Risk Management Plan July 2016
THE PENNSYLVANIA STATE UNIVERSITY
RISK MANAGEMENT PLAN
Penn State University, like most institutions of higher education and other non-profit and for-profit businesses, engages in a deliberate process of identifying, evaluating, managing and monitoring risks. The purpose of a Risk Management Plan is to lay out the structure of how risks are managed, and to ensure that leaders of the University (including its governing board) are aware of the processes involved.
Our vision is to create a risk-aware culture, permitting the University to ensure an effective means to identify, measure, control and assign responsibility to manage risks, while encouraging the acceptance of reasonable opportunities.
At Penn State, these processes take place in three related and overlapping sets of activities: first and foremost, enterprise-wide risk identification and analysis; contract review; and insurance management. This Plan lays out the framework of how these activities are undertaken, and highlights the relevant operations of University offices that, working in conjunction with all other units of the institution, are responsible for managing the University’s risks.
ENTERPRISE-WIDE RISK MANAGEMENT
Beginning in 2006, the University implemented a formal Enterprise Risk Management program to identify and manage a broad array of risks, categorized by broad type as Academic, Compliance, Financial, Operational and Strategic exposures. The program is managed by the University Risk Officer through the Risk Management Office of the Finance & Business organization. The program operates with the assistance and input of a Risk Council composed of director- and administrator-level staff plus several faculty members, drawn from a broad range of University perspectives. Membership is based upon recommendations by the Risk Officer, and appointed by the Senior Vice President – Finance & Business. The Risk Council identifies risks, evaluates practices in place to effectively manage those issues, and recommends improvements; it acts as a resource to the units and leaders responsible for particular risks, and provides guidance to responsible parties to ensure that risks receive appropriate treatment. Risks are initially brought forward in a variety of ways, including information provided by colleges, campuses and administrative units; collaboration with other central units such as OGC, Ethics & Compliance, EH&S, Internal Audit, OPP, Student Affairs and others; contract reviews; claims resolution; industry sources such as peer inquiries and higher-education associations; and media exposure to events at other universities or businesses.
The process for managing risk involves reviewing the issues and determining which University leader has accountability for the risk. The Risk Council works with that leader and other involved advisors to learn their perspective about the issue, mitigation plans already in place, and expected changes to the risk in the future. The Risk Council might then recommend actions, restrictions, policy changes, management plans including financial risk transfer through insurance, or simple awareness of the exposures, and then follows up periodically with the risk leader to determine any changes in trajectory or outcome. The identified risks are mapped as to relative probability, severity, impact and management maturity, through a process overseen by the Risk Council based on meetings with each of the risk leaders on a biannual cycle (or more frequently if needed), and reports are maintained as to when each risk was last reviewed and any action items. These reviews are designed to allow the risk leader to explain the ongoing processes for managing the risk, any recent changes in the scope or outcome of the risks, and projected future changes.
Additionally, a subset of risks has been set aside, due to their potential for strategic impact on the University, for more direct oversight by one or more Committees of the Board of Trustees. This includes an opportunity for the appropriate Board Committee to hear from the risk leader on an annual cycle using the same process as other risks. The subset of risks with oversight by a Board Committee, and the overall list of risks, are continuously monitored and more formally evaluated once each year, with adjustments as needed.
The Risk Subcommittee of the Board of Trustees’ Committee on Audit and Risk has been assigned responsibility to oversee the process and report to the Board on risk issues for the institution. The Risk Subcommittee’s Operating Guidelines state its purpose: “The Subcommittee on Risk will be responsible to review on a regular basis the University’s Enterprise Risk Management activities, with a goal of assisting in the fulfillment of the Committee on Audit and Risk’s purpose of overseeing the University’s processes for identifying and managing risks.” The University Risk Officer is tasked with making a presentation on the University’s risk management programs and processes to the full Board during a seminar session each year.
Additionally, the University Risk Officer is tasked with being the liaison to the President’s Council to discuss risk-related issues and seek their input on a regular basis; the Risk Council will make periodic reports to the University’s leadership on emerging risks, assessment outcomes and gaps.
The Risk Council’s activities during 2016 will include continuation of the cycle of hearing about the identified risks and discussion of emerging risks, with special emphasis on developing the setting and communication of risk tolerances throughout the University.
CONTRACT REVIEW
Although the title seems mundane, the contracting process at Penn State has the benefit of bringing risks and risk-bearing activities to light, so that they may be appropriately evaluated and mitigated. Several University offices are responsible for negotiating and processing varying types of contracts, and there is close coordination to assure a level of consistency among those offices for risk tolerance in contract language. The Risk Management Office alone processes over 5,000 contracts each year. It provides input to the other contracting offices on insurance, indemnification and other terms and conditions which could affect the University’s rights as a party to written agreements, with potentially significant financial, strategic, operational and compliance risk impact to the institution. This operation, together with the risk identification and evaluation process undertaken during contract review, forms a first line of defense in the risk management process.
INSURANCE MANAGEMENT
The University uses insurance as a financial backstop to manage unpredictable exposure to the financial consequences of damage to its property, injury to its employees, and legal liability imposed upon the University for the actions of its officers, employees and volunteers acting within the scope of their duties with regard to third parties. Although the University has strong fiscal management, a stable balance sheet, and assumes commensurate levels of self-funding for these exposures, insurance provides a financial transfer mechanism to contain the variable costs which are faced by the institution when unpredictable events unfold. For example, the University purchases property insurance against risks of damage to its facilities and contents such as fires, floods, etc., but holds a deductible to reduce the cost of the insurance in line with our ability to fund the costs for each event. For legal liability, the University purchases significant levels of insurance to protect its assets against settlements or judgments and the costs of legal defense, but has financial arrangements embedded in its insurance programs to self-fund the “working layer” of claims where we can actuarially determine our exposure at a level where management is comfortable with assuming that financial risk in aggregate for any one year, including through the use of a “captive insurance company” to manage certain insurable risks. Similarly, for the University’s employee health benefits and its statutory obligation to provide workers’ compensation to its employees, the institution is “self-insured” for the working layer of claims, but purchases insurance for catastrophic injuries. The University continually evaluates the levels of its retentions and insurance, and adjusts as needed; for example, at the time this Risk Management Plan was published, an exercise was underway to increase its limits and broaden coverage for cyber risk insurance.
The University’s risk management processes are designed to identify, evaluate, manage and monitor the risks it faces; the adoption of a Risk Management Plan addresses the gap that the individuals involved in managing and overseeing risks could otherwise miss a step in dealing with a risk, by laying out how the processes are undertaken. The risks faced by the institution, as well as this plan itself, will evolve over time, but the efforts to manage the issues will continue.
July 22, 2016