Risk Management
Governance Policies and Procedures
Policy Number: G 5.3 | Policy Type: Governance | Approval Date: April 2026 | Scheduled Review: Every 3 Years (2027)
INTRODUCTION
The risks identified for the Ontario Library Association (OLA) are predominantly operational in nature and are typically mitigated by staff. However, some risks are governance in nature, such as budgets, political matters, and financial sustainability; others are operational matters at such a high risk level that the Board should be aware of and monitor them.
Responsibility
Risk management is a shared responsibility. All Board members, staff, and volunteers have an ongoing responsibility to take appropriate measures within their scope of authority and responsibility to identify, assess, manage, and communicate risks. Specifically:
- As part of the annual planning, the Board will receive semi-annual reports on risk to the Association. The Board will provide direction to Committees and the Executive Director on mitigation expectations.
- The Executive Committee will receive information between regular reports, as needed, and apprise the Board accordingly.
- The Fund Development Committee will have the primary responsibility of reviewing Upside Risk and making recommendations to the Board on potential opportunities.
- The Executive Director will ensure risk is both monitored and mitigated by staff and volunteers, and will provide semi-annual reports to the Board and any emergent updates to the Executive Committee. The Executive Director will ensure a comprehensive risk training program is developed by Human Resources, the volunteer services, and programs, so that both staff and volunteers are trained in identification and, where appropriate, mitigation.
- Volunteers will incorporate the principles of risk management in planning for all events and activities, including training prior to events and awareness and mitigation during events.
Definitions
For the purposes of risk management, the OLA works with two types of risk:
- Upside Risk – areas of risk taken to try to grow or create new opportunities;
- Downside Risk – areas where the risk will have a negative impact and create losses.
- Risk Register – the register is designed to address the Downside Risk. Some Low-Risk items could be brought into upside risk by further effort to bring about growth, but upside risk will most commonly be addressed by the Board through budget exercises when prospecting (taking calculated risk to produce growth) new programs, initiatives, services, and membership options.
Risk Management Principles
The International Standard Organization (ISO 31000:2009E) states that risk management:
- creates and protects value,
- is an integral part of all organizational processes,
- is part of decision making,
- explicitly addresses uncertainty,
- is systematic, structured, and timely,
- is based on the best available information,
- is tailored,
- considers human and cultural factors,
- is transparent and inclusive,
- is dynamic, iterative, and responsive to change,
- facilitates continual improvement of the organization.
GENERAL:
Understanding the Risk Register
The OLA Risk Register assesses the downside risk to the OLA by multiplying the Likelihood that an occurrence could happen by the Impact that it would cause, and then sorting the resulting score into Low, Moderate, High, and Critical categories of outcomes.
LOW-Green: 1-6 Acceptable risk. While the risk is present, it is managed at the activity and operational levels. No additional action is required other than to ensure mitigation controls are continued.
MODERATE-Yellow: 7-10 Management action is required to reduce risk levels to Low or acceptable risk. These matters may be evaluated based on environmental conditions, which could move them up to High, and should be monitored. All mitigation is time-sensitive.
HIGH-Orange: 11-16 Board awareness and involvement is required due to the potential significant and unacceptable impacts to the Association. Management action is required to reduce risk levels to Moderate or Low. These matters may be evaluated based on environmental conditions or known factors which could move the already concerning situation from High to Critical, and should be addressed with time-sensitive mitigation immediately.
CRITICAL-Red: 17-25 Board awareness and involvement are required due to the significant and unacceptable impacts to the Association. Substantial efforts are required to reduce the risk immediately. If the risk is unacceptable the activity may need to be halted or discontinued. If this is a required action, all attention should be put to this matter to lower the risk and mitigate major impacts.
Mitigation Strategies
Mitigation measures fall into four broad categories:
- Retain the risk – no action is taken because the possibility and consequence of the risk are low. It may also be that the risk is inherent in the activity itself and thus can be accepted in its present form.
- Reduce the risk – steps are taken to reduce the possibility of the risk, and/or its potential consequences, through efforts such as improved planning, policies, delivery, supervision, monitoring, or education.
- Transfer the risk – accept the level of risk but transfer some or all of it to others through the use of insurance, waiver of liability agreements or other business contracts.
- Avoid the risk – eliminate the risk by avoiding the activity giving rise to the risk – in other words, simply decide NOT to do something, or to eliminate some activity or initiative.
Risk Tolerance
As a non-profit, the OLA has an overall low tolerance for risk. It may be that a specific event or risk is deemed higher risk; however, the potential losses or risk event would not significantly hinder operations. It may also be that a specific risk is unable to be mitigated quickly or would be costly to mitigate.
In these circumstances the Board must be apprised of the risk and all its related variables (cost to mitigate, opportunity lost by not taking risk, possible outcomes, etc.). The Board must pass a motion specifically excluding the risk from the procedures outlined above. Any risk excluded from procedure must be regularly reviewed. The Board must pass a motion to continue to leave the risk unmitigated or under-mitigated on an annual basis at a minimum.
Reporting
The Board reports will include:
- A comprehensive Risk Register which identifies the item, Initial Risk Level, and Concern. This will then show the mitigation process and Residual Risk following mitigation. Additionally, the owner or responsible party of the item and mitigation will be included.
- A summary of the Risk Register highlighting those items which the Board should have flagged for discussion and review.
- The various areas of operation and governance such as:
a. Charitable
b. Financial
c. Governance and compliance
d. Human Resources
e. Identity & Reputation
f. Insurance, Safety & Security
g. Member Retention
h. Records Management & Business Continuity
Revised: March 2025
Date for Review: 2028; Every 3 Years