University Risk Management

Process

Brown University’s Enterprise Risk Management (ERM) process is designed to provide a structured environment and organization that is risk aware and focused on the achievement of our risk objectives defined above and communicated to all levels of the organization.

The foundation of our ERM process is effective communications, which we rely on to ensure that all information about risks, risk events and related responsibilities is shared with the personnel responsible for the effective management of our key risks.

  • Identifying risks relevant for the University (those risks that may impact the ability to achieve one or more University objectives) and estimating the exposure of the University to each risk (risk exposure is calculated as the product of the likelihood of the risk occurring and the impact that arises if that risk event actually occurs),
  • Establishing risk appetite/tolerance for the University,
  • Identifying risk management techniques in place,
  • Evaluating the effectiveness of risk management techniques in managing risk to an acceptable level, for reasonable cost,
  • Coordinating the exchange of risk information among senior management, front-line faculty and administrative process owners, second-line risk management and compliance leaders, and relevant subject-matter experts within the University,
  • Determining if opportunities exist to improve URM, and
  • Deploying improved risk management techniques, when and where appropriate.
  • Understand possible barriers to the successful achievement of University objectives,
  • Consider risk in the development and execution of strategic and tactical plans and in the operation of the University,
  • Architect and continuously maintain University processes and associated controls in a manner which maximizes the return on capital, while ensuring compliance with all relevant laws and regulations,
  • Monitor external and internal events and risk factors and actual performance of the University,
  • Interpret the changing risk profile and performance data, and
  • Provide timely communications and clear direction to decision-makers and line management which is consistent with University objectives and risk tolerances.

Brown University’s URM strategy is to establish and maintain a structured approach to the effective management of its key risks.  This policy, and the process which supports it, is designed to ensure that the following objectives are met:

  • Strategic, financial reporting, operational and compliance controls directly support the management of key risks that threaten the achievement of the University’s objectives.
  • Executive management has an active, structured, and commonly shared knowledge of the range, and the relative priority, of risks that they have to manage.
  • Managers at every level share an understanding of key risks and priorities.
  • University objectives are set in terms that reflect Brown University’s strategic, financial reporting, operational and compliance risk priorities.
  • Responsibility for the management of risks is assigned to employees who have the authority and ability to ensure that they are managed.
  • Resources are assigned to the management of risks in such a way as to optimize value for the cost of those resources.
  • The University’s key risk priorities are communicated to management.
  • The Corporation is informed by upward reporting of key risks throughout the University.
  • With respect to key risks, the University timely identifies risk events, evaluates actual impacts versus defined risk tolerances, implements improved risk management techniques, where possible and appropriate, and shares lessons learned across the University.
  • The risk management system is functioning efficiently and effectively integrates with the University’s operational and strategic planning processes.

University Risk Management Approach

Brown University’s ERM approach is, by design, dynamic inasmuch as any lessons learned in the course of our operation will be used to adapt and improve risk management processes across the organization.  Therefore, communication is central and critical to the adaptability and effectiveness of our ERM approach.  Any material changes to the ERM process may be proposed by management but will require approval by the Chief Risk Officer.

The challenge for any organization to achieve effective ERM is to provide a framework which ensures that the right people have the information they need, when they need it, to determine the appropriate measures to take under the circumstances, obtain necessary authorization and resources to proceed, and take appropriate action in a timely manner.  Our approach is designed to meet this challenge.

Our approach comprises periodic, event-driven and ongoing processes (more detail is available in procedures prepared for each of the component activities indicated) effected and managed by the organization described below.

  • Risk Assessment:  Ensure that all relevant and significant enterprise risks are known and prioritized based on significance, likelihood and the effectiveness of related controls; that appropriate risk management techniques are identified; and any urgent situations are identified and addressed.  Accountable risk owners are identified for the highest priority risks and the risk owners prepare Risk Action Plans for these risks.
  • Review and, when/where necessary, revision of Brown University’s ERM policies and procedures.
  • Management Controls Assessments: Entity level controls assessment and process level controls self-assessments and objective reviews.
  • Present state of the Brown University risk universe to the Corporation.
  • Risk Management Committee to review Key Risk Indicators and other risk information (e.g. results of external audits, internal audits and other controls reviews/assessments; actions of regulators, risk events affecting the Company, economy, environment, etc.; student, staff, faculty and University partner feedback; etc.)
  • Internal Controls Assessments: Entity level controls assessment and process level controls self-assessments and objective reviews.
  • Present ERM status reports to the Corporation.
  • When events occur that exceed our risk appetite, University Risk Management will work with affected process owners to evaluate the conditions and determine that an appropriate risk response is identified and implemented.
  • Risk Identification:  Process owners should continuously identify operational risks that could impact the performance of their function or the achievement of their objectives/mission.

  • Risk Assessment: Process owners should evaluate operational risks as identified, and determine if appropriate/adequate risk management techniques are employed, and/or if there exist any opportunities to improve risk management.  Results of the assessment should be reviewed with University Risk Management, to determine if the operational risk is a part of a previously identified University risk, or if it is an indication of another University risk that should be added to the Risk Inventory.  If any urgent situations are identified, University Risk Management, and others, as appropriate, should be notified.

  • Process owners should continuously review available performance data and reevaluate, and when necessary/appropriate, reset key performance indicators (KPIs) and key risk indicators (KRIs) for their respective areas of responsibility.

  • Process owners should actively and regularly monitor actual performance considering defined KPIs and KRIs, and communicate through appropriate channels when results indicate a risk event or a change in our risk profile.

  • Communications are distributed regularly and frequently to employees regarding their responsibilities relative to risk management.  Special communications are also distributed when an event occurs or condition exists which helps reinforce the importance of diligence of all employees, and/or when an employee’s or employees’ actions merit recognition for exemplary performance related to their risk management duties.

  • Brown’s Anonymous Reporting Hotline is available for customers, employees and the general public to report compliance issues and unethical activity. The hotline may be accessed via the online portal and/or by phone; dial toll-free: 877-318-9184. Brown University has established a process to review all reports through the hotline and take appropriate action in a timely manner.  Reporting a concern will not jeopardize your employment and is a service to “Your Brown.” Make “Your Voice” heard, call 877-318-9184 or click here to report.

University Risk Management Communications

Communication within Brown University about risk issues is important to ensure that:

  • Each employee understands what Brown University’s risk strategy is, what the key risk priorities are, and how their particular responsibilities fit into the University’s URM framework,
  • Transferable lessons are learned and communicated to those who can benefit from them, and
  • Each level of management receives regular assurance about the management of key risks within their area of control.
  • Copies of this policy statement should be issued to all new employees as part of the orientation process.