Policy Title: Enterprise Risk Management
Policy Owner: VP, Corporate Services
Effective Date: April 2014
Last Revised: November 2015
Mohawk College recognizes that risk is present in all institutional activities and that the successful management of risk is a critical factor in achieving the College’s strategic priorities, objectives and operational commitments. As such, the College will develop, implement and sustain a flexible Enterprise Risk Management (ERM) process to proactively identify, evaluate, treat, report on and monitor challenges and choices that can impact the College. ERM will serve to assist in strengthening our institutional governance; inform our strategic planning and management practices in a manner that creates value for our stakeholders; and provide institutional guidance to liberate the institution in order to optimize Mohawk’s approach to risk and foster innovation. The Program is based on ISO 31000.
2. Application and Scope
This policy applies to Mohawk College and any of its wholly owned subsidiaries.
“Enterprise Risk Management (ERM)” is a strategic institutional approach that supports the achievement of the College’s objectives by addressing the full spectrum (reputational, strategic, financial, operational and compliance) of its risks and managing the combined impact of an interrelated risk approach.
“Risk” refers to any event that can potentially impact (positively or negatively) the College's ability to achieve its mandate, its mission, strategic priorities and objectives.
Mohawk is committed to establishing an ERM process that:
- identifies, evaluates and responds to adverse risks in a manner that is structured, consistent and continuous across the entire organization;
- raises awareness, harmonizes risk management and fosters risk intelligence within the College’s culture;
- assists in accomplishing the College’s strategic priorities and objectives;
- informs decision-making from strategic to day-to-day operations of the College;
- assists leadership in understanding challenges and choices and supports the proactive management of risk optimization which fosters innovation at the College;
- supports continuous improvement and renewal; and
- assists the institution in aligning Senior Leadership, the Board and its committees in managing to optimize Mohawk’s risk threshold.
5. Accountability and Compliance
5.1 Accountability Framework
This policy has been approved by the Senior Leadership Team.
The VP, Corporate Services is responsible for monitoring the effectiveness of this policy and ensuring compliance.
6.1 The College will establish and maintain an Enterprise Risk Management Process.
6.2 The Enterprise Risk Management Process will be carried out systematically, with a view to supporting and facilitating the achievement of the College’s reputational, strategic, operational, financial and compliance objectives. This will be accomplished by identifying, analyzing, evaluating, treating, monitoring and providing institutional guidance on risks on a continual basis.
6.3 The Enterprise Risk Management Process will serve not as an independent activity but as a fully integrated flexible source of valuable guidance to assist College management in making informed, consistent decisions throughout the institution.
6.4 The College will promote a culture of risk management and will strive to anticipate and evaluate risks at the point of conception for strategies, plans and objectives.
6.5 With respect to each identified risk, the College will provide guidance on how to approach the treatment of the risk. As appropriate, the College will seek to encourage the optimization of risk through collaboration, information, mitigation and education in order for the College to effectively realize strategic objectives and operational commitments.
6.6 In conjunction with its regular reports, the College will maintain a formal register of key risks, indicators and other information that will facilitate management of its ongoing ERM activities.
7. Roles and Responsibilities
7.1 Internal Audit and Risk Committee
The Committee is chaired by the Vice President, Corporate Services. The function of the Internal Audit and Risk Committee is to:
- Exercise oversight for the successful incorporation of ERM principles and activities in the College organization.
- Oversee the ongoing development and direction of the ERM Process and Internal Audit Plan.
- Develop, review (annually) and approve the risk threshold guidance for the College and support the communication of guidance throughout the organization.
- Determine whether material risks being accepted across the College are consistent with the College’s risk threshold.
- Review and assess processes, policies, controls and mitigation strategies.
- Receive, review and approve regular reports of all ERM activities provided to the Committee and the AF&I Committee.
- Serve as risk sponsors for each of the College’s key risks.
- Identify risk leaders for each of the College’s key risks.
- Act in an advisory capacity to assist and provide input in the identification, analysis, evaluation, treatment, monitoring and provision of institutional guidance for risks.
- Propose internal audit review priorities.
7.2 Risk Leaders
Risk Leaders are individuals and/or groups identified by the Internal Audit and Risk Committee as holding management accountability and responsibility for mitigating, monitoring and reporting on the designated key risk assigned to them. The function of a Risk Leader is to:
- Participate in the ERM process by providing knowledge and understanding about designated risk(s) and actions being taken to mitigate, manage, monitor and leverage opportunities for the risks identified including leading the risk(s).
- Provide regular reports on the status of the key risk.
- Provide ad hoc communication on the key risk should a significant change in its status occur.
7.3 Corporate Secretary and General Counsel
The Corporate Secretary and General Counsel leads the Enterprise Risk Management Process in cooperation with the Corporate Policy and Risk Management Analyst and is responsible for:
- Overseeing and maintaining the ERM Policy and processes.
- Facilitating, monitoring and managing the institution’s ERM process to ensure appropriate risk optimization and value to the College.
- Facilitating and coordinating the incorporation of risk identification, assessment and mitigation in the College’s strategic planning process.
- Coordinating the building of Enterprise Risk Process awareness and a common risk language across the College.
- Facilitating and managing the annual review processes of identification, assessment, evaluation, mitigation, monitoring and provision of institutional guidance on risks.
- Developing risk assessment and management tools to assist the College community with managing challenges and choices.
- Developing a risk register for the College.
- In collaboration with risk leaders, reporting on the status of key risks to the Internal Audit and Risk Committee, AF&I Committee and the Board.
- Corporate policy development.
7.4 Faculties and Departments
Faculties and departments are accountable for implementation of this policy within their respective areas of responsibility. They have the responsibility of:
- Incorporating risk management in their planning processes and management activities;
- Actively participating in the risk assessment process; and
- Reporting on the status of items in the risk register as required when it has an impact on their respective responsibilities as part of the annual planning or review cycle.
7.5 Audit, Finance & Infrastructure (AF&I) Committee
The AF&I Committee has been established as a Standing Committee of the Board pursuant to the By-laws of the College and is accountable for ERM. Its function is to:
- Exercise oversight, on behalf of the Board of Governors, of the College’s risk management processes; and
- Review periodic and annual reports relating to the College-wide risk management process for identified risks and review the effectiveness of control systems used to monitor the risks.
7.6 Internal Audit
The function of Internal Audit is to provide independent oversight of the effectiveness of, and adherence to, the institution’s organizational and procedural controls.
Through internal audit reviews, Internal Audit will:
- Evaluate controls and advise managers at all levels
  - Appraise the soundness, adequacy and application of internal controls.
- Evaluate risks
  - Identify key activities and relevant risk factors and assess their significance.
- Analyze operations
  - Work closely with line managers to review operations to ascertain whether results are consistent with established goals and objectives.
- Review compliance
  - Ensure the College is adhering to rules, regulations, laws, codes of practice and policies as they apply individually and collectively to all parts of the College.
8. Policy Revision Date
8.1 Revision Date
The VP, Corporate Services is responsible for reviewing this policy every three years or earlier where required.
10. Specific Links
- CS-1306-1979 Conflict of Interest
- CS-1004-2013 Approval of Capital Renovation and Maintenance Projects
- CS-1403-2008 Emergency Response
- ISO 31000 - Risk Management