Five Years of Assessing Risk at Georgia Tech
This year, Georgia Tech’s Enterprise Risk Management (ERM) will celebrate its fifth anniversary. The ERM program is a comprehensive and ongoing risk assessment by Georgia Tech’s senior leadership of the key operational, financial, compliance, and reputational risks that could significantly interfere with Georgia Tech’s ability to achieve its Strategic Plan goals and institutional initiatives.
The senior leadership consists of a group of 15 vice presidents, vice provosts, and other senior leaders across campus who make up the Compliance & Risk Management Network. This group reviews the entire range of risks facing the Institute and scores them for likelihood (probability of the risk becoming reality), impact (effect the risk would have on the Institute), and velocity (estimated timing).
“Many people don’t realize that Georgia Tech scores its risks every year,” says Mia Reini, director of ERM. “Not only do we assess risk on an annual basis, but the risks with the highest cumulative scores are addressed with specific risk management plans. These plans have resulted in some significant projects at Tech.” Two such projects are: the Center for Community Health and Wellbeing and the GTPD Enhanced Camera Operations Center.
How Does ERM Work?
During ERM’s first year, in 2011, Georgia Tech developed a risk inventory through a series of focused brainstorming sessions with individuals from different areas of campus, including Academic Affairs, Student Life, Campus Services, Human Resources, Finance, Information Technology, and Research Administration. The risk factors identified in those discussions were reviewed by the Compliance & Risk Management Network, grouped into general subject matter areas, and categorized by risk level:
- Institute (related to strategic objectives)
- Unit (operational or process-oriented)
- Systemic (affecting all of higher education)
Since 2011, the risk inventory has further evolved through annual conversations with risk owners across campus.
“If you know of a risk that could keep Georgia Tech from meeting its strategic goals, we’d like to hear from you,” emphasized Reini. “We are always on the lookout for current risks at Tech, how the risk management is going, and what more could be done to better manage the risk. We’ll never eliminate risk, but we can think of ways to manage it.”
Key examples of campus departments and associated risks are:
- Academic Affairs: faculty retention
- Administration and Finance: financial misconduct
- Emergency Preparedness: continuity of campus operations
- Georgia Tech Police Department: campus safety
- Information Technology: data security
- Research Administration: conflict of interest
- Student Life: student health and safety
The Compliance & Risk Management Network scores all of the Institute-level risks using a risk score sheet. Identification of the most urgent risk factors in the total population of risks is what’s most important. The first risk scoring, and subsequent annual scoring, has created a roadmap for the Institute to manage risk strategically rather than perfectly.
On the recommendation of the Compliance & Risk Management Network, campus individuals are identified as principally responsible for each risk factor and are asked to develop risk management plans for the high priority (high score) risk areas. The risk management plans are reviewed by the Network, presented to the president’s cabinet, and shared with the University System of Georgia Board of Regents.
The risk controls, detailed in the risk management plans, are subsequently included in the risk inventory. The Network annually rescores the risk factors after analyzing how well the controls are working and if additional situational risks are present.
“Overall, the purpose of ERM is to embed risk resources into existing business processes — with the objective of being strategic, efficient, and supportive of entrepreneurship at Georgia Tech,” said Reini. “We want to help eliminate risk surprises.”
For more information, visit the Compliance & Risk Management Network website.