The Compliance & Risk Management Network consists of senior management who review the entire range of risks facing the Institute and set the general direction for enterprise risk management at Georgia Tech.
The objectives of Compliance & Risk Management Network are to:
- Identify the key risks that could significantly interfere with Georgia Tech’s Strategic Plan Goals and Institutional Initiatives.
- Assess the key risks, identify vulnerabilities, and decide either to accept the existing risk level or invest additional resources to manage it.
- Detail a risk management plan for mitigation controls and operational and communication responses to potential adverse events.
- Support processes to implement these risk management plans.
- Help eliminate risk surprises.
The Georgia Tech Risk Inventory was developed through a series of focused discussions involving individuals with operational responsibility in Academic Affairs, Campus Services, Finance, Human Resources, Information Technology, Research Administration, and Student Life. The risk factors identified in those discussions were reviewed by the Network, grouped into general subject matter areas, and categorized by risk level: Institute (related to strategic objectives), Unit (operational or process oriented), or Systemic (affecting all of higher education, little or no control).
Risk Scoring is based upon the probability of the risk becoming reality (likelihood), the effect that would have on the Institute (impact), and the estimated timing (velocity). Exactness is not needed or achievable. Identification of the highest priority, most urgent risk factors in the total population of risks is what is important. Risk Scoring creates a roadmap for the Institute to manage risk strategically, not perfectly.
Georgia Tech Risk Score Sheet
|Impair Achievement of Strategic Goal
Result in Substantial Financial Cost
Create Significant Damage to Institute Reputation or Serious Injury
Require Intervention in Institutional Operations
|Create Inefficiency or Re-Work
Result in Fines
|Small Limited Loss
Result in Warning or Reprimand
Little Effect on Institute
|Probability > 75%
Will happen frequently
|Probability 50% - 75%
|Probability < 50%
Will seldom happen
|Estimate may happen in 0-3 years||Estimate may happen in 4-6 years||Estimate may happen in 7-10 years|
On the recommendation of the Network, individuals are identified as principally responsible for each of the high priority risk factors and are asked to develop risk management plans in each area. The risk management plans are reviewed by the Network, subsequently presented to the President’s Cabinet, and shared with the University System of Georgia Board of Regents.
Controls detailed in risk management plans are included in the Risk Inventory. The Network re-scores the risk factors after considering controls to determine residual risk (i.e., how well the controls are working). Risk management plans are given one year updates to determine how well they are working and if additional resources are needed.
The Network has a Sharepoint site where the Risk Inventory and Risk Plans are kept for Network editing and use. The Compliance & Risk Management Network Sharepoint site is available to Network members at: http://www.larm.gatech.edu/crmn