Lizz Giordano
Policy Summary:
in February 2016. The institution states that “Risk refers to the probability of an event and
potential consequences, both positive and negative (2016).” The institution states that all parties
at the university are responsible for managing risk and that not all risks can be avoided or
eliminated from activities that take place at the institution. The policy begins with an overview of
what risk is and what types of risk can be encountered including: strategic, compliance,
The policy is comprised of three tiers for managing risk. The institution describes each
tier as
“Tier I risks have the potential to significantly affect the university's mission,
strategies and goals. Tier II risks are shared risks across multiple areas or single
area risks with cascading impacts. Tier III risks are unit or single area risks which
are largely identified and managed at the department level. (n.a., 2016).”
The institution then goes on to outline how to be effective with the policy, key outcomes for the
university, the groups that are responsible for upholding the policy, the process of dealing with
risk management on campus, and who will enforce the policy. The university policy states that
“Each member of the University community has a role to play in risk identification and
management through the integration of risk management and planning processes and the
Analysis:
RISK MANAGEMENT POLICY ANALYSIS 3
management policies at higher education institutions. Saunders and Wilson (2017) stated that
“Laws such as the Jeanne Clery Act, a federal statute that evolved from a crime-
reporting bill to call for promoting student safety on campus (Lake, 2013), and
regarding sexual assault prevention and reporting, have affected student affairs
They also suggested that “increased responsibility for student safety includes describing
potential risks, educating students about foreseeable risks, and developing systems of reporting,
as well as supporting victims and affected communities. (Saunders & Wilson, 2017, p. 93, para.
5).” This shows that it is incumbent upon student affairs administrators to educate the students
they come into close contact with on best practices surrounding risk management. It is not just
about having a policy in place; it is about ensuring that the student body and all faculty and staff
clearly understand what goes into the risk associated with various types of events that could
occur on campus.
There are many pros and cons to the risk management policy at The University of North
Carolina at Greensboro. One positive is that there is a definitive plan in place to handle any risk
or issues that arise. Another is that the institution just conducted a simulation of a mass shooter
on campus to practice how they would handle risk of this capacity. Another positive is that the
policy gets reviewed every three to five years; therefore, if any issues do arise or any changes
need to be made, it is possible to revise the policy. One negative to the policy is that not
everyone on campus knows the policy; if a student is unaware of how risk is handled, they may
not understand the procedures in place. Another negative could be if a change in staff occurs and
a situation happens prior to them being fully aware of the policy. Another con could be that a
risk which occurs and incapacitates the people in charge of dealing with the situation could have
unforeseen consequences.
One piece of the UNCG Risk Management Policy (2016) is “The institution's risks are
within its risk criteria.” When reviewing this line of the policy, it is important to determine what
the institution’s risk criteria are. The policy outlines various processes in determining risk. One
key piece that could assist with better understanding what the institution considers risk criteria is
“Unit Risk Assessment is a process intended to identify individual risks based on likelihood of
occurrence and potential institutional impact should they occur. (2016).” The institution utilizes
assessment processes to better identify risk based on how likely they are to occur and the impact
Overall, the current risk management policy is strong, and does not need to be revised at
this time. The staff that is in place to assist with risk management is still at the university, and the
current policy was recently revised in February 2016, only two years ago. It may be wise for the
board to review the policy next year, to ensure that what is in place is still working and relevant
to the times. One thing that could change is more language surrounding gun violence and mass
casualty events that could occur on campus. With the political climate and issues surrounding
violence at schools and higher education institutions, it is important to have policy and language
relating to these large-scale events. Another thing to consider is unforeseen risk; an example of
this is the recent collapse of a pedestrian foot bridge at Florida International University in Miami.
The bridge collapsed only three days after construction was completed. The policy in place does
account for any type of risk, but creating a policy surrounding these large risks that are
catastrophic and unexpected, could be helpful to students, faculty, and staff at the university as
When thinking of this policy, another thing comes to mind: FEMA training. This training
correlates to this policy because it goes over what to do when risk issues arise. Something
institutions can consider is having students, faculty, and staff do some version of this training to
allow for a better understanding of the risk management policy. This can help all members of the
campus community better prepare and truly understand what to do when disaster strikes at a
university. One thing that helped a portion of the UNCG community was the active shooter
simulation that occurred back in February 2018. This helped UNCG Police, staff, faculty,
students, and the Risk Management Team understand and practice how a situation could play out
if this were to occur in real time at the university. It is important to note that the simulation did
not involve all parties at the institution; therefore, it is nearly impossible to determine if events
that played out during the simulation will occur the same way in real-time.
