Risk Management Policy Considerations

Identifying, minimizing, and controlling exposures to loss are important functions for all institutions.  Most of you have already implemented a risk management policy for your college or university, or are in the process of developing or updating one.

My institution, Washington State University (WSU), published an administrative Policy on Risk Management (EP6) in January 2019.  In August 2023, we finalized a revision to EP6 which included a number of new approaches for overseeing this process that I thought I'd share for your consideration.

Enterprise Type—Campus or System

WSU has multiple campuses in various parts of the state, plus an online (global) campus.  For many years, our Pullman campus was our main administrative hub.  A few years ago, the administration decided to move to a systemwide management model, with each campus, including our flagship Pullman campus, led by a separate campus chancellor, who in turn reports to our system president. 

Some administrative functions are best served by specific campus oversight, and some are best served by systemwide oversight.  International standards encourage an enterprise (systemwide) approach to risk management.  WSU follows International Organization for Standardization (ISO) 31000: 2018—Risk Management Guidelines to identify potential obstacles or occurrences that could threaten an enterprise's ability to meet its mission and goals.

Enterprise Risk Management Software

The state of Washington also encourages an enterprise approach to risk management by state agencies, of which WSU is one.  To facilitate this, the Washington Department of Enterprise Services (DES) provides software modules to the risk management offices at all state agencies to assist with risk identification and rating, risk controls, and planning for managing risks.  The software that DES selected to distribute is the Origami risk management information system. The software platform integrates insurance, risk, safety, and compliance solutions.

I found this addition to our policy rather fascinating, as I'm a fan of tech solutions.  Since the software is distributed directly to our RM office only, little direct information was put into our executive policy.  If you're interested in investigating this further, go to the link above to get more information from the manufacturer's website.

Administrative Oversight

WSU decided to implement a four-level approach to administrative oversight of risk management:

1. Risk Management Executive Committee (RMEC):  RMEC is a presidential committee that provides executive oversight for enterprise and operational risk. It oversees the Enterprise Risk Management (ERM) process. RMEC also provides guidance to the Risk Management Advisory Group (RMAG) and Risk Management (RM) office.
   
2. Risk Management Advisory Group (RMAG): RMAG is appointed by our Executive Vice President of Finance and Administration. Its membership is representative of system units engaged in daily risk management. Units may request to join RMAG through the Risk Management Office.
   
3. Risk Management Office (RM): The RM office at WSU is a part of Compliance and Risk Management under Finance and Administration. RM coordinates and evaluates the risk management program for the WSU system and has responsibility and authority in four primary areas:
• Risk awareness, assessment, and assistance services to units and personnel;
• Coordination of systemwide risk committees;
• Managing and administering insurance coverages and related services to units; and,
• Reporting risks, accidents, injuries, liabilities, and other risk management activities to university departments and applicable state and federal agencies.


4. Individuals and Units: Individual employees, departments, and units are responsible for taking steps to reduce the risk of injury and accidental loss to the greatest extent possible, consistent with carrying out the institution's mission and goals. RM is available to provide assistance to individuals and units, as needed.

Every institution handles risk management processes differently, but as we've all found, it is a good idea to formalize a policy for managing risks.  I hope what I've shared from the WSU perspective helps you start or continue your own conversations about developing or revising risk management at your institution.