ERM includes methods and processes designed to identify, assess, manage, monitor, and report on the financial, operational, strategic, safety, security, legal and regulatory risks across the Conestoga organization and practices.
- Financial Risk
- The risk of loss due to the failure of a stakeholder to honour its financial obligations to Conestoga; the risk of loss due to an operational and/or internal control breakdown; the risk of loss due to the inability of Conestoga to meet its financial obligations in a timely manner.
- Inherent Risk
- The risk to Conestoga in the absence of any controls to alter either the risk’s likelihood or its impact.
- Legal and Regulatory Risk
- The risk of loss resulting from failure of Conestoga to comply with the applicable laws, regulatory requirements, legislation or contractual obligations. It also includes the potential for litigation stemming from all aspects of Conestoga activities.
- Operational Risk
- The risk of loss due to inadequate or failed internal processes, people or systems.
- Reputational Risk
- The occurrence of a risk event that results in an adverse opinion or perception of Conestoga being formed in the hearts and minds of Conestoga’s audience.
- Residual Risk
- The risk exposure remaining after management has implemented action to alter the risk’s likelihood or impact.
- Risk
- A function of the magnitude or seriousness of the harm and the probability that it will occur (p. 22).
- Risk Appetite
- The type and amount of risk, on a broad level, Conestoga is willing to accept in pursuit of its strategic objectives.
- Risk Assessment
- The identification of risks and the evaluation of quantitative and/or qualitative impact of risks related to a specific event recognized as a threat, performed by means of tools developed by Conestoga. Risks are analyzed by likelihood and impact, as a basis to determine how the risks should be prioritized and managed.
- Risk Capacity
- The maximum potential impact of a risk event that Conestoga could withstand. Risk Tolerance is the acceptable level of deviation relative to achievement of a specific Conestoga objective or goal.
- Risk Profile
- The consolidated or portfolio view of the set of risks to which Conestoga is exposed.
- Risk Register
- An official record of risks facing Conestoga, as established through the risk assessment process; the register includes root causes, controls, impacts, risk scores, ownership and treatment plans.
- Safety Risk
- The risk of staff and/or students being harmed if exposed to a hazard.
- Security Risk
- Something or someone who is a threat to staff and student safety, or key business processes.
- Strategic Risk
- The risk of loss due to the failure to identify changes in the business environment that impact Conestoga objectives, or the inability to develop, select and execute an effective strategy.
Policy
- The enterprise risks covered under this policy include those risks that impact Conestoga’s capability to achieve its strategic objectives.
- Conestoga does not strive to remove all current and emerging risks; rather, Conestoga will ensure that key risks are recognized and managed within an adequate risk tolerance to protect the College.
- Conestoga ERM Objectives:
  - Incorporate risk management awareness and tools into the culture and strategic decision-making processes of the College;
  - Advance Conestoga’s ability to manage risk through appropriate identification, assessment, management, reporting, and monitoring of risk;
  - Sustain a common risk language and understanding across the organization;
  - Enable Conestoga’s leadership team and Board of Governors to prioritize key risks to balance the cost of managing risk within risk appetite, and to ensure adequate resources are in place to meet Conestoga’s most critical strategic objectives;
  - Support the Conestoga Board of Governors, the Board Governance Sub-Committee, and the Academic Coordinating Committee (ACC) with risk management practices and decision making, as required; and
  - Anticipate, effectively plan for and respond to the changing internal and external environments.
- ERM Principles
  - ERM is every employee’s responsibility;
  - ERM is an integral part of organizational processes and controls;
  - ERM is part of strategic decision making at the institution;
  - ERM proactively addresses risks and opportunities, to protect and create value for all Conestoga stakeholders; and
  - ERM is dynamic and responsive to internal and external change.
- ERM Framework
  - To perform effective risk management, an ERM framework and plan will:
    - Support the management and oversight of risks across Conestoga;
    - Enable the three lines of defense model (see appendix);
    - Stimulate ERM sustainability and integration into Conestoga’s strategic planning, change management, and decision-making processes; and
    - Build the foundation needed for an effective ERM implementation, including scope, roles, responsibilities, and accountabilities.
Relevant Legislation and Related Documents
Related documents
Revision Log
Date | Details |
2022-06-08 | Academic Forum |
2022-06-22 | Academic Coordinating Committee |