Intent
The intent of EWU's Office of Risk Management is to effectively manage risk while providing excellence in academics, student and employee opportunity and support, and community engagement. To achieve this, the Office of Risk Management seeks to proactively assess and respond to risks that may affect the achievement of EWU's mission, goals, and objectives. This intent is implemented through EWU's Enterprise Risk Management (ERM) Policy and program.
Scope
Responsibility for identifying and managing the risks of the university, as in any organization, lies with the management of the university. Heads of faculty and administrative services are responsible for ensuring compliance with the university policies. They also have a responsibility to identify, evaluate and manage strategic and operational risks and bring emerging institutional risks to the president's attention.
The Risk Register process plays an important role in identifying, evaluating, and mitigating the risks facing the university and working toward their continued improvement.
Procedures
The university recognizes that there is exposure to risk inherent in its programs and activities. It is the university policy for every employee to act to reduce risk to the greatest extent feasible, consistent with carrying out the mission and goals of the university.
ERM is a holistic approach to risk management and encompasses risks related to all university activities including strategic, operational, compliance, financial, reputational, safety, etc. ERM proactively identifies risks and opportunities across all university programs, departments, or divisions. The impact of risks or opportunities is considered not in isolation, but rather in relation to all other agency programs and risks. This avoids departmental "silos". To achieve a mature ERM program, EWU will support and implement, through its managers, supervisors, and employees, coordinated ERM guidelines, standards, and procedures.
The Risk Management Process
Step 1: Identify the Risk(s)
Identify sources of the risk, areas of impact, events (including changes in circumstances) and their causes and potential consequences. Describe those factors that might create, enhance, prevent, degrade, accelerate, or delay the achievement of your objectives. Aim to also identify the issues associated with not pursuing an opportunity; that is, the risk of doing nothing and missing an opportunity.
In identifying the risk, consider these kinds of questions:
- What could happen?
- How could it happen?
- Where could it happen?
- Why might it happen?
- What might be the impact?
- Who does or can influence this partnership, program, project, or event? How much is within the university's control or influence?
Step 2: Analyze the Risk(s)
Once the risk has been identified and the context, causes, contributing factors, and consequences have been described, look at the strengths and weaknesses of existing systems and processes designed to help control the risk. Knowing what controls are already in place, and whether they are effective, helps to identify what - if any - further action is needed.
The process:
- Identify the Existing Controls
- Assess the Likelihood
- Assess the Consequences
- Rate the Level of Risk
Step 3: Evaluate the Risk(s)
Whether a risk is acceptable or unacceptable relates to a willingness to tolerate the risk; that is, the willingness to bear the risk after it is treated in order to achieve the desired objectives.
Decisions about future actions may include:
- Not undertaking or proceeding with the event, activity, project, or initiative
- Actively treating the risk
- Prioritizing the actions needed, if the risk is complex and treatment is required
- Accepting the risk
The attitude, appetite, and tolerance for risk are likely to vary over time, across the university as a whole and for individual faculties, schools, divisions, branches and controlled entities.
Step 4: Treat the Risk(s)
Treatment options not applied to the source or root cause of a risk are likely to be ineffective and promote a false belief within the university that the risk is controlled.
- Decide if specific treatment is necessary
- Work out what kind of treatment is desirable for this risk
- Identify and design a preferred treatment option
- Evaluate treatment options
- Document the risk treatment plan
- Implement agreed treatments
- Once the risk has been treated, assess the level of residual risk