Implications:
The policy is important to have in place because it is for institution-wide risk
management. One negative to the policy is that most student affairs offices require a risk
management policy or procedure in addition to the institution-wide policy. If offices have a
vastly different policy, this can be an issue if a larger risk occurs and offices are used to handling
things in a variety of ways. Another implication to this issue is that staff could be used to the
policy they utilize in their offices or to the current policy, and if the institution revises the policy,
staff must be updated quickly for the institution to make a seamless transition to the new policy.
This can be complicated, in that not all staff will look at the updated policy and would be
unaware of the changes, thus causing confusion and more issues if an event occurs on campus.
The policy is affecting the campus community because it is in place to ensure the safety
of the campus at large. When crimes occur on or near campus, every member of the UNCG
community is alerted to what is going on as quickly as the officers can report to the campus. This
can be of concern for some people on campus because the event can be occurring where you
reside or in the academic building where you are taking class. Recently a stabbing was reported
in an academic building that was then said to be a false report. This can be an issue for students
and faculty that were in the building at the time of the alleged stabbing because panic arose that
was unwarranted due to the reporting by officials. The need to be quick with reporting can be an
issue when it comes to risk management since students, faculty, and staff will be on high alert
when the event could be false or not affecting their day to day tasks.
If the policy were to be revised, it can have a major impact on the institution. As stated
previously, if the policy is changed, current faculty, students, and staff will need to be informed
quickly to ensure that the majority of employees and students are aware of any major changes prior
to a major risk event occurring. Revisions to the policy need to be approved not only by the
Chancellor, but also by the board of trustees, the IRM steering committee, the IRM committee,
the IRM officer, and the Chancellor’s council member or designee. There are a lot of individuals
that are part of this policy that will need to have their voices heard prior to any revisions to the
policy. This can be an issue because there may be too many voices trying to get their opinions
One thing to note about revisions to the policy would be to further expand on pieces of
the policy so that anyone at the institution could understand. For example, when discussing the
risk criteria, one would not understand what this means unless they work closely with the risk
impact of risk issues that institutions could face, but if one does not understand the scope or lens
with which the risk management team is understanding this terminology, it is hard to fully grasp
the meaning of the policy. In the policy they state “The IRM office is charged with reviewing
best practices and application of said practices in evaluation of Risk. (2016).” It would be
important for the IRM to update the students, faculty, and staff on campus about these best
practices and applications for future revisions to ensure that all parties on campus grasp each
facet of the policy to the best of their ability. Creating a report and updating the community is
important but making it readily accessible to the campus community will be vital in risk
management.
There are some legal implications to events associated with risk. Miller (2017) states that
“risk can arise that is associated with the health or safety of students and other members of the
campus community (p. 107, para. 2).” It is important to understand the legal implications of risk
that can be associated with the students, staff, faculty, and institution as a unit. These
implications can prevent institutions from undergoing construction and building projects that
could have serious risk involved. For example, if Florida International University foresaw the
high risk associated with building the pedestrian foot bridge, they may not have gone through
with the project; however, now with the collapse of the bridge, the institution is likely facing
legal action for the loss of life and the high safety risk associated with the collapse.
Alternatives:
This policy is important for institution-wide risk management. A more useful policy
could be for varying scales of risk associated with the current political climate. For instance, if an
active shooter(s) situation occurred on campus, it will likely be the same team to handle the
situation as if there were a weather storm heading to Greensboro; however, the likelihood that a
weather event would be unexpected and catastrophic prior to evacuating campus is low as
opposed to an active shooter(s) event that has a high probability of being spontaneous. It would
be important to have active shooter training for all administrative offices as well as faculty
departments for the campus to be fully equipped at handling this potentially fatal situation. One
thing that The University of North Carolina at Greensboro does well is having the police
department available to conduct active shooter training with different departments and student
organizations on campus. This can prepare faculty, staff, and students with the tools necessary to
policies under the umbrella heading of risk management. This could include substance and
alcohol consumption among student organizations and Fraternity and Sorority Life members in
relation to events on and off campus. It could include measures to be taken if a health concern
such as epilepsy, mental health, or heart related issues occurs in an office or classroom and how
specific offices and administrative staff can and should be handling the situation so that all
Smaller policies underneath the larger risk management policy can be beneficial since
many offices work closely with students and the Chancellor and Vice Chancellors will not
always be in close proximity to an office that is having to handle risky circumstances. For
instance, if an active shooter comes quietly into the Career Services Center, and takes over the
office, there should be an officer within the office that handles the situation or something that
will alert campus police if this occurs. If risk management is handled by higher level officials at
the university, how can they oversee the operations of a major event if they are unaware of the
situation? It is important for all offices to be aware of the risk management policy especially if
References:
Miller, T. (2017). Legal foundations and issues. In J. H. Schuh, S. R. Jones, & V. Torres (Eds.),
Student services: A handbook for the profession (pp. 89-106). San Francisco, CA: Jossey-Bass,
A Wiley Brand.
