Risk Management Process
South Texas College

Risk Management*
The process of identifying and controlling hazards. A logical thought process from which users develop tools, techniques, and procedures for applying risk management in their areas of responsibility. It is a closed-loop process applicable to any situation and environment.
* Reference: U.S. Military FM 3-100.12 Risk Management

Risk Management Process (cycle)
Identify hazards → Assess hazards → Develop controls and make risk decisions → Implement controls → Supervise & evaluate

Risk Management Process
1. Identify Hazards
   • Potential exists, impact
2. Assess Hazards
   • Probability & Severity, identify options
3. Develop Controls and Make Risk Decisions
   • Describe risk, identify controls
4. Implement Controls
   • SOP/training/briefings, etc.
5. Supervise and Evaluate
   • Reevaluate, lessons learned

Step 1 – Identify Hazards
Hazard - any real or potential condition that can cause injury, illness or death of personnel, or damage to, or loss of equipment or property.
Risk - chance of hazard or bad consequences; exposure to chance of injury or loss.

Higher Ed Risk Categories*
• Financial
• Human Resources
• Risk & Safety
• Information Technology
• Academic Affairs
* Based on EthicsPoint, Inc Data

Summary of Risk Categories*
* Based on EthicsPoint, Inc Data

Most Likely College Crises*
• Serious outbreaks of illness
• Major food tampering
• Employee Sabotage
• Fires, explosions, and chemical spills
• Environmental Disasters
• Damage to institutional reputation
• Major Crimes
• Significant drops in revenue
• Natural Disasters
• Loss of confidential/sensitive information or records
• Major lawsuits
• Terrorist attacks
• Ethical Breaches by administrators, faculty, and trustees
* Mitroff, I. I., Diamond, M. A., & Alpaslan, C. M. (2006). How prepared are America's colleges and universities for major crises? Change, 61-67.

Step 2 – Assess Hazards
Probability - the likelihood that an event will occur.
Severity - the expected consequence of an event in terms of degree of injury, property damage, or other identified factors that could occur.
Output at end of Step 2 is a Risk Assessment Matrix

Risk Assessment Matrix
Severity \ Probability | Frequent (A) | Likely (B) | Occasional (C) | Seldom (D) | Unlikely (E)
Catastrophic (I)       | E            | E          | H              | H          | M
Critical (II)          | E            | H          | H              | M          | L
Marginal (III)         | H            | M          | M              | L          | L
Negligible (IV)        | M            | L          | L              | L          | L

Probability Definitions
Frequent (A) - Occurs very often, continuously experienced
Likely (B) - Occurs several times
Occasional (C) - Occurs sporadically
Seldom (D) - Remotely possible; could occur at some time
Unlikely (E) - Can assume will not occur, but not impossible

Risk Severity Categories
CATASTROPHIC (I) - Loss of ability to conduct instruction and/or conduct normal business functions. Death or permanent disability. Loss of major or mission-critical system or equipment. Major property (facility) damage. Severe environmental damage. Mission-critical security failure.
CRITICAL (II) - Significantly degraded ability to conduct instruction, disruption of normal business functions or personal disability. Extensive damage to equipment or systems. Significant damage to property or the environment. Security failure.
MARGINAL (III) - Degraded ability to conduct instruction and/or conduct normal business functions. Minor damage to equipment or systems, property, or the environment. Injury or illness of personnel.
NEGLIGIBLE (IV) - Little or no adverse impact on instruction or normal business functions. First aid or minor medical treatment. Slight equipment or system damage, but fully functional and serviceable. Little or no property or environmental damage.

Risk Assessment Definitions
E - Extremely High Risk: Loss of ability to conduct instruction and/or conduct normal business functions.
A frequent or likely probability of catastrophic loss (IA or IB) or frequent probability of critical loss (IIA) exists.

H – High Risk: Significant degradation of ability to conduct instruction and/or conduct normal business functions. Occasional to seldom probability of catastrophic loss (IC or ID) exists. A likely to occasional probability exists of a critical loss (IIB or IIC) occurring. Frequent probability of marginal losses (IIIA) exists.

M – Moderate Risk: Expected degraded ability to conduct instruction and/or conduct normal business functions. An unlikely probability of catastrophic loss (IE) exists. The probability of a critical loss is seldom (IID). Marginal losses occur with a likely or occasional probability (IIIB or IIIC). A frequent probability of negligible (IVA) losses exists.

L – Low Risk: Expected losses have little or no impact on the conduct of instruction or normal business functions. The probability of critical loss is unlikely (IIE), while that of marginal loss is seldom (IIID) or unlikely (IIIE). The probability of a negligible loss is likely or less (IVB through IVE).

Risk Assessment Matrix Example
[Matrix figure: Severity (Catastrophic I, Critical II, Marginal III, Negligible IV) against Probability (Frequent A, Likely B, Occasional C, Seldom D, Unlikely E), with these hazards plotted:]
• Fraud
• Improper Disclosing of Financial Records
• Return of Federal Funding
• Falsification of Contracts
• Improper Receiving of Gifts
• Theft
• Waste/Abuse/Misuse of Institute Resources

Step 3 – Develop Controls and Make Risk Decisions
Controls - actions taken to eliminate hazards or reduce their risk(s).
Residual Risk - the level of risk remaining after controls have been identified and selected.
Risk Decision - the decision to accept or not accept the risk(s) associated with an action made by the leader or the individual responsible for performing that action.
Risk Management Worksheet
Header fields: Hazard | Department | Initial Risk Level | Date Prepared | Approved By | Residual Risk Level
Columns: Control | How to Implement | Estimated Resources Needed | Owner

Risk Management Worksheet Example
Hazard: Fraud
Department: Business Office
Initial Risk Level: Extremely High

1) Fraud Hotline
   How to Implement: Contract with a third party vendor to monitor a fraud reporting hotline.
   Estimated Resources Needed: $xxx.xx dollars per year for contract
   Owner: Mary Elizondo, Business Office

2) Mandatory Ethics Training for all STC employees
   How to Implement: Add ethics training to yearly mandatory training requirements for all STC faculty and staff.
   Estimated Resources Needed: 1 FTE to develop, implement and conduct ethics training OR $xxx.xx to obtain online training from an approved vendor.
   Owner: Frank Gomez, HR Office

3) Bid Process
   How to Implement: Review current bid process to ensure that there are adequate internal controls in place to mitigate possibility of bid tampering.
   Estimated Resources Needed: 20 hours for a Cross-Functional Committee
   Owner: Becky Cavazos, Purchasing

4) Fraud Awareness campaign
   How to Implement: Develop a “Make a Difference” campaign to help faculty, staff and students become aware of these unethical and illegal behaviors.
   Estimated Resources Needed: Business Office, HR and PR team to develop and implement the campaign
   Owner: Mary Elizondo, Business Office

Date Prepared: 2/22/2008
Approved By: Diana Pena
Residual Risk Level: Medium

Step 4 – Implement Controls
• Make Implementation Clear - Provide a roadmap for implementation, a vision of the end state, and a description of successful implementation
• Establish Accountability - Clear assignment of responsibility for implementation of the risk control is required
• Provide Support - Providing the personnel and resources necessary to implement the control measures

Step 5 – Supervise and Review
• Monitor the operation to ensure controls are implemented correctly, are effective, and remain in place
• After controls are applied, a review must be accomplished to see if the risks and the mission are in balance
• A feedback system should be established to ensure that the corrective or preventative action taken was effective

Risk Management Process (cycle)
Identify hazards → Assess hazards → Develop controls and make risk decisions → Implement controls → Supervise & evaluate

Questions?