The Risk Management Policy serves as a statement of the overall UNCG risk management goals and focus. It is intended to ensure a consistent approach to risk management throughout the university.
Risk refers to the probability of an event and potential consequences, both positive and negative, to UNCG. Risks do not exist in isolation from other risks, and a series of risk events may result in a collective set of consequences that have a greater impact than the individual consequences associated with each risk event taking place in isolation. Risk is inherent to any activity, and it is neither possible, nor advantageous, to entirely eliminate risk from an activity without ceasing that activity.
Proper management of risk is a core leadership function that must be practiced throughout the University. Institutional Risk Management is a process-driven tool that enables administrators to visualize, assess, and manage significant risks that may impact the attainment of key UNCG objectives. It is the responsibility of UNCG and its leaders to identify, assess, and manage risks using the Institutional Risk Management process.
Some level of risk is not only expected in normal everyday activities but can be beneficial. However, acceptance of risk shall not include:
- Willful exposure of students, employees or others to unsafe environments or activities;
- Intentional violation of federal, state, or local laws;
- Willful violation of contractual obligations; or
- Unethical behavior.
Categories of risks managed through the Institutional Risk Management Process include:
- Strategic Risks
- Compliance Risks
- Reputational Risks
- Financial Risks
- Operational Risks
- Hazard Risks
This policy addresses Institutional Risk Management and applies to the entire University community. Each member of the University community has a role to play in risk identification and management through the integration of risk management and planning processes and the embedding of risk management processes into management activities. This policy is not intended to outline specific procedures as they evolve with time and circumstance. Some of the more pertinent procedures can be found on the IRM webpage.
3. Definitions and Roles and Responsibilities
3.1 Definitions
- Strategic Risks: Risks that affect the ability to carry out goals and objectives.
- Compliance Risks: Risks that affect compliance with laws and regulations and student, faculty, staff and visitor safety, such as environmental issues, litigation, conflicts of interest, and privacy.
- Reputational Risks: Risks that affect the University’s reputation.
- Financial Risks: Risks that affect the loss of, or the ability to acquire, assets or technology.
- Operational Risks: Risks that affect ongoing management processes and procedures.
- Hazard Risks: Risks that affect the ongoing operation of the University through man-made, natural or other adverse events.
3.2 Roles and Responsibilities
The Board of Trustees provides risk oversight and sets the university’s risk appetite. In order to support the board in this regard, its members are kept informed of IRM’s regular and repeatable processes designed to manage institutional risk within our risk criteria and to provide reasonable assurance regarding achievement of university objectives. The Board of Trustees should be certain that it is properly informed and that an appropriate culture of risk-awareness exists throughout the institution.
The IRM Steering Committee is composed of the Provost, the Vice Chancellor for Finance and Administration, the Vice Chancellor for Information Technology Services, and the Director of Internal Audit, and is advised by General Counsel. The IRM Officer and other staff will provide support to the committee as required. The IRM Steering Committee meets as needed and is charged with guiding the advancement of Institutional Risk Management, providing its programs and the IRM Committee with direction, and assessing ongoing performance. Minutes of IRM Steering Committee meetings will be approved and archived. The IRM Steering Committee reviews and approves IRM presentations to the Compliance, Audit, Risk Management, and Legal Affairs (CARL) Committee of the Board of Trustees and assists in the evaluation of any comments or questions the Board may have. The IRM Steering Committee assesses progress toward optimal risk treatment of identified institutional risks and recommends changes in course as needed.
The IRM Committee meets at least quarterly. Its members are the Vice Chancellor for Student Affairs designee, the Vice Chancellor for Information Technology Services designee, the University Controller, the Director of Environment, Health and Safety, the Chief of University Police, the Assistant Athletic Director of Operations, the Vice Chancellor for Research and Engagement designee, and other members as needed, to be determined by the IRM Committee membership; the committee is advised by the General Counsel designee. Through various work groups, committee members actively work on Tier I risks as well as associated risk treatments. The IRM Committee has the additional responsibility of providing a common-sense framework within which to scan the university’s environment to identify risk as an integral part of all organizational processes. Minutes of IRM Committee meetings will be approved and archived.
