08-20.00 – Policy on Enterprise Risk Management

  1. Policy Statement:

    Best practices in effective governance require that leaders periodically assess potential risks and exposures, evaluate the probability and the impact of each and, where possible, adopt risk mitigation and monitoring strategies. These processes should routinely inform decisions and strategic planning. This policy formalizes Towson University’s ongoing system of enterprise risk management for the institution’s mission and strategic initiatives. It also sets periodic reporting expectations and processes for reporting key risk items.

    This policy implements University System of Maryland (“USM”) Policy VIII-20.00 Policy on Enterprise Risk Management.
  2. Definitions:

    Strategic risks – events or activities, whether internal or external, that have the potential to negatively impact the institution’s ability to pursue its mission or achieve its key strategic goals and objectives. These risks include inadequate strategic planning and goal setting, crisis response and business continuity, and community relations. 

    Financial risks – risks and exposures that are associated with inadequate financial planning, management and operational outcomes, including the budgeting and financial reporting processes, financial controls, debt management, endowment investing, and risk management and insurance provision. 

    Operational risks – risks and exposures that may not have an immediate financial impact but affect the ongoing operation and objectives of the institution. Included here are risks to the academic enterprise such as academic quality, tenure and faculty promotion, accreditation, faculty recruitment, and program development (including closures, new programs, and international programs). Weather events, power disruptions, and other potential events impacting the availability of facilities would be another group of operational risks, to the extent they have a significant impact on ongoing operations.

    Reputational risks – risks and exposures that may harm the primary mission by casting doubt on commitments by campus leadership and negatively affecting the image of the University. Such risks may include claims of harassment and discrimination, waste and abuse, and scholarly misconduct. Reputational risks may also be strategic, financial and operational risks depending on their nature and severity.

    Compliance risks – risks and exposures that may impair our ability to comply with applicable laws and regulations and expose the University to liability for settlements, judgments, and fines and its individual employees to criminal sanctions or personal liability.

    Hazard risks – risks and exposures that pose a level of threat to life, health, property, or the environment. Most hazards are dormant or potential risks with only a theoretical risk of harm; however, once a hazard becomes active, it can create a primarily physical emergency situation for the campus community.

    Risk mitigation – steps taken at the institution and System level to identify, assess, address and report on potential risks. Risk mitigation strategies include avoidance, acceptance and monitoring (with leading indicators), reduction of severity, reduction of frequency, or transfer. Methods may include institution-level threat and risk assessment team efforts, trainings, and coordinated efforts across institutions to identify and mitigate risk.

    Risk tolerance – the ability or willingness of an institution or the System’s leadership to accept a certain level of likelihood that a particular risk exposure materializes. Risk tolerance is important in considering the possibilities for mitigating or eliminating particular risks and exposures, each of which is likely to carry an associated cost or set of requirements.
  3. Responsible Executive and Office

    Responsible Executive:
    Chief Compliance & Risk Officer

    Responsible Office:
    Office of the General Counsel 
  4. Procedures: 

    The Chief Compliance and Risk Officer (CCRO) oversees and coordinates all University compliance and risk areas, working with relevant compliance and risk function experts/owners, including (but not limited to) risk aspects of research activities, academic programs, equity and inclusion, human resources, finance/tax, export controls, crisis management, and health and safety. The CCRO maintains the risk portfolio and chairs the University’s Enterprise Risk and Compliance Committee (ERCC), a group of professionals throughout the University who oversee specific risks with a focus on compliance.

    The CCRO will develop a standardized risk assessment methodology that will be used across divisions for risk assessment and for assessing strategic initiatives. The CCRO conducts an annual facilitated compliance and risk assessment review with the Executive Enterprise Risk Committee (EERC). This will include the development of a biennial Risk Register that is prioritized, with written risk assessments supported by the members of the EERC. Mitigation or monitoring plans will be part of each risk assessment. Strategic Planning elements will have risk assessments completed during the tactical development stages of planning. The CCRO will develop and chair appropriate committees and work groups to monitor specific ongoing high-risk issues and new compliance obligation(s).

