Risk Management (GP 42)

Revision Date: November 26, 2015

Revision No.:

1. Preamble

The University recognizes that in undertaking activities not all risk can, or should be, eliminated. Although risk management often involves responding to the negative impacts of risk, it is important to recognize that all opportunities bring some risk which must be effectively managed, and not necessarily avoided.

The University supports risk management through an active program of risk identification, mitigation and transfer at the enterprise and unit levels. The University is committed to continuous improvement by engaging in best practices and regularly reviewing our risk appetite and risk tolerance. SFU actively pursues best practices and engages members of the community in the development of a culture of risk management.

2. Purpose

The purpose of this Policy is to describe the enterprise-wide risk management strategy at Simon Fraser University and the approach utilized by the University to effectively manage enterprise risks.

3. Scope

This Policy applies to all university activities, whether in Canada or abroad. Risk management occurs at all levels of the University and all members of the university community play a role by adopting strategies that balance risks and rewards when undertaking activities on behalf of the University.

4. Policy

The University utilizes a deliberative approach to the identification, analysis, evaluation and treatment of risks which may limit or enhance the University’s strategic and operational priorities. At the institutional level, the University determines the appropriate level of acceptable risk based on a balanced view of risk, considering both the threat of adverse impacts and the opportunities that arise from properly managed risk.

4.1 Objective

An objective of the University’s Enterprise Risk Management (ERM) program is the effective management of a balanced portfolio of enterprise risks, giving due consideration to six categories of risk:

a. Financial risks which may result in a loss of physical or financial assets.

b. Operational risks which may impact ongoing management processes.

c. Reputational risks which may affect SFU’s reputation, brand and public image.

d. Compliance risks which impact our compliance with internal policies and external laws, regulations, and health and safety requirements.

e. Environmental risks related to impacts on the environment from University activities.

f. Strategic risks which adversely affect the University’s ability to achieve its strategic goals.


4.2 Risk Management Approach

The University has adopted a consistent approach for university employees to consider and act upon the likelihood and impacts of risks. The assumption of risk is contingent upon the utilization of all available internal controls and risk management approaches to ensure that residual risk does not exceed established tolerance levels. The approach is guided by provincial risk management guidelines as well as internationally accepted risk management standards and processes (e.g. ISO 31000); the resulting process is outlined in Figure 1.

Figure 1 - The Risk Management Process

4.3 Risk Appetite Statement

SFU seeks to develop a culture that is risk-aware without being risk-averse, pursuing opportunities that further our strategic and operational priorities while effectively managing risks that have the potential to adversely impact the University. We recognize that virtually all activities carry a degree of uncertainty and require the University to strike an appropriate balance between managing hazards and pursuing strategic opportunities.

The University’s risk appetite, outlined in Appendix A, varies according to its assessment of a particular risk along the risk appetite continuum.

4.4 Principles

The University’s risk management process is guided by the following principles:

a. Strategic decision-making by the senior executive of the University is best informed through open and transparent assessments of enterprise risks.

b. Congruency with best practices in risk management at other post-secondary education institutions—locally, nationally and internationally—enables the University to effectively manage enterprise risks.

c. The University seeks to integrate the risk management process across academic and operational units of the University.

d. Engagement activities with students, faculty and staff are core to the University. Effective assessment of risk and opportunity is critical to the achievement of the University’s strategic goals in these areas.

e. Leveraging Institutional Strength: The University has robust internal control and risk management practices in place, and endeavours to continually strengthen its practices.

5. Governance

British Columbia’s post-secondary institutions are governed by the University Act which requires that the Board of Governors (“the Board”) undertake its activities in the best interests of the University. As Section 27(1) of the Act states, “The management, administration and control of the property, revenue, business and affairs of the university are vested in the board.”  

5.1 Roles and Responsibilities

The Board of Governors, through the Audit, Risk and Compliance Committee, is ultimately responsible for ensuring the university has effective risk management and control processes in place. The Board confirms the risk appetite for the University, ensuring a balance between opportunity and risk. The Audit, Risk and Compliance Committee has oversight of risk management structures and processes. The committee reviews the annual ERM Report, the Annual Insurance and Liability Report, the Due Diligence and Compliance Report, and findings from Internal Audit to ensure oversight on risk management activities.

The Vice-President Finance and Administration is responsible for the development and oversight of risk management policy at the University, and has the authority to implement the ERM program.

The roles and responsibilities of other internal stakeholders are described in Appendix B.

6. Definitions

Risk

Any event or action that may adversely affect the University’s ability to achieve its strategic and operational priorities.

Risk Management

The application of rigorous methods to identify, analyze and treat risks in order to increase the likelihood of objectives being achieved and decrease the likelihood, or reduce the impact, of negative events.

Enterprise Risk Management (ERM)

ERM consists of the structures, processes and culture that are directed towards the effective management of opportunities and potential adverse effects. This methodology provides the framework for strategic and operational decision-making, and facilitates the coordinated ongoing application of risk management across all parts of the University, from the strategic plan to the operational level.

ERM Report

The annual ERM Report outlines the risks and associated mitigation strategies to treat those risks which are most likely to negatively impact the University’s ability to achieve its strategic priorities.

Risk Appetite

The Risk Appetite outlines the amount and type of risk the University is willing to take in order to achieve its strategic objectives. It is expressed in a statement that describes the overall approach to risk, acknowledging a willingness and capacity to take on risk when required.

Risk Tolerance

A more precise definition of the level of risk and uncertainty the University is willing to accept in pursuit of its strategic objectives.

7. Related Policies

a. Indemnity Approval

b. University Occupational Health and Safety

c. Response to Violence and Threatening Behaviour

d. Emergency Management

e. Environmental Management

f. Biosafety Policy

g. Radiological Safety

h. Non-Ionizing Radiation Safety



APPENDIX A - Risk Appetite Continuum


APPENDIX B – Roles and Responsibilities – Enterprise Risk Management

Risk Steering Committee

The Risk Steering Committee oversees the formulation of risk strategy and policy based on the University’s risk appetite and risk tolerance. The Committee also receives reports of significant risks from faculties and departments, and considers whether the risks are significant or pervasive enough to be included in the enterprise risk register.

Chief Safety Officer

The Chief Safety Officer institutes administrative procedures pursuant to the risk management policy and ensures the procedures are updated as required. The Chief Safety Officer also facilitates the identification of key strategic risks, compiles risk information, and reports to the Vice-President Finance and Administration on the challenges, opportunities and outcomes associated with the University’s Enterprise Risk Management (ERM) program.

Safety and Risk Services (SRS)

SRS is responsible for ensuring the effective and efficient operation of specialist risk transfer functions (e.g. insurance). SRS also engages members of the University community in establishing a culture of risk management through implementation of a unit-level risk register and regular learning opportunities for staff.

Internal Audit Office

The Internal Audit Office provides independent and objective assurance on the University’s risk management processes, operations and governance processes through the conduct of a comprehensive, risk-based internal audit plan.

Faculties and Departments

Supervisors are responsible for the management of unit-level risks and risks associated with local projects, and are encouraged to adopt the University’s overall approach to risk management and to maintain a record of the unit-level risks managed locally.

All Employees

All faculty and staff are responsible for developing an understanding of the University’s risk management policies and procedures, and for integrating them with their own roles and responsibilities.