Risk Management Policy

POLICY STATEMENT

The Canadian Association of Research Administrators (CARA) faces numerous risks that could affect any aspect of its membership, operational or commercial activities. Sound risk management is therefore required to ensure the Association is able to achieve its operational aims and strategic objectives.

CARA considers risk management to be fundamental to good management practice and a significant aspect of corporate governance. Risks include not only threats facing the Association, but also the failure to seize opportunities. An assessment of risk must therefore be conducted to identify and analyse risks and to report them to the most appropriate management level within the Association.

It should be noted that risk management is the responsibility of everyone working for, with or in support of the Association, not just of a small number of named individuals. Accordingly, the Association maintains a register of strategic and operational risks which is routinely reviewed and integrated into the planning and budgeting processes.

Purpose

This Risk Management Policy identifies the underlying approach to risk management across the Association. It defines the roles and responsibilities of members of staff and the Board of Directors together with the annual mechanism for reviewing risk management processes. The policy is informed by good practice guidelines issued by the Risk and Insurance Management Society (Canada) (www.rimscanada.ca) and the Institute of Risk Management (www.theirm.org). 

The purpose of this policy is a formal acknowledgement of the commitment made by the Association to risk management. The Association considers that taking well-managed risks is essential to its success as the professional association for Canada’s research support profession. The aim of the policy is not to eliminate risk from the Association’s activities, but rather to manage risk appropriately.

What is risk?

Risk is commonly defined as the possibility that an action, event or set of circumstances will adversely or beneficially affect an organisation's ability to achieve its objectives. Risk is a consequence of uncertainty and is present in all Association activities. The exposure is normally expressed in terms of the failure to reach an objective and the resultant operational, reputational and/or financial damage that may be incurred.

What is risk management?

Risk management is the planned and systematic approach to identifying, evaluating and controlling risks at all levels of the organisation.

CARA’s approach

The Association’s approach to risk management is guided by the following principles:

  • the Board of Directors has overall responsibility for the effectiveness of internal controls based on information provided by the Executive Director, officers of the Board of Directors, and/or any sub-committee of the Board of Directors delegated with authority to consider the Association’s risks;

  • risk management is implemented as an integral part of Association activities at all levels and is monitored on a day-to-day basis by the Executive Director;

  • a Risk Management Sub-Committee of the Board of Directors will support and advise on the implementation of risk management processes and convene as required to consider risk relating to specific organisational activities and/or decision-making;

  • risk will be a standing item at the regular meetings of the Board of Directors, sub-committees of the Board of Directors, and the Executive Office. Sub-committee chairs, together with their secretariat (staff), will be responsible for embedding good risk management practice within their portfolio area;

  • risks are identified, analysed and recorded as appropriate, normally within a risk register that scores the likelihood and impact of risks;

  • the management of risk will involve user-friendly language and Association processes will be kept as simple and effective as possible; and

  • the financial and non-financial implications arising from risks and associated controls will be estimated as accurately as possible.

The Association uses five steps to manage risks, and a common template to record and report strategic and operational risks:

Step 1 – Identifying risks

The identification and review of risks takes place throughout the year and is a formal part of the planning and budgeting cycle. The Board of Directors and each of its sub-committees together with members of staff are expected to carry out ongoing reviews and updates of the linkages between strategic objectives and risks to ensure that focus is maintained on priority activities.

Strategic risks typically affect the whole of an organisation and not just one or more of its parts. Because of this, strategic risks are recorded and monitored at an organisation level and form a key part of strategic management.

Operational risks refer to issues arising from the normal business operations. Accordingly, they affect the day-to-day running of the Association in contrast to strategic risks that arise from the organisation’s strategic positioning. Operational risks are typically managed by the Executive Director, in consultation with relevant sub-committee chairs and/or officers of the Board of Directors and can be managed and mitigated by internal control systems.

Step 2 – Analysing the risk

The Association scores each risk in the register on a 1 to 5 scale for impact and a 1 to 5 scale for likelihood, using the Measures of Impact and Measures of Likelihood set out in Annex A. Impact is the potential severity or effect of the risk. Likelihood is the frequency or probability of the risk occurring. The two scores are combined into a risk rating (in the Annex A template example, the product of the impact and likelihood scores) and read off the likelihood/impact matrix as a Low, Moderate, High or Extreme level, which gives a traffic-light view of the net risk.

