01.240 Risk Management Policy

Chancellor

 June 2014

UNC Code, Section 502 Chancellors of Constituent Institutions; UNCW 02.100 Protocol for Establishing Policies and Procedures

• The UNC Policy Manual hhttps://www.northcarolina.edu/offices-and-services/governance-legal-and-risk/policies-and-resources/
• ERM webpage https://uncw.edu/ba/erm/
• UNCW Policies https://www.uncw.edu/about/policies/index.html
• Board of Trustees Audit Committee Charter https://uncw.edu/ia/about/committee.html
• UNCW Strategic Action Plan

Provost and Vice Chancellor for Academic Affairs/Vice Chancellor for Business Affairs/Vice Chancellor for Student Affairs/Office of the General Counsel/Office of Internal Audit and Office of Institutional Risk Management

Policy Details:

Review Schedule: This policy shall be reviewed every three to five years 

1. Purpose
   
   The Risk Management Policy serves as a statement of the overall UNCW risk management goals and focus. It is intended to help ensure a consistent approach to risk management throughout the university.
   
   
2. Scope
   
   This policy addresses Insitutional Risk Management and applies to the entire university community. Each member of the university community has a role to play in risk identification and management through the integration of risk management and planning processes and the embedding of risk management processes into management activities. This policy is not intended to replace a centralized compliance function or outline specific procedures as they evolve with time and circumstance. Some of the more pertinent procedures can be found on the IRM webpage.
   
   
3. Standard(s)
   
   Institutional risk is managed with procedures and tools consistent with industry best practices including (but not limited to) the International Organization for Standardization’s ISO 31000: Risk Management Principles and Guidelines, the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management Framework.
   
   
4. Policy

   1. Approach to Risk Management

      1. ISO 31000 States that:

         1. All organizations exist to achieve their objectives.

         2. An organization’s objectives are affected by internal and external events and “environmental” conditions, causing uncertainty with regard to their achievement.

         3. The effect of this uncertainty on an organization’s objectives is defined as “risk”.

      2. UNCW’s approach to risk management reflects an understanding of the institution and its context. UNCW’s framework for managing risk is based upon a three-tiered risk management system. Tier I risks have the potential to significantly affect the university’s mission, strategies and goals. Tier II risks are shared risks across multiple areas or single area risks with cascading impacts. Tier III risks are unit or single area risks which are largely identified and managed by a single manager, director, or department head. A single area may be defined as a unit, department, or section responsible for a program or activity, but could in some instances be defined as a division, college or school.

   2. UNCW Principles for Effective Risk Management (found in ISO 31000)

      1. Creates and protects value.

      2. Is an integral part of all organizational processes.

      3. Is part of decision making.

      4. Explicitly addresses uncertainty.

      5. Is systematic, structured and timely.

      6. Is based on the best available information.

      7. Is tailored.

      8. Takes human and cultural factors into account.

      9. Is transparent and inclusive.

      10. Is dynamic, iterative and responsive to change.

      11. Facilitates continual improvement of the organization.

   3. Key Outcomes

      1. The institution has a current understanding of the major risks it faces with the potential to impede achievement of its strategic objectives.

      2. Risk management and awareness is integrated at all levels of the organization.

      3. The institution’s risks are within its risk criteria.

   4. Responsibilities

      1. The Board of Trustees provides risk oversight through the Audit Committee as outlined in the UNCW Audit Committee Charter. In order to support the board in this regard, its members are kept informed of IRM’s regular and repeatable processes designed to manage institutional risk within our risk criteria and provide reasonable assurance regarding achievement of university objectives.

      2. The Chancellor is responsible to the Board of Trustees for enforcing this policy and submitting related updates and reports as needed.

