One of the main issues identified was the interpretation and understanding of what each department’s objectives actually were. It took some time to make all the stakeholders understand that their individual objectives were going to be supported by the university’s overall strategic plan and goals, but once they did, we categorized them as strategic, operational, financial, compliance and reputational. This process is not easy — it took nearly six months to identify five individual risks for each of the five separate areas of concern. Since most of the personnel were unfamiliar with the enterprise risk management concept, education became a major component of the process.
Once we had a framework to identify and categorize different risks, each member of the working group was interviewed one-to-one to identify all individual risks and internal process concerns by department. More than 900 individual risks were identified; however, a vast majority could be compiled into a single risk affecting the entire university. When the weeding-out process was finished, approximately 100 substantial/addressable risks were submitted for review by an Advisory Group that included representatives from academics, operations, athletics, the KSU Foundation, student success, university relations, legal and IT. The Security Department was the interface and acted as the Project Manager.
The Advisory Group was tasked with reviewing the final risk areas and determining whether the risks were university-wide risks or department-level risks — and it was intense and sometimes heated. Those risks classified as department management issues were categorized as low to medium risk/probability, and were sent back to the department level for mitigation. Risks identified as medium to high risk/probability were referred to the enterprise risk coordinator for final determination as to whether the risk should be mitigated or accepted at the university-wide level.
Both risk levels continue to be monitored and mitigated through interaction with both the individual departments and upper management. By our protocol, medium to high risks were submitted by the enterprise risk coordinator to the President’s Cabinet for concurrence and to the University System of Georgia’s Board of Regents.
The Holistic View
The results of this entire process were enlightening. It illustrated how integrating baseline emergency management, business continuity, disaster recovery and crisis management plans can help everyone in the organization identify overall safety and security objectives and how to mitigate risk, thus giving everyone a holistic view of the university’s operations.
For some, emergency and crisis management may be the primary goals for a safe and secure environment; however, being able to identify those risks through a specific process also provides justification and awareness for where more resources may be needed or a different approach should be adopted — benefits that can be realized by security executives in any market.