Compliance & Risk Management Network

The Compliance & Risk Management Network consists of senior management who review the entire range of risks facing the Institute and set the general direction for enterprise risk management at Georgia Tech.

The objectives of the Compliance & Risk Management Network are to:

  1. Identify the key risks that could significantly interfere with Georgia Tech’s Strategic Plan Goals and Institutional Initiatives.
  2. Assess the key risks, identify vulnerabilities, and decide either to accept the existing risk level or invest additional resources to manage it.
  3. Detail a risk management plan for mitigation controls and operational and communication responses to potential adverse events.
  4. Support processes to implement these risk management plans.
  5. Help eliminate risk surprises.
 
Risk Inventory

The Georgia Tech Risk Inventory was developed through a series of focused discussions involving individuals with operational responsibility in Academic Affairs, Campus Services, Finance, Human Resources, Information Technology, and Research Administration. The risk factors identified in those discussions were reviewed by the Network, grouped into general subject matter areas, and categorized by risk level: Institute (related to strategic objectives), Unit (operational or process oriented), or Systemic (affecting all of higher education, little or no control).

 
Risk Scoring

Risk Scoring is based upon the probability of the risk becoming reality (likelihood), the effect that would have on the Institute (impact), and the estimated timing (velocity). Exactness is neither needed nor achievable. What matters is identifying the highest-priority, most urgent risk factors in the total population of risks. Risk Scoring creates a roadmap for the Institute to manage risk strategically, not perfectly.

Georgia Tech Risk Score Sheet

Impact
  High: Impair Achievement of Strategic Goal; Result in Substantial Financial Cost; Create Significant Damage to Institute Reputation; Require Intervention in Institutional Operations
  Medium: Create Inefficiency or Re-Work; Result in Fines; Minor Injury; Moderate Loss
  Low: Small Limited Loss; Result in Warning or Reprimand; Little Effect on Institute

Likelihood
  High: Probability > 75%; Will happen frequently; On-going event; Predictable
  Medium: Probability 50% - 75%; Sometimes occurs; Unpredictable
  Low: Probability < 50%; Will seldom happen; Has not happened

Velocity
  High: Estimate may happen in 0-3 years
  Medium: Estimate may happen in 4-6 years
  Low: Estimate may happen in 7-10 years
 
Risk Plans

On the recommendation of the Network, individuals are identified as principally responsible for each of the high-priority risk factors and are asked to develop risk management plans in each area. The risk management plans are reviewed by the Network, subsequently presented to the President’s Cabinet, and shared with the University System of Georgia Board of Regents.

Controls detailed in risk management plans are included in the Risk Inventory. The Network re-scores the risk factors after considering controls to determine residual risk (i.e., how well the controls are working). Risk management plans are given one-year updates to determine how well they are working and whether additional resources are needed.

 
SharePoint Site

The Network has a SharePoint site where the Risk Inventory and Risk Plans are kept for Network editing and use. The Compliance & Risk Management Network SharePoint site is available to Network members at: http://www.larm.gatech.edu/crmn