Risk Assessment Form
The Risk and Control Self-Assessment Form is used to collect University-wide information about risks. Risks differ greatly in magnitude, and risk assessments help the University decide which risks to concentrate on and which are less important.
The ERM group created the How to Perform a Risk Assessment slide deck with helpful tips and suggestions to use when performing risk assessments.
Risk Mitigation Plan
A Risk Mitigation Plan is a document used to detail both current and planned actions to reduce the impact or likelihood of an identified risk. This planning template has been developed to assist in identifying the various components of a risk mitigation plan and to develop a timeline for finalizing, communicating, and implementing that plan. This planning tool is not a comprehensive list, but rather a guide to help risk owners consider the various aspects of the mitigation plan. The template provided includes generic example information to demonstrate how the form is used.
Calculate a Risk Score
Using the scorecard below, assess the impact and likelihood of a risk at the system-wide level. When assessing risk within a department or unit, adjust the financial impact. Consider using 5% of the unit’s annual budget for the extreme measure.
Risk Score = (Average Impact Score * Likelihood Score) / 5
Risk scores are helpful in determining which risks need attention and in ranking or prioritizing the many risks facing your unit. Once the key risks to your unit have been identified and scored, consider the risk responses, or controls, you already have in place that reduce the impact or likelihood of the risk. The level of risk before your current responses are considered is referred to as the inherent risk level. That level is reduced by the effectiveness of your risk responses. The resulting level of risk is known as the residual risk level. The table below includes recommended conclusions based on the level of residual risk. Conclusions can be adjusted based on the experience and expertise of management.
When multiple risks are identified with the same or similar risk scores, it’s helpful to consider the velocity of the different risk events. Risks with higher velocities are urgent and should be prioritized.
Risk Velocity: a measure of how fast an exposure can impact the University. It is the time that passes between the occurrence of an event and the point at which the University first feels its effects.
The result of the risk assessment process is a portfolio of risks and an action agenda. Resources can be allocated for the reduction of prioritized risks followed by less urgent or impactful risks. This will help minimize surprises and the impact of risk on operations and administration. Additionally, when new strategies or initiatives are being considered, the risk portfolio will provide valuable information during the decision-making process.