Risk Assessment Process

Risk Identification

Every year, key academic and administrative leaders engage in a risk assessment process. Within each functional area, risk identification starts with a review of the area’s strategic objectives and its critical functions or services. They then identify key events or circumstances that, over the next three years, could prevent a functional area or the University from achieving its objectives or executing its strategies. Risk assessment leaders consider risks regardless of whether they are under the University’s control as well as the possible interdependence of different risks and their sources. Each functional area identifies risks that it might face, including university-level, campus-level and department-level risks.

Each identified risk is ranked as high, medium or low in three categories: impact, likelihood and velocity. Finally, a management plan is developed for each risk, describing how Georgetown is managing the risk.


The following example illustrates the factors considered for individual risks identified through the risk assessment process.

Risk Event/ Description Federal sequester and current budget paralysis
Risk Category Federal Budget
Key Considerations/ Assumptions Potential NIH, Department of Education and other federal budget cutbacks could undermine research and other programs. 
Impact High (Annual loss of $10 million or more)
Likelihood Medium (Risk is probable and has a medium chance of occurring in the next 3 years)
Velocity Medium (Risk impact will be felt in 3 to 9 months after occurence)
Management Plan

Developed a financial plan that assumes reduction in federal funds for foreseeable future. Seeking opportunities to diversify research portfolio.


Risk Prioritization

All of the risks identified by the University’s functional areas are compiled into a risk inventory. The ERM Committee ranks the identified risks into three risk prioritization levels:

Tier 1                 
  • Strategic and/or institution-wide
  • High Impact (on reputation, mission, financial performance, student safety, etc.)
  • Risk affecting underlying business model
  • Board or top senior management need to know
Tier 2
  • Campus-level
  • Involve infrastructure systems or processes
  • Department-level risks identified by multiple functional areas
Tier 3
  • Departmental risks
  • Involve specific internal controls and infrastructure elements