Running head: RISK MANAGEMENT POLICY ANALYSIS 1

Risk Management Policy Analysis

Lizz Giordano

University of North Carolina at Greensboro

RISK MANAGEMENT POLICY ANALYSIS 2

Policy Summary:

The University of North Carolina at Greensboro published a policy on risk management

in February 2016. The institution states that “Risk refers to the probability of an event and

potential consequences, both positive and negative (2016).” The institution states that all parties

at the university are responsible for managing risk and that not all risks can be avoided or

eliminated from activities that take place at the institution. The policy begins with an overview of

what risk is and what types of risk can be encountered including: strategic, compliance,

reputational, financial, operational, and hazardous.

The policy is comprised of three tiers for managing risk. The institution describes each

tier as

“Tier I risks have the potential to significantly affect the university's mission,

strategies and goals. Tier II risks are shared risks across multiple areas or single

area risks with cascading impacts. Tier III risks are unit or single area risks which

are largely identified and managed at the department level. (n.a., 2016).”

The institution then goes on to outline how to be effective with the policy, key outcomes for the

university, the groups that are responsible for upholding the policy, the process of dealing with

risk management on campus, and who will enforce the policy. The university policy states that

“Each member of the University community has a role to play in risk identification and

management through the integration of risk management and planning processes and the

embedding of risk management processes into management activities. (n.a., 2016).”

Analysis:
RISK MANAGEMENT POLICY ANALYSIS 3

It is important to understand background information surrounding the need to create risk

management policies at higher education institutions. Saunders and Wilson (2017) stated that

“Laws such as the Jeanne Clery Act, a federal statute that evolved from a crime-

reporting bill to call for promoting student safety on campus (Lake, 2013), and

directives from the Office of Civil Rights in the Department of Education

regarding sexual assault prevention and reporting, have affected student affairs

practice. (p. 93, para. 5).”

They also suggested that “increased responsibility for student safety includes describing

potential risks, educating students about foreseeable risks, and developing systems of reporting,

as well as supporting victims and affected communities. (Saunders & Wilson, 2017, p. 93, para.

5).” This shows that it is inherent upon student affairs administrators to educate the students

they come into close contact with on best practices surrounding risk management. It is not just

about having a policy in place it is about ensuring that the student body and all faculty and staff

clearly understand what goes into the risk associated with various types of events that could

occur on campus.

There are many pros and cons to the risk management policy at The University of North

Carolina at Greensboro. One positive is that there is a definitive plan in place to handle any risk

or issues that arise. Another is that the institution just conducted a simulation of a mass shooter

on campus to practice how they would handle risk of this capacity. Another positive is that the

policy gets reviewed every three to five years; therefore, if any issues do arise or any changes

need to be made, it is possible to revise the policy. One negative to the policy is that not

everyone on campus knows the policy, if a student is unaware of how risk is handled they may

not understand the procedures in place. Another negative could be if a change in staff occurs and
RISK MANAGEMENT POLICY ANALYSIS 4

a situation happens prior to them being fully aware of the policy. Another con could be that if the

risk occurs and incapacitates the people in charge of dealing with the situation could have

unforeseen consequences.

One piece of the UNCG Risk Management Policy (2016) is “The institution's risks are

within its risk criteria.” When reviewing this line of the policy it is important to determine what

is the institution’s risk criteria. The policy outlines various processes in determining risk. One

key piece that could assist with better understanding what the institution considers risk criteria is

“Unit Risk Assessment is a process intended to identify individual risks based on likelihood of

occurrence and potential institutional impact should they occur. (2016).” The institution utilizes

assessment processes to better identify risk based on how likely they are to occur and the impact

these events would have on the campus.

Overall, the current risk management policy is strong, and does not need to be revised at

this time. The staff that is in place to assist with risk management is still at the university, and the

current policy was recently revised in February 2016, only two years ago. It may be wise for the

board to review the policy next year, to ensure that what is in place is still working and relevant

to the times. One thing that could change is more language surrounding gun violence and mass

casualty events that could occur on campus. With the political climate and issues surrounding

violence at schools and higher education institutions, it is important to have policy and language

relating to these large-scale events. Another thing to consider is unforeseen risk; an example of

this is the recent collapse of a foot pedestrian bridge at Florida International University in Miami.

