Policies and Procedures Manual 2025-2026

3.1.44 Risk Management

1.0 Purpose

Effective risk management is a core leadership responsibility that must be consistently practiced across Piedmont University.

2.0 Definition of Risk

“Risk” refers to the probability of an event occurring and the potential consequences to the University associated with that occurrence. Risk is inherent in all activities, and it is neither possible nor desirable to eliminate all risks without ceasing the associated activity.

Risks are defined broadly and extend beyond traditional categories. They include:

  1. Strategic Risks – Affect the University’s ability to achieve goals and objectives as outlined in the institution’s strategic plan.
  2. Compliance Risks – Relate to compliance with laws, regulations, safety, environmental matters, litigation, conflicts of interest, and related issues.
  3. Reputational Risks – Impact reputation, public perception, political standing, and related concerns.
  4. Financial Risks – Involve loss of or inability to acquire financial resources, assets, or technology.
  5. Operational Risks – Affect the University’s ongoing management processes and procedures.

3.0 Management of Risk

Risk management at Piedmont University is a leadership responsibility. The Chief Information Officer (CIO) shall define the University’s risk tolerance (ability to absorb impact) and risk appetite (willingness to assume risk). Through senior staff and institutional Vice Presidents, the CIO shall ensure effective management of risks.

Certain risks may escalate to a level requiring involvement of the President, Vice President for Administration and Finance (VPAF), and the appropriate department. Acceptance of such risks is at the discretion of the Board of Trustees and the VPAF. These risks are typically those where the probability and potential consequences are likely to:

  1. Impair the achievement of a strategic goal or objective;
  2. Result in substantial financial costs that exceed the institution’s ability to absorb or that threaten its core mission;
  3. Cause significant damage to institutional or University-wide reputation; or
  4. Require intervention in university operations by the Board of Trustees or an external authority.

While some level of risk is expected and can even be beneficial, risk acceptance shall not include:

  1. Willful exposure of students, employees, or others to unsafe conditions;
  2. Intentional violation of federal, state, or local laws;
  3. Willful violation of contractual obligations; or
  4. Unethical conduct.

4.0 Institution Implementation of Risk Management Procedures

An institution-wide approach to risk management shall be embedded in all Piedmont University departments and integrated into management systems and processes. Additionally, risk management efforts must directly support institutional objectives.

The Office of Information Technology (OIT) shall develop and maintain a University-wide risk management framework and associated procedures that include:

  1. Ongoing identification of risks affecting institutional goals;
  2. Development of formal risk management plans;
  3. Monitoring risk mitigation progress;
  4. Periodic updates of risk management plans; and
  5. Reporting significant risks to the President and appropriate key stakeholders.

The President shall:

  • Designate, in writing, a Risk Management Policy Coordinator with sufficient authority to support campus administrators in maintaining the risk management framework and procedures.
  • Appoint one or more employees to oversee campus-wide implementation of the Risk Management Policy and support OIT in maintaining the framework.

Oversight of the Risk Management Policy shall be provided by the Committee on Internal Audit, Risk, and Compliance, which shall review major risks on behalf of the President.

The institutional risk management framework and procedures shall be reviewed annually. Additional compliance reviews may be conducted periodically by internal audit or a similar accountability function. System-level reporting and implementation procedures shall be established in a dedicated procedures manual.

Appendix A – Revision Table

Document Owner: LaMica Justice, Chief Information Officer

Document History

| Rev # | Name           | Date      | Description     | Signature             |
|-------|----------------|-----------|-----------------|-----------------------|
| 1.0   | LaMica Justice | 7/15/2025 | Initial draft   | Electronically signed |
| 1.1   |                |           | Initial release |                       |