Risk Management Policy


The Canadian Association of Research Administrators (CARA) faces numerous risks that could affect any aspect of its membership, operational, or commercial activities. Sound risk management is therefore required to ensure the Association is able to achieve its operational aims and strategic objectives.


CARA considers risk management to be fundamental to good management practice and a significant aspect of corporate governance. Risks include not only threats facing the Association, but also a failure to seize opportunities. An assessment of risk must, therefore, be conducted to identify and analyze risks and to report them to the most appropriate management level within the Association.


It should be noted that risk management is the responsibility of everyone working for, with or in support of the Association, not just a small number of named individuals. As such, the Association maintains a register of strategic and operational risks that is routinely reviewed and integrated into planning and budgeting processes.


This Risk Management Policy identifies the underlying approach to risk management across the Association. It defines the roles and responsibilities of members of staff and the Board of Directors together with the annual mechanism for reviewing risk management processes. The policy is informed by good practice guidelines issued by the Risk and Insurance Management Society (Canada) (www.rimscanada.ca) and the Institute of Risk Management (www.theirm.org). 

The purpose of this policy is a formal acknowledgment of the commitment made by the Association to risk management. The Association considers that taking well-managed risks is essential to its success as the professional association for Canada’s research support profession. The aim of the policy is not to eliminate risk from the Association’s activities, but rather to manage risk appropriately.

Risk is commonly defined as the possibility that an action, event, or set of circumstances will adversely or beneficially affect an organization’s ability to achieve its objectives. Risk is a consequence of uncertainty and is present in all Association activities. The exposure is normally expressed in terms of the failure to reach an objective and the resultant operational, reputational, and/or financial damage that may be incurred.

What is risk management?

Risk management is the planned and systematic approach to identifying, evaluating, and controlling risks at all levels of the organization.

CARA’s approach

The Association’s approach to risk management is guided by the following principles:

  • the Board of Directors has overall responsibility for the effectiveness of internal controls based on information provided by the Executive Director, officers of the Board of Directors, and/or any sub-committee of the Board of Directors delegated with authority to consider the Association’s risks;

  • risk management is implemented as an integral part of Association activities at all levels and is monitored on a day-to-day basis by the Executive Director;

  • a Risk Management Sub-Committee of the Board of Directors, composed of the President, Past President, Vice President, and Treasurer, will support and advise on the implementation of risk management processes and convene as required to consider risk relating to specific organizational activities and/or decision-making;

  • risk will be a standing item at the regular meetings of the Board of Directors, sub-committees of the Board of Directors, and the Executive Office. Sub-committee chairs, together with their secretariat (staff), will be responsible for embedding good risk management practice within their portfolio area;

  • risks are identified, analyzed and recorded as appropriate, normally within a risk register that scores the likelihood and impact of risks;

  • the management of risk will involve user-friendly language and Association processes will be kept as simple and effective as possible; and

  • the financial and non-financial implications arising from risks and associated controls will be estimated as accurately as possible.

The Association uses five steps to manage risks, and a common template to record and report strategic and operational risks:

Step 1 – Identifying risks

The identification and review of risks takes place throughout the year and is a formal part of the planning and budgeting cycle. The Board of Directors and each of its sub-committees, together with members of staff, are expected to carry out ongoing reviews and updates of the linkages between strategic objectives and risks to ensure that focus is maintained on priority activities.

Strategic risks typically affect the whole of an organization and not just one or more of its parts. Because of this, strategic risks are recorded and monitored at an organization level and form a key part of strategic management.

Operational risks refer to issues arising from normal business operations. Accordingly, they affect the day-to-day running of the Association in contrast to strategic risks that arise from the organization’s strategic positioning. Operational risks are typically managed by the Executive Director, in consultation with relevant sub-committee chairs and/or officers of the Board of Directors, and can be managed and mitigated by internal control systems.

