About the Risk Management Process
Risk Identification
The purpose of risk identification is to find, recognize, and describe risks (uncertainties) that might help or hinder the University in achieving its objectives. We categorize risks into five main categories:
- Reputational - How are we protecting the University’s brand and reputation?
- Strategic - How are we meeting the University’s strategic and long-term goals?
- Operational - How can we provide superior service to the students we serve?
- Financial - How can we minimize costs and maximize our return on investments?
- Compliance - How can we ensure we meet legal and regulatory requirements?
ERM facilitates risk identification at an institutional level through various measures, including:
- discussions with stakeholders across campus
- annual risk awareness survey
- tracking claims for trends
- benchmarking with other industry professionals
The risks identified in this step are added to the university’s risk register, defined, assigned ownership and periodically reviewed.
Every department/unit and person can start identifying risks by asking the questions under the risk identification section. Make a log of any identified risks, define each one, assign ownership responsibility and set a plan to work through the next step. If you need assistance or want to report identified risks:
- Fill out the Ask A Risk Manager form
Subject: Information Technology Operations
The example below is used throughout all sections for consistency and because it is an often-encountered risk. The same process, however, applies to almost any identifiable risk in your group.
- IT as a Risk:
- If IT services go down for a department, or are only accessible from certain locations, employees' work and communication would be limited
- IT as an Opportunity:
- Well-integrated IT can allow employees 24/7 access to programs and information both on and off campus, creating more flexibility
Risk Analysis & Evaluation
The purpose of risk analysis and evaluation is to understand the nature and characteristics of the risk, in order to support decisions about additional action that may be required.
ERM facilitates risk analysis and evaluation at an institutional level through various measures, including:
- biennial risk scoring with Board, Executive Committee and Risk Council
- annual compliance survey
- statistical analysis looking for significant changes or divergence
Risks are scored on their current state (with existing controls in place) and quantified using four criteria:
- Likelihood - the probability of the risk event actually occurring (1-low through 6-high)
- Impact - the severity of the consequences if the risk occurs (1-low through 6-high)
- Direction - the course the risk is moving (declining, static or rising)
- Velocity - how fast the risk may affect the organization (very slow, slow, neutral, fast, very fast)
Risks are then plotted on a risk mapping matrix, with likelihood on one axis and impact on the other, each running from low to high.
Go through the scoring exercise with each identified risk on the log. Discuss why each risk scored as it did, possible causes, consequences, existing controls, perceptions and opinions on the risk, etc.
Subject: Information Technology Operations
- Likelihood: 4.2
- Impact: 4.3
- Direction: Rising
- Velocity: Very Fast
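To make the scoring exercise concrete, here is an added example (not code from the University's ERM office) that keeps a small risk register in the four criteria described above, validates the 1-6 scales, places each risk on the 6x6 mapping matrix, ranks the register for the treatment discussion, and prints a text heat map. The page's IT Operations scores (4.2 / 4.3 / Rising / Very Fast) are used as the first row; the other two rows, the colour-band thresholds, the tie-break order and the "escalate" rule are assumptions made for the example, not part of the University's process.

```python
"""Risk register scoring and heat-map placement (added example, assumptions noted)."""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1.0, 6.0
DIRECTIONS = ("declining", "static", "rising")
VELOCITIES = ("very slow", "slow", "neutral", "fast", "very fast")


@dataclass(frozen=True)
class Risk:
    """One row of the risk register, scored on the four criteria."""
    subject: str
    category: str
    likelihood: float   # 1 (low) - 6 (high); averaged scores such as 4.2 are allowed
    impact: float       # 1 (low) - 6 (high)
    direction: str      # declining / static / rising
    velocity: str       # very slow ... very fast
    owner: str

    def __post_init__(self):
        # Reject out-of-range or misspelled scores before they reach the matrix.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be in {SCALE_MIN:g}-{SCALE_MAX:g}, got {value}")
        if self.direction not in DIRECTIONS:
            raise ValueError(f"unknown direction {self.direction!r}")
        if self.velocity not in VELOCITIES:
            raise ValueError(f"unknown velocity {self.velocity!r}")


def score(risk: Risk) -> float:
    """Composite exposure: likelihood x impact (range 1-36)."""
    return risk.likelihood * risk.impact


def _band_index(value: float) -> int:
    """Round an averaged score to the nearest whole band and clamp to 1-6."""
    return int(min(SCALE_MAX, max(SCALE_MIN, round(value))))


def matrix_cell(risk: Risk) -> tuple[int, int]:
    """(likelihood band, impact band) on the 6x6 risk mapping matrix."""
    return _band_index(risk.likelihood), _band_index(risk.impact)


def band(risk: Risk) -> str:
    """Heat-map colour band. ASSUMPTION: the page defines no cut-offs, so this
    example uses score >= 16 high, >= 6 medium, otherwise low."""
    s = score(risk)
    return "high" if s >= 16 else "medium" if s >= 6 else "low"


def needs_escalation(risk: Risk) -> bool:
    """HYPOTHETICAL trigger for an out-of-cycle review: a non-low risk that is
    both rising and moving fast. Not a rule taken from the page."""
    return (band(risk) != "low"
            and risk.direction == "rising"
            and risk.velocity in ("fast", "very fast"))


def rank(register: list[Risk]) -> list[Risk]:
    """Order for the treatment discussion: highest score first; ties broken by
    direction, then velocity (worsening first). Tie-break order is an assumption."""
    return sorted(register,
                  key=lambda r: (score(r), DIRECTIONS.index(r.direction),
                                 VELOCITIES.index(r.velocity)),
                  reverse=True)


def render_matrix(register: list[Risk]) -> str:
    """Text heat map: impact runs up the left axis, likelihood along the bottom;
    each cell lists the 1-based register row numbers that land in it."""
    grid: dict[tuple[int, int], list[str]] = {}
    for row, risk in enumerate(register, 1):
        grid.setdefault(matrix_cell(risk), []).append(str(row))
    lines = []
    for impact in range(int(SCALE_MAX), int(SCALE_MIN) - 1, -1):
        cells = [",".join(grid.get((lk, impact), [])).ljust(4) for lk in range(1, 7)]
        lines.append(f"I{impact} | " + " ".join(cells))
    lines.append("     " + " ".join(f"L{lk}".ljust(4) for lk in range(1, 7)))
    return "\n".join(lines)


# Constructed register: the page's IT Operations scores plus two made-up rows.
REGISTER = [
    Risk("Information Technology Operations", "Operational", 4.2, 4.3,
         "rising", "very fast", "Assistant VP of Information Security"),
    Risk("Research data breach", "Compliance", 2.0, 5.5, "rising", "fast", "Research Office"),
    Risk("Parking revenue shortfall", "Financial", 3.0, 2.5, "static", "slow", "Facilities"),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        flag = "ESCALATE" if needs_escalation(r) else ""
        print(f"{score(r):5.2f} {band(r):6} {flag:8} {r.subject}")
    print(render_matrix(REGISTER))
```

Because the scores are validated when a row is constructed, a typo such as a likelihood of 7 fails immediately rather than silently landing outside the matrix; the ranking and heat map then give the Risk Council one ordered list and one picture to discuss in the scoring meeting.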
Risk Treatment
The purpose of risk treatment is to select and implement options for addressing the risk, and balancing achievement of objectives and costs, effort or other potential disadvantages.
ERM commonly uses the following four strategies. They are not mutually exclusive, and not every strategy is appropriate in every circumstance:
- Avoid – choosing not to take a risk in the first place
- Reduce – utilizing loss control programs
- Transfer – using contracts, waivers or insurance policies to cover the cost of risk
- Retain - choosing to accept the risk
Other loss control measures include documented policies and procedures, adequate training for personnel, appropriate systems and leadership support. There are many ways to mitigate risk.
Use the scoring and notes to discuss risk treatment strategies for each identified risk on the log. Discuss and document any factors that influence decision making, such as resources required to implement, timing, etc.
Subject: Information Technology Operations
- Avoid: carefully vetting potential IT projects
- Reduce: staged rollouts of new systems to limit impact in event of a failure
- Transfer: working with reputable vendors with established contract terms and ensuring cyber insurance policy is in place
- Retain: IT provides an incalculable value to University students and staff with regular improvements to systems. We accept the inherent risk associated with having IT systems but also make effort to mitigate risk resulting from the purchase, use and improvement of IT.
Risk Monitoring
The purpose of monitoring and review is to assure and improve the quality and effectiveness of the risk management process's design, implementation and outcomes. The results of monitoring are incorporated throughout the university's performance management and reporting activities.
ERM monitors risk using performance metrics that are:
- relatively simple to measure;
- directly correlated with operational performance;
- comparable to peer institutions' metrics;
- based on hard data, measuring clearly defined quantities within a range that leaves room for improvement.
There are two main types of metrics:
- Key Performance Indicator (KPI) - a retrospective measure of how well something is being done; a KPI measures the performance of a specific activity against a predetermined level or amount within a specific period of time.
- Key Risk Indicator (KRI) - an early warning that identifies a potential event or exposure that may harm the continuity of the activity, project or mission.
Discuss with your peers how to monitor meeting the established risk mitigation objectives. Potential questions can include:
- Why is this important and what value will this deliver?
- Who do we want to tell about the value?
- How can we demonstrate the value to those stakeholders?
- When will we be accountable to the stakeholders for the value this objective delivers?
Subject: Information Technology Operations
IT is regularly monitored through:
- Security Testing
- Stress Testing
- Service Indicators and problem reporting
- Network Updates
These reports and their results are sent to the delegated risk owner, the Assistant VP of Information Security, who reports findings and concerns to the risk's executive owner, the University's Chief Information Officer, and to the Risk Council. The Risk Council and the executive owner then make recommendations to the ERM Executive Committee, which decides whether mitigation measures are to be implemented.
Risk Communication
Throughout the risk management process, communication is the most important component. Open discourse between colleagues, administration, students and ERM is what allows the university to identify, analyze, mitigate and monitor the risks.