Policy Number: AUS-06P-01001
Sponsor: Office of the Executive Vice President and Treasurer
Effective Date: September 3, 2021
I. POLICY RATIONALE
The American University of Science ("AUS", "University", "university") is committed to managing its risks proactively and holistically and ensuring that risk management is an integral part of all university activities and a core capability. AUS’s risk management process is designed to:
Identify potential events, practices, procedures, trends, and opportunities that may significantly affect the university’s ability to achieve its strategic goals and successfully maintain its operations, reputation, and legal obligations.
Respond to risks based on the university’s risk appetite to ensure that the university’s objectives will be achieved.
AUS’s objectives for the management of risk include:
Integrating the practice of risk management into the culture and strategic decision-making process throughout the university.
Anticipating and responding to changing social, environmental, technological, and legislative conditions.
Managing risk according to best practice and demonstrating due diligence in decision-making.
Optimizing value by balancing the cost of managing risk with the anticipated benefits.
Managing significant risks related to potential financial, reputational, health and safety, and legal negative consequences.
II. POLICY APPLICABILITY
This policy applies to the entire AUS community.
III. POLICY PURPOSE
This policy aims to ensure that risks to AUS are identified, assessed, and managed effectively to support its operations as an educational institution. To achieve this, the policy establishes a formal risk management program by designating responsibilities for risk identification and analysis, planning for risk mitigation, and program management and oversight. This policy applies to the entire university community and addresses Institutional Risk Management. All members of the university community have a role to play in identifying and managing risks by integrating risk management and planning processes and embedding them into management activities. University-wide program management and oversight require active participation from executive leadership, departmental management, data stewards, and others in risk decision-making. It is essential to note that this policy is not intended to replace a centralized compliance function or outline specific procedures as they may evolve with time and circumstance.
IV. POLICY STATEMENT
A. Definitions
1. Risk: the potential of harm to the University or its stakeholders, including but not limited to physical risks, property risks, and risk of criminal conduct and other noncompliance.
2. Risk Assessment: an evaluation of the nature and magnitude of risk to the University. The evaluation is based upon known or theoretical vulnerabilities and threats, as well as the likelihood of the threats being realized and the potential impact to the University and its stakeholders.
3. Risk Management: a continual process of analyzing and responding to risks to the University in order to reduce those risks to acceptable levels. Risk management includes the risk assessment process, and uses the results of risk assessments to make informed decisions on the acceptance of risks or on taking action to reduce those risks.
B. Policy Principles
AUS has established a risk management program to ensure that risks to university resources are proactively identified and managed by the appropriate authority. The management of risk is continuous and should be applied at both the enterprise level as well as an individual academic and administrative unit level. AUS’s principles for managing risk are:
The Executive Vice President and Treasurer with appropriate assistance oversees the management of risk on the campus.
Leadership adopts an open and receptive approach to solving risk problems.
Leadership supports, advises on, and implements policies.
Organizational unit directors develop and implement effective risk management practices within their units.
Key risk indicators are identified and monitored on a regular basis.
Data Owners are appropriately included in the evaluation and acceptance of risk to university information.
1. Approach to Risk Management
1.1. ISO 31000 states that:
All organizations exist to achieve their objectives.
An organization’s objectives are affected by internal and external events and “environmental” conditions, causing uncertainty concerning their achievement.
The effect of this uncertainty on an organization’s objectives is defined as “risk”.
1.2. AUS’s approach to risk management reflects an understanding of the institution and its context. AUS’s framework for managing risk is based upon a three-tiered risk management system.
Tier I risks can significantly affect the university’s mission, strategies, and goals.
Tier II risks are shared risks across multiple areas or a single area with cascading impacts.
Tier III risks are unit or single-area risks that are largely identified and managed by a single manager, director, or department head.
A single area may be defined as a unit, department, or section responsible for a program or activity, but could in some instances, be defined as a division, college or school.
