7.15 Risk Management Policy
Risk refers to the probability of an event and potential consequences to an organization associated with that event’s occurrence. Risks do not necessarily exist in isolation from other risks; as a result, a series of risk events may result in a collective set of consequences that is more impactful than the discrete set of consequences associated with risk events taking place in isolation. Risk is inherent to any activity. It is neither possible, nor advantageous, to entirely eliminate risk from an activity without ceasing that activity. The safest ships are the ones that do not sail, but that is not what they are designed for.
A risk is defined as Major when the combination of an event’s probability and the potential consequences is likely to:
- Impair the achievement of a University System of Georgia (USG) strategic goal or objective;
- Result in substantial financial costs either in excess of the impacted institution’s ability to pay or in an amount that may jeopardize the institution’s core mission;
- Create significant damage to an institution’s reputation or damage to the USG’s reputation; or,
- Require intervention in institutional or USG operations by the Board of Regents and/or an external body.
Major Risks are a subset of the larger category of Significant Risks referenced in the Risk Management Policy. Major Risks are the most critical risks and must meet the definition of Major Risk as defined in Section 7.15.1 of this Policy Manual. Significant Risks include Major Risks but also include less critical risks. The definition of Significant Risk will be detailed in the System-level procedures manual referenced in Section 126.96.36.199 of this Policy Manual. However, the level at which a risk becomes Significant will vary by institution given each institution’s risk tolerance, resources, and ability to manage risk events. (BoR Minutes, August 2010)
The Board of Regents recognizes that the proper management of risk is a core leadership function that must be practiced throughout the USG. The Enterprise Risk Management (ERM) framework shall be the accepted framework for USG risk management. ERM is defined as a process-driven tool that enables management to visualize, assess, and manage significant risks that may adversely impact the attainment of key organizational objectives. It is the responsibility of USG and institutional leaders to identify, assess, and manage risks using the ERM process. The successful implementation of ERM policies and practices can enhance potential opportunities to help achieve organizational objectives.
Some level of risk is not only expected in normal everyday activities but can be beneficial. However, acceptance of risk shall not include:
- Willful exposure of students, employees, or others to unsafe environments or activities;
- Intentional violation of federal, state, or local laws;
- Willful violation of contractual obligations; or,
- Unethical behavior.
Risk management decisions should be made after conducting a cost-benefit analysis; such analysis should take into account the potential costs associated with the identified risk should the risk event take place as compared to the costs associated with mitigating the risk. It should be noted that these costs are not only financial but may also include substantial damage to reputation, opportunity costs, potential litigation, distraction from core missions, obsolescence and others.
While it is challenging to properly assess some risk events prior to them happening, Major Risks that could result in significant long-term damage to the USG or a USG institution must be identified to the Board and the Chancellor as soon as possible. Acceptance of Major Risks must be at the discretion of the Board and the Chancellor. The System-level procedures manual referenced in Section 188.8.131.52 of this Policy Manual shall provide additional guidance on the timing and form pertaining to the reporting of Major Risks. Significant Risks should be identified in a timely manner. Significant Risks specific to an institution or unit shall be accepted and/or managed by the institution’s president or the president’s designee.
Categories of risks managed through the ERM framework include:
- Strategic Risks – Affect ability to carry out goals and objectives as articulated in the USG Strategic Plan and individual Institution Strategic Plans;
- Compliance Risks – Affect compliance with laws and regulations, student, faculty and staff safety, environmental issues, litigation, conflicts of interest, etc.;
- Reputational Risks – Affect reputation, public perception, political issues, etc.;
- Financial Risks – Affect loss of or ability to acquire assets, technology, etc.; and,
- Operational Risks – Affect on-going management processes and procedures.
An identified risk may fall into multiple categories. (BoR Minutes, August 2010)
7.15.3 General Objectives
The purpose of the Risk Management Policy is to strengthen the proper management of risks through proactive risk identification, risk management, and risk acceptance pertaining to all activities within the University System Office and USG institutions.
The Risk Management Policy is intended to:
- Ensure that Major Risks are reported to the Board and the Chancellor for review and acceptance;
- Result in the management of those risks that may significantly affect the pursuit of the stated strategic goals and objectives;
- Embed a culture of evaluating and identifying risks at multiple levels within the USG and USG institutions;
- Provide a consistent risk management framework in which the risks concerning USG and institutional business processes and functions are identified, considered, and addressed in key approval, review and control processes;
- Ensure that institutions communicate Significant Risks to the USG level so risk can be measured across the System;
- Inform and improve decision-making throughout the University System;
- Meet legal and regulatory requirements;
- Assist in safeguarding USG and institutional assets to include people, finance, property and reputation; and,
- Ensure that existing and emerging risks are identified and managed within acceptable risk tolerances.
(BoR Minutes, August 2010)
The Risk Management Policy applies to all USG institutions and the University System Office. (BoR Minutes, August 2010)
An institution-wide approach to risk management shall be adopted by all USG institutions. It is expected that risk management processes will be embedded into the institution’s management systems and processes. All risk management efforts will be focused on supporting the institution’s objectives. Therefore, each institution president shall develop a campus risk management framework and associated procedures that include:
- Formal and ongoing identification of risks that impact the institution’s goals;
- Development of risk management plans;
- Monitoring the progress of managing risks;
- Periodic updates of risk management plans; and
- Reporting of risks so that Significant Risks can be rolled up to the System level.
Risks may be managed by using one or more of the following methods:
- Avoid (eliminate, withdraw from or do not become involved in an activity creating risk);
- Retain (accept the risk and plan for the expected impact);
- Transfer/Share (move the risk to another party by hedging against undesired outcome or reduce the risk through processes such as insurance); and,
- Reduce (control the risk through additional or optimized controls).
Each president shall designate in writing a Risk Management Policy coordinator to assist campus administrators in maintaining the campus risk management framework and procedures. The Risk Management Policy coordinator shall have sufficient authority to ensure high-level management of the institution’s risk management efforts.
At the System level, the Chancellor shall designate an executive-level position to oversee implementation of the Risk Management Policy across the University System of Georgia. The Chancellor also shall designate a Risk Management Policy coordinator to assist University System Office (USO) administrators in maintaining the USO risk management framework and procedures. The Committee on Internal Audit, Risk and Compliance is the Board committee that shall provide oversight to implementation of the Risk Management Policy and review Major Risks on behalf of the Board of Regents.
Campus risk management framework and procedures shall be reviewed annually. Periodic reviews for compliance with the system-wide guidelines shall also be conducted by internal audit or a similar accountability function. Additional procedures for risk management policy reporting and implementation shall be established in a System-level procedures manual. (BoR Minutes, August 2010)