Executive Policy Manual

EP06 – Policy on Risk Management

Revision Approved August 9, 2023

1.0 Policy and Purpose

Washington State University (WSU) is committed to promoting risk-aware decision-making to maximize effective risk mitigation and minimize loss to WSU and its community members. WSU’s enterprise risk management program provides a framework to proactively identify, assess, and manage enterprise and operational risks. This program is essential to WSU’s ability to achieve its mission and strategic goals.

The system Risk Management office provides support and develops awareness through education, information sharing, facilitating operational risk analysis, and guiding the enterprise risk management program. Risk management is inherent in the work of WSU and is the responsibility of all University employees.

Objectives include:

  • Identifying and assessing a broad array of risks or opportunities that could negatively or positively affect the achievement of the University system’s goals and objectives
  • Ensuring appropriate ownership of and accountability for risks
  • Developing and implementing appropriate risk mitigation and monitoring plans by risk owners
  • Establishing a program that engages functional leaders across the campuses and other WSU locations to identify and prioritize risks
  • Providing senior leadership with key information to make risk-informed decisions and to effectively allocate resources

2.0   Applicability

This policy applies to all WSU system employees, volunteers, and organizational units.

3.0   Definitions

Enterprise Risk Management (ERM) – The process of planning, organizing, leading, and controlling the activities of an organization to minimize the effects of risk. ISO 31000:2018–Risk Management Guidelines is the international standard for the practice of enterprise risk management. It is an enterprise-wide approach that proactively identifies, assesses, and prioritizes strategic risks, followed by the allocation of resources to minimize, monitor, and control the likelihood and impact of risks occurring, or to maximize opportunities. Enterprise risks are potential obstacles or occurrences that could threaten the University’s ability to meet its mission and goals.

Event – A change of a particular set of circumstances.

  • An event can have multiple occurrences, and multiple causes and consequences
  • An event can be expected or unexpected

Executive Owner – The executive or leadership team member who has oversight of a risk. This means that responsibility for managing the risk resides in the division/program that reports to the executive owner.

Inherent Risk – The baseline effect of uncertainty measured by likelihood, before implementing any risk controls.

Likelihood – The chance that a risk would occur within the next two years.

Impact – The effect on the strategic objectives if a risk occurs.

Loss or Current Controls – Measures, such as insurance or contracted risk transfer, that reduce the frequency and severity of losses and/or help risk owners recover from losses as quickly as possible.

Origami ERM Module – The software used to maintain a list of identified risks, the risk rating and score of each risk, the current controls, treatment plan, risk metrics, and who is accountable for managing the risk. This module, provided through the Washington Department of Enterprise Services, provides risk managers a software solution to streamline all ERM processes.

Residual Risk – The leftover risk after implementing any loss control.

Risk – The effect of uncertainty on objectives.

  • An effect can be positive, negative or both, and can create opportunities and threats.
  • Objectives can have various categories and can be applied at diverse levels of an organization.
  • Risk is usually expressed in terms of risk sources, potential events, their consequences, and their likelihood.

Risk Appetite – The amount of risk an entity is willing to assume in pursuit of strategic objectives.

Risk Assessment – The process of identifying, analyzing and prioritizing risks.

Risk Identification –The process of identifying risks that might enable or impede WSU’s ability to meet its core mission or its strategic objectives, i.e., brainstorming session.

Risk Management – The total of coordinated activities to direct and control an organization regarding risk.

Risk Owner – The person with the authority and accountability for managing a particular risk and also can affect or be affected by the consequence of that risk. See Section 4.4 for risk owner responsibilities.

Risk Prioritization – The process of evaluating identified risks to determine the likelihood and impact of each risk, resulting in a risk score and rating. This is also known as the Risk Evaluation.

Risk Tolerance – The acceptable degree of variance from the risk appetite that the organization can tolerate in pursuit of strategic objectives.

Treatment – Any action undertaken that modifies risk. Risk treatments generally seek to reduce injury to people and damage to WSU’s finances, properties, and reputation. Risk treatments include:

  • Avoidance (eliminate activity or product)
  • Accept and Monitor (choose to accept and adequately control)
  • Prevention (reduce likelihood or impact of the risk occurring training, personal protective equipment)
  • Reduction (reduce the likelihood and/or impact if the risk occurs fire detectors and sprinklers, fume hoods)
  • Transfer (flammable storage room or cabinet)

4.0   Roles and Responsibilities

4.1    Risk Management Executive Committee (RMEC)

4.1.a    Purpose

RMEC is a presidential committee that provides executive oversight for enterprise and operational risk. It oversees the Enterprise Risk Management (ERM) process. RMEC also provides guidance to the Risk Management Advisory Group (RMAG) and Risk Management (RM).