Step 3 – Determining the risk owner

Strategic and operational risks are assigned to a risk owner, who is responsible for managing the risk and associated control measures.

Step 4 – Identifying control measures

The control measures selected depend on the treatment category assigned to the risk at residual level. The Association uses the 4Ts to categorise risk treatment:

  • Tolerate: risks are accepted and built into operational or project management
  • Treat: risks are reduced by management action (e.g. putting in place a business continuity plan)
  • Transfer: risks are passed on to another organisation or body (e.g. outsourcing, insurance or subcontracting)
  • Terminate: risks are avoided by doing something else

Actions to mitigate or control a risk have a direct cost or an opportunity cost, which is recorded in the risk register. Once a control is applied, the risk is reassessed to identify the effect of the action on the net risk; the risk that remains after control measures are in place is known as the residual risk.

Step 5 – Reviewing the risk

Risks should be reviewed on a regular basis to ensure that strategic and operational registers are kept up-to-date. At an Association level, the register of strategic risk is reviewed and discussed at each meeting of the Board of Directors.

Risk responsibilities

It is essential that all participants in risk management are aware of their roles in the overall process and their own responsibilities. The key responsibilities are outlined below:

Board of Directors

The CARA Board of Directors has a fundamental role to play in the management of risk and in setting an overall culture of risk management within the Association. This includes:

  • determining and reviewing the risk appetite of the Association and agreeing a risk appetite statement that is reviewed annually;
  • approving major decisions affecting the Association’s risk profile or exposure;
  • determining what types of risk are acceptable or not acceptable; and
  • identifying and acting as risk owner for appropriate strategic risks.

Risk Management Sub-Committee

Acting on behalf of the Board of Directors, the Risk Management Sub-Committee will:

  • monitor the management of key strategic risks;
  • satisfy itself that less significant risks are being actively managed, with the appropriate controls in place and working effectively;
  • annually review the Association’s approach to risk management, and recommend changes or improvements to key elements of its processes and procedures;
  • report to the Board of Directors on the effectiveness of risk management processes as appropriate; and
  • convene to consider risks of specific activities or decisions when required.

Executive Director

The Executive Director will:

  • identify and evaluate significant risks faced by the Association for consideration by the Board of Directors;
  • implement policies on risk management and internal control;
  • maintain the risk register;
  • provide adequate information in a timely manner to the Board of Directors and/or the Risk Management Sub-Committee on the status of risks and control measures;
  • regularly review the effectiveness of internal controls; and
  • identify and act as risk owner for appropriate strategic and/or operational risks.

Sub-Committees

Chairs of other sub-committees are responsible for identifying, assessing and monitoring risks at portfolio level. They will:

  • disseminate good and appropriate risk practice across their committee;
  • identify, monitor and assess risk issues within their portfolio;
  • monitor and discuss risk as a regular item at committee meetings;
  • report on risk and control issues and review regularly as appropriate; and
  • alert the Executive Director and/or the Risk Management Sub-Committee to risks which may have strategic importance.

Defining the risk appetite

The Board of Directors determines the extent to which the Association is “risk-taking” or “risk-averse”. The evaluation of the Association’s strategic risks provides a regular review of the Association’s risk tolerance line.

Management of risk

The management of risk is supported by a system of internal control, and is closely related to the planning and budgeting processes and to organisational performance management. This enables the Association to respond to a variety of operational, financial, reputational and commercial risks. The elements of this system include:

Policies and procedures

Attached to significant risks are a series of policies that underpin the internal control process and are supported by written procedures where appropriate.

Reporting

Significant risks are reported regularly to the Board of Directors via the risk register or on an ‘exception’ basis as required, for example, on risks associated with new projects, or on emergent external risks.

Planning and Budgeting

The annual planning and budgeting processes are used to set objectives, agree action plans and allocate resources.

Risk Register

The Risk Register is maintained by the Executive Director and reviewed by the Board of Directors and/or the Risk Management Sub-Committee. It is used to identify, assess and monitor risks significant to the Association. Improvement actions and risk indicators are monitored regularly.