The bridge collapsed only three days after construction was completed. The policy in place does

account for any type of risk, but creating a policy surrounding these large risks that are
RISK MANAGEMENT POLICY ANALYSIS 5

catastrophic and unexpected, could be helpful to students, faculty, and staff at the university as

well as the community neighboring the institution.

When thinking of this policy another thing comes to mind, FEMA training. This training

correlates to this policy because it goes over what to do when risk issues arise. Something

institutions can consider is having students, faculty, and staff do some version of this training to

allow for a better understanding of the risk management policy. This can help all members of the

campus community better prepare and truly understand what to do when disaster strikes at a

university. One thing that helped a portion of the UNCG community was the active shooter

simulation that occurred back in February 2018. This helped UNCG Police, staff, faculty,

students, and the Risk Management Team understand and practice how a situation could play out

if this were to occur in real time at the university. It is important to note that the simulation did

not involve all parties at the institution; therefore, it is nearly impossible to determine if events

that played out during the simulation will occur the same way in real-time.

Implications:

The policy is important to have in place because it is for institution wide risk

management. One negative to the policy is that most student affairs offices require a risk

management policy or procedure in addition to the institution wide policy. If offices have a

vastly different policy, this can be an issue if a larger risk occurs and offices are used to handling

things in a variety of ways. Another implication to this issue is that staff could be used to the

policy they utilize in their offices or to the current policy, and if the institution revises the policy,

staff must be updated quickly for the institution to make a seamless transition to the new policy.

This can be complicated, in that not all staff will look at the updated policy and would be

unaware of the changes, thus causing confusion and more issues if an event occurs on campus.
RISK MANAGEMENT POLICY ANALYSIS 6

The policy is affecting the campus community because it is in place to ensure the safety

of the campus at large. When crimes occur on or near campus, every member of the UNCG

community is alerted of what is going on as quickly as the officers can report to the campus. This

can be of concern for some people on campus because the event can be occurring where you

reside or in the academic building where you are taking class. Recently a stabbing was reported

in an academic building that was then said to be a false report. This can be of issue to students

and faculty that were in the building at the time of the alleged stabbing because panic arose that

was unwarranted due to the reporting by officials. The need to be quick with reporting can be an

issue when it comes to risk management since students, faculty, and staff will be on high alert

when the event could be false or not affecting their day to day tasks.

If the policy were to be revised, it can have a major impact on the institution. As stated

previously, if the policy is changed, current faculty, students, and staff will need to be informed

quickly to ensure that majority of employees and students are aware of any major changes prior

to a major risk event occurring. Revisions to the policy need to be approved not only by the

Chancellor, but also by the board of trustees, the IRM steering committee, the IRM committee,

the IRM officer, and the Chancellor’s council member or designee. There are a lot of individuals

that are part of this policy that will need to have their voices heard prior to any revisions to the

policy. This can be an issue because there may be too many voices trying to get their opinions

heard and the larger issue at hand may be getting ignored.

One thing to note about revisions to the policy would be to further expand on pieces of

the policy so that anyone at the institution could understand. For example, when discussing the

risk criteria, one would not understand what this means unless they work closely with the risk

management team. As a student affairs professional, it is easy to understand implications and

RISK MANAGEMENT POLICY ANALYSIS 7

impact of risk issues that institutions could face, but if one does not understand the scope or lens

with which the risk management team is understanding this terminology, it is hard to fully grasp

the meaning of the policy. In the policy they state “The IRM office is charged with reviewing

best practices and application of said practices in evaluation of Risk. (2016).” It would be

important for the IRM to update the students, faculty, and staff on campus about these best

practices and applications for future revisions to ensure that all parties on campus grasp each

facet of the policy to the best of their ability. Creating a report and updating the community is

important but making it readily accessible to the campus community will be vital in risk

management.

