Institutional Profile

Parameter E
AWARENESS AND MANAGEMENT OF RISK

E.1. University Risk Management Structure

The Institutional Quality Management Systems Office, through its Risk Management and Services section, together with the University Risk Management Committee, acts as the overseeing body that helps the University manage its risks. It helps the various units of the University assess their risks, conducts internal control reviews, and reports a summary of the risks to the Executive Committee (EXECOM) during the Top Management Review, and to the Board of Directors when needed. It may also advise EXECOM on risk strategies, policies, and changes to operational procedures that are needed to address high-priority risks.

The broad functional areas listed below were considered to help identify and manage the University’s risks. While it may seem that some sectors or units exclusively handle the risks in a particular area, these areas in fact form a functional matrix across all sectors of the University, since the operations of each sector affect the majority of these risk areas. The broad functional areas are the following:

To ensure that all the aforementioned risk areas are considered, the University Risk Management Committee is composed of representatives from all sectors of the University, including a representative from the Disaster Resilience Institute. These representatives summarize, assess, and qualify the risks, mitigating activities, and opportunities identified by the various units in their respective sectors; these are discussed on a regular basis with the Institutional Quality Management Office and reported to EXECOM.

Risk Management Process

The University currently follows four steps in managing its risks. These are:

  1. Identification;

  2. Assessment;

  3. Mitigation;

  4. Risk Communication & Monitoring.

This process is cyclical as new risks are identified (or retired) based on the results of risk assessment, mitigation, and monitoring activities. To help in risk identification, the University adapted the risk types identified in higher education institutions by a 2010 ADB Study on Education Sector Risk Management in Asia Pacific:

I. RISK IDENTIFICATION

These risk types help compartmentalize the various risks across all sectors and streamline the process of coming up with mitigation activities.

The first step in identifying risks is to recognize specific risk areas for a particular broad functional area. These risk areas are then translated into risk statements that can be easily understood by any stakeholder. Below is an example of identifying subject risk areas and translating them into risk statements.

The risks (statements) are then identified to be either any one (or more) of the aforementioned five types.

II. RISK ASSESSMENT

The goal of Step 2 is to prioritize the identified risks by assessing the likelihood of occurrence and the potential impact of each. Each unit measures the likelihood and impact for each risk statement. The tables below may be used as a reference when assigning likelihood and impact ratings. It is worth noting that each unit or sector may use different definitions or rubrics; what matters is that these definitions are documented, agreed upon within the unit, and applied consistently throughout the risk management cycle.

After the impact and likelihood of occurrence of all identified risks have been assessed, the risk priority number (RPN) is determined. The RPN is the product of the impact rating and the likelihood rating. The computed RPN helps the University decide which of the identified risks should be addressed first. It also lets each unit check whether the ratings it gave to a risk are appropriate, given who is accountable for mitigation at each risk level.

Below is a risk map that shows the likelihood, impact, and their corresponding RPNs. RPNs that plot in the upper right corner are considered “chief risks” and should receive priority over those that plot towards the bottom left.
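The following is an added example, not part of the University's document, showing the RPN calculation and the risk map in code. It assumes a 1 to 5 rating scale for both likelihood and impact, a "chief risk" threshold of RPN ≥ 15 (the upper-right corner of a 5 × 5 map), and a constructed register of four illustrative risk statements; the University's own rubric tables are not reproduced here.

```python
"""Added example, not part of the University's document: compute the risk
priority number (RPN = likelihood x impact) for a constructed risk register,
rank the entries, and plot them on a likelihood x impact risk map.
Assumptions: a 1-5 scale for both ratings, a chief-risk threshold of 15,
and the register entries themselves (all constructed for illustration)."""
from dataclasses import dataclass

SCALE = range(1, 6)          # assumed rubric: 1 = lowest, 5 = highest
CHIEF_THRESHOLD = 15         # assumed: RPN >= 15 plots in the upper-right corner


@dataclass
class Risk:
    statement: str
    likelihood: int
    impact: int

    def __post_init__(self):
        # A rating outside the agreed rubric means the unit's scale is
        # undocumented or was applied inconsistently; reject it early.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in SCALE:
                raise ValueError(
                    f"{name} rating {value} outside rubric {SCALE.start}-{SCALE.stop - 1}")

    @property
    def rpn(self) -> int:
        return self.likelihood * self.impact

    @property
    def chief(self) -> bool:
        return self.rpn >= CHIEF_THRESHOLD


def prioritize(register):
    """Return the register sorted highest RPN first; ties go to the higher
    impact, since impact-reducing (passive) controls usually take longer to
    put in place than likelihood-reducing ones."""
    return sorted(register, key=lambda r: (r.rpn, r.impact), reverse=True)


def risk_map(register):
    """Group statements by their (likelihood, impact) cell so the map can be drawn."""
    cells = {}
    for r in register:
        cells.setdefault((r.likelihood, r.impact), []).append(r.statement)
    return cells


def render_map(register):
    """ASCII risk map: impact on the vertical axis (5 at the top), likelihood
    on the horizontal axis. Each cell shows its RPN and one '*' per risk."""
    cells = risk_map(register)
    lines = []
    for impact in reversed(SCALE):
        row = []
        for likelihood in SCALE:
            marks = "*" * len(cells.get((likelihood, impact), []))
            row.append(f"{likelihood * impact:2d}{marks:<3}")
        lines.append(f"I{impact} | " + " ".join(row))
    lines.append("     " + " ".join(f"L{l:<4}" for l in SCALE))
    return "\n".join(lines)


# Constructed register (illustrative statements, not the University's data).
REGISTER = [
    Risk("Student records exposed through a misconfigured database", 3, 5),
    Risk("Power outage interrupts online classes during finals", 4, 3),
    Risk("Delayed release of budget allocations to units", 2, 2),
    Risk("Clinic stock-out of essential medicines", 2, 4),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        flag = "CHIEF" if r.chief else ""
        print(f"RPN {r.rpn:2d} (L{r.likelihood} x I{r.impact}) {flag:5} {r.statement}")
    print(render_map(REGISTER))
```

Running the block lists the register in priority order (the database exposure, at RPN 15, is the only entry above the assumed chief-risk line) and prints the map with one asterisk per risk in its cell; a unit can compare the printed order against its own intuition to catch ratings that were set too high or too low.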

III. RISK MITIGATION

Risk mitigation refers to the broad range of actions taken to prevent a loss from occurring or to respond to losses that have already occurred. It makes use of existing internal controls designed to mitigate risks and identifies additional control measures that should be implemented.

A combination of active and passive mitigation controls is ideal: active controls prevent a risk from occurring and thus lower its likelihood, while passive controls lower the impact of a risk when it does occur.

There may already be existing (internal) controls in place that reduce the likelihood and/or impact of a risk. In most situations, however, controls are not yet in place to address the risk; these are to be identified as potential mitigation activities, since they have yet to be implemented. Once a potential mitigation activity has been or is being implemented, it can be reclassified as an existing control.

The following is a list of control measures that may be implemented during the risk mitigation phase:

  1. Policies and Procedures

Policies are rules established to reduce risk. Procedures are instructions that outline the series of steps taken to ensure that policies are followed.

  2. Education and Awareness Training for Students, Staff, and/or Faculty

Methods used to periodically inform the University community, such as job-specific training or orientation for new employees and in-service training for all employees.

  3. Operational Controls (Engineering and Administrative Controls)

Operational controls are mechanisms that confirm a policy or procedure is being followed. They include engineering and administrative controls. Engineering controls are built-in measures (e.g., access controls such as keys, door locks, and computer passwords). Administrative controls refer to organizational or work-practice measures.

  4. Oversight, Monitoring or Executive Controls

These controls are designated to verify (e.g., through tracking, inspecting, documenting, and interviewing) that the other controls are effective.

  5. Audit Controls

Formal methods employed to analyze compliance. Audits may include the analysis of documents and sampled transactions.

IV. RISK COMMUNICATION AND MONITORING

The last step in the risk management process cycle is risk communication and monitoring. This step ensures that risks, internal controls, and mitigation plans remain transparent and relevant, and it provides a feedback loop for improving mitigation plans.

When the factors that affect likelihood and impact change, the affected risks should be reassessed and reprioritized to ensure that the priority risks and mitigation activities remain current and fitting.

Risk communication and monitoring plans should include the following:

  • designate a risk owner responsible for each chief risk;

  • minimize internal control gaps, overlaps, and errors;

  • make risks and controls more transparent by providing immediate feedback; and

  • eliminate process redundancies unless deemed necessary for business continuity and/or disaster recovery reasons.

An Annual Risk Mitigation Plan (Fig. 9) is a tool that documents the risk response and follow-up actions. In a uniform manner, it records each significant risk, its impact and likelihood, existing internal controls, potential controls, and the communication and monitoring plans for it. Ideally, the Risk Mitigation Plan should be reviewed and updated at the same time each year.

Each unit has a risk mitigation plan, which is reviewed by that unit’s sector representatives together with the chair and co-chair of the University Risk Management Committee. Once all risk mitigation plans have been reviewed, they are compiled, summarized, and reported to the Quality Management Representative (QMR) for her final comments and feedback. Once the QMR has given her go signal, the committee then reports the findings to the University Executive Committee during the scheduled Top Management Review.

The consolidated, reviewed, and approved risk mitigation plan is known as the University Risk Register.


E.2. High Priority Risk Management Case Studies

Information and Communication Technology Office

Medical Service Department

Budget Service Office

E.3. Risk Management Best Practices