Saunders, S. A., & Wilson, C. M. (2017). What is ethical professional practice? In J. H. Schuh,
S. R. Jones, & V. Torres (Eds.), Student services: A handbook for the profession (pp. 89-106). San
The University Policy Manual. (2016, February 29). Retrieved March 25, 2018, from
https://policy.uncg.edu/university-policies/risk_management/
Appendix A: Policy
Purpose
The Risk Management Policy serves as a statement of the overall UNCG risk management goals and
focus. It is intended to ensure a consistent approach to risk management throughout the university.
Risk refers to the probability of an event and potential consequences, both positive and negative, to
UNCG. Risks do not exist in isolation from other risks, and a series of risk events may result in a
collective set of consequences that have a greater impact than the individual consequences associated
with each risk event taking place in isolation. Risk is inherent to any activity, and it is neither possible, nor
advantageous, to entirely eliminate risk from an activity without ceasing that activity.
Proper management of risk is a core leadership function that must be practiced throughout the University.
Institutional Risk Management is a process-driven tool that enables administrators to visualize, assess,
and manage significant risks that may impact the attainment of key UNCG objectives. It is the
responsibility of UNCG and its leaders to identify, assess, and manage risks using the Institutional Risk
Management process.
Some level of risk is not only expected in normal everyday activities but can be beneficial. However,
acceptance of risk shall not include:
Categories of risks managed through the Institutional Risk Management Process include:
Strategic Risks - Affect the ability to carry out goals and objectives;
Compliance Risks – Affect compliance with laws and regulations, student, faculty, staff & visitor
safety, environmental issues, litigation, conflicts of interest, privacy, etc.;
Reputational Risks – Affect reputation, public perception, political issues, etc.;
Financial Risks - Affect loss of or ability to acquire assets, technology, etc.; and
Operational Risks – Affect on-going management processes and procedures.
Hazard Risks - Affect the ongoing operation of the University either by man-made, natural or
other negative occurring events.
Scope
This policy addresses Institutional Risk Management and applies to the entire University community.
Each member of the University community has a role to play in risk identification and management
through the integration of risk management and planning processes and the embedding of risk
management processes into management activities. This policy is not intended to outline specific
procedures as they evolve with time and circumstance. Some of the more pertinent procedures can be
found on the IRM webpage. http://rsk.uncg.edu/
Standard(s)
Institutional risk is managed with procedures and tools consistent with industry best practices as reflected
primarily in the International Organization for Standardization’s ISO 31000:
http://www.iso.org/iso/home/standards/iso31000 Risk Management Principles and Guidelines; however,
some elements of the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
http://www.coso.org/ Enterprise Risk Management Framework are incorporated as well.
Policy
UNCG's approach to risk management reflects an understanding of the institution and its context.
UNCG's framework for managing risk is based upon a three-tiered risk management system. Tier
I risks have the potential to significantly affect the university's mission, strategies and goals. Tier
II risks are shared risks across multiple areas or single area risks with cascading impacts. Tier III
risks are unit or single area risks which are largely identified and managed at the department
level.
Risk Management:
A. Creates and protects value
B. Is an integral part of all organizational processes
C. Is part of decision making
D. Explicitly addresses uncertainty
E. Is systematic, structured and timely
F. Is based on the best available information
G. Is tailored
H. Takes human and cultural factors into account
I. Is transparent and inclusive
J. Is dynamic, iterative and responsive to change
K. Facilitates continual improvement of the organization
. The institution has a current understanding of the major known risks it faces with the
potential to impede achievement of its strategic objectives
A. Risk management and awareness is integrated at all levels of the organization.
B. The institution's risks are within its risk criteria.
IV. Responsibilities
. The Board of Trustees provides risk oversight and appetite. In order to support the
board in this regard, its members are kept informed of IRM's regular and repeatable
processes designed to manage institutional risk within our risk criteria and to provide
reasonable assurance regarding achievement of university objectives. The Board of
Trustees should be certain that it is properly informed and that an appropriate culture of
risk-awareness exists throughout the institution.