Step 2 – Analyzing the risk

The Association uses standard risk modeling to measure the likelihood and impact of individual risks identified in the risk register. The impact is the potential severity or effect of the risk. The likelihood is the frequency or probability of a risk occurring. The risk score is calculated using impact and likelihood to produce an evaluation of the net risk that can be translated into a traffic light system.

Step 3 – Determining the risk owner

Strategic and operational risks are assigned to a risk owner, who is responsible for managing the risk and associated control measures.

Step 4 – Identifying control measures

The identification of control measures will depend on the treatment category of the risk at a residual level. The Association uses the 4Ts to categorize risk:

  • Tolerate: risks are accepted and built into operational or project management
  • Treat: risks are reduced by management action (e.g. putting in place a business continuity plan)
  • Transfer: risks are passed on to another organization or body (e.g. outsourcing, insurance or subcontracting)
  • Terminate: risks are avoided by doing something else

Actions to mitigate or control risk will have a direct cost or an opportunity cost that is recorded in the risk register. The risk should be reassessed to identify the impact of any action on the net risk. The result of any control measure is known as the residual risk.

Step 5 – Reviewing the risk

Risks should be reviewed on a regular basis to ensure that strategic and operational registers are kept up-to-date. At an Association level, the register of strategic risk is reviewed and discussed at each meeting of the Board of Directors.

Risk responsibilities

It is essential that all participants in risk management are aware of their roles in the overall process and their own responsibilities. The key responsibilities are outlined below:

Board of Directors

The CARA Board of Directors has a fundamental role to play in the management of risk and in setting an overall culture of risk management within the Association. This includes:

  • determining and reviewing the risk appetite of the Association and agreeing on a risk appetite statement that is reviewed annually;
  • approving major decisions affecting the Association’s risk profile or exposure;
  • determining what types of risk are acceptable or not acceptable; and
  • identifying and acting as a risk owner for appropriate strategic risks.

Risk Management Sub-Committee

Acting on behalf of the Board of Directors, the Risk Management Sub-Committee will:

  • monitor the management of key strategic risks;
  • satisfy itself that less significant risks are being actively managed, with the appropriate controls in place and working effectively;
  • annually review the Association’s approach to risk management, and recommend changes or improvements to key elements of its processes and procedures;
  • report to the Board of Directors on the effectiveness of risk management processes as appropriate; and
  • convene to consider risks of specific activities or decisions when required.

Executive Director

  • identify and evaluate significant risks faced by the Association for consideration by the Board of Directors;
  • implement policies on risk management and internal control;
  • maintain the risk register;
  • provide adequate information in a timely manner to the Board of Directors and/or the Risk Management Sub-Committee on the status of risks and control measures;
  • regularly review the effectiveness of internal controls; and
  • identify and act as a risk owner for appropriate strategic and/or operational risks.


Chairs of other sub-committees are responsible for identifying, assessing, and monitoring risks at portfolio level. They will:

  • disseminate good and appropriate risk practice across their committee;
  • identify, monitor and assess risk issues within their portfolio;
  • monitor and discuss risk as a regular item at committee meetings;
  • report on risk and control issues and review regularly as appropriate; and
  • alert the Executive Director and/or the Risk Management Sub-Committee to risks which may have strategic importance.

Defining the risk appetite

The Board of Directors determines the extent to which the Association is “risk-taking” or “risk-averse”. The evaluation of the Association’s strategic risks provides a regular review of the Association’s risk tolerance line.

Management of risk

The management of risk is supported by a system of internal control and is closely related to the planning and budgeting processes and organizational performance management. This enables the Association to respond to a variety of operational, financial, reputational, and commercial risks. The elements of this system include:

Policies and procedures

A series of policies is attached to significant risks; these policies underpin the internal control process and are supported by written procedures where appropriate.


Significant risks are reported regularly to the Board of Directors via the risk register or on an ‘exception’ basis as required, for example, on risks associated with new projects, or on emergent external risks.

Planning and Budgeting

The annual planning and budgeting processes are used to set objectives, agree on action plans, and allocate resources.

