Statement of Institutional Risk Appetite

Related Policies, Guidelines & Procedures:

1. Policy 11 - University Risk Management

2. Risk Management Reporting Guideline

3. Institutional Risk Mitigation Strategy

Capitalized terms used but not defined in this Statement have the meaning given to such
terms in the Policy.

1. Introduction
University of Waterloo Policy 11 – University Risk Management (the “Policy”) provides
the principles and framework for Risk assessment, monitoring and reporting under the
University Risk Management (the “URM”) program. The Risk Management Reporting
Guideline (the “Guideline”) is an integral part of the Policy and provides guidance to
employees assessing, monitoring and reporting Risks under the Policy.

This Statement of Institutional Risk Appetite (the “Statement”) is a set of principles related
to appetite for risk acceptable at the institutional level, based on a consideration of the
risk categories and, in some cases, individual risks identified in the Risk Registry provided
in Appendix A to the Guideline. The principles outlined in this Statement have been
developed by the President, the Vice-Presidents and the University Secretary, after
consultation with the Audit & Risk Committee (the “Committee”) of the Board of
Governors.

The University Secretary will initiate a review of this Statement on an annual basis in
September, in advance of the meeting of the Committee scheduled for October each
year. This Statement and any revisions will be provided to Executive Council for
information, and will be published on the website of the Secretariat.

This Statement may be relied upon generally for guidance in the assessment and
management of risks at the local level across the University, although it is intended to
apply formally when Risk at the institutional level is under consideration.

2. General Principles
The University will take a responsible approach to URM in pursuit of its strategic
objectives as identified in its strategic plan. Risks will be identified, assessed and
managed in a manner consistent with the Policy and the Guideline.

The appetite for risk associated with a project or operations under assessment is
determined by taking into consideration the risk likelihood and the risk impact (as outlined
in the Guideline). According to the Guideline, the product of the risk likelihood and the risk
impact yields the risk rating. The escalation paths outlined in Appendix D to
the Guideline must be followed where the Risk Rating exceeds the following thresholds
related to the risk appetite established in this Statement:

Low Risk Appetite – follow appropriate escalation path where the risk rating is 6 and
above

Moderate Risk Appetite – follow appropriate escalation path where the risk rating is 11
and above

High Risk Appetite – follow appropriate escalation path where the risk rating is 16 and
above

The escalation path appropriate to the risk rating and the risk appetite, as indicated in
the Guideline, must be followed (i) prior to taking any action on the project or operation
under consideration, and/or (ii) for direction on taking corrective action.

In general terms, and subject to the specific statements of risk appetite in section 3 of this
Statement, the University has a high appetite for Risk in the pursuit of innovation,
transformational research, scholarship, and instructional innovation. This high appetite for
Risk is consistent with the ambitions of the university as set forth in its strategic plan.

Further, and also in general terms, the University has a moderate appetite for Risk related
to the student experience, and financial health and performance, and a low appetite for
risks related to safety, statutory and regulatory compliance, and the exercise of fiduciary
responsibility. The moderate and low appetites in these general categories are consistent
with the idea of the University as a public institution, operated in the execution of a public
trust and as steward of public resources, with responsibility for creating the conditions
best suited to the achievement of individual and institutional success.

3. Specific Statements of Institutional Risk Appetite - Risk Categories
The following specific statements of institutional risk appetite are derived from the categories
of institutional risk set forth in the Risk Registry appearing as Appendix A to
the Guideline.

The categories represent seven groupings of the 30 most prominent institutional Risks
identified through the University’s institutional risk survey, conducted in June of the third
year in each five-year strategic planning cycle. As adjustments are made in the 30 most
prominent Risks, adjustments will likewise be made in the categories. Those adjustments
will be reflected as necessary in the annual review of this Statement referred to in the
Introduction above.

As each risk category is introduced below, a general description of the category is
provided, together with a list of the institutional Risks included in the category. For
definitions of each institutional Risk, please see the Risk Registry appearing as Appendix
A to the Guideline. In some cases, risk appetite is simply stated based on the category
as a whole. In other cases, specified Risks inside a category must be considered
separately, and those are provided below in individual detail.

Category 1 – Environmental Risks

This category includes Competitor Risk and Government Policy Risk. It is distinct
because the university has little conventional direct control in management of these Risks,
such that mitigation plans are often characterized by anticipating and preparing for
change in the environmental landscape.

Because Environmental Risks may have a significant impact on the ability of the university
to meet its objectives, the university has a low appetite for Risks in this category.

