How do I manage Risk?

Once a risk and its potential consequences have been identified, a management plan can be developed for it. Risk management involves the application of no profound or sophisticated science - except in its extension into actuarial analysis, tort (like negligence), and insurance law. Normally risk management involves only the exercise of common sense. In its basic form it’s a fairly simple process:

1. Identifying risks with potentially consequential negative outcomes.
2. Analyzing risks' "potentially consequential outcomes" to determine their severity. Risk "severity" is the product of the likelihood and gravity of the potential outcomes;
3. Deciding in each case, depending on the severity ascertained for the risk, whether to eliminate, limit (the term often used is "mitigate"), transfer (by, e.g., insurance and/or waivers), or disregard the risk;
4. Developing appropriate and feasible policies and procedures to carry out the decision about how to deal with the risk;
5. Planning responses to negative outcomes in order to limit their damage – and responding accordingly to actual negative events;
6. Monitoring the implementation and success of the risk management policies, procedures, response plans, and actual responses in each case and improving them where necessary and feasible.

It needs to be emphasized at the outset that the purpose of risk management is NOT to eliminate all risks. There can be no growth or development – or, arguably, even survival - without taking risks, hence risk management usually entails not avoiding risks altogether but, rather, limiting or mitigating their possible hazardous consequences. The point also needs to be made that risk management is undertaken not just to protect the University from hazards and liability, but to support the highest ethical and legal standards of responsibility to and care for its members. Moreover, risk management should NOT have, as its primary consequence, the addition of extra layers of bureaucracy and red tape to the University’s operations, or the creation of a “Chicken Little” atmosphere, but the establishment and promotion of clear and comprehensive policies and procedures to which adherence will not be a heavy burden but, once established, routine, and the fostering of risk identification and analysis at all levels of the University’s planning. With good risk management in place, University members should be able to devote more resources and attention to the efficient operation and development of the University’s primary programs: education and research.

The Director of Risk Management will review and promote the development of risk management policies and procedures in close consultation with the departments concerned, while ensuring compliance with law and University policy and regulation. The Director will rely on external best practices and expertise in addition to departmental experience, assessment, and advice. Every effort will be made to establish and support risk management policies and procedures that, while fulfilling legal obligations, aid and do not hinder the departments and personnel responsible for their implementation.