
Institutional Risk Management

Welcome to the homepage for Johns Hopkins University’s Institutional Risk Management (IRM) program. JHU’s IRM program (known as Enterprise Risk Management in other organizations) was launched by current Vice Provost and Chief Risk Officer Dr. Jonathan Links at the beginning of 2011 and is based on the COSO 2004 and 2017 framework. Today’s IRM program outlines principles and practical steps for JHU leaders and managers to incorporate to ensure institutional risks are identified, prioritized, and mitigated as effectively as feasible. Developing a resilient and risk-responsible culture is vital to ensure JHU’s continued success.

The Committee of Sponsoring Organizations (COSO) defines institutional risk management as “… a process effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

  • IRM must be value-add to executives and other JHU stakeholders:
    • Effectively draws leadership attention to pressing downside risks
    • Actively holds risk owners accountable for meaningful risk management progress
    • Broadly sensitizes the university community to more reflexively think about risks (build risk awareness)
    • Makes explicit the university’s risk appetite and risk-by-risk variation in tolerance
  • IRM must remain focused on high-impact risks
  • IRM “mechanics” should be as minimally burdensome as possible
  • IRM should balance desire for metrics and quantitative data with concerns about workload and confidentiality/legal exposure

The Office of Institutional Risk Management sits within the Office of the Provost and is led by the Vice Provost and Chief Risk Officer. The office dually reports to the Provost and the Executive Vice President for Finance and Administration. The IRM Office works closely with administrative leaders across the university to ensure risk consciousness, accountability, and prioritization of risk mitigation efforts within a common enterprise risk management framework, with the objective to harmonize the assessment and management of all risks and their harms (strategic, operational, financial, legal/compliance, and reputational).

As a part of the IRM Program’s framework, the Risk Appetite Statement articulates the amount of risk the university is willing to accept on average in pursuit of its mission and strategic goals. This overall risk appetite is complemented by explicit risk tolerances for each risk in the university’s IRM portfolio, using a 5-point scale (Very High, Significant, Intermediate, Slight, or Averse). Using subject matter input and standardized rubrics to express risk tolerance, acceptance (or not) of the current level of residual risk ensures that potential benefits and risks are understood, balanced, and optimized, and that measures to mitigate risk are established that correspond to the magnitude of any desired further reduction in residual risk.

Although the risk tolerance varies by risk, it is helpful to understand the prevailing risk appetite that serves as the starting point for consideration of risk-by-risk tolerance. For the university, that prevailing risk appetite is “Intermediate” – the university is neither risk-seeking nor risk-averse in general. Of major importance, that prevailing level can be significantly moved in either direction for a given risk, with the goal of optimizing – not minimizing – the residual level of risk. In considering whether the current level of residual risk remains too high for a given risk, the following factors are considered:

  • the organization’s overall risk appetite
  • its risk tolerance for the given risk
  • the risk in relation to the benefits of the risk-producing activity
  • the costs of further risk reduction

JHU evaluates the following components of risk:

  • Likelihood
    • Frequency of event/issue (some are ongoing; others are sporadic)
  • Aspects of Impact
    • Financial
    • Legal/Compliance
    • Operational
    • Reputational
    • Strategic
  • Current Mitigation Activities
    • People and Resources
    • Policies and Procedures
    • Control Activities
  • Risk Tolerance

JHU established the following twelve risk categories:

  • Academic and Student Affairs
  • External Relationships
  • Finance
  • Governance and Organizational Processes
  • Health Care
  • Human Capital
  • Infrastructure: Facilities & Technology
  • International Activities
  • Market Conditions or External Competition
  • Reputation of JHU Schools, Programs and Affiliates
  • Research
  • Safety and Well-Being

Inherent Risk: how troubling the risk is to the institution (as measured by Likelihood and Impact) in the absence of management controls and mitigation activities.

Residual Risk: progress towards the desired level of risk, incorporating current management controls, mitigation activities, and risk tolerance considerations.

Each risk is assigned a risk owner and risk manager.

Risk Owner: JHU individual who is best positioned to hold “executive responsibility” for a risk. In this context, “executive responsibility” includes monitoring whether a risk occurs and directing the response & mitigation effort if the risk manifests; it does not necessarily denote direct responsibility for day-to-day management of the risk, as some risks are highly distributed and/or cross-functional.

Risk Manager: JHU individual who either (1) has day-to-day responsibility for a risk; or (2) is assigned oversight of a risk by an executive leader.

The Committee is composed of 29 senior leaders at the university, with representation from Vice Presidents, Vice Provosts, and A.V.P.s and Directors within major business units. The Committee is chaired by the Deputy Chief Risk Officer. The Committee’s responsibilities include reviewing the annual risk assessment and reporting it to the Board of Trustees’ Audits & IRM Committee and monitoring and advising on key risks throughout on an ongoing basis.

Contact Us

Email

[email protected]

Team Members

Jon Links, Ph.D.: Chief Risk Officer
Jon Kucskar, J.D.: Deputy Chief Risk Officer
Natalie Semon, M.S.: Senior Advisor to the Chief Risk Officer
Emily Bellet: Senior Administrative Coordinator
