History
- Policy Number: FA.32.003
- Version: Original
- Drafted By: Katharine Hullinger
- Approved By: Erika D. Beck
- Approval Date: 02/04/2019
- Effective Date: 02/04/2019
- Supersedes: FA.32.002
Purpose
California State University Channel Islands (CSUCI) and its management are committed to the effective support of its stakeholders and require that robust strategic risk management processes and procedures be adopted.
Strategic Risk Management is an essential function of each University division and business unit. The University, its faculty and administrators are responsible for conducting University programs and activities in a manner that does not impose an unreasonable risk of loss or injury, and for evaluating the value or potential gain inherent in the acceptance of some risk.
The purpose of this Strategic Risk Management policy is to:
- confirm and communicate the University’s commitment to risk management, and to align risk management with the University's strategic objectives;
- formalize a consistent approach to managing risk for all University activities and to establish a reporting protocol;
- ensure that all significant risks to the University are identified, assessed and reported to Cabinet in a timely manner;
- assign accountability to administrators and decision-makers for the management of risks within their areas of control;
- provide a framework for setting objectives and establishing an overall sense of direction and principles for action with regard to risk management;
- establish key risk indicators against which risk management efforts will be evaluated;
- ensure necessary resources are available to assist those accountable and responsible for managing risk; and
- achieve a risk management capability that meets changing business needs and is appropriate to the size, complexity and nature of the University.
This Policy shall also specify the ongoing management and maintenance of the strategic risk management program, including:
- assigning of accountabilities and responsibilities at appropriate levels within the organization;
- ensuring that the necessary resources are allocated to risk management;
- embedding of risk management within the organization by communicating the benefits of risk management to all stakeholders;
- evaluating risk treatment plans regularly;
- updating and communicating of the risk treatment plans - particularly when there is significant change in premises, personnel, process, market, technology or organizational structure; and
- ensuring that the framework for managing risk continues to evolve with the growth of the campus.
Background
ISO 31000 (Risk Management System Framework)
ISO 31010 (Risk Assessment Approach)
EO 1069 Risk Management and Public Safety
Policy
Accountability
The Vice President for Business & Financial Affairs administers this policy at CSUCI.
President:
The President provides risk direction and ensures that strategic, operational, financial and compliance risks are effectively managed. The President will embed risk considerations into the strategic planning. The President will hold management accountable for managing campus wide risk.
Campus Administrators:
Campus administrators are responsible for ensuring that faculty and staff are aware of the University’s commitment to risk management, and for ensuring that all employees are provided with the necessary information to enable them to minimize the effects of accidental losses. To meet this responsibility, campus administrators shall maintain awareness of the resource documents developed by the Risk Management and Internal Audit offices and confer with those offices about risk management matters. They shall encourage faculty and staff to do the same. In addition, campus administrators shall participate in training activities related to strategic risk management and encourage participation by faculty and staff.
Strategic Risk Management Methodology:
Campus administrators, staff and faculty shall identify and manage risks associated with their program or activities. The University shall consider all types of risk it faces, including strategic, operational, financial, reputational, hazard, and regulatory and compliance risks. (See attached Categories of Risk)
The University uses a risk model (see attached Heat Map and Risk Reporting Matrix) to define likelihood and impact. Impact is the potential severity or effect of the risk. Likelihood is the frequency or probability of a risk occurring. The ratings given to impact and likelihood produce an evaluation of net risk. Both the adequacy of existing controls and net risk are denoted on a simple heat map. Any risks in the red will require immediate attention and reporting to the Cabinet; those in yellow and orange require explicit review prioritization, and those in green shall continue to be monitored.
The following steps provide a standard methodology for effectively managing risk.
- Identify risks: Consider the probable risk to life, property, revenue and reputation resulting from an activity.
- Evaluate and prioritize risks: While all activities carry some measure of risk, not all risks require intervention. Risk evaluation contemplates the probable outcome based on analysis of frequency and severity of losses (injury, property, reputation, ability to accomplish mission), or the inherent value or gain from accepting risk.