Category 2 – Financial Resources Risks

This category includes Capital Availability Risk, Advancement Risk, Financial Risk,
Liquidity Risk, Interest Rate Risk, Credit/Default Risk, and Financial Instrument Risk. It
is distinct because it relates generally to the university’s sources of and management of
financial resources. Some of the Risks in this category are beyond the conventional direct
control of the university, while others can be mitigated through direct action by
management.

The university has a moderate appetite for Risks in this category, recognizing in general
terms (i) the regular oversight of Risks in this category by committees of the Board of
Governors and management, (ii) the contemporary financial well-being of the university,
and (iii) the ability of management to make adjustments in financial management on a
year-by-year basis.

Category 3 – Human Resources Risks

This category includes Skills & Capacity Management Risk, Productivity Risk, Change
Readiness Risk and Accountability Risk. It is distinct because it relates to the state of the
university’s workforce and the major Risks related to the sustainability of productive,
engaged, accountable employee groups.

The university has a moderate appetite for Risks in this category, based in large part on
the historical collaboration between employee groups and management, and the
demonstrated willingness to cooperate in identifying innovative solutions to challenges in
the workplace.

Category 4 – Leadership Risks

This category includes Management Effectiveness Risk, Decision Making Risk,
Performance Management Risk, Governance Risk and Planning Risk. It is distinct
because it relates to the governance structures of the university and the effectiveness of
management, working within those structures, in planning the university’s future and
seeing to the execution of those plans.

The university has a low appetite for Risks in this category, primarily because the Risks
associated with this category have a direct impact on the ability of management to
address URM across the other categories. In other words, if the university tolerates
undue risk in this category, then the ability of the university to meet the stated risk
thresholds in the other categories will be jeopardized.

Category 5 – Physical Plant Risks

This category includes Physical Infrastructure Risk and Security Risk. It is distinct
because it relates to the university’s physical plant and to the statutory and regulatory
responsibilities of the university in managing the physical plant. In turn, managing these
Risks has a direct impact on the safety and security of members of the university
community and visitors to university properties.

The university has a low appetite for risks in this category. The development,
maintenance and operation of the university’s physical plant, meeting or exceeding the
university’s statutory and regulatory responsibilities, is central to the delivery of the
university’s core mandate and vital to the safety and security of all members of the
university community and visitors to university properties.

Category 6 – Core Mandate Risks

This category includes Reputation Risk, Student Satisfaction Risk, Academic Program
Management Risk, Strategic Enrolment Management Risk, Resource Allocation Risk,
Research Risk and International Risk. While this category is distinct in grouping Risks
related clearly to the execution of the university’s core mandate, Risks inside the category
must be considered in sub-groups because of their separate significance.

The university has a low appetite for Reputation Risk. Preserving the university’s
reputation has a direct impact on the accomplishment of many of the key objectives of
the university, and it must be managed with that in mind.

The University has a low appetite for Research Risk, based as that risk is on compliance
by the University with ethical, fiduciary and regulatory standards.

The university has a moderate appetite for Student Satisfaction Risk, Strategic
Enrolment Management Risk, Resource Allocation Risk, and International Risk. While
aspects of activities contemplated by these Risks relate directly to the ability of the
university to pursue its key objectives, mitigation strategies for these Risks are
understood to be largely within the control of management.

The university has a high appetite for Academic Program Management Risk. It is in
areas of activity contemplated by this Risk that the University’s focus on innovation in
general, transformational research, scholarship, and instructional innovation is found, and
the tolerance of a high level of Risk in these areas is consistent with the University’s
ambitions as stated in its strategic plan.

Category 7 – Information Technology Risks

This category includes Confidentiality/Access Risk, Integrity Risk, and Institutional
Information Systems & Technology Risk. It is distinct in that all Risks in this category can
be mitigated through enhancements to technology and the processes by which
technology is used and managed.

The university has a low appetite for Confidentiality/Access Risk. This Risk relates
directly to the University’s legal compliance obligations with respect to freedom of
information and protection of privacy, and can relate to the safety and security of members
of the University community.

The university has a low appetite for Integrity Risk, and Institutional Information Systems
& Technology Risk. In general, the University relies on the management of Integrity Risk
to ensure that other Risks, including but not limited to those in Category 2 – Financial
Resources Risks and Category 3 – Human Resources Risks, are properly controlled, and
for that reason Integrity Risk must be kept to a low appetite. Further, Institutional
Information Systems & Technology Risk contemplates the use of information technology
in service of the achievement of the core mission of the University through teaching,
learning and research.