There are some legal implications to events associated with risk. Miller (2017) states that

“risk can arise that is associated with the health or safety of students and other members of the

campus community (p. 107, para. 2).” It is important to understand the legal implications of risk

that can be associated with the students, staff, faculty, and institution as a unit. These

implications can prevent institutions from undergoing construction and building projects that

could have serious risk involved. For example, if Florida International University foresaw the

high risk associated with building the pedestrian foot bridge, they may not have gone through

with the project; however, now with the collapse of the bridge, the institution is likely facing

legal action for the loss of life and the high safety risk associated with the collapse.

Alternatives:

This policy is important for institution wide risk management. A more useful policy

could be for varying scales of risk associated with the current political climate. For instance, if an

active shooter(s) situation occurred on campus, it will likely be the same team to handle the

situation as if there were a weather storm heading to Greensboro; however, the likelihood that a
RISK MANAGEMENT POLICY ANALYSIS 8

weather event would be unexpected and catastrophic prior to evacuating campus is low as

opposed to an active shooter(s) event that has a high probability of being spontaneous. It would

be important to have active shooter training for all administrative offices as well as faculty

departments for the campus to be fully equipped at handling this potentially fatal situation. One

thing that The University of North Carolina at Greensboro does well is having the police

department available to conduct active shooter training with different departments and student

organizations on campus. This can prepare faculty, staff, and students with the tools necessary to

protect themselves and others from harm.

Another alternative to a large-scale risk management policy is having some smaller

policies under the umbrella heading of risk management. This could include substance and

alcohol consumption among student organizations and Fraternity and Sorority Life members in

relation to events on and off campus. It could include measures to be taken if a health concern

such as epilepsy, mental health, or heart related issues occurs in an office or classroom and how

specific offices and administrative staff can and should be handling the situation so that all

offices are on the same page about these issues.

Smaller policies underneath the larger risk management policy can be beneficial since

many offices work closely with students and the Chancellor and Vice Chancellors will not

always be in close proximity to an office that is having to handle risky circumstances. For

instance, if an active shooter comes quietly into the Career Services Center, and takes over the

office, there should be an officer within the office that handles the situation or something that

will alert campus police if this occurs. If risk management is handled by higher level officials at

the university, how can they oversee the operations of a major event if they are unaware of the
RISK MANAGEMENT POLICY ANALYSIS 9

situation? It is important for all offices to be aware of the risk management policy especially if

there is threat of major events occurring on campus.

RISK MANAGEMENT POLICY ANALYSIS 10

References:

Miller, T. (2017). Legal foundations and issues. J. H. Schuh, S. R. Jones, & V. Torres In Student

services: A handbook for the profession. (pp. 89-106). San Francisco, CA: Jossey-Bass,

A Wiley Brand.

Saunders, S. A., & Wilson, C. M. (2017). What is ethical professional practice? J. H. Schuh, S.R.

Jones, & V. Torres In Student services: A handbook for the profession. (pp. 89-106). San

Francisco, CA: Jossey-Bass, A Wiley Brand.

The University Policy Manual. (2016, February 29). Retrieved March 25, 2018, from

https://policy.uncg.edu/university-policies/risk_management/
 RISK MANAGEMENT POLICY ANALYSIS 11

Appendix A: Policy

Risk Management Policy

The University of North Carolina at Greensboro

 (Approved by the Chancellor, February 29, 2016)

Purpose
The Risk Management Policy serves as a statement of the overall UNCG risk management goals and
focus. It is intended to ensure a consistent approach to risk management throughout the university.

Risk refers to the probability of an event and potential consequences, both positive and negative, to
UNCG. Risks do not exist in isolation from other risks, and a series of risk events may result in a
collective set of consequences that have a greater impact than the individual consequences associated
with each risk event taking place in isolation. Risk is inherent to any activity, and it is neither possible, nor
advantageous, to entirely eliminate risk from an activity without ceasing that activity.

Proper management of risk is a core leadership function that must be practiced throughout the University.
Institutional Risk Management is a process-driven tool that enables administrators to visualize, assess,
and manage significant risks that may impact the attainment of key UNCG objectives. It is the
responsibility of UNCG and its leaders to identify, assess, and manage risks using the Institutional Risk
Management process.

