University Risk Management

Definition of Terms

From Risk Appetite to Strategy Map, educate yourself on all of the associated terms around risk management.

Management considered the guidance from numerous sources of URM thought leadership in formulating our own strategy and processes for risk management. 

We define URM as a process for identifying, analyzing, evaluating, and ultimately responding to and monitoring both “upside” (opportunities) and “downside” (threats) risk across Brown University, and considering all risks in the context of the University’s strategic plan, built upon a foundation of ownership, accountability, and transparency.

Risk management is the process whereby Brown University will methodically identify and address the risks to successful achievement of its objectives with the aim of achieving sustained benefit within each key activity and across the portfolio of all key activities.

Our pursuit of effective risk management includes the identification and treatment of all relevant risks. Our objective is to add maximum sustainable value to all the activities of the organization.  We will marshal the understanding of the potential upside and downside of all key risk factors that can affect the organization.  We intend for URM to increase the probability of success and reduce both the probability of failure and the uncertainty of achieving Brown University’s objectives.

Resources for managing risk are finite so we aim to achieve an optimum response to key risks, prioritized in accordance with an evaluation of the significance and likelihood of those risks.  We recognize that risk is unavoidable, and we must take action to manage risk, in a justifiable and feasible manner, to a level that is acceptable to our stakeholders.

Responses to key risks will involve one or more of the following approaches:

For threats:

  • Treat:  Taking actions to reduce the likelihood of a risk's occurrence at Brown, and/or reduce the impact of the risk, should it occur;
  • Tolerate:  An informed decision to accept that a risk may occur, and nothing more should be done to reduce or further reduce the likelihood or impact of the risk;
  • Transfer:  Transferring or sharing all or some of the exposure of a risk; and
  • Terminate:  Eliminating the activity giving rise to the risk.

For opportunities:

  • Take:  An informed decision to exploit, or make an opportunity definitely happen (i.e., increase probability to 100%). Aggressive measures are taken which seek to ensure that the benefits from this opportunity are realized by the University;
  • Turn up: Take actions designed to increase the likelihood and/or impacts (consequences) of an opportunity for Brown;
  • Take Part (or Team up): Seek a partner able to share or manage the opportunity that can maximize the chance of it happening and/or increase the potential benefits. Involves sharing any upside; and
  • Turn Down: An informed decision to ignore, or make no active pursuit of an opportunity.

Every organization functions within an environment which both influences the risks faced and provides a context within which risk has to be managed. For example, Brown University has partners (such as donors, grantors, customers, vendors, strategic alliances, financiers, consultants, etc.) upon which it depends for the delivery of its objectives.

We recognize that we must give full consideration to the context in which Brown University functions and address certain risk priorities of partner organizations.  In our assessment of key risks we not only consider Brown University’s perspective but also take into account perspectives of our key partners.

The Inherent/Gross Risk model shown below indicates degrees of gross risk.  The Inherent/Gross Risk Score is calculated as the product of impact/severity and likelihood ratings, then converted to an Inherent/Gross Risk Rating:

Inherent/Gross Risk Heat Map

| Significance/Impact (rows) / Likelihood (columns) | 1 Remote | 2 Unlikely | 3 Possible | 4 Likely | 5 Almost Certain |
| --- | --- | --- | --- | --- | --- |
| 5 Transformative/Severe | Moderate | Moderate | Significant | Severe | Severe |
| 4 Major/Significant | Minor | Moderate | Significant | Significant | Severe |
| 3 Moderate/Substantial | Minor | Moderate | Moderate | Significant | Significant |
| 2 Minor/Low | Insignificant | Minor | Moderate | Moderate | Moderate |
| 1 Insignificant | Insignificant | Insignificant | Minor | Minor | Moderate |

Management Response Appropriate for Inherent/Gross Risk Rating:

| Inherent/Gross Risk Rating | Inherent/Gross Risk Score | Appropriate Risk Response |
| --- | --- | --- |
| 5 Transformative/Severe | 20 <= x <= 25 | Requires executive management and Corporation direction of mitigation through controlling, transferring, or avoiding threats (Tolerate, treat, transfer or terminate), or pursuing and seizing opportunities (Take, Turn up, Take part or Turn down). Requires strong controls and regular monitoring to manage to an acceptable level of residual risk. |
| 4 Major/Significant | 12 <= x < 20 | Requires senior and executive management direction of mitigation through controlling, transferring, or avoiding threats (Tolerate, treat, transfer or terminate), or pursuing and seizing opportunities (Take, Turn up, Take part or Turn down). Requires some controls and regular monitoring to manage to an acceptable level of residual risk. |
| 3 Moderate/Substantial | 5 <= x < 12 | Senior management must be aware of and direct implementation of controlling, transferring, avoiding, or risk acceptance based upon cost/benefit analysis of threats and opportunities. Requires some controls and monitoring to manage moderate to very high severity risks to an acceptable level of residual risk. |
| 2 Minor/Low | 3 <= x < 5 | Managed through routine procedures, specific monitoring, or response procedures. Requires some controls to manage high severity/impact risks to an acceptable level of residual risk. |
| 1 Insignificant | 1 <= x < 3 | Unlikely to require specific application of resources unless risk profile changes. Acceptable level of risk. |

Brown University has defined the following 5 ratings for evaluating the likelihood of occurrence of relevant risks:

| Likelihood Rating | Criteria |
| --- | --- |
| 1 – Remote | Risk event is conceivable but highly unlikely to occur (e.g., may require a series of events to occur and/or may never have occurred at Brown University). (A 1 in 20 or more year event.) |
| 2 – Unlikely | Risk event can be envisioned and may have occurred previously, but is unlikely to occur in the next year. (A 1 in 10 year event.) |
| 3 – Possible | Risk event can be envisioned and occurrence is possible within the next 1 to 5 years. (A 1 in 5 year event.) |
| 4 – Likely | Risk event can be anticipated to occur within the next 1 to 2 years. (A 1 in 2 year event.) |
| 5 – Almost Certain | Risk event is expected to occur one or more times each year. (A multiple times per year event.) |

Brown University has defined the following 5 ratings for evaluating the relative effectiveness of processes/controls to mitigate relevant risks:

| Process/Control Effectiveness Rating | Criteria for Opportunities | Criteria for Threats |
| --- | --- | --- |
| 1 – Optimal | Processes/Controls enable the University to realize maximum benefit from identified/associated opportunities, and operate in a manner which creates a competitive advantage (e.g. low cost solution, part of decision support solution, better than average speed conversion of data into actionable information, etc.) and enable the University to achieve its goals and maximize the value it creates. | Processes/Controls effectively mitigate the associated threat, and operate in a manner which creates a competitive advantage (e.g. low cost solution, part of decision support solution, better than average speed conversion of data into actionable information, etc.) and enable the University to achieve its goals and maximize the value it creates. |
| 2 – Meeting Requirements | Processes/Controls enable the University to realize some benefit from identified/associated opportunities, and are designed and operating in a manner that provides management assurance that it will achieve the related objectives. | Processes/Controls effectively mitigate the associated threat, and are designed and operating in a manner that provides management assurance that it will achieve the related objectives. |
| 3 – Minor need for improvement | Minor deficiencies exist that prevent processes/controls from being adequately effective to enable the University to realize its desired benefit from identified/associated opportunities and have a minor, negative impact on the achievement of the related objectives. | Minor deficiencies exist that prevent processes/controls from being adequately effective to mitigate the associated threat, and have a minor impact on the achievement of the related objectives. |
| 4 – Needs Improvement | Deficiencies exist in the design and/or implementation of processes/controls, which prevent the University from realizing its desired benefit from identified/associated opportunities and have a moderate, negative impact on the achievement of the related objectives. | Deficiencies exist in the design and/or implementation of processes/controls, which prevent the mitigation of the associated threat, and have a moderate impact on the University's ability to achieve the related objectives. |
| 5 – Ineffective/Non-existent | Processes/controls are not designed and/or are not implemented and operating in a manner that provides reasonable assurance that the University will derive any benefit from identified/associated opportunities, and have a significant, negative impact on the achievement of the related objectives. | Processes/controls are not designed and/or are not implemented and operating in a manner that provides reasonable assurance that risk events will be prevented or detected and corrected in a timely manner, and have a significant impact on the University's ability to achieve the related objectives. |

Brown University defines risk relevance at the following three levels for its risk management process: risk assessment, risk management and risk remediation.

  • For risk assessment, a risk is deemed relevant, when management considers it, individually, or in combination with other risks, to have some possibility of occurrence, and have a possible impact on the University’s achievement of one or more of its objectives (See Strategy Map below).
  • For risk management, a risk is deemed relevant, when management determines that the gross risk rating is minor or higher (see Appropriate Risk Response descriptions in the gross risk table below).
  • For risk remediation, a risk is deemed relevant, when management determines that the residual risk rating is minor or higher (see Appropriate Risk Response descriptions in the residual risk table below).

The residual risk model indicates degrees of residual risk, calculated using the product of gross risk ratings and the effectiveness ratings of relevant controls to produce a Residual Risk Score, which is then converted to a Residual Risk Rating.

Residual Risk Heat Map

| Gross/Inherent Risk Rating (rows) / Control Effectiveness (columns) | 1 Optimal | 2 Meeting Requirements | 3 Minor Need for Improvement | 4 Needs Improvement | 5 Ineffective/Non-existent |
| --- | --- | --- | --- | --- | --- |
| 5 Transformative/Severe | Moderate | Moderate | Significant | Severe | Severe |
| 4 Major/Significant | Minor | Moderate | Significant | Significant | Severe |
| 3 Moderate/Substantial | Minor | Moderate | Moderate | Significant | Significant |
| 2 Minor/Low | Insignificant | Minor | Moderate | Moderate | Moderate |
| 1 Insignificant | Insignificant | Insignificant | Minor | Minor | Moderate |
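
The scoring described above, as an added example that is not Brown University's own code: it computes the gross score (impact × likelihood) and the residual score (gross rating × control effectiveness), converts each to a rating with the score bands from the response table, and checks the bands against the heat map as published. Assumptions: the residual score uses the same bands as the gross score (the page states bands only for gross risk, but the two heat maps are identical), and the function names and register entries are constructed for illustration.

```python
# Score bands from the page's response table: (inclusive lower bound, rating, label).
BANDS = [(20, 5, "Severe"), (12, 4, "Significant"), (5, 3, "Moderate"),
         (3, 2, "Minor"), (1, 1, "Insignificant")]

# Heat map transcribed from the page: key = row rating (impact or gross rating),
# list = cells for column ratings 1..5 (likelihood or control effectiveness).
PUBLISHED_HEAT_MAP = {
    5: ["Moderate", "Moderate", "Significant", "Severe", "Severe"],
    4: ["Minor", "Moderate", "Significant", "Significant", "Severe"],
    3: ["Minor", "Moderate", "Moderate", "Significant", "Significant"],
    2: ["Insignificant", "Minor", "Moderate", "Moderate", "Moderate"],
    1: ["Insignificant", "Insignificant", "Minor", "Minor", "Moderate"],
}

# Constructed sample register: (name, impact, likelihood, control effectiveness).
SAMPLE_REGISTER = [
    ("Research data breach", 5, 3, 4),
    ("Payment card non-compliance", 4, 2, 2),
    ("Campus kiosk outage", 2, 2, 1),
    ("Ransomware on admin systems", 5, 4, 3),
]


def _one_to_five(name, value):
    """Reject anything that is not an integer rating on the page's 1-5 scales."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


def rate(score):
    """Convert a 1-25 score to (rating number, label) using the score bands."""
    for lower, number, label in BANDS:
        if score >= lower:
            return number, label
    raise ValueError(f"score {score} is below the lowest band")


def gross_risk(impact, likelihood):
    """Gross score = impact x likelihood, ignoring controls."""
    score = _one_to_five("impact", impact) * _one_to_five("likelihood", likelihood)
    return (score, *rate(score))


def residual_risk(gross_rating, control_effectiveness):
    """Residual score = gross rating x control effectiveness (1 = Optimal)."""
    score = (_one_to_five("gross_rating", gross_rating)
             * _one_to_five("control_effectiveness", control_effectiveness))
    return (score, *rate(score))


def mismatched_cells():
    """List heat-map cells where the score bands and the published grid disagree."""
    bad = []
    for row, labels in PUBLISHED_HEAT_MAP.items():
        for col, published in enumerate(labels, start=1):
            computed = rate(row * col)[1]
            if computed != published:
                bad.append((row, col, published, computed))
    return bad


def prioritize(register):
    """Keep risks whose residual rating is Minor or higher, highest residual first."""
    rows = []
    for name, impact, likelihood, control in register:
        g_score, g_rating, g_label = gross_risk(impact, likelihood)
        r_score, r_rating, r_label = residual_risk(g_rating, control)
        if r_rating >= 2:  # the page's relevance test for risk remediation
            rows.append({"name": name, "gross": (g_score, g_label),
                         "residual": (r_score, r_label)})
    return sorted(rows, key=lambda r: (r["residual"][0], r["gross"][0]), reverse=True)


if __name__ == "__main__":
    print("cells that disagree with the published heat map:", mismatched_cells())
    for row in prioritize(SAMPLE_REGISTER):
        print(f'{row["name"]}: gross {row["gross"]}, residual {row["residual"]}')
```

In this model a control rated 5 (Ineffective/Non-existent) can push the residual rating above the gross rating: a gross rating of 3 with control effectiveness 5 scores 15, which is Significant.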

Any condition or event, external or internal to the organization, that poses a threat to the achievement of University objectives or an opportunity which increases the likelihood of our successful achievement of University objectives.  Types of risks that will be faced include:

  • Any matter that could damage/improve the reputation of Brown University and undermine/increase stakeholders’ confidence in the University,
  • Any failure to comply with applicable regulatory requirements, such as those covering health and safety, financial reporting/disclosures, privacy and the environment,
  • Any opportunity to improve internal operational, compliance processes, and
  • Any failure to identify and seize opportunities to improve University operations, finances, reputation, safety, etc.

The concept of risk appetite is foundational for effective risk management.  Risk appetite is defined as the level of exposure which is considered tolerable should it be realized.  However, it should be noted that some risk is unavoidable and is not within the University’s ability to manage to a tolerable level (e.g., risks arising from terrorist activity and other catastrophic events, including ‘acts of God’).  To the extent these risks can be avoided, transferred or minimized, Brown University will do so, and we will establish procedures for reacting to these risk events, when and if they occur.

Risk tolerance represents the application of risk appetite to specific objectives.  Risk tolerance is defined as:  The acceptable level of variation relative to achievement of Brown University objectives.

We establish the thresholds against which we rate the significance of risks, as a basis for defining the levels we will accept before requiring increasing levels of action by management and/or the Corporation.

We define Brown University’s risk tolerance in conjunction with our definition of our required risk treatment, according to the assessed gross risk and residual risk of each identified/relevant risk.

Below we set out Brown University’s definitions of Significance/Impact, Likelihood, Control Effectiveness, Gross Risk, Residual Risk and Appropriate Risk Response.

Gross risk is evaluated considering only the estimated likelihood and impact/significance of the identified risk, without consideration of the effectiveness of controls over the particular risk.

Residual risk is the estimated exposure of an identified risk after consideration of the effectiveness of controls (including any reduction of exposure due to transfer (contracts & insurance) of all or part of the estimated impact/exposure).

A risk assessment is the process by which Brown University identifies and associates all relevant risks to University objectives, and evaluates the significance of and likelihood of occurrence of each risk (Risk analysis).  The process also involves management’s assessment of the effectiveness of the relevant controls and other risk management techniques in place to reduce possible negative impacts or enhance possible positive outcomes (Risk evaluation).  During these risk assessments, management uses their best judgment, or, when/where available, considers the results of external audits, internal audits, other internal assessments and any other sources at their disposal.

The outcome of the risk assessment is a prioritized listing of relevant risks.

  • The documented risk priorities provide a risk profile for Brown University which:
    •  Captures the reasons for decisions made about what is and is not acceptable exposure/residual risk,
    •  Facilitates recording of the manner in which it decides to manage risks,
    •  Facilitates review and monitoring of risks, and
    •  Enables management to associate losses or other University process failures with related risk management techniques, to determine if the related risk event was managed as intended, and if necessary and appropriate, define and deploy additional or improved risk management techniques.
  • The highest level risks should be identified/considered regularly by management and the Committee on Risk and Audit of the Corporation as specific risk priorities will change over time and prioritization will consequently change.

Brown University has defined the following five ratings for evaluating the significance/impact of relevant risks according to potential effects of threats (Factors: Strategic, reputational, operational, safety/hazard, human capital, compliance/legal/environmental/fraud, and financial) and opportunities (Factors: Strategic, reputational, enrollment management & student success, operational, and financial). These ratings and the factors for distinguishing one from another are provided below.

These factors should be applied without consideration of existing controls and other risk management measures. For example, if a risk would result in a loss of $10 million, and we have insurance coverage that will cover $8 million of that loss, the risk should be assessed at the full $10 million. Also, if the assessor believes that without controls our activities could result in a cease and desist order by a regulatory body, but believes controls effectively reduce that exposure, the assessor should rate the risk impact a ‘5 – Transformative/Severe’.

The factors are applied with the assumption that the criteria reflect the cumulative impact over the course of 12 months. For example, if a risk event is likely to result in a $2.5M loss per occurrence, and can only possibly occur once per year, the rating should be ‘Insignificant’. If another risk event is also expected to result in a $2.5M loss, but can be expected to occur up to 12 times per year, that risk should be considered to have a possible impact of $30M, so it should be rated ‘4 – Major/Significant’.

Note: If the assessor believes, and this will more often than not be the case, that the potential impact of a risk meets the criteria for multiple ratings, the assessor should rate the risk at the highest applicable rating.

Significance ratings, each with its criteria for opportunities and its criteria for threats:

1 – Insignificant

Criteria for Opportunities:
  • No meaningful alignment with Brown vision and mission
  • No meaningful contribution to competitive advantage or long-term viability
  • No measurable effect on the progress of any strategic goal
  • No positive publicity
  • No lasting effect on Brown reputation/image
  • No noticeable improvement in recruitment, retention, completion, or student satisfaction with Brown experience
  • No observed improvements in efficiency, client/student programs and services, environmental sustainability, or infrastructure
  • <.5% of annual Brown operating revenue (approximately $4.5M for FY18) financial impact (e.g. Increase in net assets, earnings, endowment or University value)
  • Minimal liquidity improvement.  Opportunity would not improve our ability to meet obligations coming due

Criteria for Threats:
  • Minimal impact on the progress on one Brown strategic goal
  • Limited negative publicity
  • No effect on Brown's reputation or market share
  • Results in no, or brief inconvenience for some students, customers or business partners.
  • Operational issues solved by staff or middle mgmt. through existing routines and resources
  • No disruption of critical operations and services
  • 1-2 day disruption of a department
  • Minor impact on efficiency, client/student programs and services, environmental sustainability, or infrastructure
  • No effect on leadership effectiveness
  • Injuries or ailments not requiring medical treatment
  • Affects less than 5% of employees
  • No collective bargaining impact
  • No impact on recruitment or retention
  • No legal/regulatory impact
  • Not a result of fraud.
  • Minimal fines
  • Minor Audit findings
  • Short-term agency scrutiny
  • <.1% of annual Brown Net Assets (approximately $4M for FY18) financial impact (e.g. decline or loss of assets, earnings, endowment or University value)
  • No liquidity impact, occurrence would not delay our ability to meet obligations coming due

2 – Minor/Low

Criteria for Opportunities:
  • Minor alignment with Brown vision and mission
  • Minor contribution to competitive advantage or long-term viability
  • Minor progress on one strategic goal
  • Limited, local positive publicity
  • No lasting effect on Brown reputation/image
  • Minor improvement in recruitment, retention, completion, or student satisfaction with Brown experience
  • Minor improvements in efficiency, client/student programs and services, environmental sustainability, or infrastructure
  • .5% to 1% of annual Brown operating revenue (approximately $4.5M to $9M for FY18) financial impact (e.g. Increase in net assets, earnings, endowment or University value)
  • Minimal liquidity improvement.  Opportunity would not improve our ability to meet obligations coming due

Criteria for Threats:
  • Slows progress on one of Brown's strategic goals
  • Local/regional negative publicity
  • Impact to market share and/or reputation is isolated to few stakeholders/customers
  • Minor, short-term effect on Brown reputation/image
  • Ops issues solved by mid and senior mgmt. using existing routines and resources
  • 3- to 5-day disruption of several departments or one critical service
  • Moderate impact on efficiency, client/student programs and services, environmental sustainability, or infrastructure
  • Moderate effect on leadership effectiveness
  • Minor injury, First Aid Treatment required.
  • Self-insured workers’ compensation injury/exposure possible
  • Affects 5-10% of employees
  • Collective bargaining may be required
  • <5% employee turnover
  • Minimal legal/regulatory impact
  • Not a result of fraud
  • Minor legal liability exposure / Short-term agency scrutiny
  • Minor, reparable environmental damage
  • Audit findings requiring programmatic changes
  • .1% to .25% of annual Brown Net Assets (approximately $4M to $10M for FY18) financial impact (e.g. decline or loss of assets, earnings, endowment or University value)
  • Minor liquidity impact, occurrence would delay less than one day our ability to meet obligations coming due

3 – Moderate/Substantial

Criteria for Opportunities:
  • Substantial alignment with Brown vision and mission
  • Substantial contribution to competitive advantage or long-term viability
  • Substantial progress on one strategic goal
  • Positive publicity and external recognition
  • Moderate, short-term improvement to Brown’s reputation/image
  • Positive effect on Brown’s academic, environmental, or research reputation
  • Substantial improvement in recruitment, retention, completion, or student satisfaction with Brown experience
  • Substantial improvements in efficiency, client/student programs and services, environmental sustainability, or infrastructure
  • 1% to 2% of annual Brown operating revenue (approximately $9M to $18M for FY18) financial impact (e.g. Increase in net assets, earnings, endowment or University value)
  • Substantial liquidity improvement.  Opportunity temporarily improves our ability to meet current obligations

Criteria for Threats:
  • Moderate impact to one or more of Brown's strategic goals
  • National or local negative publicity requiring Brown action to control the message
  • Moderate, short-term damage to market share and/or reputation
  • Ops issues solved by senior mgmt. via a special project and requiring unbudgeted resources and/or reprogramming of budgeted projects
  • 6- to 10-day disruption of a College, School, or Division or several critical services
  • Substantial impact on efficiency, client/student programs and services, environmental sustainability, or infrastructure
  • Substantial impact on leadership effectiveness
  • Serious injury causing hospitalization or multiple medical treatment cases
  • Self-insured workers’ compensation injury probable
  • Affects 11-25% of employees
  • Collective bargaining required
  • 5-10% employee turnover
  • Moderate legal/regulatory impact (Exam - matters requiring attention, lawsuits)
  • Moderate legal liability exposure / Moderate-term agency scrutiny
  • Moderate, reparable environmental damage
  • Audit findings requiring programmatic changes
  • Enforcement action likely
  • .25% to .5% of annual Brown Net Assets (approximately $10M to $21M for FY18) financial impact (e.g. decline or loss of assets, earnings, endowment or University value)
  • Moderate liquidity impact, occurrence temporarily impairs ability to meet current obligations

4 – Major/Significant

Criteria for Opportunities:
  • Complete alignment with Brown vision and mission
  • Major contribution to competitive advantage or long-term viability
  • Accelerates progress on one or more strategic goals
  • Positive national publicity or external recognition
  • Long-term enhancement of Brown’s academic, environmental, or research reputation
  • Major improvement in recruitment, retention, completion, or student satisfaction with Brown experience
  • Major improvements in efficiency, client/student programs and services, environmental sustainability, or infrastructure
  • 2% to 4% of annual Brown operating revenue (approximately $18M to $36M for FY18) financial impact (e.g. Increase in net assets, earnings, endowment or University value)
  • Major liquidity improvement. Opportunity provides additional liquidity to fund current obligations for foreseeable future

Criteria for Threats:
  • Could prevent the achievement of one or more of Brown's strategic objectives, requires executive mgmt. and Board attn.
  • National/International negative publicity, Brown cannot control the message
  • Significant impact to market share, reputation, and/or key alliances
  • Significant decrease in enrollment or research funding
  • Ops issues require senior and executive management attention to repair or create operations, customer service, and brand
  • 10- to 30-day disruption of 2 or more Colleges, Schools, or Divisions or three or more critical services
  • Serious impact on efficiency, client/student programs and services, environmental sustainability, or infrastructure
  • Serious effect on leadership effectiveness
  • Life threatening injury or multiple serious injuries causing hospitalization.
  • Self-insured workers’ compensation injury/exposure
  • Affects 26-50% of employees
  • Collective bargaining required
  • 10-25% employee turnover
  • Significant legal/regulatory impact (e.g. regulatory enforcement actions, class-action suits)
  • Serious legal liability exposure / Imposed settlement or corporate integrity agreement
  • Environmental damage eligible for EPA National Priorities List
  • Long-term agency scrutiny
  • Organizational criminal prosecution/ Record financial judgment
  • .5% to 1% of annual Brown Net Assets (approximately $21M to $42M for FY18) financial impact (e.g. decline or loss of assets, earnings, endowment or University value)
  • Significant liquidity impact, occurrence causes obligations to become delinquent

5 – Transformative/Severe

Criteria for Opportunities:
  • Complete alignment with Brown vision and mission
  • Definitively enhances competitive advantage or long-term viability
  • Fulfills strategic plan
  • Positive national publicity and external recognition
  • Permanent enhancement of Brown’s academic, environmental, or research reputation
  • Results in a significant increase in enrollment, student academic quality, and/or research funding
  • Meets or exceeds recruitment, retention, completion, or student satisfaction with Brown experience goals
  • Transformative improvements in efficiency, client/student programs and services, environmental sustainability, or infrastructure
  • >4% of annual Brown operating revenue (approximately $36M for FY18) financial impact (e.g. Increase in net assets, earnings, endowment or University value)
  • Significant liquidity improvement. Opportunity provides excess liquidity to fund additional investments

Criteria for Threats:
  • Brown strategic plan failure
  • National/International negative publicity which could permanently impair Brown's image/reputation
  • Sustained severe loss in market share, reputation, and alliances
  • Severe decrease in enrollment or research funding
  • Sustained severe business interruption requiring executive mgt. and Board attention in order to survive
  • > 30-day disruption of 2 or more Colleges, Schools, or Divisions or three or more critical services
  • Operations are unsustainable, and/or infrastructure is unsuitable for use
  • Leadership failure results in long-term damage to the institution
  • Death or multiple life threatening injuries.
  • Affects over 50% of employees
  • Collective bargaining required
  • >25% employee turnover
  • Critical legal/regulatory impact (cease and desist order, severe loss due to litigation)
  • Severe legal liability exposure
  • Severe environmental damage eligible for EPA National Priorities List
  • Threatens viability of Brown's research mission
  • Loss of all federal research or Title IV funds
  • >1% of annual Brown Net Assets (approximately $42M for FY18) financial impact (e.g. decline or loss of assets, earnings, endowment or University value)
  • Insolvency - Severe impact to liquidity causes other than temporary inability to meet obligations

A graphic to display the strategic objectives for Brown University.  These objectives are the basis for determining the relevance of threats and opportunities for the URM process.

As illustrated below, a conclusion on the effectiveness of processes/controls is not based solely on the degree to which controls reduce the impact and/or likelihood of risk events, but must also factor in the net benefit to the University.  Our goal is not to eliminate threats or to seize all opportunities.  Our goal is to optimize the value we are able to create, by taking appropriate action when practical and feasible.