The University of Nebraska at Kearney annually performs a campus wide risk assessment. This high level risk assessment is the responsibility of management, but the process is coordinated by Internal Audit. The risk assessment is updated annually and serves two purposes. It is used as a basis for creating a risk-based internal audit plan and also to assist management in identifying and managing existing and emerging risks facing the University.
Each operating unit at the University faces its own challenges and risks and must assess how it will manage its risks to meet its objectives. The risk assessment process begins with an initial determination of each unit’s operating objectives, followed by a systematic identification of those things that could prevent each objective from being achieved and/or the identification of potential opportunities.
Not all risks are equal. Some are more likely than others to occur, and some will have a greater impact than others if they occur. Once risks are identified, their likelihood and impact must be assessed.
A risk is any event or action that adversely impacts the University’s ability to achieve its objectives. The categories of risk that affect the mission of the University include:
- Strategic - Events that affect the University’s ability to achieve its goals and objectives, including competitive and market factors.
- Compliance - Events that affect compliance with laws and regulations, including safety and environmental issues, litigation, and conflicts of interest.
- Operational - Events that affect ongoing management processes and procedures.
- Technological - Events that affect the electronic information flow and communications, including electronic commerce, storage, disaster recovery, interfaces, development cycle, etc.
- Financial - Events that affect profitability and efficiency, including loss of assets, and technology risks.
- Reputational - Events that affect the reputation and public perception of the University, including political issues and negative occurrences on-campus.
The impact of a risk is defined by the outcome and consequences should an event occur. The definition varies somewhat for each organizational unit according to its individual risk appetite, but traditionally falls within the following guidelines:
- High – Consequences include termination of a business area or program, significant injury or loss of life, termination of funding, significant financial loss/cost (including legal liability), large loss of assets, and criminal penalties.
- Medium – Consequences include inefficiencies and extra workloads, fines, minor injuries or property loss.
- Low – Consequences have little or no effect on the organization and include warnings and/or reprimands with no other action taken.
The scales for determining the likelihood that an event will occur are defined as:
- High – happens frequently, occurs often, and is common or predictable.
- Medium – happens occasionally, sometimes occurs, or is unpredictable.
- Low – seldom happens, infrequent, rare, or has not happened before.
Finally, having identified and assessed risks, management must decide how to deal with them. In some cases, the decision may be to control a risk; in others, it may be to accept it.
The Internal Auditor conducts interviews with the Chancellor, the Vice Chancellors, Student Affairs, the UNK Risk Manager, and the Directors of Information Technology, Human Resources, Facilities, Finance, Police and Parking, and Athletics to identify and analyze risks for their units, and to ask whether there are any specific areas of concern of which Internal Audit should be aware and include on the Audit Plan.
During the assessment process, the risks of each unit are ranked and plotted on a graph on a scale of high, medium, or low according to both their impact on the organization and their likelihood of occurrence.
Once all units have completed their risk assessments, the individual unit risk rankings are combined on one graph to determine the areas of highest risk to UNK. This comprehensive graph is analyzed to develop an annual audit plan that focuses on mitigating the highest-ranked risks. Following the Chancellor’s approval, the Internal Audit Plan is forwarded to the Audit Committee for approval. The audit plan must remain flexible, as it is virtually impossible to anticipate the number of unscheduled audit requests, investigations, or consultations that may be received from management throughout the year.
As a good business practice, the risk assessment process is an ongoing one. Internal and external threats constantly develop, presenting new hazards to the organization. Change itself is a risk, and management must continually adapt its policies and procedures to manage its changing risks to a comfortable level.