Risk Register

What is a strategic risk register?

A risk register is a tool to support the risk framework which captures strategic institutional risks.  It will include detailed descriptions of the key risks faced by UVic as well as the various strategies in place to mitigate each risk.  It is envisaged that the register will become a "living" document and will be utilized as a management tool to inform planning and improve decision making within UVic.

What is the goal of having a strategic risk register?

  • To develop and promote a risk management culture within the university focusing on areas of risk;
  • To provide a "living" document that will be utilized as a management tool to assist in achieving the university's strategic objectives;
  • To assist UVic in the development of a long-term sustainable and comprehensive approach to support the identification and management of risks across UVic; and
  • To provide the Board of Governors and senior management with a more comprehensive understanding of the risks faced by UVic, including an assessment of the risks and the activities that have been undertaken to manage the risks facing UVic.

Key definitions

The following definitions apply to this policy:


Risk is a chance of something occurring that may impede the university from achieving its objectives.  The concept of risk has two elements:  the likelihood of a risk happening and the consequence if it happens.

Risk management:

The application of management policies and processes to enable the systematic identification, analysis, mitigation and monitoring of risk.

Risk management plan:

A documented list of risk mitigation strategies/actions, timelines and accountabilities.

Risk mitigation:

Involves identifying the range of options for treating risk, evaluating those options, selecting the preferred treatment strategy, preparing risk mitigation plans and implementing them.

Risk Appetite: 

The amount and type of risk that the university is ordinarily prepared to take in order to meet its objectives. Click here to view the university Risk Appetite Statement(s).  

Inherent risk:

Refers to risk considered without any assessment of controls.

Residual Risk:

The level of risk that remains after all risk treatment measures have been taken.

Risk management responsibility:

Risk management is everyone's responsibility and therefore this information will be a useful reference for all university employees.  It has been designed for use by departments within the university as well as the senior management group, audit committee, line management and those employees involved in the formal application of the risk management process.

Risk mitigation owners:

  • Identify and control risks in their area of responsibility
  • Continually review risks and controls of their operations to ensure effective management
  • Update the status on the risk mitigation plans on a regular basis

Risk and insurance analyst:

  • Ensures the risk management plan is monitored and updated regularly
  • Monitors risks to ensure university objectives are achieved
  • Conducts or arranges appropriate risk management training where necessary
  • Provides policy and framework to departments to identify, analyze and manage risks
  • Produces and provides management with relevant and timely user reports

Risk Management Steering Committee:

  • Monitors risk management plans and ensures the timeliness of their actions
  • Assurance of risk control and compliance
  • Monitors the cost effectiveness of the risk management plan.

View the Risk Management Process Stages for a process stages diagram.

View the Risk Management Process Stages Expanded for an expanded process stages diagram.

Risk Register

Risk identification

The aim of the risk identification process is to generate a comprehensive list of risks that might affect the university's objectives and operations.  These risks are then considered in more detail, to identify their potential consequence.

Some tips for identifying risks include:

  • Workshop the risks in the risk library one by one in round table discussion
  • Obtain reasonable proof of assertions made by individuals, before treating them as facts
  • Consider the history of losses at departmental level
  • Make personal observations if practicable

Describing risks

Each description should be a concise statement incorporating two parts:

  • A description of the risk (e.g., a key member of the faculty leaves with limited notice, taking course notes)
  • A description of the primary consequence (e.g., business interruption and re-creation of course notes)

Approaches used to identify risks include checklists, judgements based on experience and records, flow charts, brainstorming, interviews, workshops, systems analysis and scenario analysis.

Risk categories

The university has identified categories of risk that reflect its current environment.  These are summarized diagrammatically below in Figure 2.  These categories assist in risk identification and provide a basis for organizing and reporting findings.  These categories may be subject to periodic review to ensure they continue to reflect the university's environment.

Risk will be rated according to estimates of likelihood, consequence and existing controls.

The objective of this analysis is to prioritize risks into relevant rating levels.  This rating will be used to focus attention primarily on higher risks.

Although low and medium risks may not be subject to further risk management processes, it is important that they are documented and added to the risk profile to demonstrate the completeness of the risk analysis.

Risk assessment

Risk Likelihood Ratings

Rating risks requires an assessment of their frequency or happening.  Some risks happen once in a lifetime; others can happen almost every day.  The table below provides broad descriptions to support likelihood ratings.

View the UVic risk likelihood ratings.

How to use this Likelihood chart:

We are assessing the likelihood of the risk occurring within our risk timeframe (next 12 months).  If we are assigning likelihood to risks that are more cyclical in nature (e.g., an earthquake), then we use the left column.  We may think that an earthquake has a one in ten chance of happening during the next year (i.e., it is likely to occur once every ten years) and we would rate it as Low.  If we are assigning likelihood to risks that are more one off occurrences (e.g., failure of an IT implementation project), then we would use the right column and choose the rating that best describes the likelihood given our knowledge.  Historically we may conclude that major IT projects may have a Medium to High likelihood of going way over budget, of not meeting deadlines and/or of achieving poor quality outcomes.