The template risk register is attached as Annex A.

Annual Review of Effectiveness

The Board of Directors is responsible for reviewing the effectiveness of the Association’s risk management mechanisms. In doing this, the Board will consider the following:

  • The Association’s objectives and its financial and non-financial targets;
  • The Association’s performance in identifying, assessing and reporting risks;
  • Prioritisation of risks and the allocation of resources to areas of high exposure; and
  • Effectiveness of control measures.

The Risk Management Sub-Committee, on behalf of the Board of Directors, will review the risk register and this policy document to ensure on-going effectiveness in the management of risk.


ANNEX A

CANADIAN ASSOCIATION OF RESEARCH ADMINISTRATORS

RISK REGISTER

Category Key (see Measures of Impact below)

F = Financial   H = Human   L = Legal   O = Operational   R = Reputational   S = Strategic

No | Risk | Category | Impact (1-5) | Likelihood (1-5) | Risk Rating | Mitigating Action / Management Tool | Risk Owner | Review Date | Next Review
eg | Office landlord closes premises | O | 3 | 1 | 3 | Regular engagement with landlord management to ensure tenancy is secure | ED | 01/10/16 | 01/04/17

Rows 1 to 17 of the template are left blank, to be completed with the Association's own risks.

Measures of Impact

Category | Negligible (1) | Minor (2) | Moderate (3) | Major (4) | Severe (5)
Financial | Potential loss of < $2,000 | Potential loss of $2,000 - $10,000 | Potential loss of $10,000 - $20,000 | Potential loss of $20,000 - $50,000 | Potential loss of > $50,000
Human | Potential for minor injury requiring first aid treatment | Potential for injury or illness resulting in medical attention and several days off work | Potential for injury or illness resulting in short-term hospitalisation | Potential serious long-term injury | Potential for death, permanent disability or ill-health
Legal / Compliance | Minor dispute that can be remedied without external intervention | Potential for compliance, contractual or regulatory breaches with external implications | Confirmed compliance, contractual or regulatory breaches. Specific activities required to remedy situation | Significant penalties and/or costs to remedy legal and/or compliance breaches | Severe penalties to company, Directors and/or staff
Operational (functions) | No noticeable impact on operational functions | Short-term disruption to operational functions | Significant disruption to operational functions | Extended disruption to operational functions | Collapse of operational functions
Operational (supply chain) | No noticeable impact on supply chain | Short-term disruption to supply chain | Significant delays to supply chain | Extended delays to supply chain | Total supply chain failure
Operational (working conditions) | Minimal change to work conditions | Short-term increase in working hours | Sustained deterioration in working conditions | Long-term deterioration in working conditions resulting in increased sick leave/absences and potential resignations | Unacceptable working conditions resulting in workplace injuries/illness/absence and resignations
Reputational | Adverse impact that can be remedied immediately | Adverse impact that is short term and reversible at minimal cost | Adverse impact with potential for significant damage | Impacts requiring long-term remedial attention | Irreversible damage to brand and reputation
Strategic / Market | Localised concern – no impact on long term viability | Detrimental to short-term profitability and/or strategic direction | Detrimental to mid-term profitability and/or strategic direction | Significant long-term impacts. Will require change to strategic directions and objectives | Business viability in question

Measures of Likelihood

Risk level by likelihood (rows) and impact (columns):

Likelihood | Negligible (1) | Minor (2) | Moderate (3) | Major (4) | Severe (5)
Almost Certain (5) | Moderate | High | High | Extreme | Extreme
Likely (4) | Moderate | Moderate | High | High | Extreme
Possible (3) | Low | Moderate | Moderate | High | Extreme
Unlikely (2) | Low | Moderate | Moderate | Moderate | High
Rare (1) | Low | Low | Moderate | Moderate | High

Likelihood bands:

Almost Certain (5): 76-100% probability
Likely (4): 51-75% probability
Possible (3): 26-50% probability
Unlikely (2): 10-25% probability
Rare (1): <10% probability


In the event of inconsistency between the French and English versions, the English language version shall prevail.


Approved by the CARA Executive Board: 6 May 2017