The IRM Officer provides university-wide leadership to identify and manage possible strategic, financial, operational, compliance, hazard or reputational risks. The IRM Officer develops the Institutional Risk Management Program for the university, applying best practices, the standards mentioned above and other industry guidance. In order to foster a risk management culture, the IRM Officer is available for consultation and discussion relative to issues of institutional risk as well as forwarding those issues to appropriate leadership.
The IRM Officer chairs the Institutional Risk Management Committee and works with committee members to identify items for meeting inclusion. The IRM Officer works with the IRM Committee and Executive sponsors to collaborate on a holistic approach to evaluate university risks and select optimal risk treatments.
The IRM Officer promotes risk awareness programs throughout all sectors of the university and provides support to university leadership in defining, maintaining, and educating university stakeholders through the development or procurement of best-practice-related or instructional literature.
The Chancellor’s Council member or designee assigned to each Tier I risk (the Executive Sponsor) is empowered to collaborate cross-divisionally and guide the work involved in managing the associated risks. Executive Sponsors have the authority to manage risks as well as the commitment to make the necessary resources available to assist those accountable and responsible for risk treatment. Executive Sponsors may find it advisable on occasion, due to the potential for (or the appearance of) a conflict of interest, to seek guidance from the IRM Steering Committee through the IRM Officer with regard to assessment and risk treatment.
Institutional risk is managed with procedures and tools consistent with industry best practices as reflected primarily in the International Organization for Standardization’s ISO 31000: Risk Management Principles and Guidelines; however, some elements of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management Framework are incorporated as well.
5.1 Approach to Risk Management
UNCG’s approach to risk management reflects an understanding of the institution and its context. UNCG’s framework for managing risk is based upon a three-tiered risk management system. Tier I risks have the potential to significantly affect the university’s mission, strategies and goals. Tier II risks are shared risks across multiple areas or single area risks with cascading impacts. Tier III risks are unit or single area risks which are largely identified and managed at the department level.
5.2 Effective Risk Management
- Creates and protects value
- Is an integral part of all organizational processes
- Is part of decision-making
- Explicitly addresses uncertainty
- Is systematic, structured, and timely
- Is based on the best available information
- Is tailored
- Takes human and cultural factors into account
- Is transparent and inclusive
- Is dynamic, iterative, and responsive to change
- Facilitates continual improvement of the organization
- The institution has a current understanding of the major known risks it faces with the potential to impede achievement of its strategic objectives.
- Risk management and awareness is integrated at all levels of the organization.
- The institution’s risks are within its risk criteria.
5.4 Risk Assessment Processes
Risk Identification is accomplished through committee discussion, unit risk assessment, periodic stakeholder interviews, and education and outreach throughout the institution on a regular basis. Unit Risk Assessment is a process intended to identify individual risks based on likelihood of occurrence and potential institutional impact should they occur. Departments, programs or activities are chosen for assessment based on a number of factors, including the number and complexity of risks involved, the interdependence of different risks and their sources, and the degree to which the unit’s risks impact the institution as a whole. Strategically critical units should be assessed every three years at minimum.
Risk Analysis is performed on qualitative and quantitative data derived from risk assessments, stakeholder interviews, relevant external events and UNCG’s risk events and near-misses. Risk analysis should result in robust indicators that provide adequate data to recognize shifts in internal and industry risk patterns when they are most valuable, during the development phases of important strategic initiatives.
Risk Evaluation is intended to inform decision-making regarding risk treatment and employs the results of risk analysis. This is primarily accomplished through periodic comparison of current risk ratings with previous ones, as well as by looking at actual losses in context. Further analysis is often deemed necessary before risk treatment decisions can be made. The IRM office is charged with reviewing best practices and applying them in the evaluation of risk.
Risk Treatment emphasizes continual improvement through the use of appropriate measures to modify risk exposure and the review and subsequent modification of processes, systems and resources. It is a cyclical process involving the formulation of treatment measures, the evaluation of their efficacy, the generation of new measures as necessary and the subsequent assessment of the new measures. Risk Treatment Planning is undertaken at regular intervals for all Tier I Risk Areas. “Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the environment. Decisions should also take into account risks which can warrant risk treatment that is not justifiable on economic grounds, e.g. severe consequence but extremely unlikely risks.” – ISO 31000
6. Compliance and Enforcement
The Vice Chancellor for Finance and Administration, the Office of the General Counsel, the Office of Internal Audit and the Office of Institutional Risk Management will enforce this Policy and establish standards, procedures, and protocols in support of the policy.