A. The IRM Steering Committee is comprised of the Provost, the Vice Chancellor for
Business Affairs, Vice Chancellor for Information Technology Services, the Director of
Internal Audit and advised by General Counsel. The IRM Officer and other staff will
provide support to the committee as required. The IRM Steering Committee meets as
needed and is charged with guiding the advancement of Institutional Risk Management,
providing its programs and the IRM Committee with direction and assessing ongoing
performance. The IRM Steering Committee reviews and approves IRM presentations to
the Audit Committee of the Board of Trustees and assists in the evaluation of any
comments or questions the Board may have. The IRM Steering Committee assesses
progress toward optimal risk treatment of identified institutional risks and recommends
changes in course as needed.
B. The IRM Committee meets at least quarterly, and members are Vice Chancellor for
Student Affairs designee, Vice Chancellor for Information Technology Services designee,
University Controller, Director of Environment, Health and Safety, Chief of University
Police, Assistant Athletic Director of Operations, Vice Chancellor for Research and
Economic Development designee, other members as needed, to be determined by the
IRM Committee membership, and advised by the General Counsel designee. Through
various work groups, committee members actively work on Tier I risks as well as
associated risk treatments. The IRM Committee has the additional responsibility for
providing a common-sense framework within which to scan the university's environment
to identify risk as an integral part of all organizational processes.
C. The IRM Officer provides university-wide leadership to identify and manage possible
strategic, financial, operational, compliance, hazard or reputational risks. The IRM Officer
develops the Institutional Risk Management Program for the university, applying best
practices, the standards mentioned above and other industry guidance. In order to foster
a risk management culture, the IRM Officer is available for consultation and discussion
relative to issues of institutional risk as well as forwarding those issues to appropriate
leadership.
The IRM Officer chairs the Institutional Risk Management Committee and works with
committee members to identify items for meeting inclusion. The IRM Officer works with
the IRM Committee and Executive sponsors to collaborate on a holistic approach to
evaluate university risks and select optimal risk treatments.
The IRM Officer promotes risk awareness programs throughout all sectors of the
university and provides support to university leadership in defining, maintaining, and
educating university stakeholders through the development or procurement of best-
practice-related or instructional literature.
D. Chancellor's Council member or designee assigned to each Tier I risk are empowered
to collaborate cross divisionally and guide the work involved in managing associated
risks. Executive Sponsors have the authority to manage risks as well as the commitment
to make the necessary resources available to assist those accountable and responsible
for risk treatment. Executive Sponsors may find it advisable on occasion, due to the
potential for (or the appearance of) a conflict of interest, to seek guidance from the IRM
Steering Committee through the IRM Officer with regard to assessment and risk
treatment.
Risk Assessment Processes:
I. Risk Identification is accomplished through committee discussion, unit risk assessment, periodic
stakeholder interviews, education and outreach throughout the institution on a regular basis. Unit
Risk Assessment is a process intended to identify individual risks based on likelihood of
occurrence and potential institutional impact should they occur. Departments, programs or
activities are chosen for assessment based on a number of factors including the number and
complexity of risks involved, the interdependence of different risks and their sources, the degree
to which the unit’s risks impact the institution as a whole. Strategically critical units should be
assessed every three years at minimum.
II. Risk Analysis is performed on qualitative and quantitative data derived from risk assessments,
stakeholder interviews, relevant external events and UNCG's risk events and near-misses. Risk
analysis should result in robust indicators that provide adequate data to recognize shifts in
internal and industry risk patterns when they are most valuable, during the development phases
of important strategic initiatives.
III. Risk Evaluation is intended to inform decision-making regarding risk treatment and employs the
results of risk analysis. This is primarily accomplished through periodic comparison of current risk
ratings with previous ones as well as looking at actual losses in context. Further analysis is often
deemed necessary before risk treatment decisions can be made. The IRM office is charged with
reviewing best practices and application of said practices in evaluation of Risk.
IV. Risk Treatment emphasizes continual improvement through the use of appropriate measures to
modify risk exposure and the review and subsequent modification of processes, systems and
resources. It is a cyclical process involving the formulation of treatment measures, the evaluation
of their efficacy, the generation of new measures as necessary and the subsequent assessment
of the new measures. Risk Treatment Planning is undertaken at regular intervals for all Tier I Risk
Areas. "Selecting the most appropriate risk treatment option involves balancing the costs and
efforts of implementation against the benefits derived, with regard to legal, regulatory, and other
requirements such as social responsibility and the protection of the environment. Decisions
should also take into account risks which can warrant risk treatment that is not justifiable on
economic grounds, e.g. severe consequence but extremely unlikely risks." - ISO 31000
Enforcement
Vice Chancellor for Business Affairs, Office of the General Counsel, Office of Internal Audit and Office of
Institutional Risk Management
Review
This policy shall be reviewed every three to five years
Contact
Office of Institutional Risk Management (IRM)
1200 W. Gate City Blvd.
Greensboro, NC 27403
(336) 256-1102