Most every leader in the higher education space instinctively measures strategic, reputational, financial and regulatory risk as part of their daily decision-making processes. A successful leader understands the risk-taking appetite and philosophy of their institution and transforms it into opportunity. To assist the University’s Board of Trustees and Executive Leadership, a University Risk Committee was established in 2013 at the direction of OSU Legal.
The University Risk Management Committee provides our executive leaders, senior leaders, directors and managers with the appropriate tools to quantitatively and qualitatively assess risk, which will aid them in the decision-making process. Our guiding principles are based on safety, simplicity, transparency, consistency and integrity, with a focus on inclusion and utility.
How We Do It –
The University Risk Assessment is conducted annually by the Office of Risk Management (Risk Management) and the Office of University Compliance and Integrity (Compliance). The Assessment uses a consistent approach to identify and rate all key risks across the university in order to support university decision-making, budgeting and the strategic planning process.
Compliance also independently conducts a Compliance Risk Assessment on an annual basis as a key component of the University Risk Assessment. Compliance risks are identified through the university’s Regulatory Inventory, a list of critical legal requirements applicable to the university, and evaluated based on the university’s current ability to meet those requirements. The Regulatory Inventory was created, and is maintained, jointly by Compliance and the Office of Legal Affairs. The results of the Compliance Risk Assessment provide the basis for the university’s Annual Compliance Plan, as well as detailed Annual Plans for key units.
The risk assessment process operates on a three-year cycle. The first ever University and Compliance Risk Assessments were conducted for FY2014. The first year of the risk assessment process involved a broad-based, bottom-up (micro or business level) and top-down (macro or university-wide) approach focused heavily on risk identification, which utilized a quantitative rating methodology to effectively sort the multitude of identified risks across the university spectrum. The sorted risks were then evaluated and prioritized by the university’s senior leadership through the University Risk Management Committee. The second and third years of the risk assessment cycle involve an annual qualitative update to the University and Compliance Risk Assessments. Updates reflect external changes (e.g., economic, regulatory), changes to university strategy and operations, and adverse impacts (e.g., litigation, audit findings). The FY2015 University Risk Assessment reflects the first qualitative update to the FY2014 Risk Assessment. When the risk assessment cycle starts over in FY2017, another bottom-up assessment will be conducted, much like in FY2014.
Who Is Responsible For It –
The University Risk Assessment resulted from an analysis of risks across all areas of university activity. University leaders and their teams were asked to identify their top risks: either existing risks currently facing the university, or opportunities that, if unaddressed, would present risk to the university in the future (e.g., online education, emerging risks). These risks were then assessed through a consistent methodology: (a) the identification and organization of risks into risk categories; (b) the rating of each risk in an uncontrolled state, for its “Inherent” risk rating; (c) the rating of each risk’s current controls, to determine the remaining or “Residual” risk rating; and (d) a qualitative assessment of each top risk based on both external and internal factors. This methodology is explained in greater detail below.
a. Risk Categories
The assessment of university risks began through the development of 12 risk categories to organize identified risks. These categories, which were developed with the assistance of stakeholders, aligned to many of the university’s organizational units while providing a simplified structure to discuss risks with stakeholders and their teams. These categories are as follows:
Although university risk experts typically identified risks in the category most aligned to their area of responsibility, the process captured all identified risks and did not limit experts to their specific area of expertise.
The 12 risk categories, with demonstrative examples, are as follows:
b. Inherent Risk Rating
Once risks were identified for a given team or category, we worked with risk experts to rate each risk without mitigation (the Inherent Risk Rating). This rating ensured a focus on the most important risks and was derived from two factors: the risk’s impact and its likelihood. The impact rating sought to determine the materiality of a risk based on three different types of potential consequence: financial, reputational, and regulatory. The risk’s impact was determined by the highest rated consequence of the three. The likelihood rating sought to determine the probability of the risk occurring based on the frequency of the underlying activity or event.
c. Residual Risk Rating
Next, through the Residual Risk Rating process we asked risk experts to evaluate the effectiveness of existing controls on a risk. If the risk is already present, we evaluated the effectiveness of existing requirements (e.g., policies and procedures), controls (detailed requirements), and oversight (testing and reporting), and the control score was based on the highest (worst) category. For opportunity (future) risks we evaluated the existence of current planning to prepare to meet the opportunity. The Residual Risk Rating resulted from the product of its Inherent Risk Rating and its control process score (Residual Risk = Inherent Risk Rating × Control Process Score).
To simplify the results and focus on top risks, we did not perform a control assessment of all risks. Rather, we established a threshold to ensure that only top risks were assessed: that is, we assessed the controls for all risks with an Impact score of 2 (a risk that could result in a financial loss greater than $500,000; publicity; or an advisory letter or other enforcement interest from a regulatory body) or above.
d. Qualitative Assessment
We qualitatively determined the “top risks” using an analysis of external and internal factors affecting the magnitude of the risk. External factors consist of events or actions that occur outside of the University’s control. These include new or updated regulations/policies, new publicity surrounding a particular risk that could affect OSU’s reputation, or significant regulatory action. Internal factors consist of events that occur as a result of OSU’s actions. These include changes to University strategy, operational changes, Internal Audit findings, investigations, and other adverse events. After we analyzed all the above, we developed a detailed summary of all University Risks.