FAQs

Information last reviewed and updated on 27th February 2024.

Risk can be described as the effect of uncertainty on objectives. Uncertainty is an inevitable component of the world that we live in and managing it is essential for an organisation’s agility and growth. For more information, please refer to the Risk Management Handbook. 

Risk Management – if implemented formally and practiced collaboratively – is critical to the fulfilment of an organisation’s operational and strategic objectives. Without it, an organisation has no real control over day-to-day or future events and their impact(s). Circumstances are otherwise left to happenstance. Through the practice of Risk Management, organisations can identify threats and opportunities. This allows for better decision making which in turn can strengthen the organisation, protect its most valuable assets, and positively cement its place in the world. Risk Management is therefore important because it is about the creation and protection of value.

UCD’s Risk Management process follows the ISO Guidelines. The process is not a ‘one off’ exercise, but rather a continuous, cyclical practice that all staff are responsible for contributing to and integrating into their day-to-day decision making. A high level summary is outlined below.

  • Determine Scope, Context and Criteria
  • Risk Assessment 
    • Risk Identification
    • Risk Analysis
    • Risk Evaluation
  • Communication, recording and reporting, and monitoring and review are also key components of the framework.

For specific detail on the process and how it applies in practice, please refer to the Risk Management Handbook in Guidance and Templates.

Risk Registers are comprehensive listings or trackers used by organisations to record, monitor, and report on risk in detail. They allow for consistent, effective risk identification, analysis and evaluation, and support decision making and the achievement of business objectives.

The Risk Management Office, in conjunction with Senior Management, has developed a Risk Register template for the organisation. For further information, please refer to the ‘How to complete a Risk Register’ template in Guidance and Templates (please note, this template is currently under review).

'Three Lines of Defence' is a universal model of risk management adopted by UCD. The term is used to describe three different 'lines' of responsibility for risk across the organisation as follows. 

  • 'First Line of Defence' –  the Unit that ‘owns’ the risk. In UCD there are layers of Risk Owners, starting at Unit / School / Project Level and moving upward via College / UMT Function level to Enterprise Level Risks which are owned by the UMT. Risk Owners are responsible for identifying, assessing, controlling and mitigating their owned risks.
  • 'Second Line of Defence' –  specialist University functions that facilitate effective risk management practices by providing Risk Owners with relevant information and guidance. This includes the Risk Management Office, but also other key specialist functions such as UCD Legal, UCD Quality Office, UCD Safety, UCD HR, etc. *Please note - the Second Line do not own risks nor are they responsible for dealing with identified risks, rather they provide the appropriate policies, training, templates and tools to empower the Risk Owners to identify, evaluate and monitor risk(s) effectively and in line with best practice.
  • 'Third Line of Defence' – this line provides independent internal assurance to the UMT and GA that the University has an effective Risk Management Framework in place. In UCD this role is fulfilled by Internal Audit and the ARMC itself, which is a subcommittee of the GA.

Risk Owners are individuals who have ownership for the identification and ongoing monitoring of risks as well as any controls and/or actions related to that risk. Risk Owners are normally UMT members, Heads of Colleges, Schools or Business Units depending on the type of Risk Register.

Action Owners are individuals who are responsible for seeing through any actions that need to be implemented to reduce the residual risk of a risk. They sit close to the risk and normally act upon instruction of the Risk Owner but do not have ownership of the risk.

Risk Appetite is the level of risk or uncertainty that an organisation is willing to accept in the pursuit of its strategic objectives. It is descriptive in nature (having a Low Risk Appetite, for example) and can vary depending on the type or category of risk. An organisation could have a low risk appetite for activities which result in regulatory non-compliance, whilst at the same time having a high risk appetite for activities that will further innovation, for example. Risk Appetite is not designed to set a limit on decision making and innovation, but rather to facilitate appropriate decision making in an informed way. It allows organisations to realise their goals on a measured basis with minimal detrimental impact to their operations, staff and stakeholders.

For further information, please refer to UCD’s Risk Appetite Framework in Guidance and Templates.

In the context of UCD’s Risk Management Process and Risk Register, Inherent Risk is the assessment of risk considering the current controls that are in place.

In the context of UCD’s Risk Management Process and Risk Register, Residual Risk is the assessment of risk considering the current controls and additional controls and/or actions which could reduce or improve the risk.

Please contact the Risk Management Office directly.

Contact UCD Risk Management

UCD Risk Management Office, Roebuck Castle, University College Dublin, Belfield, Dublin 4, Ireland
E: ciara.doherty1@ucd.ie