Authorization and Approval

Office of Administrative Responsibility: Strategic Finance Office
Policy Sponsor (Owner): President
Approving Body: Board of Governors
Last Revision Date: October 6, 2025
Effective Date: October 7, 2025
Next Review Date: June 30, 2027

Purpose and Objectives

The purpose of the Enterprise Risk Management (ERM) Policy is to establish a common University of Saskatchewan (USask) approach to effectively assess, manage and report risks that could affect the achievement of USask’s mission and strategic priorities.

Principles

The purpose of Risk Management is the creation and protection of value. Its effectiveness is supported by these principles:

  • Integrated – Risk management is an integral consideration across all USask activities.
  • Structured and Comprehensive – A structured and comprehensive approach to risk management contributes to consistent and comparable results.
  • Customized – The ERM Framework and processes are customized and proportionate to USask’s external and internal context and Objectives.
  • Inclusive – Appropriate and timely involvement of members enables their knowledge, views, and perceptions to be considered. This results in improved awareness and informed risk management.
  • Dynamic – Risks can emerge, change or disappear as USask’s context changes. Risk management anticipates, detects, acknowledges, and responds to those changes and events in an appropriate and timely manner.
  • Best Available Information – The inputs to risk management are based on historical and current information, as well as future expectations. Risk management explicitly considers any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to members.
  • Human and Cultural Factors – Human behaviour and culture significantly influence all aspects of risk management at each level and stage.
  • Continual Improvement – Risk management is continually improved through learning and experience.

Policy

USask has adopted an Enterprise Risk Management program to:

  • Integrate risk management across USask using a systematic ERM Framework.
  • Establish a common risk language and direction related to risk management.
  • Understand key risks that could impact USask in achieving its strategic priorities and operational commitments.
  • Support effective risk governance.
  • Understand USask risk tolerance and appetite.
  • Inform and support USask’s strategic decision-making.
  • Identify, analyze, evaluate, treat and monitor risks on an ongoing basis.
  • Promote a risk management culture to anticipate risk at the evaluation, planning and implementation stages of initiatives and projects.
  • Respond to changing social, environmental and legislative requirements.

Scope of this policy

This Policy applies to all members of USask across all areas, including academic, research, research centres, administration, ancillary, and support services.

Responsibilities

Every member of USask has a role in effective risk management; however, the following roles are critical to the success of USask’s ERM.

Board of Governors

  • Encourages an open and receptive risk management culture.
  • Approves USask’s Enterprise Risk Management Policy, including Appendix A – Risk Tolerance and Appetite.
  • Oversees USask’s risk management process (delegated to the Audit and Finance Committee).

Audit and Finance Committee of the Board of Governors

  • Receives and reviews quarterly reports on ERM.
  • Probes management on matters of evolving risk and ERM maturity plans.
  • Recommends to the Board of Governors modifications to USask’s ERM Policy and risk tolerance and appetite.

President & Vice-Chancellor

  • Is the owner of USask’s ERM, operationally delegated to the Chief Financial Officer.
  • Inspires and fosters a culture of risk management as a value and best practice.
  • Leads the setting of strategic priorities within USask’s risk tolerance and appetite.
  • Leads management discussions with the Board of Governors regarding institutional strategy and risk philosophy.

President’s Executive Committee (PEC)

  • Creates and promotes a risk-aware culture within USask, integrating ERM in strategic planning and decision-making.
  • Oversees the risk process by monitoring and evaluating risk assessments by SMT.
  • Assigns risk owners responsible for addressing prioritized risks within USask’s risk universe.

Senior Management Team (SMT)

  • Serves as the ERM Committee responsible for assessing Enterprise Risks in accordance with the ERM Policy, Risk Tolerance and Appetite, and ERM Procedures.
  • Formally identifies Enterprise Risks to add or remove from USask’s Risk Universe.
  • Undertakes routine (at least quarterly) reviews of enterprise risks and responds to risk assessment surveys to inform reports to PEC of any material changes.

Chief Financial Officer (CFO)

  • Implements and leads USask’s ERM, including the ERM Framework.
  • Manages USask’s ERM Maturity Plan.
  • Maintains USask’s risk register (delegated to USask’s Risk Analyst).
  • Oversees ERM reporting to PEC and the Audit and Finance Committee quarterly.

Risk Owners

  • Responsible for risk definition, assessment, and treatment.
  • Responsible for defining a risk case to promote understanding across ERM roles.
  • From time to time, makes presentations to those responsible for assessing risk.

Risk Analyst

  • Supports the implementation of USask’s ERM, including training and assistance.
  • Conducts routine ERM surveys with SMT and PEC, and other stakeholders as appropriate.
  • Maintains, in consultation with risk owners, the Risk Register with a quarterly date stamp.
  • Prepares ERM reports and presentations.

Internal Audit

  • Executes internal audits, which might include an assessment of USask’s ERM.
  • Reports observations and recommendations to the CFO and Audit and Finance Committee.

Reporting

ERM reports will be provided to PEC, the Audit and Finance Committee, and the Board of Governors quarterly. Reports will include, at minimum:

  • USask’s key enterprise risks and management action plan.
  • Commentary on changes within the reporting period, including arising risks.
  • Progress on USask’s Risk maturity plan.

Non-compliance

USask expects that all members of the university community will comply with the responsibilities in this Policy. Should there be reason to suspect non-compliance with the Policy, members shall report the circumstances to the Chief Financial Officer to determine an appropriate course of action. If this does not prevent further violations or failure to co-operate, the matter will be reported to the President and Vice-Chancellor and Board of Governors.

Related Policies, Documents and Procedures

Applicable Legislation or Regulations

Questions?

If you have questions about this policy, please contact:

Contact Person: Chief Financial Officer
Email: strategicfinanceoffice@usask.ca