Risk Management Overview
Risk management is the process of analyzing exposure to risk and determining how to best handle such exposure. Georgetown’s risk management process undertakes a best practices approach and focuses on understanding the key risks and managing them within acceptable levels. It is a collaborative process where risk response plans are developed in concert with the stakeholders who understand the risks and are best able to manage them.
The following steps outline the University’s approach to risk management:
- Identify the most significant risks arising from operations on an ongoing basis.
- Prioritize risks based on the likelihood of occurrence and potential impact.
- Implement strategies to mitigate risks.
- Monitor the effectiveness of risk management efforts.

When responding to risks, the University can use different strategies for managing the risk including:
- Avoidance – Avoiding the risk by discontinuing the activity that generates it
- Acceptance – Retaining the risk (self-insurance)
- Mitigation – Reducing the likelihood and impact of a risk (loss control programs)
- Transfer – Shifting ownership of risk to a third party (insurance)
Georgetown University has established a formal enterprise risk management (ERM) process. The objectives of this initiative are to create a systematic and enterprise-wide process to identify, assess, prioritize, respond to and report on risks faced by the University, and to integrate risk ownership and management activities at all levels of the institution. A wide range of people across the University are involved in the ERM process, including the University’s senior leadership and the Board of Directors, who will receive information about risks and provide input and direction to ensure alignment of priorities and risk management activities with the University’s strategic goals.
Risk is a given for a complex organization like Georgetown University. Balancing risks and opportunities is a key management responsibility and the University’s everyday activities involve taking and managing many types of risk. Our ERM approach focuses on understanding the key risks facing the University and managing them within established tolerance levels. The University uses a number of different mechanisms and people to anticipate, identify and manage risk. Our ERM process seeks to align and coordinate these resources to manage risk in a more systematic, comprehensive and effective manner.
Georgetown’s ERM approach consists of the following activities that are repeated as part of a continuous cycle.
- Regular identification and categorization of risks across the University including: financial, operational, strategic, hazard and event-driven risks.
- Quantification and prioritization of risks according to their potential impact and probability of occurrence.
- Risk reduction planning
- Risk response
- Monitoring and reporting of results
The leadership team responsible for the implementation of Georgetown’s ERM process consists of four working committees. The ERM Steering Committee, composed of the Senior Vice President and Chief Administrative Officer and the AVPs for Risk Management, Internal Audit, and Compliance and Ethics, is charged with establishing an ERM framework and providing oversight for implementation of the initiative.
A cross-functional group of over 30 university leaders from the Main, Medical and Law Center campuses comprises the ERM Management Committee. This group is charged with identifying departmental, campus and institutional-level risks and helping the Steering Committee to prioritize them. The President’s Executive Committee and the Board of Directors Audit Committee assume the oversight roles of ensuring a proper understanding of institutional risks, ensuring that risk reduction planning and response activities are funded and implemented, and evaluating the adequacy of the University’s risk mitigation efforts.
Institutional risk assessments are facilitated by the Steering Committee through a series of face-to-face interviews with the University’s leadership. Management Committee members are asked to identify key risks in their areas and for the University generally and to help gauge the probability and likely impact for the risks they have identified. Risks identified through the interview process serve to establish the University’s baseline enterprise risk portfolio.
The ERM process uses a risk estimation pyramid to provide a conceptual framework for the prioritization of risks. The pyramid consists of three tiers that classify risks according to scope and impact. Broader risks are situated at the top of the pyramid and involve university-level risks that could affect the institution’s strategic objectives or underlying business model or that have a potentially significant impact across multiple business units. Risks in this category are considered high impact events that warrant the attention of the Board of Directors Audit Committee and the senior leadership.

The middle tier of the pyramid represents “Campus-Level” risks and includes risks associated with processes, infrastructure systems, and aggregated interdepartmental risks. More localized “Departmental” risks are situated at the bottom of the pyramid and represent lower priority risks associated with specific internal controls, infrastructure elements, transactions, and policies and procedures.