- Select the best risk management technique: Once a determination has been made that intervention is necessary, identify the method or technique for managing the risk and select that which is cost effective and does not unduly curtail activities essential to the University mission (e.g. loss prevention and safety procedures, training, loss financing including supplemental insurance, transfer of risk through contracts and waivers, avoidance or acceptance of the risk).
- Implement the best risk management technique.
- Monitor and evaluate results.
Assessment and Evaluation of Program:
The Strategic Risk Management program will be evaluated annually by the University’s Risk Management staff and the Internal Auditor. The implemented risk management procedures and risk treatment strategies will be reviewed. The results of the annual evaluation will be summarized in a report prepared for the Cabinet.
Applicability
This policy applies to all CSUCI faculty, staff and students involved in University programs and services, both on and off the campus.
Definition(s)
Frequency - The number of events or outcomes per defined length of time that is used as a measure of likelihood (probability).
Probability - The measure of the chance of occurrence expressed as a number between zero and five, where zero is improbability and five is absolute certainty.
Risk Appetite - The amount and type of risk that an organization is willing to pursue or retain.
Risk Assessment - The process employed to comprehend the nature of risk and to determine the level of risk.
Risk Assessment Record - The tool for ranking and displaying risks by defining ranges for consequence and likelihood.
Risk Attitude - The organization's approach to assess and eventually pursue, retain, take or turn away from risk.
Risk Avoidance - The informed decision not to be involved in, or to withdraw from, an activity in order to eliminate risk exposure.
Risk Description - The structured statement of risk usually containing four elements: sources, events, causes and consequences.
Risk Evaluation - The process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
Risk Identification - The process of finding, recognizing and describing risks; risk identification involves the identification of risk sources, events, their causes and their potential consequences.
Risk Management - Identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize (mitigate), monitor, and control the probability and/or impact of loss events or to maximize opportunities.
Risk Owner - The person or entity with the accountability and authority to manage a risk.
Risk Profile - The description of any set of risks that relate to the whole organization, part of the organization, or as otherwise defined.
Risk Tolerance - The organization or stakeholder's readiness to bear the risk after risk treatment in order to achieve objectives.
Strategic Risk Management - An administrative process that requires organization-wide participation to identify and manage the myriad of risks associated with carrying out the objectives of the University.
Text
Strategic risk management shall be embedded in all University practices and processes in a relevant, effective and efficient manner. The strategic risk management process shall become part of, and not separate from, those organizational processes. In particular, strategic risk management shall be embedded into the policy development, business, budget and strategic planning and review, and change management processes.
To achieve this goal, the University will develop strategic risk management procedures and guidelines, and implement an ongoing risk identification and evaluation process. The strategic risk management process requires participation by employees throughout the University. All University administrators, managers and decision makers shall include risk management as a normal part of conducting University business.
All decision-making within the organization, whatever the level of importance and significance, shall involve the explicit consideration of risks and the application of risk management to some appropriate degree. This shall be documented in risk assessment records, which indicate active contemplation of risks and risk treatment strategies. In addition, all components of risk management are represented and evidenced within key processes for decision making in the organization, e.g. for decisions on the allocation of capital, on major projects and on re-structuring and organizational changes.
Sound strategic risk management shall be seen within the organization as providing the basis for effective governance.
The University will designate a Risk Manager to facilitate the development of risk assessment procedures and guidelines, and to provide consulting, training and assistance in support of the campus community. The procedures and guidelines will address campus priorities, as well as facilitate campus compliance with Executive Orders.
The Risk Management office will:
- develop and implement a campus-wide Strategic Risk Management Program, wherein informed risk taking is recognized as an integral component of campus operations and inherent in strategic planning;
- assist University administrators in maintaining sound risk management procedures and practices by developing resource documents including risk policy, procedures and guidelines, as well as tools for establishing risk inventories, analyses, prioritization and treatment strategies;
- assist the campus community in identifying and evaluating risks, and selecting and implementing appropriate risk management techniques; and
- provide strategic risk management training for managers, coordinators and administrators.
In addition, the Risk Management office will:
- act as liaison to Chancellor’s Office of Systemwide Risk Management and Public Safety;
- administer University insurance policies and other forms of risk financing;
- facilitate risk transfer through contracts, leases and other agreements; and
- administer claims including timely response to incidents, reporting, and participation in claims settlement processes.