We are initially rating likelihood in the absence of controls and then we will build in a rating of the controls.  When we identify controls we are grouping them into 3 main groups (preventative, detective and reactive).  When we are looking at the effect of controls on our likelihood rating, we mainly look at preventative (and some detective), given that we are assuming that the risk has occurred.  So we might say that the likelihood of a major IT project failing is High given the recent history of such projects in other institutions, but then assess the excellent preventative controls (e.g., tender selection processes, project management) will reduce the likelihood to Low.  If we talk in this manner we are constantly putting the focus on the controls and particularly on prevention, which is what is desirable.

Risk impact ratings

Impacts can be described in a number of ways.  A risk can have consequences in terms of:

  • Financial
  • Human impact
  • Interruption to business
  • Interruption to teaching
  • Interruption to research
  • Harm to the environment
  • Damage to reputation and image

Each impact can be rated in terms of its severity, from VERY HIGH to VERY LOW.

The risk impact ratings in the table below provide a summary of each type of risk consequence relevant to the university as well as their severity ratings.

If more than one impact type applies to a particular risk, then the highest identified impact ratings should be used.

View the UVic risk impact ratings chart.

How to use this impact rating chart

We are assessing the impact of the risk assuming that it has occurred.

Think first about the main types of impacts that would accrue if the risk did occur, then for each of the types selected choose the example that best equates to what you think the impact would be.  We will then rate the risk impact to the highest of these choices.

As we go, we may choose to augment this table with specific examples that make it easier for us to rate and also may mean more to the university proper when we socialize this document.

We are rating to the most probable worst case, which can be tricky sometimes, but we will work our way through the first examples and settle into a pattern.  The most important thing is consistency.  We are initially rating impacts in the absence of controls and then we will build in a rating of the controls.  When we identify controls we are grouping them into 3 main groups (preventative, detective and reactive).  When we are looking at the effect of controls on our impact rating we mainly look at reactive (and some detective), given that we are assuming the risk has occurred.  So we might say that a major breach of the privacy act would result in a Medium Inherent Impact ($500,000 fine) but that we have good reactive controls (e.g., insurance) that would reduce the net impact to Low or even Very Low.  If we talk in this manner, we are constantly putting focus on the controls, which is what is desirable.

Risk ranking

Risk mitigation

Risks that are not subject to effective mitigation activity may cause adverse impacts.

For each risk, you should first document the applicable list of mitigation activities.  When thinking about what risk mitigation activity is in place (or should be in place), it is useful to think of the following three things:

  • Prevention - What is in place that will attempt to stop the risk happening in the first place? (e.g., security, awareness and training programs, qualified staff, planning, and/or procedures);
  • Detection - What is in place that will let me know if and when the risk does happen? (e.g., staff/customer reporting mechanisms, financial reconciliation, fire alarms, audits); and
  • Response - If the risk happens anyway, what measures do we have in place to lessen the impact? (e.g., contingency plans, back ups, insurance, resolution processes).

Once documented, the list of mitigation activity should be assessed as to how well the group of mitigation activities address the risk.

To assess mitigation strategy effectiveness, consideration should be given to the following questions:

  • Does the group of mitigation activities address the risk effectively?
  • Are the mitigation activities officially documented and communicated?
  • Are the mitigation activities in operation and applied consistently?

Answers to these questions are scored and the results tallied as per the Table below.  Thought processes underpinning this decision are also summarized below.

Mitigation Table


To ensure that mitigation plans are actioned requires management of the process by relevant senior staff.  This management planning process should include:

  • Allocation of risk mitigation responsibilities;
  • Approval or allocation of resources required;
  • Establishment of deadlines;
  • Report back agreed actions and dates to the Risk Coordinators and Manager - Risk Compliance; and
  • An escalation process

All risks identified as requiring further mitigation should be considered in the context of the options available.  These options should be considered, weighing the cost of implementing each option against the potential benefits.  In some cases, a cost-benefit analysis may be required to assist in the selection process.

When assessing risk mitigation options, it is important to understand that it will often be most appropriate to combine several mitigation options.  Risk responses may be specific to one risk or they might address a range of risks.

By completing a risk mitigation plan, relevant university staff can establish accountability, and ensure that risk management is seen as part of each staff member's responsibility.

Risk mitigation plans act as a reporting mechanism to the relevant user groups.  These plans are flexible, allowing for continual updating and reassessment as risks confronting the university change or the likelihood and consequences change.

Risk reporting

Risk mitigation owners

Each risk will be allocated a "mitigation plan owner."  It will be the mitigation plan owner's responsibility to:

  • Ensure that the mitigation plans are enacted;
  • Resolve any issues that may affect the successful outcome of the risk mitigation plans; and
  • Provide regular status reports on the risk mitigation plans.

Reporting framework

Risk management reports are carefully tuned to the needs of the various users of risk information.  The information must be concise, unambiguous, standardized, consistent and integrated with existing reporting processes.

Annually, a summary of the strategic risks facing UVic will be provided to the Board of Governors.  This report will expand on the risks ranked high and very high, and also list medium risks.

User reports

User Group

User Needs

Report Types

Senior Management

All High and Very High risks

Risk Mitigation report

Risk Trends

Risk Committee

All High and Very High risks

 Risk Mitigation report - from Risk Mitigation Owners

Risk Trends

 Risk Mitigation Owners

All risks under their control

 Detailed - mitigation plans

Summary of risk register