Definition of Terms
Management considered the guidance from numerous sources of URM thought leadership in formulating our own strategy and processes for risk management.
We define URM as the process for identifying, analyzing, evaluating, and ultimately responding to and monitoring both “upside” (opportunities) and “downside” (threats) risk across Brown University, considering all risks in the context of the University’s strategic plan, and built upon a foundation of ownership, accountability, and transparency.
Risk management is the process whereby Brown University will methodically identify and address the risks to successful achievement of its objectives with the aim of achieving sustained benefit within each key activity and across the portfolio of all key activities.
Our pursuit of effective risk management includes the identification and treatment of all relevant risks. Our objective is to add maximum sustainable value to all the activities of the organization. We will marshal the understanding of the potential upside and downside of all key risk factors that can affect the organization. We intend for URM to increase the probability of success and reduce both the probability of failure and the uncertainty of achieving Brown University’s objectives.
Resources for managing risk are finite so we aim to achieve an optimum response to key risks, prioritized in accordance with an evaluation of the significance and likelihood of those risks. We recognize that risk is unavoidable, and we must take action to manage risk, in a justifiable and feasible manner, to a level that is acceptable to our stakeholders.
Responses to key risks will involve one or more of the following approaches:
For threats:
- Treat: Taking actions to reduce the likelihood of a risk’s occurrence at Brown, and/or to reduce the impact of the risk should it occur;
- Tolerate: An informed decision to accept that a risk may occur, and that nothing more should be done to reduce, or further reduce, the likelihood or impact of the risk;
- Transfer: Transferring or sharing all or some of the exposure of a risk; and
- Terminate: Eliminating the activity giving rise to the risk.
For opportunities:
- Take: An informed decision to exploit, or make an opportunity definitely happen (i.e., increase probability to 100%). Aggressive measures are taken which seek to ensure that the benefits from this opportunity are realized by the University;
- Turn up: Take actions designed to increase the likelihood and/or impacts (consequences) of an opportunity for Brown;
- Take Part (or Team up): Seek a partner able to share or manage the opportunity that can maximize the chance of it happening and/or increase the potential benefits. Involves sharing any upside; and
- Turn Down: An informed decision to ignore, or not actively pursue, an opportunity.
Every organization functions within an environment which both influences the risks faced and provides a context within which risk has to be managed. For example, Brown University has partners (such as donors, grantors, customers, vendors, strategic alliances, financiers, consultants, etc.) upon which it depends for the delivery of its objectives.
We recognize that we must give full consideration to the context in which Brown University functions and address certain risk priorities of partner organizations. In our assessment of key risks we not only consider Brown University’s perspective but also take into account perspectives of our key partners.
The Inherent/Gross Risk model shown below indicates degrees of gross risk. The Inherent/Gross Risk Score is calculated as the product of impact/severity and likelihood ratings, then converted to an Inherent/Gross Risk Rating:
Inherent/Gross Risk Heat Map (rows: Significance/Impact rating; columns: Likelihood rating)

Significance/Impact | 1 – Remote | 2 – Unlikely | 3 – Possible | 4 – Likely | 5 – Almost Certain |
---|---|---|---|---|---|
5 – Transformative/Severe | Moderate | Moderate | Significant | Severe | Severe |
4 – Major/Significant | Minor | Moderate | Significant | Significant | Severe |
3 – Moderate/Substantial | Minor | Moderate | Moderate | Significant | Significant |
2 – Minor/Low | Insignificant | Minor | Moderate | Moderate | Moderate |
1 – Insignificant | Insignificant | Insignificant | Minor | Minor | Moderate |
Management Response Appropriate for Inherent/Gross Risk Rating:
Inherent/Gross Risk Rating | Inherent/Gross Risk Score | Appropriate Risk Response |
---|---|---|
5 – Transformative/Severe | 20 ≤ x ≤ 25 | Requires executive management and Corporation direction of mitigation through controlling, transferring, or avoiding threats (Tolerate, Treat, Transfer or Terminate), or pursuing and seizing opportunities (Take, Turn up, Take part or Turn down). Requires strong controls and regular monitoring to manage to an acceptable level of residual risk. |
4 – Major/Significant | 12 ≤ x < 20 | Requires senior and executive management direction of mitigation through controlling, transferring, or avoiding threats (Tolerate, Treat, Transfer or Terminate), or pursuing and seizing opportunities (Take, Turn up, Take part or Turn down). Requires some controls and regular monitoring to manage to an acceptable level of residual risk. |
3 – Moderate/Substantial | 5 ≤ x < 12 | Senior management must be aware of and direct implementation of controlling, transferring, avoiding, or accepting the risk based upon a cost/benefit analysis of threats and opportunities. Requires some controls and monitoring to manage moderate to very high severity risks to an acceptable level of residual risk. |
2 – Minor/Low | 3 ≤ x < 5 | Managed through routine procedures, specific monitoring, or response procedures. Requires some controls to manage high severity/impact risks to an acceptable level of residual risk. |
1 – Insignificant | 1 ≤ x < 3 | Unlikely to require specific application of resources unless the risk profile changes. Acceptable level of risk. |
Brown University has defined the following 5 ratings for evaluating the likelihood of occurrence of relevant risks:
Likelihood Rating | Criteria |
---|---|
1 – Remote | Risk event is conceivable but highly unlikely to occur (e.g., may require a series of events to occur and/or may never have occurred at Brown University). (A 1 in 20 or more year event.) |
2 – Unlikely | Risk event can be envisioned and may have occurred previously, but is unlikely to occur in the next year. (A 1 in 10 year event.) |
3 – Possible | Risk event can be envisioned and occurrence is possible within the next 1 to 5 years. (A 1 in 5 year event.) |
4 – Likely | Risk event can be anticipated to occur within the next 1 to 2 years. (A 1 in 2 year event.) |
5 – Almost Certain | Risk event is expected to occur one or more times each year. (A multiple times per year event.) |
Brown University has defined the following 5 ratings for evaluating the relative effectiveness of processes/controls to mitigate relevant risks:
Process/Control Effectiveness Rating | Criteria for Opportunities | Criteria for Threats |
---|---|---|
1 – Optimal | Processes/Controls enable the University to realize maximum benefit from identified/associated opportunities, operate in a manner which creates a competitive advantage (e.g., low-cost solution, part of a decision support solution, faster than average conversion of data into actionable information, etc.), and enable the University to achieve its goals and maximize the value it creates. | Processes/Controls effectively mitigate the associated threat, operate in a manner which creates a competitive advantage (e.g., low-cost solution, part of a decision support solution, faster than average conversion of data into actionable information, etc.), and enable the University to achieve its goals and maximize the value it creates. |
2 – Meeting Requirements | Processes/Controls enable the University to realize some benefit from identified/ associated opportunities, and are designed and operating in a manner that provides management assurance that it will achieve the related objectives. | Processes/Controls effectively mitigate the associated threat, and are designed and operating in a manner that provides management assurance that it will achieve the related objectives. |
3 – Minor need for improvement | Minor deficiencies exist that prevent processes/controls from being adequately effective to enable the University to realize its desired benefit from identified/associated opportunities and have a minor, negative impact on the achievement of the related objectives. | Minor deficiencies exist that prevent processes/controls from being adequately effective to mitigate the associated threat, and have a minor impact on the achievement of the related objectives. |
4 – Needs Improvement | Deficiencies exist in the design and/or implementation of processes/controls which prevent the University from realizing its desired benefit from identified/associated opportunities, and have a moderate, negative impact on the achievement of the related objectives. | Deficiencies exist in the design and/or implementation of processes/controls which prevent the mitigation of the associated threat, and have a moderate impact on the University's ability to achieve the related objectives. |
5 – Ineffective/ Non-existent | Processes/controls are not designed and/or are not implemented and operating in a manner that provides reasonable assurance that the University will derive any benefit from identified/associated opportunities, and have a significant, negative impact on the achievement of the related objectives. | Processes/controls are not designed and/or are not implemented and operating in a manner that provides reasonable assurance that risk events will be prevented or detected and corrected in a timely manner, and have a significant impact on the University's ability to achieve the related objectives. |
Brown University defines risk relevance at the following three levels for its risk management process: risk assessment, risk management and risk remediation.
- For risk assessment, a risk is deemed relevant when management considers it, individually or in combination with other risks, to have some possibility of occurrence and a possible impact on the University’s achievement of one or more of its objectives (see the Strategy Map below).
- For risk management, a risk is deemed relevant when management determines that the gross risk rating is Minor or higher (see the Appropriate Risk Response descriptions in the gross risk table above).
- For risk remediation, a risk is deemed relevant when management determines that the residual risk rating is Minor or higher (see the Appropriate Risk Response descriptions in the residual risk table below).
The residual risk model indicates degrees of residual risk, calculated using the product of gross risk ratings and the effectiveness ratings of relevant controls to produce a Residual Risk Score, which is then converted to a Residual Risk Rating.
Residual Risk Heat Map (rows: Gross/Inherent Risk rating; columns: Control Effectiveness rating)

Gross/Inherent Risk Rating | 1 – Optimal | 2 – Meeting Requirements | 3 – Minor Need for Improvement | 4 – Needs Improvement | 5 – Ineffective/Non-existent |
---|---|---|---|---|---|
5 – Transformative/Severe | Moderate | Moderate | Significant | Severe | Severe |
4 – Major/Significant | Minor | Moderate | Significant | Significant | Severe |
3 – Moderate/Substantial | Minor | Moderate | Moderate | Significant | Significant |
2 – Minor/Low | Insignificant | Minor | Moderate | Moderate | Moderate |
1 – Insignificant | Insignificant | Insignificant | Minor | Minor | Moderate |
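As an added worked example (not part of the Brown URM document), the two scoring stages above encoded in Python: gross score = impact × likelihood, residual score = gross rating × control effectiveness rating, both mapped to ratings with the score ranges from the management response table, plus the relevance tests from the three risk relevance levels. The heat map check confirms that the product-and-ranges rule reproduces every cell of both maps as printed.

```python
# Added example (not from the Brown URM document): the page's gross and
# residual risk scoring, with its score ranges and heat map transcribed below.
RATING_NAMES = {1: "Insignificant", 2: "Minor", 3: "Moderate",
                4: "Significant", 5: "Severe"}
# Score ranges from the management response table, highest first:
# 20<=x<=25 -> 5, 12<=x<20 -> 4, 5<=x<12 -> 3, 3<=x<5 -> 2, 1<=x<3 -> 1.
THRESHOLDS = [(20, 5), (12, 4), (5, 3), (3, 2), (1, 1)]
# Gross heat map as printed: rows impact 5..1, columns likelihood 1..5. The
# residual map has the same cells over gross rating x control effectiveness.
HEAT_MAP = {
    5: ["Moderate", "Moderate", "Significant", "Severe", "Severe"],
    4: ["Minor", "Moderate", "Significant", "Significant", "Severe"],
    3: ["Minor", "Moderate", "Moderate", "Significant", "Significant"],
    2: ["Insignificant", "Minor", "Moderate", "Moderate", "Moderate"],
    1: ["Insignificant", "Insignificant", "Minor", "Minor", "Moderate"],
}

def _check_rating(value: int, name: str) -> None:
    if value not in range(1, 6):
        raise ValueError(f"{name} must be a 1..5 rating, got {value!r}")

def score_to_rating(score: int) -> int:
    """Map a 1..25 product score to a 1..5 rating via the page's ranges."""
    if not 1 <= score <= 25:
        raise ValueError(f"score must be in 1..25, got {score!r}")
    return next(rating for lower, rating in THRESHOLDS if score >= lower)

def gross_risk(impact: int, likelihood: int) -> tuple[int, int]:
    """Inherent/gross risk: (score, rating) with score = impact x likelihood."""
    _check_rating(impact, "impact"); _check_rating(likelihood, "likelihood")
    score = impact * likelihood
    return score, score_to_rating(score)

def residual_risk(gross_rating: int, control_effectiveness: int) -> tuple[int, int]:
    """Residual risk: score = gross rating x control effectiveness, where
    1 = Optimal and 5 = Ineffective/Non-existent, so weak controls raise it."""
    _check_rating(gross_rating, "gross rating")
    _check_rating(control_effectiveness, "control effectiveness")
    score = gross_rating * control_effectiveness
    return score, score_to_rating(score)

def assess(impact: int, likelihood: int, control_effectiveness: int) -> dict:
    """Full chain plus relevance: gross >= Minor (2) for risk management, residual >= Minor (2) for remediation."""
    g_score, g_rating = gross_risk(impact, likelihood)
    r_score, r_rating = residual_risk(g_rating, control_effectiveness)
    return {"gross_score": g_score, "gross_rating": RATING_NAMES[g_rating],
            "residual_score": r_score, "residual_rating": RATING_NAMES[r_rating],
            "relevant_for_management": g_rating >= 2,
            "relevant_for_remediation": r_rating >= 2}

def heat_map_matches() -> bool:
    """True if product-plus-ranges reproduces every printed heat map cell."""
    return all(RATING_NAMES[score_to_rating(r * c)] == HEAT_MAP[r][c - 1]
               for r in range(1, 6) for c in range(1, 6))
```

Note that with optimal controls (rating 1) the residual score equals the gross rating, so a Severe gross risk (5) can fall no lower than Moderate (score 5) under this model.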
Risk is defined as any condition or event, external or internal to the organization, that poses a threat to the achievement of University objectives, or an opportunity which increases the likelihood of our successful achievement of University objectives. Types of risks that will be faced include:
- Any matter that could damage/improve the reputation of Brown University and undermine/increase stakeholders’ confidence in the University,
- Any failure to comply with applicable regulatory requirements, such as those covering health and safety, financial reporting/disclosures, privacy and the environment,
- Any opportunity to improve internal operational and compliance processes, and
- Any failure to identify and seize opportunities to improve University operations, finances, reputation, safety, etc.
The concept of risk appetite is foundational for effective risk management. Risk appetite is defined as the level of exposure which is considered tolerable should it be realized. However, it should be noted that some risk is unavoidable and is not within the University’s ability to manage to a tolerable level (e.g., risks arising from terrorist activity and other catastrophic events, including ‘acts of God’). To the extent these risks can be avoided, transferred or minimized, Brown University will do so, and we will establish procedures for reacting to these risk events, when and if they occur.
Risk tolerance represents the application of risk appetite to specific objectives. Risk tolerance is defined as: The acceptable level of variation relative to achievement of Brown University objectives.
We establish the thresholds against which we rate the significance of risks, as a basis for defining the levels we will accept before requiring increasing levels of action by management and/or the Corporation.
We define Brown University’s risk tolerance in conjunction with our definition of our required risk treatment, according to the assessed gross risk and residual risk of each identified/relevant risk.
We express below Brown University’s definitions of Significance/Impact, Likelihood, Control Effectiveness, Gross Risk, Residual Risk and Appropriate Risk Response.
Gross risk is evaluated considering only the estimated likelihood and impact/significance of the identified risk, without consideration of the effectiveness of controls over the particular risk.
Residual risk is the estimated exposure of an identified risk after consideration of the effectiveness of controls (including any reduction of exposure due to transfer (contracts & insurance) of all or part of the estimated impact/exposure).
A risk assessment is the process by which Brown University identifies and associates all relevant risks to University objectives, and evaluates the significance of and likelihood of occurrence of each risk (Risk analysis). The process also involves management’s assessment of the effectiveness of the relevant controls and other risk management techniques in place to reduce possible negative impacts or enhance possible positive outcomes (Risk evaluation). During these risk assessments, management uses their best judgment, or, when/where available, considers the results of external audits, internal audits, other internal assessments and any other sources at their disposal.
The outcome of the risk assessment is a prioritized listing of relevant risks.
- The documented risk priorities provide a risk profile for Brown University which:
  - Captures the reasons for decisions made about what is and is not acceptable exposure/residual risk,
  - Facilitates recording of the manner in which the University decides to manage risks,
  - Facilitates review and monitoring of risks, and
  - Enables management to associate losses or other University process failures with related risk management techniques, to determine if the related risk event was managed as intended and, if necessary and appropriate, to define and deploy additional or improved risk management techniques.
- The highest level risks should be identified and considered regularly by management and the Committee on Risk and Audit of the Corporation, as specific risk priorities will change over time and prioritization will consequently change.
Brown University has defined the following five ratings for evaluating the significance/impact of relevant risks according to the potential effects of threats (factors: strategic, reputational, operational, safety/hazard, human capital, compliance/legal/environmental/fraud, and financial) and opportunities (factors: strategic, reputational, enrollment management & student success, operational, and financial). These ratings and the factors for distinguishing one from another are provided below. Two conventions apply when rating significance/impact:
- The factors are applied without consideration of existing controls and other risk management measures. For example, if a risk would result in a loss of $10 million and insurance coverage would cover $8 million of that loss, the risk should still be assessed at the full $10 million. Likewise, if the assessor believes that without controls the University’s activities could result in a cease and desist order by a regulatory body, but believes existing controls effectively reduce that exposure, the assessor should still rate the risk impact as ‘5 – Transformative/Severe’.
- The criteria reflect the cumulative impact over the course of 12 months. For example, if a risk event is likely to result in a $2.5M loss per occurrence and can only possibly occur once per year, the rating should be ‘Insignificant’. If another risk event is also expected to result in a $2.5M loss per occurrence, but can be expected to occur up to 12 times per year, that risk should be considered to have a possible impact of $30M and should be rated ‘4 – Major/Significant’.
Note: If the assessor believes that the potential impact of a risk meets the criteria for multiple ratings, which will more often than not be the case, the assessor should rate the risk at the highest applicable rating.
Significance Rating | Criteria for Opportunities | Criteria for Threats |
---|---|---|
1 – Insignificant | | |
2 – Minor/Low | | |
3 – Moderate/Substantial | | |
4 – Major/Significant | | |
5 – Transformative/Severe | | |
A graphic to display the strategic objectives for Brown University. These objectives are the basis for determining the relevance of threats and opportunities for the URM process.
As illustrated below, a conclusion on the effectiveness of processes/controls is not based solely on the degree to which controls reduce the impact and/or likelihood of risk events, but must also factor in the net benefit to the University. Our goal is not to eliminate threats or to seize all opportunities. Our goal is to optimize the value we are able to create, by taking appropriate action when practical and feasible.