Risk Register

The Risk Register is maintained by the Executive Director and reviewed by the Board of Directors and/or the Risk Management Sub-Committee. It is used to identify, assess, and monitor risks significant to the Association. Improvement actions and risk indicators are monitored regularly.

The template risk register is attached as Annex A.

Annual Review of Effectiveness

The Board of Directors is responsible for reviewing the effectiveness of the Association’s risk management mechanisms. In doing this, the Board will consider the following:

  • The Association’s objectives and its financial and non-financial targets;
  • The Association’s performance in identifying, assessing and reporting risks;
  • Prioritization of risks and the allocation of resources to areas of high exposure; and
  • Effectiveness of control measures.

The Risk Management Sub-Committee, on behalf of the Board of Directors, will review the risk register and this policy document to ensure on-going effectiveness in the management of risk.




Annex A – Risk Register Template

Category Key (see Measures of Impact below)

F = Financial   O = Operational
H = Human       R = Reputational
L = Legal       S = Strategic

Risk                            | Category | Risk Rating | Mitigating Action / Management Tool                                         | Risk Owner | Review Date | Next Review
--------------------------------|----------|-------------|-----------------------------------------------------------------------------|------------|-------------|------------
Office landlord closes premises |          |             | Regular engagement with landlord management to ensure the tenancy is secure |            |             |
Measures of Impact

Category                         | Negligible (1)                                                    | Minor (2)                                                                                | Moderate (3)                                                                                                     | Major (4)                                                                                                             | Severe (5)
---------------------------------|-------------------------------------------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------
Financial                        | Potential loss of < $2,000                                        | Potential loss of $2,000 - $10,000                                                       | Potential loss of $10,000 - $20,000                                                                              | Potential loss of $20,000 - $50,000                                                                                   | Potential loss of > $50,000
Human                            | Potential for minor injury requiring first aid treatment          | Potential for injury or illness resulting in medical attention and several days off work | Potential for injury or illness resulting in short-term hospitalization                                          | Potential serious long-term injury                                                                                    | Potential for death, permanent disability or ill-health
Legal / Compliance               | Minor dispute that can be remedied without external intervention  | Potential for compliance, contractual or regulatory breaches with external implications  | Confirmed compliance, contractual or regulatory breaches; specific activities required to remedy the situation   | Significant penalties and/or costs to remedy legal and/or compliance breaches                                         | Severe penalties to company, Directors and/or staff
Operational (functions)          | No noticeable impact on operational functions                     | Short-term disruption to operational functions                                           | Significant disruption to operational functions                                                                  | Extended disruption to operational functions                                                                          | Collapse of operational functions
Operational (supply chain)       | No noticeable impact on supply chain                              | Short-term disruption to supply chain                                                    | Significant delays to supply chain                                                                               | Extended delays to supply chain                                                                                       | Total supply chain failure
Operational (working conditions) | Minimal change to work conditions                                 | Short-term increase in working hours                                                     | A sustained deterioration in working conditions                                                                  | Long-term deterioration in working conditions resulting in increased sick leave/absences and potential resignations   | Unacceptable working conditions resulting in workplace injuries/illness/absence and resignations
Reputational                     | Adverse impact that can be remedied immediately                   | Adverse impact that is short term and reversible at minimal cost                         | Adverse impact with potential for significant damage                                                             | Impacts requiring long-term remedial attention                                                                        | Irreversible damage to brand and reputation
Strategic / Market               | Localized concern – no impact on long term viability              | Detrimental to short-term profitability and/or strategic direction                       | Detrimental to mid-term profitability and/or strategic direction                                                 | Significant long-term impacts; will require a change to strategic directions and objectives                           | Business viability in question

Measures of Likelihood

Rating             | Probability
-------------------|--------------------
Almost Certain (5) | 76-100% probability
Likely (4)         | 51-75% probability
Possible (3)       | 26-50% probability
Unlikely (2)       | 10-25% probability
Rare (1)           | <10% probability


In the event of inconsistency between the French and English versions, the English language version shall prevail.

Approved by the CARA Executive Board on 6 May 2017 and 12 May 2020