Roles and Responsibilities
- Board of Governors - Finance and Audit Committee
  - Provides oversight of all components of Enterprise Risk Management (ERM).
  - Provides direction and support to the Vice President, People Services and the President on all matters related to ERM.
  - Reviews, on an annual basis, management's processes with respect to ERM and ensures management is positioned to identify, assess, and respond to risk, and to bring relevant information to the Board of Governors.
  - Reviews on an annual basis that VCC's risk tolerance statement is suitable for the environment in which VCC operates.
- President
  - Ensures strategic, financial, and capital planning activities are aligned with the ERM Framework and within the College's risk appetite and tolerance.
  - Provides leadership and direction to senior management on all matters related to ERM, including VCC's commitment to implementing and maintaining an effective ERM process.
- Vice President, People Services
  - With the support and approval of the President, recommends and implements broad-based policies reflecting VCC's risk management philosophy and risk appetite.
  - Oversees the maintenance of the Risk Register through the Department of Safety, Security, Risk and Privacy.
  - Ensures risk mitigation activities are sufficient and appropriate such that VCC's residual risks are within its risk tolerance.
  - Acts as the key liaison with the Finance and Audit Committee on all matters related to ERM and supports the President in their liaison with the Board of Governors.
- Senior Leadership Team
  - Ensures identified risks in their areas of responsibility are being appropriately managed and mitigated within the ERM Framework.
  - Oversees the implementation of high-level mitigation strategies for critical risks in their area(s) of responsibility (e.g. fraud risk, cyber risk, etc.).
- Executive Director, Safety, Security, Risk and Privacy
  - Provides strategic direction and advice regarding the development and maintenance of the College's ERM program.
  - Escalates key strategic risks to the Vice President, People Services.
- Associate Director, Risk Management and Privacy
  - Supports the Vice President, People Services in reporting of risks and risk mitigation activities to the Finance and Audit Committee.
  - Develops and manages the College's ERM Framework.
  - Maintains and updates the College's Risk Register.
  - Conducts annual reviews of identified risks and control measures in all College departments.
- Management and Employees
  - Identifies and monitors department-level risks.
  - Considers the impact of risk in strategic planning and operational priorities.
  - Implements and maintains controls to help ensure that risks are within the College's risk tolerance.
Procedures
- The College will implement and maintain a risk management program to identify and mitigate risks that may impact the College's objectives, and incorporate risk management into core operations, including coordinating and overseeing:
  - A Risk Register which identifies those risks with the potential to significantly impact the College's strategic innovation plan and operational objectives;
  - The assessment, evaluation and prioritization of each risk using consistent criteria;
  - The assignment of a risk owner responsible for identifying and mitigating risks in respective department(s);
  - The development of risk response plans in order to manage each risk within the acceptable risk tolerance;
  - Regular reviews and reports on the progress of risk response plans; and
  - Education and awareness initiatives to increase the understanding of risk management across the College.
- The Associate Director, Risk Management and Privacy (the Associate Director), or delegate, will develop the College's ERM Framework and maintain VCC's Risk Register.
- A formal process to review and update the Risk Register will be conducted on an annual basis. Senior and department leaders are required to provide direct input into the identification and assessment of risks, and for monitoring and evaluating any implemented risk controls between annual reviews, upon request of the Associate Director or their designate.
- The Associate Director, or designate, will present an annual report to the Finance and Audit Committee on the College's most significant risks, and the controls in place to bring those risks within the established risk appetite and tolerance.
- The Finance and Audit Committee and Board of Governors will be presented with a summary of significant changes (if any) in VCC's risk profile upon their request.
- VCC will provide all records relating to the ERM Framework to any approved external auditors when requested.
- The College's institutional Risk Register is a highly sensitive and restricted document which is only shared in its entirety with the Finance and Audit Committee, Senior Leadership Team, and any external auditors. The Associate Director, or designate, will publish an annual report on the status of the ERM Framework, while keeping the details of risks and their mitigation strategies confidential.