      3. The IRM Steering Committee is comprised of the Provost and Vice Chancellor for Academic Affairs, the Vice Chancellor for Business Affairs, the Vice Chancellor for Student Affairs, the General Counsel and the Director of Internal Audit with support from the IRM Officer and other staff as required. The IRM Steering Committee meets as needed and is charged with guiding the advancement of Institutional Risk Management, providing its programs and the IRM Committee with direction and assessing ongoing performance. The IRM Steering Committee reviews and approves IRM presentations to the Audit Committee of the Board of Trustees and assists in the evaluation of any comments or questions the Board may have. The IRM Steering Committee assesses progress toward optimal risk treatment of identified institutional risks and recommends changes in course as needed.

      4. The IRM Officer has delegated authority to implement this policy and reports to the IRM Steering Comm ttee. The IRM Officer develops the Institutional Risk Management Program for the university, applying best practices, the standards mentioned above and other industry guidance. In order to foster a risk management culture, the IRM Officer is available for consultation and discussion relative to issues of institutional risk as well as forwarding those issues to appropriate leadership.

         The IRM Officer chairs the Institutional Risk Management Committee and works with committee members and executive sponsors to collaborate on a holistic approach to evaluate university risks and select optimal risk treatments. The IRM Officer is therefore tasked with ensuring that key risk management processes such as risk assessments are performed with the cooperation of the larger campus community.

         The IRM Officer promotes risk awareness programs throughout all sectors of the university and provides support to university leadership in defining, maintaining, and educating university stakeholders through the development or procurement of best- practice-related or instructional literature.

      5. The IRM Committee meets at least quarterly, and members are drawn from various representative university operations to serve as liaisons to the areas they represent. Through various work groups, committee members actively work on analysis and evaluation of Tier I risks as well as associated risk treatments, with oversight provided by the Executive Sponsors. The IRM Committee serves as a liaison for unit management of Tier II risks. The IRM Committee shares responsibility for providing a common-sense framework within which to manage risks as an integral part of all organizational processes.

      6. Executive Sponsors for each Tier I risk area are typically members of the chancellor’s cabinet and are empowered to cross-divisionally guide the work involved in managing university risks. Executive Sponsors have the authority to manage risks as well as the commitment to make the necessary resources available to assist those accountable and responsible for risk treatment.

5.  Risk Assessment Processes

   1. Risk Identification is accomplished through committee discussion, unit risk assessment, periodic stakeholder interviews, education and outreach on a regular basis. Unit Risk Assessment is a process intended to identify individual risks based on likelihood of occurrence and potential institutional impact should they occur. Departments, programs or activities are chosen for assessment based on a number of factors including the number and complexity of risks involved, the interdependence of different risks and their sources, the degree to which the unit’s risks impact the institution as a whole. When any of these factors exist, the unit risk assessment should be repeated every three years at minimum.

   2. Risk Analysis is performed on qualitative and quantitative data derived from risk assessments, stakeholder interviews, relevant external events and UNCW’s risk events and near-misses. Risk analysis should result in robust indicators that provide adequate data to recognize shifts in internal and industry risk patterns when they are most valuable, during the development and implementation phases of important strategic initiatives.

   3. Risk Evaluation is intended to inform decision-making regarding risk treatment and employs the results of risk analysis. This is primarily accomplished through periodic comparison of current risk ratings with previous ones as well as looking at actual losses in context. Further analysis is often deemed necessary before risk treatment decisions can be made.

6. Risk Treatment:
   
   Risk treatment involves continuous improvement through the use of appropriate measures to modify risk exposure and undertake the review and subsequent modification of processes, systems and resources. Risk treatment processes are cyclical in nature in that they involve the formulation of treatment measures, the evaluation of their efficacy, the generation of new measures as necessary and the subsequent assessment of the new measures. Risk treatment planning is undertaken at regular intervals for all Tier I Risk Areas. In accordance with ISO 31000, “Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the environment. Decisions should also take into account risks which can warrant risk treatment that is not justifiable on economic grounds, e.g. severe consequence but extremely unlikely risks.”