2. Principles for Effective Risk Management (found in ISO 31000)
Creates and protects value.
Is an integral part of all organizational processes.
Is part of decision making.
Explicitly addresses uncertainty.
Is systematic, structured and timely.
Is based on the best available information.
Is tailored.
Takes human and cultural factors into account.
Is transparent and inclusive.
Is dynamic, iterative and responsive to change.
Facilitates continual improvement of the organization.
3. Key Outcomes
AUS has a current understanding of the major risks it faces with the potential to impede achievement of its strategic objectives.
Risk management and awareness are integrated at all levels of the organization.
The institution’s risks are within its risk criteria.
4. Risk Assessment Processes
4.1. Department heads/departments shall ensure that risk assessments are performed on all activities, systems and/or business processes under their department’s control in conjunction with guidance from the risk management office/officer on assessment method, format, content, and frequency. Risk assessments shall include (1) a description of potential risks, (2) potential remediation plans with specific actions and recommended completion dates, and (3) an explanation of residual risks. Department heads/departments shall submit the risk assessments to the risk management office/officer for review on an as-needed basis.
4.2. Risk Identification is accomplished through committee discussion, unit risk assessment, periodic stakeholder interviews, and education and outreach on a regular basis. Unit Risk Assessment is a process intended to identify individual risks based on likelihood of occurrence and potential institutional impact should they occur. Departments, programs or activities are chosen for assessment based on a number of factors, including the number and complexity of risks involved, the interdependence of different risks and their sources, and the degree to which the unit’s risks impact the institution as a whole. When any of these factors exist, the unit risk assessment should be repeated every three years at minimum.
4.3. Risk Analysis is performed on qualitative and quantitative data derived from risk assessments, stakeholder interviews, relevant external events and AUS’s risk events and near-misses. Risk analysis should result in robust indicators that provide adequate data to recognize shifts in internal and industry risk patterns when they are most valuable, during the development and implementation phases of important strategic initiatives.
4.4. Risk Evaluation is intended to inform decision-making regarding risk treatment and employs the results of risk analysis. This is primarily accomplished through periodic comparison of current risk ratings with previous ones as well as looking at actual losses in context. Further analysis is often deemed necessary before risk treatment decisions can be made.
5. Risk Treatment
Risk treatment involves continuous improvement through the use of appropriate measures to modify risk exposure and undertake the review and subsequent modification of processes, systems and resources. Risk treatment processes are cyclical in nature in that they involve the formulation of treatment measures, the evaluation of their efficacy, the generation of new measures as necessary and the subsequent assessment of the new measures. Risk treatment planning is undertaken at regular intervals for all Tier I Risk Areas. In accordance with ISO 31000, “Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the environment. Decisions should also take into account risks which can warrant risk treatment that is not justifiable on economic grounds, e.g. severe consequence but extremely unlikely risks.”
6. Risk Prevention
AUS encourages strategies to prevent loss, including: development of educational materials as well as training programs for employees and students as appropriate; legal and safety audits aimed at early identification and resolution of compliance risks; and cooperation with insurance carriers to take advantage of risk reduction resources.
C. Roles and Responsibilities
1. The risk management officer (the Controller) is responsible for coordinating the development and maintenance of risk management policies, procedures, standards, and forms for AUS. The Controller is also responsible for the ongoing evaluation and day-to-day management of AUS's risk management program.
2. Every AUS staff member and/or AUS function dealing with risk is responsible for promptly reporting any property loss, potential liability claim, and/or potential criminal conduct or other noncompliance to the Controller. All reports will be investigated by the appropriate offices, and potential losses or claims will be reported to the insurance broker/carrier by the Controller. Though individuals are encouraged to identify themselves when making reports to facilitate investigations, reports may be made anonymously to the Controller.
3. The Controller shall periodically advise the Executive Vice President and Treasurer or a designee regarding risk management assessments, evaluation, and risk management program progress.