4.1.b    Composition

RMEC members are appointed by the President. Core members include:

  • Executive Vice President for Finance and Administration, chair
  • Provost and Executive Vice President (or designee)
  • Executive Vice President Health Sciences
  • Vice President for Research
  • Vice President for Student Affairs
  • Vice President for Strategy, Planning, and Analysis
  • Vice President and Chief Human Resources Officer
  • Chancellor from a WSU campus (on a two-year rotating basis)
  • Chief Information Officer
  • Chief Compliance and Risk Officer (CCRO), ex officio
  • Senior Executive Assistant to the President
  • Other individuals who may be asked to participate at the discretion of the chair.

Current members of RMEC are listed on the President’s Office website.

4.1.c    Responsibilities and Authority of RMEC

RMEC has responsibility and authority for the following:

  • Leading, supporting, and ensuring commitment to the ERM program.
  • Establishing and communicating the organization’s risk appetite and risk tolerance to all employees to support efficient and effective risk mitigation.
  • Ensuring appropriate allocation of resources to support risk management activities.
    • Considering and recommending to University leadership, risk management proposals that require additional funding or proposed policy changes.
  • Communicating with University leadership about risk management policy and strategy and providing at least annual updates to the University’s Board of Regents through the Chief Compliance and Risk Officer’s reports to the Board of Regents.
  • Reviewing unique projects, activities, proposals, or actions that present a higher level of risk than daily operational risk and recommending risk mitigation measures to the appropriate unit(s) and/or President. RMEC seeks input from the University office or body with primary responsibility for the matter, conducts additional review, and provides additional recommendations when warranted.
  • Sending requests to the RMAG for research and development of options or recommendations on risk management issues.
  • In collaboration with unit leadership and RMAG, and the Threat Assessment Team where appropriate, issuing cease and desist notices to WSU employees, students, or units when it determines that an activity presents an unreasonable threat to health, safety, security, or property.
  • Halting any operation or activity occurring on WSU property, or any WSU operation or activity regardless of location, that presents an unreasonable threat to health, safety, security, or property. RMEC, and in emergencies, specific RMEC members, have halting authority. This authority is exercised in collaboration with the CCRO and unit and campus leadership when possible.

    The following guidelines apply:

    • In all cases other than those presenting an emergency need for immediate action, RMEC:
      • First issues a cease-and-desist notice to the WSU employees, students, or units, or non-WSU individuals or operations involved; or
      • Otherwise confirms that the party subject to the action has received written warning and been given an opportunity to correct the situation.

        If the matter has not been corrected within a reasonable time, RMEC may order the cessation of an activity or operation until the matter is corrected.

    • The Executive Vice President for Finance and Administration or the campus Chancellor may order a temporary halt to any activity or operation not to exceed 14 days.
    • In addition, the Vice President for Research may order a temporary halt to any research related activity or operation not to exceed 14 days.
    • Individuals subject to action under this paragraph are provided with an opportunity to meet with the appropriate risk management body as quickly as feasible to provide information and/or evidence of remedial measures they believe warrant resumption of the operation or activity.

4.2   Risk Management Advisory Group (RMAG)

4.2.a Purpose

RMAG operationalizes the strategic goals and directives of RMEC and provides a venue for all system units to seek guidance on operational, programmatic, or project specific risk management.

4.2.b Composition

RMAG is appointed by the Executive Vice President of Finance and Administration. Its membership is representative of system units engaged in daily risk management. Units may request to join RMAG through the Risk Management team.

4.2.c Responsibility and Authority

RMAG is an advisory group and only exercises decision-making authority where such authority is specifically delegated to it.

  • Reviews and provides risk management recommendations on matters brought forward by system units. System units are expected to bring forward matters, projects and programmatic initiatives that are new and/or present unique or extraordinary risks.
  • Monitors and regularly reviews this executive policy (EP6).
  • Undertakes specific risk-focused studies as needed and identified by RMEC, RMAG, or the RMS team.

