UNCW
Institutional Risk Management
IRM Overview
and
Policy Development & Implementation Plan
Overview
IRM BOT Audit Committee
Background
Institutional Risk Management Presentations to the UNCW Board of
Trustees Audit Committee began April 2011 with overview of process and
identified risk areas.
Tier 1 Risk Areas with scores (impact, likelihood of occurrence) and heat
map presented April 2012.
Interim Report – October 2012
Tier 1 Response Plan – April 2013 – Presented refined risk statements,
indicators, mitigations and next steps for Tier 1 Risk Areas with High
Rating
University of North Carolina Wilmington
IRM Organization
IRM Steering
Committee
IRM Committee,
Chaired by IRM Officer
Provost and Vice Chancellor for
Academic Affairs
Academic Affairs (7)
Vice Chancellor for Business Affairs
Business Affairs (7)
General Counsel
Student Affairs (2)
Director – Internal Audit
Chancellor (2)
University Advancement (1)
University of North Carolina Wilmington
IRM Objectives
The ultimate goal of Institutional Risk Management (IRM) is to help the
organization achieve its objectives by identifying, evaluating, prioritizing
and managing institutional risks that might endanger the university’s
mission and reputation.
No federal, state or UNC requirement to have a comprehensive,
systematic process for risk identification and management currently
exists.
The Association of Governing Boards (AGB) of Universities and Colleges
conducted a joint survey with United Educators in 2008. Survey findings
found that higher education was lagging behind in this important
fiduciary responsibility (60 percent said they do not use comprehensive,
strategic risk assessment). Action steps were recommended.
University of North Carolina Wilmington
IRM Best Practice Action Steps
1.
2.
3.
4.
5.
6.
7.
8.
9.
Develop a disciplined process to consider risk in strategic
discussions.
Designate an owner of the risk identification process.
Require all top administrators to prioritize risk.
Sift through the prioritized risks to decide which ones warrant
attention at the highest level.
Require annual written reports on each high-priority risk being
monitored.
Re-assess priority risks at the board level at least once a year.
Look for blind spots.
Move risk identification deeper into the institution each year.
Keep repeating the process.
C 2009 Association of Governing Boards of Universities and Colleges, United Educators
University of North Carolina Wilmington
UNCW’s Central Process Tenants
Institutional Risk Management (IRM) processes are holistic, flexible and
under continuous refinement.
The six types of risks move beyond the traditional focus on financial risks
covered by insurance. Risks are broadly defined to represent any
impediment to accomplishing institutional goals.
The Tier I risk areas, though broad, are regularly analyzed to ensure a
relevant and sufficiently narrow focus exists for each. The figure below
illustrates other important IRM process components.
University of North Carolina Wilmington
UNCW Risk Tier Overview
Tier I – Top Tier Risk Areas containing
risks with potential to affect the
university’s mission, strategies, and goals
Tier I
Tier II – Shared risks across multiple
areas or single area risks with cascading
impacts
Tier II
Tier III - Unit or single area risks which
are largely identified and managed at the
department level
Tier III
University of North Carolina Wilmington
Tier I Risk Profile
The Tier I Profile is currently comprised of nine risk areas,
each possessing a mission critical nature and risks with
higher than average potential impacts. For these reasons,
their proper management is considered to be of greatest
institutional priority. The top five are all
Catastrophic
rated “High Risk” and fall
Severe
within the orange area
outlined in bold on the
Serious
Risk Matrix. Repeating the
Minor
steps of analysis and
Insignificant
evaluation for April report.
IM PACT
4&5
Rare
Unlikely
Possible
LIKELIHOOD
Tier I High Risk Areas
1. Volatile Essential Resources
2. Regulatory Intervention
3. Human Capital Management
4. Campus Health and Safety
5. Continuity of Operations
Impact
Serious
Serious
Serious
Severe
Severe
Likelihood
Almost Certain
Almost Certain
Likely
Possible
Possible
University of North Carolina Wilmington
3
1&2
Likely
Almost
Certain
Selected Tier II Risk Areas
Tier II –
Shared risks across multiple areas
Single area risks with cascading impacts
-- Often involve continuous monitoring
-- In various stages of analysis, evaluation, and treatment
1 Minors on Campus
2 Vehicle Usage
3 Applied Learning
4 Water Safety
5 IT / Data / Cyber Security
6 Athletics Facilities
7 Fire Safety
8 International Travel
University of North Carolina Wilmington
Tier III - Unit Risk Assessment
Unit level risk assessments aid in the identification, evaluation and
prioritization of risks.
The process also aids in developing front line managers’ risk
awareness, risk evaluation, and risk mitigation skills.
60 units have completed a unit risk assessment. Further refinement
of unit risk assessments planned for 2013-14.
University of North Carolina Wilmington
Process
Maturation
Policy Development &
Implementation Plan
Policy Development &
Implementation Plan
In order to facilitate a more disciplined process and move risk
identification deeper into the institution, a risk management
policy is needed.
Policy Purpose: Serves as a statement of the overall UNCW risk
management goals and focus. It is intended to help ensure a
consistent approach throughout the university.
Policy Scope: Managed with procedures and tools consistent
with industry best practices, including (but not limited to) the
International Organization of Standardization’s ISO 31000: Risk
Management Principles and Guidelines, and the Committee of
Sponsoring Organizations of The Treadway Commission’s (COSO)
Enterprise Risk Management Framework
University of North Carolina Wilmington
Policy Development &
Implementation Plan
 Research best practices
 Present draft policy to IRM Steering Committee and IRM Committee
 Create list of constituent groups, ensuring inclusion of Academic
Coordinating Council, Faculty Senate, Staff Senate, Student
Government, Chancellor committees and selected units
 Conduct workshops to introduce policy and seek feedback
 Submit proposed edits to IRM Steering Committee
 Submit policy for legal sufficiency review
 Propose final policy to Cabinet, followed by the Chancellor for
approval with Chancellor Authority
 Present to April 2014 meeting of the Audit Committee of Board of
Trustees
University of North Carolina Wilmington
Policy Development &
Implementation Plan
Communication Campaign to parallel training and support.
Communication campaign to cover unit risks assessments, as
well as education and outreach on topics of compliance,
continuity of operations, fraud and corruption, insurance, and
memorandums of agreement.
Policy Development and Implementation Plan is congruent with
best practice research and AGB Recommended Action Steps:
Develop a disciplined process.
Move risk identification deeper into the institution each year.
Keep repeating the process.
University of North Carolina Wilmington