7.11 Risk Management
Proper management of risk is a core leadership function that must be practiced throughout the University System of Georgia (USG). Enterprise Risk Management (ERM) is a process-driven tool that enables management to visualize, assess, and manage major risks that may adversely impact the attainment of key organization objectives. The University System Office and USG institution presidents are responsible for identifying, assessing, and managing risks using the ERM process. The Chancellor shall designate an individual with overall responsibility for the USG risk management program.
7.11.1 Definition of Risk
“Risk” refers to the probability of an event and potential consequences to an organization associated with that event’s occurrence. Risk is inherent to any activity and it is neither possible nor advantageous to entirely eliminate risk from an activity without ceasing that activity.
Risks are defined broadly and are not limited to traditional risks, but also include:
1. Strategic Risks, which affect the ability to carry out goals and objectives as articulated in the USG Strategic Plan and institution strategic plans;
2. Compliance Risks, which affect compliance with laws and regulations and student, faculty, and staff safety, environmental issues, litigation, conflicts of interest, and related matters;
3. Reputational Risks, which affect reputation, public perception, political issues, and related matters;
4. Financial Risks, which affect loss of or ability to acquire assets, technology, and related matters; and,
5. Operational Risks, which affect on-going management processes and procedures.
7.11.2 Management of Risk
Management of risk within the USG is fundamentally a leadership responsibility. The Board of Regents and the Chancellor will define the USG’s ability (risk tolerance) and willingness (risk appetite) to absorb the impact of certain risks. The Chancellor, through senior staff and institutional presidents, shall ensure that USG risks are effectively managed; each institution president performs a similar role within his or her institution.
Certain institutional risks rise to a level such that the institution President shall make the Chancellor and the appropriate System Office department aware of the risk. Acceptance of those risks is at the discretion of the Board and the Chancellor. Risks rising to this level include those where the combination of an event’s probability and the potential consequences is likely to:
- Impair the achievement of a USG strategic goal or objective;
- Result in substantial financial costs either in excess of the impacted institution’s ability to pay or in an amount that may jeopardize the institution’s core mission;
- Create significant damage to an institution’s reputation or damage to the USG’s reputation; or,
- Require intervention in institutional or USG operations by the Board of Regents or an external body.
Some level of risk is not only expected in normal everyday activities but can be beneficial. However, acceptance of risk shall not include:
- Willful exposure of students, employees, or others to unsafe environments or activities;
- Intentional violation of federal, state, or local laws;
- Willful violation of contractual obligations; or,
- Unethical behavior.
7.11.3 Institution Implementation of Risk Management Procedures
An institution-wide approach to risk management shall be adopted by all USG institutions and embedded into the institution’s management systems and processes. All risk management efforts shall be focused on supporting the institution’s objectives. Each institution President shall develop a campus risk management framework and associated procedures that include:
- Formal and ongoing identification of risks that impact the institution’s goals;
- Development of risk management plans;
- Monitoring the progress of managing risks;
- Periodic updates of risk management plans; and,
- Reporting of risks so that significant risks are reported to the Chancellor and appropriate System Office Department.
Each USG institution President shall designate in writing a Risk Management Policy coordinator to assist campus administrators in maintaining the campus risk management framework and procedures. The Risk Management Policy coordinator shall have sufficient authority to ensure high-level management of the institution’s risk management efforts.
At the System level, the Chancellor shall designate an employee or employees to oversee implementation of the Risk Management Policy across the USG and assist University System Office administrators in maintaining the USO risk management framework and procedures. The Committee on Internal Audit, Risk and Compliance shall provide oversight to implementation of the Risk Management Policy and review major risks on behalf of the Board of Regents.
Institution risk management framework and procedures shall be reviewed annually. Periodic reviews for compliance with the system-wide guidelines shall also be conducted by internal audit or a similar accountability function. Additional procedures for risk management policy reporting and implementation shall be established in a System-level procedures manual.