Risk Management Process South Texas College

Risk Management*

• The process of identifying and controlling hazards.
• A logical thought process from which users develop tools, techniques, and procedures for applying risk management in their areas of responsibility.
• It is a closed-loop process applicable to any situation and environment.
* Reference: U.S. Military FM 3-100.12 Risk Management
Risk Management Process
[Figure: closed-loop cycle of Identify hazards, Assess hazards, Develop controls and make risk decisions, Implement controls, Supervise & evaluate]
Risk Management Process
1. Identify Hazards
   • Potential exists, impact
2. Assess Hazards
   • Probability & Severity, identify options
3. Develop Controls and Make Risk Decisions
   • Describe risk, identify controls
4. Implement Controls
   • SOP/training/briefings, etc.
5. Supervise and Evaluate
   • Reevaluate, lessons learned
Step 1 – Identify Hazards

• Hazard - any real or potential condition that can cause injury, illness or death of personnel, or damage to, or loss of equipment or property.
• Risk - chance of hazard or bad consequences; exposure to chance of injury or loss.
Higher Ed Risk Categories*

• Financial
• Human Resources
• Risk & Safety
• Information Technology
• Academic Affairs
* Based on EthicsPoint, Inc Data
Summary of Risk Categories*
* Based on EthicsPoint, Inc Data
Most Likely College Crises*

• Serious outbreaks of illness
• Major food tampering
• Employee Sabotage
• Fires, explosions, and chemical spills
• Environmental Disasters
• Damage to institutional reputation
• Major Crimes
• Significant drops in revenue
• Natural Disasters
• Loss of confidential/sensitive information or records
• Major lawsuits
• Terrorist attacks
• Ethical Breaches by administrators, faculty, and trustees
* Mitroff, I. I., Diamond, M. A., & Alpaslan, C. M. (2006). How prepared are America's colleges and universities for major crises? Change. 61-67.
Step 2 – Assess Hazards

• Probability - the likelihood that an event will occur.
• Severity - the expected consequence of an event in terms of degree of injury, property damage, or other identified factors that could occur.
• Output at end of Step 2 is a Risk Assessment Matrix
Risk Assessment Matrix

                    Probability
Severity            Frequent A   Likely B   Occasional C   Seldom D   Unlikely E
Catastrophic I      E            E          H              H          M
Critical II         E            H          H              M          L
Marginal III        H            M          M              L          L
Negligible IV       M            L          L              L          L
Probability Definitions

Frequent (A)     Occurs very often, continuously experienced
Likely (B)       Occurs several times
Occasional (C)   Occurs sporadically
Seldom (D)       Remotely possible; could occur at some time
Unlikely (E)     Can assume will not occur, but not impossible
Risk Severity Categories

CATASTROPHIC (I)
Loss of ability to conduct instruction and/or conduct normal business functions. Death or permanent disability. Loss of major or mission-critical system or equipment. Major property (facility) damage. Severe environmental damage. Mission-critical security failure.

CRITICAL (II)
Significantly degraded ability to conduct instruction, disruption of normal business functions or personal disability. Extensive damage to equipment or systems. Significant damage to property or the environment. Security failure.

MARGINAL (III)
Degraded ability to conduct instruction and/or conduct normal business functions. Minor damage to equipment or systems, property, or the environment. Injury or illness of personnel.

NEGLIGIBLE (IV)
Little or no adverse impact on instruction or normal business functions. First aid or minor medical treatment. Slight equipment or system damage, but fully functional and serviceable. Little or no property or environmental damage.
Risk Assessment Definitions

E – Extremely High Risk
Loss of ability to conduct instruction and/or conduct normal business functions. A frequent or likely probability of catastrophic loss (IA or IB) or frequent probability of critical loss (IIA) exists.

H – High Risk
Significant degradation of ability to conduct instruction and/or conduct normal business functions. Occasional to seldom probability of catastrophic loss (IC or ID) exists. A likely to occasional probability exists of a critical loss (IIB or IIC) occurring. Frequent probability of marginal losses (IIIA) exists.

M – Moderate Risk
Expected degraded ability to conduct instruction and/or conduct normal business functions. An unlikely probability of catastrophic loss (IE) exists. The probability of a critical loss is seldom (IID). Marginal losses occur with a likely or occasional probability (IIIB or IIIC). A frequent probability of negligible (IVA) losses exists.

L – Low Risk
Expected losses have little or no impact on the conduct of instruction or normal business functions. The probability of critical loss is unlikely (IIE), while that of marginal loss is seldom (IIID) or unlikely (IIIE). The probability of a negligible loss is likely or less (IVB through IVE).
Risk Assessment Matrix Example
[Matrix: Severity (Catastrophic I, Critical II, Marginal III, Negligible IV) by Probability (Frequent A, Likely B, Occasional C, Seldom D, Unlikely E). Hazards plotted: Fraud; Improper Disclosing of Financial Records; Return of Federal Funding; Falsification of Contracts; Improper Receiving of Gifts; Theft; Waste/Abuse/Misuse of Institute Resources]
Step 3 – Develop Controls and Make Risk Decisions

• Controls - actions taken to eliminate hazards or reduce their risk(s).
• Residual Risk - the level of risk remaining after controls have been identified and selected.
• Risk Decision - the decision to accept or not accept the risk(s) associated with an action made by the leader or the individual responsible for performing that action.
Risk Management Worksheet

Hazard:
Department:
Date Prepared:
Approved By:
Initial Risk Level:
Residual Risk Level:

Columns: Control, How to Implement, Estimated Resources Needed, Owner
Risk Management Worksheet Example

Hazard: Fraud
Department: Business Office
Date Prepared: 2/22/2008
Approved By: Diana Pena
Initial Risk Level: Extremely High
Residual Risk Level: Medium

1) Fraud Hotline
   How to Implement: Contract with a third party vendor to monitor a fraud reporting hotline.
   Estimated Resources Needed: $xxx.xx dollars per year for contract
   Owner: Mary Elizondo, Business Office

2) Mandatory Ethics Training for all STC employees
   How to Implement: Add ethics training to yearly mandatory training requirements for all STC faculty and staff.
   Estimated Resources Needed: 1 FTE to develop, implement and conduct ethics training OR $xxx.xx to obtain online training from an approved vendor.
   Owner: Frank Gomez, HR Office

3) Bid Process
   How to Implement: Review current bid process to ensure that there are adequate internal controls in place to mitigate possibility of bid tampering.
   Estimated Resources Needed: 20 hours for a Cross-Functional Committee
   Owner: Becky Cavazos, Purchasing

4) Fraud Awareness campaign
   How to Implement: Develop a “Make a Difference” campaign to help make faculty, staff and students aware of these unethical and illegal behaviors.
   Estimated Resources Needed: Business Office, HR and PR team to develop and implement the campaign
   Owner: Mary Elizondo, Business Office
Step 4 – Implement Controls

• Make Implementation Clear - Provide a roadmap for implementation, a vision of the end state, and description of successful implementation
• Establish Accountability - Clear assignment of responsibility for implementation of the risk control is required
• Provide Support - Providing the personnel and resources necessary to implement the control measures
Step 5 – Supervise and Review

• Monitor the operation to ensure controls are implemented correctly, are effective, and remain in place
• After controls are applied, a review must be accomplished to see if the risks and the mission are in balance
• A feedback system should be established to ensure that the corrective or preventative action taken was effective
Questions?