Enterprise Risk Management Policy

Windsor, Ontario

This is the exact embedded text of the captured official document. Snapshot d3387a8dbf33 · verified 2026-06-10 · original document · archived snapshot · unofficial consolidation, the official version is held by the municipal clerk.

Enterprise Risk Management Policy Page 1 of 4

THE CORPORATION OF THE CITY OF WINDSOR
POLICY

Service Area: Office of the Chief Administrative Officer
Policy No.:
Department:
Approval Date:
Division: Corporate Initiatives
Approved By: CR45/2017
Effective Date: January 9, 2017
Subject: Enterprise Risk Management (ERM) Policy
Procedure Ref.:
Review Date: November 28, 2019
Pages: ERM Policy April 20, 2015 CR73/2015
Prepared By: Brittney Yeats
Date: N/A

1. POLICY

1.1 The Enterprise Risk Management (ERM) Policy sets out how ERM will be integrated into the Corporation.

2. PURPOSE

2.1 The ERM Policy governs the identification, assessment and management of the risks that have an impact on City services and strategic objectives. The ERM Policy ensures that risk is managed consistently across services and departments.

2.2 The ERM Policy complements but does not supersede any policy or procedures directed by the City of Windsor's insurers or the Manager of Risk & Insurance or any risk management procedures dictated by provincial or federal statute or regulation.

3. SCOPE

3.1 This procedure applies to ALL City of Windsor departments, services and sub-services that fall under the direct mandate of the CAO. This procedure also applies to agencies, boards, corporations and commissions that are managed as a City department (e.g. Windsor Public Library and Transit Windsor) to the extent that such entities may have adopted it.

3.2 This Policy does not apply to other agencies, boards, corporations and commissions of the City of Windsor or organizations that receive grant funding from the City of Windsor.

3.3 Amendments to any Procedures, Protocols or Processes created under this Policy may be made by the CAO.

3.4 The CAO may create new Procedures to support this Policy.

3.5 Any exceptions to this Policy must be approved in advance by City Council.

4. RESPONSIBILITY

4.1 The Mayor and City Council are responsible for:
- Approving the ERM Policy;
- Setting Corporate Risk Appetite;
- Ensuring that the ERM Policy and ERM Framework are supported through approval of the appropriate allocation of resources;
- Maintaining an awareness of risks to the Corporation's strategic objectives as identified by Administration.

4.2 The Chief Administrative Officer is responsible for:
- Supporting and enforcing the Enterprise Risk Management Policy;
- Encouraging the advancement of a risk management culture;
- Ensuring risks are managed in a manner consistent with the ERM Framework and related Procedures;
- Providing regular updates to City Council regarding Enterprise Risks.

4.3 The Corporate Leadership Team (ERM Governance Committee) are responsible for:
- Supporting the Enterprise Risk Management Policy;
- Encouraging the advancement of a risk management culture;
- Ensuring risks are managed in a manner consistent with the ERM Framework and related Procedures;
- Recommending appropriate resources levels to support the Enterprise Risk Management Policy.

4.4 The Executive Directors are responsible for:
- Enforcing the ERM Policy in relation to their department(s) and service(s);
- Ensuring risks are managed in a manner consistent with the ERM Framework, and related Procedures within their respective departments;

4.5 The Manager of Corporate Initiatives is responsible for:
- Developing and providing training on this policy;
- Monitoring compliance with this policy and related procedures;
- Providing guidance for the advancement and support of ERM throughout the Corporation;
- Liaising with key stakeholders/areas within the Corporation that contribute to the management of risk;
- Reviewing this policy at least once every three years;
- Updating this policy as required.

4.6 Roles and responsibilities are further defined within related procedures and terms of reference documents.

5. GOVERNING RULES AND REGULATIONS

5.1 DEFINITIONS
- Risks - the likelihood that there will be a positive or negative deviation from the expected objective. Risk is inherent in any business venture. Risks can be threats or opportunities and are measured by likelihood or probability of occurrence and the impact or consequences to people or property should they occur. Risks will be classified as low, moderate, significant or critical.
- Enterprise Risk Management (ERM) - the coordinated activities to direct and control risks within an organization. This includes assessing risks, communicating risks, assigning responsibility for risks, identifying mitigating strategies to avoid or reduce risk, planning risk response strategies for reacting when risk occurs and reviewing and improving risk management based on lessons learned from risk experience.
- ERM Framework - the suite of policies, procedures, tools and training that support Enterprise Risk Management within the Corporation. The ERM Framework includes the ERM policy, ERM Assessments and supporting procedures, the Council Report Writing Guide with respect to the risk section of Council Reports, the evaluation and results from the Levels of Service & Risk assessment as directed by the Senior Manager of Asset Planning, the insurance policy or policies carried by the Corporation, the policies and procedures directed by the Manager of Risk and Insurance with respect to insurance risk management and the avoidance of loss or damage to people or property, health and safety policies and procedures as directed by the Executive Director of Human Resources and any other policies, procedures and/or tools implemented by Council or Administration to manage risk.
- Risk Register - a list of risks and all information for each risk (e.g. risk level, risk owner, mitigation strategies etc.).
- Risk Appetite - the general amount of risk the Corporation is willing to accept, which has an influence on how risks are assessed and treated. Knowing the Risk Appetite assists the Corporation in developing risk mitigation and risk response strategies appropriate to the Corporation's needs.
- Insurance Risk Management - a component of Enterprise Risk Management where the purchase and management of insurance is used to transfer the risk to a 3rd party. Insurance Risk Management is managed by the Risk and Insurance division.
- Service - the delivery of an output or benefit to a client as defined in the Inventory of Programs and Services of the Corporation of the City of Windsor.
- Enterprise Risks - broad risk categories that affect the entire Corporation. Enterprise risks are often strategic in nature.

Risk Appetite

5.2 The Corporation is willing to bear or retain risks that are assessed as moderate or low after mitigation in pursuit of its objectives. All critical and significant risks shall require mitigation strategies and a risk owner to be assigned. Risks shall be assigned to the person best able to manage such a risk.

Risk Management

5.3 Staff will make an effort to identify and manage risks under their control and those which may impede the achievement of objectives.

5.4 All risks will be managed in accordance with the processes and tools set out within the Enterprise Risk Management Framework and related procedures. The major steps of the risk management process include:
- Establishing context
- Risk Assessment
- Risk Treatment
- Monitoring and Reviewing Risks
- Communicating and Reporting Risks

5.5 Departmental risk assessments will occur on a multi-year cycle and will be facilitated by Corporate Initiatives.

5.6 All risk information shall be reported on the appropriate risk register and reviewed in a manner consistent with the ERM Monitoring and Reporting Procedure.

5.7 All risks and their mitigation strategies must follow all applicable legislation and City of Windsor by-laws, policies and procedures including, but not limited to:
- Municipal Act
- Council Report Requirements
- Delegation of Authority Report Requirements
- Records Retention Bylaw 12599
- Purchasing By-Law

6. RECORDS, FORMS AND ATTACHMENTS

6.1 All documentation related to this policy, as it applies to departments and services, is the responsibility of the Department Head or designate and shall be filed and retained according to the Corporate Records Retention Policy.

6.2 All documentation related to this policy, as it applies to enterprise risks, shall be filed with the Manager of Corporate Initiatives and retained according to the Corporate Records Retention Policy.