Some level of risk is not only expected in normal everyday activities but can be beneficial. However,
acceptance of risk shall not include:

 Willful exposure of students, employees or others to unsafe environments or activities;

 Intentional violation of federal, state, or local laws;
 Willful violation of contractual obligations; or
 Unethical behavior.

Categories of risks managed through the Institutional Risk Management Process include:

 Strategic Risks - Affect the ability to carry out goals and objectives;
 Compliance Risks – Affect compliance with laws and regulations, student, faculty, staff & visitor
safety, environmental issues, litigation, conflicts of interest, privacy, etc.;
 Reputational Risks – Affect reputation, public perception, political issues, etc.;
 Financial Risks - Affect loss of or ability to acquire assets, technology, etc.; and
 Operational Risks – Affect on-going management processes and procedures.
 Hazard Risks - Affect the ongoing operation of the University either by man-made, natural or
other negative occurring events.

Scope
RISK MANAGEMENT POLICY ANALYSIS 12

This policy addresses Institutional Risk Management and applies to the entire University community.
Each member of the University community has a role to play in risk identification and management
through the integration of risk management and planning processes and the embedding of risk
management processes into management activities. This policy is not intended to outline specific
procedures as they evolve with time and circumstance. Some of the more pertinent procedures can be
found on the IRM webpage. http://rsk.uncg.edu/

Standards(s)
Institutional risk is managed with procedures and tools consistent with industry best practices as reflected
primarily in the International Organization for Standardization’s ISO 31000:
http://www.iso.org/iso/home/standards/iso31000 Risk Management Principles and Guidelines; however,
some elements of the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
http://www.coso.org/ Enterprise Risk Management Framework are incorporated as well.

Policy

I. Approach to Risk Management

UNCG's approach to risk management reflects an understanding of the institution and its context.
UNCG's framework for managing risk is based upon a three-tiered risk management system. Tier
I risks have the potential to significantly affect the university's mission, strategies and goals. Tier
II risks are shared risks across multiple areas or single area risks with cascading impacts. Tier III
risks are unit or single area risks which are largely identified and managed at the department
level.

II. Effective Risk Management

Risk Management:
A. Creates and protects value
B. Is an integral part of all organizational processes
C. Is part of decision making
D. Explicitly addresses uncertainty
E. Is systematic, structured and timely
F. Is based on the best available information
G. Is tailored
H. Takes human and cultural factors into account
I. Is transparent and inclusive
J. Is dynamic, iterative and responsive to change
K. Facilitates continual improvement of the organization

III. Key Outcomes

RISK MANAGEMENT POLICY ANALYSIS 13

. The institution has a current understanding of the major known risks it faces with the
potential to impede achievement of its strategic objectives
A. Risk management and awareness is integrated at all levels of the organization.
B. The institution's risks are within its risk criteria.

IV. Responsibilities

. The Board of Trustees provides risk oversight and appetite. In order to support the
board in this regard, its members are kept informed of IRM's regular and repeatable
processes designed to manage institutional risk within our risk criteria and to provide
reasonable assurance regarding achievement of university objectives. The Board of
Trustees should be certain that it is properly informed and that an appropriate culture of
risk-awareness exists throughout the institution.

A. The IRM Steering Committee is comprised of the Provost, the Vice Chancellor for
Business Affairs, Vice Chancellor for Information Technology Services, the Director of
Internal Audit and advised by General Counsel. The IRM Officer and other staff will
provide support to the committee as required. The IRM Steering Committee meets as
needed and is charged with guiding the advancement of Institutional Risk Management,
providing its programs and the IRM Committee with direction and assessing ongoing
performance. The IRM Steering Committee reviews and approves IRM presentations to
the Audit Committee of the Board of Trustees and assists in the evaluation of any
comments or questions the Board may have. The IRM Steering Committee assesses
progress toward optimal risk treatment of identified institutional risks and recommends
changes in course as needed.

