University Risk Philosophy
The University takes a broad view of risk as any event that could affect the University’s competitive position or ability to achieve its mission, vision, and strategic objectives. The University acknowledges that risk, in one form or another, is present in virtually all its endeavors, and that successful risk-taking will often be necessary to achieve its goals. RIT does not seek to eliminate all risk; rather, it seeks to be risk-aware and to effectively manage the uncertainty inherent in its environment. To this end, RIT seeks to identify, understand, assess, and respond to the risks facing the University, taking into account the impact on the RIT Community, and RIT’s standing, reputation, financial position, and performance.
Guiding Principles of RIT's Enterprise Risk Management Program
RIT seeks to establish a risk-aware university culture where consideration of risk is integrated into decision-making at all levels of the University. These guiding principles support that culture and set expectations for the behavior of University employees and administrators regarding risks.
1. All individuals, regardless of their role at the University, are empowered and expected to report to senior management any perceived risks or failures of existing control measures, without fear of retaliation.
2. Risk management is integral to the management and future of the University and is a shared responsibility at all levels of the University.
3. Ownership and management of risk will be retained within the University function, department, or unit that creates the risk or is best capable of responding to it.
4. The University’s risk philosophy will guide strategic and operational decisions at all levels.
5. RIT encourages an open and honest discussion of the University’s environment, strategy, risks, and actions taken in pursuit of its objectives.
6. All good faith reports of risks are responded to promptly and with integrity by a University official (or designee), and information about risks is shared promptly with senior management and other key stakeholders.
Purpose and Objectives of the Enterprise Risk Management Program
The purpose of Rochester Institute of Technology's Enterprise Risk Management Program is to enhance the University’s ability to achieve its mission, vision, and strategic objectives and strengthen its competitive position by fostering a university-wide culture of risk awareness. The ERM Program is intended to provide a structured, consistent, and continuous process for the proactive identification and reporting of material risks to senior management and the Board of Trustees.
In support of this purpose, the following goals and objectives have been identified:
1. Create a culture of risk awareness where employees understand and consider risk in decision-making:
a. Ensure that all RIT employees are aware of the risks related to their roles and activities and understand their responsibilities for identifying, managing, and reporting on risk in a systematic and timely way;
b. Provide best practice information, education, training, and facilitation of resources to the University community; and
c. Build on the University’s current risk management activities and practices.
2. Reduce operational surprises and losses.
3. Facilitate greater transparency and openness regarding risk.
4. Enhance enterprise decision-making by providing senior management and trustees with timely information that improves their understanding of enterprise-level risks:
a. Assess risks in the context of strategic objectives;
b. Identify related risk factors across the University;
c. Anticipate and respond to changing social, financial, economic, environmental, and legal/regulatory conditions;
d. Assist management in safeguarding University assets, including people, financial resources, property, and reputation; and
e. Assist management in optimizing the use of University resources by aligning resource allocations with the areas of highest risk and the greatest impact on the University’s strategy.
5. Improve the efficiency and effectiveness of University risk management efforts:
a. Provide the University community with a common language, framework, and procedures for identifying, assessing, responding to, and reporting on risk across the University's entire range of operations;
b. Provide enterprise-level coordination of existing University functions for identifying, assessing, and reporting on risk;
c. Integrate risk ownership and management activities at all levels of the University;
d. Where possible, use and strengthen existing management processes, reporting and approval channels, and organizational structures;
e. Establish and maintain a University risk register that allows for the tracking and reporting of risk and of risk response plans; and
f. Review the effectiveness of enterprise risk management practices regularly.