4.3   Risk Management (RM)

RM is a part of Compliance and Risk Management under Finance and Administration. RM coordinates and evaluates the risk management program for the WSU system and has responsibility and authority in four primary areas:

  • Risk Awareness, Assessment, and Assistance:
    • Assessing risk and liability exposure;
    • Consulting with units on risk identification, assessment, and mitigation to help protect and steward University resources, employees, and students;
    • Providing or coordinating training, guidelines, and other resources to the WSU community to increase risk awareness while reducing negative risks and maximizing positive ones;
    • Implementing the ERM program.
  • System-wide Risk Committees:
    • Coordinating and supporting the RMAG.
  • Insurance:
    • Selecting and administering all University insurance coverages and related services;
    • Collaborating with units to identify the types, limits, and costs of insurance options for identified risks;
    • Administering or contracting self-insurance programs.
  • Reporting:
    • Coordinating reporting with the workers’ compensation program, the Department of Environmental Health and Safety (EH&S), and other University departments having responsibility for health, public safety, safety, security, or insurance issues;
    • Maintaining close liaison with the state Department of Enterprise Services’ Office of Risk Management and other state and federal agencies;
    • Reporting to departments about the likelihood and impact of accidents, injuries, liabilities, and other risk management activities; and
    • Reporting to departments about the frequency and severity of accidents, injuries, liabilities, and other risk management activities.

4.4    Individual and Unit Responsibilities

All University employees and students are responsible for taking steps to reduce the risk of injury and accidental loss to the greatest extent possible, consistent with carrying out the University’s mission and goals.

RM is available to assist individuals and units with this process. (See Section 7.0 regarding assistance.) Individuals and units are strongly encouraged to consult with RM on issues, situations, or events that pose high or unusual risks.

In the event of a legal or administrative claim against the University that is not paid (in full or in part) by a third party insurer, the University department, program, or unit responsible for the alleged violation may be required to contribute to the cost of any negotiated settlement or judgment from its departmental or program budget.

5.0   Enterprise Risk Management Program

5.1    Program Oversight

RMEC provides general oversight of the ERM program, which is modeled after the ERM ISO 31000:2018–Risk Management Guidelines Purpose, Principles, Framework, and Risk Management Process. RMEC is responsible for committing to adopting and integrating ERM into the organizational culture, and for guiding the ERM program as further set out in Sections 5.2, 5.3, 5.4, 5.5, and 5.6.

5.2    Risk Identification

Risk identification occurs in sessions with RMEC and through consultation with individual units and University leadership. RMEC reviews and brainstorms new risks at least annually.

5.3   Risk Prioritization

RM is responsible for managing the risk prioritization and assessment (scoring) process in coordination with RMEC. Risk prioritization will include input from RMEC, WSU leadership and individual units, among others.

5.4   Risk Monitoring and Reviewing

RMEC is responsible for the monitoring and review of risk mitigation measures of top risks on at least a semi-annual basis. Monitoring and review include planning, gathering, and analyzing information and results, and providing appropriate follow-up. RMEC may develop timetables and mitigation guidance for risk owners.

5.5   Risk Owners

To facilitate an effective ERM process, risk owners are to:

  • Develop and implement mitigation plans and controls for assigned risks
  • Monitor assigned risks to ensure mitigation plans are effective
  • For risk owners with the highest scored risks, work with RMS to:
    • Update risks semi-annually using the Origami ERM module as assigned
    • Report the status of assigned risks (i.e., controls, gaps, and risk metrics) to RMEC annually
  • For all other risk owners:
    • Update risks annually using Origami ERM module as assigned by RMS
    • Report status of assigned risks to RMEC as needed

5.6    Executive Risk Owners

The ERM process identifies executive risk owners. Executive risk owners, working in concert with risk owners, have primary responsibility for management of risks under their purview. For risks that fall within their purview, executive owners work with risk owners to:

  • Review, approve and support the implementation of risk mitigation strategies.
  • Monitor and review mitigation strategy effectiveness for risks.
  • Allocate resources, as available, in a manner consistent with management of risks.
  • Create a communication channel for risk owners to report on their risks regularly.

6.0   References and Resources

ISO 31000:2018–Risk Management Guidelines

7.0   Assistance

Contact Compliance and Risk Management for assistance; e-mail compliance.risk@wsu.edu.