Executive Enterprise Risk Committee Membership

  • President
  • Provost and Executive Vice President for Academic and Student Affairs
  • Vice President Administration and Finance
  • Vice President for Inclusion and Institutional Equity
  • Vice President for Strategic Partnerships & Applied Research
  • Vice President of Legal Affairs and General Counsel
  • Vice President for Student Affairs
  • Vice President for University Advancement
  • Vice President for University Marketing and Communications
  • Director of Athletics
  • Executive Director of Governmental and Community Relations
  • Director of Public Safety and Chief of Police
  • Vice President of Operations and Chief Human Resources Officer
  • Vice President for Enrollment Management
  • Associate Vice President and Chief Information Officer

Enterprise Risk and Compliance Committee Membership

  • Intercollegiate Athletics – Associate AD for Compliance
  • Facilities Management – Associate Vice President 
  • University Accounting - Assistant Vice President and Controller
  • Office of Technology Services – Director Information Security
  • Office of the General Counsel – Associate General Counsel
  • Office of Sponsored Programs and Research – Assistant Vice President of Sponsored Programs and Research
  • Public Safety – Chief of Police
  • Office of the Provost – Assistant Provost for Assessment, Accreditation and Compliance Services
  • Environmental Health and Safety – Director
  • Management Advisory & Compliance Services – Director
  • Strategic Partnerships and Applied Research – Associate Vice President, Operations
  • Auxiliary Services – Associate Vice President for Financial Services
  • Office of Inclusion and Institutional Equity – Assistant Vice President for Institutional Equity and Compliance
  • Office of Human Resources – Director of HR Partnership & Faculty/Staff Relations
  • Office of Institutional Research – Director
  • Student Affairs – Assistant Vice President Campus Life

The CCRO is expected to support the President in developing and documenting the 3-5 risks assessed to be the most significant concerns to institutional leadership in terms of setting strategic goals and planning. Before March 15 annually, the CCRO is to provide to the President a review or update of how the institution’s risk assessment and management plan has performed, together with a listing of significant events that occurred in the prior calendar year that were contemplated and planned for in the institution’s risk management process. By March 31 annually, the President is to provide this information to the Chancellor.

Appendix USM Policy: 

Pursuant to this policy, each USM institution and regional higher education center, including the USM Office, is to adopt an enterprise risk management process. The process should be developed to assure that potentially significant and likely risk exposures have been identified and communicated to institutional leadership, and that plans to reduce the risk of occurrence, or mitigate the exposure have been developed.

Under the leadership of each institution’s President, an institution-wide body, such as a campus cabinet or president’s leadership team, is to identify and quantify risks, determine risk tolerances, and oversee risk mitigation strategies or measures where appropriate.

The enterprise risk management process must include an inventory, or register, of risks and exposures that are potentially significant, in terms of both likelihood and impact, to the strategic interests and goals of the institution. Each risk should have an identified responsible official or department which will monitor and adopt mitigation strategies as appropriate, and periodically report to the institution-wide body responsible for overseeing the risk management process. Risks are to be evaluated as to their potential impact, as well as their likelihood of occurrence.

Institutions are expected to adopt risk management practices suitable and appropriate to the institution’s activities and goals. Tailoring risk management activities to the institution’s focus and goals may result in similar institutions assessing the likelihood, and the impact, of similarly described risks differently, with risk tolerance and mitigation strategies that reflect those differences. Each risk management process is to include the basic steps of:

  • Risk Identification;
  • Risk Assessment;
  • Risk tolerance, prevention and mitigation; and
  • Reporting

The specific risks, determination as to impact and likelihood, and accordingly, prevention and mitigation strategies, are likely to vary from institution to institution. It is important that each cycle of assessment and evaluation of risks, impact and likelihood, also consider the identification of new and emerging risks.

This policy is not intended to require a specific risk identification, assessment, mitigation or reporting process and acknowledges that institutions may have different approaches and processes to address enterprise risk management.

Related Policies: 

VIII-20.0 USM Policy on Enterprise Risk Management

Approval Date: 06/02/2021

Effective Date: 06/02/2021

Amended Date: 11/30/2023

Approved by: President’s Cabinet