B. The IRM Committee meets at least quarterly, and members are Vice Chancellor for
Student Affairs designee, Vice Chancellor for Information Technology Services designee,
University Controller, Director of Environment, Health and Safety, Chief of University
Police, Assistant Athletic Director of Operations, Vice Chancellor for Research and
Economic Development designee, other members as needed, to be determined by the
IRM Committee membership, and advised by the General Counsel designee. Through
various work groups, committee members actively work on Tier I risks as well as
associated risk treatments. The IRM Committee has the additional responsibility for
providing a common-sense framework within which to scan the university's environment
to identify risk as an integral part of all organizational processes.

C. The IRM Officer provides university-wide leadership to identify and manage possible
strategic, financial, operational, compliance, hazard or reputational risks. The IRM Officer
develops the Institutional Risk Management Program for the university, applying best
practices, the standards mentioned above and other industry guidance. In order to foster
RISK MANAGEMENT POLICY ANALYSIS 14

a risk management culture, the IRM Officer is available for consultation and discussion
relative to issues of institutional risk as well as forwarding those issues to appropriate
leadership.

The IRM Officer chairs the Institutional Risk Management Committee and works with
committee members to identify items for meeting inclusion. The IRM Officer works with
the IRM Committee and Executive sponsors to collaborate on a holistic approach to
evaluate university risks and select optimal risk treatments.

The IRM Officer promotes risk awareness programs throughout all sectors of the
university and provides support to university leadership in defining, maintaining, and
educating university stakeholders through the development or procurement of best-
practice-related or instructional literature.

D. Chancellor's Council member or designee assigned to each Tier I risk are empowered
to collaborate cross divisionally and guide the work involved in managing associated
risks. Executive Sponsors have the authority to manage risks as well as the commitment
to make the necessary resources available to assist those accountable and responsible
for risk treatment. Executive Sponsors may find it advisable on occasion, due to the
potential for (or the appearance of) a conflict of interest, to seek guidance from the IRM
Steering Committee through the IRM Officer with regard to assessment and risk
treatment.
Risk Assessment Processes:

I. Risk Identification is accomplished through committee discussion, unit risk assessment, periodic
stakeholder interviews, education and outreach throughout the institution on a regular basis. Unit
Risk Assessment is a process intended to identify individual risks based on likelihood of
occurrence and potential institutional impact should they occur. Departments, programs or
activities are chosen for assessment based on a number of factors including the number and
complexity of risks involved, the interdependence of different risks and their sources, the degree
to which the unit’s risks impact the institution as a whole. Strategically critical units should be
assessed every three years at minimum.

II. Risk Analysis is performed on qualitative and quantitative data derived from risk assessments,
stakeholder interviews, relevant external events and UNCG's risk events and near-misses. Risk
analysis should result in robust indicators that provide adequate data to recognize shifts in
internal and industry risk patterns when they are most valuable, during the development phases
of important strategic initiatives.

III. Risk Evaluation is intended to inform decision-making regarding risk treatment and employs the
results of risk analysis. This is primarily accomplished through periodic comparison of current risk
ratings with previous ones as well as looking at actual losses in context. Further analysis is often
RISK MANAGEMENT POLICY ANALYSIS 15

deemed necessary before risk treatment decisions can be made. The IRM office is charged with
reviewing best practices and application of said practices in evaluation of Risk.

IV. Risk Treatment emphasizes continual improvement through the use of appropriate measures to
modify risk exposure and the review and subsequent modification of processes, systems and
resources. It is a cyclical process involving the formulation of treatment measures, the evaluation
of their efficacy, the generation of new measures as necessary and the subsequent assessment
of the new measures. Risk Treatment Planning is undertaken at regular intervals for all Tier I Risk
Areas. "Selecting the most appropriate risk treatment option involves balancing the costs and
efforts of implementation against the benefits derived, with regard to legal, regulatory, and other
requirements such as social responsibility and the protection of the environment. Decisions
should also take into account risks which can warrant risk treatment that is not justifiable on
economic grounds, e.g. severe consequence but extremely unlikely risks." - ISO 31000

Enforcement
Vice Chancellor for Business Affairs, Office of the General Counsel, Office of Internal Audit and Office of
Institutional Risk Management

Review
This policy shall be reviewed every three to five years

Contact
Office of Institutional Risk Management (IRM)
1200 W. Gate City Blvd.
Greensboro, NC 27403
(336) 256-1102